Tor browser downloader

Hi all,
Have recently re-installed Whonix (VirtualBox on Ubuntu). Had it all working well on previous occasions (until met with a problem - story for another time), but after this fresh install I could not get the Tor Browser Download (via desktop link) to complete.
After about half an hour of slow downloading I would get the error message:

Failed to download
Possible reasons:

  • The download server is down.
  • File size exceeded (endless data attack triggered).
  • Tor Browser Downloader (by Whonix developers) has been broken due to upstream changes.

Recommendations:

  • Try again later. If the error persists it probably won’t solve itself before the next update.

I attempted many times, same result, but never happened with my previous installation.

Searching these forums I found the suggestion to use this command instead:

update-torbrowser --ordinary

This worked so quickly and easily, even though I thought this was essentially starting the same process, except from the command line rather than the desktop link.

So I’m confused as to what the problem was? Or how about if the original attempt was sabotaged from the endless data attack - how would I know if so…? Also, although the command line succeeded, it gave this in the output:

INFO: Hash check ok.
Installation confirmation
Currently installed version: None installed. (Folder /home/user/.tb/tor-browser does not exist.)
Downloaded version : 7.5.3
We have not previously accepted a signature yet. Therefore assisted check for downgrade or indefinite freeze attacks skipped. Please check the Current Signature Creation Date looks sane.
Previous Signature Creation Date: Unknown. Probably never downloaded a signature before.
Last Signature Creation Date : March 26 09:44:32 UTC 2018
The signature looks quite old already.

Either,

  • your clock might be fast (at least 6 days 6 hours 13 minutes 34 seconds fast). In that case, please check your clock is correct.
  • there is really no newer signature yet. The signature is really older than 30 days already. (Older than 6 days 6 hours 13 minutes 34 seconds already.)
  • this is a update-torbrowser bug
  • this is an attack

gpg reports:
gpg: Signature made Mon 26 Mar 2018 09:44:32 AM UTC using RSA key ID C3C07136
gpg: Good signature from "Tor Browser Developers (signing key) "

So suggesting that the signature is maybe old or that this is an attack…
How would I tell whether it's an attack or not…? Is 6 days really too old for a signature? Why did the command download so quickly when the desktop link took almost an hour to inevitably fail…? If anyone could please help me to understand what's going on here I would be very grateful…!
Thanks

As per this post the problem you experienced is a bug:

https://forums.whonix.org/t/tor-browser-download-issues-due-to-connection-interruption/2626/17

It can be very difficult to tell.

https://whonix.org/wiki/Warning#Man-in-the-middle_Attacks

https://whonix.org/wiki/Dev/TimeSync#Attacks

https://whonix.org/wiki/FAQ#Compromise_Indicators

Explained in the first link.

3 Likes

Hi 0brand,
Thanks for your reply.
So is the command line download of Tor Browser trustable generally…? Is there any way I can check the authenticity of the download, or does it check itself automatically…? And the warning given:

The signature looks quite old already

…is that of concern…?

Also: Tor exit nodes: are they more likely to be subject to man in the middle attacks as they are a central point for attackers to focus upon…??

Thanks again

Hi bfl88

Generally, yes. I would say it's not less “trustable” than using the GUI (desktop).

When you download and update software with the APT package manager, the download/update is automatically verified.

“Trust” in computer security may mean something different than what many users think it means.

There are a number of reasons this could happen. Not all of them are malicious. The correct version of Tor Browser was verified with a signing key with a good signature. That's all I can tell you.

There are attacks of this nature called “indefinite freeze attacks” and “rollback (downgrade) attacks”, which are essentially man-in-the-middle attacks that could be used to keep the target's system from getting security updates or roll back the packages on the target's computer to an older version etc. The attacker could then use one of the older (known) exploits on that system.

One way to tell for both of those attacks is that the new (downloaded) signature is older than the current signature on your system. Since this is the first time downloading Tor Browser, this would not be helpful.

I'm not saying this is what happened. It's just an FYI. ;)

This could also be circumvented by changing the exit node for updates or by updating from a different location.

1 Like
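
The comparison described in the reply above (new signature date against the previously accepted one, plus an age limit), written out as an added example; it is not update-torbrowser's code and not part of any post. The function names, the pinned fingerprint placeholder and the constructed gpg status lines are assumptions, and the 30-day limit is taken from the tool output quoted in the first post.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)  # assumption: the "older than 30 days" limit in the quoted output
PINNED_FPR = "A" * 40         # constructed placeholder, NOT the real Tor Browser key fingerprint

def signature_time(status_text, pinned_fpr=PINNED_FPR):
    """Creation time of a valid signature by the pinned primary key, read from
    `gpg --status-fd` output; None if no matching VALIDSIG line is present."""
    for line in status_text.splitlines():
        f = line.split()
        # [GNUPG:] VALIDSIG <fpr> <date> <sig-timestamp> ... <primary-key-fpr>
        if len(f) == 12 and f[:2] == ["[GNUPG:]", "VALIDSIG"] and f[11] == pinned_fpr:
            return datetime.fromtimestamp(int(f[4]), tz=timezone.utc)  # epoch form only
    return None

def assess(new_sig, previous_sig, now, max_age=MAX_AGE):
    """Return a list of findings; an empty list means nothing looked unusual."""
    if new_sig is None:
        return ["no-valid-signature"]
    findings = []
    if previous_sig is None:
        findings.append("no-baseline")          # first download: nothing to compare against
    elif new_sig < previous_sig:
        findings.append("older-than-accepted")  # rollback (downgrade) indicator
    if new_sig > now:
        findings.append("signed-in-future")     # local clock is probably slow
    elif now - new_sig > max_age:
        findings.append(f"stale-by {now - new_sig - max_age}")  # freeze or fast clock
    return findings

def sample_status(sig_time, fpr=PINNED_FPR):
    """Constructed status output for the example (signing subkey is a dummy value)."""
    ts = int(sig_time.timestamp())
    return ("[GNUPG:] GOODSIG 0000000000000000 constructed\n"
            f"[GNUPG:] VALIDSIG {'B' * 40} {sig_time:%Y-%m-%d} {ts} 0 4 0 1 8 00 {fpr}\n")

if __name__ == "__main__":
    sig = datetime(2018, 3, 26, 9, 44, 32, tzinfo=timezone.utc)  # date from the quoted output
    now = sig + MAX_AGE + timedelta(days=6, hours=6, minutes=13, seconds=34)
    print(assess(signature_time(sample_status(sig)), None, now))
```

On a first download only the age limit can fire, which matches the "assisted check ... skipped" message: the older-than-accepted comparison needs a previously accepted signature date stored on the system.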

Thanks very much for your help, and for all of the information, will get reading…!
all the best