[tbb-bugs] #15687 [Tor Browser]: Make Tor Browser work with AppLocker

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 14 13:28:43 UTC 2015

#15687: Make Tor Browser work with AppLocker
     Reporter:  gk       |      Owner:  tbb-team
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:
    Component:  Tor      |    Version:
  Browser                |   Keywords:  tbb-security, tbb-usability-
   Resolution:           |  stoppoint-app
Actual Points:           |  Parent ID:
       Points:           |

Comment (by starlight):

 I agree that signing all the binaries and DLLs would be ideal.

 Here I've avoided the default rules and require all
 binaries be signed by an approved publisher
 or have a hash entry--i.e. strict whitelisting.
 Allowing anything in system directories to run
 is less about security and more about controlling
 what applications users' can run in a managed

 With signed binaries, just one EXE and one DLL
 rule are required.  Presently have to create two
 hash rules for each TBB release, adding files from
 several subdirectories.  Is a fair amount of
 work.  Temporary installer DLLs require a rule
 as well.

 While whitelisting is not, as many point out,
 a silver bullet against intrusion, it raises
 the bar for attackers tremendously.  Makes
 obtaining persistence much more difficult.

 Perhaps Linux signed binaries should be
 supported eventually as well.  Don't know
 enough about it yet myself to have
 an opinion.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15687#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list