sajolida:
> And you can see my (ongoing) HTML prototyping work on the production
> website:
> http://tails.boum.org/install/download_2
s/loose/lose/
I'm not a big fan of "You might get hacked while using Tails if our
servers have been compromised and are serving malicious downloads":
it suggests that the verification step is worthwhile even if our
website has been compromised, which is wrong. Perhaps replace
"servers" with "download servers" or similar?
I'm not a big fan of "You might get hacked while using Tails if your
download is modified by an attacker in your country or on your local
network" + the link to the DigiNotar compromise either:
- The DigiNotar link suggests that the weakness verification protects
against is only about HTTPS, which is only the case when JS is
enabled (#12833). Now, when JS is disabled perhaps the "Why?" popup
can't be displayed anyway; if that's the case then you can ignore
this comment :)
- This text seems to only address targeted attacks in a specific
country or against a specific user, but an adversary who can break
HTTPS can exploit it anywhere between the download servers and the
client. And when downloading using Tor, an adversary who can break
HTTPS can also exploit it close to the exit node being used.
We would detect such a compromise ourselves only when facing an
not-too-sophisticated adversary. I kinda remember having had this
discussion already, sorry if I was arguing in the other direction
last time ;)
Cheers,
--
intrigeri
