Re: [T(A)ILS-dev] doc: warnings

Author: sajolida
Date:  
To: The Tails public development discussion list
New-Topics: Re: [T(A)ILS-dev] Locking pages [Was: doc: warnings]
Subject: Re: [T(A)ILS-dev] doc: warnings
On 23/04/11 07:44, intrigeri wrote:
> Hi,
>
> sajolida wrote (22 Apr 2011 15:22:01 GMT) :
>> I changed that and put every different warning section as h1.
>
> Well, actually you didn't:
>
>    '====' <=> '# '  <=> 1st level
>    '----' <=> '## ' <=> 2nd level
>
> I've fixed this.
>
>> There seems to be no clear preference on the wiki source between
>> using '-----'-style of '#'-style headers, Right?
>
> Right.
>
>
> I'm not convinced by commit 63259418 ("SHA256 checking howto")'s
> current effects. As currently phrased in doc-rework, the download page
> puts SHA-256 checksum checking at exactly same level as OpenPGP
> signature verification. Since the SHA-256 checksum file is likely to
> be fetched from the very same source as the ISO image, it feels wrong
> to me.
>
> This section's introduction reads "It is important to check the
> integrity of the ISO image you downloaded to make sure that it is
> genuine and that the download went well".
>
> While we can put at the same level:
>
>   a. Checking the SHA-256 checksum
>   b. Checking the OpenPGP signature is *a* valid one (without more key
>      or owner trust verification)
>
>   => both make sure the downloaded ISO file is the one the *server*
>      wanted us to get. This allows making sure the download went
>      well, but *not* that the downloaded image is genuine.
>
> ... IMHO it's very different to check the OpenPGP signature is valid
> *and* produced by the Tails developers private OpenPGP signing key.
> This is the only way to check the downloaded image is genuine.
>
> On the other hand, I see how hard it is to make this difference clear
> in documentation intended for a wide audience, without writing too
> much text nobody will read :/
>
> What do you and others think?
I agree with you and I shouldn't write that the howto as it is now
allows checking the authenticity of the image. The only way to do that
would be through OpenPGP with a trust path to the Tails signing key.

I also agree that using SHA-256 checksums provided on the website or an
OpenPGP key (or key number and fingerprint) downloaded from the same
website has to be put at the same level: it makes you depend on the
trust you can put in the website (which can range from zero if using
HTTP to the trust you are willing to put in its SSL certificate if using
HTTPS or the trust you put in the website not being hacked or modified).

Still, I would put forward in defence of my howto that my idea was to
provide on tails.boum.org the checksums for images that could have been
downloaded on any of the dl.amnesia.boum.org mirrors. That would narrow
the problem to trusting the tails.boum.org website, which I guess should
be a key issue anyway since it will remain the central source of
information for a vast majority of the Tails users.

So what I would propose is:

- Rephrase the howto to talk about integrity and not authenticity. And
add another section about authenticity explaining that a careful check
through OpenPGP is the recommended way of checking Tails authenticity
(since even HTTPS can't always protect you from MitM, blabla).

- Improve the trust people can put on the website. That could mean using
a commercial SSL certificate and forcing HTTPS on it. Even though I know
that we can't be 100 % satisfied with such a solution, allowing
everybody to use mainstream HTTPS on tails.boum.org could be a good step
forward for the users who won't go through careful OpenPGP checks.

- Have a debate on limiting the open editing of some parts of the
website. I'm not sure how this works right now but I guess, if we decide
to improve the trust people can put on the website, we don't want people
to be able to freely edit the download page, the OpenPGP key page or the
'Download Tails' button, etc.

--
sajolida
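The trust argument running through this thread (a checksum or an OpenPGP key fetched from the same server as the ISO only shows the file is what that server wanted you to get; a signature checked against key material obtained out of band is what shows the image is genuine) can be made concrete with a small model. This is an added example, not code from the thread or from the Tails project, and it makes two assumptions: a keyed HMAC stands in for the OpenPGP detached signature (the Python standard library has no public-key signature primitive, and the property modelled is only that the verifier's key does not come from the download server), and all ISO bytes, checksums and keys are constructed placeholders.

```python
"""Model of the three checks discussed in the thread:

  a. the SHA-256 checksum file from the same server as the ISO
  b. the OpenPGP signature is *a* valid one, under the key the server hands out
  c. the OpenPGP signature verifies under key material obtained elsewhere

Illustrative code only. A keyed HMAC stands in for an OpenPGP detached
signature because the standard library has no public-key primitive; what
is modelled is where the verifier's key comes from, not the cryptography.
Every byte string below is constructed for the example.
"""
import hashlib
import hmac

GENUINE_ISO = b"constructed: genuine Tails ISO bytes"
TAMPERED_ISO = b"constructed: trojaned ISO bytes"

# Constructed placeholder keys, not real Tails key material.
TAILS_SIGNING_KEY = b"constructed-tails-developers-key"
ATTACKER_KEY = b"constructed-attacker-key"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, i.e. the content of a checksum file."""
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> str:
    """Stand-in for producing a detached OpenPGP signature."""
    return hmac.new(key, data, "sha256").hexdigest()


def signature_valid(key: bytes, data: bytes, signature: str) -> bool:
    """Stand-in for verifying a detached signature against one specific key."""
    return hmac.compare_digest(sign(key, data), signature)


def publish(iso: bytes, signing_key: bytes) -> dict:
    """Everything a download server offers: ISO, checksum file, detached
    signature and the key it claims signed the image. A server under an
    attacker's control can regenerate all four consistently."""
    return {
        "iso": iso,
        "sha256": sha256_hex(iso),
        "signature": sign(signing_key, iso),
        "key": signing_key,
    }


def verify_download(server: dict, pinned_key: bytes) -> dict:
    """Run checks a, b and c on what the server served; pinned_key is the
    key material the user obtained from somewhere other than this server."""
    iso = server["iso"]
    return {
        "checksum_matches": hmac.compare_digest(sha256_hex(iso), server["sha256"]),
        "signature_valid_with_server_key": signature_valid(server["key"], iso, server["signature"]),
        "signature_valid_with_pinned_key": signature_valid(pinned_key, iso, server["signature"]),
    }


def scenario_honest_server() -> dict:
    """Genuine image, genuine key, nothing went wrong: all three checks pass."""
    return verify_download(publish(GENUINE_ISO, TAILS_SIGNING_KEY), TAILS_SIGNING_KEY)


def scenario_compromised_server() -> dict:
    """Server hands out a tampered image plus a matching checksum, a matching
    signature and the key that produced it. Checks a and b still pass;
    only the check against the pinned key fails."""
    return verify_download(publish(TAMPERED_ISO, ATTACKER_KEY), TAILS_SIGNING_KEY)


def scenario_corrupted_transfer() -> dict:
    """Honest server, but the download was cut short: every check fails,
    which is the case the checksum was meant to catch."""
    server = publish(GENUINE_ISO, TAILS_SIGNING_KEY)
    server["iso"] = GENUINE_ISO[:-1]  # truncated download
    return verify_download(server, TAILS_SIGNING_KEY)


if __name__ == "__main__":
    for name, fn in (("honest server", scenario_honest_server),
                     ("compromised server", scenario_compromised_server),
                     ("corrupted transfer", scenario_corrupted_transfer)):
        print(f"{name}: {fn()}")
```

The compromised-server scenario is the one the thread is about: the checksum matches and the signature is "a valid one", yet the image is not genuine; only the check against key material obtained independently of the website detects it.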