[liberationtech] Fwd: [Tails-dev] download over http by default?

Douglas Lucas dal at riseup.net
Sun Aug 31 18:30:11 PDT 2014 

A similar problem exists for UNetbootin, one of the primary install
vehicles for GNU/Linux operating systems. In March of this year, I
noticed the problem and forwarded it to Kevin Gallagher who wrote it up
well on Github as a ticket. It's still an open ticket!

https://github.com/gkovacs/unetbootin/issues/9

Here's Kevin's write-up:

===
UNetbootin is one of the primary install vehicles for GNU/Linux
operating systems. Ergo, it requires a high level of trust.

Given what we know, this project absolutely needs to adopt more secure
and verifiable means of delivering the binaries. Currently, users have
no way to know whether backdoors are being inserted into their
installation media by the NSA or GCHQ or another advanced adversary via
compromise of UNetbootin with MITM, HTTP/DNS or browser exploits.

Your downloads
http://sourceforge.net/projects/unetbootin/files/UNetbootin/585/ are not
signed, but there are SHA1 and MD5 checksums available. Yet these too
are served over plain HTTP so could be modified in transit.

Please come up with a key and start signing the files with it, and also
secure the SourceForge project page
http://sourceforge.net/projects/unetbootin with an SSL certificate, and
force HTTPS.
===

On 07/01/2013 12:40 PM, adrelanos wrote:
> Originally posted on Tails-dev by Jacob Appelbaum. Interesting,
> important topic. Thanks! I took the freedom to forward it to
> liberationtech, since one of the topics lately was "the tool doesn't
> exist". Just as reference.
> 
> -------- Original Message --------
> Subject: [Tails-dev] download over http by default?
> Date: Sun, 30 Jun 2013 00:46:27 +0000
> From: Jacob Appelbaum <jacob at appelbaum.net>
> Reply-To: The Tails public development discussion list <tails-dev at boum.org>
> To: The Tails public development discussion list <tails-dev at boum.org>
> 
> Hi,
> 
> When upgrading a tails machine today, I noticed that the default
> download link is HTTP. We've done some statistics on the number of users
> that actually bother to download signatures - it basically borders on
> none for some software. Does Tails find that for every ISO, users
> download the signature? Ten to one? Perhaps one out of ever thousand
> downloads?
> 
> I really strongly encourage that the default download link should be
> secure - if there was a tool to download updates and it automatically
> checked the signatures, I'd think it was perhaps OK to use HTTP.
> Probably not but well, I could at least believe that someone might
> complete both steps. Without such a tool, I think this is merely a
> recipe for disaster.
> 
> We carry a secure mirror here:
> 
>   https://archive.torproject.org/amnesia.boum.org/tails/stable/
> 
> If you guys can't handle HTTPS traffic, I really encourage you to link
> to our HTTPS site as the default. If nothing else, I believe that some
> browsers also pin our certs. That at least changes the game to something
> a bit harder.
> 
> All the best,
> Jacob
> _______________________________________________
> tails-dev mailing list
> tails-dev at boum.org
> https://mailman.boum.org/listinfo/tails-dev
> 
> 
> 
> 
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>

More information about the liberationtech mailing list