[Pkg-privacy-commits] [torbrowser-launcher] 249/476: added security design doc

Ximin Luo infinity0 at moszumanska.debian.org
Sat Aug 22 13:21:42 UTC 2015


This is an automated email from the git hooks/post-receive script.

infinity0 pushed a commit to branch debian
in repository torbrowser-launcher.

commit fc9fa1f85a387b986469c7a12f7f0d82cf66136c
Author: Micah Lee <micah at micahflee.com>
Date:   Thu Jul 17 13:30:37 2014 -0700

    added security design doc
---
 README.md          |  2 ++
 security_design.md | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/README.md b/README.md
index ba931b4..e16610c 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,8 @@ Tor Browser Launcher is intended to make the Tor Browser Bundle (TBB) easier to
 
 If you use Ubuntu, you can install it now from my PPA (see "Installing in Ubuntu" below). [Soon](https://github.com/micahflee/torbrowser-launcher/issues/31) it will be in Debian. To install it in any other distribution, follow the "Quick Start" instructions.
 
+You might want to check out the [security design doc](/security_design.md).
+
 ## Quick Start
 
 First, clone the repository:
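Review bot: the added README link uses a root-relative path (`/security_design.md`), which resolves on GitHub's renderer but not when the README is read from a local checkout or a packaged copy; a relative link (`[security design doc](security_design.md)`) works in both places.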
diff --git a/security_design.md b/security_design.md
new file mode 100644
index 0000000..95c0ac6
--- /dev/null
+++ b/security_design.md
@@ -0,0 +1,25 @@
+# Tor Browser Launcher Security Design
+
+This document could be improved. At the moment it's copy/pasted verbatum from a post to the [debian bug tracker](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752275).
+
+## TLS/x.509 security
+
+torbrowser-launcher doesn't rely on the CA infrastructure. The only TLS it does is make HTTPS requests to check.torproject.org and (if you haven't set a mirror) www.torproject.org. When it connects to these hostnames, it uses a hardcoded certificate. So none of the TLS PKI issues apply at all here.
+
+(And I took extra measures to make sure the .pem included with torbrowser-launcher is valid. I downloaded the cert from several different internet connections/ISPs and compared, and when I had one I thought was correct I sought out Tor devs to verify I was including the right one and not a malicious one.)
+
+## Downgrade attacks
+
+Downgrade attacks shouldn't be possible, unless they're committed by Tor devs themselves. If an attacker captures a valid old request to https://check.torproject.org/RecommendedTBBVersions that claims that the current version is an older version than what's currently installed, torbrowser-launcher prevents it from installing. (And by "installing" I mean extracting to the user's home dir.)
+
+However, there is the scenereo where the user has set a third-party mirror to download from instead of the default. The third-party mirror could serve a tarball and sig that have filenames of the latest version, but are actually an older version. This attack is mitigated by the fact that all mirror options use HTTPS -- though none of the mirror certs are pinned, so in this case it would rely on CA infrastructure. This is an edge case, and would only work against users who are using a non [...]
+
+## Installing Tor Browser system-wide
+
+You cannot install Tor Browser system-wide. It's released by the Tor Project as a bundle. There's a lot of code in there that specifically prevents it from touching any other files outside of it's own directory. All files need to be owned by current user, and it's designed to be runnable off of a USB stick. A long time ago I put a bunch of work into tearing apart the "bundle"-ness of TBB to make it installable systemwide, and concluded it wasn't practical without the Tor devs releasing i [...]
+
+## What secret keys/access attackers need to succeed
+
+Yes, attackers that 1) have access to the trusted keys included with torbrowser-launcher and 2) have access to modify files on https://www.torproject.org/ or have access to its TLS key are able to get arbitrary code exec as the current user when they open Tor Browser.  This may or may not include any of the Tor devs whose keys are included.
+
+But like Holger said above, this is a feature, not a bug. This is the whole purpose of torbrowser-launcher, so users can automatically install TBB updates that are signed by Tor devs.
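Review bot: the new document has a few spelling errors worth fixing before it is linked from the README ("verbatum" should be "verbatim", "scenereo" should be "scenario", and "it's own directory" should be "its own directory"), and the TLS section overstates its case: it says "none of the TLS PKI issues apply at all here", but the downgrade section then acknowledges that third-party mirror downloads are not pinned and so "would rely on CA infrastructure". Suggest qualifying the first statement to the default check.torproject.org/www.torproject.org path only, and noting next to the hardcoded .pem that a certificate rotation on those hosts will require a launcher update, since the pinned certificate is the only thing authenticating the version check.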

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git