Date: Thu, 19 Feb 2015 14:34:28 -0800
From: Mike Perry <mikeperry@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150219223428.GG4708@torproject.org>
Subject: Re: [tor-talk] Tor Browser Bundle with Chromium


Seth David Schoen:
> Luis writes:
>
> > What are the reasons that make building a Tor Browser using Chromium
> > not such a good idea? I recall reading somewhere that while making a Tor
> > Browser with a Chromium base would have its benefits due to Chromium's
> > superior security model (i.e. sandboxing), there are "serious privacy
> > issues" that would have to be solved to make that possible.
> > My question is what are those issues? What is preventing someone from
> > digging out all the Google integration and possible privacy-endangering
> > features and making a Tor Browser Bundle out of it?
>
> https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
>
> I think that list is kept relatively up-to-date.

You might also like:
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study#chrome

In particular, this paragraph is relevant to the recent Superfish MITM
(see http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/):

"The worst offender on this front is the use of the Microsoft Windows
CryptoAPI for certificate validation, without any alternative. This bug
means that certificate revocation checking and intermediate certificate
retrieval happen outside of the browser's proxy settings, and is subject
to alteration by the OEM and/or the enterprise administrator. Worse,
beyond the Tor proxy issues, the use of this OS certificate validation
API means that the OEM and enterprise also have a simple entry point for
installing their own root certificates to enable transparent HTTPS
man-in-the-middle, with full browser validation and no user consent or
awareness."

In fact, I tried to argue with Ryan Sleevi and Adam Langley about the
dangers of using CryptoAPI in this way, but I got crickets in response.
I believe that supporting such MITMs is a deliberate policy from Google
corporate that they cannot change. Adam went so far as to tell me that I
should just fork Chromium, because they would not even consider merging
an alternate browser-only cert store, even as a user option.

However, since our ultimate goal with any browser fork is to re-merge
with upstream so we don't have to maintain invasive patches like this, a
corporate-level blocker on basic security patches is a non-starter for
any project involving Chrome.



P.S. How I miss the days when the outlandish doomsday scenarios that I
imagined were still merely hypothetical. It seems every week a new
nightmare comes true. (Man, I sure hope I'm wrong about the likelihood
of wide-scale software build system attacks. I kind of like having
computers).



--
Mike Perry


