Speaking as maintainer of Whonix here.
Jacob Appelbaum:
> When upgrading a tails machine today, I noticed that the default
> download link is HTTP.
This is actually a problem for many (security-related) application
downloads, not only for Tails. For example, the gpg4win homepage also
has no HTTPS download.
And how is a Windows user supposed to download gpg4win? Over an
unauthenticated channel? How many join a real life gpg community, get
the signatures for gpg itself and verify it? 1 to 1000?
> We've done some statistics on the number of users
> that actually bother to download signatures - it basically borders on
> none for some software. Does Tails find that for every ISO, users
> download the signature? Ten to one? Perhaps one out of every thousand
> downloads?
Switching topic to Whonix... Actually it's more like twenty to one
(a little worse).
Whonix-Gateway.ova downloads [1] per week: 668
Whonix-Gateway.ova.sig downloads [2] per week: 30
And some may think: verification is for paranoids only. It's not. It's a
real issue already, not theoretical. And Whonix already got attention
from the GFW. [3]
There are already state-sponsored malware attacks. Infecting an
unauthenticated download on the fly isn't rocket science. Something
that could happen very soon, and no one should be surprised. Yet, I
don't see any awareness.
> I really strongly encourage that the default download link should be
> secure -
That's a fine goal.
> if there was a tool to download updates and it automatically
> checked the signatures, I'd think it was perhaps OK to use HTTP.
That's the point. Is there such a tool already?
I don't think we need a Tails download tool, a gpg4win downloader, a
Whonix download tool, a TBB download tool...
> Without such a tool, I think this is merely a
> recipe for disaster.
Agreed.
> We carry a secure mirror here:
>
> https://archive.torproject.org/amnesia.boum.org/tails/stable/
>
> If you guys can't handle HTTPS traffic, I really encourage you to link
> to our HTTPS site as the default. If nothing else, I believe that some
> browsers also pin our certs. That at least changes the game to something
> a bit harder.
That's a nice offer. Unfortunately, not everyone has someone to foot the
bill, and I think many projects are affected.
So I'd like to brainstorm about this secure download tool.
References:
[1] https://sourceforge.net/projects/whonix/files/whonix-0.5.6/
[2] https://sourceforge.net/projects/whonix/files/whonix-0.5.6-sig/
[3] http://whonix.sourceforge.net/screenshots/greatfire.html
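Added example (not code from this post, nor from Whonix, Tails or any project named above): the core of the download tool brainstormed here, in Go. It swaps in Go's standard-library ed25519 in place of OpenPGP so it runs offline, and the "mirror" is a constructed in-memory map standing in for an untrusted HTTP server; the point it shows is that with a publisher key pinned in the tool, the transport can be plain HTTP and an image modified in transit is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Mirror stands in for an untrusted HTTP server (constructed: path -> bytes).
type Mirror map[string][]byte

var ErrBadSignature = errors.New("signature does not verify under pinned publisher key")

// The publisher signs SHA-256(image) and ships the result as a detached <name>.sig.
func signDigest(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// FetchVerified returns the mirror's image only if its detached .sig verifies
// under the key pinned in the tool; over plain HTTP an on-the-fly change fails.
func FetchVerified(m Mirror, name string, pinned ed25519.PublicKey) ([]byte, error) {
	image, sig := m[name], m[name+".sig"]
	if image == nil || sig == nil {
		return nil, fmt.Errorf("mirror lacks %s or its .sig", name)
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pinned, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return image, nil
}

// PublishSample builds a constructed mirror holding one signed image and
// returns the public key a download tool would ship pinned (nil = crypto/rand).
func PublishSample(name string, image []byte) (Mirror, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return Mirror{name: image, name + ".sig": signDigest(priv, image)}, pub
}

func main() {
	mirror, pinned := PublishSample("Whonix-Gateway.ova", []byte("constructed image bytes"))
	mirror["Whonix-Gateway.ova"][0] ^= 0xff // simulate an infection injected in transit
	_, err := FetchVerified(mirror, "Whonix-Gateway.ova", pinned)
	fmt.Println("tampered download rejected:", errors.Is(err, ErrBadSignature))
}
```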