Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
G
gettor
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 45
    • Issues 45
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 3
    • Merge Requests 3
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Members
    • Members
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

  • The Tor Project
    • A
      Anti-censorship
  • GetTor Project
  • gettor
  • Issues
  • #73

Closed
Open
Opened Oct 23, 2020 by Philipp Winter@phwMaintainer

Consider attaching Tor Browser signing key to response emails

It turns out that censored users are unlikely to be able to fetch our Tor Browser signing key: tpo/applications/tor-browser#40195 (closed)

One way to fix this issue is to attach the signing key to GetTor's email autoresponse. That's easy for us and convenient for the user. The downside is that users have to place more trust in GetTor's autoresponse. So far, if Alice receives a spoofed GetTor response and downloads a malicious Tor Browser, she can still detect this attack by getting her signing key from an independent source. If GetTor's response email provides both Tor Browser links and the signing key, Alice would fall for the attack.

Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: tpo/anti-censorship/gettor-project/gettor#73