[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Asa Rossoff asa at lovetour.info
Tue Aug 6 03:33:14 PDT 2013


Jacob Appelbaum:
> Nadim Kobeissi:
>> 
>> On 2013-08-06, at 11:46 AM, Al Billings <albill at openbuddha.com>
>> wrote:
>> 
>>> Nadim you seem confused by how this works. Tor doesn't need to
>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>> them. Perhaps they can link to them clearly but if you want to know
>>> about security issues Mozilla fixes in Firefox, you're best served
>>> by reading Mozilla advisories. There's not much point in
>>> duplicating them on a second site. Tor would be better served by
>>> writing advisories for its own, unique, security fixes.
>> 
>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
>> issue advisories for Tor Browser issues, and not five weeks later
>> when s**t hits the fan. I really don't think one can reasonably
>> disagree with the above statement. Tor Browser is a Firefox fork.
>
> Should we issue a single advisory for each possible security issue that
> Firefox has already noted in their change log? Each confirmed security
> issue? Should we ask for a second CVE to cover each CVE they receive?
>
> Your point is unclear in practice. Please do spell it out and if
> possible, please demonstrate how you do so in your own projects?

Just a couple of friendly concepts.
Your message wasn't addressed to me.  By the way, it didn't occur to me to
blame the Tor Project.

I don't know about every average Josephine, Josue, and Tsu, Anu, etc. on the
streets of the world, but it is obvious to me from my user standpoint that
the TBB is a patched version of Firefox (admittedly, one has to dig a bit to
determine which version of the underlying Firefox it is based on, which I
wouldn't expect the average user to do or know).  The average user of
either software likely doesn't see or read security advisories, although I
think they happily allow the latest versions of Firefox to automatically
update themselves.


TBB users are at special risk of being targeted for spying (according to
recent news reports), hacking/exploits (as is the case in this instance),
and this may be increasingly true in the future.

Oops. I'm a slow typist (just getting up):

From Jacob Appelbaum's next mail to a mail:
> I tend to like the Tails way of doing things - I have advocated for a
> little more linkage to security advisories. Still, I think it is not as
> critical as a secure updater or packaging TBB for various packaging
> systems. We're understaffed, so we tend to pick the few things we might
> accomplish and writing such advisory emails is weird unless there is an
> exceptional event. Firefox bugs and corresponding updates are not
> exceptional events. :(
> 
> Also, I'll note even Tails doesn't reference sub-modules of the specific
> projects - they are just linking to DSA and related pages.

The point I was getting to is that several parallel strategies come to
mind:
(1) It would not be a bad idea to post applicable Firefox-issued security
advisories to one of your lists.
(2) Or even have an RSS feed of them available through the TBB, as well as an
RSS feed of TBB releases and what security issues are covered, including ones
advised by Firefox.  This could notify of stable, alpha and beta releases, so
everyone knows when security updates are available, possibly at the cost of
stability.
(3) When you get an update mechanism going, for stability reasons, you
probably want it to automatically update only to stable or beta releases[?].
However, you could have a parallel release schedule to get these upstream
patches out ASAP.   I realize labor is involved here; but if at all
possible, update your last stable patch to work with the latest Firefox
release ASAP and release it as stable/beta while continuing development
on a more major, feature-related update that will start as an alpha release
when ready (possibly backporting some TBB-only security fixes to your
last patch when it makes sense).

Obviously, this is free software, and you must work within the constraints of
your resources.  The frequent security updates would have the most tangible
benefit for most users, but it would be a decent user service to notify of
security issues that apply/could apply to the TBB as well.

Thanks for your invaluable work.

Asa
