[jitsi-users] Trust issue


#1

Hello,

I wanted to install Jitsi on my Xubuntu, so I went to
https://download.jitsi.org/jitsi/debian/, and downloaded the latest
version. Unfortunately, I didn't find any checksum or signature.

How am I supposed to check the package?

Cheers


#2

Hey there,

We are not currently signing packages, so what you can do instead is to
verify that the site you are downloading from is indeed
download.jitsi.org and has a valid certificate for that.

Cheers,
Emil

--sent from my mobile

···

On 10 Nov 2013 01:48, "jvoisin" <julien.voisin@dustri.org> wrote:

Hello,

I wanted to install Jitsi on my Xubuntu, so I went to
https://download.jitsi.org/jitsi/debian/, and downloaded the latest
version. Unfortunately, I didn't find any checksum or signature.

How am I supposed to check the package?

Cheers

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Looking ahead to sometime in the future, it should also just be a matter
of time before a proper (x)Ubuntu package is available. This bug
reports that a fix has been released, as of August:

https://bugs.launchpad.net/ubuntu/+bug/846532

I'm not sure what the timeline for getting it into Ubuntu is, though.

Regards,
/Lars

···

On 10 Nov 2013 01:48, "jvoisin" <julien.voisin@dustri.org> wrote:

Hello,

I wanted to install Jitsi on my Xubuntu, so I went to
https://download.jitsi.org/jitsi/debian/, and downloaded the latest
version. Unfortunately, I didn't find any checksum or signature.

How am I supposed to check the package?

Cheers


#4

Just to add that, as far as I understand it, there's no way to be sure
that you're connected to the site you think you are, even with SSL, in
IE but Chrome and Firefox support Extended Validation certs, as
explained here https://www.grc.com/fingerprints.htm so if the Jitsi
site used one of those (which it doesn't at the moment) that would
allow users to be sure they're not downloading Jitsi from a MITM
honeytrap.

I appreciate there's probably a cost issue with obtaining one of these
certs but without any way to be sure that we're getting an
uncompromised copy of Jitsi, it would seem rather foolish to just hope
and assume that's the case. Maybe someone else can think of other,
cheaper, ways to solve this problem though.

Derek

···

On 10 November 2013 09:17, Emil Ivov <emcho@jitsi.org> wrote:

Hey there,

We are not currently signing packages, so what you can do instead is to
verify that the site you are downloading from is indeed download.jitsi.org
and has a valid certificate for that.

Cheers,
Emil

--sent from my mobile

On 10 Nov 2013 01:48, "jvoisin" <julien.voisin@dustri.org> wrote:

Hello,

I wanted to install Jitsi on my Xubuntu, so I went to
https://download.jitsi.org/jitsi/debian/, and downloaded the latest
version. Unfortunately, I didn't find any checksum or signature.

How am I supposed to check the package?

Cheers



#5

Yes, sha1sums with every release, posted not only on the download site but
also (automated?) to some jitsi-announcements mailing list. (Wouldn't apply
to nightlies.)

FC

···

On Sun, Nov 10, 2013 at 9:44 AM, Derek Moss <dmts@stoptheviolence.co.uk> wrote:

Maybe someone else can think of other,
cheaper, ways to solve this problem though.

--
During times of Universal Deceit, telling the truth becomes a revolutionary
act
- George Orwell


#6

Just to add that, as far as I understand it, there's no way to be sure
that you're connected to the site you think you are, even with SSL, in
IE but Chrome and Firefox support Extended Validation certs, as
explained here https://www.grc.com/fingerprints.htm so if the Jitsi
site used one of those (which it doesn't at the moment) that would
allow users to be sure they're not downloading Jitsi from a MITM
honeytrap.

Even with Extended Validation, if the website gets pwnd and releases
replaced, no one will notice.

I appreciate there's probably a cost issue with obtaining one of these
certs but without any way to be sure that we're getting an
uncompromised copy of Jitsi, it would seem rather foolish to just hope
and assume that's the case. Maybe someone else can think of other,
cheaper, ways to solve this problem though.

Since the Debian package seems to install the required GPG key to use
Jitsi's repo, why not sign the package itself with it?

···

On 11/10/2013 12:44 PM, Derek Moss wrote:


#7

At first I thought this might work, at least for those users who are on the
mailing list, but I think the problem is that if someone is able to run a
MITM honeytrap to trick the user into downloading a compromised Jitsi and
key, then they can probably intercept the e-mail and replace the sha1sum in
that with one that matches the compromised Jitsi as well.

···

On 10 November 2013 13:34, Fernando Cassia <fcassia@gmail.com> wrote:

On Sun, Nov 10, 2013 at 9:44 AM, Derek Moss <dmts@stoptheviolence.co.uk> wrote:

Maybe someone else can think of other,
cheaper, ways to solve this problem though.

Yes, sha1sums with every release, posted not only on the download site but
also (automated?) to some jitsi-announcements mailing list. (Wouldn't apply
to nightlies.)

FC


#8

> Just to add that, as far as I understand it, there's no way to be sure
> that you're connected to the site you think you are, even with SSL, in
> IE but Chrome and Firefox support Extended Validation certs, as
> explained here https://www.grc.com/fingerprints.htm so if the Jitsi
> site used one of those (which it doesn't at the moment) that would
> allow users to be sure they're not downloading Jitsi from a MITM
> honeytrap.
Even with Extended Validation, if the website gets pwnd and releases
replaced, no one will notice.

In which case the pwner will also simply replace the fingerprint on the web
page.

Emil

--sent from my mobile

···

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

On 11/10/2013 12:44 PM, Derek Moss wrote:

>
> I appreciate there's probably a cost issue with obtaining one of these
> certs but without any way to be sure that we're getting an
> uncompromised copy of Jitsi, it would seem rather foolish to just hope
> and assume that's the case. Maybe someone else can think of other,
> cheaper, ways to solve this problem though.
Since the Debian package seems to install the required GPG key to use
Jitsi's repo, why not sign the package itself with it?



#9

Just to add that, as far as I understand it, there's no way to be sure
that you're connected to the site you think you are, even with SSL, in
IE but Chrome and Firefox support Extended Validation certs, as
explained here https://www.grc.com/fingerprints.htm so if the Jitsi
site used one of those (which it doesn't at the moment) that would
allow users to be sure they're not downloading Jitsi from a MITM
honeytrap.

Even with Extended Validation, if the website gets pwnd and releases
replaced, no one will notice.

In which case the pwner will also simply replace the fingerprint on the web
page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

···

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

On 11/10/2013 12:44 PM, Derek Moss wrote:

Emil

--sent from my mobile

I appreciate there's probably a cost issue with obtaining one of these
certs but without any way to be sure that we're getting an
uncompromised copy of Jitsi, it would seem rather foolish to just hope
and assume that's the case. Maybe someone else can think of other,
cheaper, ways to solve this problem though.

Since the debian package seems to install the required gpg key to use
Jitsi's repo, why not sign the packet itself with it ?

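The check the last few posts argue about, written out as an added example (it is not code from this thread or from the Jitsi project): a SHA-256 manifest in `sha256sum` format is compared against the downloaded file, and, where `gpg` is installed, a detached signature is accepted only if the signing key's fingerprint equals one the user already holds. The file names, the manifest contents and the all-zero fingerprint are constructed placeholders. The design follows the thread's own argument: a checksum fetched from the same site as the package only catches corruption or a partially swapped mirror, because whoever can replace the package can replace the checksum too; the fingerprint in `verify_signature` is therefore a parameter the caller supplies from an earlier install or another channel, never something read from the download page.

```shell
#!/bin/sh
# Added example for this thread (not Jitsi project code): verify a downloaded
# package against a SHA-256 manifest and, when gpg is installed, against a
# detached signature made by a key whose fingerprint the user already holds.
# File names, manifest contents and the fingerprint below are constructed.

# Print the SHA-256 hex digest of a file; falls back to shasum where
# coreutils sha256sum is absent (e.g. macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_checksum FILE MANIFEST
# MANIFEST uses the sha256sum output format: "<hex digest>  <file name>".
# Returns 0 on a match, 1 on a mismatch, 2 when the file has no entry at all
# (a silently missing entry must never count as success).
verify_checksum() {
    _file=$1
    _manifest=$2
    _name=$(basename "$_file")
    _expected=$(awk -v n="$_name" '$2 == n { print tolower($1); exit }' "$_manifest")
    if [ -z "$_expected" ]; then
        echo "verify_checksum: no manifest entry for $_name" >&2
        return 2
    fi
    _actual=$(sha256_of "$_file")
    [ "$_actual" = "$_expected" ]
}

# verify_signature FILE SIGFILE FINGERPRINT
# Reads gpg's machine-readable status lines and accepts only a VALIDSIG whose
# signing-key or primary-key fingerprint equals FINGERPRINT. "Some key in my
# keyring signed it" is not enough: in the MITM scenario from the thread the
# attacker ships a key of their own next to the package, so the fingerprint
# has to come from an earlier install or another channel.
verify_signature() {
    _file=$1
    _sig=$2
    _want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    _status=$(gpg --batch --status-fd 1 --verify "$_sig" "$_file" 2>/dev/null) || return 1
    printf '%s\n' "$_status" | awk -v w="$_want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == w || $NF == w) { ok = 1 }
        END { exit !ok }'
}

# Demonstration on constructed files; it never touches the network.
demo() {
    _dir=$(mktemp -d)
    printf 'constructed package bytes, not a real .deb\n' > "$_dir/jitsi_example.deb"
    # A real manifest would be published separately from the package.
    printf '%s  %s\n' "$(sha256_of "$_dir/jitsi_example.deb")" jitsi_example.deb \
        > "$_dir/SHA256SUMS"

    if verify_checksum "$_dir/jitsi_example.deb" "$_dir/SHA256SUMS"; then
        echo "intact download: checksum matches"
    fi
    printf 'one extra line\n' >> "$_dir/jitsi_example.deb"
    if ! verify_checksum "$_dir/jitsi_example.deb" "$_dir/SHA256SUMS"; then
        echo "modified download: checksum mismatch detected"
    fi

    # Placeholder fingerprint; a real one would be supplied by the user.
    if command -v gpg >/dev/null 2>&1 && [ -f "$_dir/jitsi_example.deb.sig" ]; then
        verify_signature "$_dir/jitsi_example.deb" "$_dir/jitsi_example.deb.sig" \
            "0000000000000000000000000000000000000000" && echo "signature OK"
    else
        echo "no signature file present; skipping gpg check"
    fi
    rm -rf "$_dir"
}

demo
```

Run it as `sh verify.sh`; to use it for real, drop the `demo` call and invoke `verify_checksum` and `verify_signature` on the package, the manifest, the `.sig` file and a fingerprint taken from somewhere other than the download site.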


#10

Of course EVs can't protect against the actual website being pwned but
hopefully that would become obvious quite quickly, not only due to the
reasons you mentioned (although I'm not sure that the WOT addon would
be able to detect that the downloads have been replaced with hacked
versions) but also probably picked up by the site admins, security
audits, etc and once aware of the breach, warnings can be posted and
users told to download a new copy from the re-secured site.

What EVs can protect against is a MITM honeytrap, maybe targeted at
individual users or even a whole country, where those users could
download a compromised copy (and compromised key to go with it) and
never be any the wiser, as the actual website hasn't been compromised
so there's nothing for the site admins to detect and warn about and
with auto-update downloading hacked versions from a different server,
the users may not come back to the real site and get a clean copy for
years.

···

On 10 November 2013 13:37, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

On 11/10/2013 12:44 PM, Derek Moss wrote:

Just to add that, as far as I understand it, there's no way to be sure
that you're connected to the site you think you are, even with SSL, in
IE but Chrome and Firefox support Extended Validation certs, as
explained here https://www.grc.com/fingerprints.htm so if the Jitsi
site used one of those (which it doesn't at the moment) that would
allow users to be sure they're not downloading Jitsi from a MITM
honeytrap.

Even with Extended Validation, if the website gets pwnd and releases
replaced, no one will notice.

In which case the pwner will also simply replace the fingerprint on the web
page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

Emil


#11

I do not think web of trust referred to the browser addon but to the
PGP web of trust, which is built by people signing each other's keys.

--
Yannik Völker

···

On 10.11.2013 15:46, Derek Moss wrote:

On 10 November 2013 13:37, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

Even with Extended Validation, if the website gets pwnd and
releases replaced, no one will notice.

In which case the pwner will also simply replace the
fingerprint on the web page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

(although I'm not sure that the WOT addon would be able to detect
that the downloads have been replaced with hacked versions)


#12

Ah, OK. So sure, anyone who's already got the real gpg key or already
has a WOT with others who do and can verify that the one they've just
downloaded is real should be safe but that doesn't help new users who
probably don't even use pgp/gpg (other than for checking software
signatures they've downloaded) or know anyone else who does and so
don't have a WOT.

···

On 10 November 2013 14:57, Yannik Völker <yannikv@yahoo.de> wrote:


On 10.11.2013 15:46, Derek Moss wrote:

On 10 November 2013 13:37, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

Even with Extended Validation, if the website gets pwnd and
releases replaced, no one will notice.

In which case the pwner will also simply replace the
fingerprint on the web page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

(although I'm not sure that the WOT addon would be able to detect
that the downloads have been replaced with hacked versions)

I do not think web of trust referred to the browser addon but to the
PGP web of trust, which is built by people signing each other's keys.

--
Yannik Völker


#13

This will solve the concern for people who have a WoT. It's a step forward.
And if you don't have a WoT, you can build it, and get a trust path to
the key. You can also ask people you know to confirm that they have the
same key as you.

This is why it would be nice to publish the GPG key, and to sign it :)

···

On 11/10/2013 09:10 PM, Derek Moss wrote:

On 10 November 2013 14:57, Yannik Völker <yannikv@yahoo.de> wrote:


On 10.11.2013 15:46, Derek Moss wrote:

On 10 November 2013 13:37, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

Even with Extended Validation, if the website gets pwnd and
releases replaced, no one will notice.

In which case the pwner will also simply replace the
fingerprint on the web page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

(although I'm not sure that the WOT addon would be able to detect
that the downloads have been replaced with hacked versions)

I do not think web of trust referred to the browser addon but to the
PGP web of trust, which is built by people signing each other's keys.

--
Yannik Völker

Ah, OK. So sure, anyone who's already got the real gpg key or already
has a WOT with others who do and can verify that the one they've just
downloaded is real should be safe but that doesn't help new users who
probably don't even use pgp/gpg (other than for checking software
signatures they've downloaded) or know anyone else who does and so
don't have a WOT.


#14

I think I've mentioned this before but it's probably worth reminding:

download.jitsi.org is maintained by the University of Strasbourg. It
runs on a machine where tinkering with the certs is not an option for
us. So, while jitsi.org is already properly set ( see:
https://www.ssllabs.com/ssltest/analyze.html?d=jitsi.org )
strengthening download.jitsi.org is subject to schedules and time
frames that are not entirely under our control.

Emil

···

On Sun, Nov 10, 2013 at 10:10 PM, Derek Moss <dmts@stoptheviolence.co.uk> wrote:

On 10 November 2013 14:57, Yannik Völker <yannikv@yahoo.de> wrote:


On 10.11.2013 15:46, Derek Moss wrote:

On 10 November 2013 13:37, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

Even with Extended Validation, if the website gets pwnd and
releases replaced, no one will notice.

In which case the pwner will also simply replace the
fingerprint on the web page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

(although I'm not sure that the WOT addon would be able to detect
that the downloads have been replaced with hacked versions)

I do not think web of trust referred to the browser addon but to the
PGP web of trust, which is built by people signing each other's keys.

--
Yannik Völker

Ah, OK. So sure, anyone who's already got the real gpg key or already
has a WOT with others who do and can verify that the one they've just
downloaded is real should be safe but that doesn't help new users who
probably don't even use pgp/gpg (other than for checking software
signatures they've downloaded) or know anyone else who does and so
don't have a WOT.


--
Emil Ivov, Ph.D.
Project Lead
Jitsi
emcho@jitsi.org
https://jitsi.org
67000 Strasbourg, France
PHONE: +33.1.77.62.43.30
FAX: +33.1.77.62.47.31


#15

There is literally no way to help those.

--
Yannik Völker

···

On 10.11.2013 22:10, Derek Moss wrote:

On 10 November 2013 14:57, Yannik Völker <yannikv@yahoo.de> wrote:


On 10.11.2013 15:46, Derek Moss wrote:

On 10 November 2013 13:37, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 01:32 PM, Emil Ivov wrote:

On 10 Nov 2013 14:25, "jvoisin" <julien.voisin@dustri.org> wrote:

Even with Extended Validation, if the website gets pwnd
and releases replaced, no one will notice.

In which case the pwner will also simply replace the
fingerprint on the web page.

Indeed, but:
- Users who already have the gpg key will notice it
- People using Web of Trust will notice that something is wrong

(although I'm not sure that the WOT addon would be able to
detect that the downloads have been replaced with hacked
versions)

I do not think web of trust referred to the browser addon but to
the PGP web of trust, which is built by people signing each other's
keys.

--
Yannik Völker

Ah, OK. So sure, anyone who's already got the real gpg key or
already has a WOT with others who do and can verify that the one
they've just downloaded is real should be safe but that doesn't
help new users who probably don't even use pgp/gpg (other than for
checking software signatures they've downloaded) or know anyone
else who does and so don't have a WOT.


#16

That's clearly not true as using an EV cert for the website would help
them. That might not be possible at the moment due to the reasons
Emil's mentioned but that's a different matter.

···

On 10 November 2013 21:23, Yannik Völker <yannikv@yahoo.de> wrote:

Ah, OK. So sure, anyone who's already got the real gpg key or
already has a WOT with others who do and can verify that the one
they've just downloaded is real should be safe but that doesn't
help new users who probably don't even use pgp/gpg (other than for
checking software signatures they've downloaded) or know anyone
else who does and so don't have a WOT.

There is literally no way to help those.


#17

Indeed and I didn't mean to suggest it wasn't worth doing just because
it will only help some people.

···

On 10 November 2013 21:17, jvoisin <julien.voisin@dustri.org> wrote:

On 11/10/2013 09:10 PM, Derek Moss wrote:

Ah, OK. So sure, anyone who's already got the real gpg key or already
has a WOT with others who do and can verify that the one they've just
downloaded is real should be safe but that doesn't help new users who
probably don't even use pgp/gpg (other than for checking software
signatures they've downloaded) or know anyone else who does and so
don't have a WOT.

This will solve the concern for people who have a WoT. It's a step forward.
And if you don't have a WoT, you can build it, and get a trust path to
the key. You can also ask people you know to confirm that they have the
same key as you.

This is why it would be nice to publish the GPG key, and to sign it :)


#18

So, what should I do to make this happen?
Open a bug on the bug tracker?


#19

So, what should I do to make this happen?

Create a script that does what you are looking for?

Open a bug on the bug tracker?

That's going to make a ticket happen ...

···

On Thu, Nov 14, 2013 at 8:28 PM, jvoisin <julien.voisin@dustri.org> wrote:


#20

So, what should I do to make this happen?

Create a script that does what you are looking for?

A script, to put the GPG key on jitsi.org, and to get this key signed?

Open a bug on the bug tracker?

That's going to make a ticket happen ...

Isn't this the first step to get a bug closed?

···

On 11/14/2013 08:48 PM, Emil Ivov wrote:

On Thu, Nov 14, 2013 at 8:28 PM, jvoisin <julien.voisin@dustri.org> wrote:
