[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TBB 2.2.32 & Automatic Updates

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
From: Erinn Clark <erinn@xxxxxxxxxxxxxx>
Date: Tue, 6 Sep 2011 02:20:43 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 05 Sep 2011 21:21:00 -0400
In-reply-to: <4E6544B8.6030501@xxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4E6469F7.9050001@xxxxxxxxx> <20110905110946.GB12302@xxxxxxxxxxxxxx> <4E6544B8.6030501@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.4.2.3i

* cgp3cg <cgp3cg@xxxxxxxxx> [2011:09:06 07:52 +1000]: 
> Thanks Erinn,
> 
> I've also discovered that with this version FF defaults to saving
> passwords, and that there a 4 CA certificates present for DigiNotar and
> 2 for DigiNotar B.V.
> 
> The first isn't a huge issue, but according to the changelog for 2.2.32-2:
> 
> * Update Firefox to 6.0.1, with an additional patch to exclude
>   DigiNotar completely
> 
> I've also had a quick poke at a few older versions (the only ones I have
> handy):
> - 2.2.25 (FF 4.0.1)
> - 1.1.3 (FF 3.6.13)
> 
> and both only show 1 CA cert for DigiNotar. Stock standard FF 6.0 also
> only had one, and it's now gone completely from 6.0.1 ... so why the
> presence of four in TBB?

This is a change in Firefox 6.0.2 where they list them so they can explicitly
distrust them. If you click on Aurora->Preferences (or Options, I think, in
Windows)->View Certificates->then click on any of the DigiNotar things present,
it will say at the top "Explicitly Distrust [...]".

You can see some more of that here: 
https://hg.mozilla.org/releases/mozilla-release/rev/55b5cd1ce8fe

This basically superseded our (and their) patches, and I think the reason there
are so many more listed is because they got all of them, including
intermediaries. To be honest, while Mozilla has been very helpful and
responsive to us, we don't have complete insight into their decision-making
processes so we are trusting them to do the right thing here, at least right
this minute with the given time-constraints. When things have settled down a
bit more we will probably revisit how TBB handles certs overall. In essence,
there has been a lot of turbulence with this release (which happened 2 weeks
early because of this mess, and then went through a bunch of rapid changes
immediately after) so everything is a bit wobbly.

We're going to be making some more radical changes and the build/QA team is
basically just me, for all platforms, except when other devs & volunteers pitch
in. Would you be interested in helping us out with better testing?

Attachment: pgpGwSTNXa6vW.pgp
Description: PGP signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] TBB 2.2.32 & Automatic Updates
  - From: cgp3cg

References:
- [tor-talk] TBB 2.2.32 & Automatic Updates
  - From: cgp3cg
- Re: [tor-talk] TBB 2.2.32 & Automatic Updates
  - From: Erinn Clark
- Re: [tor-talk] TBB 2.2.32 & Automatic Updates
  - From: cgp3cg

Prev by Author: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
Next by Author: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
Previous by thread: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
Next by thread: Re: [tor-talk] TBB 2.2.32 & Automatic Updates
Index(es):
- Author
- Thread