Dev/OpenPGP Signed Website

From Whonix

OpenPGP Signed Website

This has been requested in the forum.[1] Having an OpenPGP Signed Website would be desirable, but that would require software which does not exist yet.

There is PGPHTML ("to make PGP or GPG signed web-pages"), but it is from 2002 and there are licensing problems.[2]

PGPHTML also wouldn't work as a complete solution.

  • Users most likely won't copy and paste the text, so this would also require a browser or browser addon automating the verification.
  • Adversaries in a position to modify website content can always mount a rollback or indefinite freeze attack (see [3] for definitions of those attacks). That is, they could pick an old message/website which was signed years ago and now contains insecure/outdated information, without the user being informed about the attack. To prevent that, the client application would have to check a field similar to the Valid-Until field.[4]
  • The website structure or link would have to be signed and verified as well.
  • The solution should pass the TUF threat model.
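
The freshness and link checks from the list above, sketched as an added example (not code from Whonix or PGPHTML). It assumes the OpenPGP signature over the text has already been verified; the `Signed-Path` and `Date` header names and the ISO 8601 timestamps are hypothetical, and `Valid-Until` is modelled on the field referenced in [4].

```python
from datetime import datetime

class FreshnessError(Exception):
    """The page is authentically signed but must not be shown to the user."""

# Constructed sample: cleartext of a page whose signature already verified.
SAMPLE = (
    "Signed-Path: /wiki/Download\n"
    "Date: 2019-03-02T10:00:00+00:00\n"
    "Valid-Until: 2019-03-09T10:00:00+00:00\n"
    "\n"
    "<html>Download instructions</html>\n"
)

def parse_signed_headers(cleartext):
    """Split the signed text into a lower-cased header dict and the body."""
    head, _, body = cleartext.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            raise FreshnessError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers, body

def check_freshness(cleartext, requested_path, now, last_seen_date=None):
    """Return (body, signed_date) or raise FreshnessError; `now` must be timezone-aware."""
    headers, body = parse_signed_headers(cleartext)
    try:
        path = headers["signed-path"]
        date = datetime.fromisoformat(headers["date"])
        valid_until = datetime.fromisoformat(headers["valid-until"])
    except (KeyError, ValueError) as exc:
        # Fail closed: an old page signed without these fields proves nothing about freshness.
        raise FreshnessError("missing or unparsable field: %s" % exc) from exc
    if date.tzinfo is None or valid_until.tzinfo is None:
        raise FreshnessError("timestamps must carry a UTC offset")
    if path != requested_path:  # a validly signed page served under another link
        raise FreshnessError("signed for %s, served as %s" % (path, requested_path))
    if now > valid_until:  # indefinite freeze: a stale copy replayed forever
        raise FreshnessError("signature expired on %s" % valid_until.isoformat())
    if last_seen_date is not None and date < last_seen_date:  # rollback
        raise FreshnessError("older than the version seen before")
    return body, date
```

The caller would persist the returned date per path and pass it back as `last_seen_date` on the next visit; without that stored state only the freeze check is possible, not the rollback check.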

While relying on the OpenPGP web of trust, and not the SSL cartel, this could provide strong verification. On the other hand, it probably couldn't provide end-to-end encryption; SSL or .onion would be required for that.

It is an interesting idea, but outside the scope of Whonix ™ to invent such a solution.

Footnotes

  1. http://sourceforge.net/p/whonix/discussion/general/thread/6d7344a5/
  2. Patrick Schleizer mailed licensing at fsf dot org (name redacted). PGPHTML is probably not Free Software. If that were the case, it wouldn't be usable for Whonix ™. Adrelanos also mailed the author, but there was no response.
    > Is the following license Free Software?
    
    > Is it GPL compatible?
    
    > homepage: http://www.sanface.com/pgphtml.html
    
    > source tarball: http://www.sanface.com/pgphtml.tar.gz
    
    > License text:
    
    >> # pgphtml -- a perl script to make PGP signed web-pages
    >> #
    >> # by SANFACE Software <sanface@sanface.com> 19 June 2002
    >> #
    >> # Requires the PGP or GPG
    >> # GPG support added by John Arundel <john@splange.freeserve.co.uk>
    >> #
    >> # Copy, use, and redistribute freely, but don't take my name off it and
    >> # clearly mark an altered version.  Fixes and enhancements cheerfully
    >> # accepted.
    >> #
    >> # This is version 4.1.
    
    The license doesn't explicitly permit modifications, nor distribution
    for a fee (even the relatively terse Expat license, sometimes
    ambiguously referred to as the MIT License, explicitly states that you
    have: "... without limitation the rights to use, copy, modify, merge,
    publish, distribute, sublicense, and/or sell copies of the Software,
    ...")
    
    It also states that "fixes ...  accepted" in the same block as the
    license text, so it is unclear if that is a part of the license or a
    friendly request.
    
    I can't speak to what was the author's intent when writing the license;
    It is not my place to say "oh, the author of the license probably
    meant..." Therefore I would recommend contacting the author before using
    the software and asking for a copy of the software under a well known
    free software license.
    
  3. Dev/ptt#Definitions
  4. http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.