Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2019-02-08 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security, ff60-esr|  Actual Points:
Parent ID:  #26553| Points:
 Reviewer:|Sponsor:
--+--
Changes (by intrigeri):

 * cc: intrigeri (added)


--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2018-06-28 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security, ff60-esr|  Actual Points:
Parent ID:  #26553| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * parent:   => #26553



Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-08-08 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security, ff59-esr|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by gk):

 * keywords:  tbb-security => tbb-security, ff59-esr


Comment:

 We need to sign our extensions ourselves anyway when switching to ESR59.
 If we get to it earlier then it can't hurt, though.


Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-07-19 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by gk):

 Replying to [comment:5 yawning]:
 > If I were to try to mitigate this without breaking things for lots of
 users, I would replace the SHA1 implementation used for XPI verification
 with the hardened variant that came out of the shattered.io research.
 >
 > https://github.com/cr-marcstevens/sha1collisiondetection

 Sounds like a useful thing to look at, thanks.


Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-07-19 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by yawning):

 If I were to try to mitigate this without breaking things for lots of
 users, I would replace the SHA1 implementation used for XPI verification
 with the hardened variant that came out of the shattered.io research.

 https://github.com/cr-marcstevens/sha1collisiondetection


Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-07-19 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by yawning):

 Upstream bug has been around for years apparently:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1169532

 Fun facts:

  * The MD5 digest is ignored (sigh).
  * The PKCS7 RSA signature *also* uses SHA1 (I should have checked this).
  * Their plan apparently is to move to *also* include SHA256 digests and
 transition to ECDSA.

 I'm uncertain if we should treat this more severely.  I'm not exactly
 thrilled about "keeping the same old busted manifest format, adding yet
 another M-D construct hash, and doing absolutely shit fuckall to mitigate
 length extension attacks" as the upstream response.

 At a minimum, I think we can do better by patching the XPI verification
 code at least for our addons (like we do for the MAR signatures), but what
 do I know.

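
Added example (not Tor Browser, Firefox or Mozilla code): a small Python auditor for the JAR-style signing manifest inside an XPI, written to illustrate the two points in the comments above, that the manifest carries MD5 and SHA1 digests of which only SHA1 is checked, and that the fix yawning proposes is to swap the SHA1 implementation used at verification time. It assumes the manifest layout (a `Name:` line, a `Digest-Algorithms:` line and one `<ALG>-Digest:` base64 line per algorithm, as in a Java JAR manifest), constructs its own sample XPI in memory, and stops at the per-file digests: it does not parse the `.sf` signature file or the PKCS#7 blob. The hash table is the hook where a collision-detecting SHA1 such as sha1collisiondetection would be plugged in; `STRONG` is the editor's own policy knob, not a Firefox setting.

```python
"""Audit which hash algorithms an XPI's META-INF/manifest.mf actually rests on.
Added illustration; manifest layout and sample files are assumptions/constructed."""
import base64
import hashlib
import io
import zipfile

# Constructors keyed by the manifest's algorithm names.  SHA1 is looked up here so a
# collision-detecting implementation can replace hashlib.sha1 without touching the verifier.
DEFAULT_HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}

# Algorithms whose collision resistance we are willing to rely on (editor's policy).
STRONG = {"SHA256"}


def _digest_b64(ctor, data):
    return base64.b64encode(ctor(data).digest()).decode("ascii")


def build_manifest(files, algorithms):
    """Construct META-INF/manifest.mf for a {name: bytes} mapping (assumed JAR-style layout)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += ["Name: " + name, "Digest-Algorithms: " + " ".join(algorithms)]
        lines += [f"{alg}-Digest: {_digest_b64(DEFAULT_HASHES[alg], data)}" for alg in algorithms]
        lines.append("")
    return "\n".join(lines).encode("utf-8")


def build_xpi(files, algorithms):
    """Constructed sample XPI: content files plus a manifest (no .sf or PKCS#7 blob)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/manifest.mf", build_manifest(files, algorithms))
    return buf.getvalue()


def parse_manifest(text):
    """Parse manifest sections into {file name: {ALG: base64 digest}}."""
    entries, current, last = {}, None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last is not None:
            entries[current][last] += raw[1:].strip()   # wrapped digest line continuation
            continue
        line = raw.strip()
        if not line:
            current, last = None, None                  # blank line ends a section
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current, last = value, None
            entries[current] = {}
        elif current is not None and key.endswith("-Digest"):
            last = key[: -len("-Digest")].upper()
            entries[current][last] = value
        else:
            last = None
    return entries


def audit_xpi(xpi_bytes, hashes=DEFAULT_HASHES):
    """Check every content file against its manifest digests.

    Returns (ok, weak): ok is False if a file is missing from the manifest, has no
    digest we can verify, or any digest mismatches; weak lists files whose verified
    digests all come from algorithms outside STRONG (e.g. SHA1-only manifests)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/manifest.mf").decode("utf-8"))
        ok, weak = True, []
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            digests = manifest.get(name)
            if not digests:
                ok = False                               # unsigned content file
                continue
            data = zf.read(name)
            verified = set()
            for alg, expected in digests.items():
                ctor = hashes.get(alg)
                if ctor is None:
                    continue                             # unknown/untrusted algorithm counts for nothing
                if _digest_b64(ctor, data) != expected:
                    ok = False
                else:
                    verified.add(alg)
            if not verified:
                ok = False                               # nothing we trust vouches for this file
            elif not verified & STRONG:
                weak.append(name)
    return ok, sorted(weak)


def replace_entry(xpi_bytes, name, new_data):
    """Rewrite the archive with one content file swapped, manifest left untouched (tamper model)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return out.getvalue()


SAMPLE_FILES = {  # constructed sample content, not a real extension
    "manifest.json": b'{"name": "example", "version": "1.0"}\n',
    "background.js": b"console.log('hello');\n",
}

if __name__ == "__main__":
    print("MD5+SHA1 manifest:", audit_xpi(build_xpi(SAMPLE_FILES, ["MD5", "SHA1"])))
    print("SHA1+SHA256 manifest:", audit_xpi(build_xpi(SAMPLE_FILES, ["SHA1", "SHA256"])))
```

Passing `hashes={"SHA256": hashlib.sha256}` models a verifier that refuses to trust SHA1 at all: a legacy MD5+SHA1 manifest then fails outright rather than quietly verifying, which is the "break things for lots of users" outcome the hardened-SHA1 suggestion is meant to avoid.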

Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-07-18 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by isis):

 Replying to [comment:2 yawning]:
 > This is probably more an upstream issue since the practical result is
 "Extension Signing is worthless vs adversaries that can produce SHA1
 collisions".

 Ugh. And yeah, this seems to be an upstream issue, we should see if
 they've already got a fix they're working on.


Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-07-18 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  High  |  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Major | Resolution:
 Keywords:  tbb-security  |  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--
Changes (by yawning):

 * keywords:   => tbb-security
 * priority:  Medium => High
 * severity:  Normal => Major


Comment:

 This is probably more an upstream issue since the practical result is
 "Extension Signing is worthless vs adversaries that can produce SHA1
 collisions".


Re: [tor-bugs] #22971 [Applications/Tor Browser]: The XPI signing mechanism needs to use different hash functions.

2017-07-18 Thread Tor Bug Tracker & Wiki
#22971: The XPI signing mechanism needs to use different hash functions.
--+--
 Reporter:  yawning   |  Owner:  tbb-team
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+--

Comment (by yawning):

 https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf
