[tor-commits] [tor-browser-spec/master] Add update security info.

mikeperry at torproject.org
Thu Apr 30 05:26:01 UTC 2015

commit 351f4868291f16da605191c6f0597b632277d841
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Wed Apr 29 20:55:25 2015 -0700

    Add update security info.
 design-doc/design.xml |   55 +++++++++++++++++++++++++------------------------
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/design-doc/design.xml b/design-doc/design.xml
index 5c16ce8..90f8032 100644
--- a/design-doc/design.xml
+++ b/design-doc/design.xml
@@ -221,19 +221,6 @@ ephemeral-keyed encrypted swap.
-<!-- XXX-4.5: Add a section for this.
- <listitem><link linkend="update-safety"><command>Update Safety</command></link>
-The browser MUST NOT perform unsafe updates or upgrades. Update checks
-and downloads MUST protected by a pinned TLS certificate. All automatic update
-packages SHOULD be signed with at least one offline key. The update mechanism
-MUST have defenses against holdback/freeze attacks, downgrade attacks, and
-general availability attacks.
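Review bot: deleting this commented-out listitem removes the Update Safety entry from the design requirements summary list without adding a live replacement, so the new `sect2 id="update-safety"` introduced later in this patch has no `<link linkend="update-safety">` pointing at it from the requirements overview. The stated requirements (pinned TLS for update checks and downloads, MAR packages signed with at least one offline key, defenses against holdback/freeze, downgrade and availability attacks) are exactly what the new section claims to implement, so uncomment and keep the listitem rather than drop it, e.g. keep `<listitem><link linkend="update-safety"><command>Update Safety</command></link>` followed by the MUST/SHOULD sentences.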
@@ -1121,13 +1108,6 @@ $HOME environment variable to be the TBB extraction directory.
-<!-- FIXME: Write me... 
-  <sect2 id="update-safety">
-   <title>Update Safety</title>
-   <para>FIXME: Write me..
-   </para>
-  </sect2>
   <sect2 id="identifier-linkability">
    <title>Cross-Origin Identifier Unlinkability</title>
@@ -2367,7 +2347,6 @@ of its update pings.
 <sect1 id="BuildSecurity">
   <title>Build Security and Package Integrity</title>
-<!-- XXX-4.5: signatures of MARs and exes are reproducibly removable -->
 In the age of state-sponsored malware, <ulink
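Review bot: the removed reminder "signatures of MARs and exes are reproducibly removable" is only half resolved by this patch. The later hunk documents stripping the Windows exe signature with osslsigncode, but nothing in the patch says how the signature on a MAR file (which the new Update Safety section says is signed with an offline key) is removed before a reproducibility comparison. Either keep the XXX note for the MAR case or add the MAR stripping step to the Package Signatures and Verification section.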
@@ -2532,7 +2511,6 @@ time-based dependency tracking</ulink> that only appear in LXC containers.
-<!-- XXX-4.5: unsigning -->
     <title>Package Signatures and Verification</title>
@@ -2565,11 +2543,11 @@ consensus, and encoding the package hashes in the Bitcoin blockchain.
-At the time of this writing, we do not yet support native code signing for Mac
-OS or Windows. Because these signatures are embedded in the actual packages,
-and by their nature are based on non-public key material, providing native
-code-signed packages while still preserving ease of reproducibility
-verification has not yet been achieved.
+The Windows releases are also signed by a hardware token provided by Digicert.
+In order to verify package integrity, the signature must be sripped off using
+the osslsigncode tool, as described on the <ulink
+Vericication</ulink> page.
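Review bot: two typos and a probable markup error in the added paragraph: "sripped" should be "stripped" and "Vericication" should be "Verification"; and the `<ulink` on the third added line carries no `url` attribute before the closing `</ulink>` on the next line, so either the attribute was lost or the DocBook will not build, please check the element against the Signing Verification page URL. On content, the deleted text stated that Mac OS native code signing was not yet supported; the replacement only describes Windows, so the Mac OS status is now unstated and should be kept as a sentence. Also reword "signed by a hardware token provided by Digicert" to say what is actually meant: the signing key is held on a hardware token and the certificate is issued by DigiCert. Finally, it is worth stating that the signature should be verified before it is stripped, since stripping it is only a step toward comparing against the reproducible unsigned build, not a substitute for checking it.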
@@ -2598,6 +2576,29 @@ verifier.
+  <sect2 id="update-safety">
+   <title>Update Safety</title>
+   <para>
+We make use of the Firefox updater in order to provide automatic updates to
+users. We make use of certificate pinning to ensure that update checks
+be tampered with, and we sign the individual MAR update files with an offline
+signing key.
+   </para>
+   <para>
+The Firefox updater also has code to ensure that it can reliably access the
+update server to prevent availability attacks, and complains to the user of 48
+hours go by without a successful response from the server. Additionally, we
+use Tor's SOCKS username and password isolation to ensure that every new
+request to the updater traverses a separate circuit, to avoid holdback attacks
+by exit nodes.
+   </para>
+  </sect2>
   <sect2 id="components">
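Review bot: the first paragraph is missing a word, "certificate pinning to ensure that update checks be tampered with" should read "cannot be tampered with", and "complains to the user of 48 hours go by" should be "if 48 hours go by". More substantively, the requirement text deleted earlier in this patch lists defenses against holdback/freeze attacks, downgrade attacks and availability attacks; this section covers holdback (per-request circuit isolation via SOCKS username/password) and availability (the 48-hour check), but says nothing about downgrade attacks. With signed MARs and a pinned but otherwise unsigned update check, the pin is the only thing preventing a tampered update response from pointing at an older, validly signed MAR, so either describe the downgrade defense or note it as open. It would also help to say which pin is used (Firefox's built-in pin set for the update host, or a Tor Browser specific pin) and whether the pin covers the MAR download as well as the check.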
