hi all--

thanks for bringing this discussion, and your reasoning for it, to the
broader community.

On Wed 2019-03-20 14:25:50 +0100, u. wrote:
> We know from Javascript statistics of our download page that roughly
> ~20% of the downloads of Tails images are verified by users using the
> verification extension. The optional OpenPGP verification accounts for
> 9% of downloads (computed using the number of downloads of the OpenPGP
> signature). This means that >70% of Tails downloads might currently not
> be verified at all.

These numbers are pretty interesting. how do you know that OpenPGP
verification accounts for 9% of the downloads? are you just measuring
the number of signature files downloaded?

In any event, it sounds like you're making a (sensible) case for moving
from:

  70% unprotected +
  20% extension-protected +
  10% OpenPGP-protected

to:

  90% website-protected +
  10% OpenPGP-protected

That's clearly a net win for 70% of downloads, which go from unprotected
to website-protected, but it's also a net loss for 20% of users, who go
from protection by the extension to protection by website javascript.

This would be a clearer, unequivocal win if we retained the extension,
right? then it would go to:

  70% website-protected +
  20% extension-protected +
  10% OpenPGP-protected

which is strictly better than all the other scenarios from a
verification standpoint.

Is the concern that it's too expensive to maintain both the extension
and the javascript going forward?

If the expense of maintaining the extension is too much, i wonder
whether image verification is the ultimate concern at all. For example,
should we be considering other approaches like external, spot-checked
download verification with monitoring and reporting, as some measure of
resilience against non-targeted attack? (maybe this is already in place
and i just don't know about it)

thanks for thinking about these tradeoffs clearly and publicly. i wish
all projects were capable of communicating these legitimate concerns as
effectively as Tails does.

--dkg