[tor-talk] Binary patch downloads (for updating TBB)?

Mike Perry mikeperry at torproject.org
Sun Jun 30 03:32:26 UTC 2013


Nick Mathewson:
> On Sat, Jun 29, 2013 at 10:32 PM, Mike Perry <mikeperry at torproject.org> wrote:
> > David Balažic:
> >> Hi!
> >>
> >> You don't realize how big the TBB is until you're forced to use a slow
> >> connection.
> >>
> >> In that light, are there patches available to update between releases?
> >> It might reduce load on the servers too.
> >
> > We hope to support the Firefox updater in TBB soon. After some Tor
> > Launcher cleanup, this is Pearl Crescent's next task.
> >
> > The Firefox updater uses Mozilla MAR format, and updates contain only
> > the binary deltas (patches) between two release versions.
> >
> > Until then, you're still basically stuck removing your previous TBB and
> > downloading a new one to replace it, though..
> 
> Is there a good rundown somewhere on the security properties of the
> firefox updating system?

The initial design doc is at:
https://wiki.mozilla.org/Software_Update

Here's a smattering of illustrative urls:
https://wiki.mozilla.org/Software_Update:Checking_For_Updates
https://wiki.mozilla.org/Software_Update:updates.xml_Format
https://wiki.mozilla.org/Software_Update:MAR#SIGNATURE_blocks

Also note that Firefox does support cert-level pinning specifically for
its update servers, so in addition to MAR signatures, the system also
has a trust path through the compiled-in https cert to the updates.xml
hash value for the update.

I have not yet thought hard about how to integrate it with deterministic
builds, multiple builder signatures, etc..


In terms of Firefox update vs Thandy, my estimation is that supporting
Firefox Update will be considerably less engineering effort and future
maintenance, but that we should still work towards deploying both in
case either updater experiences unexpected issues.

If we find any terribly bad security properties in the process of
understanding, adapting, and deploying Firefox update, we can consider
either patching it or making it optional.

For example, I am sure that it is not hardened against freeze attacks,
infinite-download attacks, and other TUF/Thandy threat model issues.
Some of these are no worse than our current status quo with our existing
in-browser update notification. For more severe issues, we can probably
convince Mozilla to fix them.



-- 
Mike Perry
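
As an added illustration (not part of the original message, and not code from Firefox, Thandy or TUF): a minimal client-side check against the freeze and infinite-download attacks mentioned above. It assumes the update manifest has already been authenticated by signature; the field names `expires`, `size`, `sha512` and `version` and all sample values are hypothetical.

```python
import hashlib
import io
from datetime import datetime, timedelta, timezone

class UpdateRejected(Exception):
    """Raised when an update fails a client-side check."""

def check_metadata(meta, installed, now):
    # Freeze attack: a replayed old manifest stays validly signed forever
    # unless it carries an expiry that the client enforces.
    if now >= meta["expires"]:
        raise UpdateRejected("metadata expired")
    # Rollback: never accept a version older than the installed one.
    if tuple(meta["version"]) < tuple(installed):
        raise UpdateRejected("version older than installed")

def fetch_bounded(stream, meta, chunk=4096):
    # Infinite-download attack: stop as soon as the declared size is
    # exceeded instead of buffering whatever the server keeps sending.
    digest, buf = hashlib.sha512(), bytearray()
    while block := stream.read(chunk):
        if len(buf) + len(block) > meta["size"]:
            raise UpdateRejected("payload larger than declared size")
        buf += block
        digest.update(block)
    if len(buf) != meta["size"] or digest.hexdigest() != meta["sha512"]:
        raise UpdateRejected("size or hash mismatch")
    return bytes(buf)

class EndlessStream:
    """Constructed stand-in for a server that never stops sending."""
    def read(self, n):
        return b"\0" * n

# Constructed sample data, not a real update or a real manifest.
NOW = datetime(2013, 6, 30, tzinfo=timezone.utc)
PAYLOAD = b"constructed update payload " * 200
META = {"version": (17, 0, 7), "size": len(PAYLOAD),
        "sha512": hashlib.sha512(PAYLOAD).hexdigest(),
        "expires": NOW + timedelta(days=7)}

if __name__ == "__main__":
    check_metadata(META, (17, 0, 6), NOW)
    print(len(fetch_bounded(io.BytesIO(PAYLOAD), META)), "bytes accepted")
    for label, call in [
        ("stale manifest", lambda: check_metadata(META, (17, 0, 6), NOW + timedelta(days=30))),
        ("endless stream", lambda: fetch_bounded(EndlessStream(), META)),
    ]:
        try:
            call()
        except UpdateRejected as exc:
            print(label, "->", exc)
```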