Tor Browser 5.5.1 seems to auto-update without even asking

Discussion in 'privacy technology' started by Palancar, Feb 5, 2016.

  1. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I had this happen to me while surfing for a few hours. I used about half a dozen TBBs (mission specific) for attending various websites, such as here. When I closed the TBBs and came back I found they had all updated to 5.5.1 during their individual online session. I did NOTHING manually to select the update. Hmmmmm?

    This has never happened before. I have been studying the update feature for a while now. It's convenient, but I am still assessing the safety of the same. It appears pretty solid, but I am still testing.


    Has this same AUTO update thing happened to you as well? I have changed no settings, and prior to 5.5.1 I had to manually select the update for it to come down.

    I would have thought a software change sending an update automatically would be mentioned in the release notes!!



    developers: don't get me wrong, this is convenient as can be and it will keep "idiots" from running out-of-date browsers. I just want to be pretty certain it's safe and doesn't present MITM concerns for users.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, TBB is now auto-updating by default.

    But hey, remember the Freedom Hosting exploit?
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wait, it does it silently in the background? I remember having to opt-in for the update after an automatic notification.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, I don't recall opting in for automatic updates. But I've set Security Level to High. Maybe automatic updates are part of settings above Low (default). Also, I'm on Whonix 12 now. Maybe Whonix devs have customized the default. I doubt that a download/install script could do that, however.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    Yes it auto updated for me too. There was a brief notification above systray - only for a few seconds - and after restart it was updated. I use default install without tweaking it so it seems that this is by default now.
     
  6. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    I too appreciate the notification message. But the auto updating, not so much.

    For the new users with a lesser experience level:
    Open the Tor Browser GUI -> Open Menu -> Options -> Advanced -> Update -> Tor Browser updates:
    Automatically install updates is now the default installed choice in question.
     
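    The about:config equivalent of the Options path 1PW describes, as an added example (not from this thread and not a file the Tor Project ships): a user.js fragment in Firefox's own preference syntax, with the auto-install default beside the manual setting. The pref names (app.update.enabled, app.update.auto) are the standard Firefox ones from the ESR base Tor Browser 5.5 is built on; confirm them in about:config for your release before relying on them.

```js
// user.js fragment, Firefox/Tor Browser preference syntax. Added example, not Tor Project code.
// Pref names are assumed from the Firefox ESR base; check them in about:config.

// Default as described in this thread (Tor Browser 5.5.x): updates are checked,
// downloaded and installed without asking.
//   user_pref("app.update.enabled", true);
//   user_pref("app.update.auto", true);

// Manual: keep the update check and the notification, but download and install
// only on request ("Check for updates, but let me choose whether to install them").
user_pref("app.update.enabled", true);
user_pref("app.update.auto", false);

// Old school: no in-browser updater at all; you fetch the bundle and verify the
// GPG signature yourself.  Note that this also silences the "you are out of date"
// notification, so you must track releases some other way.
// user_pref("app.update.enabled", false);
```

    Tor Browser re-reads user.js at every start and copies its values over prefs.js, so put the fragment in the profile directory of each bundle you want to control, not just one of them.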
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    Thanks 1PW. I also prefer to have control over installations on my system.
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    So guys, let's discuss your feelings about the online update vs. downloading an entire fresh TBB and then doing a GPG sig validation of the bundle. You can change your "auto" preference, but the next question applies to the update outside of your decision on auto vs. manual.

    Obviously if your life was on the line you would do the entire bundle and GPG validate the sig, but in total candor it's a pain in the A** compared to auto updating. The update process appears pretty solid with several verifies along the route. I have decided to allow and accept auto update for all but my most sensitive VMs. Curious if you guys are getting used to the online updates and IF you have converted from a total bundle download for each upgrade? o_O
     
  9. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    701
    Location:
    North of the 38th parallel.
    I believe the needs of the user whose life, and the lives of their families etc. depend on the integrity of the Tor Browser. (Yes - I am fully aware of Tails too). I will always defer to those who choose to validate to the extent of their abilities.

    Quite randomly I will manually download the release and then validate to the maximum until I am convinced of the download's integrity. At other times, and on other systems, I solicit the manual update just to check its viability. In the Tor Browser Release topic, here in Wilders, I will continue to publish the raw/unsupported VirusTotal.com assessment + SHA-256 hashes if only to give others one more point of view. Hopefully, our gracious hosts here will continue to humor my posts and the format I have chosen.

    If you are perfectly comfortable with the auto update process, then okay. If you demand every assurance and guarantee that advanced technologies could provide, that too should be supported in the fullest.

    Cheers.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I wonder if Tor browser checks signatures after downloading. I don't see why it couldn't. Packages in Debian etc are signed after all, and apt warns when signatures can't be verified because keys are missing. I'll ask on tor-talk.
     
  11. JDawg

    JDawg Registered Member

    Joined:
    Aug 25, 2015
    Posts:
    17
    Same thing happened to me. I was like W*F. I prefer to choose if I can update.
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592

    Please let us know, and if possible maybe you could PASTE in their response --- > "seeing is believing".
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I asked:
    Georg Koppen <gk@torproject.org> replied:
    I then asked:
    I don't have a reply yet.

    Edit: Cain Ungothep <ungocain@yandex.com> replied:
     
    Last edited: Feb 12, 2016
  14. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    That is interesting wording on the response. Absent GPG I question how they know if the signature is wrong (MITM attack example)! It does appear to be a solid process but the validation process is out of my reach until I do some more studying of the steps.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Yes, Tor Project is defaulting to the Firefox update process. It makes sense, I suppose. Or at least, it's simple. However, some of the language in the MAR documentation is ambiguous. It seems like some signatures can fail as long as most, or the most crucial ones, pass.

    I'm tempted to use about:config flags to make updating manual. Old school. Download the latest archive, check GPG signature, and install if OK.
     
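    The "old school" route in the last two posts (download the archive, check the GPG signature, install if OK) has one step people get wrong, and it is the step that answers Palancar's MITM question: `gpg --verify` exiting 0 only means the signature verifies under *some* key in your keyring. If an attacker in the middle of your key download handed you their key, their signature on a tampered bundle verifies just as cleanly. The added example below (my code, not the Tor Project's updater or anything posted in this thread) parses GnuPG's machine-readable `--status-fd` output and accepts the bundle only when a VALIDSIG line carries the fingerprint you obtained out of band. The status lines are constructed from the format in GnuPG's doc/DETAILS, not captured from a real run; the subkey and attacker fingerprints are made up; the expected fingerprint is the published Tor Browser Developers key of the time, which you should confirm against torproject.org yourself.

```python
"""Verify a manually downloaded bundle against a pinned signing-key fingerprint.

Added example, not Tor Project code.  Assumes GnuPG 2.x driven with
--status-fd, and uses only the VALIDSIG/BADSIG/ERRSIG/... keywords documented
in GnuPG's doc/DETAILS.
"""
import subprocess
from dataclasses import dataclass

# Fingerprint of the key you expect to have signed the bundle.  Obtain it out
# of band and confirm it against torproject.org before relying on it.  The value
# here is the Tor Browser Developers signing key as published in 2016.
EXPECTED_FPR = "EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290"

# Any of these status keywords means the signature must not be trusted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY",
                   "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


@dataclass
class SigResult:
    ok: bool
    reason: str
    fingerprint: str = ""   # primary-key fingerprint gpg reported, if any


def normalize_fpr(fpr):
    """Strip the display spacing people paste in and compare case-insensitively."""
    return fpr.replace(" ", "").upper()


def evaluate_status(status_lines, expected_fpr):
    """Decide from gpg --status-fd lines whether the bundle is trustworthy.

    ok is True only when no reject keyword appeared AND some VALIDSIG line
    names the expected key.  A signature that verifies under a different key
    is rejected; that is the MITM case a bare `gpg --verify && echo ok` misses.
    """
    expected = normalize_fpr(expected_fpr)
    rejected = []
    valid = []          # (signing-key fpr, primary-key fpr) per VALIDSIG line
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            rejected.append(keyword)
        elif keyword == "VALIDSIG" and len(fields) >= 3:
            # VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <reserved>
            #          <pk-algo> <hash-algo> <class> [<primary-key-fpr>]
            # Bundles are signed by a subkey, so the primary fingerprint (last
            # field, when present) is the one that matches the published value.
            signing = normalize_fpr(fields[2])
            primary = normalize_fpr(fields[11]) if len(fields) >= 12 else signing
            valid.append((signing, primary))
    if rejected:
        return SigResult(False, "gpg reported " + ", ".join(rejected))
    for signing, primary in valid:
        if expected in (signing, primary):
            return SigResult(True, "valid signature from the expected key", primary)
    if valid:
        return SigResult(False, "signature verifies, but under an unexpected key: "
                         + ", ".join(p for _, p in valid), valid[0][1])
    return SigResult(False, "no VALIDSIG line: nothing was verified")


def verify_bundle(bundle_path, sig_path, expected_fpr=EXPECTED_FPR, keyring=None):
    """Run gpg on the downloaded bundle and its detached .asc, then judge the result.

    Pass a dedicated keyring holding only the key you fetched and checked, so a
    key that merely happens to be in your default keyring cannot vouch for it.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify"]
    if keyring:
        cmd[1:1] = ["--no-default-keyring", "--keyring", keyring]
    cmd += [sig_path, bundle_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return evaluate_status(proc.stdout.splitlines(), expected_fpr)


# Constructed sample status output (format from GnuPG doc/DETAILS, not a real
# capture).  The subkey and attacker fingerprints below are made up.
_SUBKEY = "BA1E8DB2E5A0E3A2A0C7F9F3D6B4C2A1E0F1D2C3"
_ATTACKER = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG D6B4C2A1E0F1D2C3 Tor Browser Developers (signing key) <torbrowser@torproject.org>",
    f"[GNUPG:] VALIDSIG {_SUBKEY} 2016-02-05 1454630400 0 4 0 1 10 00 {normalize_fpr(EXPECTED_FPR)}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_WRONG_KEY = [   # a clean signature, but from a key an attacker supplied
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <nobody@example.invalid>",
    f"[GNUPG:] VALIDSIG {_ATTACKER} 2016-02-05 1454630400 0 4 0 1 10 00 {_ATTACKER}",
]
SAMPLE_BADSIG = [      # tampered bundle: the signature does not verify at all
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG D6B4C2A1E0F1D2C3 Tor Browser Developers (signing key) <torbrowser@torproject.org>",
]

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("wrong key", SAMPLE_WRONG_KEY),
                         ("bad sig", SAMPLE_BADSIG)):
        r = evaluate_status(sample, EXPECTED_FPR)
        print(f"{name:10s} ok={r.ok}  {r.reason}")
```

    For a real bundle, `verify_bundle("tor-browser.tar.xz", "tor-browser.tar.xz.asc", keyring="/path/to/torbrowser-only.gpg")` is the call; the middle case in the samples is the one worth remembering, because gpg's own exit code and its "Good signature" text both look fine there.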
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    Old school is sure-fire, but it's much tougher than using the "updater", especially when you are running numerous bundles.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    True.
     