[tor-commits] [tor-browser-spec/master] Add update security info.
mikeperry at torproject.org
Thu Apr 30 05:26:01 UTC 2015
Author: Mike Perry <mikeperry-git at torproject.org>
Date: Wed Apr 29 20:55:25 2015 -0700
Add update security info.
design-doc/design.xml | 55 +++++++++++++++++++++++++------------------------
1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/design-doc/design.xml b/design-doc/design.xml
index 5c16ce8..90f8032 100644
@@ -221,19 +221,6 @@ ephemeral-keyed encrypted swap.
-<!-- XXX-4.5: Add a section for this.
- <listitem><link linkend="update-safety"><command>Update Safety</command></link>
-The browser MUST NOT perform unsafe updates or upgrades. Update checks
-and downloads MUST protected by a pinned TLS certificate. All automatic update
-packages SHOULD be signed with at least one offline key. The update mechanism
-MUST have defenses against holdback/freeze attacks, downgrade attacks, and
-general availability attacks.
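Review bot: this hunk deletes the commented-out Update Safety requirement (pinned TLS for update checks and downloads, at least one offline signing key, defenses against holdback/freeze, downgrade and availability attacks) instead of un-commenting it, even though the same patch adds the update-safety sect2 that the listitem links to. Suggest restoring the listitem and its linkend so the requirement stays in the requirements list and the new section is cross-referenced from it.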
@@ -1121,13 +1108,6 @@ $HOME environment variable to be the TBB extraction directory.
-<!-- FIXME: Write me...
- <sect2 id="update-safety">
- <title>Update Safety</title>
- <para>FIXME: Write me..
<title>Cross-Origin Identifier Unlinkability</title>
@@ -2367,7 +2347,6 @@ of its update pings.
<title>Build Security and Package Integrity</title>
-<!-- XXX-4.5: signatures of MARs and exes are reproducibly removable -->
In the age of state-sponsored malware, <ulink
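Review bot: the removed XXX comment covers both MAR and exe signatures being reproducibly removable, but the text added later in this patch describes only stripping the Windows package signature with osslsigncode; add a sentence here or in the package-signatures section on how signed MAR files are compared against reproducible builds.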
@@ -2532,7 +2511,6 @@ time-based dependency tracking</ulink> that only appear in LXC containers.
-<!-- XXX-4.5: unsigning -->
<title>Package Signatures and Verification</title>
@@ -2565,11 +2543,11 @@ consensus, and encoding the package hashes in the Bitcoin blockchain.
-At the time of this writing, we do not yet support native code signing for Mac
-OS or Windows. Because these signatures are embedded in the actual packages,
-and by their nature are based on non-public key material, providing native
-code-signed packages while still preserving ease of reproducibility
-verification has not yet been achieved.
+The Windows releases are also signed by a hardware token provided by Digicert.
+In order to verify package integrity, the signature must be sripped off using
+the osslsigncode tool, as described on the <ulink
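Review bot: typo in the added line "the signature must be sripped off", which should read "stripped off". The paragraph also only explains removing the signature so the binary can be compared against a reproducible build; say whether the verifier is expected to check the Authenticode signature as well before stripping it, otherwise the text reads as if the signature is only an obstacle to verification.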
@@ -2598,6 +2576,29 @@ verifier.
+ <sect2 id="update-safety">
+ <title>Update Safety</title>
+We make use of the Firefox updater in order to provide automatic updates to
+users. We make use of certificate pinning to ensure that update checks
+be tampered with, and we sign the individual MAR update files with an offline
+The Firefox updater also has code to ensure that it can reliably access the
+update server to prevent availability attacks, and complains to the user of 48
+hours go by without a successful response from the server. Additionally, we
+use Tor's SOCKS username and password isolation to ensure that every new
+request to the updater traverses a separate circuit, to avoid holdback attacks
+by exit nodes.
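Review bot: the added sentence "to ensure that update checks be tampered with" is missing its negation ("cannot be tampered with"), and "complains to the user of 48 hours go by" should read "if 48 hours go by". On substance, the requirement deleted earlier in this patch listed downgrade attacks alongside holdback/freeze and availability attacks, but this section covers only availability (the 48-hour staleness complaint) and holdback (per-request circuit isolation via SOCKS username/password); add a sentence on how downgrades to an older signed MAR are prevented, or mark it as an open item.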