On 02/18/2013 12:15 AM, Jacob Appelbaum wrote:
Do you plan to download TBB over Tor that is provided by the system, say by adding a dependency on a system Tor?
I was assuming that making the launcher depend on a system Tor would be troublesome. However now that I'm looking at https://www.torproject.org/docs/debian again, it seems like it could totally work. What about for Ubuntu users?
My workaround plan was to download TBB not over Tor the first time. After extracting it, copy a Firefox extension into the TBB profile, and then run it. From that point on, the extension would be in charge of checking for updates, downloading new updates, and telling the user when they should restart their browser.
But I think I'll make a Tor dependency instead. It would make things way simpler and much less work.
And there are screenshots here: http://imgur.com/a/Mvpwl
These look pretty great. I'd say the wording needs a bit of work but generally, it seems reasonable. I'd suggest that if signatures don't work, I'd add a 'report' button rather than an exit button. I'd also suggest that you might want to ensure that version numbers are always increasing and other things that are outlined in the. A MITM may be able to replay an old valid signature for a package, does your code handle that case? You may enjoy the paper and code on theupdateframework.com to look into those kinds of issues...
That's a good idea about adding a report button. I just opened a bug for this:
https://github.com/micahflee/torbrowser-launcher/issues/6
What do you think the report button should do? What information should it send back to us, and how should it send it? If there is a real attack and the user can't successfully download TBB, how can we make sure they can successfully report the attack? You can post comments on the bug.
I'll read the paper on the update framework. As it stands, it would be possible for an attacker to replay an old valid signature to get someone to update to an old version. I just opened a new bug for this:
https://github.com/micahflee/torbrowser-launcher/issues/4
Do you pin SSL certs? Or fetch from known mirrors? Or...? :)
No. I assumed that if someone successfully did a MITM attack on the https connection to torproject.org, they wouldn't get their malicious software installed because of the signature verification. Also, I didn't realize urllib2 doesn't check certs automatically. It's a good idea to implement anyway. Thanks for opening the bug about it.
https://github.com/micahflee/torbrowser-launcher/issues/1
Before trying to get it in Debian I'd like to make it so it doesn't need to be updated each time TBB is updated. There are more details in the ticket, but this would require Tor to maintain a file on https://www.torproject.org/ that has the current version number of TBB in it and a timestamp, and possibly a digital signature of this file too.
TBB has a version check built into it - have you seen how it works?
I haven't. Doesn't check.torproject.org tell you if your TBB is out of date? Can you link me to the file where it's implemented?
Do you think this is doable?
I think it is reasonable - I wonder though, can't you just fetch https://www.torproject.org/dist/torbrowser/ and parse it to look for files that match a given file pattern? As an example, https://www.torproject.org/dist/torbrowser/?C=M;O=D will sort by latest date, as will https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D for GNU/Linux and so on for Mac OS X: https://www.torproject.org/dist/torbrowser/osx/?C=M;O=A
I'd thought about this, but I wasn't sure if this is a reliable way to know which version to download. For example, when I go to https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D now, the first file is:
tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz.asc
But when I go to the TBB download page, the version I'm presented with is 2.3.25-2, not 2.4.10-alpha-1. Maybe TBB's built-in version check will shed some light onto the best way to know what the latest stable version is.
I also want to get it localized into all the languages TBB is localized into. Any thoughts or suggestions?
Once the program is structured in a way that the strings are pretty much fixed, I'd suggest Transifex: https://www.transifex.com/ as it is what Tor uses for most every translation need.
Cool! I'll wait until this is closer to done and the strings are more fixed to do this.
I'm off to read the code and try it out! Thanks!
Thanks!
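An added example, not part of the original message or of torbrowser-launcher's code: one way to combine the two points raised in the thread, picking the latest stable release out of a directory listing while skipping alpha builds, and refusing any candidate that is not strictly newer than the installed version so that a replayed old package with a valid signature is rejected. The file-name pattern is an assumption generalised from the single name quoted above, the listing entries other than that name are constructed, and the function names are hypothetical.

```python
import re

# Constructed listing: only the first name is quoted in the thread.
LISTING = [
    "tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz.asc",
    "tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-x86_64-2.3.25-2-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-x86_64-2.3.25-1-dev-en-US.tar.gz",
    "tor-browser-gnu-linux-i686-2.3.25-2-dev-en-US.tar.gz",
]

# Assumed naming pattern, generalised from the one file name in the thread.
NAME_RE = re.compile(
    r"^tor-browser-gnu-linux-(?P<arch>x86_64|i686)-"
    r"(?P<ver>\d+(?:\.\d+)+)(?P<pre>-alpha|-beta|-rc)?-(?P<build>\d+)"
    r"-dev-(?P<lang>[A-Za-z-]+)\.tar\.gz$"
)
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)-(\d+)$")  # e.g. "2.3.25-2"


def version_key(ver, build):
    """Turn "2.3.25" and "2" into the comparable tuple (2, 3, 25, 2)."""
    return tuple(int(p) for p in ver.split(".")) + (int(build),)


def latest_stable(names, arch="x86_64", lang="en-US"):
    """Return (key, name) of the newest non-prerelease tarball, or None."""
    best = None
    for name in names:
        m = NAME_RE.match(name)
        if not m or m.group("arch") != arch or m.group("lang") != lang:
            continue  # signature files, other platforms, other locales
        if m.group("pre"):
            continue  # alpha/beta/rc builds are not offered as stable
        key = version_key(m.group("ver"), m.group("build"))
        if best is None or key > best[0]:
            best = (key, name)
    return best


def should_install(installed, candidate_key):
    """Accept only a strictly newer version, so a replayed old package
    with a valid signature is refused."""
    m = VERSION_RE.match(installed)
    if not m:
        raise ValueError("unrecognised installed version: %r" % installed)
    return candidate_key > version_key(m.group(1), m.group(2))
```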