[tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Jan 21 20:40:33 UTC 2011


#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
 Reporter:  rransom                   |       Owner:  rransom     
     Type:  defect                    |      Status:  needs_review
 Priority:  critical                  |   Milestone:              
Component:  Tor bundles/installation  |     Version:              
 Keywords:                            |      Parent:              
--------------------------------------+-------------------------------------

Comment(by rransom):

 Replying to [comment:6 dkg]:
 > Replying to [ticket:2340 rransom]:
 >
 > > The GPG signatures only prove that a particular person associated with
 > > The Tor Project has signed a particular file; they do not authenticate the
 > > filename, thus they do not authenticate the package name or the package
 > > version, and they do not prove that a particular package file is the final
 > > build of a package version which we want to distribute to users.  This
 > > leaves our users vulnerable to version-rollback attacks and package-
 > > substitution attacks if they download packages from mirrors or over non-
 > > HTTPS connections.
 >
 > Isn't this still true if they download the proposed new file format over
 > non-HTTPS connections?  as an attacker in this scenario, i can just point
 > them to the set of different files, including the old .asc.

 You wouldn't be able to label an old package like TBB-Windows 1.3.13 as a
 shiny new 1.3.18, and thereby persuade users of an up-to-date version to
 'upgrade' to a buggy older version, with the new format.

 > Doesn't the tor installer package contain its version number internally?
 > You mention an .exe, and i haven't worked on that platform in years, but i
 > seem to recall that Windows executables could embed a version number that
 > is visible in one of the tabs in the File Properties dialog, which
 > would presumably not change even if the file name changed.

 The Vidalia Bundle for Windows installer has the version numbers of Tor
 and Vidalia in its 'File Description' field.  The Tor Browser Bundle for
 Windows self-extracting archive does not have any useful version
 information on the archive itself, although a README file inside the
 archive can give a lower bound on the version.

 > Another approach entirely could use the OS-native mechanism for signing
 > distributed software:
 >
 >  * [http://stackoverflow.com/questions/252226/signing-a-windows-exe-file
 >    windows appears to use signtool.exe] -- i don't know much about it,
 >    whether embedded version numbers are themselves signed, and/or whether the
 >    signatures can be made to expire.

 The major advantage of this signing method is that Windows will verify the
 signature for users under some circumstances.  The major drawback is that
 it requires paying off the 'SSL mafia' for a code-signing certificate.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
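The rollback described in this comment, as an added illustration that is not part of the ticket or of any Tor Project code: a detached signature over file bytes still verifies after the file is renamed, whereas a signed manifest that binds name, version and content hash rejects the renamed old build. The HMAC used as the signature and the manifest layout are stand-ins of my own, not GPG and not the "proposed new file format".

```python
import hashlib
import hmac

# Constructed stand-in for a release signature: an HMAC under a key the
# verifier trusts.  What matters here is which bytes the signature covers,
# not the primitive, so a real GPG signature behaves the same way.
SIGNING_KEY = b"release-key-placeholder"

def sign(data: bytes) -> str:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()

def sig_valid(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)

def verify_detached(data: bytes, sig: str, filename: str) -> bool:
    """Mirrors 'gpg --verify pkg.asc pkg': only the file bytes are checked.
    The filename is never consulted, which is the gap the ticket describes."""
    return sig_valid(data, sig)

def make_manifest(filename: str, version: tuple, data: bytes) -> bytes:
    """Hypothetical manifest binding name, version and content hash together."""
    digest = hashlib.sha256(data).hexdigest()
    ver = ".".join(str(x) for x in version)
    return f"name={filename}\nversion={ver}\nsha256={digest}\n".encode()

def parse_manifest(manifest: bytes) -> dict:
    fields = dict(line.split("=", 1) for line in manifest.decode().splitlines())
    fields["version"] = tuple(int(x) for x in fields["version"].split("."))
    return fields

def verify_manifest(manifest: bytes, sig: str, filename: str,
                    data: bytes, installed_version: tuple) -> bool:
    """Accept only if the signed manifest names this exact file, its hash
    matches the bytes served, and its version is not older than installed."""
    if not sig_valid(manifest, sig):
        return False
    m = parse_manifest(manifest)
    return (m["name"] == filename
            and hmac.compare_digest(m["sha256"], hashlib.sha256(data).hexdigest())
            and m["version"] >= installed_version)

# Constructed sample release data (names and versions are illustrative).
OLD_NAME, OLD_VER, OLD_DATA = "tbb-1.3.13.exe", (1, 3, 13), b"old buggy build"
NEW_NAME, NEW_VER = "tbb-1.3.18.exe", (1, 3, 18)

def rollback_demo():
    """A mirror serves the old build renamed as the new release, alongside the
    old, still-valid signatures.  Returns (detached_accepts, manifest_accepts)."""
    old_sig, old_manifest = sign(OLD_DATA), make_manifest(OLD_NAME, OLD_VER, OLD_DATA)
    detached = verify_detached(OLD_DATA, old_sig, NEW_NAME)
    bound = verify_manifest(old_manifest, sign(old_manifest), NEW_NAME, OLD_DATA, NEW_VER)
    return detached, bound
```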