#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by arma):

 I've heard a variety of proposed ideas for how to make things better. In
 an attempt to organize my thoughts, here they are:

 Option 1: make pinning never expire (i.e. do this ticket). The upside is
 that old Tor Browser users never have to worry about becoming surprisingly
 vulnerable. The downside is that we can't ever change our CA, or people
 with old browsers will be pinned to the wrong CA and will fail to do
 updates. That seems like a pretty big downside, since one day our CA is
 going to have problems and we'll want to switch.

 Option 2: Disable noscript updates between releases. That is, put a
 version of Noscript into Tor Browser when we build Tor Browser, and then
 people stick with that version until the next Tor Browser. (If I
 understand correctly, the only two extensions in Tor Browser that want to
 update themselves are noscript and https-everywhere, and https-everywhere
 uses the updateKey signature mechanism to check its own updates, so we are
 not as worried about it.) The upside of this option is that Tor Browser
 users are no longer vulnerable to today's attack, and in fact they are no
 longer vulnerable to malicious updates by a *real* addons.m.o. That's a
 pretty big upside. The downside is that the Tor Browser folks would need
 to track noscript updates for security issues, and put out a new Tor
 Browser release as needed. That could potentially be a lot more releases.

 Option 3: Convince the noscript maintainer to adopt the updateKey
 signature mechanism. Then nobody is at the mercy of addons.m.o (not the
 key pinning issue and not the malicious updates issue). But I hear that
 apparently updateKey isn't compatible with addons.m.o -- meaning if you
 use addons.m.o then you are forced to rely on their transport security for
 your updates. So for this option I guess we encourage the noscript
 maintainer to both adopt the updateKey signature mechanism, *and* put
 updates somewhere else where signatures can work.

 Other more muddy options include "wait and see if Mozilla fixes some of
 their broken designs in a way that is helpful here".

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to