[Pidgin] #14565: Link to .asc file and offer download over TLS

Pidgin trac at pidgin.im
Thu Sep 20 12:57:58 EDT 2012


#14565: Link to .asc file and offer download over TLS
-------------------------------------------------+-------------------------
 Reporter:  ioerror                              |       Owner:  rekkanoryo
     Type:  task                                 |      Status:  new
Milestone:                                       |   Component:
  Version:                                       |  unclassified
 Keywords:  security https tls pgp signature     |  Resolution:
  win32                                          |
-------------------------------------------------+-------------------------

Comment (by ioerror):

 Replying to [comment:8 datallah]:
 > Replying to [comment:5 ioerror]:
 > > Replying to [comment:4 datallah]:
 > > > SSL downloads are probably not going to happen any time soon.  The
 > > > bandwidth requirements would be quite high, we'd lose the Sourceforge
 > > > global mirroring, and with the GPG signatures, SSL doesn't really offer
 > > > any security benefits.
 > > >
 > >
 > > I'm not really clear on what those bandwidth requirements are - so I'm
 > > curious to know if that is actually such a big deal?
 >
 > Since 2.10.6 was released on 2012-07-06, there have been ~615K
 > downloads.
 > The vast majority (530K) of these are the Windows installer, which is
 > about 10MB.
 > On the top day for downloads, ~20K downloads, which means there was
 > ~200GB downloaded on that day.
 > The first month after it was released saw ~280K downloads, ~2.8TB.
 >

 Ok - that isn't very much at all. I can imagine that if you offer a secure
 mirror, you could get a good idea of how many people might use it.

 > This doesn't include downloads of the GTK+ Bundle.

 That is good to note.

 >
 > > I would for example be more than happy to run a secure mirror if there
 > > was an easy way to keep my mirror up to date. We could offer it as an
 > > option to people. Also, we might consider trying to use github - they
 > > offer HTTPS for their entire site, in theory, even for downloads. I did
 > > find an issue with it though, so that may or may not be a real option.
 >
 > I guess I'm wondering what real benefit SSL downloads will offer.  I
 > understand the need for the ability to validate that the download hasn't
 > been tampered with, but SSL can't really do that in the same way that a
 > signature does.
 >

 The main benefit is that nearly no one checks signatures other than people
 who package software. Signatures are good and in some ways, they are the
 best defense when the downloading party understands them. However, most
 users in my experience and in looking at various stats on the subject,
 simply do not check them - there is no easy way to do it on two of the
 major platforms.

 So the real benefit is that the bar is raised from an attacker who can
 MITM HTTP (trivial) to an attacker who can MITM HTTPS (less than trivial
 but still possible). Practically, I think this really improves the entire
 stack of things, even if one would need to check the gpg signature to
 *really* know if things were as expected.

 > Sourceforge, for all its warts, has done a good job of providing
 > redundant hosting with lots of mirrors located on several continents.  I
 > feel like unless there is a compelling reason to reinvent the wheel, we
 > shouldn't be doing that.
 >

 I suggest augmenting the wheel and seeing if there is demand. By making it an
 option, we'll be able to see if anyone cares to use the option. As I
 stated, I'd be happy to run a secure mirror and I bet we can find some
 others - the Tor Project does mirror some related projects on
 https://archive.torproject.org/ - we might be able to do the same for
 Pidgin.

 > > > What we really should do is to update the download pages to link to
 > > > the GPG signature files and add instructions on how to check the
 > > > signatures of the downloads.
 > >
 > > I agree. Tor's signature checking page is here:
 > > https://www.torproject.org/docs/verifying-signatures.html
 >
 > I'll be working on this soon; more to come.
 >
 > > I almost think we need a common tool for users, available over HTTPS
 > > that helps them to verify signatures of all the projects who ship GnuPG
 > > signatures. In theory this is gpg and in practice, a user who can use gpg
 > > is not the norm. Thoughts?
 >
 > I guess it doesn't seem wise or appropriate to try to create and
 > maintain our own tool for doing this; we have our hands full enough
 > without taking on an additional challenge of something that's difficult to
 > get right.
 > It also seems to me that people who don't (care enough to take the time
 > to) understand what it takes to validate the download aren't going to be
 > any more secure if there's a tool that rubber-stamps a download as
 > "secure".

 Oh, my suggestion is a project in itself that will help all projects who
 are in the current position. Tor has the same need - as does Pidgin -
 Windows users need a way to verify signatures and currently, it is
 basically not happening. I was suggesting a basic Windows application,
 perhaps with wget and gpg embedded that perhaps will fetch a thing,
 certainly verify it and we can make the website for it quite secure. That
 is, we could embed the website's public key in Chrome (as is done for
 Tor's https certs), enable HSTS, and create a unified tutorial for the
 process. I realize it is out of scope for Pidgin but if such a tool is
 interesting to you, I can imagine it might be worth considering...

-- 
Ticket URL: <https://developer.pidgin.im/ticket/14565#comment:10>
Pidgin <http://pidgin.im>
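The "fetch a thing, verify it" tool discussed in this ticket, sketched as an added example after the comment; this is not Pidgin's code nor anything the ticket authors wrote. It downloads an installer and its detached `.asc` over HTTPS with certificate and hostname verification, runs `gpg --verify` with `--status-fd`, and accepts the file only when a `VALIDSIG` status line carries a pinned signer fingerprint. The fingerprint, the example URL, and the `SAMPLE_STATUS` lines are constructed placeholders; the gpg status tags (`GOODSIG`, `VALIDSIG`, `BADSIG`, ...) are GnuPG's own.

```python
"""Fetch a release and its detached .asc over TLS, then verify it with gpg
against a pinned signer fingerprint (added example, not Pidgin project code)."""
import os
import ssl
import subprocess
import sys
import tempfile
import urllib.request

# Placeholder, not a real key: pin the release signer's full 40-hex-digit fingerprint here.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg status tags after which the signature must not be accepted, whatever else is printed.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}

# Constructed sample of gpg --status-fd output for a good signature by the pinned key.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Release Manager <rm@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-07-06 1341576000 0 4 0 1 10 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567\n"
)


def is_tls_url(url):
    """Only fetch over HTTPS; a plain-HTTP download can be rewritten by any on-path party."""
    return url.lower().startswith("https://")


def fetch_https(url, dest_path):
    """Download url to dest_path with chain and hostname verification enabled."""
    if not is_tls_url(url):
        raise ValueError("refusing to fetch over plain HTTP: " + url)
    ctx = ssl.create_default_context()  # verifies the certificate chain and the hostname
    with urllib.request.urlopen(url, context=ctx) as resp, open(dest_path, "wb") as out:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            out.write(chunk)


def parse_gpg_status(status_text, expected_fpr):
    """Decide from gpg --status-fd output whether a detached signature is acceptable.

    Exit status or a GOODSIG line alone is not enough: GOODSIG only says that *some*
    key in the local keyring signed the file.  Require a VALIDSIG line whose signing-key
    or primary-key fingerprint equals the pinned one, and reject on any fatal tag.
    """
    expected = expected_fpr.upper()
    valid = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1] if len(fields) > 1 else ""
        if tag in FATAL_TAGS:
            return False
        if tag == "VALIDSIG" and len(fields) >= 3:
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp-ts> <ver> <res> <pk-algo> <hash-algo> <class> [<primary-fpr>]
            if expected in (fields[2].upper(), fields[-1].upper()):
                valid = True
    return valid


def gpg_verify(sig_path, data_path, expected_fpr, gpg="gpg"):
    """Run gpg on the detached signature and apply parse_gpg_status to its status lines."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False)
    return proc.returncode == 0 and parse_gpg_status(proc.stdout, expected_fpr)


def fetch_and_verify(installer_url, expected_fpr, workdir):
    """Fetch <installer> and <installer>.asc over TLS; return the path only if the signature checks out."""
    name = os.path.basename(installer_url)
    data_path = os.path.join(workdir, name)
    sig_path = data_path + ".asc"
    fetch_https(installer_url, data_path)
    fetch_https(installer_url + ".asc", sig_path)
    if not gpg_verify(sig_path, data_path, expected_fpr):
        os.remove(data_path)  # do not leave an unverified installer behind
        raise RuntimeError("signature check failed for " + name)
    return data_path


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Offline demonstration on the constructed status lines above.
        print("sample status accepted:", parse_gpg_status(SAMPLE_STATUS, EXPECTED_FPR))
    else:
        # Usage: python fetch_verify.py https://example.invalid/pidgin-2.10.6.exe  (placeholder URL)
        print(fetch_and_verify(sys.argv[1], EXPECTED_FPR, tempfile.mkdtemp()))
```

The two checks that matter for a tool like this are visible in `parse_gpg_status`: the signer is identified by a pinned fingerprint rather than by whatever key happens to be in the user's keyring, and any fatal status tag rejects the download even when other lines look fine. The TLS download is the "raised bar" from the discussion; the signature check is what actually ties the file to the release manager.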