Re: [Tails-dev] Security implications: moving code from Ver…

Author: Nicolas Vigier
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Security implications: moving code from Verification Extension to our website
On Fri, 22 Mar 2019, sajolida wrote:

>
> Whether there's a security loss for the 20% of users who currently use
> the extension is precisely what we are asking more opinions about.
>
> For example, jvoisin's primary reaction on this thread is that it
> doesn't have any significant downsides.
>
> What makes you think that doing the verification in the extension would
> be less secure than doing the verification on the website? What kind of
> attacks are we talking about here?
It seems the extension is currently only downloading an unsigned json
file with https to verify the checksums, so someone controlling the
website could return a bad json file.

So it looks like in both cases (the extension and javascript on the
website), an attacker controlling the website could make it possible
for a bad download to be seen as good by the user. However there is
maybe still a small difference:
- with javascript on the website, an attacker controlling the website
could just disable the verification and claim that any download is
good.
- with the extension, an attacker controlling the website could replace
the json file with one that contains a different checksum. However,
they have to guess what the user will have downloaded from the mirrors,
which is maybe not easy if only one of the mirrors is bad. This is
assuming that the extension only accepts json files containing only
one value for the checksum, which I don't know is the case.

With the current version of the extension, I don't know if it makes a
big difference. However if there was some plan to improve the extension
to make it verify gpg signatures, then that could be a big difference.

Nicolas