[tor-bugs] #15687 [Tor Browser]: Make Tor Browser work with AppLocker
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 14 13:28:43 UTC 2015
#15687: Make Tor Browser work with AppLocker
-------------------------+-------------------------------------------------
Reporter: gk | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Resolution: | Keywords: tbb-security, tbb-usability-stoppoint-app
Actual Points: | Parent ID:
Points: |
-------------------------+-------------------------------------------------
Comment (by starlight):
I agree that signing all the binaries and DLLs would be ideal.
Here I've avoided the default rules and require all
binaries be signed by an approved publisher
or have a hash entry--i.e. strict whitelisting.
Allowing anything in system directories to run
is less about security and more about controlling
what applications users can run in a managed
environment.
With signed binaries, just one EXE and one DLL
rule are required. Presently have to create two
hash rules for each TBB release, adding files from
several subdirectories. Is a fair amount of
work. Temporary installer DLLs require a rule
as well.
While whitelisting is not, as many point out,
a silver bullet against intrusion, it raises
the bar for attackers tremendously. Makes
obtaining persistence much more difficult.
Perhaps Linux signed binaries should be
supported eventually as well. Don't know
enough about it yet myself to have
an opinion.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15687#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
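
An added example, not part of the ticket or of the comment above: one way to generate the per-release EXE and DLL rules the comment describes, using the AppLocker PowerShell cmdlets, with a dry run before anything is applied. The install path and release label are placeholder assumptions.

```powershell
# Added example. $TbbRoot and $Release are placeholders (assumptions),
# not values taken from the ticket.
$TbbRoot   = 'C:\Apps\Tor Browser'
$Release   = 'TBB-RELEASE'
$PolicyXml = Join-Path $env:TEMP "applocker-$Release.xml"

# 1. Inventory every EXE and DLL in the bundle, walking all subdirectories.
$files = Get-AppLockerFileInformation -Directory $TbbRoot -Recurse -FileType Exe, Dll

# 2. Report which files carry a publisher signature. Files without one can
#    only be allowed by hash, so they need a fresh entry on every release.
$files |
    Select-Object @{ n = 'Signed'; e = { [bool]$_.Publisher } }, Path |
    Sort-Object Signed |
    Format-Table -AutoSize

# 3. Build the rules: publisher rule where a signature exists, hash otherwise.
#    -Optimize groups similar rules together, so the file hashes end up in a
#    few combined rules rather than one rule per file.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix $Release -Optimize -Xml |
    Out-File -FilePath $PolicyXml

# 4. Dry run: list bundle files the generated policy would still block.
$blocked = Get-ChildItem -Path $TbbRoot -Recurse -File -Include *.exe, *.dll |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone `
        -Filter Denied, DeniedByDefault

if ($blocked) {
    $blocked | Format-Table FilePath, PolicyDecision -AutoSize
    Write-Warning "Policy for $Release leaves $(@($blocked).Count) file(s) blocked."
} else {
    # 5. Merge into the local policy, keeping existing rules in place.
    #    Needs an elevated session; review $PolicyXml before running this
    #    on a managed host.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
}
```

Files created at run time, such as the temporary installer DLLs mentioned in the comment, are not in the install tree and are not covered by this inventory.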