[tor-commits] [tor-browser-spec/master] Add update security info.

mikeperry at torproject.org mikeperry at torproject.org
Thu Apr 30 05:26:01 UTC 2015


commit 351f4868291f16da605191c6f0597b632277d841
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Wed Apr 29 20:55:25 2015 -0700

    Add update security info.
---
 design-doc/design.xml |   55 +++++++++++++++++++++++++------------------------
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/design-doc/design.xml b/design-doc/design.xml
index 5c16ce8..90f8032 100644
--- a/design-doc/design.xml
+++ b/design-doc/design.xml
@@ -221,19 +221,6 @@ ephemeral-keyed encrypted swap.
 
 </para></listitem>
 
-<!-- XXX-4.5: Add a section for this.
- <listitem><link linkend="update-safety"><command>Update Safety</command></link>
-
-<para>
-The browser MUST NOT perform unsafe updates or upgrades. Update checks
-and downloads MUST protected by a pinned TLS certificate. All automatic update
-packages SHOULD be signed with at least one offline key. The update mechanism
-MUST have defenses against holdback/freeze attacks, downgrade attacks, and
-general availability attacks.
-
-</para></listitem>
--->
-
 </orderedlist>
 
   </sect2>
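Review bot: the commented-out Update Safety requirement is deleted outright instead of being uncommented, so the requirements orderedlist no longer has a <listitem> for it; since this same commit adds <sect2 id="update-safety"> further down, restore the listitem with its <link linkend="update-safety"> so the requirement is listed next to the others and cross-referenced. The dropped text is also the only place that spelled out the MUST/SHOULD requirements (pinned TLS certificate, at least one offline signing key, defenses against holdback/freeze, downgrade and availability attacks), which is exactly the checklist the new section should be reviewed against.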
@@ -1121,13 +1108,6 @@ $HOME environment variable to be the TBB extraction directory.
    </para>
 
   </sect2>
-<!-- FIXME: Write me... 
-  <sect2 id="update-safety">
-   <title>Update Safety</title>
-   <para>FIXME: Write me..
-   </para>
-  </sect2>
--->
   <sect2 id="identifier-linkability">
    <title>Cross-Origin Identifier Unlinkability</title>
    <para>
@@ -2367,7 +2347,6 @@ of its update pings.
 <sect1 id="BuildSecurity">
   <title>Build Security and Package Integrity</title>
   <para>
-<!-- XXX-4.5: signatures of MARs and exes are reproducibly removable -->
 
 In the age of state-sponsored malware, <ulink
 url="https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise">we
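Review bot: the removed XXX note claimed that signatures on both MARs and exes are reproducibly removable, but the added text later in this patch only covers stripping the Windows exe signature with osslsigncode; nothing says how a MAR signature is stripped or verified against a reproducible build. If MAR signature stripping is supported, document it in the Package Signatures section; if not, the note should stay as an open item rather than be dropped.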
@@ -2532,7 +2511,6 @@ time-based dependency tracking</ulink> that only appear in LXC containers.
   </sect2>
 
   <sect2>
-<!-- XXX-4.5: unsigning -->
     <title>Package Signatures and Verification</title>
     <para>
 
@@ -2565,11 +2543,11 @@ consensus, and encoding the package hashes in the Bitcoin blockchain.
      </para>
     <para>
 
-At the time of this writing, we do not yet support native code signing for Mac
-OS or Windows. Because these signatures are embedded in the actual packages,
-and by their nature are based on non-public key material, providing native
-code-signed packages while still preserving ease of reproducibility
-verification has not yet been achieved.
+The Windows releases are also signed by a hardware token provided by Digicert.
+In order to verify package integrity, the signature must be sripped off using
+the osslsigncode tool, as described on the <ulink
+url="https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification">Signature
+Vericication</ulink> page.
 
     </para>
   </sect2>
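Review bot: two typos in the added lines: "sripped" should be "stripped", and the link text "Vericication" should be "Verification". The replaced paragraph was also the only mention of Mac OS code signing; after this change the document no longer states whether Mac OS packages are natively signed, so keep a sentence giving the current Mac OS status. Minor wording: a package is signed with a key held on a hardware token, not "signed by a hardware token".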
@@ -2598,6 +2576,29 @@ verifier.
 
    </para>
   </sect2>
+  <sect2 id="update-safety">
+   <title>Update Safety</title>
+   <para>
+
+We make use of the Firefox updater in order to provide automatic updates to
+users. We make use of certificate pinning to ensure that update checks
+be tampered with, and we sign the individual MAR update files with an offline
+signing key.
+
+   </para>
+   <para>
+
+The Firefox updater also has code to ensure that it can reliably access the
+update server to prevent availability attacks, and complains to the user of 48
+hours go by without a successful response from the server. Additionally, we
+use Tor's SOCKS username and password isolation to ensure that every new
+request to the updater traverses a separate circuit, to avoid holdback attacks
+by exit nodes.
+
+   </para>
+  </sect2>
+
+
 </sect1>
 <!--
   <sect2 id="components">
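Review bot: the first paragraph is missing a word: "to ensure that update checks be tampered with" should read "cannot be tampered with". In the second paragraph, "complains to the user of 48 hours go by" should be "if 48 hours go by". On substance, the requirement removed in the first hunk listed downgrade attacks alongside holdback/freeze and availability attacks, but the new section says nothing about downgrade/rollback protection (for example, whether the updater refuses a MAR whose version is lower than the installed one); either document that defense or mark it as open. "Has code to ensure that it can reliably access the update server" is also vague; say what the updater actually does beyond the 48-hour warning. Finally, the two blank lines after </sect2> before </sect1> are stray whitespace.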




