TL;DR: Does anyone know how to set up a mirror network supporting SSL?
The problem is, the domain name will be https://sslmirror.whonix.org, but the SSL certificate will be provided by https://some-friendly-mirror.domain. This will likely result in an SSL mismatch? Are you aware of any software project that has already implemented SSL mirrors?

Long:

We, the people behind Whonix [1] (fortasse, Jason and me), would be interested in sharing our software over an https mirror network.

Having SSL-supported mirrors may seem like an oxymoron. The common practice is to say that mirrors are not to be trusted. Even if the mirror owners were trusted persons, it's still an open question how good their server security is. And even if their server security is good, mirrors are generally also hosted at hosting companies, and we can't trust those.

However, not all adversaries share all available capabilities. Not all adversaries capable of mounting a man-in-the-middle attack are capable of breaking server security or forcing the hosting company to turn over the keys etc. Users not caring to use verification are still better off downloading from an SSL-supported mirror that works against less sophisticated adversaries. In numbers, this results in fewer users potentially ending up with maliciously altered downloads, so we think this is worth going for.

It would also be safer if the download server were under full control of the developers and not under control of a big company (hosting provider). But that's not how things work today. Self-hosting is very expensive. (It requires a fast internet connection, home user contracts won't be fast enough, many servers, electricity and physical security (officers).) Even the servers of The Tor Project are not hosted in some developer's home.

Of course, providing downloadable images over SSL and/or a hidden service hosted by Whonix developers in a physically owned and protected place would be safer. Practically, it is difficult to provide SSL-protected downloads at all. Many important software projects can only be downloaded in the clear, such as Ubuntu, Debian, Tails, Qubes OS, etc. This is because someone has to pay the bill, and SSL (encryption) makes it more expensive.

The SSL CA system being flawed in the first place is another story, but in the meantime it's the best we've got and we have to deal with it.

Cheers,
Patrick

[1] https://www.whonix.org
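The name mismatch asked about at the top of this message, as an added example that is not part of the original post: a TLS client compares the hostname it requested with the DNS names in the certificate the server presents, whatever machine DNS pointed it to. The two hostnames are the ones from the post; the SAN lists and function names are constructed for illustration and do not describe real certificates.

```python
# Added illustration: RFC 6125-style hostname check as a TLS client performs it.
# SAN lists below are constructed sample data, not taken from real certificates.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against the hostname the client requested."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more or fewer labels
    if p_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label,
        # and not directly under a top-level label such as "*.org".
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_valid_for(san_dns_names, requested_host) -> bool:
    """True if any dNSName in the certificate covers the requested hostname."""
    return any(name_matches(n, requested_host) for n in san_dns_names)


REQUESTED = "sslmirror.whonix.org"  # name the user typed (from the post)
MIRROR_HOST = "some-friendly-mirror.domain"  # mirror's own name (from the post)

# Constructed: a certificate the mirror operator holds for their own domain.
MIRROR_CERT_SANS = [MIRROR_HOST, "www." + MIRROR_HOST]
# Constructed: a certificate issued for the project's own names.
PROJECT_CERT_SANS = ["whonix.org", "*.whonix.org"]


def check_all() -> dict:
    return {
        # DNS points the project name at the mirror, mirror shows its own cert.
        "mirror_cert_for_project_name": cert_valid_for(MIRROR_CERT_SANS, REQUESTED),
        # Client was sent to the mirror under the mirror's own name.
        "mirror_cert_for_own_name": cert_valid_for(MIRROR_CERT_SANS, MIRROR_HOST),
        # Server presents a certificate that covers the project name.
        "project_cert_for_project_name": cert_valid_for(PROJECT_CERT_SANS, REQUESTED),
    }


if __name__ == "__main__":
    for case, ok in check_all().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```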
