[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Jacob Appelbaum jacob at appelbaum.net
Tue Aug 6 06:49:01 PDT 2013 

Nadim Kobeissi:
> On 2013-08-06, at 1:23 PM, Jacob Appelbaum <jacob at appelbaum.net>
> wrote:
> 
>> Nadim Kobeissi:
>>> 
>>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum
>>> <jacob at appelbaum.net> wrote:
>>> 
>>>> Nadim Kobeissi:
>>>>> 
>>>>> On 2013-08-06, at 11:46 AM, Al Billings
>>>>> <albill at openbuddha.com> wrote:
>>>>> 
>>>>>> Nadim you seem confused by how this works. Tor doesn't need
>>>>>> to issue advisories for Firefox issues. We, at Mozilla,
>>>>>> already issue them. Perhaps they can link to them clearly
>>>>>> but if you want to know about security issues Mozilla fixes
>>>>>> in Firefox, you're best served by reading Mozilla
>>>>>> advisories. There's not much point in duplicating them on a
>>>>>> second site. Tor would be better served by writing
>>>>>> advisories for its own, unique, security fixes.
>>>>> 
>>>>> Tor doesn't need to issue advisories for Firefox issues. Tor 
>>>>> needs to issue advisories for Tor Browser issues, and not
>>>>> five weeks later when s**t hits the fan. I really don't think
>>>>> one can reasonably disagree with the above statement. Tor
>>>>> Browser is a Firefox fork.
>>>> 
>>>> Should we issue a single advisory for each possible security
>>>> issue that Firefox has already noted in their change log? Each
>>>> confirmed security issue? Should we ask for a second CVE to
>>>> cover each CVE they receive?
>>> 
>>> What's the alternative, Jake?
>> 
>> That was a list of choices and you didn't choose one. Please choose
>> one or more - though not all of them make sense when put together.
>> It was a question and well, your answer isn't much of an answer.
> 
> Yes, to be absolutely clear, I think Tor should issue advisories for
> confirmed security issues in Tor Browser, since Tor Browser is a fork
> of Firefox and is independently maintained. This is exactly what Tor
> did this time, except next time you shouldn't wait five weeks for the
> situation to explode.
> 

This is where the confusion comes into play, I think. Please note the
advisory we released this week:


https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

We specifically address the one thing we *know* that is being exploited
and we note that there are other issues, though we don't go into depth
as upgrading is the only path forward.

Now note the Mozilla security issues for the Firefox ESR releases:

  https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

You're on the one hand saying that we did the right thing and on the
other, you're saying that we should issue an advisory for *confirmed*
security issues. Mozilla confirmed a handful. Doesn't that imply that
our advisory should have covered every thing Firefox fixed between
versions? And if so, should we note everything, even if it doesn't
*appear* to be a security issue? Just in case?

Now on the one hand, you're saying we waited five weeks - when in fact
we didn't, we released an advisory within a day of discovering that TBB
was being targeted, which is different from Firefox generally I might
add. We did also note with the release of 3.0alpha2 that it included
security and stability fixes as we often do when we bump Firefox.

So clearly between "hey, upgrade" and "exploit discovered" there is a
middle ground. I'm confused by the middle ground you have chosen. It
doesn't seem that we should wait until exploits are in the wild to note
the security features of new releases (which we didn't, but we didn't
issue an advisory for every Firefox issue), and yet, if an exploit is
discovered, we should post an advisory that specifically addresses what
we know about it, no?

>> 
>>> Wait until the NSA exploits an innumerable amount of Tor users
>>> and then quickly write an advisory for a bug that was quietly
>>> fixed without a warning from Tor five weeks but still exploited?
>> 
>> This is not accurate. We heard about attempts at exploitation and
>> within ~24hrs we released an advisory - we had already released
>> fixed code a ~month before exploitation was found in the wild.
>> Please do not mix up the time-line. To restate:
>> 
>> 
>> 2.3.25-10 (released June 26 2013) 2.4.15-alpha-1 (released June 26
>> 2013) 2.4.15-beta-1 (released July 8 2013) 3.0alpha2 (released June
>> 30 2013)
>> 
>> 
>> The exploit was found in the wild on last weekend, I learned about
>> it on or around August 4th. Please note that our patched versions
>> were released nearly a month before this was found in the wild.
>> There is no reason to support the conclusion that we "silently"
>> fixed anything in response to an exploit. Please consider that your
>> statement is entirely unsupported by evidence, Nadim.
> 
> I could be mistaken. Where's the advisory that was issued the day
> after, that mentions that a critical Tor Browser vulnerability was
> fixed?
> 

Once we triaged the bug with Mozilla - both Tor and Mozilla posted updates:


https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/


https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable

We even posted a blog before we had all the details:


https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

We also noted on June 30th that 3.0alpha2 included Firefox security
fixes. This wasn't an advisory, it was a release note.

>> 
>>> Because that is exactly what happened this time. Tor can just go
>>> on doing this again and again, or yes, you could issue
>>> advisories. You are maintaining your own browser called Tor
>>> Browser. Stop shifting blame onto Firefox. You're the guy who 
>>> told me to never shift blame when you have a security
>>> vulnerability in the software you yourself are shipping. Practice
>>> what you preach.
>>> 
>> 
>> Your assessment of this situation is incorrect.
>> 
>> We regularly release updates that include updates to included code
>> and often, we make note of the fact that the upstream code has
>> security fixes included. There is no blame shifting, only a
>> question of how to best share that information in a way that users
>> will understand. I have asked repeatedly for examples and for
>> details of how to improve things - you seem only interested in
>> slinging mud. Perhaps this isn't the most useful way forward?
> 
> How am I only interested in slinging mud?! How are you even allowed
> to adopt a tone like this while doing your job as an advocate for
> Tor? I'm simply trying to advocate for Tor not waiting five weeks
> before releasing an advisory next time! Comments like this are really
> just not acceptable, Jake.
> 

We didn't wait five weeks, we had an advisory out for the exploitation
issue within a single day. And if you find the latest security advisory
to be OK, I wonder then what you think about the other Mozilla security
issues involved in the update? Shouldn't each one, by your line of
argument, get their own advisory email and blog post?

Rather than making this personal and talking about what my job is about,
I'd appreciate it if you could focus on the discussion topic at hand. If
you have specific improvements to the process, we're open to hearing
them and please do feel free to cite your process, your example or
another project that does it to your liking. That doesn't mean that
we'll adopt it, it just means that we're open to listening, even if
there is high tension between some of the people involved.

Thanks again for helping to improve Tor Browser!

All the best,
Jacob

More information about the liberationtech mailing list