Opened 5 years ago

Last modified 8 weeks ago

#10692 reopened defect

GetTor needs official two-factor-enabled dropbox and google accounts

Reported by: mrphs
Owned by:
Priority: High
Milestone:
Component: Applications/GetTor
Version:
Severity: Normal
Keywords:
Cc: sukhbir, arma, hellais, ioerror
Actual Points:
Parent ID: #8542
Points:
Reviewer:
Sponsor:

Description

We need official, two-factor-enabled Dropbox and Google accounts in order to finish what we've started on #8542.

We're already using Dropbox links in the GetTor reply message. This Dropbox account was not created using a secure email address and is for test purposes only.

This is very important, as an attacker may find a way to reset the password of that Dropbox account and replace legit bundles with malicious ones.

Change History (11)

comment:1 in reply to:  description Changed 4 years ago by ilv

Replying to mrphs:

> We need official, two-factor-enabled Dropbox and Google accounts in order to finish what we've started on #8542.
>
> We're already using Dropbox links in the GetTor reply message. This Dropbox account was not created using a secure email address and is for test purposes only.
>
> This is very important, as an attacker may find a way to reset the password of that Dropbox account and replace legit bundles with malicious ones.

We should also have account(s) for #12819

comment:2 Changed 3 years ago by ilv

We're now distributing links to download Tor Browser from GitHub. Right now we're using this repo, but we should use an official one. Maybe under the Tor Project organization? (I believe hellais owns it, but I'm not sure).

comment:3 Changed 3 years ago by sukhbir

@mrphs: Can you please look at this? We should fix this ASAP.

comment:4 Changed 3 years ago by ilv

Status update: Dropbox account has exceeded its quota. For now we're sending Google Drive links instead, using a personal account.

comment:5 Changed 3 years ago by isis

Cc: hellais ioerror added; phobos removed

Replying to ilv:

> We're now distributing links to download Tor Browser from GitHub. Right now we're using this repo, but we should use an official one. Maybe under the Tor Project organization? (I believe hellais owns it, but I'm not sure).


Yep, hellais is one of the owners.


Hey hellais and ioerror,

Could one of you set up a new team for GetTor under the TorProject GitHub account and add ilv to it, please? Also, I think you might need to make a gettor repo under that new team (I'm not sure how the team permissions work, e.g. who can create repos, etc.).

comment:6 in reply to:  5 Changed 3 years ago by ilv

Replying to isis:

> Hey hellais and ioerror,
>
> Could one of you set up a new team for GetTor under the TorProject GitHub account and add ilv to it, please? Also, I think you might need to make a gettor repo under that new team (I'm not sure how the team permissions work, e.g. who can create repos, etc.).

Thanks for the support isis! And yes, these things would be very helpful.

comment:7 Changed 3 years ago by hellais

I created a team called GetTor and invited ilv to it. In order to complete this transition you will have to transfer the ownership of the repo over to TheTorProject, then I will add that repo to the group GetTor and you will have admin capabilities on it (be able to do everything as well as add new people with any capability to the GetTor group).

comment:8 Changed 3 years ago by ilv

I've accepted the invitation and transferred the ownership of the repo to TheTorProject. Thanks hellais!

comment:9 Changed 12 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:10 Changed 8 weeks ago by traumschule

Resolution: wontfix
Status: new → closed

Closing this as WONTFIX since GetTor files are now on GitHub (#23703).

comment:11 Changed 8 weeks ago by mrphs

Resolution: wontfix
Status: closed → reopened

The idea of using cloud storage services to distribute Tor via GetTor is that if one of them is blocked, there are other ways to download Tor. And sure enough, the GitHub raw service, which is being used for downloading files directly from GitHub, is blocked in various places. Google Drive and Dropbox remain two of the main popular platforms with higher collateral, especially Google Drive.

Last edited 8 weeks ago by mrphs