[tor-talk] automatic Tor browser updates

Ken Cline cline at frii.com
Sun Feb 14 08:16:02 UTC 2016
> On 13 Feb 2016, at 10:33 PM, Mirimir <mirimir at riseup.net> wrote:
> 
> I can't say that I trust the MAR update protocol as much as
> checking GPG signatures.

In practice, the OpenPGP format used by GPG is unsatisfactory for automatic software updates.  GPG does not provide a library for creating or reading this format, so you'd have to run the signature checking in a child process, along with gpg-agent, intrusive keyring management, and quirky behavior across operating systems.  More trouble than it is worth!

MAR is a refreshingly simple format which uses PKCS1 (RSA-2048 + SHA2 should be in use now) for signatures - the same cryptographic primitives you are likely to use with GPG, but without the OpenPGP format insanity.

> The scrupulous can disable automatic updating, and go old school.
Personally, I believe bugs in the Firefox side of TBB are far more likely to provide exploits than a signed MAR update process, but whatever floats your boat.
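The check the post describes, a PKCS#1 v1.5 RSA-2048 signature over a SHA-2 digest of the update bytes verified against a key pinned in the updater, as an added example in Go's standard library. This is not code from the thread or from the MAR updater and does not parse the MAR container; the key pair, the payload and the choice of SHA-256 are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// VerifyUpdate checks a PKCS#1 v1.5 RSA signature over SHA-256(payload)
// against a pinned public key; nil is returned only for a valid signature.
func VerifyUpdate(pub *rsa.PublicKey, payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// SignUpdate is the publisher side, included only so the example runs offline.
func SignUpdate(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Demo returns (validAccepted, tamperedRejected, wrongKeyRejected).
func Demo() (bool, bool, bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed publisher key
	if err != nil {
		return false, false, false
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // constructed unrelated key
	if err != nil {
		return false, false, false
	}
	payload := []byte("constructed update archive bytes")
	sig, err := SignUpdate(priv, payload)
	if err != nil {
		return false, false, false
	}
	validAccepted := VerifyUpdate(&priv.PublicKey, payload, sig) == nil
	tampered := append([]byte{}, payload...)
	tampered[0] ^= 0x01 // one flipped bit in the archive
	tamperedRejected := VerifyUpdate(&priv.PublicKey, tampered, sig) != nil
	wrongKeyRejected := VerifyUpdate(&other.PublicKey, payload, sig) != nil
	return validAccepted, tamperedRejected, wrongKeyRejected
}

func main() {
	fmt.Println(Demo()) // true true true
}
```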