On 4/19/15 1:44 PM, sajolida wrote:
> ...
> The more precise question that I would like to consult you about is
> regarding the threats that could arise **from inside the browser** and
> that could corrupt the verification mechanism or fool the user.
Mark and I do not have a lot of expertise in threat modeling even though
we maintain the Tor Browser updater implementation.
So far, the browser updater is based on the Firefox model for secure
updates, with one addition: starting in Tor Browser 4.5, we require on
all platforms that the MAR files that contain file update data have
digital signatures. Mozilla currently only requires signatures on the
Windows platform, although they are actively working to require them on
all platforms. We also pin the torproject.org certificates inside Tor
Browser to guard against spoofing of the update meta information, which
is downloaded via https.
Future plans for the Tor Browser updater include consulting the Tor
consensus to verify updates; see
https://trac.torproject.org/projects/tor/ticket/10393
Regarding your planned architecture, it is important to remember that
other extensions running inside Firefox have the capability to override
functionality throughout the browser and in other add-ons such as your
ISO verification extension. On the other hand, absent a bug in Firefox
or Tor Browser, other web pages should not be able to interfere.
-- Kathy Brade
-- Pearl Crescent, LLC
