Re: [Tails-dev] Security implications: moving code from Ver…

Author: u
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Security implications: moving code from Verification Extension to our website
Hi!

On 26.04.19 14:51, intrigeri wrote:
> u:
>> On 16.04.19 14:29, intrigeri wrote:
>
>>> One rather minor implementation note, that's relevant in this context
>>> only because any software is only as secure as the _version run by
>>> actual users_: this migration increases the need to ensure web
>>> browsers use the correct version of the relevant web resources (such
>>> as JavaScript files), to replace the extension version check we
>>> currently have, which is done for every download. At the moment JS can
>>> be cached for 24h. We have a ticket about this already; I think it
>>> needs to be part of the migration plan.
>
>> I don't think this increases this need: it's still the same as it is
> >> now, as the Installation Assistant already uses JavaScript files hosted
>> on the server.
>
> Fair point, a component of the big picture is already subject to this
> problem, so perhaps having even more code subject to this problem does
> not change anything substantially. I don't know and I don't feel
> competent to analyze the consequences of this further myself. The best
> I can do is to clarify some technical details that might be useful to
> whoever wants to dig deeper. So, this proposal replaces:
>
> A. code, that currently lives in the current extension, and does its
>    own version checking independently of JS caching policy: it only
>    relies on data it gets from an HTML page that should not be cached
>    by browsers
>
> with:
>
> B. code that can be retrieved from the browser cache
>
> And in both cases, as Ulrike mentioned, there's another piece of
> cooperating JS code, that lives on our website and can already be
> retrieved from the browser cache.


I've noted some of your remarks (cross-origin policy + file caching)
on the ticket description of
https://redmine.tails.boum.org/code/issues/16128

However, currently we do this version check to check if the extension
verification is up to date on users' browsers. When implementing the
code on the website instead, the worst that will happen is that some
users live with 24 hours of cached JS code - that we can actually force
to be reloaded with methods described in the ticket I linked previously,
hence I believe the concern is even less concerning than in the current
setup (that requires intervention from users to update their extension).

>> Is the ticket you are talking about this one:
>> https://redmine.tails.boum.org/code/issues/16091? (It's about CSS, not
>> JS, but I suspect the exact same issue applies.)
>
> Yes. I've just made it more generic :)


Seen :)

Cheers!
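
The caching difference discussed in this thread (JS that can be cached for 24h versus an HTML page that should not be cached) can be measured from response headers. The following is an added example, not part of the original message or of Tails code: it computes how long a browser may reuse a response without contacting the server, using the explicit freshness rules of RFC 9111, and flags resources whose window exceeds a chosen budget. The URLs, header values and the one-hour budget are constructed assumptions.

```javascript
// Added example. Header names are assumed to be lowercased already.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, arg] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg.replace(/"/g, ''));
  }
  return directives;
}

// Seconds a browser (private cache) may reuse the response without revalidating.
// 0: must revalidate or may not store. null: no explicit lifetime, so the
// browser is free to apply a heuristic and the window is unknown.
function freshnessLifetime(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc.has('no-store') || cc.has('no-cache')) return 0;
  if (cc.has('max-age')) {                 // s-maxage only applies to shared caches
    const n = Number.parseInt(cc.get('max-age'), 10);
    return Number.isFinite(n) && n > 0 ? n : 0;
  }
  if (headers['expires'] && headers['date']) {
    const delta = (Date.parse(headers['expires']) - Date.parse(headers['date'])) / 1000;
    return Number.isFinite(delta) && delta > 0 ? delta : 0;
  }
  return null;
}

// Flag every resource whose staleness window is unknown or above the budget.
function auditStaleness(resources, budgetSeconds) {
  return resources.map(({ url, headers }) => {
    const lifetime = freshnessLifetime(headers);
    return { url, lifetime, exceeds: lifetime === null || lifetime > budgetSeconds };
  });
}

// Constructed sample responses (hypothetical paths, not the real site layout).
const SAMPLE = [
  { url: '/example/version.html', headers: { 'cache-control': 'no-cache' } },
  { url: '/example/verify.js', headers: { 'cache-control': 'public, max-age=86400' } },
  { url: '/example/style.css', headers: {
      date: 'Fri, 26 Apr 2019 12:00:00 GMT', expires: 'Sat, 27 Apr 2019 12:00:00 GMT' } },
  { url: '/example/helper.js', headers: {} },
];

for (const r of auditStaleness(SAMPLE, 3600)) {
  console.log(`${r.exceeds ? 'STALE-RISK' : 'ok        '} ${r.url} lifetime=${r.lifetime}`);
}
```

A `null` lifetime is flagged on purpose: without explicit headers the reuse window depends on the browser's heuristic rather than on the site's policy.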