Thandy attacks / suggestions

Roger Dingledine arma at mit.edu
Mon Dec 8 19:57:33 UTC 2008


On Mon, Dec 08, 2008 at 11:25:49AM -0800, coderman wrote:
> On Sun, Dec 7, 2008 at 5:14 PM, Roger Dingledine <arma at mit.edu> wrote:
> > ...
> > 1) Apparently python's urllib doesn't check SSL certs or cert chains.
> > ... His suggested fix was to ship our SSL cert with the updater;
> 
> how critical is https given the signature checking on the files
> downloaded?

Checking the cert only matters if a) the client has the wrong time,
and/or b) the attacker gets a copy of the timestamp key. In those
cases being able to mitm the client requests will let the attacker 1)
keep the client from realizing that an upgrade is available, and 2) for
newly bootstrapping clients, choose which versions the client should like.

So it is not critical, but 'defense in depth' is the mantra here.

> > C) We should stop letting every mirror serve the timestamp file, but
> > instead serve it from a smaller more trusted subset of the mirrors
> > ... I'm not sure how big a change this is
> > from the spec, which says:
> >  Every mirror is a copy of some or all of the directory hierarchy
> >  containing at least the /meta, /bundles/, and /pkginfo directories.
> 
> what if clients only download that particular file from the (more)
> trusted set?  or should the confusion of a timestamp on a mirror where
> it will never be requested be avoided?

Sounds fine to me. The mirrors will want the /meta files anyway, to
check the consistency/integrity of the files they're serving.

--Roger



More information about the tor-dev mailing list