[Pkg-privacy-maintainers] Bug#845989: Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

Antoine Beaupré anarcat at debian.org
Sun Nov 27 15:39:16 UTC 2016

Control: reopen 845989
Control: forwarded 845989 https://github.com/micahflee/torbrowser-launcher/issues/254

On 2016-11-27 09:54:06, Holger Levsen wrote:
> thanks for your bug report, but I fear…
> On Sun, Nov 27, 2016 at 05:30:21PM +0300, Mikhail Kshevetskiy wrote:
>> Trying to start torbrowser for the first time produce the following message
>>     The SSL certificate served by https://www.torproject.org is invalid!
>>     You may be under attack.
> … you've been attacked.

I beg to disagree. I doubt that M. Kshevetskiy has been, in this case,
individually targeted for attack.

That is not how tor works: if he was able to build a circuit (which
seems to be the case here), then the exit node is not supposed to know
who he is, unless the tor network is compromised in a novel way, or some
very powerful actor is running a correlation attack.

I think it is more likely that it is a transient error that is due to a
compromised exit node.

> https://jenkins.debian.net/view/torbrowser/job/torbrowser-launcher_test_on_unstable_amd64/429/console
> was just run successfully, showing no signs of an invalid certificate.
> https://jenkins.debian.net/view/torbrowser/job/torbrowser-launcher_test_on_unstable_amd64/429
> has screenshots and a video too.
> That test was done 10min ago.

Just because the tests passed on CI don't mean everything is fine. I
have experienced this bug as well, and it is a transient error:
restarting the tor browser fixed the issue for me.

> Closing as not a bug.

I am reopening this bug. It has been forwarded upstream, where I have
brought more suggestions on how to improve the user experience here.


Be who you are and say what you feel
Because those who mind don't matter
And those who matter don't mind.
                         - Dr. Seuss

More information about the Pkg-privacy-maintainers mailing list