path: root/wiki/src/blueprint/download_extension.mdwn
diff options
Diffstat (limited to 'wiki/src/blueprint/download_extension.mdwn')
1 files changed, 0 insertions, 90 deletions
diff --git a/wiki/src/blueprint/download_extension.mdwn b/wiki/src/blueprint/download_extension.mdwn
deleted file mode 100644
index b2bed3f..0000000
--- a/wiki/src/blueprint/download_extension.mdwn
+++ /dev/null
@@ -1,90 +0,0 @@
-[[!meta title="Automatic ISO verification extension for Firefox"]]
-We are planning to create a custom Firefox add-on to download and verify Tails
-using SHA-256 checksum.
- - To fix the ISO verification method using Windows. It has been broken since
- Firefox 20.
- - To simplify the installation process by automating some ISO verification
- during the download process.
-This would fix the main stumbling block for Tails verification (and thus
-installation) for the vast majority of users.
-Security considerations
- - People are downloading their ISO image from one of our mirrors. Those
- mirrors are run by volunteers and the content of what they serve is not
- authenticated.
- - On the other hand, the information served on is
- authenticated through HTTPS.
- - Downloading Firefox and installing add-ons is also done through HTTPS on
- - Forcing Firefox users who are downloading the ISO image through HTTP to
- verify its checksum can only increase the average level of verification
- that people do on Windows and Mac OS systems.
- - But HTTPS does not provide strong authentication. So our documentation
- should make that clear and keep providing instructions for authentication
- using OpenPGP but as an additional check.
-<a id="scenario"></a>
-ISO download
- - When the user clicks on the direct download button from the [[download
- page|download#index2h1]], Firefox proposes to install the extension.
- - The user allows the installation of the extension.
- - The extension starts the download and the user decides where to save it.
- - The webpage is modified and displays a progress bar of the download.
- - The user might or might not close the webpage.
- - The download also appears in the usual list of downloads of Firefox.
-ISO verification
- - When the download finishes, the ISO verification starts.
- - The extension checks the size of the download to verify that the download
- was complete.
- - The extension compares the checksum of the ISO image to a checksum found on
- the website through HTTPS.
- - The extension displays the result to the user:
- - If the original webpage is still open, it now either:
- - Points the user to the installation documentation.
- - Proposes troubleshooting strategies.
- - Otherwise it shows the result in a popup message and points to the
- appropriate page.
-Other desirable features
- - Be able to use that extension, once installed to verify ISO images
- downloaded using BitTorrent for example.
- - Be able to use that extension to verify other ISO images, testing images,
- older ISO images, etc. In that case the user would be warned about the
- deprectated or experimental status of the ISO image.
- - Be able to use that extension to check the GPG signature. On top of
- verifying the checksum, this would provide TOFU authentication. Then, if the
- user downloads a genuine app and a genuine key on first use, then she will
- be protected from a later compromision of the HTTPS certificate of
-Technical insight
- - That technique should be multiplatform and work from TBB as well.
- - The extension can get the checksum and the URL of the ISO image from the
- `<div id="content">` in following static pages:
- - <>
- - <>
- - The same tricks should be used to get the file size.
- See [[!tails_ticket 7417]].