"Tor Browser Downloader" cancels the download with an error message

Klamm · April 29, 2016, 8:18pm

Hello everyone,

Tor Browser Downloader (by Whonix developers) cancels the download. I have tried it in the last 5 days several times. It cancels the download at different levels of completions between 50% to 70% (~45 minutes) with the error message below. I have not recieved any error message during installation. I can use Tor browser from my host OS(Win10) and can download big files without any problem.

I can download it manually but I want to understand the reason because I experienced a trojan infection before in my other computers. This one is new with a new connection.

Thank you for your help

ERROR: Failed to download: https://dist.torproject.org/torbrowser/5.5.5/tor-browser-linux32-5.5.5_en-US.tar.xz
Possible reasons:

The download server is down.
File size exceeded (endless data attack triggered).
Tor Browser Downloader (by Whonix developers) has been broken due to upstream changes.
Recommendations:
Try again later. If the error persists it probably won’t solve itself before the next update.
Check News: https://www.whonix.org/wiki/Download#Stay_tuned
Manually update: https://www.whonix.org/wiki/Manually_Updating_Tor_Browser
(Debugging information: curl_status_message: [28] - [Operation timeout. The specified time-out period was reached according to the conditions.])

Ego · April 29, 2016, 8:23pm

Good day,

As is standard with the TBD, you may select different versions of the TBB for download. Did you try each of them? Sometimes only a limited amount of versions are downloadable at a given point in time.

Have a nice day,

Ego

Klamm · April 29, 2016, 9:26pm

Thank you for your answer.

The rest are alpha or hardened alpha versions. I tried them but I am not sure if I tried all of them. I will check it. But interesting thing is that it starts downloading and downlads 70% approximately and cancels it (with a speed under 1Kb/s). Why it starts downloading I don’t understand. I can browse the internet with Iceweasel in a normal speed.

entr0py · April 29, 2016, 10:46pm

Sounds like this (unsolved) thread: tor browser downloader install fail

I have not experienced this issue myself.

You weren’t infected by the trojan because you downloaded manually - you were infected because you presumably didn’t verify the gpg signature. There is no material difference between using Tor Browser Downloader and doing it yourself manually (other than convenience).

https://www.whonix.org/wiki/Manually_Downloading_Tor_Browser
https://www.torproject.org/docs/verifying-signatures.html.en

EDIT: Maybe I misunderstood last quote. Are you concerned that present symptoms might be the result of a current trojan infection? Only way to be reasonably certain is to re-install verified images…

Klamm · April 29, 2016, 11:11pm

The infections were in my previous computers. I was using Windows, flashdisks, etc. I was aware of nothing.

After this bad experience I read about the topic and bought a new laptop and a connection. I verified the Whonix images by gpg4win with different signature files downloaded from different Tor circuits. I downloded gpg4win using the certificate from https://ssl.intevation.de

May be I became paranoid but I had enough reasons. Before Whonix I wanted to install Qubes and decided to buy it from www.osdics.com by air-mail and I asked a question to Marek Marczykowski Gorecki about the trust level of that company. He said to me that the web page did not sell qubes and maybe someone wanted to send me a fake DVD. I checked it from a different computer and connection that yes! they were not selling Qubes! This is something like Postman-In-The-Middle-Attack.

If this download promlem is not a virus-infection indication, there is no problem for me. I can download Tor browser manually and verify it.

Klamm · April 30, 2016, 12:07am

I tried each of them and couldn’t download.[quote=“entr0py, post:4, topic:2396”]

There is no material difference between using Tor Browser Downloader and doing it yourself manually
[/quote]

I receive curl_status_message: [28]. The code [28] means “certificate rejected” if I am correct. What I am trying to understand is that is this because of the process difference which “Tor Browser Downloader” uses or is it an indication of an infection…

Patrick · April 30, 2016, 12:26am

Might indicate a very slow connection (for whatever reason, slow Tor entry guard or otherwise). To get around that you can try to increase the timeout. Currently only possible by manually editing with root rights.

kdesudo kwrite /usr/bin/update-torbrowser

Search for curl_download_max_time= and increase the timeout (in seconds).

Unlikely. I think we need a wiki entry for this, but no, for any serious malware it would be a disgrace of the malware author if you could spot it through this.

Klamm · April 30, 2016, 12:44pm

I increased the value from 180sec to different values. At the end I used 14400sec and got an error message about partial file download (below). Does the Tor Browser Downloader use a different protocol for downloadig? I can download files using Iceweasel which uses the same Tor.

ERROR: Failed to download: https://dist.torproject.org/torbrowser/5.5.5/tor-browser-linux32-5.5.5_en-US.tar.xz
Possible reasons:

The download server is down.
File size exceeded (endless data attack triggered).
Tor Browser Downloader (by Whonix developers) has been broken due to upstream changes.
Recommendations:
Try again later. If the error persists it probably won’t solve itself before the next update.
Check News: https://www.whonix.org/wiki/Download#Stay_tuned
Manually update: https://www.whonix.org/wiki/Manually_Updating_Tor_Browser
(Debugging information: curl_status_message: [18] - [Partial file. Only a part of the file was transferred.])

Patrick · April 30, 2016, 3:48pm

It uses curl.

entr0py · April 30, 2016, 4:21pm

/usr/bin/update-torbrowser has several instances of curl_download_max_time.

The instances that use a default of 180 secs are for downloading small stuff: connectivity checks, version numbers, signatures.

The instance of curl_download_max_time that you need to change is the one that defaults to 3600. This is the one related to the download of the package itself. (Or increase all of the timeouts. You can get a better idea of what is failing by running update-torbrowser in a terminal.)

The whole point of verifying using GPG signatures is that you don’t need to trust your counterparty (for file integrity that is). Feel free to download from piratebay, over http, or anywhere else that works for you. The important thing is that you need to verify the fingerprint of the key using an independent channel. For example, you could send encrypted email to random people on the mailing list asking for the Qubes Master Signing Key fingerprint. Unless they are all part of a giant conspiracy, you should wind up with the correct fingerprint. Using multiple Tor circuits may help with a MITM attack but it won’t help if the key hoster is compromised to begin with.

Klamm · April 30, 2016, 4:59pm

Before I said that I got an error message about partial download, but after I tried 3 times more it downloaded the browser with a good signature. Thank you very much for the help.

I didn’t think of that before! Thank you very much for the help.

Patrick · April 30, 2016, 5:21pm

FYI: https://www.whonix.org/wiki/Trust#What_do_Digital_Signatures_Prove_and_What_They_DO_NOT_Prove