[Pkg-privacy-maintainers] Bug#845989: Bug#845989: browser can't be downloaded because of invalid SSL certificate

Antoine Beaupré anarcat at debian.org
Sun Nov 27 15:11:06 UTC 2016


On 2016-11-27 09:30:21, Mikhail Kshevetskiy wrote:
> Package: torbrowser-launcher
> Version: 0.2.6-2
> Severity: grave
> Tags: upstream
>
> Trying to start torbrowser for the first time produces the following message
>
>     The SSL certificate served by https://www.torproject.org is invalid!
>     You may be under attack.
>
> After that the program terminates. Running it from a terminal results in the
> following console output:
>
> Tor Browser Launcher
> By Micah Lee, licensed under MIT
> version 0.2.6
> https://github.com/micahflee/torbrowser-launcher
> Downloading over Tor
> Downloading and installing Tor Browser for the first time.
> Downloading https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US
> Download error: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]>] <class 'twisted.web._newclient.ResponseNeverReceived'>

I have seen a similar error recently, restarted the browser, and it
went away.

This could potentially be a hostile exit node doing SSL interception.

Workaround: restart the browser.

Fix: use a hidden service for dist.torproject.org

Optionally: identify the exit node and take it down

-- 
My passionate sense of social justice and social responsibility has
always contrasted oddly with my pronounced lack of need for direct
contact with other human beings and communities. I am truly a "lone
traveler" and have never belonged to my country, my home, my friends,
or even my immediate family, with my whole heart; in the face of all
these ties, I have never lost a sense of distance and a need for
solitude.
                       - Albert Einstein


