Re: [Tails-dev] Tails ISO verification extension for Firefox

Author: Giorgio Maone
Date:  
To: The Tails public development discussion list
CC: mcs, jvoisin, brade
Subject: Re: [Tails-dev] Tails ISO verification extension for Firefox
On 19/04/2015 23:49, L.R. D.S. wrote:
>
> - Interfere with the checksum computation
> This seems an infinite regress to me. What will verify the verifier? How can
> we make sure this extension is not corrupted?

The relatively safe and trusted Mozilla add-ons distribution platform,
which includes secure transport / checksums and signing (the latter
having been optional so far, but very soon mandatory and made by
Mozilla itself):
https://blog.mozilla.org/addons/2015/02/10/extension-signing-safer-experience/

>
>> - Interfere with the content of the web page to fool the user
> DNS spoof? That will not be a problem if you guys do an SSH server...

DNS spoof won't work if the web page is served over HTTPS with HSTS
(better if pre-seeded).
Also, the UI may be hardcoded, even if as HTML content for presentation
consistency, in the extension itself which could not be tampered with
over the wire.

>
>> - Modify the downloaded ISO after verification
> How can it be done, since it's already downloaded? An operating system malicious
> code?

In fact, it seems outside the scope of this project: if the local
system is already compromised, the adversary has already won and there's
no point in fighting anymore.

>
>> work on a Firefox extension to verify Tails ISO image.
> Why a Firefox extension after all?

First and foremost, most potential users already use (or should use) the
Tor Browser (based on Firefox and compatible with Firefox extensions) to
access the Web, and this provides us with a cross-platform foundation
for our software.
Then, using an extension hosted by https://addons.mozilla.org provides
us with the aforementioned "bootstrap" distribution properties, i.e. the
extension itself could be downloaded and installed in a relatively
seamless and safe manner by virtue of Mozilla's already in place
infrastructure.

Using a standalone executable, instead, would actually leave us with the
chicken-and-egg problem: who verifies the verifier?

--
Giorgio Maone
https://maone.net