[tor-talk] Tor Browser Bundle with Chromium

Mike Perry mikeperry at torproject.org
Tue Mar 10 22:17:53 UTC 2015


Mike Perry:
> Seth David Schoen:
> > Luis writes:
> > 
> > > What are the reasons that makes building a Tor Browser using Chromium
> > > not such a good idea? I recall reading somewhere that while making a Tor
> > > Browser with a Chromium base would have its benefits due to Chromium's
> > > superior security model (i.e. sandboxing), there are "serious privacy
> > > issues" that would have to be solved to make that possible.
> > > My question is what are those issues? What is preventing someone from
> > > digging out all the Google integration and possible privacy-endangering
> > > features and making a Tor Browser Bundle out of it?
> > 
> > https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
> > 
> > I think that list is kept relatively up-to-date.
> 
> You might also like:
> https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study#chrome
> 
> In particular, this paragraph is relevant to the recent Superfish MITM
> (see http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/):
> 
> "The worst offender on this front is the use of the Microsoft Windows
> CryptoAPI for certificate validation, without any alternative. This bug
> means that certificate revocation checking and intermediate certificate
> retrieval happen outside of the browser's proxy settings, and is subject
> to alteration by the OEM and/or the enterprise administrator. Worse,
> beyond the Tor proxy issues, the use of this OS certificate validation
> API means that the OEM and enterprise also have a simple entry point for
> installing their own root certificates to enable transparent HTTPS
> man-in-the-middle, with full browser validation and no user consent or
> awareness."
> 
> In fact, I tried to argue with Ryan Sleevi and Adam Langley about the
> dangers of using CryptoAPI in this way, but I got crickets in response.
> I believe that supporting such MITMs is a deliberate policy from Google
> corporate that they cannot change. Adam went so far as to tell me that I
> should just fork Chromium, because they would not even consider merging
> an alternate browser-only cert store, even as a user option.
> 
> However, since our ultimate goal with any browser fork is to re-merge
> with upstream so we don't have to maintain invasive patches like this, a
> corporate-level blocker on basic security patches is a non-starter for
> any project involving Chrome.
> 
> 
> 
> P.S. How I miss the days when the outlandish doomsday scenarios that I
> imagined were still merely hypothetical. It seems every week a new
> nightmare comes true. (Man, I sure hope I'm wrong about the likelihood
> of wide-scale software build system attacks. I kind of like having
> computers).

"The security researchers also claimed they had created a modified
version of Apple’s proprietary software development tool, Xcode, which
could sneak surveillance backdoors into any apps or programs created
using the tool. Xcode, which is distributed by Apple to hundreds of
thousands of developers, is used to create apps that are sold through
Apple’s App Store.

The modified version of Xcode, the researchers claimed, could enable
spies to steal passwords and grab messages on infected devices.
Researchers also claimed the modified Xcode could “force all iOS
applications to send embedded data to a listening post.” It remains
unclear how intelligence agencies would get developers to use the
poisoned version of Xcode."

https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

*sigh*

-- 
Mike Perry