[tor-bugs] #7661 [Tor bundles/installation]: Tor Browser update security
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Dec 7 13:20:22 UTC 2012
#7661: Tor Browser update security
--------------------------------------+-------------------------------------
Reporter: ioerror | Owner: erinn
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------------------------+-------------------------------------
I'm watching a user update their Tor Browser and they not only went and
downloaded it, they opened the .gz, unpacked it and ran it.
I suspect it would be straightforward to have a small handler for opening
Tor Browser downloads that verifies the download with a very small build
of gpgv. Combined with the new Firefox cert pinning, I'd feel rather good
about downloading updates as we clearly (I hope someone clarifies
otherwise!) won't have Thandy anytime soon.
I imagine that it would be a nice way to ensure that there is only one
leap of faith, ever. The first is unavoidable and afterwards, everything
else is unnecessary.
If I wrote a patch to build/include gpgv (with our gpg keys preloaded) -
would that be something we could ship? Could we easily hook it for
torproject.org downloads?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7661>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list