[tbb-bugs] #18074 [Tor Browser]: TBB Vagrantfile uses HTTP

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 16 16:24:20 UTC 2016


#18074: TBB Vagrantfile uses HTTP
----------------------------+----------------------------------------------
     Reporter:  miserlou    |      Owner:  tbb-team
         Type:  defect      |     Status:  new
     Priority:  Medium      |  Milestone:
    Component:  Tor         |    Version:
  Browser                   |   Keywords:  tbb, tor-browser-bundle, browser
     Severity:  Minor       |  Parent ID:
Actual Points:              |    Sponsor:
       Points:              |
----------------------------+----------------------------------------------
 In the Tor Browser Bundle's Vagrantfile, the Ubuntu 12.04 build machine
 base image is retrieved over plaintext HTTP. An attacker could potentially
 swap this out for a malicious machine image. It's a small issue, but an
 easy fix that'd probably set a few minds at ease.

 The simple fix, of course, is to replace:
 config.vm.box_url = "http://files.vagrantup.com/precise64.box"

 with:
 config.vm.box_url = "https://files.vagrantup.com/precise64.box"

 Although this may cause a certificate error since VagrantUp is hosted on
 Heroku.

 A better alternative would be for Tor to host this .box themselves and
 serve that over HTTPS/HSTS, but I don't know how feasible this is for you
 at this time.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18074>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
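The following Ruby script is an added example, not code from the ticket or from the Tor Browser Bundle's own Vagrantfile. It is a small lint over a Vagrantfile's text that flags the three things a reviewer would check on the box-download settings discussed above: a plaintext http:// box_url, the tempting box_download_insecure = true workaround for the certificate error the reporter anticipates, and a missing or weak checksum pin. The option names it looks for (config.vm.box_url, config.vm.box_download_checksum, config.vm.box_download_checksum_type, config.vm.box_download_insecure) are real Vagrant settings; the sample Vagrantfiles and the checksum values in them are constructed placeholders for this example.

```ruby
# Added example: lint the box-download settings of a Vagrantfile.
# Not the ticket's or Tor Browser's code. The config option names are real
# Vagrant settings; the sample Vagrantfiles below are constructed here.

BOX_URL_RE       = /config\.vm\.box_url\s*=\s*["']([^"']+)["']/
CHECKSUM_RE      = /config\.vm\.box_download_checksum\s*=\s*["']([0-9a-fA-F]+)["']/
CHECKSUM_TYPE_RE = /config\.vm\.box_download_checksum_type\s*=\s*["'](\w+)["']/
INSECURE_RE      = /config\.vm\.box_download_insecure\s*=\s*true/

# Expected hex-digest length for the checksum types worth accepting.
DIGEST_HEX_LEN = { "sha256" => 64, "sha384" => 96, "sha512" => 128 }.freeze
WEAK_TYPES     = %w[md5 sha1].freeze

# Returns an array of finding strings; an empty array means the file passes.
def lint_box_config(vagrantfile_text)
  findings = []

  # 1. Transport: the box image must not be fetched over plaintext HTTP.
  url = vagrantfile_text[BOX_URL_RE, 1]
  if url && url.start_with?("http://")
    findings << "box_url fetched over plaintext HTTP: #{url}"
  elsif url && !url.start_with?("https://")
    findings << "box_url uses a non-HTTPS scheme: #{url}"
  end

  # 2. TLS: disabling certificate checks makes HTTPS no better than HTTP.
  if vagrantfile_text =~ INSECURE_RE
    findings << "box_download_insecure = true disables TLS certificate verification"
  end

  # 3. Integrity: pin the downloaded image to a strong digest.
  type     = vagrantfile_text[CHECKSUM_TYPE_RE, 1]
  checksum = vagrantfile_text[CHECKSUM_RE, 1]
  if checksum.nil? || type.nil?
    findings << "no box_download_checksum/box_download_checksum_type: box image is not pinned"
  elsif WEAK_TYPES.include?(type.downcase)
    findings << "weak checksum type #{type}; use sha256 or stronger"
  elsif DIGEST_HEX_LEN[type.downcase].nil?
    findings << "unknown checksum type #{type}"
  elsif checksum.length != DIGEST_HEX_LEN[type.downcase]
    findings << "#{type} checksum has #{checksum.length} hex chars, expected #{DIGEST_HEX_LEN[type.downcase]}"
  end

  findings
end

# Constructed sample: mirrors the plaintext line quoted in the ticket.
ORIGINAL_VAGRANTFILE = <<~CONF
  Vagrant.configure("2") do |config|
    config.vm.box = "precise64"
    config.vm.box_url = "http://files.vagrantup.com/precise64.box"
  end
CONF

# Constructed sample: HTTPS plus a weak checksum and the insecure workaround.
WORKAROUND_VAGRANTFILE = <<~CONF
  Vagrant.configure("2") do |config|
    config.vm.box = "precise64"
    config.vm.box_url = "https://files.vagrantup.com/precise64.box"
    config.vm.box_download_insecure = true
    config.vm.box_download_checksum_type = "md5"
    config.vm.box_download_checksum = "d41d8cd98f00b204e9800998ecf8427e"
  end
CONF

# Constructed sample: HTTPS plus a sha256 pin (digest value is a placeholder).
HARDENED_VAGRANTFILE = <<~CONF
  Vagrant.configure("2") do |config|
    config.vm.box = "precise64"
    config.vm.box_url = "https://files.vagrantup.com/precise64.box"
    config.vm.box_download_checksum_type = "sha256"
    config.vm.box_download_checksum = "#{'0' * 64}"
  end
CONF

if __FILE__ == $PROGRAM_NAME
  { "original" => ORIGINAL_VAGRANTFILE,
    "workaround" => WORKAROUND_VAGRANTFILE,
    "hardened" => HARDENED_VAGRANTFILE }.each do |label, text|
    findings = lint_box_config(text)
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

Switching the URL to https:// only authenticates the host serving the file; the checksum pin is what ties the build to one specific image, so it also covers the case where the box is later mirrored elsewhere, which is the direction the reporter's last paragraph points in.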

