Re: [Tails-dev] Security implications: moving code from Veri…

Üzenet törlése

Válasz az üzenetre
Szerző: intrigeri
Dátum:  
Címzett: tails-dev
Tárgy: Re: [Tails-dev] Security implications: moving code from Verification Extension to our website
Hi,

u:
> On 16.04.19 14:29, intrigeri wrote:


>> One rather minor implementation note, that's relevant in this context
>> only because any software is only as secure as the _version run by
>> actual users_: this migration increases the need to ensure web
>> browsers use the correct version of the relevant web resources (such
>> as JavaScript files), to replace the extension version check we
>> currently have, which is done for every download. At the moment JS can
>> be cached for 24h. We have a ticket about this already; I think it
>> needs to be part of the migration plan.


> I don't think this increases this need: it's still the same as it is
> now, as the Installation Assistant already uses Javascript files hosted
> on the server.


Fair point, a component of the big picture is already subject to this
problem, so perhaps having even more code subject to this problem does
not change anything substantially. I don't know and I don't feel
competent to analyze the consequences of this further myself. The best
I can do is to clarify some technical details that might be useful to
whoever wants to dig deeper. So, this proposal replaces:

A. code, that currently lives in the current extension, and does its
own version checking independently of JS caching policy: it only
relies on data it gets from a HTML page that should not be cached
by browsers

with:

B. code that can be retrieved from the browser cache

And in both cases, as Ulrike mentioned, there's another piece of
cooperating JS code, that lives on our website and can already be
retrieved from the browser cache.

> Is the ticket you are talking about this one:
> https://redmine.tails.boum.org/code/issues/16091? (It's about CSS, not
> JS, but I suspect the exact same issue applies.)


Yes. I've just made it more generic :)

Cheers!
--
intrigeri