In response to "the tool doesn't exist"... You can create a really great privacy preserving application, Open Source, but when you want to share it with the world, it's difficult to ensure that users actually get legit versions.
Goal:
- big file downloads
- at least as secure as TLS
- at least as simple as a regular download using a browser
- not using TLS itself (too expensive) for bulk download

The problem:

1. Unauthenticated downloads can get infected with malware on the fly and we're living in a world where governments are interested in doing so or already doing it.

2. There are no free Open Source hosts providing TLS or any other kind of authentication usable by laymen. (github doesn't provide downloads anymore, sourceforge "only" offers unlimited free http downloads, no TLS.)

3. TLS downloads are expensive. I am creating Free Software myself already (Whonix), but I am not willing to pay hundreds of dollars every month for TLS downloads and many other producers of Free Software aren't willing to do that as well. That's just the reality.

4. Gpg verification - almost no one uses it. Technically, it works okay, you can share your OpenPGP public key over TLS (web traffic isn't the most expensive thing, downloads are) or even web of trust (non-anonymous people) and it can verify builds. Since only one in twenty persons (or worse) uses it for verification, for whatever reasons, it's not the solution.

5. Windows doesn't even have a package manager like Debian has apt-get. (Sorry, I am ignorant about Windows 8 and its app store thingy and not sure if FOSS developers can easily add their software.)

6. Linux distributions, such as Debian, have awesome updating systems (Debian has apt-get, which even defeats The Update Framework threat model [1], other distributions may have similar great updaters). Problem: it's far from easy to get software into the repository, you need to create packages following their policy, need to be a Debian developer or need a sponsor, that's absolutely non-trivial, many projects just failed or have given up (example: Retroshare). Usually their repository is filled up with high quality packages. Just many projects/newer projects not capable/compatible/etc. with that end up using less secure methods to share their software. There is nothing in the middle such as a PPA service. (Ubuntu has a PPA service, but Ubuntu should be avoided for other privacy issues [2].)

7. Metalink could solve it, if there were metalink downloaders supporting OpenPGP, but there aren't any.

8. Mainstream browsers don't come with Metalink/OpenPGP support out of the box, so you'd still have to tell users "you have to download tool X to download our tool Y".

In conclusion:

I don't think we need a gpg4win downloader, a TBB downloader, Tails downloader, a Whonix downloader... That's just a lot of duplicate effort and another bootstrap issue: how to share the download tool itself? Make it small and share it over TLS? I think, this kind of tool doesn't exist yet.

References:
[1] https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses
[2] https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
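Added example, not part of the original message: a sketch of the integrity half of the Metalink idea in item 7, parsing a Metalink 4 (RFC 5854) document and checking a bulk download fetched over plain HTTP against its SHA-256 hash and size. The file name, mirror URL and payload are constructed, and the Metalink document itself is assumed to have been authenticated already (over TLS or by an OpenPGP signature), which this code does not check.

```python
import hashlib
import io
import xml.etree.ElementTree as ET

NS = {"ml": "urn:ietf:params:xml:ns:metalink"}  # Metalink 4 namespace (RFC 5854)

# Constructed sample: PAYLOAD stands in for a large release image.
PAYLOAD = b"constructed release image bytes\n" * 1024
METALINK = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="example-release.img">
    <size>{len(PAYLOAD)}</size>
    <hash type="sha-256">{hashlib.sha256(PAYLOAD).hexdigest()}</hash>
    <url>http://mirror.example.org/example-release.img</url>
  </file>
</metalink>"""


def parse_metalink(xml_text):
    """Return {file name: {"size", "sha256", "urls"}}. Parse only after the
    document has been authenticated; it is the root of trust for the download."""
    files = {}
    for f in ET.fromstring(xml_text).findall("ml:file", NS):
        hashes = {h.get("type"): h.text.strip().lower() for h in f.findall("ml:hash", NS)}
        if "sha-256" not in hashes:
            raise ValueError("no sha-256 hash for " + f.get("name"))
        files[f.get("name")] = {
            "size": int(f.findtext("ml:size", namespaces=NS)),
            "sha256": hashes["sha-256"],
            "urls": [u.text.strip() for u in f.findall("ml:url", NS)],
        }
    return files


def verify_stream(stream, entry, chunk=65536):
    """Hash the download as it arrives; reject on size or digest mismatch."""
    digest, seen = hashlib.sha256(), 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        seen += len(block)
        if seen > entry["size"]:
            return False  # mirror sent more data than the manifest allows
        digest.update(block)
    return seen == entry["size"] and digest.hexdigest() == entry["sha256"]


if __name__ == "__main__":
    entry = parse_metalink(METALINK)["example-release.img"]
    print("intact:", verify_stream(io.BytesIO(PAYLOAD), entry))
    print("modified in transit:", verify_stream(io.BytesIO(b"X" + PAYLOAD[1:]), entry))
```

Only the small Metalink document needs an authenticated channel; the bulk bytes can come from any HTTP mirror and are rejected if they do not match.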
