[tor-commits] [tor-browser-spec/master] Add update security info.
mikeperry at torproject.org
Thu Apr 30 05:26:01 UTC 2015
commit 351f4868291f16da605191c6f0597b632277d841
Author: Mike Perry <mikeperry-git at torproject.org>
Date: Wed Apr 29 20:55:25 2015 -0700
Add update security info.
---
design-doc/design.xml | 55 +++++++++++++++++++++++++------------------------
1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/design-doc/design.xml b/design-doc/design.xml
index 5c16ce8..90f8032 100644
--- a/design-doc/design.xml
+++ b/design-doc/design.xml
@@ -221,19 +221,6 @@ ephemeral-keyed encrypted swap.
</para></listitem>
-<!-- XXX-4.5: Add a section for this.
- <listitem><link linkend="update-safety"><command>Update Safety</command></link>
-
-<para>
-The browser MUST NOT perform unsafe updates or upgrades. Update checks
-and downloads MUST protected by a pinned TLS certificate. All automatic update
-packages SHOULD be signed with at least one offline key. The update mechanism
-MUST have defenses against holdback/freeze attacks, downgrade attacks, and
-general availability attacks.
-
-</para></listitem>
--->
-
</orderedlist>
</sect2>
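Review bot: the commented-out requirements listitem is deleted here rather than uncommented, so the design requirements list loses its "Update Safety" entry (pinned TLS for update checks and downloads, at least one offline signing key, defenses against holdback/freeze, downgrade and availability attacks) at the same time the commit adds the `<sect2 id="update-safety">` that the `<link linkend="update-safety">` in this listitem was waiting for. Consider restoring the listitem without the `<!-- XXX-4.5` wrapper so the requirement stays in the list and now resolves to the new section, and so the new section can be checked against the stated requirements (in particular the downgrade and freeze defenses, which the added text does not mention).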
@@ -1121,13 +1108,6 @@ $HOME environment variable to be the TBB extraction directory.
</para>
</sect2>
-<!-- FIXME: Write me...
- <sect2 id="update-safety">
- <title>Update Safety</title>
- <para>FIXME: Write me..
- </para>
- </sect2>
--->
<sect2 id="identifier-linkability">
<title>Cross-Origin Identifier Unlinkability</title>
<para>
@@ -2367,7 +2347,6 @@ of its update pings.
<sect1 id="BuildSecurity">
<title>Build Security and Package Integrity</title>
<para>
-<!-- XXX-4.5: signatures of MARs and exes are reproducibly removable -->
In the age of state-sponsored malware, <ulink
url="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">we
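Review bot: the `XXX-4.5: signatures of MARs and exes are reproducibly removable` note is dropped without the point being documented anywhere in the added text. The later hunk in this patch describes stripping the Windows executable signature with osslsigncode, but nothing describes how the offline signatures on MAR update files are handled during reproducibility verification. Suggest either keeping the comment until that is written up or adding a sentence about MAR signature stripping to the "Package Signatures and Verification" or "Update Safety" section.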
@@ -2532,7 +2511,6 @@ time-based dependency tracking</ulink> that only appear in LXC containers.
</sect2>
<sect2>
-<!-- XXX-4.5: unsigning -->
<title>Package Signatures and Verification</title>
<para>
@@ -2565,11 +2543,11 @@ consensus, and encoding the package hashes in the Bitcoin blockchain.
</para>
<para>
-At the time of this writing, we do not yet support native code signing for Mac
-OS or Windows. Because these signatures are embedded in the actual packages,
-and by their nature are based on non-public key material, providing native
-code-signed packages while still preserving ease of reproducibility
-verification has not yet been achieved.
+The Windows releases are also signed by a hardware token provided by Digicert.
+In order to verify package integrity, the signature must be sripped off using
+the osslsigncode tool, as described on the <ulink
+url="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification">Signature
+Vericication</ulink> page.
</para>
</sect2>
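Review bot: two typos in the added lines, `sripped off` should be `stripped off` and `Signature Vericication` should be `Signature Verification`. Beyond the spelling, the removed paragraph covered both Mac OS and Windows code signing, while the replacement only states the Windows (Digicert hardware token) case; the Mac OS status is now unstated, so a sentence on whether Mac OS packages are natively signed, and if so how that signature is removed for verification, would keep the section complete. "signed by a hardware token provided by Digicert" would also read more precisely as "signed with a key held on a hardware token provided by Digicert".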
@@ -2598,6 +2576,29 @@ verifier.
</para>
</sect2>
+ <sect2 id="update-safety">
+ <title>Update Safety</title>
+ <para>
+
+We make use of the Firefox updater in order to provide automatic updates to
+users. We make use of certificate pinning to ensure that update checks
+be tampered with, and we sign the individual MAR update files with an offline
+signing key.
+
+ </para>
+ <para>
+
+The Firefox updater also has code to ensure that it can reliably access the
+update server to prevent availability attacks, and complains to the user of 48
+hours go by without a successful response from the server. Additionally, we
+use Tor's SOCKS username and password isolation to ensure that every new
+request to the updater traverses a separate circuit, to avoid holdback attacks
+by exit nodes.
+
+ </para>
+ </sect2>
+
+
</sect1>
<!--
<sect2 id="components">
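Review bot: the first added paragraph has a dropped word that inverts its meaning: "to ensure that update checks be tampered with" should read "to ensure that update checks cannot be tampered with". In the second paragraph, "complains to the user of 48 hours go by" should be "complains to the user if 48 hours go by". The new section covers availability attacks (the 48-hour complaint) and holdback attacks by exits (SOCKS username/password circuit isolation), but the requirements it replaces also named freeze and downgrade attacks; a sentence on whether the updater rejects MAR files with a version lower than the installed one, or how a stale update response is detected, would close that gap. The blank lines inside the `<para>` elements and the two trailing blank lines before `</sect1>` can also be dropped to match the surrounding markup.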