Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone wrote: On 10/07/2014 23:35, sajol...@pimienta.org wrote: Still, I'd suggest not losing focus with that discussion now, and moving on to the initial implementation to verify SHA-256 and reconsider all that later on :) I agree and I'm almost done with that: I managed to make Firefox perform SHA-256 verification of the current ISO asynchronously, without blocking the browser GUI at all, in 7 seconds, which oddly seems significantly faster than the native GPG CLI (blocking), at least on my system. Woh, exciting! Now I just have to wrap this code in a nice UI and package ;) And just tell us if you need a Git repo to host our code on our infrastructure. -- sajolida signature.asc Description: OpenPGP digital signature ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/07/2014 23:35, sajol...@pimienta.org wrote: Still, I'd suggest not losing focus with that discussion now, and moving on to the initial implementation to verify SHA-256 and reconsider all that later on :) I agree and I'm almost done with that: I managed to make Firefox perform SHA-256 verification of the current ISO asynchronously, without blocking the browser GUI at all, in 7 seconds, which oddly seems significantly faster than the native GPG CLI (blocking), at least on my system. Now I just have to wrap this code in a nice UI and package ;) I created #7552 on our Redmine to track that project. Feel free to create yourself an account and assign that task to you. I registered an account, nickname ma1, but I didn't manage to assign the task to myself. Should anybody add me as a member to the project first? Thanks - -- G -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTytVyAAoJECMag6/anCQ013AH/jWv7MANQ3kW2WHAVYePYAjY UcsZaejvsnFGlM0MHZ7BSz292R+x0646SBue+sHo62fcqiGwNHAGR8O5B/yuq/Ln kmHZgEhUDfSjz3OynYH0DrCkK5BKlA49NDq/4efw154RIcM9fSq2X0yAEq6RJ0WH WTr/fbksXO/ZT9t1+2XFqhsGBqAxBAcXilr3O0EQwo9UeigkpR0AcwvnyHgoHTNp XrZF5UjuYnpvlbmP2mmDlWUAfGC2uWfVzv/SAbZEvjPwwH6IGKB4CZGx2nEmv/gl SqxSYCLZYEa/1zf6LxgYdgic5YHo+TUmrhCshdj9B7gIezvKG5OBfl1xYYhqn9E= =AK5o -END PGP SIGNATURE- ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone: [...] I created #7552 on our Redmine to track that project. Feel free to create yourself an account and assign that task to you. I registered an account, nickname ma1, but I didn't manage to assign the task to myself. Should anybody add me as a member to the project first? Done :) Cheers, BitingBird ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
While you're at it, would it be a lot more effort to make it a generic download extension? I certainly enjoyed to have this issue that many software projects suffer from solved in a generic way. Otherwise it might get forked some day to have a download extension for gpg, TBB, Whonix, etc.? :) ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
Hi, sajolida wrote (06 Jul 2014 15:01:07 GMT) : Together with Giorgio Maone from NoScript and tchou we designed a crazy new plan to solve a great deal of ISO verification for the masses. Here it is: https://tails.boum.org/blueprint/download_extension/ Now that the plan was apparently checked by several people, this needs to be tracked as a sub-task of #6851, right? (And maybe other #6851's children need to be updated or closed.) Cheers, -- intrigeri ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone wrote: On 09/07/2014 01:41, Alasdair Young wrote: I'm not a fan of openpgp.js for a lot of reasons. http://tonyarcieri.com/whats-wrong-with-webcrypto explains why in a much better way than I ever could. I'm very new to this community and its mindset, so I know I've got a lot to learn and I'm certainly missing something essential, but I fail to understand how those (mostly valid) objections apply to our scenario, since they are directed either against the webcrypto standardization process or aganst cryptography performed in the context of a web page: 1. OpenPGP.js does not *depend* on webcrypto, even if it supports it 2. We wouldn't run as web content, but as privileged code, with the same powers and the same isolation as the browser itself (much like any platform-native program, even if written in cross-platform JavaScript). 3. We don't need to deal with private keys Hey Giorgio! Thanks for clarifying that. Your reasoning sounds good to me, but I don't have the technical insight to validate everything that we are saying here. I added the idea to the blueprint (d5bc710) feel free to add more technical details. Still, I'd suggest not losing focus with that discussion now, and moving on to the initial implementation to verify SHA-256 and reconsider all that later on :) I created #7552 on our Redmine to track that project. Feel free to create yourself an account and assign that task to you. -- sajolida signature.asc Description: OpenPGP digital signature ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone wrote (07 Jul 2014 11:48:38 GMT) : Furthermore, if tails-dev has or can obtain a code signing certificate compatible with Mozilla XPIs ( https://developer.mozilla.org/en-US/docs/Signing_a_XPI ), we could ship a signed XPI as a mitigation against MITM concerns. Data point: we have no such certificate yet. Cheers, -- intrigeri ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
Giorgio Maone wrote: Hi everybody. The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher. I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself. I didn't put that idea on the blueprint so far, for the following reasons: - OpenPGP for verifying our ISO image is only stronger than SHA256 if the WoT is used to build strong trust in the signing key. Otherwise, you might as well get an HTTPS MitM while receiving the key, as much as while receiving the hash. - Our past experience with Firegpg [1] taught us that doing GPG inside of a browser is usually a bad idea. The same might not apply to an ISO verification but I would check this very carefully before going this way. - I don't know how portable it would be to do such GPG operations from inside the browser. Would the user need to have GPG installed on their Windows or Mac OS X? Would we ship a GPG ourselves? All those options sounds scary to me :) Those are the reasons why I'm not convinced by that idea. We might also want to further discuss the role of the OpenPGP verification in the broad installation process with UX people. But anyway, that discussion shouldn't block in any way the first implementation... [1]: https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html -- sajolida signature.asc Description: OpenPGP digital signature ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
OpenPGP.js doesn't require the user to have GPG installed on their system. Ideally, in this case, the pubkey would be already packaged within the extension, with only signed updates being able to overwrite it. However, I think to some extent this still relies on a user making an effort to verify the key's validity via its web of trust. best, Griffin On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org wrote: Giorgio Maone wrote: Hi everybody. The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher. I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself. I didn't put that idea on the blueprint so far, for the following reasons: - OpenPGP for verifying our ISO image is only stronger than SHA256 if the WoT is used to build strong trust in the signing key. Otherwise, you might as well get an HTTPS MitM while receiving the key, as much as while receiving the hash. - Our past experience with Firegpg [1] taught us that doing GPG inside of a browser is usually a bad idea. The same might not apply to an ISO verification but I would check this very carefully before going this way. - I don't know how portable it would be to do such GPG operations from inside the browser. Would the user need to have GPG installed on their Windows or Mac OS X? Would we ship a GPG ourselves? All those options sounds scary to me :) Those are the reasons why I'm not convinced by that idea. We might also want to further discuss the role of the OpenPGP verification in the broad installation process with UX people. But anyway, that discussion shouldn't block in any way the first implementation... [1]: https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html -- sajolida ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org. -- Sent from my tracking device. Please excuse brevity and cat photos.___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
On 09/07/2014 00:46, Griffin Boyce wrote: OpenPGP.js doesn't require the user to have GPG installed on their system. And keeps things cross-platform. Ideally, in this case, the pubkey would be already packaged within the extension, with only signed updates being able to overwrite it. Yes, that was the idea. However, I think to some extent this still relies on a user making an effort to verify the key's validity via its web of trust. It would be nice, but if the user cannot trust the extension he installed he pretty much lost anyway, so this setup would generally mitigate the risk of a MITM while grabbing the hash. However I agree, this is for a future version and shouldn't prevent us from shipping basic download+verification. -- G best, Griffin On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org wrote: Giorgio Maone wrote: Hi everybody. The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher. I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself. I didn't put that idea on the blueprint so far, for the following reasons: - OpenPGP for verifying our ISO image is only stronger than SHA256 if the WoT is used to build strong trust in the signing key. Otherwise, you might as well get an HTTPS MitM while receiving the key, as much as while receiving the hash. - Our past experience with Firegpg [1] taught us that doing GPG inside of a browser is usually a bad idea. The same might not apply to an ISO verification but I would check this very carefully before going this way. - I don't know how portable it would be to do such GPG operations from inside the browser. Would the user need to have GPG installed on their Windows or Mac OS X? Would we ship a GPG ourselves? All those options sounds scary to me :) Those are the reasons why I'm not convinced by that idea. We might also want to further discuss the role of the OpenPGP verification in the broad installation process with UX people. But anyway, that discussion shouldn't block in any way the first implementation... [1]: https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html -- Sent from my tracking device. Please excuse brevity and cat photos. -- -- Giorgio Maone http://maone.net ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
I'm not a fan of openpgp.js for a lot of reasons. http://tonyarcieri.com/whats-wrong-with-webcrypto explains why in a much better way than I ever could. - alasdair On Jul 8, 2014 3:47 PM, Griffin Boyce grif...@cryptolab.net wrote: OpenPGP.js doesn't require the user to have GPG installed on their system. Ideally, in this case, the pubkey would be already packaged within the extension, with only signed updates being able to overwrite it. However, I think to some extent this still relies on a user making an effort to verify the key's validity via its web of trust. best, Griffin On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org wrote: Giorgio Maone wrote: Hi everybody. The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher. I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself. I didn't put that idea on the blueprint so far, for the following reasons: - OpenPGP for verifying our ISO image is only stronger than SHA256 if the WoT is used to build strong trust in the signing key. Otherwise, you might as well get an HTTPS MitM while receiving the key, as much as while receiving the hash. - Our past experience with Firegpg [1] taught us that doing GPG inside of a browser is usually a bad idea. The same might not apply to an ISO verification but I would check this very carefully before going this way. - I don't know how portable it would be to do such GPG operations from inside the browser. Would the user need to have GPG installed on their Windows or Mac OS X? Would we ship a GPG ourselves? All those options sounds scary to me :) Those are the reasons why I'm not convinced by that idea. We might also want to further discuss the role of the OpenPGP verification in the broad installation process with UX people. But anyway, that discussion shouldn't block in any way the first implementation... [1]: https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html -- Sent from my tracking device. Please excuse brevity and cat photos. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
On 09/07/2014 01:41, Alasdair Young wrote: I'm not a fan of openpgp.js for a lot of reasons. http://tonyarcieri.com/whats-wrong-with-webcrypto explains why in a much better way than I ever could. I'm very new to this community and its mindset, so I know I've got a lot to learn and I'm certainly missing something essential, but I fail to understand how those (mostly valid) objections apply to our scenario, since they are directed either against the webcrypto standardization process or aganst cryptography performed in the context of a web page: 1. OpenPGP.js does not *depend* on webcrypto, even if it supports it 2. We wouldn't run as web content, but as privileged code, with the same powers and the same isolation as the browser itself (much like any platform-native program, even if written in cross-platform JavaScript). 3. We don't need to deal with private keys -- G On Jul 8, 2014 3:47 PM, Griffin Boyce grif...@cryptolab.net mailto:grif...@cryptolab.net wrote: OpenPGP.js doesn't require the user to have GPG installed on their system. Ideally, in this case, the pubkey would be already packaged within the extension, with only signed updates being able to overwrite it. However, I think to some extent this still relies on a user making an effort to verify the key's validity via its web of trust. best, Griffin On July 8, 2014 6:19:07 PM EDT, sajol...@pimienta.org mailto:sajol...@pimienta.org wrote: Giorgio Maone wrote: Hi everybody. The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher. I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself. I didn't put that idea on the blueprint so far, for the following reasons: - OpenPGP for verifying our ISO image is only stronger than SHA256 if the WoT is used to build strong trust in the signing key. Otherwise, you might as well get an HTTPS MitM while receiving the key, as much as while receiving the hash. - Our past experience with Firegpg [1] taught us that doing GPG inside of a browser is usually a bad idea. The same might not apply to an ISO verification but I would check this very carefully before going this way. - I don't know how portable it would be to do such GPG operations from inside the browser. Would the user need to have GPG installed on their Windows or Mac OS X? Would we ship a GPG ourselves? All those options sounds scary to me :) Those are the reasons why I'm not convinced by that idea. We might also want to further discuss the role of the OpenPGP verification in the broad installation process with UX people. But anyway, that discussion shouldn't block in any way the first implementation... [1]: https://tails.boum.org/doc/encryption_and_privacy/FireGPG_susceptible_to_devastating_attacks/index.en.html -- Sent from my tracking device. Please excuse brevity and cat photos. ___ Tails-dev mailing list Tails-dev@boum.org mailto:Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org mailto:tails-dev-unsubscr...@boum.org. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org. -- -- Giorgio Maone http://maone.net ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
On 06/07/2014 17:01, sajolida wrote: Ah, and tell us in case you subscribed to the mailing list, and we will stop putting you in copy. Just done. Also, I found Griffin's message in this thread from the public archive: I can confirm that an option to select an arbitrary file from the filesystem and automatically verify it as a known Tails ISO or for show its hash for manual verification is planned. Furthermore, if tails-dev has or can obtain a code signing certificate compatible with Mozilla XPIs ( https://developer.mozilla.org/en-US/docs/Signing_a_XPI ), we could ship a signed XPI as a mitigation against MITM concerns. -- G ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] Firefox extension for downloading Tails
Together with Giorgio Maone from NoScript and tchou we designed a crazy new plan to solve a great deal of ISO verification for the masses. Here it is: https://tails.boum.org/blueprint/download_extension/ Please everybody, check the scenario that we are proposing there, so we all agree on the plan. Giorgio: tell me if you need any additional information to start with your work. At some point you will have to dig into our Git repositories, and ikiwiki setup, and etc. But I bet that you can start working on a prototype without doing so for the moment. But you can already add information to the blueprint which is world editable. Ah, and tell us in case you subscribed to the mailing list, and we will stop putting you in copy. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
sajolida wrote: Together with Giorgio Maone from NoScript and tchou we designed a crazy new plan to solve a great deal of ISO verification for the masses. Here it is: https://tails.boum.org/blueprint/download_extension/ Please everybody, check the scenario that we are proposing there, so we all agree on the plan. I like this idea a *lot* (and am doing something similar for distributing Tor). Are the repos public? Would love to take a peek. One issue that I see is that this method relies on people having a secure connection to the Firefox add-ons site. This is not always the case, and there are lots of MITM anecdotes involving FF extension installation/updating. Also, this extension should allow users to select any local file to verify the hash. I would additionally request that there be an option to simply generate a sha256 hash so that users can attempt to verify other software as well. best, Griffin ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Firefox extension for downloading Tails
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi everybody. The blueprint should be enough for me to start hacking a prototype together. If nobody has suggestions, I'd propose to call the extension with the catchy (!) name of Tails Catcher. I'd just add that a future version might embed tails developer's key and perform OpenPGP authentication itself. - -- G On 06/07/2014 17:01, sajolida wrote: Together with Giorgio Maone from NoScript and tchou we designed a crazy new plan to solve a great deal of ISO verification for the masses. Here it is: https://tails.boum.org/blueprint/download_extension/ Please everybody, check the scenario that we are proposing there, so we all agree on the plan. Giorgio: tell me if you need any additional information to start with your work. At some point you will have to dig into our Git repositories, and ikiwiki setup, and etc. But I bet that you can start working on a prototype without doing so for the moment. But you can already add information to the blueprint which is world editable. Ah, and tell us in case you subscribed to the mailing list, and we will stop putting you in copy. -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (MingW32) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTucDuAAoJECMag6/anCQ0jiIH/jdEm9ctga+orh9Cfr5cQRkX fGofQvvXXDYF0U8nPhDiIl+mCTThxzLQ6GhPf6BrqnzStEzg64phSdssXGva1m0Z SIK7k1hHtnRh4BNcXL4Dp4Aq7mo8xx0m15saylaJcfz8K8KSxS22xH+b6n6SqY67 Ncy+oNWnvzsDQ5alK3RDq1UTBpqy6ZfFOwVTR6cTfaNSfwPbA+YxpP8W2RsTamU+ O1hudQQLs6BsQraoKGeBUFphyZtHFkAvywY3x0ErBLYdhqdAaPTLsq7mjyPcX+xd Gg93NWMD1rrwYdnaqg7pxTlZhu05hwKm8/oD8/gEW0ChPGO+smBh3+7kQsX7/wI= =90O3 -END PGP SIGNATURE- ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.