Opened 5 years ago

Last modified 3 years ago

#14971 new enhancement

Log certificate if there is a certificate error while checking for Tor Browser updates

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Yesterday, I saw a certificate error during the update check of Tor Browser. I was quite sad to not be able to see which certificate caused this issue. Maybe we can log all the relevant values if update logging is enabled in this case. Bonus points if we can get the respective exit node for the connection.

Change History (3)

comment:1 Changed 5 years ago by mcs

Do you remember what error you saw and how it was presented?
Do you know if the error was during the update check (fetch XML update manifest) or if it was during download of the MAR file?

There are a couple of certificate-related errors that may be displayed, but the English strings do not actually mention certificates so maybe you saw something else:

<!ENTITY errorCertAttrNoUpdate2.label "Something is preventing &brandShortName; from updating securely. Please make sure that you have the latest version of &brandShortName; from:">
<!ENTITY errorCertAttrHasUpdate.label "Something is trying to trick &brandShortName; into accepting an insecure update. Please contact your network provider and seek help.">

comment:2 in reply to:  1 Changed 5 years ago by gk

Replying to mcs:

> Do you remember what error you saw and how it was presented?

Just some CertUtil check that was failing, IIRC.

> Do you know if the error was during the update check (fetch XML update manifest) or if it was during download of the MAR file?

The former. It was one of the background checks related by the timer that failed. But good point, though. I think I'd like to know if either of these requests gets MiTM'd.

> There are a couple of certificate-related errors that may be displayed, but the English strings do not actually mention certificates so maybe you saw something else:
>
> <!ENTITY errorCertAttrNoUpdate2.label "Something is preventing &brandShortName; from updating securely. Please make sure that you have the latest version of &brandShortName; from:">
> <!ENTITY errorCertAttrHasUpdate.label "Something is trying to trick &brandShortName; into accepting an insecure update. Please contact your network provider and seek help.">

I saw neither. Just the error in my terminal.

comment:3 Changed 3 years ago by cypherpunks

Severity: Normal

Maybe, just to check silently by special software whether exit node passes update requests or not?
