[liberationtech] Tails ISO verification extension for Firefox
sajolida
sajolida at pimienta.org
Sun Apr 19 07:33:13 PDT 2015
Hi,
I'm part of the people developing Tails: https://tails.boum.org/.
We're working over 2015 on a Firefox extension to automatically do
checksum verification of our ISO downloads.
Software verification is a critical step in the use of secure
applications but it has traditionally been hard to provide, especially
from a user perspective. Usual solutions are:
- Using HTTPS to download. But in the case of Tails, we are serving
so many downloads that we have to rely on mirrors hosted by third
parties.
- Providing OpenPGP signatures. But this really works only for the
few of us who know how to verify an OpenPGP signature and use the
OpenPGP Web-of-Trust correctly.
We are trying here to provide a usable solution to verify a download
done through HTTP, while relying on cryptographic information fetched
elsewhere through HTTPS (and possibly with stronger authentication
mechanisms such as public key pinning from browser vendors).
You can read more about our idea on this blueprint where we describe
better our goals, user scenario, wireframe, and threat model:
https://tails.boum.org/blueprint/bootstrapping/extension
We still have to carry on a more in depth thread modeling of everything
bad that can happen inside the browser to fool the verification process.
I writing to the list to ask if there are other similar projects around.
We already know of Satori by Griffin Boyce (https://github.com/satori)
but we want to make sure we didn't miss any other similar project before
it's too late.
--
sajolida
More information about the liberationtech
mailing list