Re: [tor-dev] Apple App Store Redux

2013-12-10 Thread Mike Perry
Erinn Clark:
> * Ralf-Philipp Weinmann  [2013:11:17 10:25 +0100]:
> > Getting TBB into the App Store would definitely help increase its
> > visibility on the OSX side. However, I am not really in favour of giving
> > a US company a list of all users having downloaded TBB plus information
> > whether or not they are upgraded to the most recent version...
> 
> IMO this is a very persuasive reason not to put it there. 

Even more concerning is that list of users is vulnerable to other
attacks via app stores. App stores are central points of control over
the software that runs on your computer. The second an entity provides a
way to tie software delivery (especially updates) to a specific user ID,
it creates the ability to be coerced or compromised such that it can be
used to serve targeted malware to specific user IDs.

I don't think we'll have to wait long before we hear stories of this
happening through the major app stores, if it hasn't happened already.
This attack vector seems like it would be consistent with the M.O. of
the intelligence agencies and other TLAs.

Worse, while our Gitian builds may serve as enough of a deterrent to
prevent such malware from targeting Tor directly (because it would be
easier to identify and extract the malware bits with confidence), they
do not stop the adversary from infecting updates to other apps.

What this means is that as soon as a user ID is identified as a Tor
user, they can be targeted to receive malware designed to monitor their
Tor usage through an update to *any* app that they already have
installed. This also applies to people who are interesting, but who
have never installed Tor directly from the app store at all.


Despite this (or perhaps because of that last property), I could be
convinced that it is acceptable to provide TBB through the app store to
raise awareness of the software, but have the app description warn users
that if they need strong anonymity and privacy, they should not use the
app store version, and instead use a more private and safe way to
obtain a copy.

Something tells me this will make it even harder to get approval by
Apple, though. :/

> > I think I still have access to both. Let me pull the latest version of both
> > agreements (iPhone and OSX developer) and attach them to #6540.
> 
> Thank you!
> 
> > Have you spoken to Mozilla how they have obtained their code signing cert?
> 
> I believe this is on Mike's TODO list since he talks to Mozilla people fairly
> frequently, but it may not be a high priority for him. Mike, let me know if
> you would prefer for me to take this on?

I will try to remember to ask the next time I'm there, but it probably
is better if you could handle most of the investigation into Mac and
Windows code signing support independently.


-- 
Mike Perry


___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev


Re: [tor-dev] Apple App Store Redux

2013-12-09 Thread coderman
On Sat, Nov 16, 2013 at 3:58 PM, Erinn Clark  wrote:
> ...
> I tried to get the licensing agreements earlier this year and they are, as far
> as I can tell, not available until you actually sign up. If someone reading
> this has put something in the app store (which may or may not be different
> from the app store the iPhone uses? does anyone know?) please send us a copy
> of any agreements you may have!


checked #6540 and did not see any docs.  attached
mac_program_agreement_20130610.pdf and
ios_program_standard_agreement_20130610.pdf to
https://trac.torproject.org/projects/tor/attachment/ticket/6540/

best regards,


Re: [tor-dev] Apple App Store Redux

2013-11-20 Thread Adam Shostack
On Mon, Nov 18, 2013 at 02:07:26PM -0500, Nathan Freitas wrote:
| >>> Getting TBB into the App Store would definitely help increase
| >>> its visibility on the OSX side. However, I am not really in
| >>> favour of giving a US company a list of all users having
| >>> downloaded TBB plus information whether or not they are
| >>> upgraded to the most recent version...
| > IMO this is a very persuasive reason not to put it there.

| For what it is worth, this is what we effectively do by putting Orbot
| in the Google Play store. We heavily promote alternatives (direct APK
| download, F-droid repo, etc), but Google Play is where the majority of
| downloads come from.

I feel this is an important point.  Doing the best thing for a small
number of people can be supplemented by doing the second-best thing
for a larger group.

There's also a security-usability synergy here.  The more users Tor
has, the more secure it is.  In other words, Tor should be where
people expect to find it.  The website can explain the tradeoff.

Adam



Re: [tor-dev] Apple App Store Redux

2013-11-20 Thread Griffin Boyce
Sorry for taking so long to respond to this thread.  Responses are
(mostly) inline below.

  At a training event a couple of days ago, a user was sketched out by
the warning her Mac gave her -- in spite of the advance notice she'd
been given by the trainers.

Erinn Clark wrote:
> Please see Ralf's reply to me elsewhere in the thread -- do you still
> think this while taking into account what we know about US companies'
> cooperation with the NSA/USG with regards to turning over user data?

  This is an extremely important point, and I don't want to minimize
user risk in this regard. But I think that it needs to be weighed
against the probability that it will expand availability to censored
users. (Especially if the bundle uploaded is the pluggable transport
bundle, hint hint hint).

  The situation is similar to Orbot's deployment (as Nathan points out).
Censor X would have to block the app store in order to block access to
Orbot, but the trade-off is that Google gets a list of people interested
in anonymity.

  Part of me feels that if a user is using an Apple device, they're on
the hook to do their homework -- responsibility and informed consent are
definitely in play there. AFAIK, the last bug submitted was #6540.

  However, having said all of that, it turns out that Tor doesn't need
to distribute it via app store to distribute a signed app [1] (there are
two types of certificates). Though the signing situation itself is
complicated (eg, Apple would still likely know that you've downloaded Tor).


and...@torproject.is wrote:
> I agree with this method. I don't think The Tor Project should be the
> one maintaining Tor-something in the App Store. I'd rather a trusted 3rd
> party who signs a trademark licensing agreement with us be the person
> who maintains an App Store presence.

  I really like this idea. My only real concerns are about licensing and
whether Apple would consider a Tor-licensing dev to be effectively a
proxy of the Tor Project Inc.  Also, the tpo site right now indicates
that someone could just submit TBB to an app store without a licensing
agreement, so that could use clarifying.

  Other than that, agree with Naif :D  To Nathan's point, Macs and
Chromebooks subscribe highly to the "walled garden" model of app
accessibility, and more users look to Apple's blessed apps than for
independent solutions.  This is either a good thing or a bad thing,
depending on your outlook (broader userbase vs. better-educated users).

abusing his parenthetical privileges,
Griffin

[1] Page 11 of:
https://developer.apple.com/library/mac/documentation/security/conceptual/CodeSigningGuide/CodeSigningGuide.pdf

-- 
Be kind, for everyone you meet is fighting a hard battle.

PGP: 0xD9D4CADEE3B67E7AB2C05717E331FD29AE792C97
OTR: sa...@jabber.ccc.de


Re: [tor-dev] Apple App Store Redux

2013-11-18 Thread Nathan Freitas

On 11/18/2013 02:07 PM, Nathan Freitas wrote:
> Now, mobile is different, because the behaviors of users looking
> to find and install software are quite different than on the
> web/desktop.

As a side note, for those interested, we are really investing in the
next 3-6 months in a new project called "Bazaar" which is about
decentralized but secure app sharing.

https://dev.guardianproject.info/projects/bazaar/wiki

This includes adding Tor support into the F-Droid open repo mobile client:
https://guardianproject.info/2013/11/05/setting-up-your-own-app-store-with-f-droid/

and investigating DropBox-like syncing solutions that work well over Tor:
https://guardianproject.info/2013/11/12/your-own-private-dropbox-with-free-software/

If all goes well, it will be fairly easy for people to socially share
apps like Orbot in a device-to-device manner over Hidden Services, OTR
chat sessions, wifi and bluetooth. Stay tuned!

+n



Re: [tor-dev] Apple App Store Redux

2013-11-18 Thread Nathan Freitas

On 11/18/2013 01:39 PM, Erinn Clark wrote:
> * Ralf-Philipp Weinmann  [2013:11:17 10:25 +0100]:
>>> Getting TBB into the App Store would definitely help increase
>>> its visibility on the OSX side. However, I am not really in
>>> favour of giving a US company a list of all users having
>>> downloaded TBB plus information whether or not they are
>>> upgraded to the most recent version...
> IMO this is a very persuasive reason not to put it there.
> 

For what it is worth, this is what we effectively do by putting Orbot
in the Google Play store. We heavily promote alternatives (direct APK
download, F-droid repo, etc), but Google Play is where the majority of
downloads come from.

Now, mobile is different, because the behaviors of users looking to
find and install software are quite different than on the web/desktop.

In addition, considering the amount of atrocious free proxy software
being peddled in Google Play, I feel I would be doing our intended
audience a disservice by not offering a quality option like Orbot,
where they are primarily looking to find solutions.

+n



Re: [tor-dev] Apple App Store Redux

2013-11-18 Thread Erinn Clark
* Fabio Pietrosanti (naif)  [2013:11:17 11:08 +0100]: 
> I think, as already discussed here [1] and [2], that TBB *must* go in
> all kinds of application stores.

Please see Ralf's reply to me elsewhere in the thread -- do you still think
this while taking into account what we know about US companies' cooperation with
the NSA/USG with regards to turning over user data? Feels a bit like leading lambs
to slaughter. I'm not comfortable with Apple having access to that much user
information, especially tied to real names and credit card numbers and stuff.

We should try to increase adoption, yes, but not at the expense of our users'
safety, and the calculus involved is more complex than what you have presented
here.




Re: [tor-dev] Apple App Store Redux

2013-11-18 Thread Erinn Clark
* Ralf-Philipp Weinmann  [2013:11:17 10:25 +0100]: 
> Getting TBB into the App Store would definitely help increase its visibility
> on the OSX side. However, I am not really in favour of giving a US company a
> list of all users having downloaded TBB plus information whether or not they
> are upgraded to the most recent version...

IMO this is a very persuasive reason not to put it there. 
 
> I think I still have access to both. Let me pull the latest version of both
> agreements (iPhone and OSX developer) and attach them to #6540.

Thank you!

> Have you spoken to Mozilla how they have obtained their code signing cert?

I believe this is on Mike's TODO list since he talks to Mozilla people fairly
frequently, but it may not be a high priority for him. Mike, let me know if you
would prefer for me to take this on?




Re: [tor-dev] Apple App Store Redux

2013-11-17 Thread andrew
On Sun, Nov 10, 2013 at 08:30:23PM -0500, grif...@cryptolab.net wrote 1.7K bytes in 0 lines about:
:   - Submit Apple agreements to Wendy for review and
: rejection/acceptance. The last mention of this was a year ago on #6540.

We have corporate lawyers for The Tor Project. I haven't spent the
money to have them review the Apple agreements, because they will have to
review not just the Developer Agreement, but Terms and Conditions, Privacy
Policy, and other linked agreements to/from the Dev Agreement.  Wendy has
a very busy full-time job and doesn't have time to be Tor's
lawyer. Mostly, I haven't engaged our lawyers because of the answer to
the second point below.

:   - A volunteer who doesn't work for Tor maintaining the app store
: version of TBB. This would also free Tor as an organization from having
: to sign agreements. (Though this may contravene Apple's terms).

I agree with this method. I don't think The Tor Project should be the
one maintaining Tor-something in the App Store. I'd rather a trusted 3rd
party who signs a trademark licensing agreement with us be the person
who maintains an App Store presence. This is how we do it in the Android
world with Google Play and Amazon App Stores, and others. In the Android
world, we encourage people to get Tor on their device through f-droid
[0], rather than Google Play. I don't see why it should be different
for Apple, Microsoft, or whatever new mobile OS is the fad of the year.

In general, our code should be highly portable to any OS, and others
can go through the specifics of getting our highly portable code into
various app stores, because they understand the nuances and details of
their preferred OS.

[0] https://f-droid.org/

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [tor-dev] Apple App Store Redux

2013-11-17 Thread Fabio Pietrosanti (naif)
On 11/11/13 2:30 AM, Griffin Boyce wrote:
>   - Actively decide to continue without being blessed by Apple, but
> focusing instead on educating Mac users about their application security
> options.
I think, as already discussed here [1] and [2], that TBB *must* go in
all kinds of application stores.

We should re-consider which is the KPI (key performance indicator) of
the "Effective Security" provided by Tor Browser Bundle.

Is it the "Perfectness of the piece of software"? I think not.

Is it the "Amount of Anonymous Web Browsing Hours" spent by the users that
need it, worldwide? I think yes.

So, if the "Effectiveness" of the security provided by TBB is measured
that way, the "Outreach" to facilitate "Adoption" becomes a strategic,
fundamental part of the "Security Strategy" of TBB.

To improve the "Effective Security" of TBB, we must improve the
"Outreach" by facilitating and increasing the "Adoption".

Practically, it means that the end-user must have a one-click-install
solution on all the platforms that are used.

This, obviously, also includes the Apple App Store.

If that kind of evaluation were a standard measure for Tor Project,
then I think that many small things would change here and there in the way
the software gets delivered to the end-user.

[1] TBB Mac App Store
https://lists.torproject.org/pipermail/tor-talk/2012-September/thread.html#25503
[2] Tor on iOS App Store
https://lists.torproject.org/pipermail/tor-dev/2012-March/thread.html#3382

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



Re: [tor-dev] Apple App Store Redux

2013-11-17 Thread Ralf-Philipp Weinmann
On Sun, Nov 17, 2013 at 09:15:58AM +, Georg Koppen wrote:
> Erinn Clark:
> > I am at this point in favor of signing OSX packages with their codesigning but
> 
> How is this supposed to work with Gitian?

I don't see the problem. You can still verify the output of your Gitian build
against the signed version. After all, signing an app just adds an
LC_CODE_SIGNATURE load command plus associated data to your Mach-O files and a
Contents/_CodeSignature/CodeResources for the resources to your app bundle. To
verify you can simply remove both using command line tools and compare the
signed version against the local Gitian build process output.

Cheers,
Ralf
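
The comparison Ralf describes, sketched for the Mach-O half only, as an added example that is not part of the original message or of Tor's build tooling: it removes the LC_CODE_SIGNATURE load command and the signature blob it points to, then compares the result byte for byte with the locally built file. Assumptions: a thin 64-bit little-endian Mach-O, the blob sits at the very end of the file with no alignment padding added in front of it, and a 4 KiB page size; `make_sample` builds a constructed stand-in, not a real binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF            # thin 64-bit little-endian Mach-O
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D
HDR = struct.Struct("<IiiIIIII")    # mach_header_64, 32 bytes
PAGE = 0x1000                       # assumed page size for segment vmsize


def strip_code_signature(data):
    """Return the Mach-O as it looked before a code signature was added."""
    if len(data) < HDR.size or data[:4] != struct.pack("<I", MH_MAGIC_64):
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    magic, cpu, sub, ftype, ncmds, sizeofcmds, flags, rsv = HDR.unpack_from(data)
    end = HDR.size + sizeofcmds     # end of the load-command area
    if end > len(data):
        raise ValueError("sizeofcmds runs past the end of the file")
    off, sig, linkedit = HDR.size, None, None
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            if cmdsize != 16:
                raise ValueError("unexpected LC_CODE_SIGNATURE size")
            sig = (off,) + struct.unpack_from("<II", data, off + 8)
        elif cmd == LC_SEGMENT_64 and cmdsize >= 72:
            if data[off + 8:off + 24].rstrip(b"\0") == b"__LINKEDIT":
                linkedit = off
        off += cmdsize
    if sig is None:
        return bytes(data)          # nothing to remove
    sig_off, dataoff, datasize = sig
    if dataoff < end or dataoff + datasize != len(data):
        raise ValueError("signature blob is not the tail of the file")
    out = bytearray(data[:dataoff])                 # drop the blob
    # Close the 16-byte gap in the command area; zero-fill keeps file offsets.
    out[sig_off:end] = data[sig_off + 16:end] + b"\0" * 16
    HDR.pack_into(out, 0, magic, cpu, sub, ftype,
                  ncmds - 1, sizeofcmds - 16, flags, rsv)
    if linkedit is not None:
        if linkedit > sig_off:
            linkedit -= 16          # command moved up by the removed 16 bytes
        (fileoff,) = struct.unpack_from("<Q", out, linkedit + 40)
        if fileoff > dataoff:
            raise ValueError("__LINKEDIT starts after the signature blob")
        filesize = dataoff - fileoff
        struct.pack_into("<Q", out, linkedit + 32, -(-filesize // PAGE) * PAGE)
        struct.pack_into("<Q", out, linkedit + 48, filesize)
    return bytes(out)


def compare_to_local_build(signed, local):
    """Offset of the first byte where they differ after stripping, else None."""
    stripped = strip_code_signature(signed)
    if stripped == local:
        return None
    for i, (a, b) in enumerate(zip(stripped, local)):
        if a != b:
            return i
    return min(len(stripped), len(local))


def _segment(name, fileoff, filesize):
    return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name, 0,
                       -(-filesize // PAGE) * PAGE, fileoff, filesize, 7, 5, 0, 0)


def make_sample(signed=False, payload=b"\x90" * 256):
    """Constructed stand-in for a build output; not a real binary."""
    blob = b"CONSTRUCTED-SIGNATURE-BLOB" if signed else b""
    cmds = _segment(b"__TEXT", 0, 512) + _segment(b"__LINKEDIT", 512, 32 + len(blob))
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 544, len(blob))
    hdr = HDR.pack(MH_MAGIC_64, 0x01000007, 3, 2, 3 if signed else 2, len(cmds), 0, 0)
    return (hdr + cmds).ljust(256, b"\0") + payload + b"L" * 32 + blob


if __name__ == "__main__":
    local = make_sample()
    print(compare_to_local_build(make_sample(signed=True), local))      # None
    tampered = make_sample(signed=True, payload=b"\x90" * 255 + b"\xcc")
    print(compare_to_local_build(tampered, local))                      # 511
```

The bundle-level `Contents/_CodeSignature/CodeResources` file mentioned above is outside this sketch; a full comparison would exclude that path and run the check on every Mach-O file in the bundle.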


Re: [tor-dev] Apple App Store Redux

2013-11-17 Thread Ralf-Philipp Weinmann
On Sat, Nov 16, 2013 at 09:58:40PM -0200, Erinn Clark wrote:
> * Griffin Boyce  [2013:11:10 20:30 -0500]: 
> >   It's been a while since there's been a discussion on-list about
> > getting the TBB into Apple's app store [1].  Interest hasn't really gone
> > away in the intervening 13 months, so I just want to open up discussion
> > about it.
> 
> Are there a lot of people interested in this? We hear complaints from OSX
> users about the packages not being signed the OSX way, but if we've received
> bugs about putting TBB into the app store, they have been so infrequent and
> long ago that I don't remember them. I'm not disagreeing with your claim, I
> just wonder where the interest is happening so I can read about it. :)

Getting TBB into the App Store would definitely help increase its visibility on
the OSX side. However, I am not really in favour of giving a US company a list
of all users having downloaded TBB plus information whether or not they are
upgraded to the most recent version...

> > Here are some possible solutions:
> >   - Submit Apple agreements to Wendy for review and
> > rejection/acceptance. The last mention of this was a year ago on #6540.
> > Status?
> 
> I tried to get the licensing agreements earlier this year and they are, as far
> as I can tell, not available until you actually sign up. If someone reading
> this has put something in the app store (which may or may not be different
> from the app store the iPhone uses? does anyone know?) please send us a copy
> of any agreements you may have!

I think I still have access to both. Let me pull the latest version of both
agreements (iPhone and OSX developer) and attach them to #6540.

> >   - Actively decide to continue without being blessed by Apple, but
> > focusing instead on educating Mac users about their application security
> > options.
> 
> I am at this point in favor of signing OSX packages with their codesigning but
> in order to acquire a codesigning cert you have to jump through some hoops
> (and there is the aforementioned issue of "who buys the certs? person or
> organization?"; see also #10002) This is why this problem has never been
> "solved" -- every time we look at it we get discouraged, confused, and/or
> ideologically enraged.


Codesigning is a good countermeasure against some attackers. The bar you have
to jump over to get an Apple dev account and enroll for a codesigning cert is
significantly lower than the one described in #10002.

Have you spoken to Mozilla how they have obtained their code signing cert?

Cheers,
Ralf


Re: [tor-dev] Apple App Store Redux

2013-11-17 Thread Georg Koppen
Erinn Clark:
> I am at this point in favor of signing OSX packages with their codesigning but

How is this supposed to work with Gitian?

Georg






Re: [tor-dev] Apple App Store Redux

2013-11-16 Thread Erinn Clark
* Griffin Boyce  [2013:11:10 20:30 -0500]: 
>   It's been a while since there's been a discussion on-list about
> getting the TBB into Apple's app store [1].  Interest hasn't really gone
> away in the intervening 13 months, so I just want to open up discussion
> about it.

Are there a lot of people interested in this? We hear complaints from OSX users
about the packages not being signed the OSX way, but if we've received bugs
about putting TBB into the app store, they have been so infrequent and long ago
that I don't remember them. I'm not disagreeing with your claim, I just wonder
where the interest is happening so I can read about it. :)
 
> Here are some possible solutions:
>   - Submit Apple agreements to Wendy for review and
> rejection/acceptance. The last mention of this was a year ago on #6540.
> Status?

I tried to get the licensing agreements earlier this year and they are, as far
as I can tell, not available until you actually sign up. If someone reading
this has put something in the app store (which may or may not be different from
the app store the iPhone uses? does anyone know?) please send us a copy of any
agreements you may have!

>   - Actively decide to continue without being blessed by Apple, but
> focusing instead on educating Mac users about their application security
> options.

I am at this point in favor of signing OSX packages with their codesigning but
in order to acquire a codesigning cert you have to jump through some hoops (and
there is the aforementioned issue of "who buys the certs? person or
organization?"; see also #10002) This is why this problem has never been
"solved" -- every time we look at it we get discouraged, confused, and/or
ideologically enraged.




Re: [tor-dev] Apple App Store Redux

2013-11-11 Thread Justin Findlay

On 11/11/2013 05:36 AM, Greg Troxel wrote:

   It seems Apple's terms are incompatible with copyleft, and that isn't
   likely to change.  Is there any copylefted code in TBB?  I would
   expect so, but I haven't enumerated it.   People who choose copyleft
   for their code do so for a reason, and Apple's terms are fundamentally
   inconsistent with those reasons - this isn't a matter of nits to be
   smoothed over.

   Is the agreement that a company would have to sign public?  There
   seems to be some notion that it is not.  I believe that charitable
   organizations and free software organizations should not enter into
   secret agreements, and that doing so would be a breach of their duty
   to act in the public interest.


I agree with everything that's been said here.  I don't trust Apple.  If 
all of these conditions are true, playing the game by their proprietary 
rules seems too severe a burden for this libre software very much in the 
public interest.  The people who desire to use TBB should already know 
this and will be prepared for the minor inconvenience of obtaining the 
app directly from torproject.



Justin


Re: [tor-dev] Apple App Store Redux

2013-11-11 Thread Greg Troxel
Griffin Boyce  writes:

> Here are the issues as I see them:
>   - Apple has traditionally been at odds with GPL-licensed stuff [3],
> though of late it seems to have relaxed a bit with dual-licensed
> material [2].
>   - If the TBB is added to the app store by Tor, it requires review of
> and agreement to Apple's terms and also agreeing not to reveal DRM
> sekrits [4].
>   - It requires time and energy to keep the app store listing maintained.

It's a little hard to tell what's really going on.  A few thoughts:

  It seems Apple's terms are incompatible with copyleft, and that isn't
  likely to change.  Is there any copylefted code in TBB?  I would
  expect so, but I haven't enumerated it.   People who choose copyleft
  for their code do so for a reason, and Apple's terms are fundamentally
  inconsistent with those reasons - this isn't a matter of nits to be
  smoothed over.

  Is the agreement that a company would have to sign public?  There
  seems to be some notion that it is not.  I believe that charitable
  organizations and free software organizations should not enter into
  secret agreements, and that doing so would be a breach of their duty
  to act in the public interest.
