Opened 5 years ago

Last modified 10 months ago

#10692 new defect

GetTor needs official two-factor-enabled dropbox and google accounts

Reported by: mrphs Owned by:
Priority: High Milestone:
Component: Applications/GetTor Version:
Severity: Normal Keywords:
Cc: sukhbir, arma, hellais, ioerror Actual Points:
Parent ID: #8542 Points:
Reviewer: Sponsor:

Description

we need official, and two-factor-enabled dropbox and google accounts in order to finish what we've started on #8542.

we're already using dropbox links in gettor reply message. this dropbox account was not created using a secure email address and is for test purpose only.

This is very important as an attacker may find a way to reset the password of that dropbox account and replace legit bundles with malicious ones.

Child Tickets

Change History (9)

comment:1 in reply to:  description Changed 4 years ago by ilv

Replying to mrphs:

we need official, and two-factor-enabled dropbox and google accounts in order to finish what we've started on #8542.

we're already using dropbox links in gettor reply message. this dropbox account was not created using a secure email address and is for test purpose only.

This is very important as an attacker may find a way to reset the password of that dropbox account and replace legit bundles with malicious ones.

We should also have account(s) for #12819

comment:2 Changed 3 years ago by ilv

We're now distributing links to download Tor Browser from github. Right now we're using this repo, but we should use an official one. Maybe under Tor Project organization? (I believe hellais owns it, but I'm not sure).

comment:3 Changed 3 years ago by sukhbir

@mrphs: Can you please look at this? We should fix this ASAP.

comment:4 Changed 3 years ago by ilv

Status update: Dropbox account has exceeded its quota. For now we're sending Google Drive links instead, using a personal account.

comment:5 Changed 3 years ago by isis

Cc: hellais ioerror added; phobos removed

Replying to ilv:

We're now distributing links to download Tor Browser from github. Right now we're using this repo, but we should use an official one. Maybe under Tor Project organization? (I believe hellais owns it, but I'm not sure).


Yep, hellais is one of the owners.


Hey hellais and ioerror,

Could one of you set up a new team for GetTor under the TorProject github account and add ilv to it, please? Also I think you might need to make a gettor repo under that new team (I'm not sure how the team permissions work, e.g. who can create repos, etc.).

comment:6 in reply to:  5 Changed 3 years ago by ilv

Replying to isis:

Hey hellais and ioerror,

Could one of you set up a new team for GetTor under the TorProject github account and add ilv to it, please? Also I think you might need to make a gettor repo under that new team (I'm not sure how the team permissions work, e.g. who can create repos, etc.).

Thanks for the support isis! And yes, these things would be very helpful.

comment:7 Changed 3 years ago by hellais

I created a team called GetTor and invited ilv to it. In order to complete this transition you will have to transfer the ownership of the repo over to TheTorProject, then I will add that repo to the group GetTor and you will have admin capabilities on it (be able to do everything as well as add new people with any capability to the GetTor group).

comment:8 Changed 3 years ago by ilv

I've accepted the invitation and transferred the ownership of the repo to TheTorProject. Thanks hellais!

comment:9 Changed 10 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.