[tor-bugs] #5092 [Torbutton]: "Disable updates during Tor usage" by default (AMO/Addons)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Feb 11 23:17:52 UTC 2012


#5092: "Disable updates during Tor usage" by default (AMO/Addons)
-------------------------+--------------------------------------------------
 Reporter:  cypherpunks  |          Owner:  mikeperry
     Type:  defect       |         Status:  new      
 Priority:  normal       |      Milestone:           
Component:  Torbutton    |        Version:           
 Keywords:               |         Parent:           
   Points:               |   Actualpoints:           
-------------------------+--------------------------------------------------
 "Disable updates during Tor usage" is enabled by default. Does Firefox
 check the certificate signature of AMO or can this update be subverted by
 MITM via rogue CA (which is a realistic concern for Tor's threat model)?

 Secondly, is it a good idea to trust AMO infrastructure and upstream
 developers or shouldn't we first review the addon updates before deploying
 to TBB users via updates signed by Torproject?

 Usually this only concerns NoSript updates which happen frequently but
 never are really high priority.

 Eventually there'll be an autoupdate for the whole TBB anyway (so I
 heard).

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5092>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list