Commit be81ed06 authored by Tails developers

Move ISO verification to a dedicated blueprint

parent 2617f97e
......@@ -66,359 +66,6 @@ Notes:
**Rufus**, see [[!tails_ticket 7034]].
- **DiskUtils** should be tested on Mac, see [[!tails_ticket 8802]].
[[Diagram of the detailed workflow as of January 2015|2015.fodg]] (work in progress)
<a id="verification"></a>
ISO verification
================
Who's who
---------
- Objective: installing a genuine Tails system
- Simplified workflow: WWW → Download/Torrent → ISO → Install/Burn → Tails
- Possible attacks:
- Faulty download
- Rogue mirror
- Censorship
- Targeted malware on the OS
- Targeted malware download of third-party software
- SSL MitM
- Possible defenses:
- HTTPS
- HTTPS pinning
- OpenPGP TOFU
- OpenPGP download correlation
- OpenPGP WoT
- Tools involved:
- HTTPS on Tails website
- Browser app store
- Written documentation
- Third-party software
- Browser extension
- Tails Installer (future)
- Scenarios
- Windows
- Mac
- Debian
- Other Linux
<a id="automation"></a>
Automation proposals
--------------------
The idea behind this section is to understand better what to in 2015
regarding the UX of ISO verification, and try to envision what can
happen after we get the technical improvements described for
[[2015|bootstrapping_workflow#index2h1]].
### Questions we are trying to answer
- How far shall we go regarding ISO verification in the [[browser
extension|download extension]] over 2015? For example, do we add
OpenPGP support to the extension?
- What additional techniques do we still need to document on the
website?
- What do we need to integrate to the [[web assistant]]?
- Are there any technical improvements that could be done over 2015
and would make a big difference?
- What should come next? As this might influence what to do today.
### Hypothesis
- We call "basic verification" techniques: HTTPS, HTTPS with pinning,
and OpenPGP with TOFU (by order of strength).
- We call "extended verification" techniques: OpenPGP with download
correlation, OpenPGP with WoT (by order of strength).
- We can't rely on people doing OpenPGP verification properly, even
"basic" (thinks about downgrade attacks). So both "basic" and
"extended" verification are currently broken for all operating
systems (maybe not that much on Debian, ok).
- We want to automate ISO verification as much as we can.
- We can automate OpenPGP download correlation and WoT, at least in
some environments.
- Global verification level is as high as the least verified tool
involved.
### Proposals
To further automate ISO verification we considered two options:
- Pushing more verification logic into the browser extension.
- Pushing some verification logic into Tails Installer (as it is getting
multiplatform). This goes along with having a multiplatform
installer, which would be a huge UX improvement of its own.
We did a quick thread modelling on 5 scenarios:
- [[Proposal 0: Minimum improvements over 2015|bootstrapping_workflow#index6h3]]
- [[Proposal 1: Extended verification in extension|bootstrapping_workflow#index7h3]]
- [[Proposal 1bis: Extended verification in extension + multiplatform installer|bootstrapping_workflow#index8h3]]
- [[Proposal 2: Extended verification in installer|bootstrapping_workflow#index9h3]]
- [[Proposal 2bis: Extended verification in multiplatform installer|bootstrapping_workflow#index10h3]]
### Graphical summary
We [[summarized graphically|iso_verification_automation_proposals.ods]]
the possible attacks on someone willing to install Tails on USB stick on
Mac, Windows, and Debian (Stretch).
According to this, proposal 1bis and 2bis are similarly secure.
### Open technical questions
- For all operating systems, is it safer to build extended verification in the
host operating system or to rely on a first Tails to install others?
- Is it easier or better to port code across browsers (in the case of
the extension) or across operating system (in the case of the
installer)?
- How secure, widespread, and reactive to upgrades are the Mozilla, Chrome,
Windows, and Apple app stores?
[[!tails_ticket 8815]] [[!tails_ticket 8816]] [[!tails_ticket 8817]]
- How technically feasible is it to push OpenPGP verification to browser
extensions or a multiplatform installer?
- How easy and safe is it to do simple or complex OpenPGP operations in the
browser?
Below come the details for each proposal.
### Proposal 0: Minimum improvements over 2015
Description:
- Browser extension does HTTPS pinning.
- Tails Installer does no verification (as of now).
- Tails Installer is packaged in Debian.
Possible attacks:
- Windows:
- SSL MitM on:
- Browser app store (#8815)
- boum.org (on each use)
- if USB, HTTP MitM on UUI
- Targeted malware (easy)
- Mac:
- SSL MitM on:
- Browser app store (#8815)
- boum.org (on each use)
- if USB, no graphical solution so far (#8802)
- Targeted malware (harder)
- Debian:
- SSL MitM on:
- Browser app store (#8815)
- boum.org (on each use)
- Targeted malware (hard)
UX questions:
- How do we go beyond HTTPS pinning?
- What do we do with seahorse-nautilus, Gpg4win and GPGTools?
- Do we do that in the assistant?
- We need a multiplatform installer!
- Controlled environment
- No more bootstrapping medium
### Proposal 1: Extended verification in extension
Description (on top of proposal 0):
- Browser extension does TOFU OpenPGP, OpenPGP correlation, and WoT.
- Browser extension is packaged in Debian.
Possible attacks:
- Windows:
- SSL MitM:
- Browser app store (#8815)
- if USB, HTTP MitM on UUI
- Targeted malware (easy)
- Mac:
- SSL MitM:
- Browser app store (#8815)
- if USB, no graphical solution so far (#8802)
- Targeted malware (harder)
- Debian:
- Debian app store :)
- Targeted malware (hard)
UX questions:
- What happen if people are in TBB?
- Based on which keys do we do WoT on Windows and Mac?
- How far do we want to automate?
- What do we make transparent?
Pros (over proposal 2):
- Verification logic is in one place and multiplatform.
- Verification logic can grow more complex and robust than HTTPS with
pinning.
- Stronger to SSL MitM on boum.org as we rely on OpenPGP WoT.
- It might make more sense to reuse the verification mechanisms from the
extension to verify other downloads, for example of the installer if not
installed automatically from OS app store.
Cons:
- Put security code in browser.
- Less autonomy regarding development (we need external help).
### Proposal 1bis: Extended verification in extension + multiplatform installer
Description (on top of proposal 1):
- Tails Installer is available on Windows and Mac.
Possible attacks:
- Windows:
- SSL MitM on:
- Browser app store (#8815)
- boum.org
- Targeted malware (easy)
- Mac:
- SSL MitM on:
- Browser app store (#8815)
- boum.org
- Targeted malware (harder)
- Debian:
- Debian app store :)
- Targeted malware (hard)
Pros (on top of proposal 1):
- Stronger to malware attack on UUI.
Cons (over proposal 2bis):
- Rely on both Browser app store and Tails Installer.
### Proposal 2: Extended verification in installer
Description (on top of proposal 0):
- Tails Installer does TOFU OpenPGP, OpenPGP correlation, and WoT.
- Browser extension is packaged in Debian.
- Use Tails Installer for burning DVD as well.
Possible attacks:
- Windows:
- SSL MitM on:
- Browser app store (#8815)
- boum.org
- if USB, HTTP MitM on UUI
- Targeted malware (easy)
- Mac:
- SSL MitM:
- Browser app store (#8815)
- boum.org
- if USB, no graphical solution so far (#8802)
- Targeted malware (harder)
- Debian:
- Debian app store
- Targeted malware (hard)
Pros (over proposal 1):
- More autonomy regarding development (we know how to do that).
- Independent from browser vendor (except for DVD users).
Cons:
- HTTPS pinning verification at best on Windows and Mac. It's ok not
to do OpenPGP verification on Windows: we can't really be more
secure than the base OS anyway.
- Verification logic is partly duplicated in browser extension and
installer.
### Proposal 2bis: Extended verification in multiplatform installer
Description (on top of proposal 2):
- Tails Installer is available on Windows and Mac.
Possible attacks:
- Windows:
- SSL MitM:
- boum.org
- Targeted malware (easy)
- Mac:
- SSL MitM:
- boum.org
- Targeted malware (harder)
- Debian:
- Debian app store
- Targeted malware (hard)
Pros (on top of proposal 2):
- Don't rely on UUI anymore.
Cons:
- Harder to port to Windows and Mac than current Tails Installer.
<a id="seahorse"></a>
About the removal of Seahorse Nautilus
--------------------------------------
As of now, we are explaining how to [[verify ISO images using
`seahorse-nautilus` for GNOME|doc/get/verify_the_iso_image_using_gnome]].
While reworking the ISO verification scenarios, we pretty much settled on the
idea of removing Seahorse Nautilus as a verification option, at least from the
assistant. Here is why.
Once we get the Firefox extension for ISO verification, Seahorse Nautilus will
partly duplicate its work. We could then recommend one, the other, or both to
people with GNOME.
The idea behind Seahorse Nautilus was to allow an OpenPGP verification even for
people with no or little understanding of OpenPGP. The advantages are:
- seahorse-nautilus runs from outside of the browser.
- seahorse-nautilus can be authenticated through APT even in Debian Jessie.
- If you get the right OpenPGP key, you rely on the developers and not on the
boum.org website.
But documenting Seahorse Nautilus has we have been doing until now is only
stronger than the Firefox extension if TOFU is done well. And we believe that
this requires explaining much more that what is intended for a first-time Linux
user:
- TOFU only work if trusted once :) While with Seahorse Nautilus, importing
the same key, or a different key for the same email address several times
produces the same notification: "Key Imported". In order to have our users do
TOFU for real, we would have to go through the list of existing keys and
check whether it's imported or not.
- What happen if we revoke our signing key? We'd have to explain how to
remove the old key and how to import the new key. Whereas the browser
extension (either through HTTPS or OpenPGP) could do that job on its own.
So we think that this is too much for the assistant, and everybody should
instead go through the browser extension. Still, Seahorse Nautilus might still
fit in the advanced documentation for OpenPGP verification.
Use cases
=========
......
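Review bot: this removal also drops the `<a id="verification"></a>`, `<a id="automation"></a>` and `<a id="seahorse"></a>` anchors together with the ten `###` headings (Questions, Hypothesis, Proposals, Graphical summary, Open technical questions, Proposals 0 to 2bis) that the `bootstrapping_workflow#index6h3` to `#index10h3` links resolve to, so any incoming link to `bootstrapping_workflow#verification`, `#automation` or `#seahorse`, and any `indexNh1`/`indexNh3` link to a heading at or after "Use cases", will now land in the wrong place. Suggest leaving a one-line stub under "ISO verification" that points to the new blueprint, and grepping the wiki for those three anchors before merging.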
[[!meta title="ISO verification"]]
Who's who
---------
- Objective: installing a genuine Tails system
- Simplified workflow: WWW → Download/Torrent → ISO → Install/Burn → Tails
- Possible attacks:
- Faulty download
- Rogue mirror
- Censorship
- Targeted malware on the OS
- Targeted malware download of third-party software
- SSL MitM
- Possible defenses:
- HTTPS
- HTTPS pinning
- OpenPGP TOFU
- OpenPGP download correlation
- OpenPGP WoT
- Tools involved:
- HTTPS on Tails website
- Browser app store
- Written documentation
- Third-party software
- Browser extension
- Tails Installer (future)
- Scenarios
- Windows
- Mac
- Debian
- Other Linux
<a id="automation"></a>
Automation proposals
--------------------
The idea behind this section is to understand better what to in 2015
regarding the UX of ISO verification, and try to envision what can
happen after we get the technical improvements described for
[[2015|bootstrapping_workflow#index2h1]].
### Questions we are trying to answer
- How far shall we go regarding ISO verification in the [[browser
extension|download extension]] over 2015? For example, do we add
OpenPGP support to the extension?
- What additional techniques do we still need to document on the
website?
- What do we need to integrate to the [[web assistant]]?
- Are there any technical improvements that could be done over 2015
and would make a big difference?
- What should come next? As this might influence what to do today.
### Hypothesis
- We call "basic verification" techniques: HTTPS, HTTPS with pinning,
and OpenPGP with TOFU (by order of strength).
- We call "extended verification" techniques: OpenPGP with download
correlation, OpenPGP with WoT (by order of strength).
- We can't rely on people doing OpenPGP verification properly, even
"basic" (thinks about downgrade attacks). So both "basic" and
"extended" verification are currently broken for all operating
systems (maybe not that much on Debian, ok).
- We want to automate ISO verification as much as we can.
- We can automate OpenPGP download correlation and WoT, at least in
some environments.
- Global verification level is as high as the least verified tool
involved.
### Proposals
To further automate ISO verification we considered two options:
- Pushing more verification logic into the browser extension.
- Pushing some verification logic into Tails Installer (as it is getting
multiplatform). This goes along with having a multiplatform
installer, which would be a huge UX improvement of its own.
We did a quick thread modelling on 5 scenarios:
- [[Proposal 0: Minimum improvements over 2015|bootstrapping_workflow#index6h3]]
- [[Proposal 1: Extended verification in extension|bootstrapping_workflow#index7h3]]
- [[Proposal 1bis: Extended verification in extension + multiplatform installer|bootstrapping_workflow#index8h3]]
- [[Proposal 2: Extended verification in installer|bootstrapping_workflow#index9h3]]
- [[Proposal 2bis: Extended verification in multiplatform installer|bootstrapping_workflow#index10h3]]
### Graphical summary
We [[summarized graphically|iso_verification_automation_proposals.ods]]
the possible attacks on someone willing to install Tails on USB stick on
Mac, Windows, and Debian (Stretch).
According to this, proposal 1bis and 2bis are similarly secure.
### Open technical questions
- For all operating systems, is it safer to build extended verification in the
host operating system or to rely on a first Tails to install others?
- Is it easier or better to port code across browsers (in the case of
the extension) or across operating system (in the case of the
installer)?
- How secure, widespread, and reactive to upgrades are the Mozilla, Chrome,
Windows, and Apple app stores?
[[!tails_ticket 8815]] [[!tails_ticket 8816]] [[!tails_ticket 8817]]
- How technically feasible is it to push OpenPGP verification to browser
extensions or a multiplatform installer?
- How easy and safe is it to do simple or complex OpenPGP operations in the
browser?
Below come the details for each proposal.
### Proposal 0: Minimum improvements over 2015
Description:
- Browser extension does HTTPS pinning.
- Tails Installer does no verification (as of now).
- Tails Installer is packaged in Debian.
Possible attacks:
- Windows:
- SSL MitM on:
- Browser app store (#8815)
- boum.org (on each use)
- if USB, HTTP MitM on UUI
- Targeted malware (easy)
- Mac:
- SSL MitM on:
- Browser app store (#8815)
- boum.org (on each use)
- if USB, no graphical solution so far (#8802)
- Targeted malware (harder)
- Debian:
- SSL MitM on:
- Browser app store (#8815)
- boum.org (on each use)
- Targeted malware (hard)
UX questions:
- How do we go beyond HTTPS pinning?
- What do we do with seahorse-nautilus, Gpg4win and GPGTools?
- Do we do that in the assistant?
- We need a multiplatform installer!
- Controlled environment
- No more bootstrapping medium
### Proposal 1: Extended verification in extension
Description (on top of proposal 0):
- Browser extension does TOFU OpenPGP, OpenPGP correlation, and WoT.
- Browser extension is packaged in Debian.
Possible attacks:
- Windows:
- SSL MitM:
- Browser app store (#8815)
- if USB, HTTP MitM on UUI
- Targeted malware (easy)
- Mac:
- SSL MitM:
- Browser app store (#8815)
- if USB, no graphical solution so far (#8802)
- Targeted malware (harder)
- Debian:
- Debian app store :)
- Targeted malware (hard)
UX questions:
- What happen if people are in TBB?
- Based on which keys do we do WoT on Windows and Mac?
- How far do we want to automate?
- What do we make transparent?
Pros (over proposal 2):
- Verification logic is in one place and multiplatform.
- Verification logic can grow more complex and robust than HTTPS with
pinning.
- Stronger to SSL MitM on boum.org as we rely on OpenPGP WoT.
- It might make more sense to reuse the verification mechanisms from the
extension to verify other downloads, for example of the installer if not
installed automatically from OS app store.
Cons:
- Put security code in browser.
- Less autonomy regarding development (we need external help).
### Proposal 1bis: Extended verification in extension + multiplatform installer
Description (on top of proposal 1):
- Tails Installer is available on Windows and Mac.
Possible attacks:
- Windows:
- SSL MitM on:
- Browser app store (#8815)
- boum.org
- Targeted malware (easy)
- Mac:
- SSL MitM on:
- Browser app store (#8815)
- boum.org
- Targeted malware (harder)
- Debian:
- Debian app store :)
- Targeted malware (hard)
Pros (on top of proposal 1):
- Stronger to malware attack on UUI.
Cons (over proposal 2bis):
- Rely on both Browser app store and Tails Installer.
### Proposal 2: Extended verification in installer
Description (on top of proposal 0):
- Tails Installer does TOFU OpenPGP, OpenPGP correlation, and WoT.
- Browser extension is packaged in Debian.
- Use Tails Installer for burning DVD as well.
Possible attacks:
- Windows:
- SSL MitM on:
- Browser app store (#8815)
- boum.org
- if USB, HTTP MitM on UUI
- Targeted malware (easy)
- Mac:
- SSL MitM:
- Browser app store (#8815)
- boum.org
- if USB, no graphical solution so far (#8802)
- Targeted malware (harder)
- Debian:
- Debian app store
- Targeted malware (hard)
Pros (over proposal 1):
- More autonomy regarding development (we know how to do that).
- Independent from browser vendor (except for DVD users).
Cons:
- HTTPS pinning verification at best on Windows and Mac. It's ok not
to do OpenPGP verification on Windows: we can't really be more
secure than the base OS anyway.
- Verification logic is partly duplicated in browser extension and
installer.
### Proposal 2bis: Extended verification in multiplatform installer
Description (on top of proposal 2):
- Tails Installer is available on Windows and Mac.
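Review bot: the five proposal links in the "We did a quick thread modelling on 5 scenarios" list were copied unchanged and still target `bootstrapping_workflow#index6h3` through `#index10h3`, but those headings now live in this page, so the links should be made relative to this page (or, better, given explicit `<a id="proposal-0"></a>` style anchors like the `<a id="automation"></a>` already kept here, so they stop depending on heading numbering). The old `<a id="verification"></a>` anchor and the "ISO verification" h1 were not carried over while `<a id="automation"></a>` was; keep the anchor scheme consistent. Since the text is moved verbatim, this is also the moment to fix the carried-along typos: "what to in 2015" (what to do in 2015), "thread modelling" (threat modelling), "What happen if" (What happens if).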