[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
h0ost
host at mailoo.org
Mon Aug 5 10:45:57 PDT 2013
> Mozilla posted the advisory on June 25th.
> https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a
> TBB update was provided 5 days later:
> https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
> - and uses a version of FF that the advisory says fixes the issue.
>
So what's the problem that Nadim Kobeissi is pointing to? The
vulnerability was patched by Mozilla, then subsequently incorporated in
the TBB.
If TBB is updated, and a user doesn't upgrade their TBB bundle, that's
the user's fault, not Tor.
No?
Yes, I think.
>
> The take home message of the day: keep your shit up to date.
Exactly. Nothing more, nothing less. It's like brushing one's teeth,
you learn that you have to do it for your own good, and then you just do it.
> The only question I have is -- is there anything more that can be
> done to warn users their stuff is out of date? We're already visited
> with a warning that our browser or other tor-related software is out
> of date upon launching it. Do we need scrolling text? blinky lights?
> Should it be disabled once it is out of date? Maybe that can be an
> option set by default. Thoughts?
I don't think so. TBB already warns when there is an updated version of
the TBB, so I really think it's a culture change on part of people who
don't upgrade immediately. Hard thing to fight against, but maybe such
events will make people more cautious in this way.