[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] any issue with TBB extensions auto updating?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> Is there any anonymity / fingerprinting issue(s) w/ extension
> shipped w/ TBB auto updating during a Tor session?
> 
> Default setting in TBB in Addons > Extension under drop box,
> "Update Add-ons Automatically" is checked.
> 
> Do No Script, HTTPS Everywhere, TorButton automatically update when
> the default update selection above is checked & does that pose any
> anonymity / fingerprinting issues?

You might be interested in this discussion:
https://lists.torproject.org/pipermail/tor-talk/2011-June/020755.html
https://lists.torproject.org/pipermail/tor-talk/2011-July/020784.html

short version: the exit sees what you are updating (http request) but
can't modify it without being detected.

regarding the prevention of SSL MITM (compromised CAs and the such)
during the update process, you might want to have a look at:
https://trac.torproject.org/projects/tor/ticket/3555

the future of key pinning via HTTP headers
http://tools.ietf.org/rfcmarkup?doc=draft-ietf-websec-key-pinning-01
-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAk+xbEkACgkQyM26BSNOM7aJ3AEAnWiVA4+And1x/ThB07dH/p6M
Y8KBT51eNVCFKg8GCsgA/AjaTuAsE2tuGhky25py9KCZtqAQsIbKdXQsjAE9U9iD
=dlXp
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk