Re: [Tails-dev] Tails ISO verification extension for Firefox

This message is part of the following thread:
Mthe complete thread tree sorted by date
MKathleen Brade at <-
Msajolida at ->
Delete this message

Reply to this message
Author: sajolida
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Tails ISO verification extension for Firefox
Giorgio Maone:
>>> - Modify the downloaded ISO after verification
>> How it can be done, since it's already downloaded? A operating system malicious
>> code?
> In facts, it seems outside the scope of this project: if the local
> system is already compromised, the adversary has already won and there's
> no point in fighting anymore.

I'm not considering here a malicious local operating system in general
(as we can't protect against this). But I was wondering to which extent
other entities in the browser have access to downloaded files and how
much write access is protected on the already downloaded files by other
extensions for example. Our extension will do read-only access on the
download to calculate a checksum, but could another extension modify
this file after it's been downloaded?

> Using a standalone executable, instead, would actually leave us with the
> egg and chicken problem: who does verify the verifier?

Right, that's the point. We're proposing here to use the browser as a
tool that users already have installed, that can do some crypto and that
we should be able to trust in that process anyway. That's why we're not
introducing another standalone executable.

--
sajolida

This message was posted to the following mailing lists:
tails-dev
Mailing List Info | Nearby Messages		<-Re: [Tails-dev] Debian derivatives census: Debian 8 (jessie) released!Re: [Tails-dev] Tails ISO verification extension for Firefox->
lists.autistici.org administrated by postmasterLurker (version 2.3)