[liberationtech] software download over SSL mirrors?

Patrick Schleizer adrelanos at riseup.net
Sun Mar 9 17:09:14 PDT 2014


TL;DR:

Does anyone know how to set up a mirror network supporting SSL?

The problem is, the domain name will be https://sslmirror.whonix.org,
but the SSL certificate will be provided by
https://some-friendly-mirror.domain. This will likely result in an SSL
mismatch?

Are you aware of any software project that has already implemented SSL
mirrors?

Long:

We, the people behind Whonix [1] (fortasse, Jason and me) would be
interested in sharing our software over an https mirror network.

Having SSL-supported mirrors may seem like an oxymoron. The common
practice is to say that mirrors are not to be trusted. Even if the
mirror owners were trusted persons, it's still an open question how good
their server security is. And even if their server security is good,
mirrors are generally also hosted in hosting companies and we can't
trust those. However, not all adversaries share all available
capabilities. Not all adversaries capable of mounting a
man-in-the-middle attack are capable of breaking server security or
forcing the hosting company to turn over the keys etc. Users not caring
to use verification are still better off downloading from an SSL-supported
mirror that works against less sophisticated adversaries. In
numbers, this results in fewer users potentially ending up with
maliciously altered downloads, so we think this is worth going for.

It would also be safer if the download server were under full
control of the developers and not under control of a big company
(hosting provider). But that's not how things work today. Self-hosting
is very expensive. (Requires fast internet connection, home user
contracts won't be fast enough, many servers, electrical power and
physical security (officers).) Even the servers of The Tor Project are
not hosted in some developer's home.

Of course, providing downloadable images over SSL and/or a hidden
service hosted by Whonix developers in a physically owned and protected
place would be safer. Practically it is difficult to provide SSL
protected downloads at all. Many important software projects can only be
downloaded in the clear, such as Ubuntu, Debian, Tails, Qubes OS, etc.
This is because someone has to pay the bill and SSL (encryption) makes
it more expensive.

The SSL CA system being flawed in the first place is another story, but
in the meantime it's the best we've got and we have to deal with it.

Cheers,
Patrick

[1] https://www.whonix.org
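The mismatch Patrick asks about comes from certificate hostname verification: a browser accepts a certificate only if the name the user typed (here sslmirror.whonix.org) appears among the certificate's subjectAltName DNS entries, so a mirror presenting its own certificate for some-friendly-mirror.domain is rejected. The model below is an added example, not code from the post or from Whonix. It implements the RFC 6125-style matching rules browsers apply (case-insensitive, wildcard accepted only as the whole left-most label, no bare TLD wildcard), plus a simplified SNI selection step, and runs two constructed scenarios: the mirror serving only its own certificate, and the mirror additionally serving a certificate issued for the project's hostname. The certificate names are constructed for illustration; real SNI selection is done by the web server, not by this code.

```python
"""Why an SSL mirror's certificate 'mismatches', and what fixes it.

Added example, not code from the original post or from Whonix. The names
below are constructed for illustration; the matching rules follow the
RFC 6125 conventions browsers apply (case-insensitive, wildcard only as the
whole left-most label, no wildcard-only TLD match).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """The DNS names a certificate is valid for (its subjectAltName dNSName entries)."""
    dns_names: tuple


def _normalize(name: str) -> list:
    """Lower-case, drop a trailing dot, and split into labels."""
    return name.rstrip(".").lower().split(".")


def hostname_matches(cert: Certificate, hostname: str) -> bool:
    """True if one of the certificate's DNS names covers hostname."""
    host_labels = _normalize(hostname)
    for name in cert.dns_names:
        labels = _normalize(name)
        if len(labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if any("*" in label for label in labels):
            # Wildcard accepted only as the entire left-most label, and only when
            # at least two labels follow it, so "*.org" cannot match whonix.org.
            if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
                continue
        if all(p == "*" or p == l for p, l in zip(labels, host_labels)):
            return True
    return False


def select_certificate(installed: tuple, default: Certificate, sni_name: str) -> Certificate:
    """Model SNI virtual hosting (simplified, hypothetical): the mirror presents the
    first installed certificate covering the name the client asked for, else its default."""
    for cert in installed:
        if hostname_matches(cert, sni_name):
            return cert
    return default


def handshake_ok(installed: tuple, default: Certificate, requested_host: str) -> bool:
    """Would a browser accept the certificate the mirror presents for requested_host?"""
    return hostname_matches(select_certificate(installed, default, requested_host), requested_host)


# Constructed certificates for the scenario in the post.
MIRROR_OWN_CERT = Certificate(("some-friendly-mirror.domain", "www.some-friendly-mirror.domain"))
PROJECT_CERT = Certificate(("sslmirror.whonix.org", "*.sslmirror.whonix.org"))


def scenario_without_project_cert() -> bool:
    """Mirror serves only its own certificate: the name the user typed is not covered."""
    return handshake_ok((MIRROR_OWN_CERT,), MIRROR_OWN_CERT, "sslmirror.whonix.org")


def scenario_with_project_cert() -> bool:
    """Mirror additionally installs a certificate issued for the project's hostname
    and selects it via SNI: the user's browser now sees a matching name."""
    return handshake_ok((PROJECT_CERT, MIRROR_OWN_CERT), MIRROR_OWN_CERT, "sslmirror.whonix.org")


if __name__ == "__main__":
    print("mirror cert only:", "ok" if scenario_without_project_cert() else "hostname mismatch")
    print("project cert installed:", "ok" if scenario_with_project_cert() else "hostname mismatch")
```

The second scenario is the usual answer to the question: the name users connect to must be covered by whatever certificate the mirror presents, so either the project obtains a certificate for sslmirror.whonix.org (or a wildcard under it) and hands it to each mirror operator to serve via SNI, or users are pointed at each mirror's own hostname. Handing out the private key to every mirror is the trade-off the post's threat model already accepts for the mirror itself.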
