TBB Vagrantfile uses HTTP
In the Tor Browser Bundle's Vagrantfile, the Ubuntu 12.04 build machine base image is retrieved over plaintext HTTP. An attacker could potentially swap this out for a malicious machine image. It's a small issue, but an easy fix that'd probably set a few minds at ease.
The simple fix, of course, is to replace:
config.vm.box_url = "http://files.vagrantup.com/precise64.box"
with:
config.vm.box_url = "https://files.vagrantup.com/precise64.box"
Although this may cause a certificate error since VagrantUp is hosted on Heroku.
A better alternative would be for Tor to host this .box themselves and serve that over HTTPS/HSTS, but I don't know how feasible this is for you at this time.
Trac:
Username: miserlou
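A small Ruby check for the problem the ticket describes, added here as an example and not part of the ticket or of the Tor Browser build tooling: it scans Vagrantfile text for a plaintext-HTTP `config.vm.box_url` and for a missing `config.vm.box_download_checksum`, which is Vagrant's own option for pinning the downloaded box's digest. `audit_box_url` is a hypothetical helper name; the two sample Vagrantfiles and the checksum placeholder are constructed.

```ruby
require "uri"

# Hypothetical helper: inspect the box_url setting in Vagrantfile text and
# report whether the box is fetched over plaintext HTTP and whether a
# download checksum is pinned (config.vm.box_download_checksum).
def audit_box_url(vagrantfile_text)
  url_match = vagrantfile_text.match(/config\.vm\.box_url\s*=\s*["']([^"']+)["']/)
  return { box_url: nil, findings: ["no config.vm.box_url set"] } unless url_match

  url = URI.parse(url_match[1])
  findings = []
  if url.scheme == "http"
    findings << "box fetched over plaintext HTTP from #{url.host}: image could be swapped in transit"
  end
  unless vagrantfile_text =~ /config\.vm\.box_download_checksum\s*=/
    findings << "no config.vm.box_download_checksum set: nothing verifies the downloaded .box"
  end
  { box_url: url.to_s, findings: findings }
end

# Constructed sample: the box_url line quoted in the ticket.
INSECURE_VAGRANTFILE = <<~VF
  Vagrant.configure("2") do |config|
    config.vm.box = "precise64"
    config.vm.box_url = "http://files.vagrantup.com/precise64.box"
  end
VF

# Constructed sample: HTTPS plus a pinned checksum (digest is a placeholder).
HARDENED_VAGRANTFILE = <<~VF
  Vagrant.configure("2") do |config|
    config.vm.box = "precise64"
    config.vm.box_url = "https://files.vagrantup.com/precise64.box"
    config.vm.box_download_checksum_type = "sha256"
    config.vm.box_download_checksum = "<sha256 of the .box, placeholder>"
  end
VF

if __FILE__ == $PROGRAM_NAME
  [INSECURE_VAGRANTFILE, HARDENED_VAGRANTFILE].each do |vf|
    report = audit_box_url(vf)
    status = report[:findings].empty? ? "ok" : report[:findings].join("; ")
    puts "#{report[:box_url]}: #{status}"
  end
end
```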