Unable to start tor browser - gpg hangs refreshing keys (possible key servers DoS) #401

Closed
arvidjaar opened this issue Jul 3, 2019 · 6 comments

@arvidjaar
commented Jul 3, 2019

See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

What I have now looks very much like it:

UID        PID  PPID  C STIME TTY          TIME CMD
bor      31474 31391 97 06:30 ?        00:13:46 /usr/bin/gpg --status-fd 2 --homedir /home/bor/.local/share/torbrowser/gnupg_homedir --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file /usr/share/torbrowser-launcher/sks-keyservers.netCA.pem include-revoked no-honor-keyserver-url no-honor-pka-record --refresh-keys

Yes, 13 minutes processing time!!!

Please make the key server configurable to allow mitigation.

@momo42

commented Jul 4, 2019

I have the exact same problem. At first I thought that Tor Browser was not starting at all, but some minutes later it finally popped up. Then I realized that the launcher triggers the problem. On my machine gpg runs with 100% load on one core before the launcher window appears. The OS is Linux Mint 19.1 and Tor Browser was installed via sudo apt install torbrowser-launcher.
Please fix that. :-)

@maieul

commented Jul 4, 2019

same problem

@baptx

commented Jul 8, 2019

The workaround I used is to kill all GPG processes with the command killall gpg, then Tor Browser started and I could use it.
But isn't this workaround removing the following security feature?
"Verifies Tor Browser's signature for you, to ensure the version you downloaded was cryptographically signed by Tor developers and was not tampered with"
Then it would be considered a security vulnerability that we can start Tor Browser just by killing GPG. Users should not be able to disable a security feature without giving explicit permission (e.g. through a command parameter --disable-gpg), and a warning should be displayed when the browser starts.

This issue looks similar to a previous one: #305
Here is a cleaner workaround to start Tor Browser: ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser.

Related: #400
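
An added example (not part of the original thread and not torbrowser-launcher's own code) of the fail-closed behaviour raised in the comment above: the key refresh is bounded by a timeout and treated as best-effort, while a verification step that exits abnormally, including being killed, blocks the launch. The function names, the timeouts and the Python child processes standing in for gpg are assumptions, chosen so the example runs offline.

```python
import subprocess
import sys


def run_bounded(cmd, timeout):
    """Run cmd with a hard deadline; return 'ok', 'failed', 'timeout' or 'missing'."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        # subprocess.run() has already killed and reaped the child at this point.
        return "timeout"
    except FileNotFoundError:
        return "missing"
    # A child terminated by a signal (for example by `killall gpg`) reports a
    # negative return code, so it is classified as 'failed', never as 'ok'.
    return "ok" if proc.returncode == 0 else "failed"


def launch_decision(refresh_cmd, verify_cmd, refresh_timeout=30, verify_timeout=60):
    """Hypothetical launcher policy: refresh is best-effort, verification is mandatory."""
    # A hung or unreachable key server costs at most refresh_timeout seconds.
    refresh = run_bounded(refresh_cmd, refresh_timeout)
    # Only a clean exit of the verification step allows the browser to start.
    # A real launcher must additionally confirm the signature was made by the
    # expected key; that check is outside the scope of this example.
    verify = run_bounded(verify_cmd, verify_timeout)
    return {"refresh": refresh, "verify": verify, "launch": verify == "ok"}


# Constructed stand-ins for the gpg invocations, so the example runs offline.
HANGING = [sys.executable, "-c", "import time; time.sleep(60)"]
CLEAN = [sys.executable, "-c", "raise SystemExit(0)"]
BAD_SIG = [sys.executable, "-c", "raise SystemExit(1)"]
KILLED = [sys.executable, "-c",
          "import os, signal; os.kill(os.getpid(), signal.SIGTERM)"]

if __name__ == "__main__":
    for name, verify in [("clean", CLEAN), ("bad signature", BAD_SIG), ("killed", KILLED)]:
        print(name, launch_decision(HANGING, verify, refresh_timeout=1, verify_timeout=10))
```
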

@Argentino84

commented Jul 12, 2019

Same problem, and the suggested workaround doesn't work for me. After killing gpg I can only choose to download everything again or close.

@P9at4Kic

commented Jul 13, 2019

This may not be an issue with Tor but an attack on OpenPGP.

https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

@Wikinaut

commented Jul 20, 2019

@micahflee thanks for the swift reaction and fix (confirmed: works).
