[tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 16 17:44:11 UTC 2014


#12642: Can Network Attacker Downgrade Dependency Install Security?
-----------------------+-------------------------
 Reporter:  earthrise  |          Owner:  hellais
     Type:  defect     |         Status:  new
 Priority:  normal     |      Milestone:
Component:  Ooni       |        Version:
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
-----------------------+-------------------------
 From the ooni-backend readme:

 {{{
 pip install -r requirements.txt --use-mirrors
 # Note: it is important that you install the requirements before you run
 # the setup.py script. If you fail to do so they will be downloaded over
 # plaintext.
 python setup.py install


 }}}
 What happens if an attacker is MITMing the network connection, and they
 make one package inaccessible during the pip install, but allow setup.py
 to download it. Will it fall back to an insecure connection, allowing the
 attacker to modify the code?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list