[tor-project] A Statement from The Tor Project on Software Integrity and Apple

Kate Krauss kate at torproject.org
Mon Mar 21 16:04:23 UTC 2016


  A Statement from The Tor Project on Software Integrity and Apple

The Tor Project exists to provide privacy and anonymity for millions of
people, including human rights defenders across the globe whose lives
depend on it. The strong encryption built into our software is essential
for their safety.

In an age when people have so little control over the information
recorded about their lives, we believe that privacy is worth fighting for.

We therefore stand with Apple to defend strong encryption and to oppose
government pressure to weaken it. We will never backdoor our software.

Our users face very serious threats. These users include bloggers
reporting on drug violence in Latin America; dissidents in China,
Russia, and the Middle East; police and military officers who use our
software to keep themselves safe on the job; and LGBTI individuals who
face persecution nearly everywhere. Even in Western societies, studies
demonstrate that intelligence agencies such as the NSA are chilling
dissent and silencing political discourse
<http://m.jmq.sagepub.com/content/early/2016/02/25/1077699016630255.full.pdf?ijkey=1jxrYu4cQPtA6&keytype=ref&siteid=spjmq>
merely through the threat of pervasive surveillance.

For all of our users, their privacy is their security. And for all of
them, that privacy depends upon the integrity of our software, and on
strong cryptography. Any weakness introduced to help a particular
government would inevitably be discovered and could be used against all
of our users.

The Tor Project employs several mechanisms to ensure the security and
integrity of our software. Our primary product, the Tor Browser, is
fully open source. Moreover, anyone can obtain our source code and
produce bit-for-bit identical copies of the programs we distribute using
Reproducible Builds
<https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise>,
eliminating the possibility of single points of compromise or coercion
in our software build process. The Tor Browser downloads its software
updates anonymously using the Tor network, and update requests contain
no identifying information that could be used to deliver targeted
malicious updates
<http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/>
to specific users. These requests also use HTTPS encryption
<https://www.eff.org/pages/tor-and-https> and pinned HTTPS certificates
(a security mechanism that allows HTTPS websites to resist being
impersonated by an attacker by specifying exact cryptographic keys for
sites). Finally, the updates themselves are also protected by strong
cryptography, in the form of package-level cryptographic signatures (the
Tor Project signs the update files themselves). This use of multiple
independent cryptographic mechanisms and independent keys reduces the
risk of single points of failure.

The Tor Project has never received a legal demand to place a backdoor in
its programs or source code, nor have we received any requests to hand
over cryptographic signing material. This isn't surprising: we've been
public about our "no backdoors, ever"
<https://www.torproject.org/docs/faq#Backdoor> stance, we've had clear
public support from our friends at EFF and ACLU, and it's well-known
that our open source engineering processes and distributed architecture
make it hard to add a backdoor quietly.

From an engineering perspective, our code review and open source
development processes make it likely that such a backdoor would be
quickly discovered. We are also currently accelerating the development
of a vulnerability-reporting reward program to encourage external
software developers to look for and report any vulnerabilities that
affect our primary software products.

The threats that Apple faces to hand over its cryptographic signing keys
<http://fortune.com/2016/03/11/apple-fbi-source-code-signature/> to the
US government (or to sign alternate versions of its software for the US
government) are no different than threats of force or compromise that
any of our developers or our volunteer network operators may face from
any actor, governmental or not. For this reason, regardless of the
outcome of the Apple decision, we are exploring further ways to
eliminate single points of failure, so that even if a government or a
criminal obtains our cryptographic keys, our distributed network and its
users would be able to detect this fact and report it to us as a
security issue.

Like those at Apple
<http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html>,
several of our developers have already stated that they would rather
resign than honor any request to introduce a backdoor or vulnerability
into our software that could be used to harm our users. We look forward
to making an official public statement on this commitment as the
situation unfolds. However, since requests for backdoors or
cryptographic key material so closely resemble many other forms of
security failure, we remain committed to researching and developing
engineering solutions to further mitigate these risks, regardless of
their origin.

We congratulate Apple on their commitment to the privacy and security of
their users, and we admire their efforts to advance the debate over the
right to privacy and security for all.

-- 

Kate Krauss
Director of Communications 
and Public Policy
kate at torproject.org
@TorProject
1-718-864-6647 (works for Signal also)
PGP: CC0D 9B42 DE89 D4D0 619B A606 DDEB 3937 7D18 973B



