[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames

To: undisclosed-recipients:;
Subject: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
From: "Tor Bug Tracker & Wiki" <torproject-admin@xxxxxxxxxxxxxx>
Date: Fri, 31 Dec 2010 14:33:47 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 31 Dec 2010 09:33:58 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: Tor bugs reporting list for trac <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx

#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
 Reporter:  rransom                   |       Owner:  erinn
     Type:  defect                    |      Status:  new  
 Priority:  critical                  |   Milestone:       
Component:  Tor bundles/installation  |     Version:       
 Keywords:                            |      Parent:       
--------------------------------------+-------------------------------------
 Currently, [https://www.torproject.org/docs/verifying-signatures we tell
 users] that the GPG signatures linked to from the download page 'allow you
 to verify the file you've downloaded is exactly the one that we intended
 you to get. For example, tor-browser-1.3.15_en-US.exe is accompanied by
 tor-browser-1.3.15_en-US.exe.asc.'  This is false.

 The GPG signatures only prove that a particular person associated with The
 Tor Project has signed a particular file; they do not authenticate the
 filename, thus they do not authenticate the package name or the package
 version, and they do not prove that a particular package file is the final
 build of a package version which we want to distribute to users.  This
 leaves our users vulnerable to version-rollback attacks and package-
 substitution attacks if they download packages from mirrors or over non-
 HTTPS connections.

 We should:

 * switch to signing the output of `sha256sum` on a package file, which
 includes the filename and a hash of the file, rather than signing the
 package file directly, and
 * explain on the verifying-signatures page how to verify downloaded
 packages using the signed SHA256SUM files, including explaining that
 unless there is a blank line after the '`Hash: `' line and before the
 hash-and-filename lines, the SHA256SUM file has been tampered with.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #2302 [Tor Relay]: Controller event for sighup and shutdown
Next by Author: Re: [tor-bugs] #2336 [Website]: translation.tpo update to transifex
Previous by thread: Re: [tor-bugs] #2339 [Torbutton]: Torbutton Date hook parses dates incorrectly (was: Detecting TORButton!!)
Index(es):
- Author
- Thread