'Re: [qubes-devel] Re: GitLab'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    Re: [qubes-devel] Re: GitLab
From:       Andrew David Wong <adw () qubes-os ! org>
Date:       2017-05-13 20:18:39
Message-ID: 7dfdcc42-1fe3-5a2e-7cf0-690790c69867 () qubes-os ! org
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 2017-05-13 14:53, Leo Gaspard wrote:
> On 05/13/2017 09:40 PM, Andrew David Wong wrote:
> > We agree, but we disagree about what constitutes "more security."
> > We believe that what many people regard as "more security" is
> > actually the illusion of security, and we believe that having
> > more of the illusion of security is worse than having less of
> > it.
> 
> I don't want to take a stance on this GitHub vs GitLab issue, but 
> just a fact that strikes me as a really recent Qubes user 
> (something like a few weeks):
> 
> There *is* need for security in the infrastructure.
> 
> Not when the Qubes system is running. Just during the first 
> installation.
> 
> I didn't have the masterkey at hand. My solution has been to ask a
> few people I know with different ISPs to check out the webpage 
> with it, but it is hosted by GitHub.
> 
> How, for trust initialization, am I to know 427F 11FD 0FAA 4B08 
> 0123 F01C DDFA 1A3E 3687 9494 is actually Qubes master key and not
> GitHub's MitM signing key?
> 
> Now I've made that leap of faith, but I knew no-one who could 
> confirm it to me, except... this GitHub web page.
> 
> > From now on I can be pretty confident about always receiving the
> > updates
> and any of my future system being installed with the same OS, but 
> that's not helpful if the key was not actually Qubes' in the first
> place.
> 
> Even though identity continuity already makes attacks (way) harder,
> in my opinion trust initialization can only be done by some amount
> of trust in the infrastructure, that is not perfect security but
> should be enough to reasonably assume the webpage is indeed showing
> the right fingerprint.
> 
> That said, whether GitLab would provide more or less confidence in
> this is an entirely different debate, to which I'd rather avoid 
> participating.
> 

There are many other methods you could use to attempt to verify the
master key fingerprint aside from relying on the Qubes website. Here's
a brief, non-exhaustive list:

 * Use different search engines to search for the fingerprint.
 * Use Tor to view and search for the fingerprint on various websites.
 * Use various VPNs and proxy servers.
 * Use different Wi-Fi networks (work, school, internet cafe, etc.).
 * Ask people to post the fingerprint in various forums and chat rooms.
 * Check against PDFs and photographs in which the fingerprint appears
   (e.g., slides from a talk or on a T-shirt).
 * Repeat all of the above from different computers and devices.

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJZF2odAAoJENtN07w5UDAwyYMP/jknWPBwjDlqAd6haYQjfaBB
f6KoBJ76cva5s3VYY64/FOHAYmRgS/Sci+xFzQrAdIYPiMgBrDZz2Cr6kfasa04o
iZ/iFNQRdvh8JIU2lQ54IrGvUk8LO7cw+4tLkM8HdRCvrR+MaPj5yCNrbontQZhM
fYAL8AYgYkfNnZS2qMsvclBrxCBancZgNkwOtHZpsDPYlmU8K5lHQ2gc59zOE3rZ
kdECElLUwl4CY/ZLFQPDGdIkkwVgKAO2rsaIRAUwY2ck2r1DMcAlQU7QY0VNz6BV
iYXv4VMQyMCAnO2ogJN3ehO2GLNc/4+D+3ZathgIqSWSqOusrRTiaU9TrLHbcSOT
rUS3Dd/HU5X8fzNxufhNGMzpEDi6M8NE1D6XvoNDidTlmzrLP7gvmvZ8tXbczMk8
ejOL7ilb8sQai3aGMasaVAkuWHUSooy9I1ZtSo44JcWGn4DGvu/mI2x9ODOiU/Hg
W2IHg632J0Nln79UWmWEujWZ4nNR3WltxcBopTb3uDFr0TzXI1cryQbq47GPFowZ
0hDIj8F2C1s6h4Ytkdobdnqa4KmxLt8fO+EI0mBzx7+8rzdKaetGVZoOTurKR1UK
lPHPSroCng3c/C87i2tBA5DN+2IYTLffV0Ivx/vaipr4FMWZuLJbkQi+QsCxoOi8
sA9wzmDbFkhbKae+X1Kh
=AlBx
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/7dfdcc42-1fe3-5a2e-7cf0-690790c69867%40qubes-os.org.
 For more options, visit https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic