Re: [Tails-dev] [liberationtech] secure download tool - does…

Author: Dev Random
Date:
To: liberationtech
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] [liberationtech] secure download tool - doesn't exist?!?
The Gitian tools have this:

https://github.com/devrandom/gitian-builder/blob/master/share/gitian_updater.py

which could be adapted to work with other network protocols (e.g. Torrent).

On 07/01/2013 11:03 AM, adrelanos wrote:
> In response to "the tool doesn't exist"...
>
> You can create a really great privacy preserving application, Open
> Source, but when you want to share it with the world, it's difficult to
> ensure that users actually get legit versions.
>
> Goal:
>
> - big file downloads
> - at least as secure as TLS
> - at least as simple as a regular download using a browser
> - not using TLS itself (too expensive) for bulk download
>
> The problem:
>
> 1. Unauthenticated downloads can get infected with malware on the fly
> and we're living in a world where governments are interested in doing so
> or already doing it.
>
> 2. There are no free Open Source hosts providing TLS or any other kind
> of authentication usable by laymen. (github doesn't provide downloads
> anymore, sourceforge "only" offers unlimited free http downloads, no TLS.)
>
> 3. TLS downloads are expensive. I am creating Free Software myself
> already (Whonix), but I am not willing to pay hundreds of dollars every
> month for TLS downloads and many other producers of Free Software aren't
> willing to do that as well. That's just the reality.
>
> 4. Gpg verification - almost no one uses it. Technically, it works okay,
> you can share your OpenPGP public key over TLS (web traffic isn't the
> most expensive thing, downloads are) or even web of trust (non-anonymous
> people) and it can verify builds. Since only one in twenty persons (or
> worse) uses it for verification, for whatever reasons, it's not the solution.
>
> 5. Windows doesn't even have a package manager like Debian has apt-get.
> (Sorry, I am ignorant about Windows 8 and its app store thingy and not
> sure if FOSS developers can easily add their software.)
>
> 6. Linux distributions, such as Debian have awesome updating systems
> (Debian has apt-get, which even defeats The Update Framework threat
> model [1]), other distributions may have similar great updaters.
>
> Problem: it's far from easy to get software into the repository, you need
> to create packages following their policy, need to be a Debian developer
> or need a sponsor, that's absolutely non-trivial, many projects just
> failed or have given up (example: Retroshare).
>
> Usually their repository is filled up with high quality packages. Just
> many projects/newer projects not capable/compatible/etc. with that end
> up using less secure methods to share their software. There is nothing
> in the middle such as a PPA service. (Ubuntu has a PPA service, but
> Ubuntu should be avoided for other privacy issues [2].)
>
> 7. Metalink could solve it, if there were metalink downloaders
> supporting OpenPGP, but there aren't any.
>
> 8. Mainstream browsers don't come with Metalink/OpenPGP support out of
> the box, so you'd still have to tell users "you have to download tool X
> to download our tool Y".
>
> In conclusion:
>
> I don't think we need a gpg4win downloader, a TBB downloader, Tails
> downloader, a Whonix downloader... That's just a lot of duplicate effort and
> another bootstrap issue: how to share the download tool itself? Make it
> small and share it over TLS?
>
> I think, this kind of tool doesn't exist yet.
>
> References:
>
> [1] https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses
> [2]
> https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
>
>
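
The split discussed in this thread (a small authenticated manifest, with the bulk file fetched over an unauthenticated channel and checked locally) can be illustrated in Python. This is an added example, not part of either message and not taken from gitian_updater.py; `verified_save`, `try_download` and the manifest layout are hypothetical, and the manifest entry is assumed to have been authenticated already.

```python
import hashlib
import hmac
import io
import os
import tempfile

class VerificationError(Exception):
    """Downloaded bytes do not match the manifest entry."""

def verified_save(stream, entry, dest, chunk_size=64 * 1024):
    """Write an untrusted stream to `dest` only if it matches `entry`.

    ASSUMPTION: `entry` ("size", "sha256") comes from a manifest that was
    already authenticated, e.g. OpenPGP-signed or fetched over TLS.
    """
    digest, received = hashlib.sha256(), 0
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as out:
            for block in iter(lambda: stream.read(chunk_size), b""):
                received += len(block)
                if received > entry["size"]:  # untrusted mirror cannot fill the disk
                    raise VerificationError("more data than the manifest declares")
                digest.update(block)
                out.write(block)
        if received != entry["size"]:
            raise VerificationError("truncated download")
        if not hmac.compare_digest(digest.hexdigest(), entry["sha256"]):
            raise VerificationError("SHA-256 mismatch")
        os.replace(tmp, dest)  # visible under its final name only once verified
    except BaseException:
        os.unlink(tmp)
        raise
    return received

# Constructed sample data standing in for a release image and its manifest entry.
GOOD = b"release image bytes " * 1000
ENTRY = {"size": len(GOOD), "sha256": hashlib.sha256(GOOD).hexdigest()}

def try_download(body):
    """Return (accepted, files left in the download directory)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            verified_save(io.BytesIO(body), ENTRY, os.path.join(d, "image.iso"))
            accepted = True
        except VerificationError:
            accepted = False
        return accepted, os.listdir(d)
```

In a real downloader `stream` would be the HTTP or torrent response body; the check does not depend on how the bytes arrived.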