[tbb-dev] Tor Browser uplift tracker
Georg Koppen
gk at torproject.org
Mon Feb 5 12:31:00 UTC 2018
Arthur D. Edelstein:
> On Mon, Jan 29, 2018 at 3:47 AM, Georg Koppen <gk at torproject.org> wrote:
>
> Hi Georg,
>
> Thanks for looking through the list! I addressed each of your points
> below. (Please see my questions below about 14 and 20.)
[snip]
>> 14) #19121: it seems this is WONTFIX for Mozilla right now? I guess we
>> keep it and make our argument later again? Or we argue along the lines
>> of 10) and bite the bullet.
>
> I looked at our discussion yesterday but I don't really understand the
> what our patch is fixing. What's the advantage in doing a separate
> hash check if there is a signature verification (which presumably
> includes a hash check anyway)?
Okay, after a lot of digging I found what I was looking for. FWIW: it's
not the same hash check that you do when verifying a signature. What is
meant in our case is that the hash that you got via the update.xml file
check is matching the hash of the acual MAR file.
The context for that discussion was:
https://trac.torproject.org/projects/tor/ticket/17442#comment:4
which was kind of a reply to
https://bugzilla.mozilla.org/show_bug.cgi?id=1063111#c3 which argued
that, especially due to legitimate MitM, only signature based
verification should be used. However, we want to have at least two
independent means that need to get compromised before fake updates can
get applied. That's especially true in our current setup where we host
the update.xml ourselves and Fastly holds all the actual update files.
tjr made this point in the last meeting.
(Note, though, that we might want to think about strengthening both
pillars we currently rely on for our update security but that is
orthogonal to the question whether we want to enable the hash check or not)
[snip]
>> 20) #5282: "no uplift". The whole pipelining code is gone and Mike is
>> fine having our patch removed in that wake, too.
>
> OK! Shall I remove it from my TBB-ESR60 branch?
Yes, please.
[snip]
Georg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20180205/e4817ce0/attachment.sig>
More information about the tbb-dev
mailing list