
Re: [tor-talk] Torbutton: 'Disable Updates During Tor' - Option



Thus spake tagnaq (tagnaq@xxxxxxxxx):

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> >> - I assume requests to mozilla are encrypted + authenticated
> > 
> > This assumption was and is wrong.
> > Disabling such insecure update paths makes sense.
> 
> I concluded that the addon process is insecure because the versioncheck
> happens over HTTPS but the actual download of the new xpi file is over HTTP.
> This simple conclusion is wrong if one doesn't check the entire update
> mechanism.
> To download something over an insecure channel is fine as long as you
> can check the file for modifications after the download.

Authentication is done now. 

We still provide the option because of fingerprinting issues of
downloading xpis in the clear over Tor. It will soon become a hidden
option only, because we can only protect against fingerprinting in Tor
Browser, which should have a fixed set of addons.


> If Firefox actually checks the SHA256 hash before installing the xpi it
> should be reasonably safe (besides the information leaks).
> Regarding SSL MITM: Mozilla seems to have a hardcoded check for the
> certificate of the versioncheck host.[1]
> 
> What led Torbutton to the conclusion that the update mechanism is
> insecure and therefore disabled by default?
> (TBB: "Add-on update security checking is disabled. You may be
> compromised by updates.")
> 
> Does 'compromised' mean in this context: someone may install arbitrary
> xpis or was it more the kind of "your anonymity gets compromised because
> you disclose your addons incl. their versions"?

Now that authentication is enabled, this is mostly an anonymity issue,
yes.
 
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
> 
> http://kb.mozillazine.org/Software_Update

This is extremely interesting. Seems to indicate that to preserve the
same level of update security that Mozilla provides, we should be
hardcoding certificates for both the HTTPS-Everywhere and Torbutton
update URLs, as they do not go through versioncheck (anymore).

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
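
The check discussed in the thread (a package fetched over plain HTTP is installed only if its hash, taken from the authenticated version check, matches), as an added Python sketch that is not part of the original messages or of Firefox's code. The entry fields `update_link` and `update_hash`, the `sha256:<hex>` format, the algorithm allow-list and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_ALGORITHMS = {"sha256", "sha512"}  # assumption: weaker digests refused

class UpdateRejected(Exception):
    """The downloaded package must not be installed."""

def verify_update(entry: dict, package: bytes) -> str:
    """Check package bytes against a manifest entry; return the verified digest.

    Assumes `entry` came from the version check over authenticated HTTPS, while
    `package` may have travelled over plain HTTP.
    """
    declared = entry.get("update_hash")
    if declared is None:
        scheme = urlparse(entry["update_link"]).scheme
        raise UpdateRejected(f"no declared hash for {scheme} download")
    algorithm, _, expected = declared.partition(":")
    algorithm = algorithm.lower()
    if algorithm not in ALLOWED_ALGORITHMS or not expected:
        raise UpdateRejected(f"unsupported or malformed hash: {declared!r}")
    actual = hashlib.new(algorithm, package).hexdigest()
    # Compare as bytes in constant time; hex case is normalised first.
    if not hmac.compare_digest(actual.encode(), expected.lower().encode()):
        raise UpdateRejected("digest mismatch: package modified or truncated")
    return actual

def check(entry: dict, package: bytes) -> str:
    """Return 'install' or the rejection reason, suitable for logging."""
    try:
        verify_update(entry, package)
        return "install"
    except UpdateRejected as exc:
        return f"reject: {exc}"

# Constructed sample data: a fake package body and a matching manifest entry.
SAMPLE_PACKAGE = b"PK\x03\x04 constructed xpi body for illustration"
SAMPLE_ENTRY = {
    "update_link": "http://downloads.example.invalid/addon-1.2.xpi",
    "update_hash": "sha256:" + hashlib.sha256(SAMPLE_PACKAGE).hexdigest(),
}

if __name__ == "__main__":
    print(check(SAMPLE_ENTRY, SAMPLE_PACKAGE))           # genuine package
    print(check(SAMPLE_ENTRY, SAMPLE_PACKAGE + b"\x00"))  # altered in transit
```

The check covers integrity only; the fingerprinting concern raised in the reply is separate from hash verification.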
