Giorgio Maone:
>>> - Modify the downloaded ISO after verification
>> How it can be done, since it's already downloaded? An operating system
>> malicious
>> code?
> In fact, it seems outside the scope of this project: if the local
> system is already compromised, the adversary has already won and there's
> no point in fighting anymore.

I'm not considering here a malicious local operating system in general
(as we can't protect against this). But I was wondering to which extent
other entities in the browser have access to downloaded files and how
much write access is protected on the already downloaded files by other
extensions for example. Our extension will do read-only access on the
download to calculate a checksum, but could another extension modify
this file after it's been downloaded?

> Using a standalone executable, instead, would actually leave us with the
> egg and chicken problem: who does verify the verifier?

Right, that's the point. We're proposing here to use the browser as a
tool that users already have installed, that can do some crypto and that
we should be able to trust in that process anyway. That's why we're not
introducing another standalone executable.

--
sajolida
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
