Re: [Tails-dev] Security implications: moving code from Veri…

Author: Daniel Kahn Gillmor
Date:  
To: u, The Tails public development discussion list
Subject: Re: [Tails-dev] Security implications: moving code from Verification Extension to our website
hi all--

thanks for bringing this discussion, and your reasoning for it, to the
broader community.

On Wed 2019-03-20 14:25:50 +0100, u. wrote:
> We know from Javascript statistics of our download page that roughly
> ~20% of the downloads of Tails images are verified by users using the
> verification extension. The optional OpenPGP verification accounts for
> 9% of downloads (computed using the number of downloads of the OpenPGP
> signature). This means that >70% of Tails downloads might currently not
> be verified at all.
These numbers are pretty interesting. how do you know that OpenPGP
verification accounts for 9% of the downloads? are you just measuring
the number of signature files downloaded?

In any event, it sounds like you're making a (sensible) case for moving
from:

70% unprotected +
20% extension-protected +
10% OpenPGP-protected.

to:

90% website-protected +
10% OpenPGP-protected

That's clearly a net win for 70% of downloads, which go from unprotected
to website-protected, but it's also a net loss for 20% of users, who go
from protection by the extension to protection by website javascript.

This would be a clearer, unequivocal win if we retained the extension,
right? then it would go to:

70% website-protected +
20% extension-protected +
10% OpenPGP-protected

which is strictly better than all the other scenarios from a
verification standpoint.

Is the concern that it's too expensive to maintain both the extension
and the javascript going forward?

If the expense of maintaining the extension is too much, i wonder
whether image verification is the ultimate concern at all. For example,
should we be considering other approaches like external, spot-checked
download verification with monitoring and reporting, as some measure of
resilience against non-targeted attack? (maybe this is already in place
and i just don't know about it)

thanks for thinking about these tradeoffs clearly and publicly. i wish
all projects were capable of communicating these legitimate concerns as
effectively as Tails does.

    --dkg
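The message above floats the idea of external, spot-checked download verification with monitoring and reporting. The following is an added illustration of that idea, not code from the Tails project or from the author of the message: a monitor compares the image served by several mirrors against a reference digest obtained out of band (for example from the OpenPGP-signed checksum), and reports any mirror whose copy differs. The mirror names, image bytes and reference digest are constructed for the example, and the mirror fetch is replaced by an in-memory dictionary of bytes so the script runs offline.

```python
"""Spot-checked download verification with monitoring and reporting.

Added example (not Tails project code). The reference digest stands in
for a value obtained from a channel independent of the mirrors being
checked, such as an OpenPGP-signed checksum file. If the expected digest
came from the same place as the download, a substituted image and a
matching substituted digest would pass, so the check would be circular.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SpotCheck:
    """Result of hashing one mirror's copy of the image."""
    mirror: str
    expected: str
    observed: str

    @property
    def ok(self) -> bool:
        return self.observed == self.expected


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the fetched image bytes."""
    return hashlib.sha256(data).hexdigest()


def spot_check(mirror_copies: Dict[str, bytes], expected_digest: str) -> List[SpotCheck]:
    """Hash each mirror's copy and compare it with the out-of-band reference.

    mirror_copies maps a mirror name to the bytes it served; in a real
    monitor this would be the body of an HTTP fetch (assumption: fetching
    is done elsewhere and is not shown here).
    """
    return [
        SpotCheck(name, expected_digest, sha256_hex(blob))
        for name, blob in sorted(mirror_copies.items())
    ]


def report(checks: List[SpotCheck]) -> List[str]:
    """Print a monitoring summary and return the names of failing mirrors."""
    failing = [c.mirror for c in checks if not c.ok]
    for c in checks:
        status = "OK      " if c.ok else "MISMATCH"
        print(f"{status} {c.mirror} sha256={c.observed[:16]}...")
    print(f"{len(checks) - len(failing)}/{len(checks)} mirrors match the reference digest")
    return failing


# Constructed sample data: a placeholder "image" and its reference digest.
GOOD_IMAGE = b"tails-amd64-X.Y.img (constructed placeholder contents)\n" * 64
REFERENCE_DIGEST = sha256_hex(GOOD_IMAGE)  # stands in for the signed checksum


def run_demo() -> List[str]:
    """Run one monitoring round over three constructed mirrors."""
    mirror_copies = {
        "mirror-a.example": GOOD_IMAGE,
        "mirror-b.example": GOOD_IMAGE,
        # One byte differs: the kind of altered copy a spot check should surface.
        "mirror-c.example": GOOD_IMAGE[:-1] + b"?",
    }
    return report(spot_check(mirror_copies, REFERENCE_DIGEST))


if __name__ == "__main__":
    run_demo()
```

The same hash-and-compare step is what a website-side or extension-side verifier performs for a single user's download; the monitor differs only in who runs it and where the reference digest comes from. Because the digest of a published image is public, an ordinary string comparison is sufficient here; constant-time comparison matters for secrets, not for published checksums.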