
Feature #11039

Publishing the OpenPGP instructions outside of our website

Added by XiauWu over 3 years ago. Updated about 1 year ago.

Status:
Confirmed
Priority:
Low
Assignee:
-
Category:
-
Target version:
-
Start date:
02/01/2016
Due date:
% Done:
0%

Feature Branch:
Type of work:
End-user documentation
Blueprint:
Starter:
Affected tool:

Description

If the instructions on the website are fake due to a MITM attack or due to the website being compromised, the instructions for the PGP verification will be fake too. If the instructions and the key are published on multiple platforms, however (like IRC, I2P, Tor, I2P-IRC, Android/iPhone app, etc.), it will be easy to spot fake instructions and keys even for beginners. To receive fake instructions, all the platforms would have to be compromised. For new users, this method of cross-checking would allow them to trust the PGP instructions on the website for future use.

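The check the description argues for, as an added example (my code, not code from the Tails project or from this ticket): a reader copies the signing key's fingerprint from every channel it is published on and accepts it only when all of them agree. The channel names and every fingerprint value below are constructed sample data, not real Tails fingerprints. The example also handles two practical failure modes: a channel that only publishes a short key ID (which is cheap to collide and therefore gives no assurance) is not counted, and a single channel that shows a different value is reported by name rather than silently outvoted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A v4 OpenPGP fingerprint is 160 bits, i.e. 40 hex digits.
FULL_FINGERPRINT = re.compile(r"^[0-9A-F]{40}$")


def normalise_fingerprint(raw: str) -> Optional[str]:
    """Return the 40-hex-digit form of a transcribed fingerprint, or None.

    Accepts the usual presentation variants ("0123 4567 ...", "0x0123...",
    colon-separated bytes) and rejects anything shorter than a full
    fingerprint: 8- or 16-digit key IDs can be collided, so a channel that
    only publishes a key ID must not be counted as confirmation.
    """
    s = raw.strip().upper()
    if s.startswith("0X"):
        s = s[2:]
    s = re.sub(r"[\s:]", "", s)
    return s if FULL_FINGERPRINT.fullmatch(s) else None


@dataclass
class CrossCheck:
    accepted: bool
    fingerprint: Optional[str]                 # the agreed fingerprint, if any
    reason: str
    unusable: List[str] = field(default_factory=list)     # channels without a full fingerprint
    disagreeing: List[str] = field(default_factory=list)  # channels differing from the majority


def cross_check(observations: Dict[str, str], min_channels: int = 3) -> CrossCheck:
    """Accept a fingerprint only if enough channels were consulted and all of
    the usable ones show the same full fingerprint.

    `observations` maps a channel name ("website", "irc-topic", ...) to the
    fingerprint text the reader copied from that channel.
    """
    usable: Dict[str, str] = {}
    unusable: List[str] = []
    for channel, raw in observations.items():
        fp = normalise_fingerprint(raw)
        if fp is None:
            unusable.append(channel)
        else:
            usable[channel] = fp

    if len(usable) < min_channels:
        return CrossCheck(False, None,
                          f"only {len(usable)} usable channel(s), need {min_channels}",
                          unusable)

    # Group the channels by the fingerprint they show.
    by_fp: Dict[str, List[str]] = {}
    for channel, fp in usable.items():
        by_fp.setdefault(fp, []).append(channel)

    if len(by_fp) == 1:
        (fp,) = by_fp
        return CrossCheck(True, fp, f"{len(usable)} channels agree", unusable)

    # Any disagreement means at least one channel is wrong. Do not trust the
    # majority value blindly either: name the outliers so the reader can look
    # into them (the website alone differing is the MITM/compromise case).
    majority_fp = max(by_fp, key=lambda k: len(by_fp[k]))
    disagreeing = sorted(c for fp, cs in by_fp.items() if fp != majority_fp for c in cs)
    return CrossCheck(False, None,
                      f"channels disagree; {', '.join(disagreeing)} differ from the majority",
                      unusable, disagreeing)


# Constructed sample data (not real fingerprints), assumed channel names.
GOOD = "0123456789ABCDEF0123456789ABCDEF01234567"
ROGUE = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

CONSISTENT = {
    "website": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "onion-service": "0x0123456789abcdef0123456789abcdef01234567",
    "irc-topic": GOOD,
    "printed-leaflet": "01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67",
}
# The website serves a replaced key while the other channels are intact.
WEBSITE_REPLACED = dict(CONSISTENT, website=ROGUE)
# Two channels only publish short key IDs, leaving too few usable channels.
KEYID_ONLY = dict(CONSISTENT, **{"irc-topic": "0x01234567",
                                 "printed-leaflet": "89ABCDEF01234567"})

if __name__ == "__main__":
    for name, obs in [("consistent", CONSISTENT),
                      ("website replaced", WEBSITE_REPLACED),
                      ("key IDs only", KEYID_ONLY)]:
        print(f"{name}: {cross_check(obs)}")
```

The threshold `min_channels` is an assumption of this example; the point is that the channels counted should be ones an attacker would have to compromise separately (the website and its onion service share an operator, a printed leaflet does not).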

Related issues

Related to Tails - Bug #15697: Downloading ISO and verifying signature not giving result shown in instructions Confirmed 07/01/2018

History

#1 Updated by goupille over 3 years ago

  • Status changed from New to Rejected
  • Priority changed from Elevated to Normal

Hi!

Our PGP public keys are available on the key servers, the certificates of boum.org are verifiable (and available on another server), and there are multiple ways to verify an ISO (https://tails.boum.org/download/#verify), so I think this ticket should be closed.

#2 Updated by sajolida over 3 years ago

  • Subject changed from Publishing the instructions and the key on multiple platforms for extra security. to Publishing the OpenPGP instructions on multiple platforms
  • Status changed from Rejected to Confirmed
  • Assignee set to XiauWu
  • QA Check set to Info Needed

All you said, goupille, is right, but:

  • Manually checking the SSL certificate for boum.org is not really practical. I mean, who does that?
  • It doesn't take into account the server itself temporarily serving rogue content.

So the idea of publishing the OpenPGP instructions on other media (online as well as offline) still makes sense.

I adjusted the title of the ticket to be more clear.

Still, I think that it only makes sense to publish in this way the advanced OpenPGP instructions that go through the web of trust (otherwise you're trusting https://tails.boum.org anyway). Right now that would be the content of https://tails.boum.org/install/expert/usb/, until we solve #11027.

XiauWu, would you be interested in preparing a copy of https://tails.boum.org/install/expert/usb/ on GitHub, maybe?

How do you think we could reduce the cost of keeping this page up to date to the minimum? Could we dump the HTML directly on GitHub? Part of it?

#3 Updated by u about 1 year ago

  • Assignee deleted (XiauWu)
  • QA Check deleted (Info Needed)
  • Type of work changed from Security Audit to End-user documentation

#4 Updated by u about 1 year ago

  • Related to Bug #15697: Downloading ISO and verifying signature not giving result shown in instructions added

#5 Updated by sajolida about 1 year ago

  • Subject changed from Publishing the OpenPGP instructions on multiple platforms to Publishing the OpenPGP instructions outside of our website
  • Priority changed from Normal to Low
