[tor-bugs] #2285 [Tor Check]: check.tpo should list current versions of Tor Project software

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon May 2 14:45:17 UTC 2011 

#2285: check.tpo should list current versions of Tor Project software
-------------------------+--------------------------------------------------
 Reporter:  rransom      |          Owner:  nickm                 
     Type:  enhancement  |         Status:  new                   
 Priority:  major        |      Milestone:  Tor Check Enhancements
Component:  Tor Check    |        Version:                        
 Keywords:               |         Parent:  #2880                 
   Points:               |   Actualpoints:                        
-------------------------+--------------------------------------------------

Comment(by mikeperry):

 Replying to [comment:4 rransom]:
 > Replying to [comment:3 mikeperry]:
 >
 > > Instead of a huge list that no one will ever read or even look at, we
 could pass a version to check.tp.o from TBB, since it is the home page of
 TBB. Then the verbiage on check.tp.o can still remain concise, perhaps
 simply displaying an orange onion if your version is out of date.
 >
 > That won't work for users of existing TBBs, and it gives check.tpo the
 ability to log more detailed information about users.  We don't want to
 give whoever controls the check.torproject.org domain name and can get an
 SSL certificate for it that Firefox will accept the ability to collect
 that information.

 I really don't think we're going to get any significant number of upgrades
 out of this unless the page is significantly different when the version is
 out of date. I think realistically the number of upgrades even from a
 scary-colored check.tp.o page will be much less than what we'll get from
 an apt repo or from thandy.

 Also, I don't see how there is significant risk exposure from telling the
 Tor Project (and SSL MITMs) your software version. You've already done
 that when you downloaded it using the same SSL cert trust model.. Can you
 go into more detail on the attack vector here?

 Since this is a stop-gap solution until thandy is deployed, I don't think
 we should make best the enemy of better.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2285#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list