Feature #11039
Publishing the OpenPGP instructions outside of our website
0%
Description
If the instructions on the website are fake due to mim attack or due to the website being compromised, the instructions for the pgp verification will be fake too. If the instructions and the key are published on multiple platforms however, (like irc, i2p, tor, i2p-irc, andoid/iphone app etc.) it will be easy to spot fake instructions and keys even for beginners. To receive fake instructions all the platforms would have to be compromised. For new users this method of cross–checking would allow to trust the pgp instructions on the website for future use.
Subtasks
Related issues
Related to Tails - |
Resolved | 2018-07-01 |
History
#1 Updated by goupille 2016-02-15 14:55:01
- Status changed from New to Rejected
- Priority changed from Elevated to Normal
Hi !
our PGP public keys are available on the key servers, the certificates of bou.org are verifiable (and available on another server) and there are multiple ways to verify an iso (https://tails.boum.org/download/#verify) so I think this ticket should be closed.
#2 Updated by sajolida 2016-02-16 07:54:28
- Subject changed from Publishing the instructions and the key on multiple platforms for extra security. to Publishing the OpenPGP instructions on multiple platforms
- Status changed from Rejected to Confirmed
- Assignee set to XiauWu
- QA Check set to Info Needed
All you said goupille is right but:
- Manually checking the SSL certificate for boum.org is not really practical. I mean, who does that?
- It doesn’t take into account the server itself temporarily serving rogue content.
So the idea of publishing the OpenPGP instructions on other media (online as well as offline) still makes sense.
I adjusted the title of the ticket to be more clear.
Still, I think that it only make sense to publish in this way the advanced OpenPGP instructions that go through the web-of-trust (otherwise you’re trusting https://tails.boum.org anyway). Right now that would be the content of https://tails.boum.org/install/expert/usb/. Until we solve Feature #11027.
XiauWu would you be interested in preparing a copy of https://tails.boum.org/install/expert/usb/ on Github maybe?
How do you think we could reduce the cost of keeping this page up-to-date to the minimum? Could we dump the HTML directly on Github? Part of it?
#3 Updated by Anonymous 2018-08-18 09:20:17
- Assignee deleted (
XiauWu) - QA Check deleted (
Info Needed) - Type of work changed from Security Audit to End-user documentation
#4 Updated by Anonymous 2018-08-18 09:23:03
- related to
Bug #15697: Downloading ISO and verifying signature not giving result shown in instructions added
#5 Updated by sajolida 2018-08-25 10:16:20
- Subject changed from Publishing the OpenPGP instructions on multiple platforms to Publishing the OpenPGP instructions outside of our website
- Priority changed from Normal to Low