Commit bf20025b authored by Tails developers

Remove threat modelling now that we're pretty much decided

parent 0a983ed2
[[!meta title="ISO verification"]]
Who's who
---------
- Objective: installing a genuine Tails system
- Simplified workflow: WWW → Download/Torrent → ISO → Install/Burn → Tails
- Possible attacks:
  - Faulty download
  - Rogue mirror
  - Censorship
  - Targeted malware on the OS
  - Targeted malware delivered through the download of third-party software
  - SSL MitM
- Possible defenses:
  - HTTPS
  - HTTPS pinning
  - OpenPGP TOFU
  - OpenPGP download correlation
  - OpenPGP WoT
- Tools involved:
  - HTTPS on Tails website
  - Browser app store
  - Written documentation
  - Third-party software
  - Browser extension
  - Tails Installer (future)
- Scenarios:
  - Windows
  - Mac
  - Debian
  - Other Linux
<a id="automation"></a>
Automation proposals
--------------------
The idea behind this section is to understand better what to do in 2015
regarding the UX of ISO verification, and to try to envision what can
happen after we get the technical improvements described for
[[2015|bootstrapping_workflow#index2h1]].
### Questions we are trying to answer
- How far shall we go regarding ISO verification in the [[browser
extension|download extension]] over 2015? For example, do we add
OpenPGP support to the extension?
- What additional techniques do we still need to document on the
website?
- What do we need to integrate to the [[web assistant]]?
- Are there any technical improvements that could be done over 2015
and would make a big difference?
- What should come next? As this might influence what to do today.
### Hypotheses
- We call "basic verification" techniques: HTTPS, HTTPS with pinning,
  and OpenPGP with TOFU (in increasing order of strength).
- We call "extended verification" techniques: OpenPGP with download
  correlation, OpenPGP with WoT (in increasing order of strength).
- We can't rely on people doing OpenPGP verification properly, even
  "basic" verification (think about downgrade attacks: a valid signature
  on an old ISO is still a valid signature). So both "basic" and
  "extended" verification are currently broken for all operating
  systems (maybe not that much on Debian, ok).
- We want to automate ISO verification as much as we can.
- We can automate OpenPGP download correlation and WoT, at least in
  some environments.
- The overall verification level is only as high as that of the least
  verified tool involved.
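The decisions an automated verifier has to make on top of the raw OpenPGP signature check, written out as an added example (this is not Tails code, nor the code of the browser extension or Tails Installer): a trust-on-first-use pin for the signing key, a version comparison that catches the downgrade attack mentioned above, and a comparison of the key fingerprint obtained through independent channels. The signature check itself is reduced to a boolean argument, the signed data is assumed to carry the Tails version it belongs to, and "download correlation" is taken here to mean cross-channel fingerprint comparison; all three are assumptions of this example, not definitions from the page, and the fingerprints and versions in it are constructed.

```python
"""Added example, not Tails code: TOFU pin store with a downgrade check
and cross-channel fingerprint correlation for an automated ISO verifier.

Assumptions (not from the page): the OpenPGP signature check itself is
done elsewhere and reported as a boolean; the signed data names the Tails
version it covers; "download correlation" means comparing the signing-key
fingerprint obtained through independent channels.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    BAD_SIGNATURE = "signature does not verify"
    FIRST_USE = "no pinned key yet: key pinned, confirm it out of band"
    KEY_CHANGED = "signing key differs from the pinned key"
    DOWNGRADE = "signed version is older than the last accepted one"
    OK = "signature by pinned key, version not older than before"


def normalize_fingerprint(fp: str) -> str:
    """Canonical form of an OpenPGP v4 fingerprint: 40 hex digits, upper case."""
    compact = "".join(fp.split()).upper()
    if len(compact) != 40 or any(c not in "0123456789ABCDEF" for c in compact):
        raise ValueError("not a 40-hex-digit OpenPGP v4 fingerprint: %r" % fp)
    return compact


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.3.2' -> (1, 3, 2): compare numerically, so 1.10 > 1.3."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class TofuStore:
    """State the verifier keeps between runs (persisting it is the caller's job)."""
    pinned_fingerprint: Optional[str] = None
    last_version: Optional[str] = None

    def check(self, signature_valid: bool, key_fingerprint: str,
              signed_version: str) -> Verdict:
        if not signature_valid:
            return Verdict.BAD_SIGNATURE
        fp = normalize_fingerprint(key_fingerprint)
        if self.pinned_fingerprint is None:
            # Trust on first use: remember the key we saw. The user still has
            # to confirm this fingerprint through another channel.
            self.pinned_fingerprint = fp
            self.last_version = signed_version
            return Verdict.FIRST_USE
        if fp != self.pinned_fingerprint:
            return Verdict.KEY_CHANGED
        # A valid signature on an old ISO is still a valid signature: without
        # this comparison an attacker can replay a vulnerable release.
        if parse_version(signed_version) < parse_version(self.last_version):
            return Verdict.DOWNGRADE
        self.last_version = signed_version
        return Verdict.OK


def correlate_fingerprints(by_source: Dict[str, str]) -> Optional[str]:
    """Fingerprint if every independent source agrees, else None."""
    seen = {normalize_fingerprint(fp) for fp in by_source.values()}
    return seen.pop() if len(seen) == 1 else None


if __name__ == "__main__":
    # Constructed fingerprints and versions for the demo; not real Tails keys.
    KEY_A = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    KEY_B = "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98"
    store = TofuStore()
    print(store.check(True, KEY_A, "1.3"))    # FIRST_USE
    print(store.check(True, KEY_A, "1.3.2"))  # OK
    print(store.check(True, KEY_A, "1.2.3"))  # DOWNGRADE: old but validly signed
    print(store.check(True, KEY_B, "1.4"))    # KEY_CHANGED
    print(correlate_fingerprints({"website": KEY_A, "keyserver": KEY_B}))  # None
```

The downgrade branch is the one a plain `gpg --verify` does not give you: the signature on the old ISO is genuine, so only the verifier's memory of the last accepted version can reject it. The `FIRST_USE` verdict is deliberately not `OK`; TOFU only pins what was seen, and the UX still has to get the user to confirm the fingerprint once, which is where download correlation and the WoT come in.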
### Proposals
To further automate ISO verification we considered two options:

- Pushing more verification logic into the browser extension.
- Pushing some verification logic into Tails Installer (as it is getting
  multiplatform). This goes along with having a multiplatform
  installer, which would be a huge UX improvement of its own.

We did a quick threat modelling of 5 scenarios:

- [[Proposal 0: Minimum improvements over 2015|bootstrapping_workflow#index6h3]]
- [[Proposal 1: Extended verification in extension|bootstrapping_workflow#index7h3]]
- [[Proposal 1bis: Extended verification in extension + multiplatform installer|bootstrapping_workflow#index8h3]]
- [[Proposal 2: Extended verification in installer|bootstrapping_workflow#index9h3]]
- [[Proposal 2bis: Extended verification in multiplatform installer|bootstrapping_workflow#index10h3]]
### Graphical summary
We [[summarized graphically|iso_verification_automation_proposals.ods]]
the possible attacks on someone willing to install Tails on a USB stick on
Mac, Windows, and Debian (Stretch).
According to this, proposals 1bis and 2bis are similarly secure.
### Open technical questions
- For all operating systems, is it safer to build extended verification into the
  host operating system or to rely on a first Tails to install others?
- Is it easier or better to port code across browsers (in the case of
  the extension) or across operating systems (in the case of the
  installer)?
- How secure, widespread, and reactive to upgrades are the Mozilla, Chrome,
  Windows, and Apple app stores?
  [[!tails_ticket 8815]] [[!tails_ticket 8816]] [[!tails_ticket 8817]]
- How technically feasible is it to push OpenPGP verification into browser
  extensions or a multiplatform installer?
- How easy and safe is it to do simple or complex OpenPGP operations in the
  browser?

Below come the details for each proposal.
### Proposal 0: Minimum improvements over 2015
Description:

- Browser extension does HTTPS pinning.
- Tails Installer does no verification (as of now).
- Tails Installer is packaged in Debian.

Possible attacks:

- Windows:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org (on each use)
  - If USB, HTTP MitM on UUI
  - Targeted malware (easy)
- Mac:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org (on each use)
  - If USB, no graphical solution so far (#8802)
  - Targeted malware (harder)
- Debian:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org (on each use)
  - Targeted malware (hard)

UX questions:

- How do we go beyond HTTPS pinning?
  - What do we do with seahorse-nautilus, Gpg4win and GPGTools?
  - Do we do that in the assistant?
- We need a multiplatform installer!
  - Controlled environment
  - No more bootstrapping medium
### Proposal 1: Extended verification in extension
Description (on top of proposal 0):

- Browser extension does TOFU OpenPGP, OpenPGP correlation, and WoT.
- Browser extension is packaged in Debian.

Possible attacks:

- Windows:
  - SSL MitM on:
    - Browser app store (#8815)
  - If USB, HTTP MitM on UUI
  - Targeted malware (easy)
- Mac:
  - SSL MitM on:
    - Browser app store (#8815)
  - If USB, no graphical solution so far (#8802)
  - Targeted malware (harder)
- Debian:
  - Debian app store :)
  - Targeted malware (hard)

UX questions:

- What happens if people are using the Tor Browser Bundle (TBB)?
- Based on which keys do we do WoT on Windows and Mac?
- How far do we want to automate?
- What do we make transparent?

Pros (over proposal 2):

- Verification logic is in one place and multiplatform.
- Verification logic can grow more complex and robust than HTTPS with
  pinning.
- Stronger against SSL MitM on boum.org, as we rely on the OpenPGP WoT
  rather than on the website alone.
- It might make more sense to reuse the verification mechanisms of the
  extension to verify other downloads, for example the installer if it is
  not installed automatically from the OS app store.

Cons:

- Puts security code in the browser.
- Less autonomy regarding development (we need external help).
### Proposal 1bis: Extended verification in extension + multiplatform installer
Description (on top of proposal 1):

- Tails Installer is available on Windows and Mac.

Possible attacks:

- Windows:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org
  - Targeted malware (easy)
- Mac:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org
  - Targeted malware (harder)
- Debian:
  - Debian app store :)
  - Targeted malware (hard)

Pros (on top of proposal 1):

- Stronger against malware attacks through UUI, which is no longer needed.

Cons (over proposal 2bis):

- Relies on both the browser app store and Tails Installer.
### Proposal 2: Extended verification in installer
Description (on top of proposal 0):

- Tails Installer does TOFU OpenPGP, OpenPGP correlation, and WoT.
- Browser extension is packaged in Debian.
- Use Tails Installer for burning DVDs as well.

Possible attacks:

- Windows:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org
  - If USB, HTTP MitM on UUI
  - Targeted malware (easy)
- Mac:
  - SSL MitM on:
    - Browser app store (#8815)
    - boum.org
  - If USB, no graphical solution so far (#8802)
  - Targeted malware (harder)
- Debian:
  - Debian app store
  - Targeted malware (hard)

Pros (over proposal 1):

- More autonomy regarding development (we know how to do that).
- Independent from the browser vendor (except for DVD users).

Cons:

- At best HTTPS pinning on Windows and Mac, since Tails Installer does not
  run there yet. It is acceptable not to do OpenPGP verification on Windows:
  we can't really be more secure than the base OS anyway.
- Verification logic is partly duplicated between the browser extension and
  the installer.
### Proposal 2bis: Extended verification in multiplatform installer
Description (on top of proposal 2):

- Tails Installer is available on Windows and Mac.

Possible attacks:

- Windows:
  - SSL MitM on:
    - boum.org
  - Targeted malware (easy)
- Mac:
  - SSL MitM on:
    - boum.org
  - Targeted malware (harder)
- Debian:
  - Debian app store
  - Targeted malware (hard)

Pros (on top of proposal 2):

- Doesn't rely on UUI anymore.

Cons:

- Harder to port to Windows and Mac than the current Tails Installer.
<a id="seahorse"></a>