Re: [tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
Reporter: rransom | Owner: rransom
Type: defect | Status: needs_review
Priority: critical | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
--------------------------------------+-------------------------------------
Comment(by rransom):
Replying to [comment:6 dkg]:
> Replying to [ticket:2340 rransom]:
>
> > The GPG signatures only prove that a particular person associated with
> > The Tor Project has signed a particular file; they do not authenticate the
> > filename, thus they do not authenticate the package name or the package
> > version, and they do not prove that a particular package file is the final
> > build of a package version which we want to distribute to users. This
> > leaves our users vulnerable to version-rollback attacks and
> > package-substitution attacks if they download packages from mirrors or
> > over non-HTTPS connections.
>
> Isn't this still true if they download the proposed new file format over
> non-HTTPS connections? As an attacker in this scenario, I can just point
> them to the set of different files, including the old .asc.
You wouldn't be able to label an old package like TBB-Windows 1.3.13 as a
shiny new 1.3.18, and thereby persuade users of an up-to-date version to
'upgrade' to a buggy older version, with the new format.
> Doesn't the tor installer package contain its version number internally?
> You mention an .exe, and I haven't worked on that platform in years, but I
> seem to recall that Windows executables could embed a version number that
> is visible in one of the tabs of the File Properties dialog, which
> would presumably not change even if the file name changed.
The Vidalia Bundle for Windows installer has the version numbers of Tor
and Vidalia in its 'File Description' field. The Tor Browser Bundle for
Windows self-extracting archive does not have any useful version
information on the archive itself, although a README file inside the
archive can give a lower bound on the version.
> Another approach entirely could use the OS-native mechanism for signing
distributed software:
>
> * [http://stackoverflow.com/questions/252226/signing-a-windows-exe-file
> Windows appears to use signtool.exe] -- I don't know much about it,
> whether embedded version numbers are themselves signed, and/or whether the
> signatures can be made to expire.
The major advantage of this signing method is that Windows will verify the
signature for users under some circumstances. The major drawback is that
it requires paying off the 'SSL mafia' for a code-signing certificate.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
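The rollback attack rransom describes, and the manifest-style fix the ticket is debating, as an added example that is not part of the original ticket or of any Tor Project code. Ed25519 from Go's standard library stands in for the GPG release signature; the package bytes, the filenames `tor-browser-1.3.13.exe` / `tor-browser-1.3.18.exe`, the `sha256sum`-like manifest format and the `VerifyAgainstManifest` client check are all constructed for illustration and are assumptions, not a Tor tool or format.

```go
package main

// Added example (not Tor Project code). A detached signature covers only the
// file bytes, so an old package plus its old .asc still verifies after being
// renamed to a newer version. A signed manifest that binds each filename
// (hence package name and version) to a hash lets the client reject that.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// NewSigner generates the release-signing keypair (stand-in for the GPG key).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// DetachedSign mirrors `gpg --detach-sign pkg`: only the bytes are signed.
func DetachedSign(priv ed25519.PrivateKey, content []byte) []byte {
	return ed25519.Sign(priv, content)
}

// DetachedVerify mirrors `gpg --verify pkg.asc pkg`. The filename plays no
// role, which is exactly the defect the ticket reports.
func DetachedVerify(pub ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(pub, content, sig)
}

// BuildManifest renders one "<sha256hex>  <filename>" line per release file
// (two-space separator as sha256sum uses), sorted by name so the text is
// deterministic. The whole manifest text is what gets signed.
func BuildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// VerifyAgainstManifest is the hypothetical client-side check: the manifest
// signature must verify, the filename the client expects must be listed, and
// the downloaded bytes must hash to that entry. A renamed old package fails
// the hash check; an old manifest served alongside it fails the listing check.
func VerifyAgainstManifest(pub ed25519.PublicKey, manifest string, sig []byte, expectedName string, content []byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid")
	}
	sum := sha256.Sum256(content)
	want := hex.EncodeToString(sum[:])
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 || parts[1] != expectedName {
			continue
		}
		if parts[0] != want {
			return fmt.Errorf("%s: hash mismatch, not the file the signed manifest names", expectedName)
		}
		return nil
	}
	return fmt.Errorf("%s: not listed in the signed manifest", expectedName)
}

func main() {
	pub, priv := NewSigner()

	// Constructed sample package contents; real ones would be bundle bytes.
	old := []byte("tor-browser-1.3.13 (buggy old build)")
	cur := []byte("tor-browser-1.3.18 (current build)")
	oldSig := DetachedSign(priv, old)

	// Rollback: a mirror serves the old bytes and old .asc under the new
	// filename. The detached signature still verifies, so the client cannot tell.
	fmt.Println("detached sig on renamed old package verifies:", DetachedVerify(pub, old, oldSig))

	// Signed manifest for the 1.3.18 release; the client knows which name it wants.
	manifest := BuildManifest(map[string][]byte{"tor-browser-1.3.18.exe": cur})
	manSig := DetachedSign(priv, []byte(manifest))
	fmt.Println("current package:", VerifyAgainstManifest(pub, manifest, manSig, "tor-browser-1.3.18.exe", cur))
	fmt.Println("renamed old package:", VerifyAgainstManifest(pub, manifest, manSig, "tor-browser-1.3.18.exe", old))
}
```

Run with `go run`: the first line prints `true` (the defect), the second `<nil>`, the third a hash-mismatch error. Note that `expectedName` is something the client has to know from elsewhere (an update check, a pinned version); the manifest stops an attacker from relabelling 1.3.13 as 1.3.18, which is rransom's point, but it does not by itself tell a client whether 1.3.18 is still the latest release, which is dkg's.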