Browser Security Pinning Mismatch

For discussions about security.
purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Browser Security Pinning Mismatch

#1 Post by purple379 »

Firefox tells me that Linux Tails is an Insecure Connection. I click on Advanced and it says that it has a Pinning Mismatch.

Any opinions? Has the Tails site been corrupted, or possibly my browser has had some sketchy things going on with the CA list it has? OR is it that those at the Tails site are keeping up with the times? Or just that those who do CA's are trying to discourage anyone from using Tails Linux??

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#2 Post by 8Geee »

care to share a link?

EDIT: just at softpedia, and the developers website given is a 404 error. Yah they're hiding.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Tails Linux Link

#3 Post by purple379 »

https://tails.boum.org/

Sometimes the browsers (Edge or Firefox) simply will not allow me to click on the site. If I remove the Add On from Firefox, I can connect with the Tails website. Google Chrome connects with the Tails website, no problem. Like I said before, it is bizarre that the one thing the Tails website is focused on promoting to make sure I have a valid download, (Tails Download and Verify AddOn) is what does not work.

I also have installed a VPN, Express VPN. Perhaps I should attempt to uninstall it and reinstall Tor. (Tor does not work with the Express VPN installed) I have seen some times when the Express VPN is turned on to the US, and according to the "what is my IP" website said I was connected to servers in Singapore. Express VPN support said those who provide the "what is my IP" service are known to be inaccurate. I must be connected to the Express VPN Servers in New York.

I can get around using Firefox and the Tails "Download and Verify," I am not experienced with PGP, and my verification with that is not working. Likely that is me.

Still, if there is a problem with the tool ("Download and Verify" Firefox Addon) that the Tails website recommends, then why should I trust anything else off their site? Or maybe it is just my computer somehow.

Bit Defender has a Ransomware module that hates all third party programs, but until now, it always took responsibility for what it blocked. The only time I have seen an Un-Pinning error was for this. I had to look up what an UnPinning Error was on Wiki. I guess all you guys who keep up with Security know all about it.

I have sent a message to the developer for the Addon, he has not responded at all. He is in Italy.

Personally, I would feel better if the Tails website, and Download were someplace outside the US. Perhaps more the download and its verification available other places, duplicated outside the US.

Given the reputation of Tails, and the NSA, I am a bit perplexed that they are so closely associated with the Anarchist Website, whom the NSA are likely to be trying to get the CA's changed so they can redirect that traffic to the NSA itself. If one back traces the IP for Tails, it goes to a place just outside a US University.

I have gone to the Tails Website on two different computers (Windows 10 Pro), and I still have the UnPinning Error.

I guess I should be using Linux to test all this, but then I have to make sure I have all the updates for browsers, and such. A lot of work, and the problem seems to relate to the CA's and the secondary Pinning security system. Not the OS. Wonder why the guys who do Tails are not concerned. Or maybe they do not have a computer that runs Windows 10 to test on?

Anyway. The question being. The reason I have this problem is either my computers are corrupted. Or there is something really wrong with the Tails website. Most likely, it is something clumsy from my inexperience.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

TOR 6.0.3 using Firefox 45.3.0

#4 Post by purple379 »

Windows Explorer can't find the Tails 2.5.iso file. Explorer will find the file on search. All right, that does not work now.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#5 Post by s243a »

Tell us which file you are trying to download and we can download it and compute a few hash values for you.

If the hash values match and the file size is the same then we both should have the same file. If you have even greater security concerns we could try hashing a random portion of the file first using dd to copy a portion of the file.

Another thing we could perhaps try is comparing our certificates for the Tails website. I recall something about foreign governments being able to supply certificates for sites in other countries but I forget the details.

I'm sure we can come up with other security ideas if nothing I suggested is suitable.

Edit: I bookmarked a sone post which discussed verifying an SSL certificate. Unfortunately, I didn't copy it. I will try logging into freenet later and see if the link still works:
http://127.0.0.1:8888/Sone/viewPost.htm ... db0375fd6b
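
The comparison s243a proposes in post #5, as an added example that is not part of the original thread: each person runs `fingerprint` on their own copy with the same agreed block size and offsets and posts the one-line result. The function names are made up for this example; it assumes `dd` plus either `sha256sum` or `shasum`.

```shell
#!/bin/sh
# Added example (not from the thread): describe a download by its size, its
# full SHA-256, and the SHA-256 of one agreed byte range cut out with dd.
# Usage: fingerprint tails-i386-2.5.iso 1048576 300 4

# SHA-256 of stdin as bare hex; falls back to shasum where sha256sum is absent.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

file_size() { wc -c < "$1" | tr -d ' '; }
full_hash() { sha256_stdin < "$1"; }

# range_hash FILE BLOCK_BYTES SKIP COUNT
# Hashes COUNT blocks starting SKIP blocks into FILE. A range that runs past the
# end is refused, so a truncated download cannot yield a "matching" short hash.
range_hash() {
    end=$(( ($3 + $4) * $2 ))
    if [ "$end" -gt "$(file_size "$1")" ]; then
        echo "range ends at byte $end, past end of $1" >&2
        return 1
    fi
    dd if="$1" bs="$2" skip="$3" count="$4" 2>/dev/null | sha256_stdin
}

# fingerprint FILE BLOCK_BYTES SKIP COUNT: one line to paste into a reply.
fingerprint() {
    r=$(range_hash "$1" "$2" "$3" "$4") || return 1
    printf 'size=%s sha256=%s range(bs=%s,skip=%s,count=%s)=%s\n' \
        "$(file_size "$1")" "$(full_hash "$1")" "$2" "$3" "$4" "$r"
}

# same_download MINE THEIRS BLOCK_BYTES SKIP COUNT
# Exit 0 only if size, full hash and range hash all agree; 2 if a range is invalid.
same_download() {
    a=$(fingerprint "$1" "$3" "$4" "$5") || return 2
    b=$(fingerprint "$2" "$3" "$4" "$5") || return 2
    [ "$a" = "$b" ]
}
```
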

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#6 Post by s243a »

I remembered that I discussed the above-linked sone discussion in another post on this forum. See below:
Wognath wrote: I gather that man-in-the-middle is the main vulnerability of https. Steve Gibson says that an https fingerprint mismatch will always reveal a man-in-the-middle. In my browser, a couple of clicks gets me to the SHA-1 fingerprint of a site certificate, which I can compare to the fingerprint generated at http://www.grc.com/fingerprints. s243a, is this the tool you refer to? Seems like a good precaution if I have any concern about the network I'm on. (Plus avoiding sites that revert to http after login)

Thanks in advance for correcting me where I'm wrong.
Copy the fingerprints of interest from his site before you go to an unsecure internet connection because someone could always spoof Steve Gibson's site via man in the middle.

I think the extension that I was referring to was called:
certificate patrol
http://patrol.psyced.org/

It was mentioned in this thread on freenet (via the sone plugin):
http://localhost:8888/Sone/viewPost.htm ... 0bddeeafff

Another tool called conspiracy was also mentioned in the thread:
https://addons.mozilla.org/en-US/firefo ... src=search

The certificate patrol add-on sounds pretty cool but you might want one browser with it and one without, in case there are too many false positives or if it causes problems connecting to certain sites. I haven't tried it yet so I can't give any reviews.
http://murga-linux.com/puppy/viewtopic. ... 01&t=98537

I'm waiting for it to load on sone so that I can review the discussion and comment further.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#7 Post by s243a »

I remembered that sone had a search feature. After searching some terms such as SSL I found the comment that I remembered.
Adilson_Lanpo

@s243a If you're being targeted by your government then you're screwed pretty much no matter what, remember that we're talking about people who can enter your house while you're out to plant whatever surveillance equipment they want (maybe even legally). Though there is a real problem with CAs able to vouch for every domain, it really should be restricted so that say, Chinese CAs can only sign domains in .cn and associated IDNs.

2 years ago
http://www.pearltrees.com/s243a/verifyi ... m182229622

So from the above it might be worth reviewing what certificate authorities your browser trusts.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

my last post was lost

#8 Post by purple379 »

I did a bunch of work. As I said before, I could turn off the Firefox Addon, "Tails Download and Verify," and Firefox would allow the webpage for Tails to load. https://tails.boum.org/ I uninstalled ExpressVPN so I could run Tor (Tor 5 plus is supposed to work with the Firefox Tails "Download and Verify Addon.")

Turns out the Tor supplied for "Windows is 6.0.3" and is based upon "Firefox 45.3.0." This combination works to download and Verify "Tails-i386-2.5.iso."

The PGP sorta seems to match, but I have not established the Web of Trust needed to make it give a total thumbs up message. I have a previous post about my not feeling good about the PGP keyset I generated, which I think I need for the WebOfTrust thing to work. That is register my own key as being trustworthy, and then trust their PGP key.

Some days ago I wrote to the developer for the Firefox Addon, "Tails Download and Verify," no reply, but he might be on vacation. He says he is in Italy.

The purpose of the Pinning is a second security feature, which I had never heard of before, in addition to verifying the CA, as I understand it. I doubt if Pinning is in the earlier Firefox. Likely Firefox 48 has the feature Pinning.

The website for Tails is: https://tails.boum.org/ Which will display in Chrome, not Windows 10 Pro, Firefox 48 with the addon "Tails Download and Verify." enabled. If one looks at the Tails site, they seem to be very high on how much added security is added for those who are not highly computer literate, or willing to spend a lot of time with computers.

I have now reinstalled ExpressVPN, and it and Tor both seem to work. Strangely, when I use ExpressVPN, and tell it to connect to its US based server, and use the what is my IP website, it gives locations like Singapore, etc. ExpressVPN Support Chat said that "what is my IP websites" often had a bad list of places I might be connected to. EDIT: I should have said, "an incorrect list of places," bad is not a good word for this.

Anyway, I downloaded the Tails 2.5.iso, and used its verification tools to have them say it was happy with my download. Now I am concerned that if the original https and its CA was compromised, then I have a Tails that could have been corrupted.

Yes having someone familiar with CA's from other countries might be interesting, along with whatever is involved in the Pinning match. Still it looks like Tails downloads are mostly links to the original site I have,
The website for Tails is: https://tails.boum.org/ Which will display in Chrome, not Windows 10 Pro, Firefox 48 with the addon "Tails Download and Verify." enabled. If one looks at the Tails site, they seem to be very high on how much added security is added for those who are not highly computer literate, or willing to spend a lot of time with computers.

I have now reinstalled ExpressVPN, and it and Tor both seem to work. Strangely, when I use ExpressVPN, and tell it to connect to its US based server, and use the what is my IP website, it gives locations like Singapore, etc. ExpressVPN Support Chat said that "what is my IP websites" often had a bad list of places I might be connected to.

I know that the Tails website IP tracks back to a place off a US college campus. I know that the Chat support for Tails requires that I get a different kind of email, that is like the ones supplied by riseup, a sorta of US based server anarchist website. (no violence encouraged or allowed type anarchists) I would feel better if I could actually see the download also from other countries. Seems like the Tails folks trust in the https network, even though they are aware of the problem, is what they go by.
Last edited by purple379 on Sun 07 Aug 2016, 22:27, edited 2 times in total.
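
For the fingerprint comparison in post #6 and the pinning check purple379 describes in post #8, an added example (not from the thread, Tails or Mozilla) of how the two values differ: a certificate fingerprint changes whenever the certificate is reissued, while a public-key pin of the kind HTTP Public Key Pinning uses (base64 of the SHA-256 of the SubjectPublicKeyInfo) stays the same as long as the key does. The certificates are throwaway ones generated locally with `openssl`; the function names and `pin-demo.invalid` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): certificate fingerprint vs. public-key
# pin. All keys and certificates are constructed locally; nothing is fetched.

# cert_fingerprint CERT.pem: SHA-256 over the whole certificate, the value a
# browser shows in its certificate viewer.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# spki_pin CERT.pem: base64(SHA-256(SubjectPublicKeyInfo)), the value a pin
# list stores. It depends only on the public key, not on the certificate.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# pin_matches CERT.pem PIN...: exit 0 if the certificate's key is in the pin
# set, 1 if not (a pinning mismatch), 2 if the certificate cannot be read.
pin_matches() {
    cert=$1; shift
    have=$(spki_pin "$cert") || return 2
    for pin in "$@"; do
        if [ "$pin" = "$have" ]; then return 0; fi
    done
    return 1
}

# Helpers that build the constructed test material.
make_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# make_cert KEY.pem OUT.pem DAYS: self-signed certificate for a made-up name.
make_cert() {
    openssl req -x509 -new -key "$1" -subj "/CN=pin-demo.invalid" \
        -days "$3" -out "$2" 2>/dev/null
}
```

A renewed certificate on the same key still satisfies `pin_matches`, while a certificate on any other key does not, even when a CA the browser trusts has signed it.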

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Re: my last post was lost

#9 Post by s243a »

purple379 wrote: The PGP sorta seems to match, but I have not established the Web of Trust needed to make it give a total thumbs up message. I have a previous post about my not feeling good about the PGP keyset I generated, which I think I need for the WebOfTrust thing to work. That is register my own key as being trustworthy, and then trust their PGP key.
What's this PGP web of trust and how do I get in on it? Any links explaining it?

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

PGP Web of Trust

#10 Post by purple379 »

The short answer is, if one goes through the process of downloading Tails Linux, then the Tails website provides some public Keys of Firefox Developers for the individual to sign as being trusted, and when one runs the option, "decrypt and verify," the message will reflect that one can trust the ISO one has downloaded. The how to do that is explained on the Tails site.

If one thinks of cryptography, there are several inherent problems. If one is using a single key, then one must somehow give that key to someone else before one can begin encrypted communications. A problem if the two parties are some distance apart. Enter the beauty of mathematics and a two key cryptography. One public key that can be used to encrypt, that the public key I can give to anyone, and a private key that only the receiver of the information has, which can be used to decrypt the information (note, letter, email.) The receiver is to protect his private key in a software program with a Passphrase. Public Keys are kept on a public KeyServer, which anyone can put their public key on. Next problem being, how do I know if the public key I have is from the person I think it is from. Enter the "Web of Trust." I might not know an individual's Public Key is really from them, but I might trust the authentication of someone else who can sign the questioned public key, by someone I do know and trust. Information like that also kept on the public key server. That is, if I sign someone else's Public key and if they have signed another's public key, then my program will allow me to choose to trust the questioned key. Likewise the sender of a message can "sign" his message, so that when I do a decrypt on his message, I can know it is from him. Tails Linux is signed by PGP, a PGP key that I can download. PGP key signing being better thought of as proof of authenticity than other hashing techniques, apparently.

My explanations might be more confusing than helpful. Might be best to have described all of what the options in PGP are, as they are interrelated. Poster has asked a very good question. I started to google PGP tutorials and found search shows documentation that is outdated, like from PGP years ago. Older tutorials which reflect older OS's and PGP programs are like another layer of confusion to understanding PGP as it is implemented today, altho much of the concepts are the same.

I think the first question is, which OS are you using? I have not used PGP in Puppy for some years. Used to be, one would have to not only download and install the PGP programs, but one must have Enigmail, which is a plug-in for Thunderbird. If you are using, or sometimes use Ubuntu, then one would look for Kleopatra, and whatever documentation that goes with it.

I have been playing with PGP on Windows 10, which is an extreme mistake for actually doing secure things, but I know I am only playing and some of my computers have problems with actually using Tails securely. When I am more clear on the relative security of the latest Tails.ISO - I was going to go back to a slower computer which runs Linux to actually get a clean copy of Tails Linux, and to create Keys and such. For Windows 10 I have installed the program "Kleopatra" which includes GpgEX. Some notes refer to GnuPGP.

Kleopatra is also used in the KDE desktop. So to find more complete documentation for PGP and Kleopatra, start a full featured Live DVD of something recent KDE, and read the documentation. Might be Poster already knows a bunch of that anyway.

Several years ago, Edward Snowden trusted an earlier version of Tails Linux, and he was in the very center of what the NSA could then do and not do.

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#11 Post by s243a »

I hope I'm not getting too far off topic here but more problems about the DNS system were discussed in the following talk:
DEF CON 22 - Ladar Levison and Stephen Watt - Dark Mail
