Hi Sina & all,
Sina S wrote (05 Oct 2013 04:25:42 GMT) :
> I know I am new on the list but please accept my 2c input here:
I'd like to make it clear that your input is more than welcome,
regardless of how long you've been on the list!
> While I understand the desire to have a kind of equivalent of debian-server
> for TAILS, I am not so sure it is a clear cut and easy task to accomplish.
Thanks for making this clear. I certainly agree. There are difficult
problems to solve in this area: some are described on the blueprint
already, some are being worked on (IIRC) by folks at APAF and alike.
> 1. The biggest and most important point is that while it's possible to meet
> the simple use case with a reasonable expectation of security and
> anonymity, as soon as the operator of the webserver loads PHP/Python/Perl
> code to run a dynamic website, the "attack surface" is greatly expanded and
> now completely beyond the controls the server can offer.
Right. That's one of the reasons why our intent was to provide
services like Gobby and filesharing over SFTP, to start with something
that's both easier to implement, and has a smaller attack surface.
Still, one has to balance this with what the available alternatives
are: if people use Google Docs instead, or even centralize their data
in the hands of the very nice people at Riseup, it's probably even
worse for many threat models.
> That said, if anyone asked me for this kind of server, I would probably
> consider some combination of grsecurity and a per-site LXC, or even better
> grsecurity and zeroVM as the basis for this. Probably zeroVM is a little
> beyond most peoples understanding even though it fits the threat model most
> appropriately.
I agree this is a good direction to go. (FWIW, our roadmap for Tails
2.0 includes containing Iceweasel + a few AppArmor profiles, and our
plate for 3.0 includes containing Tor + extensive AppArmor confinement.)
Still, I'm wary of our (mine, the Tails team's, the security
community's, pick as many as you wish) tendency to reason at
a theoretical level, to think of usecases that are not the most common
one, and as a result put the bar so high that anyone who could be
interested in working on this will be promptly discouraged, and as
a result users in the field go on using worse solutions.
As a conclusion (and I doubt I'll feed this thread any more unless
someone actually shows up and say they want to work on this), if
anyone wants to tackle this *large* project, by all means please do,
talk to us, take your time, and be ready to walk baby steps (feel free
to call it "Agile" or whatever is your favorite kind of hype :)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
