[tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 18 22:46:38 UTC 2017


#22971: The XPI signing mechanism needs to use different hash functions.
------------------------------------------+----------------------
     Reporter:  yawning                   |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 https://wiki.mozilla.org/Add-ons/Extension_Signing

 Signing 2 hashes of a manifest file containing 2 hashes each of every file
 in an archive, especially when "2 hashes" is MD5 and SHA1 is
 cryptographically unsound.

 See Joux, A., "Multicollisions in Iterated Hash Functions. Application to
 Cascaded Constructions".

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22971>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
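
An added example, not part of the original ticket and not Mozilla's or Tor Browser's code: a small audit of a JAR-style signing manifest that lists the files whose only digests are MD5 and/or SHA1, the combination the ticket objects to. The manifest text, file names and digest values are constructed, and the helper names are hypothetical.

```python
import re

WEAK = {"MD5", "SHA1"}  # the pair the ticket calls unsound, alone or together

# Constructed sample: file names and digest values are made up.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0

Name: install.rdf
Digest-Algorithms: MD5 SHA1
MD5-Digest: AAAAAAAAAAAAAAAAAAAAAA==
SHA1-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAA=

Name: chrome/content/an-overlong-path-that-wraps-onto-a-continuation-li
 ne.js
Digest-Algorithms: MD5 SHA1
MD5-Digest: BBBBBBBBBBBBBBBBBBBBBB==
SHA1-Digest: BBBBBBBBBBBBBBBBBBBBBBBBBBB=

Name: bootstrap.js
Digest-Algorithms: SHA1 SHA256
SHA1-Digest: CCCCCCCCCCCCCCCCCCCCCCCCCCC=
SHA256-Digest: CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=
"""

def parse_sections(text):
    """Split a JAR-style manifest into per-file sections: {name: {attr: value}}."""
    # Normalise line endings, then unfold continuation lines (newline + one space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in re.split(r"\n{2,}", text.strip()):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in attrs:  # the main section has no Name and is skipped
            sections[attrs.pop("Name")] = attrs
    return sections

def audit(text):
    """Return {file: [algorithms]} for files with no digest stronger than MD5/SHA1."""
    weak_only = {}
    for name, attrs in parse_sections(text).items():
        # Trust the <ALG>-Digest attributes actually present, not the declared list.
        algs = {k[:-7].replace("-", "").upper() for k in attrs if k.endswith("-Digest")}
        if not algs - WEAK:  # also true for a file that carries no digest at all
            weak_only[name] = sorted(algs)
    return weak_only

if __name__ == "__main__":
    for path, algs in audit(SAMPLE_MANIFEST).items():
        print(f"{path}: only {' + '.join(algs) or 'no digest'}")
```
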

