Document current mitigation of some attacks against our incremental upgrade system.

c30dbaa4 · Tails developers · f945b8a3 · c30dbaa4
Commit c30dbaa4 authored Jan 21, 2015 by Tails developers
--- a/wiki/src/contribute/design/incremental_upgrades.mdwn
+++ b/wiki/src/contribute/design/incremental_upgrades.mdwn
@@ -577,6 +577,15 @@ Both with the old and new Tails upgrade systems, mounting such an
 attack requires either to take control of the Tails website or to
 break the SSL/TLS connection between the client and the server.

+This attack is slightly mitigated by the fact that we are announcing
+new releases in other ways:
+
+* one that does not rely on our website at all (Twitter);
+* one that does not rely on our website to be safe at the time Tails
+  Upgrader checks for available upgrades, as long as it was safe at
+  the time the new release was published (<amnesia-news@boum.org>
+  announce mailing-list).
+
 The move to a secure upgrade system, such as TUF, would make this
 stronger, thanks to short-lived signatures on meta-data.

@@ -599,6 +608,10 @@ The upgrade-description files downloader and verifier could refuse to
 download upgrade-description files bigger than some reasonable
 constant, but this is not implemented yet.

+This attack, when performed against the upgrade-description files
+downloader and verifier is slightly mitigated in the same way as
+"Indefinite freeze attacks" are.
+
 ### Slow retrieval attacks

 > An attacker responds to clients with a very slow stream of data that