#24138 needs_information defect

Older version of Tor Browser not updating

Reported by: lizzard
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Cc: boklm

Description

Version 4.5.3 (MacOS 10.12) shows that it's up to date in the About Tor Browser menu. It definitely isn't up to date.

Change History (7)

comment:1 Changed 2 years ago by lizzard

Updating through the onion button in the toolbar gives me a warning that something is trying to trick me into accepting an update.

comment:2 Changed 2 years ago by arma

Component: - Select a component → Applications/Tor Browser
Owner: set to tbb-team

comment:3 Changed 2 years ago by gk

Cc: boklm added
Status: new → needs_information

Okay, there are at least two bugs here:

1) Tor Browser should not show that it is up-to-date
2) Tor Browser should eventually update you to the latest stable release.

2) is tricky as the keys we use nowadays are not working for pretty old Tor Browser releases anymore. So what we would need is an update over several Tor Browser versions until one finally reaches the current one.

2) might involve quite some work, but I am not sure about 1). What do you think, boklm?

comment:4 Changed 2 years ago by mcs

It may be difficult to fix this now. Opening Tor Browser 4.5.3, using about:config to set app.update.log = true, and opening the Browser Console reveals that the update URL used is:

https://www.torproject.org/dist/torbrowser/update_2/release/Darwin_x86_64-gcc3/4.5.3/en-US?force=1

An update check results in this error:
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', got: 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US'.

This happens because 4.5.3 includes some built-in checks to ensure that the browser is talking to the correct update server, but unfortunately we have switched from a DigiCert issued certificate to one from Let's Encrypt. I am not sure how to avoid this problem without running a server that uses a certificate from the older CA... forever.

comment:5 in reply to: 4 Changed 2 years ago by gk

Replying to mcs:

> It may be difficult to fix this now. Opening Tor Browser 4.5.3, using about:config to set app.update.log = true, and opening the Browser Console reveals that the update URL used is:
>
> https://www.torproject.org/dist/torbrowser/update_2/release/Darwin_x86_64-gcc3/4.5.3/en-US?force=1
>
> An update check results in this error:
> Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', got: 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US'.
>
> This happens because 4.5.3 includes some built-in checks to ensure that the browser is talking to the correct update server, but unfortunately we have switched from a DigiCert issued certificate to one from Let's Encrypt. I am not sure how to avoid this problem without running a server that uses a certificate from the older CA... forever.

So, 2) is even worse than I assumed without checking, *sigh*. But there is still 1). Could we do something about the false feedback in the About Tor Browser menu?

comment:6 Changed 2 years ago by tom

Sorry to be a nag, but are you certain that this won't happen in the future under similar circumstances?

To address pinned cert rollover, most browsers will not enforce pins N months after the build date of the browser.

To address the 'several version update' FF does just that. We will tag watershed releases that all users must update through. So if you're on firefox 20 you may have to upgrade through (hypothetical example) 20 -> 28 -> 35 -> 42 -> 50 -> 56. Watersheds aren't planned, they just occur when they're necessary for things like mandatory SSE2 support, signing key rollover, etc.
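The two mitigations tom describes, a pin that stops being enforced some months after the build date and a watershed update chain, as an added example in plain JavaScript. This is not Tor Browser or Firefox code; the 12-month window, the dates and the watershed version numbers are assumptions for illustration, and only the two issuer strings come from comment:4.

```javascript
// Added example, not Tor Browser or Firefox code. Models two mitigations from the
// thread: an update-server issuer pin enforced only for pinMonths after the build
// date, and a watershed update chain that old clients must step through.

// Issuer strings quoted in comment:4 (constructed sample input).
const PINNED_ISSUER = "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US";
const OBSERVED_ISSUER = "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US";

// Whole months elapsed between two dates (UTC), rounding down.
function monthsBetween(from, to) {
  let months = (to.getUTCFullYear() - from.getUTCFullYear()) * 12
             + (to.getUTCMonth() - from.getUTCMonth());
  if (to.getUTCDate() < from.getUTCDate()) months -= 1;
  return months;
}

// Decide whether the update server's certificate passes the pin check.
// While the build is younger than pinMonths the issuer must match exactly; after
// that the pin is ignored and ordinary TLS validation (assumed to be done by the
// caller) protects the connection, so a CA switch no longer strands old builds.
function checkUpdateCert({ issuerName, pinnedIssuer, buildDate, now, pinMonths }) {
  if (monthsBetween(buildDate, now) >= pinMonths) {
    return { ok: true, reason: "pin-expired" };
  }
  if (issuerName === pinnedIssuer) return { ok: true, reason: "pin-match" };
  return { ok: false, reason: "issuer-mismatch" };
}

// Compare dotted version strings numerically, so "4.5.3" sorts before "4.10".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Watershed chain: every watershed newer than the current version (and not newer
// than the latest release) is stepped through in order, then the latest release
// itself if it is newer than the last watershed.
function updatePath(current, watersheds, latest) {
  const steps = watersheds
    .filter(w => compareVersions(w, current) > 0 && compareVersions(w, latest) <= 0)
    .sort(compareVersions);
  const last = steps.length ? steps[steps.length - 1] : current;
  if (compareVersions(latest, last) > 0) steps.push(latest);
  return steps;
}
```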

comment:7 Changed 2 years ago by gk

Just one data point: Tor Browser 5.5 (which got released almost two years ago) still updates to 7.0.9. Tor Browser 5.0, however, is already broken.
