Hi security people, after working on the Verification Extension for the USB image project, I proposed to get rid of it and integrate the Javascript code that performs the verification directly into our website [1].
Today I'm writing to you because we need your valuable input on the security implications that such a move might have. We lack these skills in our team and would appreciate your help. Below, I'll describe the current state of things and the possible benefits of this move, and then I'll try to outline the security question we have.

Current state of things
-----------------------

Users download Tails images via mirrors operated by volunteers. When installing Tails, we advise users to verify the downloaded files using the Verification Extension, which currently works in Firefox and Chrome. The extension only downloads a JSON file located at tails.boum.org over HTTPS and checks that the hashsum we provide matches that of the Tails image the user downloaded.

We know from JavaScript statistics of our download page that roughly 20% of the downloads of Tails images are verified by users using the verification extension. The optional OpenPGP verification accounts for 9% of downloads (computed using the number of downloads of the OpenPGP signature). This means that >70% of Tails downloads might currently not be verified at all.

Benefits of moving this code directly into our website
------------------------------------------------------

- More users could more easily verify the images they download. (Note that we don't have metrics for the percentage of users affected, because we lack a detailed analysis of why so few users verify their download.)
- It will increase usability for users, as they won't have to install an extension anymore.
- Downloads could possibly be verified using other browsers, like Safari and recent versions of IE. (Note however that these browsers currently represent only 1% of visitors to the download pages.)
- There'll be a bit less maintenance work for us, but not much, as we would still have to test the code regularly.

General security implications
-----------------------------

The question we are asking ourselves is: are there any predictable downsides to moving the verification code from an extension to the website? If needed, details about the security threats and measures of the extension can be found in our design documentation [2].

Cost
----

Replacing the extension is going to cost money: a rough estimate is that it'll require ~100 hours of work from developers, UX designers, technical writers, managers, and an accountant to make this happen, in two iterations (see [1] for a detailed implementation plan).

Glad to read your thoughts!

Thank you for your input,
u.

[1] https://redmine.tails.boum.org/code/issues/16128
[2] https://tails.boum.org/contribute/design/verification_extension/

_______________________________________________
Tails-dev mailing list
[email protected]
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
