Opened 4 years ago

Last modified 7 months ago

#17216 new enhancement

Make Tor Browser's updater work over Hidden Services

Reported by: isis Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tor-hs, tbb-security, TorBrowserTeam201901, tbb-update
Cc: isis, asn, special, mikeperry, gk, mcs, brade, whonix-devel@…, boklm, weasel, ln5 Actual Points:
Parent ID: Points: medium
Reviewer: Sponsor:

Description

This would provide additional cover traffic for other HSes. Another proposal from the (second) HS guard discovery protections meeting at the 2015 Berlin Tor developer meeting was to only have clients check for new Tor Browser updates via some HS(es), and then do the actual download of the update over the regular non-HS mirrors.

Child Tickets

Change History (14)

comment:1 Changed 4 years ago by elypter

since updates can be a high lattency application the download process could be split in a randomized pattern and thus be more difficult to filter out of a traffic analysis.

comment:2 Changed 4 years ago by gk

Cc: gk added

Seems #10391 is now a duplicate of this one.

Last edited 4 years ago by gk (previous) (diff)

comment:3 Changed 4 years ago by gk

Cc: mcs brade whonix-devel@… added

comment:4 Changed 4 years ago by mcs

Another thing to add (from an email that was sent to tor-dev):

This is far easier to do for the Torbutton RecommendedTBBVersions fetch since the updater has special cert pinning that would need to be altered for hidden services.

comment:5 Changed 4 years ago by boklm

Cc: boklm added
Severity: Normal

comment:6 Changed 4 years ago by cypherpunks

Not an expert, but should this be postponed until prop 224 and all related HS props that are nearly complete are deployed? I know HS as it is now is still probably as secure or more than a clearnet site but would like to hear whether it is in theory safer to do so then.

comment:7 Changed 3 years ago by gk

#19927 is a duplicate.

comment:8 Changed 2 years ago by gk

#23131 is a duplicate.

comment:9 Changed 21 months ago by gk

#25078 is a duplicate.

comment:10 Changed 9 months ago by gk

Cc: weasel ln5 added
Keywords: TorBrowserTeam201901 added
Status: newneeds_information

I'd like to test this out, first in the alpha series, sooner than later. The idea would be to fetch the metadata file (update.xml) over .onion which is a pretty small file (around 1000 bytes) but *not* the full update. I am in particular concerned about TLS being the means of authenticating the contents of that xml file and think we can do better with an .onion responsible for that.

weasel, ln5: do you feel the current .onion setup for aus1 is robust enough for that test? Should we wait until we have v3 services available? Or...?

Any other concerns?

comment:11 Changed 9 months ago by gk

Keywords: tbb-updater added

comment:12 Changed 9 months ago by gk

Keywords: tbb-update added; tbb-updater removed

Renaming keyword to make it a bit broader

comment:13 in reply to:  10 Changed 9 months ago by weasel

Hi!

Replying to gk:

I'd like to test this out, first in the alpha series, sooner than later. The idea would be to fetch the metadata file (update.xml) over .onion which is a pretty small file (around 1000 bytes) but *not* the full update. I am in particular concerned about TLS being the means of authenticating the contents of that xml file and think we can do better with an .onion responsible for that.

weasel, ln5: do you feel the current .onion setup for aus1 is robust enough for that test? Should we wait until we have v3 services available? Or...?

We discussed this in Brussels a bit. It is our current consensus that the onion service providing aus1.tpo is not suitable for this purpose.

The onion service is backed by onionbalance, which appears to be unmaintained upstream and which does not support v3 onion services. Furthermore, in order for us to be comfortable relying and depending on an onion service for such an important purpose, we would want that onionbalance itself could be run in a distributed/redundant way such that we would not have any SPoFs.

Once these issues are addressed, we can reconsider the issue. For now, however, we recommend you not rely on the onion for updates.

Cheers,

comment:14 Changed 7 months ago by gk

Status: needs_informationnew
Note: See TracTickets for help on using tickets.