[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
>> - I assume requests to mozilla are encrypted + authenticated
>
> This assumption was and is wrong.
> Disabling such insecure update paths makes sense.
I concluded that the addon process is insecure because the versioncheck
happens over HTTPS but the actual download of the new xpi file is over http.
This simple conclusion is wrong if one doesn't check the entire update
mechanism.
To download something over an insecure channel is fine as long as you
can check the file for modifications after the download.
The versioncheck mechanism provides the location of the new xpi file and
the SHA256 Hash over SSL to the browser:
======
[...]
<em:updateLink>http://releases.mozilla.org/pub/mozilla.org/addons/722/noscript-2.1.1.1-fx+sm+fn.xpi</em:updateLink>
<em:updateInfoURL>https://addons.mozilla.org/versions/updateInfo/1246876/%APP_LOCALE%/</em:updateInfoURL>
<em:updateHash>sha256:738eafacb3d3273b9d8ab46f7ffb34d6ba756dd7a35548ad73332106be88ae02</em:updateHash>
[...]
======
If firefox actually checks the SHA256 hash before installing the xpi it
should be reasonable safe (beside the information leaks).
Regarding SSL MITM: Mozilla seams to have a hardcoded check for the
certificate of the versioncheck host.[1]
What let Torbutton to the conclusion that the update mechanism is
insecure and therefore disabled by default?
(TBB: "Add-on update security checking is disabled. You may be
compromised by updates.")
Is 'compromised' meaning in this context: someone may install arbitrary
xpis or was it more the kind of "your anonymity gets compromised because
you disclose your addons incl. their versions"
I suppose thats a question for, Mike?
thanks!
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
http://kb.mozillazine.org/Software_Update
-----BEGIN PGP SIGNATURE-----
iF4EAREKAAYFAk4HGpIACgkQyM26BSNOM7ZclgD9Ft2mbuVLR5Qj7Ny3TS1B4aU5
bZYzAqh51szODEvr9TIA/jPbRxrrE2ixnn7eMeIFo52v3eNS+dmxyOLpylMAup9z
=A1VT
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk