Opened 2 years ago

Closed 2 years ago

#19481 closed task (fixed)

Change app.update.url to point to aus1.tpo

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam201611R
Cc: mcs, brade, boklm
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We should point to the new location for our xml files, aus1.tpo. Tor Browser 6.5 can be the target. It seems to me we can do this even earlier.

Child Tickets

Ticket | Status | Owner | Summary | Component
#20180 | closed | tpa | Pin public keys for aus1.tpo and cdn.tpo | Internal Services/Tor Sysadmin Team

Change History (14)

comment:1 Changed 2 years ago by mcs

Status: new → needs_review

Here is a patch for the browser:
https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug19481-01&id=0df39cf9448b523421db8f66d300b2586613d004

Is this all we need to do? What about key pinning for aus1.tpo and cdn.tpo?

comment:2 Changed 2 years ago by gk

Keywords: TorBrowserTeam201606R added

comment:3 in reply to: 1 Changed 2 years ago by gk

Replying to mcs:

> Here is a patch for the browser:
> https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug19481-01&id=0df39cf9448b523421db8f66d300b2586613d004
>
> Is this all we need to do? What about key pinning for aus1.tpo and cdn.tpo?

weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future.

comment:4 Changed 2 years ago by gk

Keywords: TorBrowserTeam201607R added; TorBrowserTeam201606R removed

comment:5 Changed 2 years ago by gk

Keywords: TorBrowserTeam201608R added; TorBrowserTeam201607R removed

Old reviews for the "new" month.

comment:6 Changed 2 years ago by gk

Keywords: TorBrowserTeam201609R added; TorBrowserTeam201608R removed

Moving review tickets to September

comment:7 in reply to: 3 Changed 2 years ago by yawning

Replying to gk:

> weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future.

This shouldn't be done at all till it's possible to pin the cert chain for aus1.tpo over a prolonged period of time (not the rather short 3 months imposed by the Let's Encrypt cert lifespan).

While the scope of potential problems from not doing so should be limited to adversaries withholding updates (since the MARs are signed), that feels suboptimal.

comment:8 in reply to:  7 Changed 2 years ago by gk

Replying to yawning:

> Replying to gk:
>
> > weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future.
>
> This shouldn't be done at all till it's possible to pin the cert chain for aus1.tpo over a prolonged period of time (not the rather short 3 months imposed by the Let's Encrypt cert lifespan).
>
> While the scope of potential problems from not doing so should be limited to adversaries withholding updates (since the MARs are signed), that feels suboptimal.

I've created #20180 for aus1.tpo and cdn.tpo pinning.

comment:9 Changed 2 years ago by gk

Keywords: TorBrowserTeam201610R added; TorBrowserTeam201609R removed

Moving review tickets to October.

comment:10 in reply to:  7 Changed 2 years ago by bugzilla

On topic:

> We should point to the new location for our xml files

You should check that even if you put your xml files directly on an NSA server, your updater will apply the intended updates only.

Off topic:
Replying to gk:

> weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future.

weasel AFAIK is responsible for the server side, where only HPKP is available and not used. But should?

Replying to yawning:

> This shouldn't be done at all till it's possible to pin the cert chain for aus1.tpo over a prolonged period of time (not the rather short 3 months imposed by the Let's Encrypt cert lifespan).

Usually only CA certs are pinned (on Mozilla's side too); a chain can't be pinned. If you are going to pin your 3 mo cert itself (which is best for security as it fully "breaks" PKI), then it's better to develop a strong policy for your whole infrastructure support (instead of PKI) first, or you will end up with a disaster worse than Mozilla has had recently.

> While the scope of potential problems from not doing so should be limited to adversaries withholding updates (since the MARs are signed), that feels suboptimal.

The scope of potential problems is limited to: some adversary could prevent TBB from updating (if there are no holes in the process of checking signed MARs).

comment:12 in reply to:  11 Changed 2 years ago by mcs

Replying to bugzilla:

> FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=1151485
> ESR52: https://bugzilla.mozilla.org/show_bug.cgi?id=1182352

We already removed the updater-specific cert pinning. See #17442 and #18912.

comment:13 Changed 2 years ago by gk

Keywords: TorBrowserTeam201611R added; TorBrowserTeam201610R removed

Moving review tickets to November.

comment:14 Changed 2 years ago by gk

Resolution: fixed
Status: needs_review → closed

We have HPKP for aus1.tpo now. Thus, let's try this switch in the next alpha. We might be able to get something even better before 6.5 gets stable. Commit 74af032f2b07b8106b216a240c175d163634d89d on tor-browser-45.4.0esr-6.5-1 has the fix.
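
Added example, not part of the ticket or of Tor Browser's code: a sketch of RFC 7469 (HPKP) pin handling that shows why the choice of pinned key matters with 3-month certificates, the point raised in comments 7, 10 and 14. The key blobs, header values and function names are constructed for illustration, and the leaf key is assumed to change at renewal (a pin covers the public key, so a renewed certificate that reuses its key would still match).

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Split a Public-Key-Pins header into (set of pins, max-age or None)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        # partition() splits on the first '=', so base64 padding stays in value
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256" and value:
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age

def note_pins(header: str, chain_spkis):
    """Pins a client would store (RFC 7469 noting rules), or None if ignored."""
    # Needs max-age, a pin matching the chain, and a backup pin matching nothing.
    pins, max_age = parse_pkp(header)
    chain = {spki_pin(k) for k in chain_spkis}
    if max_age is None or not (pins & chain) or not (pins - chain):
        return None
    return pins

def connection_ok(noted_pins, chain_spkis) -> bool:
    """A later connection passes if any key in its chain is pinned."""
    return any(spki_pin(k) in noted_pins for k in chain_spkis)

def header_for(*keys, max_age=5184000):
    pins = "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in keys)
    return f"{pins}; max-age={max_age}"

# Constructed stand-ins for DER SPKI blobs (not real keys or real aus1 pins).
LEAF_OLD, LEAF_NEW = b"constructed leaf key A", b"constructed leaf key B"
CA_KEY, BACKUP = b"constructed issuing CA key", b"constructed offline backup key"

if __name__ == "__main__":
    first_visit, after_renewal = [LEAF_OLD, CA_KEY], [LEAF_NEW, CA_KEY]
    for label, hdr in [("CA pin", header_for(CA_KEY, BACKUP)),
                       ("leaf pin", header_for(LEAF_OLD, BACKUP)),
                       ("no backup", header_for(CA_KEY))]:
        noted = note_pins(hdr, first_visit)
        print(label, "ignored" if noted is None else connection_ok(noted, after_renewal))
```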
