Issue D. Tor Build Script Downloads zlib Over HTTP
At 2014-04-23 11:53:14 Arturo Filastò wrote: The build_tor2web_tor.sh script downloads code to be built from the following URLs:
# Package URLS

URLS="\
https://www.torproject.org/dist/tor-$TOR_VERSION.tar.gz
https://www.torproject.org/dist/tor-$TOR_VERSION.tar.gz.asc
http://zlib.net/zlib-$ZLIB_VERSION.tar.gz
https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz.asc
https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz
https://github.com/downloads/libevent/libevent/libevent-$LIBEVENT_VERSION.tar.gz.asc
https://github.com/downloads/libevent/libevent/libevent-$LIBEVENT_VERSION.tar.gz"
All URLs are HTTPS except for the zlib one, which is HTTP. An attacker could intercept the zlib download connection and inject malicious code, so that Tor is built with a malicious copy of zlib.
Remediation
The integrity of the zlib code should be verified. This could be done in one of the following ways:
• Include a hard-coded SHA256 checksum of the file, which gets checked after it has been downloaded.
• Host a copy of zlib on a server that supports secure connections.
• Encourage the zlib project to support HTTPS and/or GPG signatures.
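The first remediation, a pinned SHA256 checksum checked after download, as an added example that is not part of the original issue or of the ooni-probe build script. The ZLIB_SHA256 value is a placeholder; the real digest would be taken from a trusted source and hard-coded in build_tor2web_tor.sh.

```shell
# Added example, not from build_tor2web_tor.sh: verify a downloaded tarball
# against a hard-coded SHA256 digest before it is used in the build.
# PLACEHOLDER: replace with the digest of the real zlib-$ZLIB_VERSION.tar.gz,
# obtained out of band from a trusted source.
ZLIB_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA256 hex digest of a file; works with coreutils or perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's digest matches the expected digest, 1 otherwise.
# The pinned value is lower-cased so an uppercase hex string still matches.
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# Download (over plain HTTP, as the script does today) and verify before use.
# The transport is untrusted; only the pinned digest provides integrity.
fetch_and_verify() {
    url="$1"
    expected="$2"
    out=$(basename "$url")
    wget -q -O "$out" "$url" || return 1
    if ! verify_sha256 "$out" "$expected"; then
        rm -f "$out"   # never leave a tampered tarball where a later step could use it
        return 1
    fi
    return 0
}

# Usage inside the build script (placeholder version and digest):
# fetch_and_verify "http://zlib.net/zlib-$ZLIB_VERSION.tar.gz" "$ZLIB_SHA256" || exit 1
```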
This issue was automatically migrated from github issue https://github.com/TheTorProject/ooni-probe/issues/303