Arthur D. Edelstein:
On Mon, Jan 29, 2018 at 3:47 AM, Georg Koppen gk@torproject.org wrote:
Hi Georg,
Thanks for looking through the list! I addressed each of your points below. (Please see my questions below about 14 and 20.)
[snip]
- #19121: it seems this is WONTFIX for Mozilla right now? I guess we
keep it and make our argument later again? Or we argue along the lines of 10) and bite the bullet.
I looked at our discussion yesterday but I don't really understand what our patch is fixing. What's the advantage in doing a separate hash check if there is a signature verification (which presumably includes a hash check anyway)?
Okay, after a lot of digging I found what I was looking for. FWIW: it's not the same hash check that you do when verifying a signature. What is meant in our case is that the hash that you got via the update.xml file check is matching the hash of the actual MAR file.
The context for that discussion was:
https://trac.torproject.org/projects/tor/ticket/17442#comment:4
which was kind of a reply to https://bugzilla.mozilla.org/show_bug.cgi?id=1063111#c3 which argued that, especially due to legitimate MitM, only signature based verification should be used. However, we want to have at least two independent means that need to get compromised before fake updates can get applied. That's especially true in our current setup where we host the update.xml ourselves and Fastly holds all the actual update files. tjr made this point in the last meeting.
(Note, though, that we might want to think about strengthening both pillars we currently rely on for our update security, but that is orthogonal to the question whether we want to enable the hash check or not.)
[snip]
- #5282: "no uplift". The whole pipelining code is gone and Mike is
fine having our patch removed in that wake, too.
OK! Shall I remove it from my TBB-ESR60 branch?
Yes, please.
[snip]
Georg
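To make the distinction in the thread concrete, here is an added example (written for this page, not code from Tor Browser or Mozilla) of the second "pillar" Georg describes: checking that the MAR file fetched from the CDN matches the `hashFunction`/`hashValue`/`size` advertised on the `<patch>` element of update.xml, independently of the MAR signature check. The attribute names follow Mozilla's update.xml format; the manifest text and the MAR bytes below are constructed, and the signature verification that forms the other pillar is assumed to happen separately and is not implemented here.

```python
"""Hash-pillar check for an update: does the downloaded MAR match what
update.xml advertised?  This is independent of MAR signature verification
(the other pillar), so an attacker would have to compromise both the
manifest host and the file host to push a fake update past both checks.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Hash functions we accept from the manifest; anything else (md5, sha1,
# a missing attribute) is treated as a failed check rather than trusted.
SUPPORTED_HASHES = {"sha256", "sha384", "sha512"}


class ManifestError(ValueError):
    """Raised when update.xml has no usable <patch> entry."""


def make_manifest(hash_function: str, hash_value: str, size: int,
                  url: str = "https://cdn.example/tb-complete.mar") -> str:
    """Build a constructed update.xml with a single complete patch.
    The URL is a placeholder, not a real update location."""
    return (
        "<updates>\n"
        '  <update type="minor" displayVersion="8.0a1" appVersion="60.0">\n'
        f'    <patch type="complete" URL="{url}" '
        f'hashFunction="{hash_function}" hashValue="{hash_value}" '
        f'size="{size}"/>\n'
        "  </update>\n"
        "</updates>\n"
    )


def parse_patch(update_xml: str, patch_type: str = "complete") -> dict:
    """Extract the hash/size claims for the requested patch type."""
    root = ET.fromstring(update_xml)
    for patch in root.iter("patch"):
        if patch.get("type") == patch_type:
            return {
                "url": patch.get("URL"),
                "hash_function": (patch.get("hashFunction") or "").lower(),
                "hash_value": (patch.get("hashValue") or "").lower(),
                "size": int(patch.get("size", "-1")),
            }
    raise ManifestError(f"no <patch type={patch_type!r}> in manifest")


def verify_mar_against_manifest(update_xml: str, mar_bytes: bytes,
                                patch_type: str = "complete") -> bool:
    """Return True only if the MAR bytes match the manifest's size and hash.

    Size is checked first (cheap, and catches truncated downloads), then the
    digest is compared in constant time.  A manifest naming an unsupported
    hash function fails closed."""
    patch = parse_patch(update_xml, patch_type)
    if patch["hash_function"] not in SUPPORTED_HASHES:
        return False
    if patch["size"] != len(mar_bytes):
        return False
    actual = hashlib.new(patch["hash_function"], mar_bytes).hexdigest()
    return hmac.compare_digest(actual, patch["hash_value"])


# Constructed stand-in for a MAR file body served from the file host.
SAMPLE_MAR = b"MAR1" + b"\x00" * 60 + b"constructed-update-payload"
SAMPLE_UPDATE_XML = make_manifest(
    "sha512", hashlib.sha512(SAMPLE_MAR).hexdigest(), len(SAMPLE_MAR))


def demo() -> dict:
    """Exercise the check against the good file and a few failure modes."""
    tampered = SAMPLE_MAR[:-1] + b"!"           # same length, one byte changed
    truncated = SAMPLE_MAR[:-8]                 # CDN served a short file
    weak_manifest = make_manifest(
        "md5", hashlib.md5(SAMPLE_MAR).hexdigest(), len(SAMPLE_MAR))
    return {
        "genuine": verify_mar_against_manifest(SAMPLE_UPDATE_XML, SAMPLE_MAR),
        "tampered": verify_mar_against_manifest(SAMPLE_UPDATE_XML, tampered),
        "truncated": verify_mar_against_manifest(SAMPLE_UPDATE_XML, truncated),
        "weak_hash": verify_mar_against_manifest(weak_manifest, SAMPLE_MAR),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} -> {'accept' if ok else 'reject'}")
```

The point of keeping this check separate from signature verification is exactly the one made in the thread: the manifest and the MAR file are served by different parties, so the hash pins the file the manifest host vouched for, while the signature pins the file to the signing key. Either check alone passing is not enough to apply the update.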