control: retitle -1 better protection against downgrade attacks control: tags -1 - moreinfo control: tags -1 + upstream
Hi, as I see it, this is left unaddressed from this bug report, thus changing the bug title accordingly. On Mittwoch, 25. Juni 2014, intrigeri wrote: > When we've thought Tails incremental upgrades through, the best > defense we've found against downgrade attacks is to encode the version > information about a given target file (using the TUF specification > nomenclature [1] here) as part of what's strongly authenticated (in > this case, with OpenPGP), instead of trusting filenames in any way. > > That's what our upgrade-description files [2] are for. But even then, > against an adversary who controls the web space that hosts the > upgrade-description files, or who can break TLS, Indefinite freeze > attacks are still possible. The only way I've see to mitigate it is > short-lived signatures on meta-data. > > In the case of tor-launcher, it may be possible to drop the > indirection layer (upgrade-description files), and protect against > downgrade attacks simply by comparing the currently running version, > with the version information that is, I guess, present in the target > files, once they've been downloaded and authenticated. > > [I'm now realizing that the TUF spec has changed since last time I've > read it. And Tor Browser's upcoming self-upgrade super-power may be > a game changer.] > > [1] > https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt > [2] https://tails.boum.org/contribute/design/incremental_upgrades/ cheers, Holger
signature.asc
Description: This is a digitally signed message part.

