[Commotion-dev] Commotion download security

Hans-Christoph Steiner hans at guardianproject.info
Wed Oct 24 15:57:46 UTC 2012


Yeah, I agree. Have both the hash and the PGP sig.

.hc

On 10/24/2012 11:45 AM, Josh King wrote:
> We can't really force anyone to do either one. I think we should 
> provide both, so that someone who doesn't have gnupg setup will still 
> be able to verify that they have an uncorrupted download.
> 
> On Wed 24 Oct 2012 11:40:37 AM EDT, Dan Staples wrote:
>> Great, thanks for the feedback! As a quick note about checksums, I worry
>> that people who /would/ verify the checksum might leave it at that
>> and not check the PGP signature. Perhaps we should leave out an MD5/SHA1
>> checksum and just include a PGP signature, so that they would be pushed
>> to do a more secure verification...sort of as a way to encourage better
>> security practices.  Or would that just be counterproductive?
>>
>> The website and downloads are all forced HTTPS, using a valid cert (at
>> least in my browser).
>>
>> Dan
>>
>> On Fri 19 Oct 2012 07:20:17 PM EDT, Hans-Christoph Steiner wrote:
>>>
>>>
>>> This is a good idea for sure. One thing would be to use SHA1 instead
>>> of MD5. It's only a little longer and still not cracked. A PGP signature
>>> is good for people who actually check these things. For the PGP sig to be
>>> effective, the downloads should be signed by a key that is signed by as
>>> many other keys as possible so that people can find a chain of trust to
>>> that key.
>>>
>>> For most people, they'll never check a hash or a signature. One thing
>>> that is not hard to set up and transparent to the user is to force HTTPS
>>> for the downloads, and have a real, valid cert.
>>>
>>> About the download page layout, I think that next to the binaries, there
>>> should be the source code. I don't think having olsrd plugins there
>>> would be useful since as far as I know they are all distributed as part
>>> of olsrd itself, and never outside of it.
>>>
>>> .hc
>>>
>>> On 10/19/2012 05:05 PM, Dan Staples wrote:
>>>>
>>>> I'd like to bring up the issue of how to best give users the ability to
>>>> verify the integrity and authenticity of Commotion binaries and source
>>>> code they download from the website. Currently, our redmine provides
>>>> md5 checksums of our OpenWRT images. Without even getting into the
>>>> weaknesses of the md5 algorithm (which may or may not be relevant here),
>>>> a checksum doesn't let the user verify that the image they download is
>>>> in fact authentic (e.g. in the case of a man-in-the-middle attack or a
>>>> compromised server).
>>>>
>>>> The TAILS project provides the PGP signature of their ISO image on their
>>>> download page (https://tails.boum.org/download/index.en.html). I like
>>>> this approach because the user is able to check both the integrity and
>>>> authenticity of their download. What would folks think about using a
>>>> PGP signature instead of or in addition to an md5 checksum? Another idea
>>>> is that we could instruct users to use the web of trust and public key
>>>> servers to retrieve and verify the PGP signing key, instead of getting
>>>> it from our website. Of course, this brings up the question of who
>>>> would own and manage the signing key for Commotion...
>>>>
>>>> Finally, attached is a screenshot of a Downloads page for the Commotion
>>>> website I'm putting together. Right now it just has OpenWRT, but
>>>> Android will also be added. If anyone has suggestions for what else
>>>> should go on the page or what should be different, please let me know.
>>>> Here (or maybe elsewhere?) we could also list the features that are in
>>>> development or planned, but aren't a part of the core Commotion
>>>> repositories (like OLSRd plugins), and there would be links out to these
>>>> sub-projects.
>>>>
>>>> Dan Staples
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Commotion-dev mailing list
>>>> Commotion-dev at lists.chambana.net
>>>> http://lists.chambana.net/mailman/listinfo/commotion-dev
>>>>
>>>
>>>
>>>
>>> --
>>> Dan Staples
>>> Program Associate, Open Technology Institute
>>> New America Foundation
>>
>>
>>
> 
> --
> Josh King
> 
> "I am an Anarchist not because I believe Anarchism is the final goal,
> but because there is no such thing as a final goal." -Rudolf Rocker
> 
> 
> 
> 
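
As an added example (not code from this thread or from the Commotion project), here is a POSIX shell script that does what the thread settles on: it checks a checksum file for integrity and a detached PGP signature for authenticity, with the signature accepted only if it verifies against a keyring the user obtained and pinned beforehand (for example via the web of trust Dan mentions), never against whatever happens to be in ~/.gnupg. The demo walks through the case Dan raises: a compromised server or man-in-the-middle can rewrite the checksum file to match a tampered image, so the checksum passes and only the signature catches it. Using SHA-256 instead of the MD5/SHA1 discussed above is my choice; the file names, the key's user ID and the throwaway key the fixture generates are assumptions, and GnuPG 2.1 or later must be on PATH.

```shell
#!/bin/sh
# Added example, not Commotion's own tooling: verify a downloaded image with
# both a SHA-256 checksum file and a detached OpenPGP signature, checking the
# signature only against a pinned release keyring. File names, the key's
# user ID and the throwaway key are assumptions constructed for the demo.

# SHA-256 hex digest of a file (coreutils sha256sum, or shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Integrity only: find the "<hex>  <name>" line for the file in a sums file
# and compare digests. Whoever can replace the image on the server can
# replace this file too, so a match says nothing about who built the image.
verify_checksum() {
    file=$1; sums=$2
    expected=$(awk -v n="$(basename "$file")" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $file" >&2; return 1; }
    [ "$expected" = "$(sha256_of "$file")" ] ||
        { echo "checksum mismatch for $file" >&2; return 1; }
}

# Authenticity: verify a detached signature against ONLY the given keyring.
# --no-default-keyring means a key that merely sits in ~/.gnupg does not
# count; it has to be the key the project published and the user pinned.
# Arguments: file, signature, keyring (absolute path).
verify_signature() {
    gpg --batch --quiet --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# Both checks. An attacker who swaps the image and its checksum still has to
# produce a signature from the pinned key.
verify_download() {
    verify_checksum "$1" "$2" && verify_signature "$1" "$3" "$4"
}

# GnuPG 2.1+ is needed for --quick-gen-key in the fixture below.
have_gpg() {
    command -v gpg >/dev/null 2>&1 && gpg --dump-options 2>/dev/null | grep -q quick-gen
}

# Demo fixture in a throwaway GNUPGHOME: a constructed "image", its sums file,
# a detached signature from a freshly generated throwaway key, and that key
# exported as the "published" release keyring. Sets DEMO_DIR.
setup_demo() {
    DEMO_DIR=$(mktemp -d)
    GNUPGHOME="$DEMO_DIR/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    printf 'constructed firmware image, not a real OpenWRT build\n' > "$DEMO_DIR/image.bin"
    printf '%s  image.bin\n' "$(sha256_of "$DEMO_DIR/image.bin")" > "$DEMO_DIR/sha256sums"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Release Key <release@example.invalid>' default default >/dev/null 2>&1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$DEMO_DIR/image.bin.sig" --detach-sign "$DEMO_DIR/image.bin"
    gpg --batch --quiet --output "$DEMO_DIR/release-keyring.gpg" --export release@example.invalid
}

cleanup_demo() {
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$DEMO_DIR"
}

# The three cases from the thread. Run with:  sh verify_download.sh demo
demo() {
    setup_demo
    verify_download "$DEMO_DIR/image.bin" "$DEMO_DIR/sha256sums" \
        "$DEMO_DIR/image.bin.sig" "$DEMO_DIR/release-keyring.gpg" && echo "1. genuine download: OK"
    printf 'tampered\n' >> "$DEMO_DIR/image.bin"
    verify_checksum "$DEMO_DIR/image.bin" "$DEMO_DIR/sha256sums" || echo "2. tampered image: checksum rejects it"
    # A compromised server or MITM rewrites the sums file to match the tampered image.
    printf '%s  image.bin\n' "$(sha256_of "$DEMO_DIR/image.bin")" > "$DEMO_DIR/sha256sums"
    verify_checksum "$DEMO_DIR/image.bin" "$DEMO_DIR/sha256sums" && echo "3. rewritten sums: checksum passes,"
    verify_signature "$DEMO_DIR/image.bin" "$DEMO_DIR/image.bin.sig" "$DEMO_DIR/release-keyring.gpg" \
        || echo "   but the pinned-key signature still rejects it"
    cleanup_demo
}

if [ "${1:-}" = "demo" ]; then
    have_gpg || { echo "GnuPG 2.1 or later is required" >&2; exit 1; }
    demo
fi
```

For a real release the keyring passed to verify_signature would be the project's published key, fetched once over HTTPS or from a keyserver and cross-checked through the web of trust as the thread describes, and then kept locally; the point of --no-default-keyring is that a signature from some other key the user imported at some point does not count as a valid release signature.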
