[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Jacob Appelbaum jacob at appelbaum.net
Tue Aug 6 03:41:06 PDT 2013


Asa Rossoff:
> Jacob Appelbaum:
>> Nadim Kobeissi:
>>>
>>> On 2013-08-06, at 11:46 AM, Al Billings <albill at openbuddha.com>
>>> wrote:
>>>
>>>> Nadim you seem confused by how this works. Tor doesn't need to
>>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>>> them. Perhaps they can link to them clearly but if you want to know
>>>> about security issues Mozilla fixes in Firefox, you're best served
>>>> by reading Mozilla advisories. There's not much point in
>>>> duplicating them on a second site. Tor would be better served by
>>>> writing advisories for its own, unique, security fixes.
>>>
>>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
>>> issue advisories for Tor Browser issues, and not five weeks later
>>> when s**t hits the fan. I really don't think one can reasonably
>>> disagree with the above statement. Tor Browser is a Firefox fork.
>>
>> Should we issue a single advisory for each possible security issue that
>> Firefox has already noted in their change log? Each confirmed security
>> issue? Should we ask for a second CVE to cover each CVE they receive?
>>
>> Your point is unclear in practice. Please do spell it out and if
>> possible, please demonstrate how you do so in your own projects?
> 
> Just a couple friendly concepts.
> Your message wasn't addressed to me.  By the way, it didn't occur to me to
> blame the Tor Project.

Thanks for your response!

> 
> I don't know about every average Josphine, Josue, and Tsu, Anu, etc. on the
> streets of the world, but it is obvious to me from my user standpoint that
> the TBB is a patched version of Firefox (admittedly, one has to dig a bit to
> determine which version of the underlying Firefox it is based on, which I
> wouldn't expect the average user to do or know.).  The average user of
> neither software likely doesn't see or read security advisories, although I
> think they happily allow the latest versions of Firefox to automatically
> update themselves.
> 

Understood.

> 
> TBB users are at special risk of being targeted for spying (according to
> recent news reports), hacking/exploits (as is the case in this instance),
> and this may be increasingly true in the future.
> 

Probably, yes. I think that is a fair assessment - though it applies to
anyone who uses privacy, security and anonymity software, I think.

> Oops. I'm a slow typist (just getting up):
> 
> From Jacob Appelbaum's next mail to a mail:
>> I tend to like the Tails way of doing things - I have advocated for a
>> little more linkage to security advisories. Still, I think it is not as
>> critical as a secure updater or packaging TBB for various packaging
>> systems. We're understaffed, so we tend to pick the few things we might
>> accomplish and writing such advisory emails is weird unless there is an
>> exceptional event. Firefox bugs and corresponding updates are not
>> exceptional events. :(
>>
>> Also, I'll note even Tails doesn't reference sub-modules of the specific
>> projects - they are just linking to DSA and related pages.
> 
> The point I was getting to is that several parallel strategies come to
> mind:
> (1) It would not be a bad idea to post applicable Firefox-issued security
> advisories to one of your lists

Part of the issue - from my perspective - is that 'applicable' is a bit
nebulous. Nearly every bug *might* turn into an anonymity destroying bug
with some engineering effort.

> (2) Even have an RSS feed of them available through the TBB, as well as RSS
> of TBB releases, and what security issues are covered including one advised
> by Firefox.  This could notify of stable, alpha and beta releases, so
> everyone knows when security updates are available, possibly at the cost of
> stability.

I like this idea - though I wonder how users would feel about it? Will
they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
data?

> (3) When you get an update mechanism going, for stability reasons, you
> probably want it to automatically only update to stable or beta releases[?].

I tend to prefer 'secure' update over 'automatic' update.

> However, you could have a parallel release schedule to get these upstream
> patches out ASAP.   I realize labor is involved here; but if at all
> possible, updating your last stable patch to work with the latest Firefox
> release ASAP and releasing it as a stable/beta while continuing development
> on a more major/feature-related update that will start as an alpha release
> when ready. (possibly backporting some TBB-only-security fixes only to your
> last patch when it makes sense).

Sure, that seems reasonable.

> 
> Obviously, this is free software, and you must work within the constraints of
> your resources.  The frequent security updates would have the most tangible
> benefit for most users, but it would be a decent user service to notify of
> security issues that apply/could apply to the TBB as well.
> 

I think there is a balance here and I think adding more specific data to
release notes is a reasonable improvement. I also think an RSS feed is a
really good idea, thanks for that! I'll pass it on to those more
involved with TBB releases these days and see what they think.

> Thanks for your invaluable work.
> 

Thanks for your positive feedback!

All the best,
Jacob
