Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP comm…

Author: Tobias Frei
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] [RFC] Dropping requirement for OpenPGP communication with HTTP mirror operators?
PS: If the OpenPGP requirement is removed, I'd strongly suggest at least
asking for a confirmation for significant requests (e.g. removal of a
server from the pool). The confirmation should contain a full quote of the
e-mail it is sent in reply to. That way, at least easy spoofing is
prevented. It provides no additional security against a man-in-the-middle
attacker, but sending an e-mail with a forged "From" header is probably
much, much easier ("trivial & legal" vs. "requiring illegal cracking or
being the NSA") than circumventing this additional protection.

2016-03-04 21:39 GMT+01:00 Tobias Frei <tobias@???>:

> Hi,
>
> the requirement to use OpenPGP encryption has been somewhat annoying for
> me personally in the past, especially because it did not allow me to read
> mirror-related e-mails (sometimes relatively time-critical ones) on my
> smartphone. This has happened to me on vacation in another country (I don't
> have a laptop) and at the local university, during breaks that I could have
> used to fix a problem if I had known which one it was.
>
> Also, the information shared via encrypted e-mail about my mirror in any
> direction has never been so confidential that encryption would have been
> necessary in my opinion. I know that it is probably best to encrypt all
> communication to prevent an attacker (e.g. NSA) from understanding which
> e-mails are really interesting, but the cost of encryption has outweighed
> the benefits for me so far.
>
> What I'd absolutely keep, though, is the *signing* of e-mails. I need to
> be able to check if a request has really been sent by the undersigning
> person. If I can be sure that the request is valid (e.g. "your server is
> down") without verifying the OpenPGP signature, I might react directly
> (e.g. restart the server) instead of verifying the signature. If I can't, I
> must verify the signature.
> Also, I hope that the same level of verification is applied when I send an
> e-mail about my mirror. If I quote the sender's e-mail in my reply and
> simply confirm fixing a problem, checking my signature might be
> unnecessary. If I request the removal of my mirror from the pool, I really
> hope that the request will be properly verified. If my signature is
> missing, I hope that I'd be asked to provide a valid OpenPGP signature, a
> message on my website or whatever else would be sufficient to identify me
> as the sender of the request.
>
> Sending and receiving encrypted e-mails is rather annoying, sending and
> receiving signed e-mails is necessary, I'd say.
>
> Best regards,
> Tobias Frei
>
>
> 2016-03-04 20:18 GMT+01:00 intrigeri <intrigeri@???>:
>
>> Hi,
>>
>> We'll soon be in a position to add more servers to the pool of HTTP
>> mirrors that serve our ISO images and IUKs. Before I publish the
>> corresponding call for help, and get in touch with operators of
>> potential fast mirrors (#11079), I'd like to make sure we get the
>> requirements right.
>>
>> So far, we (or was it perhaps just me?) have insisted on having a way
>> to communicate using OpenPGP with each operator of a HTTP mirror in
>> our pool. I'm starting to question this. [In case anyone here didn't
>> get that memo: yes, it often takes me years to change my mind.]
>>
>> This requirement has one clear disadvantage: it excludes some fast
>> mirrors, e.g. lots of those that are run in universities (I have to
>> trust people who are more in touch with operators of such candidate
>> mirrors, on this one, as I have personally no idea). Also, on our side
>> it adds to the burden of maintaining our pool of mirrors: maintaining
>> a keyring isn't easy, and it gets quite hard if one wants to try to do
>> it seriously.
>>
>> We are in the process of dropping at least another requirement of ours
>> (the need for a dedicated hostname) that might have been a blocker, so
>> I think it's time to check our list of requirements.
>>
>> I think the main advantages of requiring OpenPGP-enabled
>> communication with mirror operators are:
>>
>>  * We can authenticate requests sent to us by mirror operators: e.g.
>>    "please remove my mirror from the pool", that could otherwise be
>>    used to degrade our pool of mirrors, just by spoofing the sender
>>    address.
>>
>>    - Are we seriously checking the OpenPGP signature on such requests?
>>      I used to do it, and used to require a good trust path for key
>>      updates, but I am under the impression that this might all have
>>      been handled in a more flexible way recently. sajolida?
>>
>>    - Perhaps we would notice if too many mirrors were removed (this
>>      calls for a monitoring check, I guess), and perhaps mirror
>>      operators would notice if they don't get the traffic they expect?
>>      IOW, perhaps we have other ways to avoid such attacks from being
>>      effective enough to be attractive in the first place.
>>
>>  * Mirror operators can authenticate instructions we send them, e.g.
>>    "please add this option to your nginx configuration". Without this,
>>    anyone can quite trivially DoS our pool of HTTP mirrors, until
>>    someone notices. The thing is, we have no idea if the operators of
>>    our mirrors check this, i.e. whether they would notice if some
>>    email apparently coming from us was not signed.
>>
>>  * More?
>>
>> I'm now less convinced that these advantages are worth the drawbacks,
>> and could be ready to drop the OpenPGP communication requirement.
>>
>> Thoughts?
>>
>> Cheers,
>> --
>> intrigeri
>> _______________________________________________
>> Tails-dev mailing list
>> Tails-dev@???
>> https://mailman.boum.org/listinfo/tails-dev
>> To unsubscribe from this list, send an empty email to
>> Tails-dev-unsubscribe@???.
>>
>
>
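The PS above proposes confirming significant requests (such as "remove my server from the pool") with a reply that carries a full quote of the request. The following is an added example modelling that check on the pool-maintainer side; it is not Tails code and not code from anyone in this thread. It assumes the maintainer keeps a registry with an "address of record" per mirror operator (the confirmation goes to that address, never to the possibly forged From: header of the request) and, as an addition beyond the PS, binds each confirmation to a random one-shot token so that a reply is only accepted if its author actually received the confirmation mail. Exactly as the PS says, this does nothing against an attacker who can read the operator's mail in transit; it only defeats a plainly forged From: header.

```python
"""Confirm-by-full-quote check for significant mirror requests (hypothetical
example; stdlib only). Names, addresses and mail bodies are constructed."""
import re
import secrets
from email.message import EmailMessage
from email.utils import parseaddr

# Words that mark a request as significant enough to need a confirmation.
# Constructed list for this example, not a Tails policy.
SIGNIFICANT_WORDS = ("remove", "removal", "drop", "delete")

# The token line may sit behind any number of "> " quote markers in a reply.
TOKEN_RE = re.compile(r"^(?:>\s?)*Confirmation-Token: ([0-9a-f]{32})\s*$", re.M)
QUOTE_PREFIX_RE = re.compile(r"^(?:>\s?)+")


def make_mail(sender: str, subject: str, body: str) -> EmailMessage:
    """Build a plain-text mail; used for the constructed sample messages."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def is_significant(msg: EmailMessage) -> bool:
    """A request needs confirmation if subject or body asks for a removal."""
    text = (msg.get("Subject", "") + "\n" + msg.get_content()).lower()
    return any(word in text for word in SIGNIFICANT_WORDS)


def quote(text: str) -> str:
    """Quote a body the way mail clients do: one '> ' per line."""
    return "\n".join("> " + line for line in text.rstrip("\n").splitlines())


def unquote_lines(text: str) -> set:
    """Non-empty lines of a body with all leading quote markers stripped."""
    return {QUOTE_PREFIX_RE.sub("", line).strip() for line in text.splitlines()} - {""}


class ConfirmationTracker:
    """Issues confirmation mails for significant requests and checks replies."""

    def __init__(self):
        self.pending = {}  # token -> (address of record, lines of the request)

    def build_confirmation(self, request: EmailMessage, address_of_record: str) -> EmailMessage:
        """Create the confirmation mail. It is addressed to the operator's
        address of record from our registry, not to the request's From:,
        so the author of a spoofed request never receives the token."""
        token = secrets.token_hex(16)
        self.pending[token] = (address_of_record, unquote_lines(request.get_content()))
        conf = EmailMessage()
        conf["To"] = address_of_record
        conf["Subject"] = "Please confirm: " + request.get("Subject", "")
        conf.set_content(
            "Please reply to this mail, keeping the token and the full quote of\n"
            "your request below, to confirm it.\n\n"
            f"Confirmation-Token: {token}\n\n"
            f"{quote(request.get_content())}\n")
        return conf

    def verify_reply(self, reply: EmailMessage) -> bool:
        """Accept the reply only if it carries a pending token, comes from the
        address of record and still quotes every line of the original request
        (so the operator confirms exactly what was asked)."""
        body = reply.get_content()
        match = TOKEN_RE.search(body)
        if match is None or match.group(1) not in self.pending:
            return False  # no valid token: the sender never saw our confirmation
        token = match.group(1)
        address, request_lines = self.pending[token]
        # From: is spoofable; this is only a sanity check, the token does the work.
        if parseaddr(reply.get("From", ""))[1].lower() != address.lower():
            return False
        if not request_lines <= unquote_lines(body):
            return False  # quote was trimmed or altered
        del self.pending[token]  # one-shot: a replayed confirmation is refused
        return True
```

The token lives in the mail body rather than in a header so that a plain "reply with quote" in any mail client carries it back; `unquote_lines` tolerates the extra `> ` level that such a reply adds.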