Micah Lee:
> On 02/18/2013 12:15 AM, Jacob Appelbaum wrote:
>> Do you plan to download TBB over Tor that is provided by the system, say
>> by adding a dependency on a system Tor?
>
> I was assuming that making the launcher depend on a system Tor would be
> troublesome. However now that I'm looking at
> https://www.torproject.org/docs/debian again, it seems like it could
> totally work. What about for Ubuntu users?

For normal Debian GNU/Linux users, I believe it will work. For recent versions of Ubuntu, I also believe it will work. I would also say that the launcher could prompt them to actually *add* the Tor repositories that fix the problems Ubuntu users may or may not face in the future.

>
> My workaround plan was to download TBB not over Tor the first time.
> After extracting it, copy a Firefox extension into the TBB profile, and
> then run it. From that point on, the extension would be in charge of
> checking for updates, downloading new updates, and telling the user when
> they should restart their browser.
>

I'm not sure I follow? You want to extend TBB to check for updates itself? In the long term, I think that is a fine plan - though in the short term, I think a simple script can be safer, easier and generally better. Imagine for a moment that there was a system wide cache of TBB downloads? One TBB to rule them all, or something. Such a thing wouldn't be easy inside of Firefox.

> But I think I'll make a Tor dependency instead. It would make things way
> simpler and much less work.
>

Yeah, I totally agree. I'd also say that the code should be aware of the fact that Tor *may* not work - so you may want to look into using stem to either control it (eg: ask a user to enter a bridge) or simply to see the state.

>>> And there are screenshots here:
>>> http://imgur.com/a/Mvpwl
>>>
>>
>> These look pretty great. I'd say the wording needs a bit of work but
>> generally, it seems reasonable. I'd suggest that if signatures don't
>> work, I'd add a 'report' button rather than an exit button. I'd also
>> suggest that you might want to ensure that version numbers are always
>> increasing and other things that are outlined in the. A MITM may be able
>> to replay an old valid signature for a package, does your code handle
>> that case? You may enjoy the paper and code on theupdateframework.com to
>> look into those kinds of issues...
>
> That's a good idea about adding a report button. I just opened a bug for
> this:
>
> https://github.com/micahflee/torbrowser-launcher/issues/6

Coolness.

>
> What do you think the report button should do? What information should
> it send back to us, and how should it send it? If there is a real attack
> and the user can't successfully download TBB, how can we make sure they
> can successfully report the attack? You can post comments on the bug.
>

I'll add comments to the bug.

> I'll read the paper on the update framework. As it stands, it would be
> possible for an attacker to replay an old valid signature to get someone
> to update to an old version. I just opened a new bug for this:
>
> https://github.com/micahflee/torbrowser-launcher/issues/4
>

Great.

>> Do you pin SSL certs? Or fetch from known mirrors? Or...? :)
>
> No. I assumed that if someone successfully did a MITM attack on the
> https connection to torproject.org, they wouldn't get their malicious
> software installed because of the signature verification. Also, I didn't
> realize urllib2 doesn't check certs automatically. It's a good idea to
> implement anyway. Thanks for opening the bug about it.
>
> https://github.com/micahflee/torbrowser-launcher/issues/1
>

Sure - I find it hard to believe that Python's development community actually settled on that as the default behavior. It bites nearly everyone.

>>> Before trying to get it in Debian I'd like to make it so it doesn't need
>>> to be updated each time TBB is updated. There are more details in the
>>> ticket, but this would require Tor to maintain a file on
>>> https://www.torproject.org/ that has the current version number of TBB
>>> in it and a timestamp, and possibly digital signature of this file too.
>>>
>>
>> TBB has a version check built into it - have you seen how it works?
>
> I haven't. Doesn't check.torproject.org tell you if your TBB is out of
> date? Can you link me to the file where it's implemented?

I'm not sure where it is - I'd ask Mike Perry or Erinn.

>
>>> Do you think this is doable?
>>>
>>
>> I think it is reasonable - I wonder though, can't you just fetch
>> https://www.torproject.org/dist/torbrowser/ and parse it to look for
>> files that match a given file pattern? As an example,
>> https://www.torproject.org/dist/torbrowser/?C=M;O=D will sort by latest
>> date, as will https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D
>> for GNU/Linux and so on for Mac OS X:
>> https://www.torproject.org/dist/torbrowser/osx/?C=M;O=A
>
> I'd thought about this, but I wasn't sure if this is a reliable way to
> know which version to download. For example, when I go to
> https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D now, the first
> file is:
>
> tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz.asc
>
> But when I go to the TBB download page, the version I'm presented with
> is 2.3.25-2, not 2.4.10-alpha-1. Maybe TBB's built-in version check will
> shed some light onto the best way to know what the latest stable version is.
>

Well, which should your users be using? From my perspective, I think you should give them the alpha and help them report bugs! :-)

>>> I also want to get it localized into all the languages TBB is localized
>>> into. Any thoughts or suggestions?
>>>
>>
>> Once the program is structured in a way that the strings are pretty much
>> fixed, I'd suggest Transifex: https://www.transifex.com/ as it is what
>> Tor uses for most every translation need.
>
> Cool! I'll wait until this is closer to done and the strings are more
> fixed to do this.
>

Great.

>> I'm off to read the code and try it out! Thanks!
>
> Thanks!
>

I pushed a code audit first pass to the git repo, did you see the branches that I added?

All the best,
Jacob
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
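
Added example, not part of the thread and not torbrowser-launcher code: one way to pick a release from a directory listing by parsed version rather than by modification date, and to refuse a replayed older package whose signature would still verify. The file-name pattern is inferred from the single name quoted in the thread, the listing is constructed, and all function names are hypothetical; signature verification itself is assumed to happen separately.

```python
import re

# Pattern follows the one file name quoted in the thread (assumption: stable
# builds use the same scheme without the "-alpha" part).
NAME = re.compile(r"^tor-browser-gnu-linux-x86_64-(\d+(?:\.\d+)+)"
                  r"(?:-(alpha|beta|rc))?-(\d+)-dev-en-US\.tar\.gz$")
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None means stable
PREFIX = "tor-browser-gnu-linux-x86_64-"
# Constructed directory listing, not real server output.
LISTING = [PREFIX + v + "-dev-en-US.tar.gz" + ext
           for v in ("2.4.10-alpha-1", "2.3.25-2", "2.3.25-1")
           for ext in ("", ".asc")]

class RollbackError(Exception):
    """The offered package is not newer than the installed one."""

def parse_version(filename):
    """Return a sortable key (numbers, stage, build), or None if no match."""
    m = NAME.match(filename)
    if not m:
        return None
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return (numbers, STAGE[m.group(2)], int(m.group(3)))

def newest(listing, allow_prerelease=False):
    """Highest-versioned tarball that has a detached .asc next to it."""
    names, best = set(listing), None
    for name in names:
        key = parse_version(name)
        if key is None or name + ".asc" not in names:
            continue
        if key[1] != STAGE[None] and not allow_prerelease:
            continue
        if best is None or key > best[0]:
            best = (key, name)
    return best[1] if best else None

def check_not_rollback(candidate, installed):
    """Refuse anything not strictly newer, even if its signature verifies."""
    new, old = parse_version(candidate), parse_version(installed)
    if new is None or old is None:
        raise ValueError("unrecognised file name")
    if new <= old:
        raise RollbackError("%s is not newer than %s" % (candidate, installed))
    return candidate
```
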
