Re: [Tails-dev] ISO verification

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] ISO verification
Hi,

sajolida wrote (03 Jul 2015 08:38:25 GMT) :
> intrigeri:
>> sajolida wrote (04 Mar 2015 17:43:01 GMT) :
> You're answering here a quite old message of mine
Yep, sorry about that. Your reply makes it clear that I should have
re-read the blueprint and relevant threads more carefully before
bothering to reply to this old email.

>> Thanks. (Food for thought: this seems to assume that an ISO
>> voluntarily corrupted by an attacker will generally not be smaller
>> than the genuine one. Not sure how good an assumption this is.)
> Not relevant anymore for the same reason.
The goals section still reads "In case of a bad ISO image, help the
user diagnose whether the download has been interrupted or the ISO has
been corrupted", so I don't understand why my side comment isn't
relevant anymore: how can we make the difference between an
interrupted download, and a malicious ISO that's smaller than the
genuine one? In other words:

* if the ISO is too big, then by definition it's been corrupted
(potentially maliciously);
* if the ISO has the right size but not the correct checksum, then by
definition it's been corrupted (potentially maliciously);
* if the ISO is too small, then it's highly probable that the
download was simply interrupted, but we can't guarantee that to the
user. I've no idea what to do with this, and I totally trust you to
take it into account when helping the user make a sensible decision
based on this fact, in case the current wireframes don't (sorry, no
time to check the details right now).

>>> Are you saying that any other website that's been loaded in the
>>> current session could alter the result of this verification?
>>> That sounds very bad...
>>
>> That is what I would assume until some experts in this field tell me
>> that browsers are safe about this. I guess this has been done
>> elsewhere in this thread (still not finished reading it), otherwise
>> you would have switched strategies since then.
> Yes, that's
> https://mailman.boum.org/pipermail/tails-dev/2015-April/008648.html I think.
In that thread, the only answers that are potentially relevant to the
question at hand are:

* a message by Giorgio, who addresses mostly off-topic concerns
someone else posted, but doesn't answer your questions;
* a message by Kathleen, who wrote "absent a bug in Firefox or Tor
Browser, other web pages should not be able to interfere"... after
stating that "Mark and I do not have a lot of expertise in threat
modeling".

JFTR, assuming that you're basing your assessment on that second
reply, I personally find it half-convincing, but given the timing of
my feedback here, I will cross fingers instead of insisting (I already
feel half pissed off and half guilty wrt. how pushy I've been on this
topic, so it's time for me to stop).

Thanks for your work on this!

Cheers,
--
intrigeri
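The three size/checksum cases discussed in the message above, as an added example that is not code from the Tails project or from the thread: a checker that applies the decision to a constructed sample image (the image bytes, sizes and names are assumptions) and shows why a truncated download and a deliberately shortened image receive the same verdict.

```python
import hashlib
import hmac

# Constructed stand-in for the genuine ISO: 64 KiB of deterministic bytes.
GENUINE = bytes(range(256)) * 256
EXPECTED_SIZE = len(GENUINE)
EXPECTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()

# Verdicts returned by the checker.
GENUINE_OK = "genuine"
CORRUPTED = "corrupted"                      # possibly malicious
INCOMPLETE_OR_CORRUPTED = "incomplete-or-corrupted"


def classify_download(data: bytes, expected_size: int, expected_sha256: str) -> str:
    """Decide what a downloaded image is, using size first and checksum second."""
    actual_size = len(data)
    if actual_size > expected_size:
        # Too big: by definition not the genuine image.
        return CORRUPTED
    if actual_size == expected_size:
        digest = hashlib.sha256(data).hexdigest()
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(digest, expected_sha256):
            return GENUINE_OK
        # Right size, wrong checksum: corrupted, possibly on purpose.
        return CORRUPTED
    # Too small: probably an interrupted download, but a shortened,
    # tampered image is indistinguishable from one without the full file.
    return INCOMPLETE_OR_CORRUPTED


def demo() -> dict:
    """Run the checker over constructed variants of the sample image."""
    truncated = GENUINE[: EXPECTED_SIZE // 2]           # interrupted download
    tampered_short = bytearray(truncated)
    tampered_short[100] ^= 0xFF                          # shortened AND modified
    flipped = bytearray(GENUINE)
    flipped[0] ^= 0x01                                   # right size, one bit changed
    return {
        name: classify_download(bytes(blob), EXPECTED_SIZE, EXPECTED_SHA256)
        for name, blob in [
            ("genuine", GENUINE),
            ("too_big", GENUINE + b"\x00"),
            ("flipped", flipped),
            ("truncated", truncated),
            ("tampered_short", tampered_short),
        ]
    }
```

`demo()["truncated"]` and `demo()["tampered_short"]` are identical, which is the point of the side comment: size alone cannot tell an interrupted download from a shortened image.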