[liberationtech] secure download tool - doesn't exist?!?

[Guido Witmond]

On 01-07-13 23:01, Eleanor Saitta wrote:
> On 2013.07.01 12.19, adrelanos wrote:
>> - you still have to tell the user "you must download tool X before 
>> you can download Y"
> 
> This, of course, is a global problem everywhere.  A secure channel 
> requires a shared secret, in this case between the developers and
> the end user.  How does the user get their initial OS image if it
> didn't come with their machine or they didn't buy it in a brick and
> mortar store (both hard for FLOSS).  Solutions in the non-general
> case are nice, but we should also remember that we have no general
> case solution either.

There is a (partial) solution for this problem.

The site operator creates a server certificate. Either a global TTP or
self signed. (S)He publishes it with DNSSEC and DANE.

The users who want to download can verify the server certificate with
the Extended DNSSEC Validator add on for Firefox. It creates a trusted
path between the site and the user. Now the user can validate the site
certificate and trust the hashes on the page.

The reason that it's a partial solution is that it defers the
trust-seed-question to the plug-in distribution channel. But that need
only be solved once for the whole to benefit.

The reason that the DNSSEC-chain can be trusted is that it is
*politically secure*. There are too many different parties pulling in
too many different directions so the net result is a stable system. Any
tampering from any party will be loudly complained by any other party.

The only thing you need is to Pin the DNSSEC root key into your browser.

Besides we need monitoring systems such as Perspectives and Certificate
Transparency in the browsers to detect DNSSEC/CA manipulations.

Caveat: the Ext DNSSEC Validator is not production ready but the gist is
there. I think DNSSEC may or may not be the ultimate answer but it is a
good way to go forward.

The 64000 dollar question: Who is going to push Mozilla in this direction?

Guido.