[Whonix-devel] #17216 [Applications/Tor Browser]: Make Tor Browser's updater work over Hidden Services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 6 11:42:59 CET 2019
#17216: Make Tor Browser's updater work over Hidden Services
-------------------------------------------------+-------------------------
Reporter: isis | Owner: tbb-
| team
Type: enhancement | Status:
| needs_information
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tor-hs, tbb-security, | Actual Points:
TorBrowserTeam201901, tbb-update |
Parent ID: | Points: medium
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by weasel):
Hi!
Replying to [comment:10 gk]:
> I'd like to test this out, first in the alpha series, sooner than later.
The idea would be to fetch the metadata file (update.xml) over .onion
which is a pretty small file (around 1000 bytes) but *not* the full
update. I am in particular concerned about TLS being the means of
authenticating the contents of that xml file and think we can do better
with an .onion responsible for that.
>
> weasel, ln5: do you feel the current .onion setup for aus1 is robust
enough for that test? Should we wait until we have v3 services available?
Or...?
We discussed this in Brussels a bit. It is our current consensus that the
onion service providing aus1.tpo is not suitable for this purpose.
The onion service is backed by onionbalance, which appears to be
unmaintained upstream and which does not support v3 onion services.
Furthermore, in order for us to be comfortable relying and depending on an
onion service for such an important purpose, we would want that
onionbalance itself could be run in a distributed/redundant way such that
we would not have any SPoFs.
Once these issues are addressed, we can reconsider the issue. For now,
however, we recommend you not rely on the onion for updates.
Cheers,
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17216#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the Whonix-devel
mailing list