[tbb-bugs] #15864 [Tor Browser]: Differentiate between build and release sha256sums.txt
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 30 16:37:57 UTC 2015
#15864: Differentiate between build and release sha256sums.txt
-------------------------+-------------------------------------------------
Reporter: | Owner: tbb-team
mikeperry | Status: new
Type: defect | Milestone:
Priority: normal | Version:
Component: Tor | Keywords: tbb-4.5-regression,
Browser | TorBrowserTeam201505, tbb-usability
Resolution: | Parent ID:
Actual Points: |
Points: |
-------------------------+-------------------------------------------------
Comment (by gk):
I am not convinced yet that we should add another SHA256 sums file
containing the checksums of the bundles we release for a couple of reasons
(hopefully combined they are stronger than the "but users are doing it
this way"-argument :) ).
First, adding another checksums file is not reproducible builds related
but only for two scenarios:
a) A user just downloads the additional SHA256 sums file and checks a
bundle downloaded before (or obtained otherwise)
b) A user downloads the additional SHA256 sums file and its signature,
checks the signature and uses then the checksum to check a bundle
downloadable before (or obtained otherwise)
Now, I think we don't want to support a) as this actually reduces the
security compared to things we recommend: that users are checking the
signature of the bundle they download and use the advanced verification
method if they don't trust a single signature. Just downloading the SHA256
sums and checking a bundle does actually not provide more security than
HTTPS. I don't know much about verification of Tor Browser on Windows but
could imagine that checking the hash is kind of a shortcut due to the
hassle involved with GPG on Windows but maybe I am wrong here.
What about scenario b)? If users are already checking the signature then
using the SHA256 sum in addition does not buy them anything security-wise
I think.
So given a) I am worried that we are actually harming our efforts to
provide instructions to get Tor Browser in a secure way. But even if we
don't and all the users who are confused by the checksum mismatch are
belonging into group b) then we might create some confusion by providing
different checksum files. I envision users that download the wrong one or
confuse both with each other making the whole process of getting Tor
Browser in a secure way even more cumbersome leading, at the end, to
resignation.
And, note, there are a bunch of user, I think, that are just curious why
the sums are not matching and not demanding that we should provide
additional sums. They might have been used to that method and might easily
adapt to the new situation.
So I think we should proceed with our two clear messages:
1) You should verify your Tor Browser's signature.
2) If you don't trust your Tor Browser's signature follow the advanced
verification path (warning: there be dragons)
I could think about renaming the sha256sums.txt into "sha256sums-
build.txt" if that helps, though. It might make it clearer to users what
these hashes are actually for then.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15864#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list