Opened 3 years ago

Last modified 5 months ago

#22809 new defect

Tor Browser does not provide red security warning for downloading executable in HTTP

Reported by: naif
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ux-team
Cc:
Actual Points:
Parent ID: #30854
Points:
Reviewer:
Sponsor: Sponsor58


This ticket is to enhance Tor Browser, which today does not provide a red security warning for downloading an executable over HTTP in clear text, which can easily be subject to MITM attacks.

Actually, there's a ticket sitting on Mozilla Firefox to implement exactly that.

The very same should apply to mixed content, where an HTTPS website serves a download of an executable from an HTTP resource.

Attached is the standard warning provided by Firefox, which does not explain to the end user how risky the download of an executable over HTTP in the clear is.

Child Tickets

Attachments (1)

Screen Shot 2017-07-04 at 11.28.28.png (435.4 KB) - added by naif 3 years ago.
Download of an executable over an insecure HTTP channel


Change History (10)

Changed 3 years ago by naif

Download of an executable over an insecure HTTP channel

comment:1 Changed 3 years ago by cypherpunks

Component: - Select a component → Applications/Tor Browser
Keywords: ux-team added
Owner: set to tbb-team

comment:2 Changed 3 years ago by arma

The best order of operations here would be for Firefox to fix its bug, and merge the fix, and then we can get the fix when we pull in a future version of Firefox.

Another option is, if there is a good patch but Firefox won't take it or it will be years until we pull in the version of Firefox that includes it, that we could apply the patch to Tor Browser directly, and maintain it until things catch up with the Firefox releases.

But I am unclear on why we should single out exe files here. In the Mozilla bug tracker, you mention rpm and deb files too. Why not tarballs also? Or docx files? Where do we draw the line?

comment:3 Changed 3 years ago by naif

As for the definition of exe, rpm or tarball files, we could probably define "any installer file that can be executed on the target machine", and that could be a list of content types and extensions.

I've been told that the Firefox UX team is very busy with the new major releases, so they are not going to work on it soon.

A good patch on Firefox from Tor Project would probably be the fastest solution, which could in turn go back to Firefox as "ready made".

That's something I'm going to bid on and look forward to supporting financially and functionally for the implementation, as I'm finding out that there is too much software being delivered over HTTP, a target of malware infection appliances, and the only way to work around it is to have the browser warn about or block those downloads (probably doing a sort of "" but for software distribution security).

Last edited 3 years ago by naif
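A sketch of the classification comment:3 describes, added here as an example and not Tor Browser or Firefox code: a download is flagged for the red warning when any hop of the fetch is plain HTTP (covering both the cleartext and the mixed-content case from the ticket description) and the file looks like an installer or executable according to an assumed extension/MIME list; the field names on the download object are also assumptions.

```javascript
// Assumed starting list of "installer file that can be executed on the target
// machine"; not a Firefox list. Extend per platform as needed.
const EXECUTABLE_EXTENSIONS = new Set([
  "exe", "msi", "dmg", "pkg", "deb", "rpm", "appimage", "sh", "bat", "ps1", "jar",
]);
const EXECUTABLE_MIME_TYPES = new Set([
  "application/x-msdownload", "application/vnd.microsoft.portable-executable",
  "application/x-executable", "application/vnd.debian.binary-package",
  "application/x-rpm", "application/x-apple-diskimage", "application/java-archive",
]);

// Prefer the server-supplied name (Content-Disposition: attachment; filename="x"),
// fall back to the last path segment of the final URL.
function filenameFromResponse(finalUrl, contentDisposition) {
  const m = /filename\*?=(?:utf-8'')?"?([^";]+)"?/i.exec(contentDisposition || "");
  if (m) return decodeURIComponent(m[1]);
  return decodeURIComponent(new URL(finalUrl).pathname.split("/").pop() || "");
}

function looksExecutable(filename, contentType) {
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  const parts = filename.toLowerCase().split(".");
  const ext = parts.length > 1 ? parts.pop() : "";
  return EXECUTABLE_EXTENSIONS.has(ext) || EXECUTABLE_MIME_TYPES.has(mime);
}

// download = { initiatorUrl, redirectChain: [first request ... final response], headers }
// (assumed shape). Returns { level, reason, filename }: "danger" is the red warning
// the ticket asks for, "notice" a non-executable cleartext download, "ok" otherwise.
function classifyDownload(download) {
  const chain = download.redirectChain.map(u => new URL(u));
  const finalUrl = download.redirectChain[download.redirectChain.length - 1];
  const filename = filenameFromResponse(finalUrl, download.headers["content-disposition"]);
  const executable = looksExecutable(filename, download.headers["content-type"]);
  // Any plain-HTTP hop (including an HTTP redirect that lands on HTTPS) lets an
  // on-path attacker swap the payload, so the whole chain has to be HTTPS.
  const cleartextHop = chain.some(u => u.protocol === "http:");
  if (!cleartextHop) return { level: "ok", reason: "all hops https", filename };
  const mixed = new URL(download.initiatorUrl).protocol === "https:";
  const reason = mixed ? "mixed content: https page, http download" : "cleartext http download";
  return { level: executable ? "danger" : "notice", reason, filename };
}
```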

comment:4 Changed 3 years ago by naif

Now the Turla APT group is exploiting, through MITM, the delivery of legitimate executable downloads over HTTP:

comment:5 Changed 2 years ago by naif

Also, Citizen Lab found that malware infection appliances are used against open-source software downloads.

It seems Mozilla and Chrome are still not doing anything :(

comment:6 Changed 17 months ago by pili

Sponsor: Sponsor27

comment:7 Changed 16 months ago by pili

Sponsor: Sponsor27

comment:8 Changed 16 months ago by pili

Parent ID: #30037

comment:9 Changed 5 months ago by antonela

Parent ID: #30037 → #30854
Sponsor: Sponsor58

Lovely. I want to work with Downloads. Subscribing to a becoming-active parent.
