Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP comm…

Author: Tobias Frei
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP communication with HTTP mirror operators?
Hi,

The requirement to use OpenPGP encryption has been somewhat annoying for me
personally in the past, especially because it did not allow me to read
mirror-related e-mails (sometimes relatively time-critical ones) on my
smartphone. This has happened to me on vacation in another country (I don't
have a laptop) and at the local university, during breaks that I could have
used to fix a problem if I had known which one it was.

Also, the information shared via encrypted e-mail about my mirror in any
direction has never been so confidential that encryption would have been
necessary in my opinion. I know that it is probably best to encrypt all
communication to prevent an attacker (e.g. NSA) from understanding which
e-mails are really interesting, but the cost of encryption has outweighed
the benefits for me so far.

What I'd absolutely keep, though, is the *signing* of e-mails. I need to be
able to check if a request has really been sent by the undersigning person.
If I can be sure that the request is valid (e.g. "your server is down")
without verifying the OpenPGP signature, I might react directly (e.g.
restart the server) instead of verifying the signature. If I can't, I must
verify the signature.
Also, I hope that the same level of verification is applied when I send an
e-mail about my mirror. If I quote the sender's e-mail in my reply and
simply confirm fixing a problem, checking my signature might be
unnecessary. If I request the removal of my mirror from the pool, I really
hope that the request will be properly verified. If my signature is
missing, I hope that I'd be asked to provide a valid OpenPGP signature, a
message on my website or whatever else would be sufficient to identify me
as the sender of the request.

Sending and receiving encrypted e-mails is rather annoying, sending and
receiving signed e-mails is necessary, I'd say.

Best regards,
Tobias Frei


2016-03-04 20:18 GMT+01:00 intrigeri <intrigeri@???>:

> Hi,
>
> We'll soon be in a position to add more servers to the pool of HTTP
> mirrors that serve our ISO images and IUKs. Before I publish the
> corresponding call for help, and get in touch with operators of
> potential fast mirrors (#11079), I'd like to make sure we get the
> requirements right.
>
> So far, we (or was it perhaps just me?) have insisted on having a way
> to communicate using OpenPGP with each operator of a HTTP mirror in
> our pool. I'm starting to question this. [In case anyone here didn't
> get that memo: yes, it often takes me years to change my mind.]
>
> This requirement has one clear disadvantage: it excludes some fast
> mirrors, e.g. lots of those that are run in universities (I have to
> trust people who are more in touch with operators of such candidate
> mirrors, on this one, as I have personally no idea). Also, on our side
> it adds to the burden of maintaining our pool of mirrors: maintaining
> a keyring isn't easy, and it gets quite hard if one wants to try to do
> it seriously.
>
> We are in the process of dropping at least another requirement of ours
> (the need for a dedicated hostname) that might have been a blocker, so
> I think it's time to check our list of requirements.
>
> I think the main advantages of requiring OpenPGP-enabled
> communication with mirror operators are:
>
>  * We can authenticate requests sent to us by mirror operators: e.g.
>    "please remove my mirror from the pool", that could otherwise be
>    used to degrade our pool of mirrors, just by spoofing the sender
>    address.
>
>    - Are we seriously checking the OpenPGP signature on such requests?
>      I used to do it, and used to require a good trust path for key
>      updates, but I am under the impression that this might all have
>      been handled in a more flexible way recently. sajolida?
>
>    - Perhaps we would notice if too many mirrors were removed (this
>      calls for a monitoring check, I guess), and perhaps mirror
>      operators would notice if they don't get the traffic they expect?
>      IOW, perhaps we have other ways to avoid such attacks from being
>      effective enough to be attractive in the first place.
>
>  * Mirror operators can authenticate instructions we send them, e.g.
>    "please add this option to your nginx configuration". Without this,
>    anyone can quite trivially DoS our pool of HTTP mirrors, until
>    someone notices. The thing is, we have no idea if the operators of
>    our mirrors check this, i.e. whether they would notice if some
>    email apparently coming from us was not signed.
>
>  * More?
>
> I'm now less convinced that these advantages are worth the drawbacks,
> and could be ready to drop the OpenPGP communication requirement.
>
> Thoughts?
>
> Cheers,
> --
> intrigeri