[tbb-bugs] #15864 [Tor Browser]: Differentiate between build and release sha256sums.txt

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Apr 30 16:37:57 UTC 2015

#15864: Differentiate between build and release sha256sums.txt
     Reporter:           |      Owner:  tbb-team
  mikeperry              |     Status:  new
         Type:  defect   |  Milestone:
     Priority:  normal   |    Version:
    Component:  Tor      |   Keywords:  tbb-4.5-regression,
  Browser                |  TorBrowserTeam201505, tbb-usability
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |

Comment (by gk):

 I am not convinced yet that we should add another SHA256 sums file
 containing the checksums of the bundles we release for a couple of reasons
 (hopefully combined they are stronger than the "but users are doing it
 this way"-argument :) ).

 First, adding another checksums file is not reproducible builds related
 but only for two scenarios:
 a) A user just downloads the additional SHA256 sums file and checks a
 bundle downloaded before (or obtained otherwise)
 b) A user downloads the additional SHA256 sums file and its signature,
 checks the signature and uses then the checksum to check a bundle
 downloadable before (or obtained otherwise)

 Now, I think we don't want to support a) as this actually reduces the
 security compared to things we recommend: that users are checking the
 signature of the bundle they download and use the advanced verification
 method if they don't trust a single signature. Just downloading the SHA256
 sums and checking a bundle does actually not provide more security than
 HTTPS. I don't know much about verification of Tor Browser on Windows but
 could imagine that checking the hash is kind of a shortcut due to the
 hassle involved with GPG on Windows but maybe I am wrong here.

 What about scenario b)? If users are already checking the signature then
 using the SHA256 sum in addition does not buy them anything security-wise
 I think.

 So given a) I am worried that we are actually harming our efforts to
 provide instructions to get Tor Browser in a secure way. But even if we
 don't and all the users who are confused by the checksum mismatch are
 belonging into group b) then we might create some confusion by providing
 different checksum files. I envision users that download the wrong one or
 confuse both with each other making the whole process of getting Tor
 Browser in a secure way even more cumbersome leading, at the end, to

 And, note, there are a bunch of user, I think, that are just curious why
 the sums are not matching and not demanding that we should provide
 additional sums. They might have been used to that method and might easily
 adapt to the new situation.

 So I think we should proceed with our two clear messages:

 1) You should verify your Tor Browser's signature.
 2) If you don't trust your Tor Browser's signature follow the advanced
 verification path (warning: there be dragons)

 I could think about renaming the sha256sums.txt into "sha256sums-
 build.txt" if that helps, though. It might make it clearer to users what
 these hashes are actually for then.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15864#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list