[tor-bugs] #4234 [Firefox Patch Issues]: Investigate the Firefox update process
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 30 16:50:25 UTC 2013
#4234: Investigate the Firefox update process
-------------------------------------+-------------------------------------
     Reporter: mikeperry             |     Owner: mikeperry
         Type: task                  |    Status: needs_information
     Priority: major                 | Milestone: TorBrowserBundle 2.3.x-stable
    Component: Firefox Patch Issues  |   Version:
   Resolution:                       |  Keywords: tbb-bounty tbb-usability
Actual Points:                       | Parent ID:
       Points:                       |
-------------------------------------+-------------------------------------

Comment (by mcs):

 Using a patched version of Mozilla's update mechanism, Kathy Brade and I
 have successfully updated TBB on Linux, Windows, and Mac OS "in the lab"
 using both incremental and "full replace" updates. There is still
 significant work to do, but we will post a work-in-progress patch here
 shortly.

 One of the remaining issues is that the Mozilla code needs access to the
 TBB version before the preference system has been initialized. We may
 need to pass knowledge of the TBB version through the Firefox build
 process (rather than just setting the torbrowser.version pref.).

 There are also some Windows Vista (and newer) OS security issues that we
 somewhat ignored. Because TBB is not typically stored under Program Files
 or other "locked down" areas, this is probably not a big concern. Our
 patch always downloads and applies updates within the TBB package
 directory.

 Finally, updating the bundled browser extensions (e.g., HTTPS-Everywhere)
 is a little tricky because an extension may have been updated by the user.
 We could always overwrite the bundled extensions (which may cause the
 user's updates to be lost) or we could never update them (that seems like
 a bad idea). Kathy and I lean toward always overwriting the extensions.

 Our high-level understanding of the security aspects of the Firefox
 mechanism:

 1) The update meta-information is retrieved over TLS. A special check is
 done to ensure that the issuer name and common name of the server's TLS
 certificate match values that are stored in bundled Firefox preferences.

 2) After an update is downloaded (partial MAR or complete MAR), a SHA512
 checksum of the MAR file is checked against a value that was returned in
 the update meta-information.

 Mozilla also has a build option to require signed MAR files, but we have
 not tried to use it yet.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4234#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
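
The two checks listed in the comment above, as an added Python example that is not part of the original message and is not Mozilla's or Tor's updater code. The pinned names, the sample bytes and the metadata layout (a `patch` element carrying `type`, `hashFunction`, `hashValue` and `size`, modelled on Mozilla's update XML) are assumptions, and the issuer check is simplified to the issuer's common name.

```python
import hashlib
import hmac
import io
import xml.etree.ElementTree as ET

# Constructed pins, standing in for the values kept in bundled preferences.
PINS = {"issuer": "Example Issuing CA", "commonName": "updates.example.invalid"}
# Constructed stand-in bytes and metadata; not a real MAR or a real update server.
SAMPLE_MAR = b"MAR1 constructed stand-in bytes, not a real archive"
SAMPLE_MANIFEST = (
    '<updates><update><patch type="complete" hashFunction="SHA512" '
    'URL="https://updates.example.invalid/full.mar" hashValue="%s" size="%d"/>'
    "</update></updates>" % (hashlib.sha512(SAMPLE_MAR).hexdigest(), len(SAMPLE_MAR))
)

def _cn(rdns):
    """First commonName in a name laid out as ssl.getpeercert() returns it."""
    return next((v for rdn in rdns for k, v in rdn if k == "commonName"), None)

def cert_matches_pins(cert, pins=PINS):
    """Check 1: issuer and subject common names must both equal the pinned values."""
    return (_cn(cert.get("issuer", ())) == pins["issuer"]
            and _cn(cert.get("subject", ())) == pins["commonName"])

def expected_patch(manifest_xml, patch_type):
    """Return (sha512_hex, size) that the metadata declares for 'partial' or 'complete'."""
    for patch in ET.fromstring(manifest_xml).iter("patch"):
        if patch.get("type") != patch_type:
            continue
        if (patch.get("hashFunction") or "").upper() != "SHA512":
            raise ValueError("metadata does not declare a SHA512 hash")
        return (patch.get("hashValue") or "").lower(), int(patch.get("size", "-1"))
    raise ValueError("no %s patch in metadata" % patch_type)

def mar_is_valid(stream, expected_hash, expected_size, chunk=65536):
    """Check 2: stream the download; size and SHA-512 must match the metadata."""
    digest, total = hashlib.sha512(), 0
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
        total += len(block)
    return total == expected_size and hmac.compare_digest(digest.hexdigest(), expected_hash)

if __name__ == "__main__":
    want_hash, want_size = expected_patch(SAMPLE_MANIFEST, "complete")
    print("intact download accepted:", mar_is_valid(io.BytesIO(SAMPLE_MAR), want_hash, want_size))
    print("tampered download accepted:", mar_is_valid(io.BytesIO(SAMPLE_MAR + b"!"), want_hash, want_size))
```

The checksum only authenticates the MAR to the extent that the metadata itself is authentic, so check 2 depends on check 1 having passed for the connection that delivered the metadata.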