Re: [Tails-dev] flaw in: Correlates several downloads of Tai…

Author: adev
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] flaw in: Correlates several downloads of Tails signing key
> Hi!
>
> https://tails.boum.org/doc/get/trusting_tails_signing_key/index.en.html#index1h1
>
> As far as I understand, this chapter assumes an adversary in a position to
> break SSL or strip SSL (and the user not noticing).
>
> With that assumption in mind, look at the graphic below.
>
> user <-> user ISP <-> internet <-> boum.org ISP <-> boum.org server
> MITM less likely for this route | no help for this route
>
> This suggestion does not help against an adversary able to tamper with
> traffic going through the boum.org ISP. No matter from which place the
> user visits boum.org, an adversary in that position can always tamper
> with the traffic.
>
> This is still a useful suggestion for many people. For example for
> people in censored countries, who get the key several times through
> different Tor nodes and trust that more than their own network.
>
> I think these limitations should be noted nonetheless.
>
> Cheers,
> adrelanos
> _______________________________________________
> tails-dev mailing list
> tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
>




Yes, an advanced attacker could implant a device in the uplink(s) that
give the Tails boum server internet access, and have access to SSL root
private keys, and serve false versions
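
The limitation discussed in this thread, as an added example that is not part of the original messages: a small model of the "download the key from several places and compare" check, showing which tampering points the comparison catches and which it cannot. The hop names, the disjoint per-user transit routes and the placeholder key strings are constructed assumptions.

```python
"""Model of the 'download the key several times and compare' check."""

# Constructed network model (assumption): each download crosses the user's own
# access network and its own transit route, then the hops that every visitor
# to the server shares.
SHARED_HOPS = ("boum.org ISP", "boum.org server")

GENUINE = "genuine-key"   # constructed placeholders, not real key material
FORGED = "forged-key"


def path_from(access_network):
    """Hops a download traverses when started from the given access network."""
    return (access_network, "transit via " + access_network) + SHARED_HOPS


def download(access_network, tampered_hops):
    """Return the copy a user receives; a tampered hop on the path swaps it."""
    hit = any(hop in tampered_hops for hop in path_from(access_network))
    return FORGED if hit else GENUINE


def correlate(access_networks, tampered_hops):
    """Compare the copies fetched from several networks.

    Returns (copies_agree, forgery_accepted_without_warning).
    """
    copies = {download(n, tampered_hops) for n in access_networks}
    agree = len(copies) == 1
    return agree, agree and copies == {FORGED}


def blind_spots(access_networks):
    """Hops where a single tampering point defeats the comparison."""
    hops = {h for n in access_networks for h in path_from(n)}
    return sorted(h for h in hops if correlate(access_networks, {h})[1])


if __name__ == "__main__":
    vantage = ["home ISP", "library wifi", "Tor exit A"]
    print("tamper at home ISP     ->", correlate(vantage, {"home ISP"}))
    print("tamper at boum.org ISP ->", correlate(vantage, {"boum.org ISP"}))
    print("blind spots            ->", blind_spots(vantage))
```

Adding more vantage points shrinks the set of blind spots only down to the shared hops; closing those requires a check that does not travel the same route, such as verifying the key through an independent channel.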