[Tails-dev] Security implications: moving code from Verifica…

Delete this message

Reply to this message
Author: u
Date:  
To: The Tails public development discussion list
Subject: [Tails-dev] Security implications: moving code from Verification Extension to our website
Hi security people,

after working on the Verification Extension for the USB image project, I
proposed to get rid of it and integrate the Javascript code that
performs the verification directly into our website [1].

Today I'm writing to you because we need your valuable input on the
security implications that such a move might have. We lack these skills
in our team and would appreciate your help. Below, I'll describe the
current state of things, the possible benefits of this move and then
I'll try to outline the security question we have.

Current state of things
-----------------------

Users download Tails images via mirrors operated by volunteers. When
installing Tails, we advise users to verify the files downloaded using
the Verification Extension, that currently works in Firefox and Chrome.
The extension only downloads a JSON file located at tails.boum.org over
HTTPS, and checks that the hashsum we provide matches that of the user
downloaded Tails image.

We know from Javascript statistics of our download page that roughly
~20% of the downloads of Tails images are verified by users using the
verification extension. The optional OpenPGP verification accounts for
9% of downloads (computed using the number of downloads of the OpenPGP
signature). This means that >70% of Tails downloads might currently not
be verified at all.

Benefits of moving this code directly into our website
------------------------------------------------------

- More users could more easily verify the images they download.
(Note that we don't have metrics for the percentage of users affected,
because we lack a detailed analysis of why so few users verify their
download.)

- It will increase usability for users, as they won't have to install an
extension anymore.

- Downloads could possibly be verified using other browsers, like Safari
and recent versions of IE. (Note however that these browsers currently
represent only 1% of visitors to the download pages.)

- There'll be a bit less maintenance work for us, but not much: as we
would still have to test the code regularly.

General security implications
-----------------------------

The question we are asking ourselves is: are there any predictable
downsides to move the verification code from an extension to the website?

If needed, details about the security threats and measures of the
extension can be found in our design documentation [2].

Cost
----

Replacing the extension is going to cost money:

A rough estimate is that it'll require ~100 hours of work from
developers, UX designers, technical writers, managers, and accountant to
make this happen, in two iterations (see [1] for a detailed
implementation plan).

Glad to read your thoughts!

Thank you for your input,
u.

[1] https://redmine.tails.boum.org/code/issues/16128
[2] https://tails.boum.org/contribute/design/verification_extension/