[Tails-dev] secure download tool - doesn't exist?!?

Nachricht löschen

Nachricht beantworten
Autor: adrelanos
Datum:  
To: liberationtech
CC: The Tails public development discussion list
Betreff: [Tails-dev] secure download tool - doesn't exist?!?
In response to "the tool doesn't exist"...

You can create a really great privacy preserving application, Open
Source, but when you want to share it with the world, it's difficult to
ensure, that users actually get legit versions.

Goal:

- big file downloads
- at least as secure as TLS
- at least as simple as a regular download using a browser
- not using TLS itself (too expensive) for bulk download

The problem:

1. Unauthenticated downloads can get infected with malware on the fly
and we're living in a world were governments are interested in doing so
or already doing it.

2. There are no free Open Source hosts providing TLS or any other kind
of authentication usable by layman. (github doesn't provide downloads
anymore, sourceforge "only" offers unlimited free http downloads, no TLS.)

3. TLS downloads are expensive. I am creating Free Software myself
already (Whonix), but I am not willing to pay hundred of dollars every
month for TLS downloads and many other producers of Free Software aren't
willing to do that as well. That's just the reality.

4. Gpg verification - almost no one uses it. Technically, it works okay,
you can share your OpenPGP public key over TLS (web traffic isn't the
most expensive thing, downloads are) or even web of trust (non-anonymous
people) and it can verify builds. Since only one in twenty persons (or
worse) uses it for verification, for whatever reasons, its not the solution.

5. Windows doesn't even have a package manager like Debian has apt-get.
(Sorry, I am ignorant about Windows 8 and its app store thingy and not
sure if FOSS developers can easily add their software.)

6. Linux distributions, such as Debian have awesome updating systems
(Debian has apt-get, which even defeats The Update Framework threat
model [1], other distributions may have similar great updaters.

Problem: its far from easy to get software into the repository, you need
to create packages following their policy, need to be a Debian developer
or need a sponsor, thats absoutely non-trivial, many projects just
failed or have given up (example: Retroshare).

Usually their repository is filled up with high quality packages. Just
many projects/newer projects not capable/compatible/etc. with that end
up using less secure methods to share their software. There is nothing
in the middle such as a PPA service. (Ubuntu has a PPA service, but
Ubuntu should be avoided for other privacy issues [2].)

7. Metalink could solve it, if there where metalink downloaders
supporting OpenPGP, but there aren't any.

8. Mainstream browsers don't come with Metalink/OpenPGP support out of
the box, so you'd still have to tell users "you have to download tool X
to download our tool Y".

In conclusion:

I don't think we need a gpg4win downloader, a TBB downloader, Tails
downloader, a Whonix downloader... Thats just a lot duplicate effort and
another bootstrap issue: how to share the download tool itself? Make it
small and share it over TLS?

I think, this kind of tool doesn't exist yet.

References:

[1] https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses
[2]
https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks