[tor-talk] Torbutton: 'Disable Updates During Tor' - Option

tagnaq tagnaq at gmail.com
Fri Jul 8 19:24:37 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

>> I concluded that the addon process is insecure because the versioncheck
>> happens over HTTPS but the actual download of the new xpi file is over http.
>> This simple conclusion is wrong if one doesn't check the entire update
>> mechanism.
>> To download something over an insecure channel is fine as long as you
>> can check the file for modifications after the download.
> 
> Authentication is done now. 

Thanks for confirming this.

>> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=653830#c4
>>
>> http://kb.mozillazine.org/Software_Update
> 
> This is extremely interesting. Seems to indicate that to preserve the
> same level of update security that Mozilla provides, 

yes, the certificate is hardcoded - I tried an addon update doing a MITM
with my own root CA (manually installed)
result: update refused (good!)

> we should be
> hardcoding certificates for both the HTTPS-Everywhere and torbutton
> update urls, as they do not go through versioncheck (anymore)..

hardcoding your *.tpo wildcard cert will also make other services safer
(check.tpo, www.tpo), but it will require new releases when the cert
expires.
-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAk4XWXUACgkQyM26BSNOM7ZtWQD7BaSlwl/1TGWQEoTFTLpEevEr
L4/JcnMMKkAJroUB0qIBAIVpFM1RLnUN07a6DUzkx0F1dCXen/lT8A0yLbpYLcca
=NwiA
-----END PGP SIGNATURE-----


More information about the tor-talk mailing list