[Pkg-privacy-maintainers] Bug#845989: Bug#845989: browser can't be downloaded because of invalid SSL certificate

Antoine Beaupré anarcat at debian.org
Sun Nov 27 15:11:06 UTC 2016

On 2016-11-27 09:30:21, Mikhail Kshevetskiy wrote:
> Package: torbrowser-launcher
> Version: 0.2.6-2
> Severity: grave
> Tags: upstream
> Trying to start torbrowser for the first time produces the following message
>     The SSL certificate served by https://www.torproject.org is invalid!
>     You may be under attack.
> After that the program terminates. Running it from terminal results in the
> following console output:
> Tor Browser Launcher
> By Micah Lee, licensed under MIT
> version 0.2.6
> https://github.com/micahflee/torbrowser-launcher
> Downloading over Tor
> Downloading and installing Tor Browser for the first time.
> Downloading https://dist.torproject.org/torbrowser/update_2/release/Linux_x86_64-gcc3/x/en-US
> Download error: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]>] <class 'twisted.web._newclient.ResponseNeverReceived'>

I have seen a similar error recently, restarted the browser, and it
went away.

This could potentially be a hostile exit node doing SSL interception.

Workaround: restart the browser.

Fix: use a hidden service for dist.torproject.org

Optionally: identify the exit node and take it down

My passionate sense of social justice and social responsibility has
always contrasted oddly with my pronounced lack of need for direct
contact with other human beings and communities. I am truly a "lone
traveler" and have never belonged to my country, my home, my friends,
or even my immediate family, with my whole heart; in the face of all
these ties, I have never lost a sense of distance and a need for
                       - Albert Einstein
