[[!meta title="Automatic ISO verification extension for Firefox"]]

We are planning to create a custom Firefox add-on to download Tails and verify
the download using a SHA-256 checksum.

[[!toc]]

Objectives
==========

  - To fix the ISO verification method on Windows, which has been broken
    since Firefox 20.
  - To simplify the installation process by automating some ISO verification
    during the download process.

This would fix the main stumbling block for Tails verification (and thus
installation) for the vast majority of users.

Security considerations
=======================

  - People are downloading their ISO image from one of our mirrors. Those
    mirrors are run by volunteers and the content of what they serve is not
    authenticated.
  - On the other hand, the information served on tails.boum.org is
    authenticated through HTTPS.
  - Downloading Firefox and installing add-ons is also done through HTTPS on
    mozilla.org.
  - Forcing Firefox users who are downloading the ISO image through HTTP to
    verify its checksum can only increase the average level of verification
    that people do on Windows and Mac OS systems.
  - But HTTPS does not provide strong authentication, so our documentation
    should make that clear and keep providing instructions for OpenPGP
    authentication as an additional check.

<a id="scenario"></a>

Scenario
========

ISO download
------------

  - When the user clicks on the direct download button from the [[download
    page|download#index2h1]], Firefox proposes to install the extension.
  - The user allows the installation of the extension.
  - The extension starts the download and the user decides where to save it.
  - The webpage is modified and displays a progress bar of the download.
  - The user might or might not close the webpage.
  - The download also appears in the usual list of downloads of Firefox.

Torrent download
----------------

  - If a user has downloaded the ISO using BitTorrent, she can verify
    it through the website using the extension.

ISO verification
----------------

  - When the download finishes, the ISO verification starts.
  - The extension checks the size of the download to verify that the download
    was complete.
  - The extension compares the checksum of the ISO image to a checksum found on
    the website through HTTPS.
  - The extension displays the result to the user:
    - If the original webpage is still open, it now either:
      - Points the user to the installation documentation.
      - Proposes troubleshooting strategies.
    - Otherwise it shows the result in a popup message and points to the
      appropriate page.

Other desirable features
========================

  - Be able to use that extension, once installed, to verify ISO images
    downloaded using BitTorrent or nightly.tails.boum.org.
  - Be able to use that extension to verify other ISO images, testing images,
    older ISO images, etc. In that case the user would be warned about the
    deprecated or experimental status of the ISO image.
  - Port that extension to Chrome. The usage shares of web browsers,
    according to [Wikipedia](https://en.wikipedia.org/wiki/Usage_share_of_web_browsers),
    are currently:
    - Chrome: 48.1%
    - Internet Explorer: 17.5%
    - Firefox: 16.7%
    - Safari: 4.8%
    - Opera: 1.5%
    - Other: 11.4%

    Still, Firefox makes sense as a first target because it is the base
    browser for Tor Browser, both in Tails and outside.

Open questions
==============

  - Do we want to use that extension to also check the GPG signature?
    - On top of verifying the checksum, this would provide TOFU
      authentication. If the user downloads a genuine add-on and a
      genuine key on first use, she will then be protected from a later
      compromise of the HTTPS certificate of tails.boum.org.
    - On the other hand, it might be easier and make more sense to push
      the OpenPGP verification to Tails Installer, when run in Debian
      for example. As we would have easier access to `gpg`, we could
      reuse the Debian keyring, etc.
  - Do we want to have the same verification workflow for people doing
    HTTP and Torrent downloads?
    - If yes, then ISO verification needs to be separate from download
      in the assistant.
    - Otherwise, ISO verification could be merged with download in the
      assistant and we need a special case for download through Torrent.
  - How do we deal with failed or corrupted downloads?
  - Link between the browser and the file system. Could that be
    confusing? What is possible?
  - Change the name of the ISO image once verified?
    tails-1.2_UNVERIFIED.iso → tails-1.2_VERIFIED.iso
    - If so, do we want to distinguish between checksum and OpenPGP
      verification?  tails-1.2_UNVERIFIED.iso →
      tails-1.2_OPENPGP_VERIFIED.iso / tails-1.2_TRUSTED.iso
  - What are the technical solutions to integrate download and
    verification? Can the extension watch the download and propose
    verification once it is over?
  - Do we want the extension to have pinning on the boum.org
    certificate?
  - Do we want to push stronger for OpenPGP TOFU?
    - If yes, then people on Windows will trust Mozilla and UUI once,
      and then Tails developers each time.
    - If no, then people on Windows will trust Mozilla and UUI once, and
      then boum.org each time.
  - What happens if the signing key changes or is revoked?

Technical insight
=================

  - That technique should be multiplatform and work from TBB as well.
  - The extension can get the checksum and the URL of the ISO image from the
    `<div id="content">` of the following static pages:
    - <https://tails.boum.org/inc/stable_i386_iso_url/>
    - <https://tails.boum.org/inc/stable_i386_hash/>
  - The same trick should be used to get the file size.
    See [[!tails_ticket 7417]].