Dev/OpenPGP Signed Website
OpenPGP Signed Website
Has been requested in the forum. Having an OpenPGP Signed Website would be desirable. But that would require a software, which does not exist yet.
PGPHTML also wouldn't work as a complete solution.
- Users most likely won't copy and paste the text, so this would also require a browser or browser addon automating the verification.
- Adversaries in position to modify website content can always mount a rollback or indefinite freeze attacks (see  for definitions of those attacks). I.e. could pick an old message/website, which was signed years ago and now contains insecure/outdated information without the user being informed about the attack. To prevent that, the client application would have to check a field similar to Valid-Until field.
- The website structure or link would have to be signed and verified as well.
- Should pass the TUF [archive] threat model.
While relying on the OpenPGP web of trust, and not the SSL cartel, this could provide strong verification. On the other hand, it probably couldn't provide end-to-end encryption, SSL or .onion would be required for that.
It is an interesting idea, but outside the scope of Whonix ™ to invent such a solution.
- http://sourceforge.net/p/whonix/discussion/general/thread/6d7344a5/ [archive]
- Patrick Schleizer mailed
licensing at fsf dot org(name redacted). PGPHTML is probably not Free Software. If that were the case, it wouldn't be usable for Whonix ™. Adrelanos also mailed the author, but there was no response.
> Is the following license Free Software? > Is it GPL compatible? > homepage: http://www.sanface.com/pgphtml.html > source tarball: http://www.sanface.com/pgphtml.tar.gz > License text: >> # pgphtml -- a perl script to make PGP signed web-pages >> # >> # by SANFACE Software <firstname.lastname@example.org> 19 June 2002 >> # >> # Requires the PGP or GPG >> # GPG support added by John Arundel <email@example.com> >> # >> # Copy, use, and redistribute freely, but don't take my name off it and >> # clearly mark an altered version. Fixes and enhancements cheerfully >> # accepted. >> # >> # This is version 4.1. The license doesn't explicitly permit modifications, nor distribution for a fee (even the relatively terse Expat license, sometimes ambiguously referred to as the MIT License, explicitly states that you have: "... without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, ...") It also states that "fixes ... accepted" in the same block as the license text, so it is unclear if that is a part of the license or a friendly request. I can't speak to what was the author's intent when writing the license; It is not my place to say "oh, the author of the license probably meant..." Therefore I would recommend contacting the author before using the software and asking for a copy of the software under a well known free software license.
- http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html [archive]