[liberationtech] From Snowden's email provider. NSL???
Michael Rogers
michael at briarproject.org
Sat Aug 10 08:43:12 PDT 2013
On 09/08/13 17:43, Reed Black wrote:
> CryptoCat is served up by the Chrome app store. Do you have
> control over what binary gets distributed to who? Does any assurance
> exist beyond the app store's own signing validation?
>
> I thought this was like webmasters and third-party script
> inclusions. They will be blind if Google or DoubleClick are
> compelled to selectively swap out the scripts they serve to
> millions of third-party sites.

If we assume that app stores aren't going away any time soon, we need
to address this problem: How can a user who downloads an app from an
app store be satisfied that it was built from published source code?
We might also think about how to solve the problem for apps downloaded
through browsers.

Verifiable builds are necessary but not sufficient here - they allow
an expert auditor to tell whether the binary she downloaded was built
from the published source, but an attacker might target the binaries
downloaded by certain other users without alerting the auditor. So we
also need a way for a non-expert user to tell whether the binary she
downloaded matches the one that was audited.

PGP signatures and hashes aren't currently usable by non-experts, and
signatures or hashes published through the same channel as the binary
can be tampered with in the same way as the binary.

Something along the lines of Certificate Transparency might be useful
here: a public log of software names, versions, and hashes, which a
browser or other download tool can use to verify downloaded binaries
without any manual steps needing to be taken by the user. Software
publishers would be responsible for adding entries to the log for
their own software and monitoring the log for entries added by anyone
else.

Cheers,
Michael
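The log proposed in the message above, sketched as an added example that is not part of the original post or of any project's code: a simplified Merkle log of (name, version, hash) entries, the check a download tool could run, and the publisher's monitoring pass. The entry format, function names, the `exampleapp` data and the assumption that the client obtains the log root over a channel independent of the download are all hypothetical.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def leaf_hash(entry) -> bytes:
    # entry = (name, version, sha256 hex of binary); the 0x00 prefix marks a leaf
    return hashlib.sha256(b"\x00" + "\n".join(entry).encode()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # the 0x01 prefix marks an interior node, so a leaf can never pass as a node
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    k = 1  # largest power of two strictly smaller than n
    while k * 2 < n:
        k *= 2
    return k

def root(leaves) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(root(leaves[:k]), root(leaves[k:]))

def inclusion_proof(leaves, i):
    # Sibling hashes from leaf i up to the root, each tagged with its side.
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if i < k:
        return inclusion_proof(leaves[:k], i) + [(root(leaves[k:]), "R")]
    return inclusion_proof(leaves[k:], i - k) + [(root(leaves[:k]), "L")]

def verify_download(binary, name, version, proof, trusted_root) -> bool:
    # Download tool: hash what was actually received and walk the proof.
    node = leaf_hash((name, version, sha256_hex(binary)))
    for sibling, side in proof:
        node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
    return node == trusted_root

def unexpected_entries(log, name, published):
    # Publisher monitor: entries under our name that we did not add.
    return [e for e in log if e[0] == name and e not in published]

# Constructed sample data (not real software or hashes of real binaries)
GOOD = b"constructed release binary 1.0"
TAMPERED = b"constructed tampered binary 1.0"
LOG = [("otherapp", "2.1", sha256_hex(b"a")),
       ("exampleapp", "1.0", sha256_hex(GOOD)),
       ("otherapp", "2.2", sha256_hex(b"b"))]
```

A binary swapped for one user fails `verify_download` unless its hash is also appended to the log, and an appended entry is what `unexpected_entries` surfaces to the publisher.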