Tor Project infrastructure updates in response to security breach

Paolo Palmieri palmaway at gmx.it
Fri Jan 22 18:40:07 UTC 2010


>> Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
>> sign .xpis, but have been sloppy about posting them publicly.
> <snip>
>> For now, I think the right answer is "Fetch it over SSL" or "Check the
>> git/gpg sig".
> 
> Could you make a point of publicly posting the .xpi gpg signatures along
> with the .xpis?
> <snip>
> So I'd much appreciate being able to get the signature w/o having to
> figure out git.  Particularly if that signature has already been created.

Sorry, but I have to point out that none of the proposed solution really
works, and both are actually quite bad from the security point of view.

"Fetch it over SSL" doesn't give the user any guarantee about the
authenticity of the file. Actually it does little about security. It
only verifies that the user is connected to the real Tor website, but if
the file is corrupt or, worse, has been maliciously replaced by some
malware version of it, you have no means of finding out. Since we are
talking in this very thread about Tor servers being attacked, I consider
this as a serious threat.

"Check the git/gpg sig" is a little better, but from a quick look at the
git repository I couldn't find the .xpi's on it (correct me if I'm wrong
here). This means that only the sources are signed, thus requiring the
user to recompile the package at every new release. This is time
consuming, but it also add some additional requirements on the user,
like having the right compilation environment on the box, having it
properly configured etc. All this for no security benefit. Finally,
checking the git's signature is not as easy as checking a simple .asc file.

So, I have to join Jim's plea. Mike, could you please put the .xpi's
.asc signature files on the TorButton website?

Thanks,
Paolo

P.S. Are git connection to the Tor git's repository protected by TLS
against a valid certificate?
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list