#32498: Consider updating MAR_CHANNEL_ID for nightly build (and maybe alpha too)
-------------------------------------------------+-------------------------
 Reporter:  boklm                                |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-rbm, boklm201911, tbb-update,    |  Actual Points:
  TorBrowserTeam201911                           |
Parent ID:  #18867                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by boklm):

 Replying to [comment:1 mcs]:
 > Using different MAR channel IDs would prevent the updater from accepting a mar file from a different channel (probably better from a security point of view). If I remember correctly, doing so would also prevent use of MAR tools such as `signmar` across releases. That would probably be OK, but might lead to some confusion for developers.

 Preventing an attacker from being able to switch stable users to alpha seems useful. Although that does not seem to be a major threat, so it is probably not urgent to do it.

 Looking at `modules/libmar/tool/mar.c`, I see that some of the commands have a `-H MARChannelID` option (for example the one to create a MAR file), but it seems the signing one does not have that option. We normally use the martools from the corresponding version when generating mar and incremental mars, so this should not be an issue.

 >
 > If we do switch the MAR channel in our alpha series we need to think about how to make the transition. I believe that such a transition will require a "watershed" update, but I have not spent a lot of time thinking about it.

 As there is no urgency to do the switch, maybe we could have an `ACCEPTED_MAR_CHANNEL_IDS` containing both channels for something like 9 months, before doing the switch without a watershed update (or taking advantage of the watershed update to the next ESR if one is needed). This would break update for alpha users who did not update in a few months, but maybe there are not so many users of 9-month-old alpha versions.

 For the nightly, switching channels is already prevented by using different signing keys, but since there is no transition needed, maybe we can use a separate channel ID from the beginning.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32498#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
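
The transition discussed in the comment above, modelled as an added example that is not code from the ticket or from Tor Browser: it reads the channel ID from a MAR file's product information block and compares it with each build's `ACCEPTED_MAR_CHANNEL_IDS`. The channel IDs, the version string and the unsigned, content-free MAR header are constructed placeholders, and `updater_accepts` models only the channel comparison, with signature verification left out.

```python
import struct

PRODUCT_INFO_BLOCK_ID = 1  # additional-block ID of the product information block
RELEASE, ALPHA = "example-release", "example-alpha"  # constructed channel IDs

def build_header(channel, version):
    """Constructed, unsigned MAR header: no signatures, no file contents."""
    data = channel.encode() + b"\0" + version.encode() + b"\0"
    block = struct.pack(">II", 8 + len(data), PRODUCT_INFO_BLOCK_ID) + data
    body = struct.pack(">II", 0, 1) + block  # 0 signatures, 1 additional block
    size = 16 + len(body)
    return b"MAR1" + struct.pack(">IQ", size, size) + body

def read_channel(mar):
    """Return the channel ID stored in the product information block."""
    if mar[:4] != b"MAR1":
        raise ValueError("not a MAR file")
    # magic (4) + offset to index (4) + file size (8) precede the signature count
    (num_sigs,) = struct.unpack_from(">I", mar, 16)
    pos = 20
    for _ in range(num_sigs):  # skip algorithm ID, length, signature bytes
        _alg, sig_len = struct.unpack_from(">II", mar, pos)
        pos += 8 + sig_len
    (num_blocks,) = struct.unpack_from(">I", mar, pos)
    pos += 4
    for _ in range(num_blocks):
        size, block_id = struct.unpack_from(">II", mar, pos)
        if size < 8 or pos + size > len(mar):
            raise ValueError("bad additional block size")
        if block_id == PRODUCT_INFO_BLOCK_ID:
            channel, nul, _rest = mar[pos + 8:pos + size].partition(b"\0")
            if not nul:
                raise ValueError("unterminated channel ID")
            return channel.decode("ascii")
        pos += size
    raise ValueError("no product information block")

def updater_accepts(mar, accepted_ids):
    """Model of the check: the MAR's channel must be in the comma-separated list."""
    return read_channel(mar) in [c.strip() for c in accepted_ids.split(",")]

CLIENTS = {  # ACCEPTED_MAR_CHANNEL_IDS per installed build during the transition
    "stable": RELEASE,
    "alpha, older than the transition": RELEASE,
    "alpha, transition build": RELEASE + "," + ALPHA,
}

def who_accepts(mar):
    return {name: updater_accepts(mar, ids) for name, ids in CLIENTS.items()}
```

Calling `who_accepts(build_header(ALPHA, "1.0"))` shows the trade-off in the comment: stable installs reject the alpha-channel MAR, and so do alpha installs that never picked up a build listing both channels.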