[liberationtech] secure download tool - doesn't exist?!?
Jonathan Wilkes
jancsika at yahoo.com
Tue Jul 2 14:57:01 PDT 2013
On 07/02/2013 12:46 PM, Jonathan Wilkes wrote:
> On 07/02/2013 04:51 AM, intrigeri wrote:
>> Hi,
>>
>> adrelanos wrote (01 Jul 2013 18:03:01 GMT) :
>>> Goal:
>>> - big file downloads
>>> - at least as secure as TLS
>>> - at least as simple as a regular download using a browser
>>> - not using TLS itself (too expensive) for bulk download
>>> The problem: [...]
>> + verify that the signed file you've downloaded is actually the
>> version you intended to download, and not an older, also properly
>> signed one.
>>
>> See tools that take this into account:
>> - Thandy (already mentioned by Moritz)
>> - our design for incremental updates:
>> https://tails.boum.org/todo/incremental_upgrades/
>> - TUF:
>> https://www.updateframework.com/
>
> Does Debian's "Valid-Until" field in the release files solve this
> problem?

After getting some help on #debian-apt, I can at least say that the
"Valid-Until" field in the release file for Debian security updates is
indeed intended to address replay attacks. The first two papers
referenced at https://www.updateframework.com/ were written before that
field was added.

-Jonathan
>
> -Jonathan
>
>>
>> Other than this, our current take on it is, I believe, making it
>> easier to verify OpenPGP detached signatures. E.g. we're working to
>> make it work flawlessly on the GNOME desktop.
>>
>> Cheers,
>> --
>> intrigeri
>> | GnuPG key @
>> https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
>> | OTR fingerprint @
>> https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
>> --
>> Too many emails? Unsubscribe, change to digest, or change password by
>> emailing moderator at companys at stanford.edu or changing your settings
>> at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>
>
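
The replay check discussed in this message, as an added example (not code from the thread, from apt, or from any of the tools linked above): a client that has already verified the signature on a Release file still compares "Valid-Until" against its own clock and "Date" against the newest metadata it accepted earlier. The sample file, the function names and the four result labels are assumptions made for this sketch.

```python
from email.utils import parsedate_to_datetime

# Constructed sample, not a real archive's file: top of a Release file whose
# OpenPGP signature is assumed to have been verified already.
SAMPLE_RELEASE = """\
Origin: Debian
Label: Debian-Security
Suite: stable
Date: Sat, 29 Jun 2013 10:12:20 UTC
Valid-Until: Sat, 06 Jul 2013 10:12:20 UTC
MD5Sum:
 0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages
"""


def parse_fields(text):
    """Return the top-level 'Key: value' fields, skipping checksum entries."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # indented continuation line or blank line
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def check_freshness(text, now, last_seen_date=None):
    """Classify signed metadata as 'ok', 'expired', 'rollback' or 'no-expiry'.

    now and last_seen_date are timezone-aware datetimes; last_seen_date is the
    Date of the newest Release file this client accepted before (hypothetical
    client-side state, kept by the caller).
    """
    fields = parse_fields(text)
    date = parsedate_to_datetime(fields["Date"])
    if last_seen_date is not None and date < last_seen_date:
        return "rollback"   # older than metadata we already trusted
    if "Valid-Until" not in fields:
        return "no-expiry"  # signature alone cannot rule out a replay
    if now > parsedate_to_datetime(fields["Valid-Until"]):
        return "expired"    # validly signed but stale: treat as a replay
    return "ok"
```

The expiry check is only as good as the client's clock, and a replayed file is still accepted until its "Valid-Until" time passes, which is why the sketch also keeps the last accepted "Date".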