[tbb-bugs] #2340 [Applications/Tor Browser]: protect users against freeze, replay and version-rollback attacks (was: GPG signatures do not authenticate filenames)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 14 02:48:36 UTC 2018

#2340: protect users against freeze, replay  and version-rollback attacks
 Reporter:  rransom                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  assigned
 Priority:  Very High                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:  #3893                     |         Points:
 Reviewer:                            |        Sponsor:
Changes (by traumschule):

 * parent:   => #3893


 pulling this up again (ranking 2nd among
 Very High] priority, since how long? :)

 want to learn crypto a little later:
 - https://blog.packagecloud.io/eng/2018/02/21/attacks-against-secure-apt-
  - for example replay attack: a malicious actor performing a MitM against
 your machine has saved the metadata with the vulnerable version. The
 malicious actor replays that metadata to your system, preventing your
 system from seeing the newly patched libEXAMPLE. This gives the attacker
 up until the `Valid-Until` date to attempt to launch an attack against

 What I learned:
 - we know downloading executable files from a website is unsafe unless the
 authenticity is checked (by verifying the issuer of the TLS certificate),
 assuming the used encryption is not vulnerable to a
 rollback attack] or the server has not been compromised in another way
 - to protect against this, files need to be signed with the release key
 which is kept offline (not anywhere near the production environment),
 trusting the signer's opsec
 - it is better to go "the debian way" (or [https://fedoramagazine.org
 /fedora-secures-package-delivery/ fedora's]
 signing architecture]) by pooling all files in a trusted infrastructure
 (though this is not failprove, see link above)
 - package repositories should provide an sufficiently low expiration time
 (implemented for
 [http://deb.torproject.org/torproject.org/dists/sid/Release sid], good!),
 to protect against distribution of vulnerable older versions (fedora uses
 3 days)
 - signatures should always be created with
 Options.html --default-sig-expire] (esoteric warning!) to set a
 [https://tools.ietf.org/html/rfc4880#section- signature expiration
 time] - the date will be shown on verification,
 [http://deb.torproject.org/torproject.org/dists/sid/Release.gpg not

 curl http://deb.torproject.org/torproject.org/dists/sid/Release > Release
 curl http://deb.torproject.org/torproject.org/dists/sid/Release.gpg >
 $ gpg --verify Release.sig
 gpg: assuming signed data in 'Release'
 gpg: Signature made Fri 10 Aug 2018 01:28:01 PM CEST
 gpg:                using RSA key 2265EB4CB2BF88D900AE8D1B74A941BA219EC810
 gpg: Good signature from "deb.torproject.org archive signing key"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the
 Primary key fingerprint: A3C4 F0F9 79CA A22C DBA8  F512 EE8C BC9E 886D
      Subkey fingerprint: 2265 EB4C B2BF 88D9 00AE  8D1B 74A9 41BA 219E
 $ gpg --list-packets Release.sig # just for reference
 # off=0 ctb=89 tag=2 hlen=3 plen=307
 :signature packet: algo 1, keyid 74A941BA219EC810
         version 4, created 1533900481, md5len 0, sigclass 0x00
         digest algo 8, begin of digest a8 9f
         hashed subpkt 33 len 21 (issuer fpr v4
         hashed subpkt 2 len 4 (sig created 2018-08-10)
         subpkt 16 len 8 (issuer key ID 74A941BA219EC810)
         data: [2048 bits]
 When a signature has an expiration date however it is shown at the end:
 gpg: Signature expires Wed 14 Aug 2019 03:37:29 AM CEST
 $ en gpg --list-packets vanguards/TODO.txt.sig
 # off=0 ctb=89 tag=2 hlen=3 plen=441
 :signature packet: algo 1, keyid AA84FDED4E218633
         version 4, created 1534210649, md5len 0, sigclass 0x00
         digest algo 10, begin of digest 54 c3
         hashed subpkt 33 len 21 (issuer fpr v4
         hashed subpkt 2 len 4 (sig created 2018-08-14)
         critical hashed subpkt 3 len 4 (sig expires after 1y0d0h0m)
         subpkt 16 len 8 (issuer key ID AA84FDED4E218633)
         data: [3070 bits]
 Question is what a user is supposed to do, when the signature has been

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list