Audit Instantbird's security
We need a thorough security audit of Instantbird which checks for things like:
- render attack surface (content window, XSS filter, etc.)
- crypto in NSS and how JS uses it (if we use it?)
- interface between the UI and OTR
- Proxy by-pass issues
Trac:
Keywords: N/A deleted, SponsorO added
Trac:
Cc: N/A to gk
Trac:
Parent: N/A to #14161 (closed)
Keywords: N/A deleted, TorMessengerPublic added
Trac:
Status: new to assigned
Owner: N/A to sukhbir
Trac:
Cc: gk to gk, arlolra
I talked to Florian today and he gave me some hints and useful information for auditing. I plan to work at some of the above points although I probably won't have the time to cover all things mentioned in the description.
That's great to hear. Thanks!
Attached are the things I did and found while looking at Tor Messenger (essentially version 0.0.6, I guess). It contains some ToDos for the next audit as well.
Trac:
audit_tor_messenger0.0.6
Thanks gk! That was very helpful. I reopened a few tickets and copied findings to their relevant tasks.
Removing parent (#14161 (closed)) as blocker as we already have tickets for the tasks.
Trac:
Parent: #14161 (closed) to N/A
Trac:
Keywords: SponsorO deleted, N/A added
Trac:
Keywords: TorMessengerPublic deleted, N/A added
Trac:
Owner: sukhbir to N/A
Sponsor: N/A to N/A
Severity: N/A to Normal
Reviewer: N/A to N/A
Trac:
Status: assigned to new
<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should have done earlier :)
sad but true: https://blog.torproject.org/sunsetting-tor-messenger
luckily there are alternatives: https://blog.torproject.org/tor-heart-onion-messaging
.. and maybe someday
Trac:
Status: new to closed
Resolution: N/A to wontfix
Trac closed