Summary:
I propose a mechanism to securely download project metadata,
which includes censor resistance, prevents feeding old/outdated project
metadata and load balancing.
Project metadata is defined as version information, news, update
information, project homepage and so on.
Motivation:
What happens if an adversary ever manages to ban project websites such
as Tails or Whonix? Boum.org domain and server seizure, Whonix kicked
from sf.net.
The project admins will lose the ability to inform their users about
critical security updates and communications break down. Users will no
longer be able to visit the original homepage, which could even get
replaced with a malicious version.
It would take some time to reorganize hosting, move to censor resistant
hosting and to inform the existing user base.
Discussion:
Using a single server, i.e. single domain/server for project metadata is
recommend against, as it introduces a single point of failure. When the
server goes offline, project metadata can no longer be distributed. The
server could also serve either due to a bug or by malicious indent a gpg
signed, but outdated project metadata.
To prevent disclosing which software is fetching project metadata,
the request must go through Tor. Identity correlation through circuit
sharing must be circumvented by using a separate circuit for project
metadata fetches.
GPG signing of project metadata is a must, since it's independent from
SSL certficate authorities.
The public key of the signer must be included into the software project
at build time. Distributed trust could be implemented by using X
signing keys and defining, that project metadata has to be signed by at
least Y of X signers to be accepted as valid.
To my knowledge, there are is no distributed censor resistant data
storages available over Tor. Freenet is a distributed censor resistant
data storage, which can unfortunately not be accesed over Tor. [1]
Otherwise Freenet could be well suited for this purpose.
Implementation:
Distributed trust for the signers has not yet been considered. The
signers gpg key is fully trusted.
There are web services run by different organizations, which allow
(free) web hosting, which can be used for project metadata. Exampels are
github pages, sourceforge file release system and a free onion hosting
service. [2]
Below is an example, how a project metadata file could look like.
version: 0.4.5
homepage:
http://whonix.sourceforge.net/
news: No important News.
mirror 1:
http://whonix.sourceforge.net/whonix_news.asc
mirror 2:
http://su6ephfi7dtxnbtb.onion/whonix_news.asc
mirror 3:
https://adrelanos.pages.github.com/whonix_news.asc
Such a project metadata file is supposed to be initially copied into the
project's binary distribution at build time. The purpose is to initially
equip the metadata fetcher with a list of mirrors.
>From all available mirrors the metadata fetcher uses one random mirror
at each run time to download the current project metadata. If metadata
mirros are modified or expanded, the updated file will possibly be
stored persistently and overrule the metadata file which was included at
build time.
Footnotes:
[1] Freenet could be accessed over Tor, by tunneling UDP over Tor using
a VPN. This is too unsuitable for most users to be considered as a
workaround. Most VPNs cost money, VPN over Tor is a hack alone and there
are not as many VPN nodes as Tor exits, are there?
[2] I didn't get permission to advertise it in public, found it in
public thought.
