[prev in list] [next in list] [prev in thread] [next in thread]
List: whonix-devel
Subject: Re: [Whonix-devel] #17216 [Applications/Tor Browser]: Make Tor Browser's updater work over Hidden Se
From: "Tor Bug Tracker & Wiki" <blackhole () torproject ! org>
Date: 2019-02-06 10:42:59
Message-ID: 059.fe8ad875ac3007bc05e0c8d2cb7fcb15 () torproject ! org
[Download RAW message or body]
--===============9145817644208304740==
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
#17216: Make Tor Browser's updater work over Hidden Services
-------------------------------------------------+-------------------------
Reporter: isis | Owner: tbb-
| team
Type: enhancement | Status:
| needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tor-hs, tbb-security, | Actual Points:
TorBrowserTeam201901, tbb-update |
Parent ID: | Points: medium
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by weasel):
Hi!
Replying to [comment:10 gk]:
> I'd like to test this out, first in the alpha series, sooner than later.
The idea would be to fetch the metadata file (update.xml) over .onion
which is a pretty small file (around 1000 bytes) but *not* the full
update. I am in particular concerned about TLS being the means of
authenticating the contents of that xml file and think we can do better
with an .onion responsible for that.
>
> weasel, ln5: do you feel the current .onion setup for aus1 is robust
enough for that test? Should we wait until we have v3 services available?
Or...?
We discussed this in Brussels a bit. It is our current consensus that the
onion service providing aus1.tpo is not suitable for this purpose.
The onion service is backed by onionbalance, which appears to be
unmaintained upstream and which does not support v3 onion services.
Furthermore, in order for us to be comfortable relying and depending on an
onion service for such an important purpose, we would want that
onionbalance itself could be run in a distributed/redundant way such that
we would not have any SPoFs.
Once these issues are addressed, we can reconsider the issue. For now,
however, we recommend you not rely on the onion for updates.
Cheers,
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17216#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
--===============9145817644208304740==--
[Attachment #3 (text/plain)]
_______________________________________________
You are receiving this e-mail because you subscribed Whonix-devel mailing list. To \
unsubscribe visit https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel or \
mail "unsubscribe" to Whonix-devel-unsubscribe@whonix.org.
Sie erhalten diese E-Mail, weil Sie die Whonix-devel Mailingliste aboniert haben. Zum \
abbestellen besuchen Sie https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel \
oder mailen Sie "unsubscribe" an Whonix-devel-unsubscribe@whonix.org.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic