[Commotion-dev] Commotion download security

Dan Staples danstaples at opentechinstitute.org
Wed Oct 24 15:40:37 UTC 2012


Great, thanks for the feedback! As a quick note about checksums, I worry
that people who /would/ verify the checksum might leave it at that
and not check the PGP signature. Perhaps we should leave out an MD5/SHA1
checksum and just include a PGP signature, so that they would be pushed
to do a more secure verification...sort of as a way to encourage better
security practices. Or would that just be counterproductive?

The website and downloads are all forced HTTPS, using a valid cert (at
least in my browser).

Dan

On Fri 19 Oct 2012 07:20:17 PM EDT, Hans-Christoph Steiner wrote:
>
>
> This is a good idea for sure. One thing would be to use SHA1 instead
> of MD5. It's only a little longer and still not cracked. A PGP signature
> is good for people who actually check these things. For the PGP sig to
> be effective, the downloads should be signed by a key that is signed by
> as many other keys as possible so that people can find a chain of trust
> to that key.
>
> For most people, they'll never check a hash or a signature. One thing
> that is not hard to set up and transparent to the user is to force
> HTTPS for the downloads, and have a real, valid cert.
>
> About the download page layout, I think that next to the binaries, there
> should be the source code. I don't think having olsrd plugins there
> would be useful since as far as I know they are all distributed as part
> of olsrd itself, and never outside of it.
>
> .hc
>
> On 10/19/2012 05:05 PM, Dan Staples wrote:
>>
>> I'd like to bring up the issue of how to best give users the ability to
>> verify the integrity and authenticity of Commotion binaries and source
>> code they download from the website. Currently, our redmine provides
>> md5 checksums of our OpenWRT images. Without even getting into the
>> weaknesses of the md5 algorithm (which may or may not be relevant here),
>> a checksum doesn't let the user verify that the image they download is
>> in fact authentic (e.g. in the case of a man-in-the-middle attack or a
>> compromised server).
>>
>> The TAILS project provides the PGP signature of their ISO image on their
>> download page (https://tails.boum.org/download/index.en.html). I like
>> this approach because the user is able to check both the integrity and
>> authenticity of their download. What would folks think about using a
>> PGP signature instead of or in addition to an md5 checksum? Another idea
>> is that we could instruct users to use the web of trust and public key
>> servers to retrieve and verify the PGP signing key, instead of getting
>> it from our website. Of course, this brings up the question of who
>> would own and manage the signing key for Commotion...
>>
>> Finally, attached is a screenshot of a Downloads page for the Commotion
>> website I'm putting together. Right now it just has OpenWRT, but
>> Android will also be added. If anyone has suggestions for what else
>> should go on the page or what should be different, please let me know.
>> Here (or maybe elsewhere?) we could also list the features that are in
>> development or planned, but aren't a part of the core Commotion
>> repositories (like OLSRd plugins), and there would be links out to these
>> sub-projects.
>>
>> Dan Staples
>>
>>
>>
>> _______________________________________________
>> Commotion-dev mailing list
>> Commotion-dev at lists.chambana.net
>> http://lists.chambana.net/mailman/listinfo/commotion-dev
>>
>
>
>
> -- 
> Dan Staples
> Program Associate, Open Technology Institute
> New America Foundation
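As an added illustration of the point raised in the original post (not code from the thread or from the Commotion project), a constructed Python model of why a checksum served next to the download only checks integrity, while a reference digest obtained from a channel the attacker does not control (for example, one the user verified under a PGP signature) also gives authenticity:

```python
import hashlib

# Constructed sample bytes standing in for a released OpenWRT image.
GENUINE_IMAGE = b"commotion-openwrt-image-v1 (constructed sample)"


def sha256_hex(data: bytes) -> str:
    """Hex digest of a downloaded blob (SHA-256 used here instead of MD5/SHA1)."""
    return hashlib.sha256(data).hexdigest()


def publish(image: bytes) -> dict:
    """What the download server serves: the image plus a checksum file beside it."""
    return {"image": image, "sums": sha256_hex(image)}


def verify_checksum(served: dict) -> bool:
    """The check users do today: hash the download and compare it with the
    checksum served from the same place. Detects corruption in transit only."""
    return sha256_hex(served["image"]) == served["sums"]


def compromised_server(malicious_image: bytes) -> dict:
    """Threat model from the thread: whoever controls the server or the path to it
    swaps the image and simply republishes a matching checksum beside it."""
    return publish(malicious_image)


def verify_with_trusted_digest(served: dict, trusted_digest: str) -> bool:
    """Same hash comparison, but the reference digest comes from a channel the
    user trusts independently of the download server (e.g. a signed release
    statement whose PGP signature was verified against a key from the web of
    trust). A swapped image now fails, because the attacker cannot change
    the digest the user already holds."""
    return sha256_hex(served["image"]) == trusted_digest


def demo() -> dict:
    """Run both checks against a genuine and a swapped download."""
    trusted = sha256_hex(GENUINE_IMAGE)
    genuine = publish(GENUINE_IMAGE)
    swapped = compromised_server(b"constructed tampered image")
    return {
        "genuine_checksum_ok": verify_checksum(genuine),
        "swapped_checksum_ok": verify_checksum(swapped),          # True: checksum is fooled
        "genuine_trusted_ok": verify_with_trusted_digest(genuine, trusted),
        "swapped_trusted_ok": verify_with_trusted_digest(swapped, trusted),  # False
    }
```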