On 4/19/15 1:44 PM, sajolida wrote:
...
The more precise question that I would like to consult you about is
regarding the threats that could arise **from inside the browser** and
that could corrupt the verification mechanism or fool the user.

Mark and I do not have a lot of expertise in threat modeling even though we maintain the Tor Browser updater implementation.

So far, the browser updater is based on the Firefox model for secure updates, with one addition: starting in Tor Browser 4.5, we require on all platforms that the MAR files that contain file update data have digital signatures. Mozilla currently only requires signatures on the Windows platform, although they are actively working to require them on all platforms. We also pin the torproject.org certificates inside Tor Browser to guard against spoofing of the update meta information, which is downloaded via https.

Future plans for the Tor Browser updater include consulting the Tor consensus to verify updates; see https://trac.torproject.org/projects/tor/ticket/10393

Regarding your planned architecture, it is important to remember that other extensions running inside Firefox have the capability to override functionality throughout the browser and in other add-ons such as your ISO verification extension. On the other hand, absent a bug in Firefox or Tor Browser, other web pages should not be able to interfere.

-- Kathy Brade
-- Pearl Crescent, LLC
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
[email protected].