PS: If the OpenPGP requirement is removed, I'd strongly suggest at least
asking for a confirmation for significant requests (e.g. removal of a
server from the pool). The confirmation should contain a full quote of the
e-mail it is sent in reply to. That way, at least easy spoofing is
prevented. It provides no additional security against a man-in-the-middle
attacker, but sending an e-mail with a forged "From" header is probably
much, much easier ("trivial & legal" vs. "requiring illegal cracking or
being the NSA") than circumventing this additional protection.

2016-03-04 21:39 GMT+01:00 Tobias Frei <[email protected]>:
> Hi,
>
> the requirement to use OpenPGP encryption has been somewhat annoying for
> me personally in the past, especially because it did not allow me to read
> mirror-related e-mails (sometimes relatively time-critical ones) on my
> smartphone. This has happened to me on vacation in another country (I don't
> have a laptop) and at the local university, during breaks that I could have
> used to fix a problem if I had known which one it was.
>
> Also, the information shared via encrypted e-mail about my mirror in any
> direction has never been so confidential that encryption would have been
> necessary in my opinion. I know that it is probably best to encrypt all
> communication to prevent an attacker (e.g. NSA) from understanding which
> e-mails are really interesting, but the cost of encryption has outweighed
> the benefits for me so far.
>
> What I'd absolutely keep, though, is the *signing* of e-mails. I need to
> be able to check if a request has really been sent by the undersigning
> person. If I can be sure that the request is valid (e.g. "your server is
> down") without verifying the OpenPGP signature, I might react directly
> (e.g. restart the server) instead of verifying the signature. If I can't, I
> must verify the signature.
> Also, I hope that the same level of verification is applied when I send an
> e-mail about my mirror. If I quote the sender's e-mail in my reply and
> simply confirm fixing a problem, checking my signature might be
> unnecessary. If I request the removal of my mirror from the pool, I really
> hope that the request will be properly verified. If my signature is
> missing, I hope that I'd be asked to provide a valid OpenPGP signature, a
> message on my website or whatever else would be sufficient to identify me
> as the sender of the request.
>
> Sending and receiving encrypted e-mails is rather annoying, sending and
> receiving signed e-mails is necessary, I'd say.
>
> Best regards,
> Tobias Frei
>
>
> 2016-03-04 20:18 GMT+01:00 intrigeri <[email protected]>:
>
>> Hi,
>>
>> We'll soon be in a position to add more servers to the pool of HTTP
>> mirrors that serve our ISO images and IUKs. Before I publish the
>> corresponding call for help, and get in touch with operators of
>> potential fast mirrors (#11079), I'd like to make sure we get the
>> requirements right.
>>
>> So far, we (or was it perhaps just me?) have insisted on having a way
>> to communicate using OpenPGP with each operator of an HTTP mirror in
>> our pool. I'm starting to question this. [In case anyone here didn't
>> get that memo: yes, it often takes me years to change my mind.]
>>
>> This requirement has one clear disadvantage: it excludes some fast
>> mirrors, e.g. lots of those that are run in universities (I have to
>> trust people who are more in touch with operators of such candidate
>> mirrors, on this one, as I have personally no idea). Also, on our side
>> it adds to the burden of maintaining our pool of mirrors: maintaining
>> a keyring isn't easy, and it gets quite hard if one wants to try to do
>> it seriously.
>>
>> We are in the process of dropping at least another requirement of ours
>> (the need for a dedicated hostname) that might have been a blocker, so
>> I think it's time to check our list of requirements.
>>
>> I think the main advantages of requiring OpenPGP-enabled
>> communication with mirror operators are:
>>
>> * We can authenticate requests sent to us by mirror operators: e.g.
>> "please remove my mirror from the pool", that could otherwise be
>> used to degrade our pool of mirrors, just by spoofing the sender
>> address.
>>
>> - Are we seriously checking the OpenPGP signature on such requests?
>> I used to do it, and used to require a good trust path for key
>> updates, but I am under the impression that this might all have
>> been handled in a more flexible way recently. sajolida?
>>
>> - Perhaps we would notice if too many mirrors were removed (this
>> calls for a monitoring check, I guess), and perhaps mirror
>> operators would notice if they don't get the traffic they expect?
>> IOW, perhaps we have other ways to avoid such attacks from being
>> effective enough to be attractive in the first place.
>>
>> * Mirror operators can authenticate instructions we send them, e.g.
>> "please add this option to your nginx configuration". Without this,
>> anyone can quite trivially DoS our pool of HTTP mirrors, until
>> someone notices. The thing is, we have no idea if the operators of
>> our mirrors check this, i.e. whether they would notice if some
>> email apparently coming from us was not signed.
>>
>> * More?
>>
>> I'm now less convinced that these advantages are worth the drawbacks,
>> and could be ready to drop the OpenPGP communication requirement.
>>
>> Thoughts?
>>
>> Cheers,
>> --
>> intrigeri
>> _______________________________________________
>> Tails-dev mailing list
>> [email protected]
>> https://mailman.boum.org/listinfo/tails-dev
>> To unsubscribe from this list, send an empty email to
>> [email protected].
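The confirmation-by-reply step proposed in the PS (a confirmation that quotes the original request and must come back from the claimed sender before anything is done), worked through as an added example; this is not code from the thread or from Tails' mirror tooling, and the addresses and the CONFIRM-TOKEN line format are constructed for the illustration:

```python
import re
import secrets
import textwrap
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class PendingRequest:
    sender: str   # address in the From header of the request
    subject: str  # e.g. "please remove my mirror from the pool"
    body: str

class ConfirmationGate:
    """Holds significant requests until the claimed sender confirms by reply.
    The confirmation goes to the From address and carries a random token, so a
    request with a forged From header never hands the forger a usable token;
    only someone reading that mailbox (or a path-level MITM) can answer."""
    def __init__(self) -> None:
        self._pending: Dict[str, PendingRequest] = {}

    def challenge(self, sender: str, subject: str, body: str) -> str:
        """Register the request; return the confirmation mail to send back."""
        token = secrets.token_urlsafe(24)  # 32 URL-safe chars, unguessable
        self._pending[token] = PendingRequest(sender, subject, body)
        quoted = textwrap.indent(body.rstrip("\n"), "> ")  # full quote of the original
        return (f"To: {sender}\nSubject: Re: {subject}\n\n"
                "We received the request quoted below. If it is yours, reply and\n"
                f"keep this line intact:\nCONFIRM-TOKEN: {token}\n\n{quoted}\n")

    def confirm(self, sender: str, reply_body: str) -> Optional[PendingRequest]:
        """Return the request only if the reply carries a valid, unused token from the same address."""
        match = re.search(r"CONFIRM-TOKEN:\s*([A-Za-z0-9_-]{32})", reply_body)
        if match is None:
            return None
        pending = self._pending.get(match.group(1))
        if pending is None or pending.sender != sender:
            return None
        del self._pending[match.group(1)]  # single use: a confirmation cannot be replayed
        return pending

def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: genuine reply, replay of it, and a forger's guess."""
    gate = ConfirmationGate()
    operator = "operator@mirror.example"  # constructed address
    mail = gate.challenge(operator, "remove my mirror", "Please remove my mirror.\n")
    genuine = gate.confirm(operator, mail) is not None   # operator answers with the token
    replayed = gate.confirm(operator, mail) is not None  # same token a second time
    forged = gate.confirm(operator, "CONFIRM-TOKEN: " + "A" * 32) is not None
    return genuine, replayed, forged
```

As the PS notes, this only raises the bar for From-header spoofing; a man-in-the-middle who can read the operator's mail still sees the token, which is the gap a verified OpenPGP signature closes.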
