[tbb-bugs] #13065 [Tor Browser]: counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 5 14:44:12 UTC 2014
#13065: counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign /
verify tbb versions file
-------------------------+--------------------------
Reporter: proper | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+--------------------------
Securely downloading
https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions
solely relies on SSL, is currently neither signed, nor gets verified by
Tor Button.
This is problematic, because should torproject.org's web server or CA be
compromised one day, applications such as Tor Button and
[https://github.com/micahflee/torbrowser-launcher torbrowser-launcher]
could be fooled into using an outdated and/or malicious
RecommendedTBBVersions file.
Suggestion: could you please,
1) provide a signed version of RecommendedTBBVersions,
2) verify RecommendedTBBVersions in Tor Button.
To prevent downgrade and stale mirror attacks, the signature would have to
be renewed after every X weeks, and rejected by the verification mechanism
[+ user notification] if is is too old. (Similar to
[http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-
release-f.html Valid-Until] / #9810.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13065>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list