
SSL/TLS Mirrors
Closed, WontfixPublic

Description

Migrated from:
https://github.com/Whonix/Whonix/issues/177


Justification:

SSL mirrors may sound like a bad idea for security; they may seem like an oxymoron. A justification of why we believe it improves security can be found here:

As another justification, here is an argument from authority: as I understand it, Jacob Appelbaum preferred that the Tails download be https by default. Source:
https://mailman.boum.org/pipermail/tails-dev/2013-June/003211.html


Implementation ideas:

SSL/TLS Mirrors are difficult to implement because of the trust / key issues.

Let mirrors use whatever certs/domains they have (hopefully from a "trusted" CA so it doesn't throw alerts to the user), and include their URL in a list. When a user visits the download page, one of those URLs is placed into the article using something like Extension:RandomInclude. This would be a little cumbersome with caching. Perhaps we could have a static link to something like "whonix.org/download/ssl.php", which would then in turn point to an SSL mirror randomly.
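The "ssl.php"-style redirector sketched above, as an added example (not Whonix's own code): it keeps a configured mirror list, hands out only well-formed https entries, and restricts the requested filename so the redirector cannot be turned into an open redirect or path-traversal hop. The mirror hostnames and filenames are constructed placeholders.

```python
import random
import re
from urllib.parse import urlsplit

# Constructed placeholder list: hypothetical mirrors, not Whonix's real mirror list.
# Each entry is the base URL the mirror operator provides (own domain, own cert).
MIRRORS = [
    "https://mirror-a.example/whonix/",
    "https://mirror-b.example/pub/whonix/",
    "http://mirror-c.example/whonix/",       # plain-http mirror: must never be handed out
    "https://mirror-d.example/whonix/?x=1",  # query string in a base URL: rejected as malformed
]

# Only bare artifact names may be requested: no "/", no "..", no "?", no control characters.
ARTIFACT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_https_mirror(url: str) -> bool:
    """Accept only an https base URL with a host, a path ending in '/', and nothing else."""
    parts = urlsplit(url)
    return (
        parts.scheme == "https"
        and bool(parts.netloc)
        and "@" not in parts.netloc   # no userinfo in the mirror entry
        and parts.path.endswith("/")
        and parts.query == ""
        and parts.fragment == ""
    )


def https_mirrors(mirrors):
    """Filter the configured list down to entries the redirector may use."""
    return [m for m in mirrors if is_https_mirror(m)]


def pick_download_url(filename: str, mirrors, rng=random):
    """Return the https URL to redirect to, or None if the request or mirror list is unusable.

    The filename is validated before any URL is built, so user input never
    reaches the redirect target unchecked.
    """
    if not ARTIFACT_RE.fullmatch(filename):
        return None
    candidates = https_mirrors(mirrors)
    if not candidates:
        return None
    return rng.choice(candidates) + filename
```

A web handler would call pick_download_url with the requested filename and answer with a 302 to the returned URL, or a 404 when it returns None.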

There was a helpful answer on libtech mailing list on how to implement this:
https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013130.html

Comments by Mick:
https://github.com/Whonix/Whonix/issues/96#issuecomment-26475207

@fortasse and I agreed on the following plan:

  • We indefinitely keep all http mirrors.
      • Those are useful as backup.
      • Useful for users who do manual verification.
      • Useful for a possible later Whonix downloader/installer that does verification.
      • Useful as host for Whonix's APT repository and Whonix News (#178) [those use verification using gpg, no https required].
  • We need a mirror manager (one that contacts prospective new mirrors, stays in touch with mirrors in case of issues).
  • After we have a stable http mirror network and enough mirror contacts - we're not there yet - we ask them if they would be willing to provide optional ssl access. If not, they stay http mirrors. If yes, they become http + https mirrors.

Non-Solutions:

Sharing a separate SSL private key with mirrors: once that key falls into the wrong hands even once, all mirrors are compromised.

Event Timeline

Patrick raised the priority of this task from to Normal.
Patrick updated the task description.
Patrick added projects: infrastructure, security.
Patrick added subscribers: Patrick, fortasse, HulaHoop and 2 others.
Patrick claimed this task.

We are now serving all downloads from whonix.org over https. Therefore no need to implement this ticket.