[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #17870 [Tor Browser]: Some Windows 10 users experience authenticode errors if Tor Browser is signed on Linux
#17870: Some Windows 10 users experience authenticode errors if Tor Browser is
signed on Linux
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
Type: defect | team
Priority: High | Status: closed
Component: Tor Browser | Milestone:
Severity: Major | Version:
Keywords: tbb-security, TorBrowserTeam201601, | Resolution: fixed
GeorgKoppen201601 | Actual Points:
Parent ID: #15538 | Points:
Sponsor: |
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:12 tom]:
> I tested this on Windows 10 and had no issues, as seen here:
http://i.imgur.com/vAi7xQS.png
>
> When I run it, it still gives the "Do you want to run this file?"
prompt, but this is because it's a downloaded executable. the Publisher
shows the correct name. I don't believe there's anything Tor can do about
this prompt. (The only thing might be to submit it to Windows for
additional scanning or something - but I'm not sure and I can't find any
indication that this is an option - it's hard to search for.)
Thanks.
> I will note that the application is signed with SHA-1, which may cause
issues down the road. It would be better to dual-sign it with SHA-256
_and_ SHA-1. (We're not an MSI, which causes problems, but .exes can be
dual-signed. I don't know how to do this on linux, but there are
instructions for Windows here:
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-
enforcement-of-authenticode-code-signing-and-timestamping.aspx ).
>
> SHA-256 will be untrusted as a signing algorithm in the future.
According to MSFT's timetable, it looks like "On Win 7 and above, blocked
on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after
1/1/2016 for Mark of the Web files." Additionally as time goes on it may
be more difficult to obtain a SHA-1 signing cert. I don't think "Mark of
the Web" will affect Tor, but in the unlikely situation we wanted someone
running a 4-year-old executable, the signature will be untrusted in four
years.
This is a bit complicated. See the bug where Mozilla wrestled with it:
https://bugzilla.mozilla.org/show_bug.cgi?id=1079858 (for a summary see
comments 196 and 197). So, we are doing the same as Mozilla right now:
SHA-1 signature with a SHA-2 code signing certificate. I've created #18287
for taking a switch to a SHA-2 signature into account.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17870#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs