Tor Browser should eventually update you to the latest stable release.
is tricky as the keys we use nowadays are not working for pretty old Tor Browser releases anymore. So what we would need is an update over several Tor Browser versions until one finally reaches the current one.
Might involve quite some work but I am not sure about 1). What do you think boklm?
Trac: Cc: N/A to boklm; Status: new to needs_information
An update check results in this error:
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', got: 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US'.
This happens because 4.5.3 includes some built-in checks to ensure that the browser is talking to the correct update server, but unfortunately we have switched from a DigiCert issued certificate to one from Let's Encrypt. I am not sure how to avoid this problem without running a server that uses a certificate from the older CA... forever.
So, 2) is even worse than I assumed without checking, sigh. But there is still 1). Could we do something about the false feedback in the About Tor Browser menu?
Sorry to be a nag, but are you certain that this won't happen in the future under similar circumstances?
To address pinned cert rollover, most browsers will not enforce pins N months after the build date of the browser.
To address the 'several version update', FF does just that. We will tag watershed releases that all users must update through. So if you're on Firefox 20 you may have to upgrade through (hypothetical example) 20 -> 28 -> 35 -> 42 -> 50 -> 56. Watersheds aren't planned, they just occur when they're necessary for things like mandatory SSE2 support, signing key rollover, etc.
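The pin expiry described in the comment above, sketched as an added example (not code from Tor Browser or Firefox). The function names, the 12-month window and the dates are assumptions; the issuer strings are the two from the error message in this ticket.

```javascript
// Added example: models the accept/reject decision only, no TLS or network code.
const PINNED_ISSUER =
  "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US";
const NEW_ISSUER = "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US";

// Whole calendar months between two dates (UTC), never negative.
function monthsBetween(from, to) {
  const months =
    (to.getUTCFullYear() - from.getUTCFullYear()) * 12 +
    (to.getUTCMonth() - from.getUTCMonth()) -
    (to.getUTCDate() < from.getUTCDate() ? 1 : 0);
  return Math.max(0, months);
}

// chainValid: result of ordinary certificate validation, performed elsewhere.
// pinMaxAgeMonths: the "N months" from the comment; its value is an assumption.
function checkUpdateServer({ issuerName, chainValid }, buildDate, now, pinMaxAgeMonths) {
  if (!chainValid) {
    return { accept: false, pinEnforced: false, reason: "chain validation failed" };
  }
  // A clock set before the build date yields age 0, so the pin stays enforced.
  // A clock set far ahead drops the pin; chain validation above still applies.
  const pinEnforced = monthsBetween(buildDate, now) < pinMaxAgeMonths;
  if (!pinEnforced) {
    return { accept: true, pinEnforced, reason: "pin expired, chain validation only" };
  }
  if (issuerName !== PINNED_ISSUER) {
    return { accept: false, pinEnforced, reason: "issuerName mismatch" };
  }
  return { accept: true, pinEnforced, reason: "pin matched" };
}

// Constructed dates, not the real build date of any release.
const BUILD = new Date(Date.UTC(2015, 5, 1));
const server = { issuerName: NEW_ISSUER, chainValid: true };
console.log(checkUpdateServer(server, BUILD, new Date(Date.UTC(2015, 8, 1)), 12));
console.log(checkUpdateServer(server, BUILD, new Date(Date.UTC(2017, 5, 1)), 12));
```

The first call reproduces the rejection reported in this ticket; the second shows the same server being accepted once the build is older than the pin window.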