Investigate security issues that may be caused by passing SSL_NO_VERIFY unchanged to tails-upgrade-frontend
Originally created by @intrigeri on #7432 (Redmine)
We pass SSL_NO_VERIFY unchanged via sudo from the amnesia user to the tails-upgrade-frontend program. Presumably, an adversary who has taken control of the amnesia user, and can actively MitM the connection to https://tails.boum.org/, can e.g. serve an old upgrade-description file that hides the availability of an upgrade (indefinite freeze attack), or maybe even incite the user to downgrade to an older version of Tails (rollback attack). Note that the upgrade-description file being served still needs to be signed by the Tails signing key.
We should investigate the exact consequences of all this.
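The following is an added example, not part of the original issue and not Tails code. It shows why a valid signature alone does not stop the freeze or rollback cases described above, and what freshness and version checks would catch. The description fields (`latest`, `issued`), the day-number timestamps and the HMAC stand-in for the OpenPGP signature are all assumptions made for illustration.

```python
import hashlib, hmac, json

# Constructed demo key: HMAC stands in for the OpenPGP signature check.
KEY = b"constructed-demo-key"

def sign(desc):
    body = json.dumps(desc, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def signature_ok(signed):
    expected = hmac.new(KEY, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def version(v):
    return tuple(int(p) for p in v.split("."))

def evaluate(signed, running, last_seen_issued, now, max_age):
    """Decide on a description; times are day numbers (hypothetical fields)."""
    if not signature_ok(signed):
        return ("reject", "bad signature")
    desc = json.loads(signed["body"])
    if desc["issued"] < last_seen_issued:
        return ("reject", "replay of an older description")
    if now - desc["issued"] > max_age:
        return ("reject", "stale description, possible freeze")
    if version(desc["latest"]) < version(running):
        return ("reject", "downgrade offered, possible rollback")
    if version(desc["latest"]) == version(running):
        return ("accept", "up to date")
    return ("accept", "upgrade available")

# Constructed, validly signed descriptions from three points in time.
ANCIENT = sign({"latest": "0.9", "issued": 10})
OLD = sign({"latest": "1.0", "issued": 100})
NEW = sign({"latest": "1.1", "issued": 200})

if __name__ == "__main__":
    # A client on 1.0 at day 230 that is served OLD over an unverified connection.
    print("signature only:", signature_ok(OLD))
    print("with freshness:", evaluate(OLD, "1.0", 0, 230, 60))
    print("honest server: ", evaluate(NEW, "1.0", 0, 230, 60))
    print("rollback:      ", evaluate(ANCIENT, "1.0", 0, 20, 60))
```

On an amnesic system the `last_seen_issued` value is not available after a reboot unless it is persisted, so in this sketch the `max_age` check is the one that still applies on a fresh boot.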