Opened 6 years ago

Closed 6 years ago

#9931 closed defect (fixed)

Securing the integrity of downloads from the Tor/Tails website

Reported by: tolodof
Owned by:
Priority: High
Milestone:
Component: Webpages/Website
Version: Tor: unspecified
Severity:
Keywords: SSL, MITM, Verifying, Download, Website
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently when downloading Tor or Tails from the website, we are advised to download a signature file to verify the integrity of the download. As the website acknowledges though, despite using SSL this provides no protection against a MITM attack, meaning that both the program and signature downloads could be compromised.

This same problem applies to downloading the programs necessary to verify the signature is correct, such as gpg4win, whose website doesn't even use SSL.

However, as explained here https://www.grc.com/fingerprints.htm, I believe there is a solution to this problem, namely using an Extended Validation certificate for the Tor/Tails website. Because these certificates are embedded in Firefox and Chrome and thus are not vulnerable to being tampered with, as certs in an external store are, these browsers can indicate when an SSL connection is using one of these certs and assure the user that when visiting the site, they are not subject to a MITM attack.

Therefore, the user can be certain that when downloading the program and signature from the Tor/Tails website, it is in fact being downloaded from there and nowhere else. I think to complete the circle, it would be necessary to host whatever program is needed to verify the signature on the Tor website as well and not have this downloaded from an external website, which even if it uses SSL could expose the user to a MITM attack and result in them downloading a compromised version of the verification program. The MD5 Reborned addon for Firefox https://addons.mozilla.org/en-US/firefox/addon/md5-reborned-hasher/ does at least download from a site using an EV cert, so users can be sure they're not subject to a MITM attack when downloading that, but you are still relying on this website not being hacked and the download being replaced with a compromised one. I guess the dev-team are best placed to decide whether any such breach would be publicised immediately by Mozilla, allowing users to protect themselves, or if it would be better to host all downloads on the Tor website.

There would of course still be the chance that the Tor web server could be hacked and the program/signature downloads replaced with compromised ones, but I'm sure this would be caught fairly soon, whereas a MITM attack could result in users relying on compromised versions of the software for a long time without any idea.


Change History (2)

comment:1 Changed 6 years ago by tolodof

Does no-one else share my concern about this fundamental security gap?

comment:2 Changed 6 years ago by cypherpunks

Resolution: fixed
Status: new → closed

@tolodof

Kindly review https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org

You'll notice that the Tor Project's EXCELLENT cryptography implementation is more secure than just about any other software updating/downloading channel you'll find on the internet, with support for TLS 1.2 and forward secrecy in many browsers. Yes, there are a few small changes that could be made, but most if not all would break functionality/compatibility for some users.

Contrast that with update and add-on checking functionality you mentioned in Firefox, which still isn't configured to allow TLS 1.2 by default and which the relevant Mozilla servers can't even support anyway: https://browserprivacy.wordpress.com/2013/11/19/requiring-better-cryptography-in-firefox-and-thunderbird-breaks-update-functionality/

Perhaps something like NSA's Quantum Insertion or a few lesser-known MITM attacks are still theoretically possible, but the bottom line is that downloading a signed copy of Tor from The Tor Project's server can be considerably more secure--if you use the right tools, practices, etc.--than Firefox.

If you're still not convinced, download the data through another network (e.g. Tor) with a different computer and network configuration and then compare the binaries and signatures. I'm willing to bet they'll be identical in your case.
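The cross-check suggested in comment:2, as an added example that is not part of the original ticket or of any Tor Project tooling: it compares same-named files from two download directories fetched over different network paths by SHA-256. The directory names, file names and file contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_fetches(dir_a, dir_b):
    """Compare same-named files from two independent downloads.

    Returns {name: status}; status is 'match', 'MISMATCH',
    'only in A' or 'only in B'.
    """
    a = {p.name: p for p in Path(dir_a).iterdir() if p.is_file()}
    b = {p.name: p for p in Path(dir_b).iterdir() if p.is_file()}
    report = {}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report[name] = "only in A"
        elif name not in a:
            report[name] = "only in B"
        elif sha256_file(a[name]) == sha256_file(b[name]):
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report

def demo():
    """Constructed sample: two fetch directories, one altered installer."""
    with tempfile.TemporaryDirectory() as root:
        direct, via_tor = Path(root, "direct"), Path(root, "via_tor")
        for d in (direct, via_tor):
            d.mkdir()
            (d / "bundle.exe.asc").write_bytes(b"constructed signature bytes")
        (direct / "bundle.exe").write_bytes(b"constructed installer bytes")
        (via_tor / "bundle.exe").write_bytes(b"constructed installer bytes!")
        return compare_fetches(direct, via_tor)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

Matching digests show only that both network paths delivered the same bytes; the signature check is still what ties those bytes to the signing key.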

