Publishing the OpenPGP instructions outside of our website
If the instructions on the website are fake due to mim attack or due to the website being compromised, the instructions for the pgp verification will be fake too. If the instructions and the key are published on multiple platforms however, (like irc, i2p, tor, i2p-irc, andoid/iphone app etc.) it will be easy to spot fake instructions and keys even for beginners. To receive fake instructions all the platforms would have to be compromised. For new users this method of cross–checking would allow to trust the pgp instructions on the website for future use.
#1 Updated by goupille almost 4 years ago
- Status changed from New to Rejected
- Priority changed from Elevated to Normal
our PGP public keys are available on the key servers, the certificates of bou.org are verifiable (and available on another server) and there are multiple ways to verify an iso (https://tails.boum.org/download/#verify) so I think this ticket should be closed.
#2 Updated by sajolida almost 4 years ago
- Subject changed from Publishing the instructions and the key on multiple platforms for extra security. to Publishing the OpenPGP instructions on multiple platforms
- Status changed from Rejected to Confirmed
- Assignee set to XiauWu
- QA Check set to Info Needed
All you said goupille is right but:
- Manually checking the SSL certificate for boum.org is not really practical. I mean, who does that?
- It doesn't take into account the server itself temporarily serving rogue content.
So the idea of publishing the OpenPGP instructions on other media (online as well as offline) still makes sense.
I adjusted the title of the ticket to be more clear.
Still, I think that it only make sense to publish in this way the advanced OpenPGP instructions that go through the web-of-trust (otherwise you're trusting https://tails.boum.org anyway). Right now that would be the content of https://tails.boum.org/install/expert/usb/. Until we solve #11027.
XiauWu would you be interested in preparing a copy of https://tails.boum.org/install/expert/usb/ on Github maybe?
How do you think we could reduce the cost of keeping this page up-to-date to the minimum? Could we dump the HTML directly on Github? Part of it?