[tor-bugs] #18074 [Tor Browser]: TBB Vagrantfile uses HTTP
#18074: TBB Vagrantfile uses HTTP
----------------------------+----------------------------------------------
Reporter: miserlou | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Minor | Keywords: tbb, tor-browser-bundle, browser
Actual Points: | Parent ID:
Points: | Sponsor:
----------------------------+----------------------------------------------
In the Tor Browser Bundle's Vagrantfile, the Ubuntu 12.04 build machine
base image is retrieved over plaintext HTTP. An attacker could potentially
swap this out for a malicious machine image. It's a small issue, but an
easy fix that'd probably set a few minds at ease.

The simple fix, of course, is to replace:

    config.vm.box_url = "http://files.vagrantup.com/precise64.box"

with:

    config.vm.box_url = "https://files.vagrantup.com/precise64.box"

Although this may cause a certificate error since VagrantUp is hosted on
Heroku.

A better alternative would be for Tor to host this .box themselves and
serve that over HTTPS/HSTS, but I don't know how feasible this is for you
at this time.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18074>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
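
A check a build maintainer could run over a Vagrantfile to flag the pattern this ticket reports, as an added example that is not part of the original ticket or of the Tor Browser build scripts. It goes beyond the ticket by also recognising Vagrant's `box_download_checksum` setting; the `Vagrant.configure` wrapper, the `example.invalid` host and the digest placeholder are constructed.

```ruby
require "uri"

# String-literal assignments only; an array-valued box_url is not handled.
BOX_URL  = /^\s*[\w.]+\.box_url\s*=\s*["']([^"']+)["']/
CHECKSUM = /^\s*[\w.]+\.box_download_checksum\s*=\s*["'][^"']+["']/

# Constructed samples. TICKET_CASE carries the box_url line quoted in the
# ticket; the host and digest in PINNED_CASE are placeholders.
TICKET_CASE = <<~VF
  Vagrant.configure("2") do |config|
    config.vm.box = "precise64"
    config.vm.box_url = "http://files.vagrantup.com/precise64.box"
  end
VF
HTTPS_CASE = TICKET_CASE.sub("http://", "https://") # the fix proposed in the ticket
PINNED_CASE = <<~VF
  Vagrant.configure("2") do |config|
    config.vm.box_url = "https://boxes.example.invalid/precise64.box"
    config.vm.box_download_checksum = "PLACEHOLDER_SHA256_OF_REVIEWED_BOX"
    config.vm.box_download_checksum_type = "sha256"
  end
VF

# Returns one record per remote (http/https) box_url found in the text.
def audit_box_urls(text)
  pinned = text.match?(CHECKSUM) # file-wide: is any box digest pinned?
  text.each_line.with_index(1).filter_map do |line, lineno|
    m = BOX_URL.match(line) or next
    scheme = begin
      URI.parse(m[1]).scheme
    rescue URI::InvalidURIError
      nil
    end
    next unless %w[http https].include?(scheme) # local paths are out of scope
    verdict = if pinned then :pinned               # image checked against a digest
              elsif scheme == "https" then :transport_only # trust rests on TLS and the host
              else :unverified                     # the case reported in the ticket
              end
    { line: lineno, url: m[1], verdict: verdict }
  end
end

if __FILE__ == $PROGRAM_NAME
  { "ticket" => TICKET_CASE, "https" => HTTPS_CASE, "pinned" => PINNED_CASE }.each do |name, text|
    audit_box_urls(text).each { |f| puts "#{name}: line #{f[:line]} #{f[:verdict]} #{f[:url]}" }
  end
end
```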