Dev/OpenPGP Signed Website
< Dev
Donate
Dev/Documentation Markup Format Converters
Design
Dev/SSL Certificate Pinning
Previous page: Dev/Documentation Markup Format Converters
Index page: Design
Next page: Dev/SSL Certificate Pinning
Dev/OpenPGP Signed Website
Development Notes about OpenPGP Signed Website
OpenPGP Signed Website[edit]
This has been requested in the forum. [1] Having an OpenPGP Signed Website would be desirable, but that would require software which does not yet exist.
There is PGPHTML: to make PGP or GPG signed web-pages
, but it is from 2002 and has licensing problems. [2]
PGPHTML also wouldn't work as a complete solution.
- Users most likely won't copy and paste the text, so this would also require a browser or browser addon to automate the verification.
- Adversaries in a position to modify website content can always mount rollback or indefinite freeze attacks (see [3] for definitions of those attacks). For example, they could serve an old message or website that was signed years ago and now contains insecure or outdated information, without the user being aware of the attack. To prevent that, the client application would have to check a field similar to the Valid-Until field [4].
- The website structure or link would also have to be signed and verified.
- It should pass the TUF threat model.
While relying on the OpenPGP web of trust instead of the SSL cartel could provide strong verification, it likely wouldn't offer end-to-end encryption. SSL or .onion would still be required for that.
This is an interesting idea, but developing such a solution is outside the scope of Kicksecure.
Footnotes[edit]
- ↑ https://sourceforge.net/p/whonix/discussion/general/thread/6d7344a5/
- ↑ Patrick Schleizer emailed
licensing at fsf dot org(name redacted). PGPHTML is probably not Free Software. If that is the case, it would not be usable for Kicksecure. Adrelanos also emailed the author, but there was no response.> Is the following license Free Software? > Is it GPL compatible? > homepage: https://www.sanface.com/pgphtml.html > source tarball: https://www.sanface.com/pgphtml.tar.gz > License text: >> # pgphtml -- a perl script to make PGP signed web-pages >> # >> # by SANFACE Software <sanface@sanface.com> 19 June 2002 >> # >> # Requires the PGP or GPG >> # GPG support added by John Arundel <john@splange.freeserve.co.uk> >> # >> # Copy, use, and redistribute freely, but don't take my name off it and >> # clearly mark an altered version. Fixes and enhancements cheerfully >> # accepted. >> # >> # This is version 4.1. The license doesn't explicitly permit modifications, nor distribution for a fee (even the relatively terse Expat license, sometimes ambiguously referred to as the MIT License, explicitly states that you have: "... without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, ...") It also states that "fixes ... accepted" in the same block as the license text, so it is unclear if that is a part of the license or a friendly request. I can't speak to what was the author's intent when writing the license; It is not my place to say "oh, the author of the license probably meant..." Therefore I would recommend contacting the author before using the software and asking for a copy of the software under a well known free software license.
- ↑ Dev/Permanent_Takedown_Attack_Defender#Definitions
- ↑
https://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html
Kicksecure
A secure by default operating system with the latest security research in place.
A secure by default operating system with the latest security research in place.
Follow us on social media
Supported by Power Up Privacy
Kicksecure is proudly supported until 2025 by
Power Up Privacy,
a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place.
(Strictly subject to our sponsorship policy.)
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements:
Terms of Service,
Privacy Policy,
Cookie Policy,
E-Sign Consent,
DMCA,
Imprint
2012-
2025 ENCRYPTED SUPPORT LLC
2012-
2025 ENCRYPTED SUPPORT LLC
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!