[tbb-bugs] #30479 [Applications/Tor Browser]: Move away from using signed git tags to avoid rollback attacks?

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 11 13:08:24 UTC 2019 

#30479: Move away from using signed git tags to avoid rollback attacks?
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by boklm):

 > However, thinking a bit more the expiration problem is actually
 orthogonal as this could even happen with a properly signed tag, which
 does not suffer from a signature done with a key that is expired now, but
 which is still not the current version. That means: assuming you have
 three tags t1, t2, and t3 and t1 has a signature which is expired while t2
 and t3 don't, but only t3 contains the critical fix, then with a git
 attacker in question it does not make a difference whether we fix the
 expiration date problem as they could easily make us use t1 *or* t2.

 I don't think signed tags allow rollback attacks. The data that is signed
 by gpg includes the tag itself, so if an attackers returns t2 when we want
 t3, the signature will be valid but the content of the tag will say t2 so
 git should reject it.

 For example, we can see that the signed data for the tag
 `tbb-8.5a12-build3` includes the line `tag tbb-8.5a12-build3`:
 {{{
 $ git cat-file -p  tbb-8.5a12-build3
 object a28a0c3b1b52a1ef87cb58bd6b62d888fcf313a0
 type commit
 tag tbb-8.5a12-build3
 tagger Georg Koppen <gk at torproject.org> 1557175973 +0000

 Tagging build3 for 8.5a12
 -----BEGIN PGP SIGNATURE-----

 iQJGBAABCgAwFiEEqhpZkioIc40jQrwFTZKn5Ktz7FQFAlzQnqUSHGdrQHRvcnBy
 b2plY3Qub3JnAAoJEE2Sp+Src+xUZoYQAKfhS5VQxkhfU3HkNDNJXVXD4yeeTKz2
 QlhM4KT742Gxa2u3mM4BcsjMhAR0PRyqZqt+7rBAHC4IKQvck1lDmRBswGinI+44
 qc19hpIS5brZfzhmzTEAvqkM4KpAINNBBk6xeNjJvtfjY17DwGmFzeFG0UUzjQEM
 PIW4sFkU1OVFe9E1sOWTNhhdEC0EhASa0hSgp9iZPbp7kdseUC0ebAZ/i2y9ITsF
 ypoH12WlqqptJ8nkVmJg6+7IoAJXFeygP8BPmOqH7OeK6lwXNVoXe5NrlzqqtviN
 3hwbmzextwRLPRLq5v1YELM6n9NHGs4uYDJUrMFo66cLszn+nALwWRYsGMh42PmH
 KewX0AT/om+LhIhL0fW8Wr8HQ8hgUB3zH8cr8yhhR3puorYVm8fuQVyRAKKAAOzl
 NijKqy/UchYOGDM//DRatl7UNhIIl2RD3miusFSk2Ssv7WK3m7BRmjUWyAzhIKBK
 rKK0UEriQtp55bpa6q7pgsY7rqMGm/+NhiG5UcdsJIey9tJMt0VaWrpQlwGyWn4J
 XDM1ezsdvePQRT/zNrZ57zWQIZ2ygF9w1Jw939x8ACUBp8c0pC1rdetaHr68Sb5k
 WGU0Ofel+CQYAneuLTRnRpPr8VOZcdyoLY/Nr7MQs7bnCpx1M1IMOUUw4Qdmw/0K
 +CjxsU9kYB1F
 =TqMm
 -----END PGP SIGNATURE-----
 }}}

 This is however true for the signed tarballs. The filename of the tarball
 is not part of the signed data, so an attacker could give us an older
 version of a tarball with a valid signature. So maybe we should stop using
 gpg to verify donloaded files, and use hashes instead (or in addition)?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30479#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list