[tor-dev] Tor Browser Launcher

Jacob Appelbaum jacob at appelbaum.net
Mon Feb 18 20:29:49 UTC 2013


Micah Lee:
> On 02/18/2013 12:15 AM, Jacob Appelbaum wrote:
>> Do you plan to download TBB over Tor that is provided by the system, say
>> by adding a dependency on a system Tor?
> 
> I was assuming that making the launcher depend on a system Tor would be
> troublesome. However now that I'm looking at
> https://www.torproject.org/docs/debian again, it seems like it could
> totally work. What about for Ubuntu users?

For normal Debian GNU/Linux users, I believe it will work. For recent
versions of Ubuntu, I also believe it will work. I would also say that
the launcher could prompt them to actually *add* the Tor repositories
that fix the problems Ubuntu users may or may not face in the future.

> 
> My workaround plan was to download TBB not over Tor the first time.
> After extracting it, copy a Firefox extension into the TBB profile, and
> then run it. From that point on, the extension would be in charge of
> checking for updates, downloading new updates, and telling the user when
> they should restart their browser.
> 

I'm not sure I follow? You want to extend TBB to check for updates
itself? In the long term, I think that is a fine plan - though in the
short term, I think a simple script can be safer, easier and generally
better. Imagine for a moment that there was a system wide cache of TBB
downloads? One TBB to rule them all, or something. Such a thing wouldn't
be easy inside of Firefox.

> But I think I'll make a Tor dependency instead. It would make things way
> simpler and much less work.
> 

Yeah, I totally agree. I'd also say that the code should be aware of the
fact that Tor *may* not work - so you may want to look into using stem
to either control it (eg: ask a user to enter a bridge) or simply to see
the state.

>>> And there are screenshots here:
>>> http://imgur.com/a/Mvpwl
>>>
>>
>> These look pretty great. I'd say the wording needs a bit of work but
>> generally, it seems reasonable. I'd suggest that if signatures don't
>> work, I'd add a 'report' button rather than an exit button. I'd also
>> suggest that you might want to ensure that version numbers are always
>> increasing and other things that are outlined in the. A MITM may be able
>> to replay an old valid signature for a package, does your code handle
>> that case? You may enjoy the paper and code on theupdateframework.com to
>> look into those kinds of issues...
> 
> That's a good idea about adding a report button. I just opened a bug for
> this:
> 
> https://github.com/micahflee/torbrowser-launcher/issues/6

Coolness.

> 
> What do you think the report button should do? What information should
> it send back to us, and how should it send it? If there is a real attack
> and the user can't successfully download TBB, how can we make sure they
> can successfully report the attack? You can post comments on the bug.
> 

I'll add comments to the bug.

> I'll read the paper on the update framework. As it stands, it would be
> possible for an attacker to replay an old valid signature to get someone
> to update to an old version. I just opened a new bug for this:
> 
> https://github.com/micahflee/torbrowser-launcher/issues/4
> 

Great.

>> Do you pin SSL certs? Or fetch from known mirrors? Or...? :)
> 
> No. I assumed that if someone successfully did a MITM attack on the
> https connection to torproject.org, they wouldn't get their malicious
> software installed because of the signature verification. Also, I didn't
> realize urllib2 doesn't check certs automatically. It's a good idea to
> implement anyway. Thanks for opening the bug about it.
> 
> https://github.com/micahflee/torbrowser-launcher/issues/1
> 

Sure - I find it hard to believe that Python's development community
actually settled on that as the default behavior. It bites nearly everyone.

>>> Before trying to get it in Debian I'd like to make it so it doesn't need
>>> to be updated each time TBB is updated. There are more details in the
>>> ticket, but this would require Tor to maintain a file on
>>> https://www.torproject.org/ that has the current version number of TBB
>>> in it and a timestamp, and possibly digital signature of this file too.
>>>
>>
>> TBB has a version check built into it - have you seen how it works?
> 
> I haven't. Doesn't check.torproject.org tell you if your TBB is out of
> date? Can you link me to the file where it's implemented?

I'm not sure where it is - I'd ask Mike Perry or Erinn.

> 
>>> Do you think this is doable?
>>>
>>
>> I think it is reasonable - I wonder though, can't you just fetch
>> https://www.torproject.org/dist/torbrowser/ and parse it to look for
>> files that match a given file pattern? As an example,
>> https://www.torproject.org/dist/torbrowser/?C=M;O=D will sort by latest
>> date, as will https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D
>> for GNU/Linux and so on for Mac OS X:
>> https://www.torproject.org/dist/torbrowser/osx/?C=M;O=A
> 
> I'd thought about this, but I wasn't sure if this is a reliable way to
> know which version to download. For example, when I go to
> https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D now, the first
> file is:
> 
> tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz.asc
> 
> But when I go to the TBB download page, the version I'm presented with
> is 2.3.25-2, not 2.4.10-alpha-1. Maybe TBB's built-in version check will
> shed some light onto the best way to know what the latest stable version is.
> 

Well, which should your users be using? From my perspective, I think you
should give them the alpha and help them report bugs! :-)

>>> I also want to get it localized into all the languages TBB is localized
>>> into. Any thoughts or suggestions?
>>>
>>
>> Once the program is structured in a way that the strings are pretty much
>> fixed, I'd suggest Transifex: https://www.transifex.com/ as it is what
>> Tor uses for most every translation need.
> 
> Cool! I'll wait until this is closer to done and the strings are more
> fixed to do this.
> 

Great.

>> I'm off to read the code and try it out! Thanks!
> 
> Thanks!
> 

I pushed a code audit first pass to the git repo, did you see the
branches that I added?

All the best,
Jacob
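
Added example (not code from torbrowser-launcher or the Tor Project): one way to handle the two version questions raised in this message, choosing the latest stable bundle from a directory listing in which an alpha sorts first, and refusing any candidate that is not newer than the installed version even when its signature verifies. The file name pattern is assumed from the single name quoted above; the listing entries and function names are constructed for illustration.

```python
import re

# Assumption: versions look like "2.3.25-2" or "2.4.10-alpha-1", the two
# forms quoted in the thread.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)(?:-(alpha|beta|rc))?-(\d+)")
BUNDLE_RE = re.compile(
    r"^tor-browser-gnu-linux-(?P<arch>x86_64|i686)-(?P<version>"
    r"\d+(?:\.\d+)+(?:-(?:alpha|beta|rc))?-\d+"
    r")-dev-(?P<lang>[A-Za-z]{2}(?:-[A-Za-z]{2})?)\.tar\.gz$"
)
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None means stable

# Constructed sample of names parsed out of the dist/torbrowser/linux/ index.
SAMPLE_LISTING = [
    "tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz.asc",
    "tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-x86_64-2.3.25-2-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-x86_64-2.3.9-1-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-x86_64-2.3.25-2-dev-de.tar.gz",
]

def version_key(version):
    """Sort key comparing components as integers, so 2.3.25 > 2.3.9."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError("unrecognised version: %r" % (version,))
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, STAGE_RANK[m.group(2)], int(m.group(3))

def latest_bundle(names, arch, lang, allow_prerelease=False):
    """Return the highest matching version string, or None if none match."""
    best = None
    for name in names:
        m = BUNDLE_RE.match(name)  # skips .asc files and unknown names
        if m is None or m["arch"] != arch or m["lang"] != lang:
            continue
        version = m["version"]
        stable = version_key(version)[1] == STAGE_RANK[None]
        if not stable and not allow_prerelease:
            continue
        if best is None or version_key(version) > version_key(best):
            best = version
    return best

def is_upgrade(installed, candidate):
    """Rollback guard: accept only a strictly newer version. A replayed old
    package still carries a valid signature, so this runs in addition to
    signature verification, not instead of it."""
    return version_key(candidate) > version_key(installed)
```

The installed version passed to is_upgrade has to come from local state the launcher wrote after the last verified install, not from anything fetched over the network.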

