Thus spake tagnaq (tagnaq@xxxxxxxxx):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> >> - I assume requests to mozilla are encrypted + authenticated
> >
> > This assumption was and is wrong.
> > Disabling such insecure update paths makes sense.
>
> I concluded that the addon process is insecure because the versioncheck
> happens over HTTPS but the actual download of the new xpi file is over http.
> This simple conclusion is wrong if one doesn't check the entire update
> mechanism.
> To download something over an insecure channel is fine as long as you
> can check the file for modifications after the download.

Authentication is done now. We still provide the option because of
fingerprinting issues of downloading xpis in the clear over tor. It will
soon become a hidden option only, because we can only protect against
fingerprinting in Tor Browser, which should have a fixed set of addons.

> If firefox actually checks the SHA256 hash before installing the xpi it
> should be reasonably safe (beside the information leaks).
> Regarding SSL MITM: Mozilla seems to have a hardcoded check for the
> certificate of the versioncheck host.[1]
>
> What led Torbutton to the conclusion that the update mechanism is
> insecure and therefore disabled by default?
> (TBB: "Add-on update security checking is disabled. You may be
> compromised by updates.")
>
> Is 'compromised' meaning in this context: someone may install arbitrary
> xpis or was it more the kind of "your anonymity gets compromised because
> you disclose your addons incl. their versions"

Now that authentication is enabled, this is mostly an anonymity issue, yes.

> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
>
> http://kb.mozillazine.org/Software_Update

This is extremely interesting.
Seems to indicate that to preserve the same level of update security that
Mozilla provides, we should be hardcoding certificates for both the
HTTPS-Everywhere and torbutton update URLs, as they do not go through
versioncheck (anymore).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
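The update flow discussed above (version check over HTTPS, xpi download over plain http, hash checked before install) written out as an added example. This is not code from this message, from Torbutton, or from Mozilla, and it is Python rather than the browser's own JavaScript. It assumes the version-check response carries the hash as an "algo:hexdigest" string (an assumption made for illustration), and the sample xpi bytes are constructed. The point it demonstrates is the one tagnaq makes: the cleartext download is acceptable only because the hash arrives over the authenticated channel and is checked before anything is installed. It additionally refuses a hash field naming a weak or unknown digest, since accepting one would let a manipulated manifest weaken the check. It does nothing about the fingerprinting leak of fetching xpis in the clear, which is a separate problem.

```python
import hashlib
import hmac

# Digest algorithms an update manifest is allowed to name. Anything else
# (md5, sha1, an unknown label) is refused so that a manipulated hash field
# cannot downgrade the verification to a weak or unsupported digest.
ALLOWED_HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_update_hash(update_hash):
    """Split an "algo:hexdigest" string into (algo, lowercase hexdigest).

    The "algo:hex" shape is an assumption made for this example; it stands
    for the hash delivered by the authenticated (HTTPS) version check.
    Raises ValueError for a malformed, truncated or disallowed value.
    """
    algo, sep, digest = update_hash.partition(":")
    if not sep:
        raise ValueError("hash field is not of the form algo:hexdigest")
    algo = algo.lower()
    if algo not in ALLOWED_HASHES:
        raise ValueError("disallowed digest algorithm: %r" % algo)
    digest = digest.strip().lower()
    expected_len = ALLOWED_HASHES[algo]().digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not %d hex characters" % expected_len)
    return algo, digest


def verify_xpi(xpi_bytes, update_hash):
    """True iff xpi_bytes hashes to the digest named in update_hash."""
    algo, expected = parse_update_hash(update_hash)
    actual = ALLOWED_HASHES[algo](xpi_bytes).hexdigest()
    # Constant-time comparison; both sides are ASCII hex, as compare_digest
    # requires for str arguments.
    return hmac.compare_digest(actual, expected)


def install_decision(xpi_bytes, update_hash):
    """Gate the install step on the hash check.

    Returns "installed" only when the downloaded bytes match the manifest
    hash; a mismatch or an unusable hash field is a refusal, never a
    fall-through to installing anyway.
    """
    try:
        if verify_xpi(xpi_bytes, update_hash):
            return "installed"
        return "rejected: downloaded xpi does not match manifest hash"
    except ValueError as exc:
        return "rejected: unusable manifest hash (%s)" % exc


# Constructed sample data: a stand-in for an xpi fetched over plain http, and
# the hash the HTTPS version check would have delivered for it.
GENUINE_XPI = b"PK\x03\x04 constructed stand-in for an add-on xpi archive"
MANIFEST_HASH = "sha256:" + hashlib.sha256(GENUINE_XPI).hexdigest()
# The same download with its last byte changed by an on-path attacker.
TAMPERED_XPI = GENUINE_XPI[:-1] + b"!"
# A hash field that tries to move the check to a weak digest of the
# tampered file; this would only work if the manifest itself were
# unauthenticated, and the verifier refuses it regardless.
DOWNGRADED_HASH = "md5:" + hashlib.md5(TAMPERED_XPI).hexdigest()


def demo():
    return {
        "genuine download": install_decision(GENUINE_XPI, MANIFEST_HASH),
        "tampered download": install_decision(TAMPERED_XPI, MANIFEST_HASH),
        "downgraded hash field": install_decision(TAMPERED_XPI, DOWNGRADED_HASH),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-22s %s" % (case, outcome))
```

Running it prints one line per case: the genuine download installs, the tampered one is rejected on mismatch, and the md5 field is rejected before any comparison is attempted. Hardcoding the certificate of the update host, as the message above proposes for the Torbutton and HTTPS-Everywhere URLs, is what keeps the hash itself trustworthy; the check here is only as good as the channel that delivered MANIFEST_HASH.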
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk