Re: [Tails-dev] Regarding certificate pinning in verificatio…

Delete this message

Reply to this message
Autore: sajolida
Data:  
To: The Tails public development discussion list, intrigeri, Uzair Farooq
Oggetto: Re: [Tails-dev] Regarding certificate pinning in verification extension
intrigeri:
> sajolida:
>> But the certificate pinning done by the extension precisely tries to
>> prevent such an attack, but only on the download of the ISO Description
>> File [2].
>
> It's unclear to me why DAVE v2 will need the ISO Description File since
> it won't download the ISO itself anymore (if I got it right). What did
> I miss?


Thanks for joining the thread! :)

For the record here is the IDF:

https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml

The new verification extension still needs the SHA-256 from the IDF.

But yes, it won't need the URL anymore.

We could still use the size to warn in a specific way when the download
is too short but I didn't think about that until now and I'm not 100%
sure that's very useful in modern browsers who already deal with
download interruptions (Firefox uses a temporary *.part file and only
rename it after the download is finish).