[tor-dev] Tor Browser Launcher

Micah Lee micahflee at riseup.net
Mon Feb 18 20:05:46 UTC 2013

On 02/18/2013 12:15 AM, Jacob Appelbaum wrote:
> Do you plan to download TBB over Tor that is provided by the system, say
> by adding a dependency on a system Tor?

I was assuming that making the launcher depend on a system Tor would be
troublesome. However, now that I'm looking at
https://www.torproject.org/docs/debian again, it seems like it could
totally work. What about for Ubuntu users?

My workaround plan was to download TBB not over Tor the first time.
After extracting it, copy a Firefox extension into the TBB profile, and
then run it. From that point on, the extension would be in charge of
checking for updates, downloading new updates, and telling the user when
they should restart their browser.

But I think I'll make a Tor dependency instead. It would make things way
simpler and much less work.

>> And there are screenshots here:
>> http://imgur.com/a/Mvpwl
> These look pretty great. I'd say the wording needs a bit of work but
> generally, it seems reasonable. I'd suggest that if signatures don't
> work, I'd add a 'report' button rather than an exit button. I'd also
> suggest that you might want to ensure that version numbers are always
> increasing and other things that are outlined in the. A MITM may be able
> to replay an old valid signature for a package, does your code handle
> that case? You may enjoy the paper and code on theupdateframework.com to
> look into those kinds of issues...

That's a good idea about adding a report button. I just opened a bug for


What do you think the report button should do? What information should
it send back to us, and how should it send it? If there is a real attack
and the user can't successfully download TBB, how can we make sure they
can successfully report the attack? You can post comments on the bug.

I'll read the paper on the update framework. As it stands, it would be
possible for an attacker to replay an old valid signature to get someone
to update to an old version. I just opened a new bug for this:


> Do you pin SSL certs? Or fetch from known mirrors? Or...? :)

No. I assumed that if someone successfully did a MITM attack on the
https connection to torproject.org, they wouldn't get their malicious
software installed because of the signature verification. Also, I didn't
realize urllib2 doesn't check certs automatically. It's a good idea to
implement anyway. Thanks for opening the bug about it.


>> Before trying to get it in Debian I'd like to make it so it doesn't need
>> to be updated each time TBB is updated. There are more details in the
>> ticket, but this would require Tor to maintain a file on
>> https://www.torproject.org/ that has the current version number of TBB
>> in it and a timestamp, and possibly a digital signature of this file too.
> TBB has a version check built into it - have you seen how it works?

I haven't. Doesn't check.torproject.org tell you if your TBB is out of
date? Can you link me to the file where it's implemented?

>> Do you think this is doable?
> I think it is reasonable - I wonder though, can't you just fetch
> https://www.torproject.org/dist/torbrowser/ and parse it to look for
> files that match a given file pattern? As an example,
> https://www.torproject.org/dist/torbrowser/?C=M;O=D will sort by latest
> date, as will https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D
> for GNU/Linux and so on for Mac OS X:
> https://www.torproject.org/dist/torbrowser/osx/?C=M;O=A

I'd thought about this, but I wasn't sure if this is a reliable way to
know which version to download. For example, when I go to
https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D now, the first
file is:


But when I go to the TBB download page, the version I'm presented with
is 2.3.25-2, not 2.4.10-alpha-1. Maybe TBB's built-in version check will
shed some light onto the best way to know what the latest stable version is.

>> I also want to get it localized into all the languages TBB is localized
>> into. Any thoughts or suggestions?
> Once the program is structured in a way that the strings are pretty much
> fixed, I'd suggest Transifex: https://www.transifex.com/ as it is what
> Tor uses for most every translation need.

Cool! I'll wait until this is closer to done and the strings are more
fixed to do this.

> I'm off to read the code and try it out! Thanks!


Micah Lee
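
The replay and rollback concern discussed in this message, as an added example that is not code from the launcher or from either participant: a check that runs after signature verification and refuses metadata that is older than what was last accepted. The metadata layout (`version`, `timestamp`), the version grammar and all function names are assumptions made for illustration.

```python
import re

# Assumed version shape, taken from the two versions named in the thread:
# "2.3.25-2" (stable) and "2.4.10-alpha-1" (pre-release).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc))?-(\d+)")
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # stable sorts last


class UpdateRejected(Exception):
    """Signed metadata that must not be acted on."""


def parse_version(text):
    """Return a tuple that orders TBB-style versions, or raise ValueError."""
    match = _VERSION_RE.fullmatch(text)
    if match is None:
        raise ValueError("unrecognised version string: %r" % (text,))
    major, minor, patch, stage, build = match.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(build))


def check_update(metadata, state, allow_prerelease=False):
    """Decide on metadata whose signature was ALREADY verified by the caller.

    metadata: {"version": str, "timestamp": int}, a hypothetical file layout
    state:    same keys, persisted locally from the last accepted metadata
    Returns True if a newer release should be installed, False if up to date.
    """
    new = parse_version(metadata["version"])
    old = parse_version(state["version"])
    if metadata["timestamp"] < state["timestamp"]:
        raise UpdateRejected("metadata older than last seen: replay suspected")
    if new < old:
        raise UpdateRejected("version went backwards: rollback suspected")
    if new[3] != _STAGE_RANK[None] and not allow_prerelease:
        raise UpdateRejected("pre-release offered to a stable install")
    return new > old


if __name__ == "__main__":
    # Constructed sample values; timestamps are arbitrary Unix times.
    state = {"version": "2.3.25-2", "timestamp": 1361000000}
    old_but_validly_signed = {"version": "2.3.25-1", "timestamp": 1361100000}
    try:
        check_update(old_but_validly_signed, state)
    except UpdateRejected as exc:
        print("rejected:", exc)
```

The persisted `state` has to be written only after an update is accepted, otherwise a rejected replay could still move the baseline.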
