[tor-bugs] #3897 [Tor Browser]: TBB build does insecure download of source files
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Sep 1 23:57:25 UTC 2011
#3897: TBB build does insecure download of source files
-------------------------+--------------------------------------------------
Reporter: tmpname0901 | Owner: mikeperry
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version: Tor: 0.2.2.32
Keywords: | Parent:
Points: | Actualpoints:
-------------------------+--------------------------------------------------
A recent post on the Tor blog reminds us, in the wake of the DigiNotar
debacle, of the importance of verifying signed files after downloading.
So why then does the TBB build process download Tor source files
insecurely, then fail to verify the signatures of the files?
See file ~/build-scripts/versions.mk, most recently found in the
tor-browser-2.2.32-2-src.tar.gz tarball. First it explicitly ignores the
certificate of the originating site ("wget --no-check-certificate") while
getting the Tor and Vidalia source. Then it fails to download the
signature files and check them against the downloaded source tarball
files.
I urge that signed files actually be validated against their signatures in
those cases where signatures are available.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3897>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
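The ticket above describes two weaknesses in one build step: fetching with `wget --no-check-certificate` (TLS certificate checking off) and never verifying the detached signature of what was fetched. The script below is an added example, not the Tor Browser build scripts or any file from the tarball named in the ticket. It shows the hardened shape of such a step: a fetch function that leaves certificate checking on and pulls the `.asc` alongside the tarball, and a verify function that accepts a signature only from a pinned keyring. The URL, file names, key identity and keyring path are placeholders of my own; the `selftest` function builds a throwaway keyring, signs a constructed file, and confirms that a tampered tarball is rejected, so it runs offline with only `gpg` installed.

```shell
#!/bin/sh
# Added example (not from the Tor Browser build scripts): fetch a source
# tarball and its detached signature with certificate checking left ON, then
# refuse to proceed unless the signature verifies against a pinned keyring.
set -eu

# Weak form as described in the ticket (shown for contrast, never called):
#   wget --no-check-certificate https://build.example.invalid/tor.tar.gz
# TLS verification is disabled and no signature is checked afterwards.

# Hardened fetch: --https-only keeps certificate checking on and refuses
# plain-http redirects; the .asc is fetched next to the tarball.
# URL and output path are placeholders; a real build supplies its own.
fetch_source() {
    url="$1"; out="$2"
    wget --https-only -O "$out" "$url"
    wget --https-only -O "$out.asc" "$url.asc"
}

# Verify a detached signature using ONLY the keys in the pinned keyring
# (no default keyring, no keyserver lookups). Returns 0 on a good signature.
verify_signature() {
    tarball="$1"; sig="$2"; keyring="$3"
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --trust-model always --verify "$sig" "$tarball" 2>/dev/null
}

# Offline self-test with a constructed key and tarball: the untouched file
# must verify, and the same signature must fail once the file is altered.
# Returns 0 only when both outcomes are as expected.
selftest() {
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway signing key (placeholder identity, not a real Tor key).
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key "build-test <build-test@example.invalid>" ed25519 sign 0
    gpg --batch --export "build-test@example.invalid" > "$tmp/pinned.gpg"
    printf 'constructed tarball contents\n' > "$tmp/src.tar.gz"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --detach-sign --armor --output "$tmp/src.tar.gz.asc" "$tmp/src.tar.gz"

    good=1; bad=1
    verify_signature "$tmp/src.tar.gz" "$tmp/src.tar.gz.asc" "$tmp/pinned.gpg" && good=0
    printf 'tampered\n' >> "$tmp/src.tar.gz"
    verify_signature "$tmp/src.tar.gz" "$tmp/src.tar.gz.asc" "$tmp/pinned.gpg" && bad=0

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

In a Makefile such as the ticket's versions.mk, the equivalent is to make the unpack target depend on a successful `gpg --verify` of the downloaded `.asc` against a keyring checked into the build tree, so that a missing or bad signature stops the build rather than being silently skipped.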