Opened 14 months ago

Last modified 9 months ago

#26212 needs_information enhancement

Use digital signature verification to prevent modification of omni.ja

Reported by: indigotime Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Since omni.ja is an ordinary zip archive, anyone can easily inject a backdoor into it and redistribute a modified version of Tor Browser. So, it is necessary to use a digital signature to prevent modification of both omni.ja files.

Child Tickets

Change History (5)

comment:1 Changed 14 months ago by indigotime

Summary: Use digital signature to prevent modification of omni.ja → Use digital signature verification to prevent modification of omni.ja

comment:2 Changed 14 months ago by Dbryrtfbcbhgf

Severity: Major → Normal

omni.ja is contained inside the signed torbrowser.app; if it is modified, then the PGP signature will become invalid.

comment:3 Changed 14 months ago by teor

For some operating systems, like macOS, the entire application directory is covered by the digital signature on the application (not the downloaded dmg file, which has a separate signature). So if any file is modified, the application will fail to launch.

comment:4 in reply to: description; Changed 14 months ago by gk

Status: new → needs_information

Replying to indigotime:

Since omni.ja is an ordinary zip archive, anyone can easily inject a backdoor into it and redistribute a modified version of Tor Browser. So, it is necessary to use a digital signature to prevent modification of both omni.ja files.

Could you explain a bit more your attack scenario? It seems you are not worried about some attacker modifying the omni.ja files *locally* so that users on that system execute malware. Rather you seem to be worried about an attacker taking one of our bundles (e.g. the Linux one), extracting the omni.ja files, inserting a backdoor and then redistributing that as Tor Browser? Is that reading of your bug report correct?

If so, what prevents anyone from just stripping that signature before modifying both files (or just one of them)? And why just the omni.ja files, because the Firefox binary or any library could get corrupted as well, serving malware? And as a side-effect: messing with those files will invalidate the GPG signature.

So, I am not seeing how we win anything by deploying some elaborate signature scheme for omni.ja files.

comment:5 in reply to: 4; Changed 9 months ago by indigotime

Replying to gk:

Rather you seem to be worried about an attacker taking one of our bundles (e.g. the Linux one), extracting the omni.ja files, inserting a backdoor and then redistributing that as Tor Browser? Is that reading of your bug report correct?

Yes, that reading of my bug report is correct.

And why just the omni.ja files, because the Firefox binary or any library could get corrupted as well, serving malware?

1) It's easier to modify omni.ja JavaScript modules than to patch binaries/DLLs.
2) For antivirus scanners, it's easier to detect malware in binary files.
But you're right, DLL signatures should also be verified at Tor Browser startup.

And as a side-effect: messing with those files will invalidate the GPG signature.

I assume that many Tor Browser users are often ignorant about GPG signatures, and I don't see any way to make them verify those signatures.

So, I am not seeing how we win anything by deploying some elaborate signature scheme for omni.ja files.

We can't protect the Tor Browser executable from modification, but we can make modification of Tor Browser files harder.
