[Gpg4win-users-en] Untrused Site Certification

Michael Carbone michael at accessnow.org
Fri Jul 31 02:29:36 CEST 2015 

Bernhard Reiter:
> Hi Michael,
> 
> thanks for asking!
> 
> On Wednesday 22 July 2015 at 15:06:10, Michael Carbone wrote:
>> Any updates on the progress of setting up gpg4win.org with its own SSL
>> certificate? It's been two months.
> 
> We haven't made progress so far.
> 
> For us, it is mainly a "perception" issue, 
> so most other points took precedence.
> We know that perception is important,
> but having a heavy workload this took the low end over
> other issues with less "perception" to them.
> 
Great, thanks for the update, it is much appreciated!

I agree it has a negative impact on the perception of the project.

>> As others have highlighted on this list and elsewhere, this is a basic
>> step towards enabling users to obtain gpg4win in a relatively secure &
>> verified way.
> 
> The added real security is quite minimal.
> 
> The Gpg4win installer is code-signed, which means being secured by a 
> certificate with usually is more expensive than typical TLS certificates for 
> webpages. In addition it is signed with an OpenPGP cert.
> 
The issue is that without a TLS cert, the user may not receive that
code-signed package, but something else.

Modifying a binary downloaded over HTTP is much easier than modifying a
binary downloaded over HTTPS. On one hand, the adversary has to
compromise a CA. On the other, it is sufficient to be on the same cafe
wifi as the user in question, or access to the ISP, or control the Tor
exit node they use.[1][2] These are attacks non-state actors can easily
achieve.

Making that more difficult for an adversary is a very clear security
improvement.

Right now we have to recommend users install the Chrome/Chromium
extension Satori, which provides HSTS downloads and checksuming of
gpg4win, because gpg4win doesn't provide even HTTPS downloads itself.

Having users install an additional tool -- potentially two, counting
Chrome/Chromium -- just to enable them to download gpg4win in a
relatively secure way is not something that should be asked of users.

[1] https://firstlook.org/theintercept/2014/08/15/cat-video-hack/
[2]
https://threatpost.com/researcher-finds-tor-exit-node-adding-malware-to-binaries/109008

> Having a green or just a regular "lock" icon in the web-browser may be 
> something that people are trained to look for, so Gpg4win currently deviates
> from this pattern and goes against this training.

Agreed.

> As the "lock" icon in many cases it does not give users a better assurance, 
> this would be a chance for us as crypto community to explain why,
> but we haven't gone around doing this, so your criticsm has a point.
> 
Yep the CA system is broken and not secure and not trustworthy.

And yet delivering software over HSTS rather than HTTP is still more
secure than over HTTP. Feel free to add cert pinning if you feel HSTS is
insufficient.

Or provide an onion service, then you don't have to worry about the cert
or the CA infrastructure.

> I hope we'll get around doing something in September or October.
> 
Looking forward to it!

Michael

-- 
Michael Carbone
Manager of Tech Policy & Programs
Access | https://www.accessnow.org

GPG fingerprint: 2DBE 2014 E7B0 0730 303D 7AAB 99AB 0624 6EEB F5A8


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.wald.intevation.org/pipermail/gpg4win-users-en/attachments/20150730/a7569cb4/attachment.sig>

More information about the Gpg4win-users-en mailing list