Tails download served over http? Mismatched Certificates? hmmmm

Discussion in 'privacy technology' started by papa1234, Jul 22, 2014.

Thread Status:
Not open for further replies.
  1. papa1234

    papa1234 Registered Member

    Joined:
    Jul 21, 2014
    Posts:
    6
    In stark contrast to rest of the tails website, which is all served under SSL, the actual download of the os is served unencrypted. Interesting!
    I attempted to change the link to use https instead of http, and it reveals an incorrectly installed, mismatched or possibly even bogus certificate on their download server. Looks fishy.

    Surprised that whoever setup the site was so concerned about security that they pushed the whole site through SSL, yet left the main download in plain old http with a weird SSL certificate named to some weird 3rd party entity - try it in your browser.

    Anyone care to comment?
     
  2. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Here's a SSL Labs run on their download link: https://www.ssllabs.com/ssltest/analyze.html?d=dl.amnesia.boum.org

    But this might explain it:
    https://tails.boum.org/download/index.en.html#verify


    I don't think they trust HTTPS enough to use it for their Tails download. That, and it might overstress their download server by encrypting every 1GB download of a Tails.iso. That's just my guess, I could be wrong.
    But as long as the Tails.iso is verified and legit, it doesn't matter too much. I just usually download it over their torrent.

    It's not like you can hide the fact you visited and downloaded Tails over a standard vanilla internet connection anyway (without VPN or whatnot):

    https://www.eff.org/deeplinks/2014/07/dear-nsa-privacy-fundamental-right-not-reasonable-suspicion
     
  3. papa1234

    papa1234 Registered Member

    Joined:
    Jul 21, 2014
    Posts:
    6
    They dont trust https but they trust http? seems an illogical argument. I understand compression might put strain on the server, but in this day and age serving files over https is normal, not like you need a supercomputer.
    Above doesnt explain much, points out that even under ssl you can be the victim of a middle man attack and shows how to verify the download.
    I care not about hiding the IP, merely curious about the discrepancy i discovered when looking at tails download server.
    Also, if they cared so much about privacy, why leave the download on a server which shows spammy looking certificates? this could be server misconfiguration for sure, I wouldn't expect to see it on a server relating to privacy however.

    And finally, how do we know its verified and legit, I havent bothered compiling from source and comparing to signatures offered on that site, no time, im just a casual observer :)
    Lacking a support website where to ask these kinds of questions is also rather odd.
     
  4. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Depends on the scenario. It's not like you're logging into a site, sending a message, or filling in your debit card information on a shopping site. Basically, you're not sending or receiving any sensitive information, an attacker would just know you're downloading their .iso. And since by that point you're already on their radar for simply visiting the https://tails.boum.org/ site, so HTTPS or not, the only way you can know if you really received an untampered Tails.iso is to verify it.

    I don't think it'd be a bad thing if it was over HTTPS, but I just think it'd be a false sense of security in this case.

    I wouldn't think it would have a lot of impact, but I also know hardly any other sites do downloads over HTTPS (that aren't personal file storage). But maybe they too just rely on people verifying their downloads. I really don't know what the logic is behind it.

    If you notice though their site is https://tails.boum.org/ I don't know what else https://boum.org/ hosts though.

    See: https://tails.boum.org/download/index.en.html#verify
    Basically, download the tails-signing.key and tails-i386-1.1.iso.sig. Download gpg4win (if you're using Windows). Then just follow the guides. When you get to Decrypt/Verify tails-i386-1.1.iso.sig, enter the Tails.iso in the Input File area.

    Did you look through https://tails.boum.org/support/index.en.html yet? Shoot 'em a email or something.
     
  5. papa1234

    papa1234 Registered Member

    Joined:
    Jul 21, 2014
    Posts:
    6
    What purpose does it serve to implement ssl on the site in the first place then?

    yup, Dropbox uses https for its traffic, just verified via my router. Im sure thats terabytes of encrypted ssl traffic daily. I ssl data arriving from their amazon servers.

    For this to be truly "checked" you would need to check against the source of tails that you compiled yourself, no? I had a look online about other people verifying with the signatures and running into lots of issues, didnt have time to experiment myself.

    I did, when I realised their forum is closed I looked elsewhere, to ask my question in public, so to speak, amongst security experts. :)
     
Loading...
Thread Status:
Not open for further replies.