[tbb-bugs] #30479 [Applications/Tor Browser]: Move away from using signed git tags to avoid rollback attacks?

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 11 13:08:24 UTC 2019

#30479: Move away from using signed git tags to avoid rollback attacks?
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by boklm):

 > However, thinking a bit more the expiration problem is actually
 orthogonal as this could even happen with a properly signed tag, which
 does not suffer from a signature done with a key that is expired now, but
 which is still not the current version. That means: assuming you have
 three tags t1, t2, and t3 and t1 has a signature which is expired while t2
 and t3 don't, but only t3 contains the critical fix, then with a git
 attacker in question it does not make a difference whether we fix the
 expiration date problem as they could easily make us use t1 *or* t2.

 I don't think signed tags allow rollback attacks. The data that is signed
 by gpg includes the tag itself, so if an attackers returns t2 when we want
 t3, the signature will be valid but the content of the tag will say t2 so
 git should reject it.

 For example, we can see that the signed data for the tag
 `tbb-8.5a12-build3` includes the line `tag tbb-8.5a12-build3`:
 $ git cat-file -p  tbb-8.5a12-build3
 object a28a0c3b1b52a1ef87cb58bd6b62d888fcf313a0
 type commit
 tag tbb-8.5a12-build3
 tagger Georg Koppen <gk at torproject.org> 1557175973 +0000

 Tagging build3 for 8.5a12


 This is however true for the signed tarballs. The filename of the tarball
 is not part of the signed data, so an attacker could give us an older
 version of a tarball with a valid signature. So maybe we should stop using
 gpg to verify donloaded files, and use hashes instead (or in addition)?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30479#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list