[prev in list] [next in list] [prev in thread] [next in thread]
List: qubes-devel
Subject: Re: [qubes-devel] Re: GitLab
From: Andrew David Wong <adw () qubes-os ! org>
Date: 2017-05-13 20:18:39
Message-ID: 7dfdcc42-1fe3-5a2e-7cf0-690790c69867 () qubes-os ! org
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2017-05-13 14:53, Leo Gaspard wrote:
> On 05/13/2017 09:40 PM, Andrew David Wong wrote:
> > We agree, but we disagree about what constitutes "more security."
> > We believe that what many people regard as "more security" is
> > actually the illusion of security, and we believe that having
> > more of the illusion of security is worse than having less of
> > it.
>
> I don't want to take a stance on this GitHub vs GitLab issue, but
> just a fact that strikes me as a really recent Qubes user
> (something like a few weeks):
>
> There *is* need for security in the infrastructure.
>
> Not when the Qubes system is running. Just during the first
> installation.
>
> I didn't have the masterkey at hand. My solution has been to ask a
> few people I know with different ISPs to check out the webpage
> with it, but it is hosted by GitHub.
>
> How, for trust initialization, am I to know 427F 11FD 0FAA 4B08
> 0123 F01C DDFA 1A3E 3687 9494 is actually Qubes master key and not
> GitHub's MitM signing key?
>
> Now I've made that leap of faith, but I knew no-one who could
> confirm it to me, except... this GitHub web page.
>
> > From now on I can be pretty confident about always receiving the
> > updates
> and any of my future system being installed with the same OS, but
> that's not helpful if the key was not actually Qubes' in the first
> place.
>
> Even though identity continuity already makes attacks (way) harder,
> in my opinion trust initialization can only be done by some amount
> of trust in the infrastructure, that is not perfect security but
> should be enough to reasonably assume the webpage is indeed showing
> the right fingerprint.
>
> That said, whether GitLab would provide more or less confidence in
> this is an entirely different debate, to which I'd rather avoid
> participating.
>
There are many other methods you could use to attempt to verify the
master key fingerprint aside from relying on the Qubes website. Here's
a brief, non-exhaustive list:
* Use different search engines to search for the fingerprint.
* Use Tor to view and search for the fingerprint on various websites.
* Use various VPNs and proxy servers.
* Use different Wi-Fi networks (work, school, internet cafe, etc.).
* Ask people to post the fingerprint in various forums and chat rooms.
* Check against PDFs and photographs in which the fingerprint appears
(e.g., slides from a talk or on a T-shirt).
* Repeat all of the above from different computers and devices.
- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJZF2odAAoJENtN07w5UDAwyYMP/jknWPBwjDlqAd6haYQjfaBB
f6KoBJ76cva5s3VYY64/FOHAYmRgS/Sci+xFzQrAdIYPiMgBrDZz2Cr6kfasa04o
iZ/iFNQRdvh8JIU2lQ54IrGvUk8LO7cw+4tLkM8HdRCvrR+MaPj5yCNrbontQZhM
fYAL8AYgYkfNnZS2qMsvclBrxCBancZgNkwOtHZpsDPYlmU8K5lHQ2gc59zOE3rZ
kdECElLUwl4CY/ZLFQPDGdIkkwVgKAO2rsaIRAUwY2ck2r1DMcAlQU7QY0VNz6BV
iYXv4VMQyMCAnO2ogJN3ehO2GLNc/4+D+3ZathgIqSWSqOusrRTiaU9TrLHbcSOT
rUS3Dd/HU5X8fzNxufhNGMzpEDi6M8NE1D6XvoNDidTlmzrLP7gvmvZ8tXbczMk8
ejOL7ilb8sQai3aGMasaVAkuWHUSooy9I1ZtSo44JcWGn4DGvu/mI2x9ODOiU/Hg
W2IHg632J0Nln79UWmWEujWZ4nNR3WltxcBopTb3uDFr0TzXI1cryQbq47GPFowZ
0hDIj8F2C1s6h4Ytkdobdnqa4KmxLt8fO+EI0mBzx7+8rzdKaetGVZoOTurKR1UK
lPHPSroCng3c/C87i2tBA5DN+2IYTLffV0Ivx/vaipr4FMWZuLJbkQi+QsCxoOi8
sA9wzmDbFkhbKae+X1Kh
=AlBx
-----END PGP SIGNATURE-----
--
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to qubes-devel+unsubscribe@googlegroups.com. To post to this group, \
send email to qubes-devel@googlegroups.com. To view this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/7dfdcc42-1fe3-5a2e-7cf0-690790c69867%40qubes-os.org.
For more options, visit https://groups.google.com/d/optout.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic