Hi!
On 22.03.19 15:47, Nicolas Vigier wrote:
> On Fri, 22 Mar 2019, sajolida wrote:
>> Whether there's a security loss for the 20% of users who currently use
>> the extension is precisely what we are asking more opinions about.
>>
>> For example, jvoisin's primary reaction on this thread is that it
>> doesn't have any significant downsides.
>>
>> What makes you think that doing the verification in the extension would
>> be less secure than doing the verification on the website? What kind of
>> attacks are we talking about here?
>
> It seems the extension is currently only downloading an unsigned json
> file with https to verify the checksums, so someone controlling the
> website could return a bad json file.
Correct.
> So it looks like in both cases (the extension and javascript on the
> website), an attacker controlling the website could make it possible
> for a bad download to be seen as good by the user. However there is
> still maybe a small difference:
> - with javascript on the website, an attacker controlling the website
> could just disable the verification and claim that any download is
> good.
Correct.
> - with the extension, an attacker controlling the website could replace
> the json file with one that contains a different checksum. However
> they have to guess what the user will have downloaded from the mirrors,
> which is maybe not easy if only one of the mirrors is bad. This is
> assuming that the extension only accepts json files containing only
> one value for the checksum, which I don't know if it is the case.
The JSON file can technically contain many files and their checksums.
> With the current version of the extension, I don't know if it makes a
> big difference. However if there was some plan to improve the extension
> to make it verify gpg signatures, then that could be a big difference.
Agreed.
Cheers!
u.
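An added illustration of the threat model discussed in this thread, written for this page and not code from the extension or from any participant: a minimal checksum verifier that reads a JSON manifest with several entries (the manifest format `{"files": {name: sha256hex}}`, the file names and all file contents are constructed assumptions), then walks through the two cases from the message above. If the attacker who controls the website alters the manifest entry for a file other than the one the user fetched from the bad mirror, the mismatch is still caught; if they alter the entry for exactly that file, the unsigned manifest offers no protection, which is why an independently verifiable signature on the manifest would make the difference.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a downloaded image, as the lowercase hex digest a manifest would list."""
    return hashlib.sha256(data).hexdigest()


def verify_download(filename: str, data: bytes, manifest_json: str) -> tuple:
    """Check `data` against the checksum listed for `filename` in the manifest.

    The manifest layout {"files": {name: sha256hex}} is an assumption made for
    this example. Returns (ok, reason) so callers can report why a check failed.
    """
    manifest = json.loads(manifest_json)
    expected = manifest.get("files", {}).get(filename)
    if expected is None:
        return False, "manifest has no checksum for %s" % filename
    actual = sha256_hex(data)
    # compare_digest avoids leaking how many leading hex characters matched
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch for %s" % filename
    return True, "checksum matches for %s" % filename


# Constructed sample data: two genuine images and one tampered image
# that a bad mirror would serve in place of image-a.iso.
GENUINE_A = b"genuine image A (constructed sample bytes)"
GENUINE_B = b"genuine image B (constructed sample bytes)"
TAMPERED_A = b"tampered image A from a bad mirror (constructed)"

# The manifest the honest website serves, covering several files.
GENUINE_MANIFEST = json.dumps({
    "files": {
        "image-a.iso": sha256_hex(GENUINE_A),
        "image-b.iso": sha256_hex(GENUINE_B),
    }
})


def tampered_manifest(target_name: str, bad_data: bytes) -> str:
    """Manifest as an attacker controlling the website would rewrite it:
    only the entry for `target_name` is replaced with the bad file's checksum."""
    manifest = json.loads(GENUINE_MANIFEST)
    manifest["files"][target_name] = sha256_hex(bad_data)
    return json.dumps(manifest)


def attacker_guesses_wrong_file() -> bool:
    """Bad mirror serves image-a.iso, but the website attacker rewrote the entry
    for image-b.iso. The unsigned manifest still catches the tampered download."""
    ok, _ = verify_download("image-a.iso", TAMPERED_A,
                            tampered_manifest("image-b.iso", TAMPERED_A))
    return ok  # False: mismatch detected


def attacker_guesses_right_file() -> bool:
    """Same bad mirror, but the attacker rewrote the entry for image-a.iso.
    Without a signature over the manifest, the tampered download passes."""
    ok, _ = verify_download("image-a.iso", TAMPERED_A,
                            tampered_manifest("image-a.iso", TAMPERED_A))
    return ok  # True: unsigned manifest gives no protection here


if __name__ == "__main__":
    print("genuine download:", verify_download("image-a.iso", GENUINE_A, GENUINE_MANIFEST))
    print("bad mirror, honest manifest:", verify_download("image-a.iso", TAMPERED_A, GENUINE_MANIFEST))
    print("attacker altered the wrong entry, caught:", not attacker_guesses_wrong_file())
    print("attacker altered the right entry, missed:", attacker_guesses_right_file())
```

The verifier itself is the same in both branches; what changes the outcome is only whether the attacker's rewrite of the website-served manifest happens to cover the file the user actually downloaded. A manifest carrying a signature that the extension checks against a key it ships with would close the second case, since the attacker could then alter neither entry without invalidating the signature.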