Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] Tails ISO verification extension for Firefox

sajolida sajolida at pimienta.org
Sun Apr 19 07:33:13 PDT 2015


Hi,

I'm part of the people developing Tails: https://tails.boum.org/.

We're working over 2015 on a Firefox extension to automatically do
checksum verification of our ISO downloads.

Software verification is a critical step in the use of secure
applications but it has traditionally been hard to provide, especially
from a user perspective. Usual solutions are:

  - Using HTTPS to download. But in the case of Tails, we are serving
    so many downloads that we have to rely on mirrors hosted by third
    parties.
  - Providing OpenPGP signatures. But this really works only for the
    few of us who know how to verify an OpenPGP signature and use the
    OpenPGP Web-of-Trust correctly.

We are trying here to provide a usable solution to verify a download
done through HTTP, while relying on cryptographic information fetched
elsewhere through HTTPS (and possibly with stronger authentication
mechanisms such as public key pinning from browser vendors).

You can read more about our idea on this blueprint where we describe
better our goals, user scenario, wireframe, and threat model:

	https://tails.boum.org/blueprint/bootstrapping/extension

We still have to carry on a more in depth thread modeling of everything
bad that can happen inside the browser to fool the verification process.

I writing to the list to ask if there are other similar projects around.
We already know of Satori by Griffin Boyce (https://github.com/satori)
but we want to make sure we didn't miss any other similar project before
it's too late.

-- 
sajolida



More information about the liberationtech mailing list