Re: [tor-bugs] #7085 [Tor bundles/installation]: Integrate Cryptocat Browser Extension into Tor Browser Bundle

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#7085: Integrate Cryptocat Browser Extension into Tor Browser Bundle
--------------------------------------+-------------------------------------
 Reporter:  kaepora                   |          Owner:  erinn                        
     Type:  enhancement               |         Status:  new                          
 Priority:  normal                    |      Milestone:  TorBrowserBundle 2.2.x-stable
Component:  Tor bundles/installation  |        Version:  Tor: unspecified             
 Keywords:                            |         Parent:                               
   Points:                            |   Actualpoints:                               
--------------------------------------+-------------------------------------

Comment(by kaepora):

 Replying to [comment:26 mikeperry]:

 > Unfortunately, putting Cryptocat into the default TBB is not zero
 cost/zero risk. Here's a list of things that would make me feel better
 about the decision.
 >
 > First and foremost, I'd want to be absolutely sure that it didn't
 potentially expose even users who didn't use it to XUL XSS bugs or other
 vulnerabilities. Related. I'd want to be sure the UI didn't confuse or
 distract users who didn't know what it was for.
 >
 > Second, I am very concerned that there were XUL XSS bugs in the chat
 windows. To me, that's a bad sign. Ideally, I'd like to see something on
 your side (ie a tag in your bugtracker or some other document you wrote)
 that enumerates the patches that resulted from your first audit.

 The patches in which we fixed the audit bugs are enumerated (perhaps
 incompletely) in this [https://blog.crypto.cat/2012/11/security-update-
 our-first-full-audit/ blog post].

 >
 > Third, while it does look like the audit was extremely thorough, I think
 I'd prefer a second one for this reason. XUL XSS is quite serious, and
 since you're writing a network-facing app with lots of user and network
 provided content, its critical that your code receives lots of this type
 of review.

 Very well. Who would you recommend to perform the second audit? If you can
 give me a preferred auditor or a list of auditors that the Tor Project
 would feel comfortable with, I have no problem getting in touch with them.

 > I also want to feel sure you understand the issues and vulnerability
 vectors here, so I can be confident they won't reappear in future versions
 as you add features.

 I can safely say that I strongly understand.

 > Fourth, I guess I am mildly concerned about the crypto security. I don't
 believe it's impossible to do crypto with JS, but I would prefer it if the
 underlying primitive implementations also had a chance for review,
 especially since our inclusion of this addon would probably be seen as
 endorsement of its crypto and security by many.

 Our OTR implementation has been reviewed. If there is a specific type of
 further review you would wish to ask for, we can see it done.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7085#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs