[tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 16 17:44:11 UTC 2014
#12642: Can Network Attacker Downgrade Dependency Install Security?
-----------------------+-------------------------
Reporter: earthrise | Owner: hellais
Type: defect | Status: new
Priority: normal | Milestone:
Component: Ooni | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-----------------------+-------------------------
From the ooni-backend readme:
{{{
pip install -r requirements.txt --use-mirrors
# Note: it is important that you install the requirements before you run
# the setup.py script. If you fail to do so they will be downloaded over
# plaintext.
python setup.py install
}}}
What happens if an attacker is MITMing the network connection, and they
make one package inaccessible during the pip install, but allow setup.py
to download it. Will it fall back to an insecure connection, allowing the
attacker to modify the code?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list