It's been a while since there's been a discussion on-list about getting the TBB into Apple's app store [1]. Interest hasn't really gone away in the intervening 13 months, so I just want to open up discussion about it.
Here are the issues as I see them:
- Apple has traditionally been at odds with GPL-licensed stuff [3], though of late it seems to have relaxed a bit with dual-licensed material [2].
- If the TBB is added to the app store by Tor, it requires review of and agreement to Apple's terms and also agreeing not to reveal DRM sekrits [4].
- It requires time and energy to keep the app store listing maintained.
Here are some possible solutions:
- Submit Apple agreements to Wendy for review and rejection/acceptance. The last mention of this was a year ago on #6540. Status?
- A volunteer who doesn't work for Tor maintaining the app store version of TBB. This would also free Tor as an organization from having to sign agreements. (Though this may contravene Apple's terms).
- Actively decide to continue without being blessed by Apple, but focusing instead on educating Mac users about their application security options.
Thoughts?
~Griffin
[1] https://trac.torproject.org/projects/tor/ticket/6540
[2] https://www.opensource.apple.com/license/gpl-with-exception/
[3] http://meta.ath0.com/2012/02/05/apples-great-gpl-purge/
[4] https://www.eff.org/deeplinks/2012/05/apples-crystal-prison-and-future-open-...
Griffin Boyce griffin@cryptolab.net writes:
> Here are the issues as I see them:
> - Apple has traditionally been at odds with GPL-licensed stuff [3], though of late it seems to have relaxed a bit with dual-licensed material [2].
> - If the TBB is added to the app store by Tor, it requires review of and agreement to Apple's terms and also agreeing not to reveal DRM sekrits [4].
> - It requires time and energy to keep the app store listing maintained.
It's a little hard to tell what's really going on. A few thoughts:
It seems Apple's terms are incompatible with copyleft, and that isn't likely to change. Is there any copylefted code in TBB? I would expect so, but I haven't enumerated it. People who choose copyleft for their code do so for a reason, and Apple's terms are fundamentally inconsistent with those reasons - this isn't a matter of nits to be smoothed over.
Is the agreement that a company would have to sign public? There seems to be some notion that it is not. I believe that charitable organizations and free software organizations should not enter into secret agreements, and that doing so would be a breach of their duty to act in the public interest.
On 11/11/2013 05:36 AM, Greg Troxel wrote:
> It seems Apple's terms are incompatible with copyleft, and that isn't likely to change. Is there any copylefted code in TBB? I would expect so, but I haven't enumerated it. People who choose copyleft for their code do so for a reason, and Apple's terms are fundamentally inconsistent with those reasons - this isn't a matter of nits to be smoothed over.
> Is the agreement that a company would have to sign public? There seems to be some notion that it is not. I believe that charitable organizations and free software organizations should not enter into secret agreements, and that doing so would be a breach of their duty to act in the public interest.
I agree with everything that's been said here. I don't trust Apple. If all of these conditions are true, playing the game by their proprietary rules seems too severe a burden for this libre software very much in the public interest. The people who desire to use TBB should already know this and will be prepared for the minor inconvenience of obtaining the app directly from torproject.
Justin
* Griffin Boyce griffin@cryptolab.net [2013:11:10 20:30 -0500]:
> It's been a while since there's been a discussion on-list about getting the TBB into Apple's app store [1]. Interest hasn't really gone away in the intervening 13 months, so I just want to open up discussion about it.
Are there a lot of people interested in this? We hear complaints from OSX users about the packages not being signed the OSX way, but if we've received bugs about putting TBB into the app store, they have been so infrequent and long ago that I don't remember them. I'm not disagreeing with your claim, I just wonder where the interest is happening so I can read about it. :)
> Here are some possible solutions:
> - Submit Apple agreements to Wendy for review and rejection/acceptance. The last mention of this was a year ago on #6540. Status?
I tried to get the licensing agreements earlier this year and they are, as far as I can tell, not available until you actually sign up. If someone reading this has put something in the app store (which may or may not be different from the app store the iPhone uses? does anyone know?) please send us a copy of any agreements you may have!
> - Actively decide to continue without being blessed by Apple, but focusing instead on educating Mac users about their application security options.
I am at this point in favor of signing OSX packages with their codesigning but in order to acquire a codesigning cert you have to jump through some hoops (and there is the aforementioned issue of "who buys the certs? person or organization?"; see also #10002) This is why this problem has never been "solved" -- every time we look at it we get discouraged, confused, and/or ideologically enraged.
On Sun, Nov 17, 2013 at 09:15:58AM +0000, Georg Koppen wrote:
> Erinn Clark:
>> I am at this point in favor of signing OSX packages with their codesigning but
> How is this supposed to work with Gitian?
I don't see the problem. You can still verify the output of your Gitian build against the signed version. After all, signing an app just adds an LC_CODE_SIGNATURE load command plus associated data to your Mach-O files and a Contents/_CodeSignature/CodeResources for the resources to your app bundle. To verify you can simply remove both using command line tools and compare the signed version against the local Gitian build process output.
Cheers, Ralf
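Added example (not part of Ralf's message and not Tor's build tooling): a Python sketch of the Mach-O half of the comparison described above, which removes the LC_CODE_SIGNATURE load command and its trailing data so a signed binary can be compared byte-for-byte with a local build. It assumes a thin 64-bit little-endian file whose signature data sits at the very end and did not change the __LINKEDIT vmsize; `_toy_macho` is a constructed sample, not a real binary. The bundle-level Contents/_CodeSignature/CodeResources file is simply excluded when walking the app bundle.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                  # thin 64-bit little-endian Mach-O
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D
HDR = struct.Struct("<8I")                # mach_header_64
SEG = struct.Struct("<2I16s4Q4I")         # segment_command_64


def strip_signature(blob: bytes) -> bytes:
    """Return the file as it would look without LC_CODE_SIGNATURE and its data."""
    buf = bytearray(blob)
    magic, cpu, sub, ftype, ncmds, sizeofcmds, flags, rsv = HDR.unpack_from(buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only thin 64-bit little-endian Mach-O is handled")
    off, sig, linkedit = HDR.size, None, None
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<2I", buf, off)
        if size < 8:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:      # linkedit_data_command: dataoff, datasize
            sig = (off, size, *struct.unpack_from("<2I", buf, off + 8))
        elif cmd == LC_SEGMENT_64 and SEG.unpack_from(buf, off)[2].startswith(b"__LINKEDIT\0"):
            linkedit = off
        off += size
    if sig is None:
        return bytes(buf)                 # already unsigned
    sig_off, sig_size, dataoff, datasize = sig
    if dataoff + datasize != len(buf):
        raise ValueError("signature data is not at the end of the file")
    if linkedit is not None:              # shrink __LINKEDIT so it ends at dataoff
        fields = list(SEG.unpack_from(buf, linkedit))
        fields[6] = dataoff - fields[5]   # filesize = dataoff - fileoff (vmsize untouched)
        SEG.pack_into(buf, linkedit, *fields)
    # Drop the load command and zero-fill, so later file offsets do not move.
    end = HDR.size + sizeofcmds
    buf[sig_off:end] = buf[sig_off + sig_size:end] + bytes(sig_size)
    HDR.pack_into(buf, 0, magic, cpu, sub, ftype, ncmds - 1, sizeofcmds - sig_size, flags, rsv)
    return bytes(buf[:dataoff])


def same_build(signed: bytes, local: bytes) -> bool:
    """True when the two files differ only by the code signature."""
    return strip_signature(signed) == strip_signature(local)


def _toy_macho(signed: bool) -> bytes:
    """Constructed sample: header, one __LINKEDIT segment, optional signature."""
    payload, sigdata = b"SYMBOLS!" * 4, b"\xfa\xde\x0c\xc0" + b"S" * 28
    fileoff = 256                         # load commands sit in a zero-padded header
    lsize = len(payload) + (len(sigdata) if signed else 0)
    out = HDR.pack(MH_MAGIC_64, 0x01000007, 3, 2, 2 if signed else 1,
                   SEG.size + (16 if signed else 0), 0, 0)
    out += SEG.pack(LC_SEGMENT_64, SEG.size, b"__LINKEDIT", 0x1000, 0x1000,
                    fileoff, lsize, 1, 1, 0, 0)
    if signed:
        out += struct.pack("<4I", LC_CODE_SIGNATURE, 16, fileoff + len(payload), len(sigdata))
    return out.ljust(fileoff, b"\0") + payload + (sigdata if signed else b"")


if __name__ == "__main__":
    print("signed matches local build:", same_build(_toy_macho(True), _toy_macho(False)))
```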
On Sat, Nov 16, 2013 at 09:58:40PM -0200, Erinn Clark wrote:
> * Griffin Boyce griffin@cryptolab.net [2013:11:10 20:30 -0500]:
>> It's been a while since there's been a discussion on-list about getting the TBB into Apple's app store [1]. Interest hasn't really gone away in the intervening 13 months, so I just want to open up discussion about it.
> Are there a lot of people interested in this? We hear complaints from OSX users about the packages not being signed the OSX way, but if we've received bugs about putting TBB into the app store, they have been so infrequent and long ago that I don't remember them. I'm not disagreeing with your claim, I just wonder where the interest is happening so I can read about it. :)
Getting TBB into the App Store would definitely help increase its visibility on the OSX side. However, I am not really in favour of giving a US company a list of all users having downloaded TBB plus information whether or not they are upgraded to the most recent version...
>> Here are some possible solutions:
>> - Submit Apple agreements to Wendy for review and rejection/acceptance. The last mention of this was a year ago on #6540. Status?
> I tried to get the licensing agreements earlier this year and they are, as far as I can tell, not available until you actually sign up. If someone reading this has put something in the app store (which may or may not be different from the app store the iPhone uses? does anyone know?) please send us a copy of any agreements you may have!
I think I still have access to both. Let me pull the latest version of both agreements (iPhone and OSX developer) and attach them to #6540.
>> - Actively decide to continue without being blessed by Apple, but focusing instead on educating Mac users about their application security options.
> I am at this point in favor of signing OSX packages with their codesigning but in order to acquire a codesigning cert you have to jump through some hoops (and there is the aforementioned issue of "who buys the certs? person or organization?"; see also #10002) This is why this problem has never been "solved" -- every time we look at it we get discouraged, confused, and/or ideologically enraged.
Codesigning is a good countermeasure against some attackers. The bar you have to jump over to get an Apple dev account and enroll for a codesigning cert is significantly lower than the one described in #10002.
Have you spoken to Mozilla about how they have obtained their code signing cert?
Cheers, Ralf
* Ralf-Philipp Weinmann ralf@coderpunks.org [2013:11:17 10:25 +0100]:
> Getting TBB into the App Store would definitely help increase its visibility on the OSX side. However, I am not really in favour of giving a US company a list of all users having downloaded TBB plus information whether or not they are upgraded to the most recent version...
IMO this is a very persuasive reason not to put it there.
> I think I still have access to both. Let me pull the latest version of both agreements (iPhone and OSX developer) and attach them to #6540.
Thank you!
> Have you spoken to Mozilla about how they have obtained their code signing cert?
I believe this is on Mike's TODO list since he talks to Mozilla people fairly frequently, but it may not be a high priority for him. Mike, let me know if you would prefer for me to take this on?
On 11/18/2013 01:39 PM, Erinn Clark wrote:
> * Ralf-Philipp Weinmann ralf@coderpunks.org [2013:11:17 10:25 +0100]:
>> Getting TBB into the App Store would definitely help increase its visibility on the OSX side. However, I am not really in favour of giving a US company a list of all users having downloaded TBB plus information whether or not they are upgraded to the most recent version...
> IMO this is a very persuasive reason not to put it there.
For what it is worth, this is what we effectively do by putting Orbot in the Google Play store. We heavily promote alternatives (direct APK download, F-droid repo, etc), but Google Play is where the majority of downloads come from.
Now, mobile is different, because the behaviors of users looking to find and install software are quite different than on the web/desktop.
In addition, considering the amount of atrocious free proxy software being peddled in Google Play, I feel I would be doing our intended audience a disservice by not offering a quality option like Orbot, where they are primarily looking to find solutions.
+n
On 11/18/2013 02:07 PM, Nathan Freitas wrote:
> Now, mobile is different, because the behaviors of users looking to find and install software are quite different than on the web/desktop.
As a side note, for those interested, we are really investing in the next 3-6 months in a new project called "Bazaar" which is about decentralized but secure app sharing.
https://dev.guardianproject.info/projects/bazaar/wiki
This includes adding Tor support into the F-Droid open repo mobile client: https://guardianproject.info/2013/11/05/setting-up-your-own-app-store-with-f...
and investigating DropBox-like syncing solutions that work well over Tor: https://guardianproject.info/2013/11/12/your-own-private-dropbox-with-free-s...
If all goes well, it will be fairly easy for people to socially share apps like Orbot in a device-to-device manner over Hidden Services, OTR chat sessions, wifi and bluetooth. Stay tuned!
+n
On Mon, Nov 18, 2013 at 02:07:26PM -0500, Nathan Freitas wrote:
| >>> Getting TBB into the App Store would definitely help increase
| >>> its visibility on the OSX side. However, I am not really in
| >>> favour of giving a US company a list of all users having
| >>> downloaded TBB plus information whether or not they are
| >>> upgraded to the most recent version...
| > IMO this is a very persuasive reason not to put it there.
| For what it is worth, this is what we effectively do by putting Orbot
| in the Google Play store. We heavily promote alternatives (direct APK
| download, F-droid repo, etc), but Google Play is where the majority of
| downloads come from.
I feel this is an important point. Doing the best thing for a small number of people can be supplemented by doing the second-best thing for a larger group.
There's also a security-usability synergy here. The more users Tor has, the more secure it is. In other words, Tor should be where people expect to find it. The website can explain the tradeoff.
Adam
Erinn Clark:
> * Ralf-Philipp Weinmann ralf@coderpunks.org [2013:11:17 10:25 +0100]:
>> Getting TBB into the App Store would definitely help increase its visibility on the OSX side. However, I am not really in favour of giving a US company a list of all users having downloaded TBB plus information whether or not they are upgraded to the most recent version...
> IMO this is a very persuasive reason not to put it there.
Even more concerning is that list of users is vulnerable to other attacks via app stores. App stores are central points of control over the software that runs on your computer. The second an entity provides a way to tie software delivery (especially updates) to a specific user ID, it creates the ability to be coerced or compromised such that it can be used to serve targeted malware to specific user IDs.
I don't think we'll have to wait long before we hear stories of this happening through the major app stores, if it hasn't happened already. This attack vector seems like it would be consistent with the M.O. of the intelligence agencies and other TLAs.
Worse, while our Gitian builds may serve as enough of a deterrent to prevent such malware from targeting Tor directly (because it would be easier to identify and extract the malware bits with confidence), they do not stop the adversary from infecting updates to other apps.
What this means is that as soon as a user ID is identified as a Tor user, they can be targeted to receive malware designed to monitor their Tor usage through an update to *any* app that they already have installed. This also applies to people who are interesting, but who have never installed Tor directly from the app store at all.
Despite this (or perhaps because of that last property), I could be convinced that it is acceptable to provide TBB through the app store to raise awareness of the software, but have the app description warn users that if they need strong anonymity and privacy, they should not use the app store version, and instead use a more private and safe way to obtain a copy.
Something tells me this will make it even harder to get approval by Apple, though. :/
>> I think I still have access to both. Let me pull the latest version of both agreements (iPhone and OSX developer) and attach them to #6540.
> Thank you!
>> Have you spoken to Mozilla about how they have obtained their code signing cert?
> I believe this is on Mike's TODO list since he talks to Mozilla people fairly frequently, but it may not be a high priority for him. Mike, let me know if you would prefer for me to take this on?
I will try to remember to ask the next time I'm there, but it probably is better if you could handle most of the investigation into Mac and Windows code signing support independently.
On Sat, Nov 16, 2013 at 3:58 PM, Erinn Clark erinn@torproject.org wrote:
> ... I tried to get the licensing agreements earlier this year and they are, as far as I can tell, not available until you actually sign up. If someone reading this has put something in the app store (which may or may not be different from the app store the iPhone uses? does anyone know?) please send us a copy of any agreements you may have!
checked #6540 and did not see any docs. attached mac_program_agreement_20130610.pdf and ios_program_standard_agreement_20130610.pdf to https://trac.torproject.org/projects/tor/attachment/ticket/6540/
best regards,
On 11/11/13 2:30 AM, Griffin Boyce wrote:
> - Actively decide to continue without being blessed by Apple, but focusing instead on educating Mac users about their application security options.
I think, as already discussed here [1] and [2], that TBB *must* go in all kinds of application stores.
We should re-consider which is the KPI (key performance indicator) of the "Effective Security" provided by Tor Browser Bundle.
Is the "Perfectness of the piece of software"? I think no.
Is the "Amount of Anonymous Web Browsing Hours" spent by the users that need it, worldwide? I think yes.
So, if the "Effectiveness" of the security provided by TBB is measured that way, the "Outreach" to facilitate "Adoption" becomes a strategic, fundamental part of the "Security Strategy" of TBB.
To improve the "Effective Security" of TBB, we must improve the "Outreach" by facilitating and increasing the "Adoption".
Practically, it means that the end-user must have a one-click-install solution on all the platforms that are used.
This, obviously, also includes the Apple App Store.
If that kind of evaluation would be a standard measure for Tor Project, then I think that many small things will change here and there in the way the software gets delivered to the end-user.
[1] TBB Mac App Store https://lists.torproject.org/pipermail/tor-talk/2012-September/thread.html#2...
[2] Tor on iOS App Store https://lists.torproject.org/pipermail/tor-dev/2012-March/thread.html#3382
* Fabio Pietrosanti (naif) lists@infosecurity.ch [2013:11:17 11:08 +0100]:
> I think, as already discussed here [1] and [2], that TBB *must* go in all kinds of application stores.
Please see Ralf's reply to me elsewhere in the thread -- do you still think this while taking into account what we know about US companies' cooperation with the NSA/USG with regards to turning over user data? Feels a bit like leading lambs to slaughter. I'm not comfortable with Apple having access to that much user information, especially tied to real names and credit card numbers and stuff.
We should try to increase adoption, yes, but not at the expense of our users' safety, and the calculus involved is more complex than what you have presented here.
On Sun, Nov 10, 2013 at 08:30:23PM -0500, griffin@cryptolab.net wrote 1.7K bytes in 0 lines about:
: - Submit Apple agreements to Wendy for review and
: rejection/acceptance. The last mention of this was a year ago on #6540.
We have corporate lawyers for The Tor Project. I haven't spent the money to have them review the Apple agreements, because they will have to review not just the Developer Agreement, but Terms and Conditions, Privacy Policy, and other linked agreements to/from the Dev Agreement. Wendy has a very busy full-time job and doesn't have time to be Tor's lawyer. Mostly, I haven't engaged our lawyers because of the answer to the second point below.
: - A volunteer who doesn't work for Tor maintaining the app store
: version of TBB. This would also free Tor as an organization from having
: to sign agreements. (Though this may contravene Apple's terms).
I agree with this method. I don't think The Tor Project should be the one maintaining Tor-something in the App Store. I'd rather a trusted 3rd party who signs a trademark licensing agreement with us be the person who maintains an App Store presence. This is how we do it in the Android world with Google Play and Amazon App Stores, and others. In the Android world, we encourage people to get Tor on their device through f-droid [0], rather than Google Play. I don't see why it should be different for Apple, Microsoft, or whatever new mobile OS is the fad of the year.
In general, our code should be highly portable to any OS, and others can go through the specifics of getting our highly portable code into various app stores, because they understand the nuances and details of their preferred OS.
Sorry for taking so long to respond to this thread. Responses are (mostly) inline below.
At a training event a couple of days ago, a user was sketched out by the warning her Mac gave her -- in spite of the advance notice she'd been given by the trainers.
Erinn Clark wrote:
> Please see Ralf's reply to me elsewhere in the thread -- do you still think this while taking into account what we know about US companies' cooperation with the NSA/USG with regards to turning over user data?
This is an extremely important point, and I don't want to minimize user risk in this regard. But I think that it needs to be weighed against the probability that it will expand availability to censored users. (Especially if the bundle uploaded is the pluggable transport bundle, hint hint hint).
The situation is similar to Orbot's deployment (as Nathan points out). Censor X would have to block the app store in order to block access to Orbot, but the trade-off is that Google gets a list of people interested in anonymity.
Part of me feels that if a user is using an Apple device, they're on the hook to do their homework -- responsibility and informed consent are definitely in play there. AFAIK, the last bug submitted was #6540.
However, having said all of that, it turns out that Tor doesn't need to distribute it via app store to distribute a signed app [1] (there are two types of certificates). Though the signing situation itself is complicated (eg, Apple would still likely know that you've downloaded Tor).
andrew@torproject.is wrote:
> I agree with this method. I don't think The Tor Project should be the one maintaining Tor-something in the App Store. I'd rather a trusted 3rd party who signs a trademark licensing agreement with us be the person who maintains an App Store presence.
I really like this idea. My only real concerns are about licensing and whether Apple would consider a Tor-licensing dev to be effectively a proxy of the Tor Project Inc. Also, the tpo site right now indicates that someone could just submit TBB to an app store without a licensing agreement, so that could use clarifying.
Other than that, agree with Naif :D To Nathan's point, Macs and Chromebooks subscribe highly to the "walled garden" model of app accessibility, and more users look to Apple's blessed apps than for independent solutions. This is either a good thing or a bad thing, depending on your outlook (broader userbase vs. better-educated users).
abusing his parenthetical privileges, Griffin
[1] Page 11 of: https://developer.apple.com/library/mac/documentation/security/conceptual/Co...