Author: sajolida Date: To: Kathleen Brade, mcs, The Tails public development discussion list Subject: Re: [Tails-dev] Tails ISO verification extension for Firefox
Kathleen Brade: > On 4/19/15 1:44 PM, sajolida wrote:
>> ...
>> The more precise question that I would like to consult you about is
>> regarding the threats that could arise **from inside the browser** and
>> that could corrupt the verification mechanism or fool the user.
>
> Mark and I do not have a lot of expertise in threat modeling even though
> we maintain the Tor Browser updater implementation.
>
> So far, the browser updater is based on the Firefox model for secure
> updates, with one addition: starting in Tor Browser 4.5, we require on
> all platforms that the MAR files that contain file update data have
> digital signatures. Mozilla currently only requires signatures on the
> Windows platform, although they are actively working to require them on
> all platforms. We also pin the torproject.org certificates inside Tor
> Browser to guard against spoofing of the update meta information, which
> is downloaded via https.
>
> Future plans for the Tor Browser updater include consulting the Tor
> consensus to verify updates; see
> https://trac.torproject.org/projects/tor/ticket/10393 >
> Regarding your planned architecture, it is important to remember that
> other extensions running inside Firefox have the capability to override
> functionality throughout the browser and in other add-ons such as your
> ISO verification extension.
So we should consider other extensions as possible attackers with the
capacity of doing basically anything, right? Thankfully, extensions are
verified by the Firefox crew and will soon by cryptographically signed.
> On the other hand, absent a bug in Firefox
> or Tor Browser, other web pages should not be able to interfere.
