intrigeri:
> sajolida:
>> But the certificate pinning done by the extension precisely tries to
>> prevent such an attack, but only on the download of the ISO Description
>> File [2].
>
> It's unclear to me why DAVE v2 will need the ISO Description File since
> it won't download the ISO itself anymore (if I got it right). What did
> I miss?
Thanks for joining the thread! :)
For the record here is the IDF:
https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml
The new verification extension still needs the SHA-256 from the IDF.
But yes, it won't need the URL anymore.
We could still use the size to warn in a specific way when the download
is too short but I didn't think about that until now and I'm not 100%
sure that's very useful in modern browsers who already deal with
download interruptions (Firefox uses a temporary *.part file and only
rename it after the download is finish).