[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [DONATE]

whonix shows older versions of tbb from tbb-downloader

can we make it only shows up the newest versions ? (stable&tester)

No. The text included in the screenshot

Only versions still considered secure should be listed here. Higher version numbers does not necessarily mean more secure here. Could be alpha or beta versions. In most cases you are best off choosing the lowest version number among them.

does still apply.

but how is that true ?

7.5.6 is more secure than 7.5.5 because its the stable upgrade of it. and using 7.5.5 is recommended against for sure.

so i see that message is wrong and maybe describing tbb-downloader in the old times but not now.

1 Like

The information comes from https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions. Parsing that file is hard since its format changed several times in past. So it was settled “lowest among them” to prevent suggesting alpha/beta versions. But if old versions keep being listed there, parsing gets even harder. Thanks for getting through!

Maybe Tor Project bug. Reported here:
https://trac.torproject.org/projects/tor/ticket/27193

1 Like

Got a good answer.

https://trac.torproject.org/projects/tor/ticket/27193#comment:1

Any opinion what is better to parse from a security point of view? json or xml? //cc @iry @troubadour @HulaHoop

(We could call a python (or anything) script from tb-updater to do the Tor Browser version file parsing, so don’t have to do it using bash.)

1 Like

JSON and XML are merely different data structures and so considered neutral in that case [0]. The parsers for either have had serious vuln classes sometimes causing RCE and many of the same sec bugs that browsers run into [1]. So the question should be which is the safest parser avaialble for either of these?

Using python standard libs to parse XML or JSON (Pickle) not a good idea [2].

A modern and minimalist JSON parser is YAJL used in libvirt. Available in Debian [3]. My recommendation is to use YAJL in addition to having TB-updater connect via an onion address or over pinned TPO cert. To contact the author about further info related to security implementations contact: #yajl channel on Freenode or subscribe to Yajl mailing list by emailing yajl@librelist.com (librelist.com) [4]

Assuming we don’t want any heavy duty parsing and something familiar then using grep on fetched JSON data is a potential solution [5]. Combined with onion security for communication is again the way to go IMO.

[0] https://stackoverflow.com/a/16293901
[1] https://blog.securityevaluators.com/xml-vs-json-security-risks-22e5320cf529
[2] https://hackernoon.com/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
[3] https://packages.debian.org/stretch/yajl-tools
https://packages.debian.org/stretch/libyajl2
[4] https://lloyd.github.io/yajl/
[5] https://stackoverflow.com/a/6852427

1 Like

stop showing old versions in tb-updater / improve version parser / port version parser to python3 or so
https://phabricator.whonix.org/T823