[Pidgin] #14565: Link to .asc file and offer download over TLS
Pidgin
trac at pidgin.im
Fri Sep 21 01:15:36 EDT 2012
#14565: Link to .asc file and offer download over TLS
-------------------------------------------------+-------------------------
 Reporter:  ioerror                                 |       Owner:  rekkanoryo
     Type:  task                                    |      Status:  new
Milestone:                                          |   Component:  unclassified
  Version:                                          |  Resolution:
 Keywords:  security https tls pgp signature win32  |
-------------------------------------------------+-------------------------
Comment (by datallah):
Replying to [comment:10 ioerror]:
> Replying to [comment:8 datallah]:
> > Since 2.10.6 was released on 2012-07-06, there have been ~615K
> > downloads.
> > The vast majority (530K) of these are the Windows installer, which is
> > about 10MB.
> > On the top day for downloads, ~20K downloads, which means there was
> > ~200GB downloaded on that day.
> > The first month after it was released saw ~280K downloads, ~2.8TB.
> >
>
> Ok - that isn't very much at all. I can imagine that if you offer a
> secure mirror, you could get a good idea of how many people might use it.
>
> > I guess I'm wondering what real benefit SSL downloads will offer. I
> > understand the need for the ability to validate that the download hasn't
> > been tampered with, but SSL can't really do that in the same way that a
> > signature does.
> >
>
> The main benefit is that nearly no one checks signatures other than
> people who package software. Signatures are good and in some ways, they
> are the best defense when the downloading party understands them. However,
> most users in my experience and in looking at various stats on the
> subject, simply do not check them - there is no easy way to do it on two
> of the major platforms.
>
>
> So the real benefit is that the bar is raised from an attacker who can
> MITM HTTP (trivial) to an attacker who can MITM HTTPS (less than trivial
> but still possible). Practically, I think this really improves the entire
> stack of things, even if one would need to check the gpg signature to
> *really* know if things were as expected.
I have no doubt that you're right - most users don't verify signatures.
Sure, it does raise the bar for MITM situations, but from a real security
perspective, it seems to me that hosting with a third party over HTTPS vs.
over HTTP doesn't really offer much more than the appearance of being
secure. I think I'd almost rather people notice that they're downloading
over "unsecure HTTP" and be worried about it (and hopefully verify
signatures) than for someone to see the little padlock on their browser
and think that everything is magically ok.
>
> > Sourceforge, for all its warts, has done a good job of providing
> > redundant hosting with lots of mirrors located on several continents. I
> > feel like unless there is a compelling reason to reinvent the wheel, we
> > shouldn't be doing that.
> >
>
> I suggest augmenting the wheel and seeing if there is demand. By making it
> an option, we'll be able to see if anyone cares to use the option. As I
> stated, I'd be happy to run a secure mirror and I bet we can find some
> others - the Tor Project does mirror some related projects on
> https://archive.torproject.org/ - we might be able to do the same for
> Pidgin.
I'm not opposed to adding an SSL mirror if it were available and not too
painful to maintain. I do have some concerns about how to deal with
making the download pages not horribly busy and confusing with the
addition of SSL download links, the links to the GPG signatures
and the link to the page about signatures.
> Oh, my suggestion is a project in itself that will help all projects that
> are in the current position. Tor has the same need - as does Pidgin -
> Windows users need a way to verify signatures and currently, it is
> basically not happening. I was suggesting a basic Windows application,
> perhaps with wget and gpg embedded that perhaps will fetch a thing,
> certainly verify it and we can make the website for it quite secure. That
> is, we could embed the website's public key in Chrome (as is done for
> Tor's https certs), enable HSTS, and create a unified tutorial for the
> process. I realize it is out of scope for Pidgin but if such a tool is
> interesting to you, I can imagine it might be worth considering...
Sure, if there were such a tool available and it was functional and
practical, we'd certainly be interested in looking at it.
--
Ticket URL: <https://developer.pidgin.im/ticket/14565#comment:13>
Pidgin <http://pidgin.im>
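A fetch-and-verify script of the kind ioerror sketches above, written here for a POSIX shell as an added example (not Pidgin's or the Tor Project's code): it downloads a release and its detached .asc over HTTPS only, verifies with gpg, and pins the expected release-key fingerprint instead of trusting gpg's exit status alone, which would accept any key in the keyring. The fingerprint placeholder, the curl/gpg invocation and the check_validsig helper are assumptions; the page gives no key fingerprint.

```sh
#!/bin/sh
# Added example, not Pidgin's or the Tor Project's code: fetch a release and
# its detached .asc signature over HTTPS only, then verify and pin the key.
set -eu

# Placeholder: the real Pidgin release-signing key fingerprint is not on this
# page. Set it (40 hex chars, no spaces) before use.
PINNED_FPR="${PINNED_FPR:-REPLACE_WITH_PINNED_RELEASE_KEY_FINGERPRINT}"

# fetch URL DEST: refuse plain HTTP, including HTTP redirects from an HTTPS URL.
fetch() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$2" "$1"
}

# check_validsig STATUS EXPECTED_FPR: gpg's exit status only says "some key in
# the keyring signed this". Require a VALIDSIG line whose signing-key or
# primary-key fingerprint equals the pinned one; reject bad/expired/revoked.
check_validsig() {
    printf '%s\n' "$1" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)' && return 1
    printf '%s\n' "$1" |
        grep -Eq "^\[GNUPG:\] VALIDSIG ($2 |.* $2\$)"
}

# verify_download FILE SIGFILE: machine-readable status lines go to stdout
# (captured here); human-readable messages stay on stderr for the user.
verify_download() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1") || true
    check_validsig "$status" "$PINNED_FPR"
}

# main URL: download URL and URL.asc, verify, and delete both files on failure.
main() {
    file=$(basename "$1")
    fetch "$1" "$file"
    fetch "$1.asc" "$file.asc"
    if verify_download "$file" "$file.asc"; then
        echo "OK: $file verified against pinned key $PINNED_FPR"
    else
        echo "FAILED: $file did not verify against pinned key; removed" >&2
        rm -f "$file" "$file.asc"
        return 1
    fi
}

# Only act when run with a URL, so sourcing the file just defines the functions.
if [ "$#" -eq 1 ]; then main "$1"; fi
```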