[tor-bugs] #3897 [Tor Browser]: TBB build does insecure download of source files

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Thu Sep 1 23:57:25 UTC 2011


#3897: TBB build does insecure download of source files
-------------------------+--------------------------------------------------
 Reporter:  tmpname0901  |          Owner:  mikeperry    
     Type:  defect       |         Status:  new          
 Priority:  normal       |      Milestone:               
Component:  Tor Browser  |        Version:  Tor: 0.2.2.32
 Keywords:               |         Parent:               
   Points:               |   Actualpoints:               
-------------------------+--------------------------------------------------
 A recent post on the Tor blog reminds us, in the wake of the DigiNotar
 debacle, of the importance of verifying signed files after downloading.
 So why then does the TBB build process download Tor source files
 insecurely, then fail to verify the signatures of the files?

 See file ~/build-scripts/versions.mk, most recently found in the
 tor-browser-2.2.32-2-src.tar.gz tarball.  First it explicitly ignores the
 certificate of the originating site ("wget --no-check-certificate") while
 getting the Tor and Vidalia source.  Then it fails to download the
 signature files and check them against the downloaded source tarball
 files.

 I urge that signed files actually be validated against their signatures in
 those cases where signatures are available.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3897>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
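The two download patterns the ticket contrasts, the certificate-ignoring fetch with no signature check beside a fetch that keeps TLS validation and verifies a detached signature against a pinned keyring, as an added Makefile example. This is not the contents of versions.mk or any Tor Project code; the version, mirror URL, keyring path and target names are assumed placeholders.

```makefile
# Added example, not the Tor Project's versions.mk. Every name below is an assumption.
TOR_VER     := X.Y.Z                                        # placeholder version
TOR_TARBALL := tor-$(TOR_VER).tar.gz
TOR_URL     := https://example.invalid/dist/$(TOR_TARBALL)  # placeholder mirror
TOR_KEYRING := $(CURDIR)/keys/tor-release-keys.gpg          # assumed: release keys committed to the build repo

.PHONY: tor-source-insecure tor-source

# Weak pattern described in the ticket: TLS certificate validation is turned
# off and no signature is fetched, so a compromised or impersonated mirror
# can hand the build an arbitrary tarball without anything failing.
tor-source-insecure:
	wget --no-check-certificate $(TOR_URL)

# Hardened pattern. wget keeps its default certificate validation and is
# told to refuse any redirect away from HTTPS.
$(TOR_TARBALL):
	wget --https-only -O $@ $(TOR_URL)

# The detached signature is fetched alongside the tarball (release .asc file
# next to the archive is an assumption about the mirror layout).
$(TOR_TARBALL).asc:
	wget --https-only -O $@ $(TOR_URL).asc

# Verification uses only the pinned keyring, never the builder's personal
# keyring, so a key that merely happens to be installed cannot satisfy it.
# gpg exits non-zero on a bad signature or an unknown key; make then stops,
# and the unverified tarball is removed so a later run cannot reuse it.
tor-source: $(TOR_TARBALL) $(TOR_TARBALL).asc
	gpg --no-default-keyring --keyring $(TOR_KEYRING) \
	    --verify $(TOR_TARBALL).asc $(TOR_TARBALL) \
	  || { rm -f $(TOR_TARBALL); echo "signature verification failed for $(TOR_TARBALL)" >&2; exit 1; }
	touch tor-source.verified
```

The same three-step shape (fetch archive, fetch signature, verify against a repo-pinned keyring and fail the build otherwise) applies to the Vidalia tarball the ticket mentions.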
