Hi Daniel, Kathleen, Mark, and Julien,
I'm part of the people developing Tails.
I'm putting our development list in copy so we can have this discussion
archived and in public.
The idea behind this email is to ask for your expertise to complete the
threat modeling that we are doing as part of our work on a Firefox
extension to verify Tails ISO image. If you're too busy to process this
yourself, don't hesitate to forward it to other relevant people.
Giorgio Maone, from NoScript, will be working on the implementation of
the extension and is also subscribed to this list. He will surely join
in the discussion but we also wanted to consult other experts in the field.
The idea is to provide a usable solution to verify a download done
through HTTP, while relying on cryptographic information fetched
elsewhere through HTTPS (and possibly with stronger authentication
mechanisms such as public key pinning from browser vendors).
You can read more about our idea on this blueprint where we describe
better our goals, user scenario, wireframe, and our initial threat modeling:
https://tails.boum.org/blueprint/bootstrapping/extension
Our idea is currently to integrate the download and verification on a
single web page (see the simplified wireframe in attachment to get an
idea). The extension would interact with the HTML code of the download
page and display, hide, or modify the relevant sections.
The more precise question that I would like to consult you about is
regarding the threats that could arise **from inside the browser** and
that could corrupt the verification mechanism or fool the user.
Possible attackers that might be worth considering:
- Scripts running in other tabs open in the browser
- Scripts running in other tabs open in the browser and from the same
domain
- Other extensions installed in the browser
Possible attacks that we thought about (without really knowing whether
they are possible or not):
- Interfere with the checksum computation
- Interfere with the content of the web page to fool the user
- Modify the downloaded ISO after verification
To give a bit more context, this will be a "bootstrapped" extension (no
restart) and will be meant to run in Tor Browser outside of Tails or
regular Firefox.
Do you think that any of this is possible?
--
sajolida
