On 10 August 2013 16:43, Michael Rogers <mich...@briarproject.org> wrote:
> On 09/08/13 17:43, Reed Black wrote:
>> CryptoCat is served up by the Chrome app store. Do you have
>> control over what binary gets distributed to who? Does any assurance
>> exist beyond the app store's own signing validation?
>>
>> I thought this was like webmasters and third-party script
>> inclusions. They will be blind if Google or DoubleClick are
>> compelled to selectively swap out the scripts they serve to
>> millions of third-party sites.
>
> If we assume that app stores aren't going away any time soon, we need
> to address this problem: How can a user who downloads an app from an
> app store be satisfied that it was built from published source code?
>
> We might also think about how to solve the problem for apps downloaded
> through browsers.
>
> Verifiable builds are necessary but not sufficient here - they allow
> an expert auditor to tell whether the binary she downloaded was built
> from the published source, but an attacker might target the binaries
> downloaded by certain other users without alerting the auditor. So we
> also need a way for a non-expert user to tell whether the binary she
> downloaded matches the one that was audited.
>
> PGP signatures and hashes aren't currently usable by non-experts, and
> signatures or hashes published through the same channel as the binary
> can be tampered with in the same way as the binary.
>
> Something along the lines of Certificate Transparency might be useful
> here: a public log of software names, versions, and hashes, which a
> browser or other download tool can use to verify downloaded binaries
> without any manual steps needing to be taken by the user. Software
> publishers would be responsible for adding entries to the log for
> their own software and monitoring the log for entries added by anyone
> else.

FWIW, the Certificate Transparency code already has (primitive)
support for Binary Transparency:
https://code.google.com/p/certificate-transparency/source/browse/src/server/blob-server.cc.

Patches, as always, welcome.

>
> Cheers,
> Michael
>
> --
> Liberationtech is a public list whose archives are searchable on Google. 
> Violations of list guidelines will get you moderated: 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
> change to digest, or change password by emailing moderator at 
> compa...@stanford.edu or changing your settings at 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
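A worked sketch of the log Michael describes (an added illustration, not code from this thread or from the certificate-transparency project): a toy binary-transparency log hashed the way a Certificate Transparency Merkle tree is, the check a download tool would run with no manual step by the user, and the publisher-side monitoring for entries it never added. Entry format, app names and binaries are constructed for the example; signing of the tree head by the log operator is assumed and omitted.

```python
import hashlib
import json
def leaf_hash(entry: dict) -> bytes:
    # RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes
    return hashlib.sha256(b"\x00" + json.dumps(entry, sort_keys=True).encode()).digest()
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()
def tree_head(leaves: list) -> bytes:
    # Merkle tree hash over the whole log; a real log operator would sign this head
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two below n
    return node_hash(tree_head(leaves[:k]), tree_head(leaves[k:]))
def inclusion_proof(leaves: list, m: int) -> list:
    # Audit path for leaf m: the sibling hashes a client needs to recompute the head
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [tree_head(leaves[k:])]
    return inclusion_proof(leaves[k:], m - k) + [tree_head(leaves[:k])]
def verify_inclusion(leaf: bytes, index: int, size: int, path: list, head: bytes) -> bool:
    # Client-side check, following the RFC 9162 inclusion-proof verification steps
    fn, sn, r = index, size - 1, leaf
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while fn & 1 == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == head
def verify_download(blob: bytes, name: str, version: str, log: list) -> bool:
    # Download-tool side: hash the binary, find its entry, prove the entry is in the tree
    digest, leaves = hashlib.sha256(blob).hexdigest(), [leaf_hash(e) for e in log]
    for i, e in enumerate(log):
        if (e["name"], e["version"]) == (name, version):
            return e["sha256"] == digest and verify_inclusion(
                leaves[i], i, len(log), inclusion_proof(leaves, i), tree_head(leaves))
    return False  # never logged: reject instead of trusting the app store alone
def unexpected_entries(log: list, name: str, known: set) -> list:
    # Publisher-side monitoring: entries under our name whose hash we never released
    return [e for e in log if e["name"] == name and e["sha256"] not in known]
GOOD = b"constructed example-app 1.2.3 binary"  # constructed sample binary
LOG = [{"name": n, "version": v, "sha256": hashlib.sha256(b).hexdigest()} for n, v, b in
       [("example-app", "1.2.3", GOOD), ("other-app", "7.0", b"other"), ("example-app", "1.2.4", b"rogue")]]
```

A binary swapped for one user fails `verify_download` because its hash matches no logged entry, and the rogue `1.2.4` entry shows up to the publisher through `unexpected_entries`.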