Information
ID: 145
PHID: PHID-TASK-gadkusif53cjgwegkdon
Author: Patrick
Status at Migration Time: wontfix
Priority at Migration Time: Normal
Description
Migrated from:
https://github.com/Whonix/Whonix/issues/177
Justification:
SSL mirrors may sound like a bad idea for security; the phrase may even seem like an oxymoron. A justification why we believe it improves security can be found here:
As another justification, here is an argument from authority: as I understand it, Jacob Appelbaum preferred that the Tails download be https by default. Source:
https://mailman.boum.org/pipermail/tails-dev/2013-June/003211.html
Implementation ideas:
SSL/TLS mirrors are difficult to implement because of the trust and key issues involved.
Let mirrors use whatever certs/domains they have (hopefully from a "trusted" CA so that it does not trigger certificate warnings for the user), and include their URL in a list. When a user visits the download page, one of those URLs is placed into the article using something like Extension:RandomInclude. This would be a little cumbersome with caching. Perhaps we could have a static link to something like "whonix.org/download/ssl.php", which would in turn redirect to a randomly chosen SSL mirror.
There was a helpful answer on the libtech mailing list on how to implement this:
https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013130.html
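To make the redirector idea concrete, here is an added example (not Whonix project code, and written in Python rather than as the ssl.php mentioned above) of the logic such a redirector would need: an allowlist of mirrors, each serving under its own certificate and hostname, a check that every entry is a genuine https URL so a bad list entry can never downgrade a visitor to plain http, a random choice per request, and an uncacheable 302 so a cache does not pin every visitor to the same mirror. The mirror hostnames and the download path are constructed placeholders.

```python
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of mirrors that offer an HTTPS endpoint of their own.
# Each mirror presents its own certificate for its own hostname; no private
# key is shared between the project and the mirrors.
HTTPS_MIRRORS = [
    "https://mirror-a.example.net/whonix/",
    "https://mirror-b.example.org/pub/whonix/",
    "https://mirror-c.example.edu/whonix/",
]

# Only requests below this prefix are redirected; anything else gets a 404.
ALLOWED_PREFIX = "/download/"

# One CSPRNG for the whole process; uniform choice is all that is needed here.
_RNG = secrets.SystemRandom()


def validate_mirror(url: str) -> bool:
    """A list entry is usable only if it is an absolute https URL with a host,
    no userinfo, no query or fragment, and a directory path ending in '/'.
    Everything else (notably plain http) is silently skipped."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and bool(parts.hostname)
        and parts.username is None
        and parts.query == ""
        and parts.fragment == ""
        and parts.path.endswith("/")
    )


def pick_mirror(mirrors) -> str:
    """Choose uniformly at random among the entries that pass validation."""
    candidates = [m for m in mirrors if validate_mirror(m)]
    if not candidates:
        raise RuntimeError("no valid https mirror configured")
    return _RNG.choice(candidates)


def safe_relative_path(request_path: str) -> Optional[str]:
    """Reduce the request to a single file name under ALLOWED_PREFIX.
    Subdirectories, traversal components and dot-files are rejected so the
    redirect target is always '<mirror>/<plain file name>'."""
    if not request_path.startswith(ALLOWED_PREFIX):
        return None
    rel = request_path[len(ALLOWED_PREFIX):]
    if not rel or "/" in rel or "\\" in rel or rel.startswith("."):
        return None
    return rel


def redirect_response(request_path: str, mirrors=HTTPS_MIRRORS):
    """Return (status, headers) for one request: 302 to a random HTTPS mirror
    for a valid download path, 404 otherwise. Both answers are marked
    no-store so an intermediate cache cannot freeze the mirror choice."""
    rel = safe_relative_path(request_path)
    if rel is None:
        return 404, {"Cache-Control": "no-store"}
    location = pick_mirror(mirrors) + rel
    return 302, {"Location": location, "Cache-Control": "no-store"}


if __name__ == "__main__":
    # Constructed request for a (placeholder) image file name.
    print(redirect_response("/download/Whonix-Gateway.ova"))
```

The allowlist is the trust boundary: the redirector never builds a target from user input beyond the file name, and a mirror that drops its HTTPS endpoint is removed from rotation simply by failing `validate_mirror`, with the plain-http mirrors kept for the manual-verification use cases listed below.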
Comments by Mick:
https://github.com/Whonix/Whonix/issues/96#issuecomment-26475207
@fortasse and I agreed on the following plan:
- We indefinitely keep all http mirrors.
- Those are useful as backup.
- Useful for users who do manual verification.
- Useful for possible later Whonix downloader/installer that does verification.
- Useful as host for Whonix’s APT repository and Whonix News (#178) [those use verification using gpg, no https required].
- We need a mirror manager (one that contacts prospective new mirrors, stays in touch with mirrors in case of issues).
- After we have a stable http mirror network and enough mirror contacts - we’re not there yet - we ask them if they would be willing to provide optional ssl access. If not, they stay http mirrors. If yes, they become http + https mirrors.
Non-Solutions:
Sharing a separate SSL private key with mirrors: once that key ends up in the wrong hands even a single time, all mirrors are compromised.
Comments
Patrick
2016-04-11 15:51:45 UTC