Re: [Tails-dev] Firefox sha256sum checker

Author: sajolida
Date:  
To: Griffin Boyce
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] Firefox sha256sum checker
> That's an interesting question. Firefox/Iceweasel has a lot going for
> it outside of a possible hash checker. This seems like something that
> should perhaps be asked of the community rather than myself.
> Chrome/Chromium[1] is an interesting browser, but unless it's in the
> Tails environment, I wouldn't recommend it for use with Tor. Mike Perry
> would have more information on the security implications of switching
> from Firefox to Chrome.


There is a misunderstanding here I think, the point is not to have Chrome
replace Firefox in Tails. But only to document how to verify the
download of a Tails ISO image when running Windows, Mac OS, or some
other OS not running GNOME.

So I'm only referring to the content of this page:

https://tails.boum.org/doc/get/verify_the_iso_image_using_other_operating_systems/

When we first wrote that page, using Firefox made sense for the reasons
I mentioned earlier (multiplatform and software authentication) but now
this technique is broken because MD5 Reborned Hasher is dead.

>> Can you confirm that the same arguments would work for Chrome too?
>
> A&B, definitely. Chrome and Chromium[2] use https for download, but
> not sure about pgp authentication. Wasn't able to find anything on it
> during a quick search, so am assuming not.


So the level of authentication when the end user installs Chrome or
Chromium would basically be the same as with Firefox: HTTPS if
downloading from the website, OpenPGP if installing from Debian and
Ubuntu. That OpenPGP verification is part of the package mechanism of
Debian and Ubuntu, that's automatic and the user has nothing special to
do for it to work.

>> Then, I never used Chrome before, but how would I get and use your app
>> actually? Is that an extension to install or what? :)
>
> To install manually, get the zip: https://github.com/glamrock/satori
>
> * Go to chrome://extensions/
> * ☑ Developer mode
> * Click "Load unpacked extension"
> * Choose Satori/chrome directory
>
> Then go to chrome://apps/ to launch (just like launching any other
> app). Once development slows slightly, that repository will have a
> gpg-signed zip file to make it easier to install securely outside of
> Google's walled garden[3]. Once you have it open, scroll down to the
> hash generator, and select a file you have downloaded. Then compare the
> displayed hash with what you are expecting.


I think it would be easier to document how to install and use it from
the Chrome Web Store, no? Whether people download your app through the
HTTPS of Google or the HTTPS of Github doesn't make much difference. And
we don't want to teach our users how to verify your app with OpenPGP
because those instructions are actually to *avoid* them having to
manipulate OpenPGP in the first place.

> If it were included in Tails, that would certainly affect UI/design.
> Right now, the hash checker is close to the bottom.


I checked on the Chrome Web Store and actually found several other
extensions that seem to do the trick:

https://chrome.google.com/webstore/detail/crypto-tools-encryptioncr/pbbjnobglkpbfmpabbgogbnlffkmgbii/details

https://chrome.google.com/webstore/detail/sha1-and-md5-checksum/ifdcfgpkdlceolbamlkmlbdcffgndkgk/details

https://chrome.google.com/webstore/detail/filehash/mlfnjicohdcbglkgmdkckpomajahokfo/details

Do you know or recommend any of those? Or do you think your app would be
more suitable to our needs?

I created a ticket for that:

#7261: Research ISO verification using checksum on Chrome
https://labs.riseup.net/code/issues/7261

Subtask of:

#6851: Fix ISO verification using checksum
https://labs.riseup.net/code/issues/6851

--
sajolida