
Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>> - I assume requests to mozilla are encrypted + authenticated
> 
> This assumption was and is wrong.
> Disabling such insecure update paths makes sense.

I concluded that the addon process is insecure because the versioncheck
happens over HTTPS but the actual download of the new xpi file is over http.
This simple conclusion is wrong if one doesn't check the entire update
mechanism.
To download something over an insecure channel is fine as long as you
can check the file for modifications after the download.

The versioncheck mechanism provides the location of the new xpi file and
the SHA256 Hash over SSL to the browser:
======
[...]
 <em:updateLink>http://releases.mozilla.org/pub/mozilla.org/addons/722/noscript-2.1.1.1-fx+sm+fn.xpi</em:updateLink>

<em:updateInfoURL>https://addons.mozilla.org/versions/updateInfo/1246876/%APP_LOCALE%/</em:updateInfoURL>

<em:updateHash>sha256:738eafacb3d3273b9d8ab46f7ffb34d6ba756dd7a35548ad73332106be88ae02</em:updateHash>
[...]
======

If Firefox actually checks the SHA256 hash before installing the xpi it
should be reasonably safe (besides the information leaks).
Regarding SSL MITM: Mozilla seems to have a hardcoded check for the
certificate of the versioncheck host.[1]

What led Torbutton to the conclusion that the update mechanism is
insecure and therefore disabled by default?
(TBB: "Add-on update security checking is disabled. You may be
compromised by updates.")

Does 'compromised' in this context mean that someone may install arbitrary
xpis, or was it more the kind of "your anonymity gets compromised because
you disclose your addons incl. their versions"?

I suppose that's a question for Mike?

thanks!


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4

http://kb.mozillazine.org/Software_Update






-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAk4HGpIACgkQyM26BSNOM7ZclgD9Ft2mbuVLR5Qj7Ny3TS1B4aU5
bZYzAqh51szODEvr9TIA/jPbRxrrE2ixnn7eMeIFo52v3eNS+dmxyOLpylMAup9z
=A1VT
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
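
The check discussed in the message above, sketched as an added example (not part of the original post, and not Firefox or Torbutton code): a hash taken from the update manifest is trusted only if the manifest itself came over HTTPS, and the file fetched over plain HTTP is accepted only if it matches. The function names, the `.example` hosts, the payload and the allowed-algorithm policy are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample: element names follow the manifest fragment quoted in the
# message; the URL and payload are placeholders, not a real release.
GOOD_XPI = b"PK\x03\x04 constructed xpi payload"
MANIFEST = (
    "<em:updateLink>http://releases.example/addon-1.0.xpi</em:updateLink>\n"
    "<em:updateHash>sha256:%s</em:updateHash>\n" % hashlib.sha256(GOOD_XPI).hexdigest()
)
ALLOWED_ALGOS = {"sha256", "sha512"}  # assumption: this example rejects weaker digests


def parse_manifest(manifest_url, text):
    """Return (update_link, algo, hex_digest) or raise ValueError."""
    if not manifest_url.lower().startswith("https://"):
        raise ValueError("manifest not fetched over HTTPS, its hash is untrusted")
    fields = {}
    for name in ("updateLink", "updateHash"):
        # A regex is enough here: the quoted fragment is not a complete RDF document.
        m = re.search(r"<em:%s>\s*(.*?)\s*</em:%s>" % (name, name), text, re.S)
        if m is None:
            raise ValueError("manifest lacks em:" + name)
        fields[name] = m.group(1)
    algo, sep, hexdigest = fields["updateHash"].partition(":")
    algo = algo.lower()
    if not sep or algo not in ALLOWED_ALGOS:
        raise ValueError("unsupported updateHash: " + fields["updateHash"])
    if not re.fullmatch(r"[0-9a-fA-F]+", hexdigest):
        raise ValueError("updateHash is not hexadecimal")
    return fields["updateLink"], algo, hexdigest.lower()


def check_update(manifest_url, manifest_text, downloaded):
    """Decide whether the downloaded xpi bytes may be installed: (ok, reason)."""
    try:
        _link, algo, expected = parse_manifest(manifest_url, manifest_text)
    except ValueError as err:
        return (False, str(err))
    actual = hashlib.new(algo, downloaded).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return (False, "hash mismatch: file modified in transit or wrong file")
    return (True, "ok")
```

This covers only the integrity question raised in the message; the information leak (which add-ons and versions are being checked) is unaffected by the hash check.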