[Commotion-dev] Commotion download security

Josh King jking at chambana.net
Wed Oct 24 15:45:49 UTC 2012


We can't really force anyone to do either one. I think we should
provide both, so that someone who doesn't have gnupg set up will still
be able to verify that they have an uncorrupted download.

On Wed 24 Oct 2012 11:40:37 AM EDT, Dan Staples wrote:
> Great, thanks for the feedback! As a quick note about checksums, I worry
> that people who /would/ verify the checksum might leave it at that and
> not check the PGP signature. Perhaps we should leave out an MD5/SHA1
> checksum and just include a PGP signature, so that they would be pushed
> to do a more secure verification...sort of as a way to encourage better
> security practices. Or would that just be counterproductive?
>
> The website and downloads are all forced HTTPS, using a valid cert (at
> least in my browser).
>
> Dan
>
> On Fri 19 Oct 2012 07:20:17 PM EDT, Hans-Christoph Steiner wrote:
>>
>>
>> This is a good idea for sure. One thing would be to use SHA1 instead
>> of MD5. It's only a little longer and still not cracked. A PGP signature
>> is good for people who actually check these things. For the PGP sig to
>> be effective, the downloads should be signed by a key that is signed by
>> as many other keys as possible so that people can find a chain of trust
>> to that key.
>>
>> For most people, they'll never check a hash or a signature. One thing
>> that is not hard to set up and transparent to the user is to force HTTPS
>> for the downloads, and have a real, valid cert.
>>
>> About the download page layout, I think that next to the binaries, there
>> should be the source code. I don't think having olsrd plugins there would
>> be useful since as far as I know they are all distributed as part of
>> olsrd itself, and never outside of it.
>>
>> .hc
>>
>> On 10/19/2012 05:05 PM, Dan Staples wrote:
>>>
>>> I'd like to bring up the issue of how to best give users the ability to
>>> verify the integrity and authenticity of Commotion binaries and source
>>> code they download from the website. Currently, our redmine provides
>>> md5 checksums of our OpenWRT images. Without even getting into the
>>> weaknesses of the md5 algorithm (which may or may not be relevant here),
>>> a checksum doesn't let the user verify that the image they download is
>>> in fact authentic (e.g. in the case of a man-in-the-middle attack or a
>>> compromised server).
>>>
>>> The TAILS project provides the PGP signature of their ISO image on their
>>> download page (https://tails.boum.org/download/index.en.html). I like
>>> this approach because the user is able to check both the integrity and
>>> authenticity of their download. What would folks think about using a
>>> PGP signature instead of or in addition to an md5 checksum? Another idea
>>> is that we could instruct users to use the web of trust and public key
>>> servers to retrieve and verify the PGP signing key, instead of getting
>>> it from our website. Of course, this brings up the question of who
>>> would own and manage the signing key for Commotion...
>>>
>>> Finally, attached is a screenshot of a Downloads page for the Commotion
>>> website I'm putting together. Right now it just has OpenWRT, but
>>> Android will also be added. If anyone has suggestions for what else
>>> should go on the page or what should be different, please let me know.
>>> Here (or maybe elsewhere?) we could also list the features that are in
>>> development or planned, but aren't a part of the core Commotion
>>> repositories (like OLSRd plugins), and there would be links out to these
>>> sub-projects.
>>>
>>> Dan Staples
>>>
>>>
>>>
>>> _______________________________________________
>>> Commotion-dev mailing list
>>> Commotion-dev at lists.chambana.net
>>> http://lists.chambana.net/mailman/listinfo/commotion-dev
>>>
>>
>>
>>
>> --
>> Dan Staples
>> Program Associate, Open Technology Institute
>> New America Foundation
>
>
>

--
Josh King

"I am an Anarchist not because I believe Anarchism is the final goal,
but because there is no such thing as a final goal." -Rudolf Rocker
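An added example (not code from this thread or from the Commotion project): a POSIX shell routine that does, from the downloader's side, the two checks the thread discusses, the SHA-1 checksum first and then the detached PGP signature, accepted only if it was made by a pinned key fingerprint. The file names, the keyring path and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# Client-side check of a downloaded firmware image: the SHA-1 checksum catches a
# corrupted transfer; the detached OpenPGP signature, pinned to one expected key
# fingerprint, catches a swapped file or a server serving its own checksums.
# File names and the keyring path below are assumptions, not project values.

# verify_checksum FILE SUMS_FILE
# SUMS_FILE is in sha1sum(1) format ("<hex>  <name>" or "<hex> *<name>").
# Returns 0 on match, 1 on mismatch, 2 if SUMS_FILE has no entry for FILE.
verify_checksum() {
    vc_name=$(basename "$1")
    vc_expected=$(awk -v n="$vc_name" '$2 == n || $2 == "*" n { print $1 }' "$2")
    [ -n "$vc_expected" ] || return 2
    vc_actual=$(sha1sum "$1" | awk '{ print $1 }')
    [ "$vc_actual" = "$vc_expected" ]
}

# verify_signature FILE SIG_FILE KEYRING FINGERPRINT
# Reads gpg's machine-readable status lines and accepts only a VALIDSIG line
# whose signing-key or primary-key fingerprint equals the pinned one. The
# keyring should hold the release key as obtained out of band (key servers,
# web of trust), not a key fetched from the same page as the download.
verify_signature() {
    vs_status=$(gpg --batch --no-default-keyring --keyring "$3" \
                    --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$vs_status" | grep -E -q "^\[GNUPG:\] VALIDSIG ($4 |.* $4\$)"
}

# verify_download FILE SUMS_FILE SIG_FILE KEYRING FINGERPRINT
verify_download() {
    if ! verify_checksum "$1" "$2"; then
        echo "FAIL: checksum mismatch or no entry for $1 (corrupt download?)" >&2
        return 1
    fi
    if ! verify_signature "$1" "$3" "$4" "$5"; then
        echo "FAIL: no valid signature on $1 from key $5 (do not flash it)" >&2
        return 1
    fi
    echo "OK: $1 is intact and signed by $5"
}

# Example invocation (every name here is a placeholder):
#   verify_download openwrt-commotion.bin SHA1SUMS openwrt-commotion.bin.asc \
#       ./release-keyring.gpg FINGERPRINT_OF_RELEASE_KEY
if [ "$#" -eq 5 ]; then
    verify_download "$@"
fi
```

A checksum published next to the image only proves the bytes arrived intact, so the routine refuses the file unless the signature also verifies against the pinned key; a key fetched from the download page itself would make the second check no stronger than the first.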
