On Wed, Aug 07, 2013 at 07:20:21AM +0300, Nadim Kobeissi wrote:
> You will note that this was posted recently. However, 5 weeks ago,
> Mozilla posted a security advisory for Firefox and fixed the issue. Tor
> then updated the Tor Browser Bundle with the fix, 5 weeks ago, *without
> releasing a security advisory.* You released the security advisory after
> shit hit the fan, this week.

Just to clarify: the security advisory I wrote this week was telling
users that an exploit had been seen in the wild, and explaining what
we knew about that. This was not intended to be a five-weeks-late
by-the-way-there-was-a-vulnerability announcement. We already told people,
five weeks ago, to upgrade, and set the TBB homepage to tell them "There
is a security update available for the Tor Browser Bundle. Click here
to go to the download page." The novel thing here was that a potential
vulnerability, which Mozilla had described as "This crash is potentially
exploitable" when they put out their fix, was actually exploitable in
practice and was being actively exploited. The advisory was intended to
make people aware of the new situation, and also collect some facts into
one place.

> The advisory you released this week should have
> been released 5 weeks ago for Tor Browser, on the day Mozilla released
> an advisory for Firefox, and on the day you updated Tor Browser.
>
> I spoke with Roger and he in fact confirmed that no advisory was
> released by Tor five weeks ago when Tor fixed the vulnerability. Tor
> waited until the exploit was in the wild.

We did in fact wait until the exploit was in the wild to tell people
that the exploit was in the wild.

How we (including the broader community) can keep users informed
about the security state of their software is indeed a fine question
to ponder. But it's not clear to me that this "you didn't tell them"
"yes we did" "well you should have told them differently" format is
the right way to make progress.

(And we should also listen to folks like Andy, who point out that
there's never going to be a simple answer. I've been involved in too
many "I wonder if that bug we just fixed is really exploitable, and how
we should classify it" discussions to believe that the predictions are
always accurate -- and they can be inaccurate either by overestimating
or by underestimating.)

--Roger

--
Liberationtech list is public and archives are searchable on Google. Too many 
emails? Unsubscribe, change to digest, or change password by emailing moderator 
at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech