Opened 4 years ago

Closed 2 years ago

#13968 closed task (implemented)

Document a metaproject security policy

Reported by: michael
Owned by:
Priority: High
Milestone:
Component: Applications/Tor Browser
Version: Tor: 0.2.7
Severity: Normal
Keywords: security, documentation, tor-doc-process
Cc:
Actual Points:
Parent ID:
Points: 3
Reviewer:
Sponsor: SponsorU-can

Description

Considering the year of Heartbleed, Shellshock, and POODLE exploits, as well as internal vulnerabilities and high-profile attention catchers, a security page might help folks in tricky situations determine if their Tor component is secure. Right now security advisories are published on the blog and there's no formal maintenance window.

As with #13966 (exploit reporting), it might be useful to study FreeBSD security information and pick out the parts we'd like to apply.

Change History (27)

comment:1 Changed 4 years ago by nickm

Milestone: Tor: 0.2.7.x-final

comment:2 Changed 4 years ago by nickm

Status: new → assigned

comment:3 Changed 4 years ago by nickm

Keywords: 027-triaged-1-in added

Marking more tickets as triaged-in for 0.2.7

comment:4 Changed 4 years ago by nickm

As another place to look, let's see https://www.openssl.org/about/secpolicy.html

comment:5 Changed 4 years ago by isabela

Keywords: SponsorU added
Points: medium
Priority: normal → major
Version: Tor: 0.2.7

comment:6 Changed 4 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.8.x-final

comment:7 Changed 4 years ago by nickm

Keywords: 028-triaged added

comment:8 Changed 4 years ago by nickm

Keywords: SponsorU removed
Sponsor: SponsorU

Bulk-replace SponsorU keyword with SponsorU field.

comment:9 Changed 3 years ago by nickm

Priority: High → Medium

comment:10 Changed 3 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.9.x-final
Status: assigned → new

Turn most 0.2.8 "assigned" tickets with no owner into "new" tickets for 0.2.9. Disagree? Find somebody who can do it (maybe you?) and get them to take it on for 0.2.8. :)

comment:11 Changed 3 years ago by isabela

Sponsor: SponsorU → SponsorU-can

comment:12 Changed 3 years ago by nickm

Priority: Medium → High

comment:13 Changed 3 years ago by nickm

Owner: set to nickm
Status: new → accepted

comment:14 Changed 3 years ago by nickm

Keywords: tor-doc-process added

comment:15 Changed 3 years ago by isabela

Points: medium → 3

comment:16 Changed 3 years ago by nickm

Owner: nickm deleted
Status: accepted → assigned

by no means sure that I can get to these.

comment:17 Changed 3 years ago by nickm

Status: assigned → new

Put all unowned "assigned" tickets back into "new".

comment:18 Changed 3 years ago by isabela

Keywords: isaremoved added
Milestone: Tor: 0.2.9.x-final → Tor: 0.2.???

comment:19 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:20 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:21 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:22 Changed 2 years ago by nickm

Keywords: 027-triaged-in added

comment:23 Changed 2 years ago by nickm

Keywords: 027-triaged-in removed

comment:24 Changed 2 years ago by nickm

Keywords: 027-triaged-1-in removed

comment:25 Changed 2 years ago by nickm

Keywords: 028-triaged removed

comment:26 Changed 2 years ago by nickm

Keywords: isaremoved removed

comment:27 Changed 2 years ago by nickm

Component: Core Tor/Tor → Applications/Tor Browser
Milestone: Tor: unspecified
Resolution: implemented
Severity: Normal
Status: new → closed

The tor part of this is launched: see https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy

The non-Tor part of this will need to get buy-in from other parts of the Tor world too.

I'm going to kick this over to the Tor Browser world: how can we edit our policy to make it your policy too? Or would you like to make your own?
