[tbb-bugs] #18287 [Applications/Tor Browser]: Use SHA-2 signature for Tor Browser setup executables
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Aug 14 13:51:43 UTC 2016
#18287: Use SHA-2 signature for Tor Browser setup executables
--------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: enhancement | Status: assigned
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by bugzilla):
* status: new => assigned
* owner: erinn => tbb-team
* component: Applications/Tor bundles/installation => Applications/Tor Browser
Comment:
'''This ticket is about the SHA-2 digest algorithm in the digital signature
(not the certificate).'''
(Otherwise it's a misunderstanding, taken here from Mozilla)
As noted there:
> "Microsoft does not require these file hashes to be done using SHA-2.
> Windows will also not enforce policies on these hashes. If pre-image
> attacks on SHA-1 become feasible we will reevaluate how the system trusts
> signatures made with such file hashes."
There is no current need to implement it, except for additional security.
But exactly for additional, so
> provide both SHA-1 for older systems and SHA-2 for newer ones.
(and exactly in this order, so SHA-1 would be the first in the list)
This solution has as much compatibility as possible.
(Current TBB 6.5a2 uses: SHA-1 digest + SHA-2 certificate + SHA-1
timestamp)
(Current Mozilla progress is in
https://bugzilla.mozilla.org/show_bug.cgi?id=1245842)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18287#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online