Please Vivaldi, emulate Mint for Security.
Sporadically i read in these fora [& suspect i might have previously also posted about it] comments by / requests from some Users for the Devs to beef up the security integrity of the Vivaldi downloaded installation files. As best i recall, these posts usually result in one of two possibilities:
1. Nothing, zilch, zero, nada. Simply a deafening silence.
2. Dismissive, sometimes disdainful rejections... by other Users, not Devs [who so far as i remember, haven't responded].
I have never understood either reaction. On my computers, the pre-eminent software wrt functionality & security is the OS. The second-most important item is my default browser, ie, since Feb 2015 that's Vivaldi. It is my window to the world, in high usage all day & long into the nights. So much of me, my life, passes through Vivaldi in my myriad digital interactions with the world. Not least of these, in terms of needing comprehensive high confidence-interval privacy & security, are my various financial interactions.
Linux Mint takes user security very seriously... https://linuxmint.com/verify.php . Why cannot / does not Vivaldi come to us with comparable security integrity measures? These days there's actually nothing exotic or extravagant about this stuff, & for vital software like a browser i feel it should be axiomatic that installation file downloads should have this demonstrable integrity. Many browsers make no attempt. Slimjet also used to make no effort, but last year i [& presumably many others] wrote to them requesting they improve. They eventually responded, but the current status http://www.slimjet.com/en/dlpage.php?update=1 shows they either don't really get it, or don't really care [the page is not https, the hash is only MD5, & there's GPG, signed keys, & fingerprints [i]nowhere[/i]]. Mint can do it, Mint [i]does[/i] do it. [b]Please V Devs, emulate this Mint security priority for us with V[/b].
My on-SSD OS = Linux Mint x64 17.3 KDE 4.14.2.
I pinged a Dev to add a GPG signature and (signed) checksums for the download page.
Thanks GD. I really hope they do this.
I try to nag the devs for adding it
The Linux dev said (my shortening of answers in chat):
The packages are signed within deb and rpm meta data. You can check integrity from dpkg and rpm directly.
For the deb you can check the signature manually. The signing of .deb format is such that that is a gpg file within the ar archive container. The file _gpgbuilder is gpg signature file and it confirms the integrity on the other files that make up deb meta data and contents.
With deb packages:
$ ar t vivaldi-stable_1.3.551.30-1_amd64.deb
debian-binary
control.tar.gz
data.tar.xz
_gpgbuilder
$ ar p vivaldi-stable_1.3.551.30-1_amd64.deb _gpgbuilder
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Version: 4
Signer:
Date: Wed Aug 10 14:19:01 2016
Role: builder
Files:
	3cf918272ffa5de195752d73f3da3e5e 7959c969e092f2a5a8604e2287807ac5b1b384ad 4 debian-binary
	63dd64c1f247d78af9da5bd4face8496 8c8a0f40496c541922826bd655da18246215e39e 12980 control.tar.gz
	2504882b23b57feb3667ff9d2c425129 1c40d45195c8859a1295493bb4d299a11b06e53d 45819424 data.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXqxu1AAoJECzCb3d7i0ShLgEQAJd25CDe44Z25n/606PAC5Rd
AF9AMmDr83PcR/6LnyXVDJRXH4+QBf5ESvQBNyCN2+VNBEvKHkbYIgDgwjbl9oe4
WJ3LdhYksFIA96UaYEUcFpejyPWeimakhHUJ2GFDPd+qGiG4sM6mUjCfNWHq4iTN
jAX8i2C3j3B4mWzlTgNNHBUJkOIwfXw1QH4xULKjg9CDNjIsH6BHrkDUifWlvR6Q
mWwUIuHL9w/IsudfImCf+a79/6Sq7Xdtr8hEMOyzgl9wblQ3FYUpAypLG3gEJpou
US0nNzioUOHB3JhL9M8VWGaSJrj6Q0qr8oVYjgs05colVs66xWHM/z+ag7qvuER7
JkAeyrBpr3ExFS9NNK9KQx2fDy8xvpYdqX4F03F8Nsz9vh+tG8i/qeI3eO7BTWu2
NI2bHMMyTaJ9c88+2MEGYMW/aKOgve/WvQmuiOfkeFlJrFZng82hz7lSvsLs0knW
dBF/oLnjAazrVcxWOchw3UB57oTL5kb9v93Uif0OMpnwG/+W5yTe1tbMWi2psHxc
SiNEkeQwtABkYwQQmK+UdaECwOzzeLt4a9+pX57+8vvhXagyvoXIEjSwxSNdFLTy
/vh/vujJjOdmAwlnFqOaJo31DrhJhe0rWGN2JcCWaTwcwUK8MRV+2pOiJAoUuhMY
huI2qUkVEE7lLoqa08Ax
=6e7t
With rpm packages:
$ rpm -K vivaldi-stable-1.3.551.30-1.x86_64.rpm
vivaldi-stable-1.3.551.30-1.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
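As an added illustration (not code from this thread, from Vivaldi or from dpkg), here is what the integrity half of that _gpgbuilder check amounts to: read the members of the ar container and compare each one's size, MD5 and SHA1 against the Files: rows of the manifest the package carries. The sample package is constructed inside the code and the function names are mine; the PGP signature over the manifest, which is the part that would say who built the package, still has to be verified separately with gpg against the publisher's key, and this code deliberately does not do that.

```python
import hashlib
import re

def ar_pack(members):
    """Build a common-format ar archive from [(name, bytes)]: the container a .deb is wrapped in."""
    out = b"!<arch>\n"
    for name, body in members:
        hdr = name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6) + "100644".ljust(8) + str(len(body)).ljust(10)
        out += hdr.encode() + b"`\n" + body + b"\n" * (len(body) & 1)  # members are padded to an even length
    return out

def ar_members(blob):
    """Parse an ar archive into {name: bytes}; this is what `ar t` / `ar p` read in the output above."""
    if not blob.startswith(b"!<arch>\n"): raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]  # 60-byte member header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2)
        if hdr[58:] != b"`\n": raise ValueError("bad ar member header")
        name, size = hdr[:16].decode().rstrip().rstrip("/"), int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)
    return members

def parse_files_block(manifest):
    """Read the 'Files:' rows of a _gpgbuilder text into {name: (md5, sha1, size)}."""
    rows = re.finditer(r"^\s*([0-9a-f]{32}) ([0-9a-f]{40}) (\d+) (\S+)$", manifest, re.M)
    return {m.group(4): (m.group(1), m.group(2), int(m.group(3))) for m in rows}

def check_deb_manifest(blob):
    """Return the problems found; an empty list means every member matches the manifest the package carries.
    This proves internal consistency only: WHO signed the manifest must still be checked with `gpg --verify`."""
    members = ar_members(blob)
    listed = parse_files_block(members["_gpgbuilder"].decode())
    problems = []
    for name, (md5, sha1, size) in listed.items():
        data = members.get(name)
        if data is None or (len(data), hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()) != (size, md5, sha1):
            problems.append(name + ": missing, or size/hash mismatch")
    problems += [n + ": not covered by manifest" for n in members if n not in listed and n != "_gpgbuilder"]
    return problems

def sample_deb(tamper=False):
    """Constructed sample (not a real Vivaldi package): three members plus a manifest in the _gpgbuilder layout."""
    parts = [("debian-binary", b"2.0\n"), ("control.tar.gz", b"constructed control"), ("data.tar.xz", b"constructed data")]
    lines = ["-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA1", "", "Version: 4", "Role: builder", "Files: "]
    lines += [f"\t{hashlib.md5(b).hexdigest()} {hashlib.sha1(b).hexdigest()} {len(b)} {n}" for n, b in parts]
    if tamper:  # alter a member after the manifest was produced, as a tampered download would
        parts[2] = ("data.tar.xz", b"constructed data, modified after signing")
    return ar_pack(parts + [("_gpgbuilder", "\n".join(lines).encode())])
```

Run against a real package by passing the bytes of the .deb to check_deb_manifest; an empty result only tells you the members match the manifest that travelled with them, which is exactly the point raised later in the thread.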
Vielen dank for chasing this up, GD. I'm sorry for my ignorance, but i don't really understand HOW i should use your new information. Let's say i have downloaded vivaldi-stable_1.3.551.30-1_amd64.deb to my SSD, for example [just like your example].
If i had access to the other data like Mint [per my original post], i would know exactly how to verify this file:
"The following steps should be performed to verify an ISO image:
Import the signing key:
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
Browse the main mirror, or choose a mirror near you, and download the ISO image, the sha256sum.txt https://ftp.heanet.ie/mirrors/linuxmint.com/testing/sha256sum.txt and the sha256sum.txt.gpg https://ftp.heanet.ie/mirrors/linuxmint.com/testing/sha256sum.txt.gpg files into the same directory.
Verify the signature on the sha256sum files with the following command (The output of this command should mention that the signature is "Good". Also, if you didn't import keys before on your computer you can ignore the warning "This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner."):
gpg --verify sha256sum.txt.gpg sha256sum.txt
Once this is done, the sha256sum.txt can be trusted.
Generate the sha256 sum of your ISO image, and compare it to the sum present in the sha256sums.txt file.
sha256sum -b yourisoimagefile.iso
If the signature was "Good" and the sha256 sums match, you successfully verified the integrity and authenticity of the ISO image."
However with your [= the Dev's] method, if i understand correctly [but maybe i do not correctly understand?], all the info resides in the single file vivaldi-stable_1.3.551.30-1_amd64.deb. I ran your two commands in a terminal, ar t vivaldi-stable_1.3.551.30-1_amd64.deb and ar p vivaldi-stable_1.3.551.30-1_amd64.deb _gpgbuilder , & i saw then the same generated info as you showed. But… BUT... so what? How does that unambiguously prove the legitimacy of the file i downloaded? What if, for instance, i had thought i was at the legitimate Vivaldi page, but was instead at a maliciously spoofed page, & the file i downloaded was actually carrying a malicious payload, but the miscreants had replaced the real Vivaldi PGP Signature etc with their own versions? HOW would i know? What would protect me from installing it unwittingly, & creating a big problem for myself?
I do not claim any cryptographic expertise [as i have none], but to my untrained inexperienced eye, the Mint process still seems more robust than this Vivaldi one. I do hope i'm completely wrong.
I understand you.
If you distrust the whole package content you can't install it.
If you distrust the public signer's GPG key from http://repo.vivaldi.com/archive/linux_signing_key.pub you can't install.
The internal signature of the deb packages can't be checked easily and may be untrustable.
A signed shasum file would be better.
And the publisher's key uploaded to a key server and signed as trusted by some others.
You know the Devs, i do not. Do you think they will be interested in arranging that extra level of security for we cautious users? I know that means more work for them, but security is pretty important…
I ask the Linux dev if he can add information. Perhaps signed files in repo.vivaldi.com. I hope…
They are already sticking with Mint's security model (and that of Debian, Ubuntu and others). The fingerprints for the ISOs are there so you can verify that you have an untampered installation medium, but not to verify the integrity of all your software once the OS is installed. That part is taken care of by signing each package with keys that you trust. So the Vivaldi devs are doing exactly the right thing, they provide a signing key that you can trust or not trust. Same as Debian, same as Mint, same as Ubuntu.
So even if the package you download directly from Vivaldi had been tampered with, you would notice because there would be a signature mismatch when you try to install it (the package would not have been signed with Vivaldi's signing key). And if someone steals Vivaldi's signing key and its credentials, you're fucked anyhow and can throw away that particular system.
That said, it's always nice to print e.g. MD5 sums next to downloadable things. That would go even for the Windows and Mac versions.
The Linux division of Vivaldi devs explained it to me.
I tell you in my own words:
You have to trust always the downloaded file and information at first time. A shasum or separate GPG sign for the files is not as safe as you think, the content of these files can be compromised as the webserver can be compromised.
Fetch deb file over SSL from vivaldi.com or in case of a snapshot vivaldi.net blog
Install with deb -i ….
While install deb checks integrity and signature of content by integrated shasums/GPG key
At this time the installer adds the GPG key to apt keys
Next time at updates with apt will check the next packages by this local key
SHAsums and extra GPG attached signature files brings not more security or trust, i think.
for deb packages the shasums can be fetched by:
wget -qO- http://repo.vivaldi.com/archive/deb/dists/stable/main/binary-amd64/Packages
Hi Steffie. I have not read the whole thread but I will reply to this one quickly and if it does not answer everything I will come back later and try again.
Tell me, why do you trust the sums on https://linuxmint.com/verify.php ? I presume because they are shared via https, using a cert from a reputable certificate authority? And how does a user first install Vivaldi? Via a link such as https://downloads.vivaldi.com/stable/vivaldi-stable_1.3.551.30-1_amd64.deb (using a cert from a reputable certificate authority). What is the difference in your opinion? Your trust is in the authority of the CA.
Once you have the deb and you install it we install the public key for our repository and configure the repository as part of the post install scripts within the deb. You then receive updates via apt. These updates are over http BUT the apt meta data of our repository is signed and apt uses our key to check this meta data. The meta data in turn contains sha512 sums for the packages and uses these to verify that the packages are valid. If the meta data or packages are tampered with, apt will let you know.
In summary our system appears to me to be every bit as secure as Mint's system (the initial trust is based on a https certificate), except that all of it is automatic in our case and a user doesn't need to do any manual steps to check the SHA sums. So tell me, which system is better? Perhaps they should be copying us?
I think the issue is the understanding of what you can trust, and what that trust must extend to.
- If you can't trust the file you downloaded over HTTPS, it means you can't trust the checksum/GPG Key you got from that same server. Because someone who could have tampered with the file could have tampered with the CS/key too.
- If you can't trust the HTTPS connection (because of a Man in the Middle attack), it means you can't trust anything on the web, because this HTTPS connection is verified by a third party.
That's what Ruari meant by saying "why do you trust the sums on linuxmint.com/verify.php ?". Because you have to trust the fact they are in control of their webserver (giving you the right keys), and that no one tampered with that page while it was getting to you (you trust the SSL certificate and HTTPS connection).
It's the same with Vivaldi : you trust they are in control of their webserver, and giving you the right file (which contains the keys to auto-check the file), and you trust no one tampered on the way because of the SSL certificate.
Dear Gwen-Dragon & Ruari [oh, & now also [i]Cqoicebordel[/i], who i just noticed has contributed too], i'd like to say a big fat sincere THANK YOU to you both, er, three, for your patience in explaining this to me. Now it DOES make sense to me, & i feel much better about the process.
The part i've always struggled with conceptually in the whole "web of trust" GPG model is the very first step. That's where the leap of faith is required, it's always seemed to me. However that said, all i can do to assure myself of the integrity of that first step, the original download, is to put faith in the https CA process… just as you said... & thereafter be comforted by the apt update process for all future V updates.
I'm going to bookmark this thread as i have learnt a lot of cool stuff from it. Yay.
I do have one remaining question [yes, sorry]: Wouldn't it be better if http://repo.vivaldi.com was actually https://repo.vivaldi.com ?
BTW, i just love that excellent wget -qO- http://repo.vivaldi.com/archive/deb/dists/stable/main/binary-amd64/Packages trick… now i can see all the SHA512 sums [which i acknowledge that i now no longer actually need to see]; how cool is that!!
I wish i'd refreshed the page before writing my previous reply, as i'd not seen your post Psy-Q. Many thanks also to you!!
Yes, having repo.vivaldi.com over https could be done and would be (a tiny bit) better. But not by much, because all it would prevent is a man in the middle attack (the file is tampered with while in transit to you, in the pipes).
BUT, when the package is on your computer, and APT is trying to install it, it will be checked against the public key that is stored on your computer (from the first install, which was over HTTPS). So if the file was tampered with during transit, at the install part the check will throw a big error in your face saying that there was an issue.
And even better, if the server got hacked and the files were tampered with directly on the server, since the public key was already on your computer, it will be detected too when the file is checked.
The only thing that could improve security here, which will be set in motion shortly (I hope), is to put the public GPG key on a third party website, to be double sure that it's the right key.
MitM attacks were indeed why i felt https would be better, but then the rest of your excellent comment further calmed & enlightened me.
How good is this?… i get to use the world's best browser, learn more about security, & slowly expand my nowhere-near-good-enough-yet Linux CLI tricks.
That's the internet for me: if you don't know, ask; if you know, share.