Actions

Dev/OpenPGP Signed Website

From Whonix

< Dev

OpenPGP Signed Website[edit]

Has been requested in the forum.[1] Having an OpenPGP Signed Website would be desirable. But that would require a software, which does not exist yet.

There is PGPHTML: to make PGP or GPG signed web-pages, but it is from 2002 there are licensing problems. [2]

PGPHTML also wouldn't work as a complete solution.

  • Users most likely won't copy and paste the text, so this would also require a browser or browser addon automating the verification.
  • Adversaries in position to modify website content can always mount a rollback or indefinite freeze attacks (see [3] for definitions of those attacks). I.e. could pick an old message/website, which was signed years ago and now contains insecure/outdated information without the user being informed about the attack. To prevent that, the client application would have to check a field similar to Valid-Until field[4].
  • The website structure or link would have to be signed and verified as well.
  • Should pass the TUF threat model.

While relying on the OpenPGP web of trust, and not the SSL cartel, this could provide strong verification. On the other hand, it probably couldn't provide end-to-end encryption, SSL or .onion would be required for that.

It is an interesting idea, but outside the scope of Whonix ™ to invent such a solution.

Footnotes[edit]

  1. http://sourceforge.net/p/whonix/discussion/general/thread/6d7344a5/
  2. Patrick Schleizer mailed licensing at fsf dot org (name redacted). PGPHTML is probably not Free Software. If that were the case, it wouldn't be usable for Whonix ™. Adrelanos also mailed the author, but there was no response.
    > Is the following license Free Software?
    
    > Is it GPL compatible?
    
    > homepage: http://www.sanface.com/pgphtml.html
    
    > source tarball: http://www.sanface.com/pgphtml.tar.gz
    
    > License text:
    
    >> # pgphtml -- a perl script to make PGP signed web-pages
    >> #
    >> # by SANFACE Software <sanface@sanface.com> 19 June 2002
    >> #
    >> # Requires the PGP or GPG
    >> # GPG support added by John Arundel <john@splange.freeserve.co.uk>
    >> #
    >> # Copy, use, and redistribute freely, but don't take my name off it and
    >> # clearly mark an altered version.  Fixes and enhancements cheerfully
    >> # accepted.
    >> #
    >> # This is version 4.1.
    
    The license doesn't explicitly permit modifications, nor distribution
    for a fee (even the relatively terse Expat license, sometimes
    ambiguously referred to as the MIT License, explicitly states that you
    have: "... without limitation the rights to use, copy, modify, merge,
    publish, distribute, sublicense, and/or sell copies of the Software,
    ...")
    
    It also states that "fixes ...  accepted" in the same block as the
    license text, so it is unclear if that is a part of the license or a
    friendly request.
    
    I can't speak to what was the author's intent when writing the license;
    It is not my place to say "oh, the author of the license probably
    meant..." Therefore I would recommend contacting the author before using
    the software and asking for a copy of the software under a well known
    free software license.
    
  3. Dev/ptt#Definitions
  4. http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html

No comments for now due to spam. Use Whonix forums instead.


Random News:

Interested in becoming an author for the Whonix News Blog or writing about anonymity, privacy and security? Please get in touch!


https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.