[tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 18 23:53:25 UTC 2017


#22971: The XPI signing mechanism needs to use different hash functions.
--------------------------------------+--------------------------
 Reporter:  yawning                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by isis):

 Replying to [comment:2 yawning]:
 > This is probably more an upstream issue since the practical result is
 "Extension Signing is worthless vs adversaries that can produce SHA1
 collisions".

 Ugh. And yeah, this seems to be an upstream issue, we should see if
 they've already got a fix they're working on.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22971#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list