Tor Project infrastructure updates in response to security breach

Mike Perry mikeperry at fscked.org
Fri Jan 22 20:58:11 UTC 2010


Thus spake Paolo Palmieri (palmaway at gmx.it):

> Sorry, but I have to point out that none of the proposed solution really
> works, and both are actually quite bad from the security point of view.
> 
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actually it does little about security. It
> only verifies that the user is connected to the real Tor website, but if
> the file is corrupt or, worse, has been maliciously replaced by some
> malware version of it, you have no means of finding out. Since we are
> talking in this very thread about Tor servers being attacked, I consider
> this as a serious threat.
>
> "Check the git/gpg sig" is a little better, but from a quick look at the
> git repository I couldn't find the .xpi's on it (correct me if I'm wrong
> here). This means that only the sources are signed, thus requiring the
> user to recompile the package at every new release. This is time
> consuming, but it also add some additional requirements on the user,
> like having the right compilation environment on the box, having it
> properly configured etc. All this for no security benefit. Finally,
> checking the git's signature is not as easy as checking a simple .asc file.
> 
> So, I have to join Jim's plea. Mike, could you please put the .xpi's
> .asc signature files on the TorButton website?

You're right. I was considering addons.mozilla.org as the canonical
source of the xpi, but still, that can be owned too. In fact, I just
got a message from them informing me that they modified my torbutton
1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
they see fit to randomly modify the xpis too. Wonder what would happen
if I did have a code signing cert..

I've posted the gpg sigs for 1.2.2, 1.2.3 and 1.2.4 at:
https://www.torproject.org/torbutton/releases/

> P.S. Are git connection to the Tor git's repository protected by TLS
> against a valid certificate?

No. The git:// protocol is not protected. You need to rely on the tag
signatures.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20100122/f53f7f1e/attachment.pgp>


More information about the tor-talk mailing list