Speaking as maintainer of Whonix here.

Jacob Appelbaum:
> When upgrading a tails machine today, I noticed that the default
> download link is HTTP.

This is actually a problem for many (security related) application downloads, not only for Tails. For example, the gpg4win homepage also has no https download. And how is a Windows user supposed to download gpg4win? Over an unauthenticated channel? How many join a real life gpg community, get the signatures for gpg itself and verify it? 1 to 1000?

> We've done some statistics on the number of users
> that actually bother to download signatures - it basically borders on
> none for some software. Does Tails find that for every ISO, users
> download the signature? Ten to one? Perhaps one out of every thousand
> downloads?

Switching topic to Whonix... Actually it's more like twenty to one (a little worse).

Whonix-Gateway.ova downloads [1] per week: 668
Whonix-Gateway.ova.sig downloads [2] per week: 30

And some may think: verification is for paranoids only. It's not. It's a real issue already, not theoretical. And Whonix already got attention from the GFW. [3] There are already state-sponsored malware attacks. Infecting an unauthenticated download on the fly isn't rocket science. Something which could happen very soon and no one should be surprised. Yet, I don't see any awareness.

> I really strongly encourage that the default download link should be
> secure -

That's a fine goal.

> if there was a tool to download updates and it automatically
> checked the signatures, I'd think it was perhaps OK to use HTTP.

That's the point. Is there such a tool already? I don't think we need a Tails download tool, a gpg4win downloader, a Whonix download tool, a TBB download tool...

> Without such a tool, I think this is merely a
> recipe for disaster.

Agreed.

> We carry a secure mirror here:
>
> https://archive.torproject.org/amnesia.boum.org/tails/stable/
>
> If you guys can't handle HTTPS traffic, I really encourage you to link
> to our HTTPS site as the default. If nothing else, I believe that some
> browsers also pin our certs. That at least changes the game to something
> a bit harder.

That's a nice offer. Unfortunately, not everyone has someone to foot the bill and I think many projects are affected. So I'd like to brainstorm about this secure download tool.

References:
[1] https://sourceforge.net/projects/whonix/files/whonix-0.5.6/
[2] https://sourceforge.net/projects/whonix/files/whonix-0.5.6-sig/
[3] http://whonix.sourceforge.net/screenshots/greatfire.html
