Re: [Tails-ux] Wireframes for DAVE 2

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: Tails user experience & user interface design
Subject: Re: [Tails-ux] Wireframes for DAVE 2
hi,

sajolida:
> intrigeri:
>> s/loose/lose/>
>> I'm not a big fan of "You might get hacked while using Tails if our
>> servers have been compromised and are serving malicious downloads":
>> it suggests that the verification step is worthwhile even if our
>> website has been compromised, which is wrong. Perhaps replace
>> "servers" with "download servers" or similar?


> Yeah. I thought that in people's mind there's no difference between
> "servers" and "download servers" and opted for the shorted version.


> So what about "download mirrors"? Our audience might know what a mirror
> is (cf. WikiLeaks back in the days, censorship events here and there,
> etc.) plus the context should help understanding what this is about to
> those who don't know yet.


I didn't dare proposing "download mirrors" as it felt too technical,
but if you think it's fine, then yeah, go ahead :)

>> I'm not a big fan of "You might get hacked while using Tails if your
>> download is modified by an attacker in your country or on your local
>> network" + the link to the DigiNotar compromise either:


[...]

>>  - This text seems to only address targeted attacks in a specific
>>    country or against a specific user, but an adversary who can break
>>    HTTPS can exploit it anywhere between the download servers and the
>>    client. And when downloading using Tor, an adversary who can break
>>    HTTPS can also exploit it close to the exit node being used.
>>    We would detect such a compromise ourselves only when facing an
>>    not-too-sophisticated adversary. I kinda remember having had this
>>    discussion already, sorry if I was arguing in the other direction
>>    last time ;)


> As you can guess I don't remember this discussion at all.


> I changed the sentence to:


> You might get hacked while using Tails if your download is modified
> on-the-fly by an attacker on the network.


> So the attacker can be anywhere.


> Better?


Yes!

Also, when building the website from the current master branch, I see
a bunch of po4a errors:

wiki/src/install/inc/steps/download_2.inline.html:56: (po4a::xml)
               Unexpected closing tag </a> found. The main document may be wrong.  
               Continuing...


… that is noisy and worrying for anyone building the website locally.
The worst that can happen is that it prevents po4a from extracting
strings for translators as well as we would hope (but I didn't check
that).

Cheers,
--
intrigeri