There is a Windows mechanism to lock down access to applications, called AppLocker, and Tor Browser is not compatible with some ways of managing access. We need to think about what kind of rule compatibility we want to support:
There are
publisher based rules
path based rules
filehash based rules
We probably have a hard time making Tor Browser compatible with the default rules, see: https://bugzilla.mozilla.org/show_bug.cgi?id=902771 while file hash based rules should work already and are the most recommended ones. The question then probably remains: should we support publisher rules and sign all the Windows files (that is, at least .exe and .dll)? I think so, at least in the long run.
I agree that signing all the binaries and DLLs would be ideal.

Here I've avoided the default rules and require all binaries be signed by an approved publisher or have a hash entry, i.e. strict whitelisting. Allowing anything in system directories to run is less about security and more about controlling what applications users can run in a managed environment.

With signed binaries, just one EXE and one DLL rule are required. Presently I have to create two hash rules for each TBB release, adding files from several subdirectories. It is a fair amount of work. Temporary installer DLLs require a rule as well.

While whitelisting is not, as many point out, a silver bullet against intrusion, it raises the bar for attackers tremendously. It makes obtaining persistence much more difficult.

Perhaps Linux signed binaries should be supported eventually as well. I don't know enough about it yet myself to have an opinion.
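The strict whitelisting setup described in the comment above (no default rules; a publisher rule where a binary is signed, a hash rule otherwise), written out as an added PowerShell example. This is not code from the ticket or from the Tor Project's own tooling. It assumes the AppLocker cmdlets are available (Windows Enterprise/Server), an elevated session, and that Tor Browser is installed under the $TorRoot folder shown (adjust to the real location); it also assumes Get-AppLockerFileInformation reports an empty Publisher for unsigned files.

```powershell
# Added example: build a strict AppLocker whitelist for Tor Browser without the
# default rules. Assumptions: AppLocker module present, run as Administrator,
# Tor Browser installed at $TorRoot (assumed path, adjust as needed).
Import-Module AppLocker

$TorRoot    = Join-Path $env:USERPROFILE 'Desktop\Tor Browser'   # assumed install location
$PolicyFile = Join-Path $env:TEMP 'tor-browser-applocker.xml'

# Collect hash, path and (for signed files) publisher information for every
# EXE and DLL in the install tree, including subdirectories.
$files = Get-AppLockerFileInformation -Directory $TorRoot -Recurse -FileType Exe, Dll

# Count signed vs. unsigned binaries. Unsigned files can only get hash rules
# (one per file, regenerated every release); signed files can share a single
# publisher rule per file type. Assumption: Publisher is empty when unsigned.
$signed   = @($files | Where-Object { $_.Publisher })
$unsigned = @($files | Where-Object { -not $_.Publisher })
"Signed: {0}  Unsigned (hash rules needed): {1}" -f $signed.Count, $unsigned.Count

# Prefer publisher rules and fall back to hash rules. -Optimize merges rules
# that share a publisher, so signed EXEs collapse to one rule and DLLs to another.
# No default rules are generated here, so only listed binaries will be allowed.
$policyXml = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -RuleNamePrefix 'TorBrowser' `
    -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
$policyXml | Out-File -Encoding utf8 $PolicyFile

# Dry run before deploying: list any EXE/DLL in the tree that the new policy
# would not allow (e.g. a file that is neither signed nor hashed).
Get-ChildItem -Path $TorRoot -Recurse -Include *.exe, *.dll |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }

# Review the XML first: the EnforcementMode attribute on each RuleCollection
# decides between audit-only and enforced. Then merge into the local policy,
# keeping any rules already present.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```

The signed/unsigned count is the useful diagnostic here: every unsigned binary is one more hash rule that must be regenerated for each release, while a fully signed build would reduce the whole set to the two publisher rules the comment describes.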