Opened 5 years ago

Closed 4 years ago

#8645 closed defect (fixed)

Pluggable transports bundles warn of need to upgrade when no new version is yet available

Reported by: dcf
Owned by: asn
Priority: Medium
Milestone:
Component: Obfuscation/Pluggable transport
Version:
Severity:
Keywords: flashproxy
Cc: asn, aallai, adrelanos@…, micahlee
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Say there is a TBB and corresponding PT bundle both with version number X.Y.Z-alpha-1. https://check.torproject.org/RecommendedTBBVersions will say:

[
/* ... stable bundles ... */
"X.Y.Z-alpha-1-MacOS",
"X.Y.Z-alpha-1-Windows",
"X.Y.Z-alpha-1-Linux"
]

When the X.Y.Z-alpha-2 TBB is released, the file changes to

[
/* ... stable bundles ... */
"X.Y.Z-alpha-2-MacOS",
"X.Y.Z-alpha-2-Windows",
"X.Y.Z-alpha-2-Linux"
]

If we haven't built new corresponding PT bundles yet, those will still have the old version number X.Y.Z-alpha-1, and users will get a blinking Tor button telling them to upgrade. However, no upgrade exists for them yet.

Change History (10)

comment:1 Changed 5 years ago by dcf

Lunar proposes putting separate lines with independent version numbers for PT bundles in RecommendedTBBVersions. Using a naming convention from #8644, if the X.Y.Z-alpha-1-pt1 PT bundle is still safe to use, the file might look like

[
/* ... stable bundles ... */
"X.Y.Z-alpha-2-MacOS",
"X.Y.Z-alpha-2-Windows",
"X.Y.Z-alpha-2-Linux",
"X.Y.Z-alpha-1-pt1-MacOS",
"X.Y.Z-alpha-1-pt1-Windows",
"X.Y.Z-alpha-1-pt1-Linux"
]

What to do if the old PT bundle is not safe to use (i.e., if TBB was updated because of a security vulnerability) is another question. We want to alert the user somehow, with a message other than "Download new version." I think it might be nice to have separate switches for "this version is safe to use" and "there is a newer version." This may not fit how RecommendedTBBVersions works, however.
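
The check discussed in the description and in comment:1, as an added example that is not part of the original ticket and is not Torbutton's or check.torproject.org's code. It assumes the client warns whenever its own version string is not literally present in the list; the function names are hypothetical and the version strings are the ticket's placeholders.

```javascript
// Added example. Assumption: the client warns whenever its own version
// string is not literally present in RecommendedTBBVersions.
function parseRecommended(text) {
  // The file is a JSON array that may contain /* ... */ comments.
  const list = JSON.parse(text.replace(/\/\*[\s\S]*?\*\//g, ""));
  if (!Array.isArray(list) || !list.every((v) => typeof v === "string")) {
    throw new Error("expected an array of version strings");
  }
  return new Set(list);
}

function needsUpgradeWarning(recommendedText, installed) {
  return !parseRecommended(recommendedText).has(installed);
}

// Builds a file in the ticket's format from version prefixes (constructed input).
function makeFile(versions) {
  const lines = versions.flatMap((v) =>
    ["MacOS", "Windows", "Linux"].map((os) => `"${v}-${os}"`));
  return `[\n/* ... stable bundles ... */\n${lines.join(",\n")}\n]`;
}

const BEFORE = makeFile(["X.Y.Z-alpha-1"]);
const AFTER = makeFile(["X.Y.Z-alpha-2"]);
const PROPOSED = makeFile(["X.Y.Z-alpha-2", "X.Y.Z-alpha-1-pt1"]);

function scenario() {
  return {
    // PT bundle shares the TBB version string: fine until alpha-2 ships.
    ptBeforeRelease: needsUpgradeWarning(BEFORE, "X.Y.Z-alpha-1-Linux"),
    // After alpha-2 ships the PT bundle is warned, but no new PT bundle exists.
    ptAfterRelease: needsUpgradeWarning(AFTER, "X.Y.Z-alpha-1-Linux"),
    // With its own -pt1 line the PT bundle is no longer warned...
    ptWithOwnLine: needsUpgradeWarning(PROPOSED, "X.Y.Z-alpha-1-pt1-Linux"),
    // ...while an outdated plain TBB still is.
    oldTbbWithOwnLine: needsUpgradeWarning(PROPOSED, "X.Y.Z-alpha-1-Linux"),
  };
}

console.log(scenario());
```

A single membership test cannot tell "a newer version exists" apart from "this version is unsafe", which is the limitation comment:1 raises.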

comment:2 in reply to:  1 Changed 5 years ago by asn

It seems to me that if we (Erinn?) start making PT bundles along with normal TBBs this issue will be autosolved. If we can start doing so soon, it will probably be a better solution than hacking torcheck.

I think that torcheck is a component that is hard to upgrade; for example, aagbsn hacked up a new torcheck a year ago (https://github.com/aagbsn/TorCheck), but we still have the same torcheck in check.tpo. I would prefer not to mess with torcheck.

comment:3 Changed 5 years ago by matt

It appears that Tor Pluggable Transports Bundle 2.4.11-alpha-2-dev is just Tor Pluggable Transports Bundle 2.4.11-alpha-1-dev renamed. I confirmed this for gnu-linux-i686, gnu-linux-x86_64, and windows.

```
md5sum tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-2-dev-en-US.tar.gz
a9737183ecaea2f4c1aa71abffc71de5 tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-2-dev-en-US.tar.gz
```

and

```
md5sum tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-1-dev-en-US.tar.gz
a9737183ecaea2f4c1aa71abffc71de5 tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-1-dev-en-US.tar.gz
```

comment:4 in reply to:  3 Changed 5 years ago by aallai

We did just rename the windows/linux bundles for alpha-2; the release was meant to fix a problem in the OSX bundles.

Replying to matt:

It appears that Tor Pluggable Transports Bundle 2.4.11-alpha-2-dev is just Tor Pluggable Transports Bundle 2.4.11-alpha-1-dev renamed. I confirmed this for gnu-linux-i686, gnu-linux-x86_64, and windows.

```
md5sum tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-2-dev-en-US.tar.gz
a9737183ecaea2f4c1aa71abffc71de5 tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-2-dev-en-US.tar.gz
```

and

```
md5sum tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-1-dev-en-US.tar.gz
a9737183ecaea2f4c1aa71abffc71de5 tor-pluggable-transports-browser-gnu-linux-i686-2.4.11-alpha-1-dev-en-US.tar.gz
```

comment:5 Changed 5 years ago by proper

Cc: adrelanos@… added

It seems to me that if we (Erinn?) start making PT bundles along with normal TBBs this issue will be autosolved. If we can start doing so soon, it will probably be a better solution than hacking torcheck.

Once #6009 git is implemented, you won't need separate pt bundles anymore?

However, there may be situations where pt users need an update while non-pt users don't. This shouldn't be a problem with the alpha version.

Will there ever be stable pt builds?

comment:6 Changed 5 years ago by micahlee

Cc: micahlee added

I've been working on Tor Browser Launcher, a program that downloads the latest Tor Browser, verifies signatures, installs, and launches it, as well as keeps it up-to-date.

I've recently added a settings dialog that lets users choose if they want the stable or alpha version, and I would love to add the pluggable transports bundle to that list too. But I can't until there's a reliable way to check for the latest Obfsproxy TBB version.

Here's the related Tor Browser Launcher bug: https://check.torproject.org/RecommendedTBBVersions

Is there a timeline for getting this fixed?

comment:7 in reply to:  6 Changed 5 years ago by micahlee

Replying to micahlee:

Here's the related Tor Browser Launcher bug: https://check.torproject.org/RecommendedTBBVersions

Oops, here's the real related bug: https://github.com/micahflee/torbrowser-launcher/issues/38

comment:8 in reply to:  6 Changed 5 years ago by dcf

Replying to micahlee:

I've recently added a settings dialog that lets users choose if they want the stable or alpha version, and I would love to add the pluggable transports bundle to that list too. But I can't until there's a reliable way to check for the latest Obfsproxy TBB version.

Is there a timeline for getting this fixed?

I don't think you should count on the pluggable transports version number ever appearing in RecommendedTBBVersions. Making releases is already difficult enough and involves a lot of people; adding even more version numbers makes maintenance that much harder.

You might have luck scraping https://www.torproject.org/projects/obfsproxy.html.en#download. Even that is wrong at the moment; the Windows link is broken per #8804.

The existence of a separate pluggable transports bundle is temporary. #8019 is about moving pluggable transports into the normal TBB.

comment:9 Changed 5 years ago by micahlee

Thanks, dcf. I don't want to have to scrape HTML to figure out a version number :) -- so I think in that case the best bet is just waiting until #8019 is finished and not offering the pluggable transports bundle as an option in TBL.

comment:10 Changed 4 years ago by dcf

Resolution: fixed
Status: new → closed

Pluggable transports are now part of the normal bundle.
https://blog.torproject.org/blog/tor-browser-36-beta-1-released
