Hi Everyone,
(moving this email from the support-team ML to tor-dev as Runa suggested.)
I am starting to work on a small GUI tool for file verification because I find guiding users through the verification process on Windows/Mac through the command line painful.
Tools in use:
- Python 3.3 or 2.7 (still didn't decide yet).
- PyQT
- python-gnupg-0.3.5
I might also add a log window and a save log button to see what went wrong during the verification process.
Attached is a draft design of how the tool would look.
On Mon, Sep 23, 2013 at 7:12 PM, Lunar lunar@torproject.org wrote:
How do you think users will be able to install such a tool on their system?
There won't be any installation required. It's a single executable.
More importantly, how will they be able to ensure that it's not a tampered version?
I've thought about that and a few things came to mind:
- Include the executable inside TBB.
- Host it somewhere and also provide a SHA-256 hash on a website or in a file.
But this is all an endless chain because let's say I download TBB, then download gpg to verify it, but then how do I make sure that gpg itself wasn't tampered with? (assuming I don't have it installed already.)
Any help or suggestions would be much appreciated.
Thanks.
Sherief Alaa wrote:
I am starting to work on a small GUI tool for file verification because I find guiding users through the verification process on Windows/Mac through the command line painful.
Tools in use:
- Python 3.3 or 2.7 (still didn't decide yet).
- PyQT
- python-gnupg-0.3.5
I might also add a log window and a save log button to see what went wrong during the verification process.
Just a thought: have you considered doing this through a Firefox extension instead? I remember GetTor recommended a Firefox add-on for checking the hash of the bundle it sent out [0].
Note that I haven't thought about this approach completely but the reason this came to mind is because:
- distribution through Mozilla Add-ons is easy and secure.
- this does not require installation of extra components.
[0] - https://addons.mozilla.org/en-US/firefox/addon/md5-reborned-hasher/
On Mon, Sep 23, 2013 at 05:45:36PM -0400, Sukhbir Singh wrote:
I am starting to work on a small GUI tool for file verification because I find guiding users through the verification process on Windows/Mac through the command line painful.
Just a thought: have you considered doing this through a Firefox extension instead?
It does seem like a Firefox extension is a better alternative. The "here's an executable you just fetched from the Internet, please run it" model is likely bad news, and also isn't the right habit to be teaching users.
See also the thread on the blog about this topic: https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation#comm...
This is not an easy topic.
--Roger
Sherief Alaa:
But this is all an endless chain because let's say I download TBB, then download gpg to verify it, but then how do I make sure that gpg itself wasn't tampered with? (assuming I don't have it installed already.)
Indeed that's an endless chain and turtles all the way down. Plus (as you already mentioned) you also need to install gpg for OS X and Windows; in Windows' case there's absolutely no secure way to download pgp itself. Poor Windows users are screwed by *design*.
That being said, I totally support making this process easier. In fact, I dream of a day where TBB could itself (or TorButton perhaps) check and see if all of its executable files are identical to the latest version on the repository in a secure way without confusing (or even, say, noticing) the average user.
Maybe this can be part of the auto-update project?
But whatever it is, it can't be a simple tiny app.
Nima:
Sherief Alaa:
But this is all an endless chain because let's say I download TBB, then download gpg to verify it, but then how do I make sure that gpg itself wasn't tampered with? (assuming I don't have it installed already.)
Indeed that's an endless chain and turtles all the way down. Plus (as you already mentioned) you also need to install gpg for OS X and Windows;
Yes.
In Windows' case there's absolutely no secure way to download pgp itself.
I agree.
(There is at least a way that is more secure than no security at all to obtain it.)
[tor-talk] Getting a GnuPG version for Windows in a secure way
https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html
Poor Windows users are screwed by *design*.
That being said, I totally support making this process easier. In fact, I dream of a day where TBB could itself (or TorButton perhaps) check and see if all of its executable files are identical to the latest version on the repository in a secure way without confusing (or even, say, noticing) the average user.
Maybe this can be part of the auto-update project?
This wouldn't solve how users could safely obtain it in the first place. Having the auto-updater working is a separate issue worth solving.
But whatever it is, it can't be a simple tiny app.
I totally agreed with that in a separate mail.
Hi Sherief,
This is actually a complex problem. Thanks for trying to solve it.
With all due respect, I must say, what you are trying is just another hack to attempt to solve a problem at a higher level, which cannot be solved at the level you are trying to solve it.
Some time ago, I wrote about it: [liberationtech] secure download tool - doesn't exist?!? https://mailman.stanford.edu/pipermail/liberationtech/2013-July/009620.html
See also my comments in Tor trac ticket 2340: https://trac.torproject.org/projects/tor/ticket/2340#comment:14
The whole approach of "you must download a verification tool or downloader to download what you really want to download" is something that, from a usability perspective, only a small fraction of geeky users will do. I am sure you can create something useful for a few people, I might even use it myself, but it's up to you if you want to solve it for the majority of users.
Do you speak C? If so, a solution which could work for more users, could be adding metalink + OpenPGP support to Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=331979
Then verification would work out of the box without installing other software.
If you agree with my points, I see two realistic ways to solve this. For one, solving the issue in Firefox. I am quite sure Microsoft won't be helpful. Or ditch Firefox/Microsoft Windows altogether and solve it in popular Linux distributions.
In case you are interested in solving the deeper issues, solving this is an interesting problem which you could advocate. You could summarize the current problem of why currently only a small fraction of downloaders uses verification, then do the draft work on how it could be solved (my comments in Tor trac ticket 2340), discuss with Linux distributions how they would accept it, then implement it and get Linux distributions to install it by default. The actual implementation could then also be done in Python.
I'd do it myself, but I am already maintaining a Free Software project (Whonix), so I am happy that you showed up, interested in solving it.
Cheers, adrelanos
Sherief Alaa transcribed 13K bytes:
Hi Everyone,
(moving this email from the support-team ML to tor-dev as Runa suggested.)
I am starting to work on a small GUI tool for file verification because I find guiding users through the verification process on Windows/Mac through the command line painful.
Tools in use:
- Python 3.3 or 2.7 (still didn't decide yet).
- PyQT
- python-gnupg-0.3.5
Hi Sherief,
I'm not sure if you were planning on using the upstream version, or the python-gnupg that I (re)wrote to fix the arbitrary code exec vulns, but the one you mention (python-gnupg-0.3.5) is upstream, not mine. Though, granted, they have fixed some of the vulns in the latest version.
I probably should also point out if you're thinking of using the upstream, that their "unittests" are run encased in try/except blocks, and thus never fail even when they should.
Third, the upstream version doesn't handle unicode very well. If you're using it for file verification of TBB sha256sum files, it shouldn't matter as much, but if the user tries to verify anything containing non-ascii characters it's going to quickly become ten times as painful.
I might also add a log window and a save log button to see what went wrong during the verification process.
Attached is a draft design of how the tool would look.
On Mon, Sep 23, 2013 at 7:12 PM, Lunar lunar@torproject.org wrote:
How do you think users will be able to install such a tool on their system?
There won't be any installation required. It's a single executable.
Neither my version nor upstream's is an implementation of the OpenPGP spec. In other words, they both expect you to have a GnuPG binary already present on the system. My version will handle multiple versions of GnuPG, up to builds of branches 2.0.x. I don't recall what upstream handles, though if I recall correctly, just GnuPG 1.4.12-14.
So, at bare minimum, you have two executables, if you ship GPG4Win (horribly out of date, I don't recommend it) and you compile your script and its Python dependencies into executables. You might want to check on how the APAF folks are getting along with their work; they intend to create some sort of cross-platform Python App runner.
More importantly, how will they be able to ensure that it's not a tampered version?
I've thought about that and a few things came to mind:
- Include the executable inside TBB.
- Host it somewhere and also provide a SHA-256 hash on a website or in a file.
Also, copies of the keys which made the signatures.
Hope this helps a bit,
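As an added illustration (not code from this thread or from Sherief's tool), the hash-checking half of such a verifier in Python: parse a sha256sums-style file, hash each listed download and report OK, FAILED or MISSING, with one non-ASCII filename included to exercise the unicode point isis raises. The sample files and their digests are constructed in a temporary directory; the OpenPGP signature on the sums file itself would still have to be checked with GnuPG, which this block does not attempt.

```python
import hashlib
import os
import tempfile

# Constructed sample downloads (NOT real Tor Browser archives); the second
# name is non-ASCII on purpose, since a sums file may list such names.
SAMPLE_FILES = {
    "tor-browser-linux64-3.5_en-US.tar.xz": b"constructed archive bytes\n",
    "tor-browser-linux64-3.5_\u00e9\u00e9.tar.xz": b"another constructed archive\n",
}

def sha256_of_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large bundles need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse '<hex>  <name>' (or '<hex> *<name>') lines into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep:  # coreutils binary-mode marker
            digest, sep, name = line.partition(" *")
        if len(digest) != 64 or not sep or not name:
            raise ValueError("malformed sums line: %r" % line)
        entries[name] = digest.lower()
    return entries

def verify_against_sums(directory, sums_text):
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_of_file(path) == expected else "FAILED"
    return results

def demo():
    """Write the samples, build a sums file, then tamper with one download."""
    tmp = tempfile.mkdtemp()
    lines = []
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
        lines.append("%s  %s" % (hashlib.sha256(data).hexdigest(), name))
    lines.append("%s  not-downloaded.tar.xz" % ("0" * 64))  # listed, never fetched
    with open(os.path.join(tmp, list(SAMPLE_FILES)[1]), "ab") as f:
        f.write(b"x")  # simulate a modified download after the sums were published
    return verify_against_sums(tmp, "\n".join(lines))
```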