Feature #11039

Publishing the OpenPGP instructions outside of our website

Added by XiauWu 2016-02-01 11:53:42. Updated 2018-08-25 10:16:20.

Status:
Confirmed
Priority:
Low
Assignee:
Category:
Target version:
Start date:
2016-02-01
Due date:
% Done:

0%

Feature Branch:
Type of work:
End-user documentation
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

If the instructions on the website are fake due to a MITM attack or due to the website being compromised, the instructions for the PGP verification will be fake too. If the instructions and the key are published on multiple platforms, however (like IRC, I2P, Tor, I2P-IRC, Android/iPhone app, etc.), it will be easy to spot fake instructions and keys even for beginners. To receive fake instructions, all the platforms would have to be compromised. For new users this method of cross-checking would allow them to trust the PGP instructions on the website for future use.
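The cross-check the ticket proposes, written out as an added Python example (not Tails project code): take the raw OpenPGP public-key packet obtained from each independent channel, derive its fingerprint as RFC 4880 specifies, and report whether every channel agrees. The key material below is constructed test data, not the Tails signing key.

```python
import hashlib

def _mpi(n):
    """Encode an integer as an RFC 4880 MPI: 2-byte bit count, then big-endian bytes."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def parse_public_key_packet(data):
    """Parse one v4 public-key packet (tag 6) with an old- or new-format header."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if tag_byte & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, first = tag_byte & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old-format header (section 4.2.1): length size is 1 << ltype bytes
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        length, off = int.from_bytes(data[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or non-v4 key")
    # Section 12.2: v4 fingerprint = SHA-1(0x99 || 2-byte body length || body)
    fpr = hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
    return {"version": 4, "created": int.from_bytes(body[1:5], "big"),
            "algo": body[5], "fingerprint": fpr, "key_id": fpr[-16:]}

def cross_check(channels):
    """channels maps a source name (website, keyserver, mirror, ...) to the raw key packet
    obtained there. Returns (all_agree, {source: fingerprint}); any mismatch means at
    least one source serves a different key, so none of them can be trusted yet."""
    fprs = {src: parse_public_key_packet(blob)["fingerprint"] for src, blob in channels.items()}
    return len(set(fprs.values())) == 1, fprs

def build_rsa_public_key_packet(n, e, created):
    """Constructed test helper (not a real key): old-format tag-6 v4 RSA public-key packet.
    Header byte 0x99 = old format, tag 6, 2-byte length, the same prefix the fingerprint uses."""
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)
    return b"\x99" + len(body).to_bytes(2, "big") + body
```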


Subtasks


Related issues

Related to Tails - Bug #15697: Downloading ISO and verifying signature not giving result shown in instructions Resolved 2018-07-01

History

#1 Updated by goupille 2016-02-15 14:55:01

  • Status changed from New to Rejected
  • Priority changed from Elevated to Normal

Hi!

Our PGP public keys are available on the key servers, the certificates of boum.org are verifiable (and available on another server), and there are multiple ways to verify an ISO (https://tails.boum.org/download/#verify), so I think this ticket should be closed.

#2 Updated by sajolida 2016-02-16 07:54:28

  • Subject changed from Publishing the instructions and the key on multiple platforms for extra security. to Publishing the OpenPGP instructions on multiple platforms
  • Status changed from Rejected to Confirmed
  • Assignee set to XiauWu
  • QA Check set to Info Needed

All you said, goupille, is right, but:

  • Manually checking the SSL certificate for boum.org is not really practical. I mean, who does that?
  • It doesn’t take into account the server itself temporarily serving rogue content.

So the idea of publishing the OpenPGP instructions on other media (online as well as offline) still makes sense.

I adjusted the title of the ticket to be more clear.

Still, I think that it only makes sense to publish in this way the advanced OpenPGP instructions that go through the web of trust (otherwise you’re trusting https://tails.boum.org anyway). Right now that would be the content of https://tails.boum.org/install/expert/usb/, until we solve Feature #11027.

XiauWu would you be interested in preparing a copy of https://tails.boum.org/install/expert/usb/ on Github maybe?

How do you think we could reduce the cost of keeping this page up-to-date to the minimum? Could we dump the HTML directly on Github? Part of it?

#3 Updated by Anonymous 2018-08-18 09:20:17

  • Assignee deleted (XiauWu)
  • QA Check deleted (Info Needed)
  • Type of work changed from Security Audit to End-user documentation

#4 Updated by Anonymous 2018-08-18 09:23:03

  • related to Bug #15697: Downloading ISO and verifying signature not giving result shown in instructions added

#5 Updated by sajolida 2018-08-25 10:16:20

  • Subject changed from Publishing the OpenPGP instructions on multiple platforms to Publishing the OpenPGP instructions outside of our website
  • Priority changed from Normal to Low