Please Vivaldi, emulate Mint for Security.
-
Sporadically i read in these fora [& suspect i might have previously also posted about it] comments by / requests from some Users for the Devs to beef up the security integrity of the Vivaldi downloaded installation files. As best i recall, these posts usually result in one of two possibilities:

1. Nothing, zilch, zero, nada. Simply a deafening silence.
2. Dismissive, sometimes disdainful rejections... by other Users, not Devs [who so far as i remember, haven't responded]

I have never understood either reaction. On my computers, the pre-eminent software wrt functionality & security is the OS. The second-most important item is my default browser, ie, since Feb 2015 that's Vivaldi. It is my window to the world, in high usage all day & long into the nights. So much of me, my life, passes through Vivaldi in my myriad digital interactions with the world. Not least of these, in terms of needing comprehensive high confidence-interval privacy & security, are my various financial interactions.

Linux Mint takes user security very seriously... https://linuxmint.com/verify.php . Why cannot / does not Vivaldi come to us with comparable security integrity measures? These days there's actually nothing exotic or extravagant about this stuff, & for vital software like a browser i feel it should be axiomatic that installation file downloads should have this demonstrable integrity.

Many browsers make no attempt. Slimjet also used to make no effort, but last year i [& presumably many others] wrote to them requesting they improve. They eventually responded, but the current status http://www.slimjet.com/en/dlpage.php?update=1 shows they either don't really get it, or don't really care [the page is not https, the hash is only MD5, & there's GPG, signed keys, & fingerprints [i]nowhere[/i]].

Mint can do it, Mint [i]does[/i] do it. [b]Please V Devs, emulate this Mint security priority for us with V[/b].

.......................................................................................
My on-SSD OS = Linux Mint x64 17.3 KDE 4.14.2.
-
Thanks GD. I really hope they do this.
-
Vielen dank for chasing this up, GD. I'm sorry for my ignorance, but i don't really understand HOW i should use your new information. Let's say i have downloaded vivaldi-stable_1.3.551.30-1_amd64.deb to my SSD, for example [just like your example].
If i had access to the other data like Mint [per my original post], i would know exactly how to verify this file:
https://linuxmint.com/verify.php :
" _The following steps should be performed to verify an ISO image:
Import the signing key:
gpg --keyserver keyserver.ubuntu.com --recv-key "27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09"
Browse the main mirror, or choose a mirror near you, and download the ISO image, the sha256sum.txt https://ftp.heanet.ie/mirrors/linuxmint.com/testing/sha256sum.txt and the sha256sum.txt.gpg https://ftp.heanet.ie/mirrors/linuxmint.com/testing/sha256sum.txt.gpg files into the same directory.
Verify the signature on the sha256sum files with the following command (The output of this command should mention that the signature is "Good". Also, if you didn't import keys before on your computer you can ignore the warning "This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner."):
gpg --verify sha256sum.txt.gpg sha256sum.txt
Once this is done, the sha256sum.txt can be trusted.
Generate the sha256 sum of your ISO image, and compare it to the sum present in the sha256sums.txt file.
sha256sum -b yourisoimagefile.iso
If the signature was "Good" and the sha256 sums match, you successfully verified the integrity and authenticity of the ISO image._ "

However with your [= the Dev's] method, if i understand correctly [but maybe i do not correctly understand?], all the info resides in the single file vivaldi-stable_1.3.551.30-1_amd64.deb. I ran your two commands in a terminal, ar t vivaldi-stable_1.3.551.30-1_amd64.deb and ar p vivaldi-stable_1.3.551.30-1_amd64.deb _gpgbuilder , & i saw then the same generated info as you showed. but… BUT... so what? How does that unambiguously prove the legitimacy of the file i downloaded? What if, for instance, i had thought i was at the legitimate Vivaldi page, but was instead at a maliciously spoofed page, & the file i downloaded was actually carrying malicious payload, but the miscreants had replaced the real Vivaldi PGP Signature etc with their own versions? HOW would i know? What would protect me from installing it unwittingly, & creating a big problem for myself?
I do not claim any cryptographic expertise [as i have none], but to my untrained inexperienced eye, the Mint process still seems more robust than this Vivaldi one. I do hope i'm completely wrong.
-
Yes, exactly!
You know the Devs, i do not. Do you think they will be interested in arranging that extra level of security for us cautious users? I know that means more work for them, but security is pretty important…
-
-
They are already sticking with Mint's security model (and that of Debian, Ubuntu and others). The fingerprints for the ISOs are there so you can verify that you have an untampered installation medium, but not to verify the integrity of all your software once the OS is installed. That part is taken care of by signing each package with keys that you trust. So the Vivaldi devs are doing exactly the right thing, they provide a signing key that you can trust or not trust. Same as Debian, same as Mint, same as Ubuntu.
So even if the package you download directly from Vivaldi had been tampered with, you would notice because there would be a signature mismatch when you try to install it (the package would not have been signed with Vivaldi's signing key). And if someone steals Vivaldi's signing key and its credentials, you're fucked anyhow and can throw away that particular system.
That said, it's always nice to print e.g. MD5 sums next to downloadable things. That would go even for the Windows and Mac versions.
-
Hi Steffie. I have not read the whole thread but I will reply to this one quickly and if it does not answer everything I will come back later and try again.
Tell me, why do you trust the sums on https://linuxmint.com/verify.php ? I presume because they are shared via https, using a cert from a reputable certificate authority? And how does a user first install Vivaldi? Via a link such as https://downloads.vivaldi.com/stable/vivaldi-stable_1.3.551.30-1_amd64.deb (using a cert from a reputable certificate authority). What is the difference in your opinion? Your trust is in the authority of the CA.
Once you have the deb and you install it we install the public key for our repository and configure the repository as part of the post install scripts within the deb. You then receive updates via apt. These updates are over http BUT the apt meta data of our repository is signed and apt uses our key to check this meta data. The meta data in turn contains sha512 sums for the packages and uses these to verify that the packages are valid. If the meta data or packages are tampered with, apt will let you know.
In summary our system appears to be every bit as secure as Mint's system (the initial trust is based on a https certificate), except that all of it is automatic in our case and a user doesn't need to do any manual steps to check the SHA sums. So tell me, which system is better? Perhaps they should be copying us?
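The hash chain described in the post above (signed repository metadata, then the Packages index, then the .deb), as an added example that is not part of the original post and is not Vivaldi's or apt's own code. It assumes the Release file's signature has already been checked against the repository key; `verify_chain`, `make_sample` and the one-package repository are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Vivaldi's or apt's code). Assumes the Release file's
# signature was already checked against the repository key, as apt does.

# verify_chain RELEASE PACKAGES INDEX_PATH DEB   (hypothetical helper)
# returns 0 = ok, 1 = Packages does not match Release, 2 = .deb does not match Packages
verify_chain() {
    release=$1; packages=$2; index_path=$3; deb=$4
    # Step 1: Release lists "<sha256> <size> <path>" lines under "SHA256:".
    want=$(awk -v p="$index_path" '
        /^SHA256:/ { s = 1; next }
        /^[^ ]/    { s = 0 }
        s && $3 == p { print $1 }' "$release")
    got=$(sha256sum "$packages" | cut -d" " -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || return 1
    # Step 2: find the stanza whose Filename ends in this .deb, take its SHA512.
    want=$(awk -v n="$(basename "$deb")" 'BEGIN { RS = ""; FS = "\n" }
        { file = ""; sum = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^Filename: /) { k = split(substr($i, 11), a, "/"); file = a[k] }
              if ($i ~ /^SHA512: /) sum = substr($i, 9)
          }
          if (file == n) print sum }' "$packages")
    got=$(sha512sum "$deb" | cut -d" " -f1)
    [ -n "$want" ] && [ "$want" = "$got" ] || return 2
}

# make_sample DIR: build a constructed one-package repository for the demo.
make_sample() {
    d=$1; f=pool/main/example_1.0_amd64.deb
    mkdir -p "$d/pool/main"
    printf 'constructed stand-in for a .deb\n' > "$d/$f"
    printf 'Package: example\nVersion: 1.0\nFilename: %s\nSHA512: %s\n' \
        "$f" "$(sha512sum "$d/$f" | cut -d" " -f1)" > "$d/Packages"
    printf 'Origin: constructed\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
        "$(sha256sum "$d/Packages" | cut -d" " -f1)" \
        "$(wc -c < "$d/Packages")" > "$d/Release"
}

t=$(mktemp -d); make_sample "$t"
deb=$t/pool/main/example_1.0_amd64.deb
verify_chain "$t/Release" "$t/Packages" main/binary-amd64/Packages "$deb" && echo "chain ok"
printf 'x' >> "$deb"   # simulate tampering in transit or on the server
verify_chain "$t/Release" "$t/Packages" main/binary-amd64/Packages "$deb" || echo "rejected, rc=$?"
rm -rf "$t"
```

Everything below the Release file is only as trustworthy as the signature check on it, which is why the repository key installed with the first package matters.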
-
I think the issue is the understanding of what you can trust, and what that trust must extend to.
- If you can't trust the file you downloaded over HTTPS, it means you can't trust the checksum/GPG Key you got from that same server. Because someone who could have tampered with the file could have tampered with the CS/key too.
- If you can't trust the HTTPS connection (because of a Man in the Middle attack), it means you can't trust anything on the web, because this HTTPS connection is verified by a third party.
That's what Ruari meant by saying "why do you trust the sums on linuxmint.com/verify.php ?". Because you have to trust the fact they are in control of their webserver (giving you the right keys), and that no one tampered with that page while it was getting to you (you trust the SSL certificate and HTTPS connection).
It's the same with Vivaldi : you trust they are in control of their webserver, and giving you the right file (which contains the keys to auto-check the file), and you trust no one tampered on the way because of the SSL certificate.
-
Dear Gwen-Dragon & Ruari [oh, & now also Cqoicebordel, who i just noticed has contributed too], i'd like to say a big fat sincere THANK YOU to you ~~both~~ three for your patience in explaining this to me. Now it DOES make sense to me, & i feel much better about the process.

The part i've always struggled with conceptually in the whole "web of trust" GPG model is the very first step. That's where the leap of faith is required, it's always seemed to me. However that said, all i can do to assure myself of the integrity of that first step, the original download, is to put faith in the https CA process… just as you said... & thereafter be comforted by the apt update process for all future V updates.
I'm going to bookmark this thread as i have learnt a lot of cool stuff from it. Yay.
I do have one remaining question [yes, sorry]: Wouldn't it be better if http://repo.vivaldi.com was actually https://repo.vivaldi.com ?
BTW, i just love that excellent wget -qO- http://repo.vivaldi.com/archive/deb/dists/stable/main/binary-amd64/Packages trick… now i can see all the SHA512 sums [which i acknowledge that i now no longer actually need to see]; how cool is that!!
-
I wish i'd refreshed the page before writing my previous reply, as i'd not seen your post Psy-Q. Many thanks also to you!!
-
Yes, having repo.vivaldi.com over https could be done and would be (a tiny bit) better. But not by much, because all it would prevent is a man in the middle attack (the file is tampered with while in transit to you, in the pipes).
BUT, when the package is on your computer, and APT is trying to install it, it will be checked against the public key that is stored on your computer (from the first install, which was over HTTPS). So if the file was tampered with during transit, at the install part the check will throw a big error in your face saying that there was an issue.
And even better, if the server got hacked and the files were tampered directly on the server, since the public key was already on your computer, it will be detected too when the file is checked.

The only thing that could improve security here, which will be set in motion shortly (I hope), is to put the public GPG key on a third party website, to be double sure that it's the right key.
-
MitM attacks were indeed why i felt https would be better, but then the rest of your excellent comment further calmed & enlightened me.
How good is this?… i get to use the world's best browser, learn more about security, & slowly expand my nowhere-near-good-enough-yet Linux CLI tricks.
Thanks again.
-
No problem
That's internet for me : if you don't know, ask, if you know, share
-