-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2016-12-28 11:11, john.david.r.smith wrote:
>>> this may be a source of errors for some users, or even insecure
>>> (mitm + exchanging the master signing key information on the
>>> website + patching the downloaded image).
>>
>> I know what you mean, but it's worth remembering that the Qubes
>> Master Signing Key fingerprint is supposed to be verified
>> out-of-band/multiband. So, in principle, replacing the key and/or
>> fingerprint on just qubes-os.org shouldn't work as a successful
>> attack vector.
>
>
> the problem is (as you wrote) 'supposed to be verified
> out-of-band'. for some less technical people, even verifying the
> signature is a huge step.

Yes, this is why we go to such great lengths to educate users about this. Qubes is the sort of system that places ultimate trust in users to safeguard their own security. There are too many ways for users to shoot themselves in the feet that we can't prevent. Verifying the ISO is just the first step, before Qubes is even installed. After Qubes is installed, just think about how many ways there are for a user to compromise dom0 or a TemplateVM if they're being reckless. (We try to mitigate this by cutting off all network access from dom0 and allowing network access only to the Updates Proxy for TemplateVMs, but there are still uncountable ways to harm oneself.)

Ultimately, Qubes is the sort of OS where we have to educate users, and users have to be willing to be educated. It's not the sort of OS where we can always protect users from themselves.

> i am a fan of providing easy accessible security and using already
> existing infrastructure.

Agreed.

> (in case of the dom0 repo, an ultimately trusted source).
>

(I see that this was clarified in the other subthread.)

> also depending on the situation a mitm could replace the
> fingerprint of different channels, too.
>

The greater the number of alternative channels and the more different they are (in terms of protocol, form, ownership, control, etc.), the more difficult it would be for an attacker to replace them all. If a user is very careful (e.g., checks from multiple computers over different internet connections, VPNs, Tor circuits, Wi-Fi hotspots, searches for and checks the fingerprint on webpages, PDFs, photos, etc.), I think it would be exceedingly difficult even for a nation state attacker to substitute every instance of the fingerprint that the user could find on the internet (not to mention meatspace channels). It would almost surely be easier to mount an attack in other ways.

>>> also checking signatures manually should be unnecessary since a
>>> package manager is built to do such stuff.
>>>
>>> i would propose to add the qubes-images as packages to the
>>> repos.
>>>
>>
>> Interesting idea. I wonder whether this would count as a misuse
>> of the repos/package manager.
>>
>> One thing is that we'd like to offload most of the traffic to a
>> mirror (e.g., mirrors.kernel.org, as we currently do).
>
> if offloading is not done for isos: add a "qubes-images" repo
> providing the files and host it on your servers.
>

We *do* want to (and currently do) offload most of the ISO-download traffic onto third-party servers, since they're better able to handle the load. This is why we provide mirrors.kernel.org as the default download source for Qubes ISOs.

> if offloading is done for isos: ship the master key with qubes and
> provide a convenience command to the user. this command should
> download (e.g. via torrent) and verify the image (a step the user
> can't do wrong anymore). this command could spawn a dispvm,
> install torrent software, load the torrent and copy it to dom0.
> from there the user could qvm-copy it to the vm with the install
> medium.
>

This is a different proposal, and it would be a much larger undertaking. It's certainly not something that the core Qubes devs have time to do, so it would have to be a community-developed feature. Would you like to take this project on?

>>> maybe you could get other official repos to add them, too.
>>> (debian (+ubuntu), fedora and arch should reach a significant
>>> portion of the linux users)
>>
>> Another interesting idea. I've never heard of a distro adding a
>> different OS's ISO as a package of their own, though.
>
> asking can't hurt.
>

Well... why don't you ask them, then? :) After all, Qubes is free and open-source software. You don't need our permission to distribute it. :)

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYZCMdAAoJENtN07w5UDAwBSMP/jhfnxe9QGFU4JzCyuoLtKHK
XfUAPibLUeSmum0lL0UpV9y3+v0gk0aKMVIXz4emthUSLjHgyTA8NmMzzqPXDl2g
YQQ0geO6aHgKNi2EM7V0ga/+o1jM96eS1DOzTEhvgcICBx14NpCG9E0zMs6NyS0n
n+nhqvp3/+sislXnTdVD71jWyfPTwIvubg3hHtle0ly5i+9iMb5nd0X7DCZy4Kga
1/OD6G4Ijpg5hRV6nJMYrrzh6vQX+E17M6dLNfddFXFJbiQZBTJYZvVnFS74uL86
8mUNzRoAK+c+nCmM09Rd+EKQktrmVn4TLm3bRas9aVNsq/iSr8v9lAVRqEM44I63
Rtq6XrAKav636VMjGB2us/Ffgk5NO1KjVBdu3xFj7okMw0pAL7JgIGnOHEZ5Golb
2nrPwsd5wVkJHxW1BZQ79wbd5Mlj76WOcWxZ2mAh8wSDqm7B16VJBaICVCY98K5L
KBnlfBq4UPGKFhFuVwQzqZCD0ksLc8Ph9s4rkDCpWzzZ0n9yt9wyTYoU/tbg724V
ap0IjLySTUzQtZ9gIWFfJxP151c1reroWwbIZ2/ePjhVkd9ye6iHet/blGomhuUO
3GOoCx1t9+KvLvBl6ejnBghHNXikGUOGZgOoIfHOBu2+PreE7F4MYeWEYEBpK60B
YDIth+4aNjRZY1naN+EC
=2Nfe
-----END PGP SIGNATURE-----
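An added example, written for this page and not code from Qubes OS or from anyone in the thread: a shell script of the kind the "convenience command" proposal above calls for, covering the part that can be automated (signature and certification checks) and making explicit the part that cannot (the Master Signing Key fingerprint, which the user must still obtain out-of-band, as the thread stresses). It works in a throwaway GnuPG keyring, accepts only a full 40-digit fingerprint, refuses a key file that carries more than one key, and treats a signature as good only when gpg reports it as both valid and trusted, i.e. made by a key the verified master key has certified. The `verify_iso` interface, the file names in the usage line and the fingerprints in the comments are assumptions for illustration; it assumes GnuPG 2 in `PATH`.

```shell
#!/usr/bin/env bash
# Added example, not Qubes project code: verify a downloaded ISO against a
# Master Signing Key fingerprint the user obtained out-of-band. The
# fingerprint is deliberately a parameter: nothing in this script can tell a
# genuine fingerprint from one a MITM placed on a website.
set -eu

# Canonical form for comparing fingerprints: no spaces or colons, upper case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Only a full 40-hex-digit fingerprint is acceptable; 8- and 16-digit key IDs
# can be collided and must be rejected.
fpr_is_full() {
    local f
    f="$(normalize_fpr "$1")"
    [ "${#f}" -eq 40 ] || return 1
    case "$f" in *[!0-9A-F]*) return 1 ;; esac
}

# Both arguments must be full fingerprints and equal after normalization.
fpr_matches() {
    fpr_is_full "$1" && fpr_is_full "$2" &&
        [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Decide from gpg --status-fd output whether a signature is acceptable:
# VALIDSIG must be present and the key must be TRUST_FULLY/ULTIMATE, which in
# our keyring can only come from a certification by the master key.
# GOODSIG alone is not enough: gpg prints it for keys it has no reason to trust.
status_is_trusted() {
    printf '%s\n' "$1" | grep -q '^\[GNUPG:\] VALIDSIG ' || return 1
    printf '%s\n' "$1" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)( |$)'
}

# verify_iso EXPECTED_FPR MASTER_KEY_FILE RELEASE_KEY_FILE ISO SIG
verify_iso() {
    local expected="$1" master="$2" release="$3" iso="$4" sig="$5"
    local gh got status
    gh="$(mktemp -d)"            # throwaway keyring: no other key can vouch
    chmod 700 "$gh"
    export GNUPGHOME="$gh"

    gpg --batch --quiet --import "$master"
    # The master key file must contain exactly one key, and it must be the
    # one whose fingerprint the user verified out-of-band.
    [ "$(gpg --batch --with-colons --list-keys | grep -c '^pub:')" -eq 1 ] ||
        { echo "master key file does not contain exactly one key" >&2; return 1; }
    got="$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')"
    fpr_matches "$expected" "$got" ||
        { echo "master key fingerprint mismatch: keyring has $got" >&2; return 1; }

    # Only the verified master key gets ultimate trust (ownertrust level 6).
    # The release key is accepted solely because the master key certified it.
    printf '%s:6:\n' "$(normalize_fpr "$got")" | gpg --batch --import-ownertrust
    gpg --batch --quiet --import "$release"

    status="$(gpg --batch --status-fd 1 --verify "$sig" "$iso" 2>/dev/null || true)"
    if status_is_trusted "$status"; then
        echo "OK: $iso carries a valid signature from a key certified by $got"
    else
        echo "FAIL: signature on $iso is missing, bad, or from an uncertified key" >&2
        return 1
    fi
}

# Usage (placeholder file names):
#   verify-iso.sh '<fingerprint checked out-of-band>' master.asc release.asc image.iso image.iso.asc
if [ "$#" -eq 5 ]; then
    verify_iso "$@"
fi
```

The design point is that the script never fetches keys or fingerprints from the network, and never uses `--trust-model always`: the only trust anchor is the fingerprint typed in by the user, so a substituted website key fails at `fpr_matches`, and a release key the master key has not certified fails at `status_is_trusted`.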