intrigeri: > sajolida: >> But the certificate pinning done by the extension precisely tries to >> prevent such an attack, but only on the download of the ISO Description >> File [2]. > > It's unclear to me why DAVE v2 will need the ISO Description File since > it won't download the ISO itself anymore (if I got it right). What did > I miss?
Thanks for joining the thread! :) For the record here is the IDF: https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml The new verification extension still needs the SHA-256 from the IDF. But yes, it won't need the URL anymore. We could still use the size to warn in a specific way when the download is too short but I didn't think about that until now and I'm not 100% sure that's very useful in modern browsers who already deal with download interruptions (Firefox uses a temporary *.part file and only rename it after the download is finish). _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
