[Tails-dev] Regarding certificate pinning in verification ex…

Delete this message

Reply to this message
Author: sajolida
Date:  
To: The Tails public development discussion list, Uzair Farooq
Subject: [Tails-dev] Regarding certificate pinning in verification extension
Hi,

While working on the port of our verification extension to Web
Extension, Uzair told us that the crypto primitives that we are using to
do certification pinning are no longer available to Web Extensions:

https://mailman.boum.org/pipermail/tails-dev/2017-October/011800.html

When discussing this with anonym on Monday we wondered why we had this
certificate pinning in the first place.

According to our thread modeling [1], the extension cannot protect from
a man-in-the-middle attack on our website -- thread (B). As a MitM or
exploit on our website could defeat any verification technique by
providing simplified instructions or by faking ISO verification.

[1]: https://tails.boum.org/blueprint/bootstrapping/extension/

But the certificate pinning done by the extension precisely tries to
prevent such an attack, but only on the download of the ISO Description
File [2]. So we're saying, on one hand, that we can't protect from a
MitM on our website at large, but on the other hand, we're trying to
protect against it by pinning the certificate on the download of this
one file. That seems incoherent and unnecessary.

[2]: https://tails.boum.org/install/v1/Tails/i386/stable/latest.yml

So unless someone has a better rationale to keep the certificate
pinning, we'll drop it in the migration.