-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2017-05-13 14:53, Leo Gaspard wrote: > On 05/13/2017 09:40 PM, Andrew David Wong wrote: >> We agree, but we disagree about what constitutes "more security." >> We believe that what many people regard as "more security" is >> actually the illusion of security, and we believe that having >> more of the illusion of security is worse than having less of >> it. > > I don't want to take a stance on this GitHub vs GitLab issue, but > just a fact that strikes me as a really recent Qubes user > (something like a few weeks): > > There *is* need for security in the infrastructure. > > Not when the Qubes system is running. Just during the first > installation. > > I didn't have the masterkey at hand. My solution has been to ask a > few people I know with different ISPs to check out the webpage > with it, but it is hosted by GitHub. > > How, for trust initialization, am I to know 427F 11FD 0FAA 4B08 > 0123 F01C DDFA 1A3E 3687 9494 is actually Qubes master key and not > GitHub's MitM signing key? > > Now I've made that leap of faith, but I knew no-one who could > confirm it to me, except... this GitHub web page. > >> From now on I can be pretty confident about always receiving the >> updates > and any of my future system being installed with the same OS, but > that's not helpful if the key was not actually Qubes' in the first > place. > > Even though identity continuity already makes attacks (way) harder, > in my opinion trust initialization can only be done by some amount > of trust in the infrastructure, that is not perfect security but > should be enough to reasonably assume the webpage is indeed showing > the right fingerprint. > > That said, whether GitLab would provide more or less confidence in > this is an entirely different debate, to which I'd rather avoid > participating. >
There are many other methods you could use to attempt to verify the master key fingerprint aside from relying on the Qubes website. Here's a brief, non-exhaustive list: * Use different search engines to search for the fingerprint. * Use Tor to view and search for the fingerprint on various websites. * Use various VPNs and proxy servers. * Use different Wi-Fi networks (work, school, internet cafe, etc.). * Ask people to post the fingerprint in various forums and chat rooms. * Check against PDFs and photographs in which the fingerprint appears (e.g., slides from a talk or on a T-shirt). * Repeat all of the above from different computers and devices. - -- Andrew David Wong (Axon) Community Manager, Qubes OS https://www.qubes-os.org -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJZF2odAAoJENtN07w5UDAwyYMP/jknWPBwjDlqAd6haYQjfaBB f6KoBJ76cva5s3VYY64/FOHAYmRgS/Sci+xFzQrAdIYPiMgBrDZz2Cr6kfasa04o iZ/iFNQRdvh8JIU2lQ54IrGvUk8LO7cw+4tLkM8HdRCvrR+MaPj5yCNrbontQZhM fYAL8AYgYkfNnZS2qMsvclBrxCBancZgNkwOtHZpsDPYlmU8K5lHQ2gc59zOE3rZ kdECElLUwl4CY/ZLFQPDGdIkkwVgKAO2rsaIRAUwY2ck2r1DMcAlQU7QY0VNz6BV iYXv4VMQyMCAnO2ogJN3ehO2GLNc/4+D+3ZathgIqSWSqOusrRTiaU9TrLHbcSOT rUS3Dd/HU5X8fzNxufhNGMzpEDi6M8NE1D6XvoNDidTlmzrLP7gvmvZ8tXbczMk8 ejOL7ilb8sQai3aGMasaVAkuWHUSooy9I1ZtSo44JcWGn4DGvu/mI2x9ODOiU/Hg W2IHg632J0Nln79UWmWEujWZ4nNR3WltxcBopTb3uDFr0TzXI1cryQbq47GPFowZ 0hDIj8F2C1s6h4Ytkdobdnqa4KmxLt8fO+EI0mBzx7+8rzdKaetGVZoOTurKR1UK lPHPSroCng3c/C87i2tBA5DN+2IYTLffV0Ivx/vaipr4FMWZuLJbkQi+QsCxoOi8 sA9wzmDbFkhbKae+X1Kh =AlBx -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/7dfdcc42-1fe3-5a2e-7cf0-690790c69867%40qubes-os.org. For more options, visit https://groups.google.com/d/optout.