Opened 7 years ago

Closed 7 years ago

#5092 closed defect (fixed)

Sign Torbutton XPI updates

Reported by: cypherpunks
Owned by: mikeperry
Priority: High
Milestone: TorBrowserBundle 2.3.x-stable
Component: TorBrowserButton
Version:
Severity:
Keywords: MikePerry201205
Cc: g.koppen@…
Actual Points: 6
Parent ID:
Points: 2
Reviewer:
Sponsor:

Description

"Disable updates during Tor usage" is enabled by default. Does Firefox check the certificate signature of AMO or can this update be subverted by MITM via rogue CA (which is a realistic concern for Tor's threat model)?

Secondly, is it a good idea to trust AMO infrastructure and upstream developers or shouldn't we first review the addon updates before deploying to TBB users via updates signed by Torproject?

Usually this only concerns NoScript updates, which happen frequently but are never really high priority.

Eventually there'll be an autoupdate for the whole TBB anyway (so I heard).

Change History (7)

comment:1 Changed 7 years ago by cypherpunks

Priority: changed from normal to critical

Critical because, if this is true, this enables (as in "definitely enables") remote arbitrary code execution for state-level or similar adversaries.

comment:2 Changed 7 years ago by mikeperry

Component: changed from Torbutton to TorBrowserButton
Milestone: TorBrowserBundle 2.3.x-stable
Priority: changed from critical to major
Summary: changed from '"Disable updates during Tor usage" by default (AMO/Addons)' to 'Sign Torbutton XPI updates'

Mozilla does some half-assed cert pinning for AMO, so NoScript is covered (sort of).

We should probably also be signing the Torbutton xpi/rdf, though, as it does not use AMO.

The https-everywhere xpi+rdf already is signed, afaik.

comment:3 Changed 7 years ago by mikeperry

See also #3555. I think we want to just sign the xpi though.

comment:4 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:5 Changed 7 years ago by mikeperry

Keywords: MikePerry201205 added
Points: 2

comment:7 Changed 7 years ago by mikeperry

Actual Points: 6
Resolution: fixed
Status: changed from new to closed

This was a huge pain, but it's now done and documented in README.RELEASE. It is an offline process.