intrigeri:
> sajolida:
>> And you can see my (ongoing) HTML prototyping work on the production
>> website:
>
>> http://tails.boum.org/install/download_2
Thanks for reviewing this! I didn't dare ask you explicitly but I'm
very happy you do it :)
> s/loose/lose/
>
> I'm not a big fan of "You might get hacked while using Tails if our
> servers have been compromised and are serving malicious downloads":
> it suggests that the verification step is worthwhile even if our
> website has been compromised, which is wrong. Perhaps replace
> "servers" with "download servers" or similar?
Yeah. I thought that in people's minds there's no difference between
"servers" and "download servers" and opted for the shorter version.
So what about "download mirrors"? Our audience might know what a mirror
is (cf. WikiLeaks back in the day, censorship events here and there,
etc.) plus the context should help understanding what this is about to
those who don't know yet.
> I'm not a big fan of "You might get hacked while using Tails if your
> download is modified by an attacker in your country or on your local
> network" + the link to the DigiNotar compromise either:
>
> - The DigiNotar link suggests that the weakness verification protects
> against is only about HTTPS, which is only the case when JS is
> enabled (#12833). Now, when JS is disabled perhaps the "Why?" popup
> can't be displayed anyway; if that's the case then you can ignore
> this comment :)
Yeah, people with no JS get no popup :)
> - This text seems to only address targeted attacks in a specific
> country or against a specific user, but an adversary who can break
> HTTPS can exploit it anywhere between the download servers and the
> client. And when downloading using Tor, an adversary who can break
> HTTPS can also exploit it close to the exit node being used.
> We would detect such a compromise ourselves only when facing a
> not-too-sophisticated adversary. I kinda remember having had this
> discussion already, sorry if I was arguing in the other direction
> last time ;)
As you can guess I don't remember this discussion at all.
I changed the sentence to:
    You might get hacked while using Tails if your download is modified
    on-the-fly by an attacker on the network.
So the attacker can be anywhere.
Better?