Silk Road forums

Discussion => Security => Topic started by: TA on September 18, 2013, 03:46 am

Title: Tails .20.1 Release
Post by: TA on September 18, 2013, 03:46 am
So the Tails website says the .20.1 update will be a minor bugfix only release. I thought it was going to incorporate Tor 2.4? Does anyone know anything about this?
Title: Re: Tails .20.1 Release
Post by: comsec on September 18, 2013, 04:23 am
You can download nightlies/experimental here: http://nightly.tails.boum.org/build_Tails_ISO_experimental/
They already include 2.4

Hah, I tried https:// over Tor and was promptly MITM attacked with a fake cert. Guess download these clearnet, or ask on their IRC channel if torrents are available for nightlies, probably are.

More info:
https://mailman.boum.org/pipermail/tails-dev/2013-September/003607.html

Note none of them are signed, so would exercise caution using this for critical secrets.

Title: Re: Tails .20.1 Release
Post by: TA on September 18, 2013, 04:36 am
Dude, you are always on top of it. +1

So .20.1 wont have tor 2.4?
Title: Re: Tails .20.1 Release
Post by: astor on September 18, 2013, 03:30 pm
Quote from: comsec on September 18, 2013, 04:23 am
Hah, I tried https:// over Tor and was promptly MITM attacked with a fake cert. Guess download these clearnet, or ask on their IRC channel if torrents are available for nightlies, probably are.

It's not an MITM attack, just a self-signed certificate. You can verify by changing identities and seeing that it's the same certificate serial and fingerprints no matter which exit node you use.
Title: Re: Tails .20.1 Release
Post by: comsec on September 18, 2013, 05:51 pm
Quote from: astor on September 18, 2013, 03:30 pm
Quote from: comsec on September 18, 2013, 04:23 am
Hah, I tried https:// over Tor and was promptly MITM attacked with a fake cert. Guess download these clearnet, or ask on their IRC channel if torrents are available for nightlies, probably are.

It's not an MITM attack, just a self-signed certificate. You can verify by changing identities and seeing that it's the same certificate serial and fingerprints no matter which exit node you use.

Over Tor, the self signed cert was issued to "boum.org" instead of the usual "*.boum.org" and SHA-1 fingerprint did not match. On clearnet for that same site the cert is issued to "www.lizard"
Title: Re: Tails .20.1 Release
Post by: astor on September 18, 2013, 08:55 pm
nightly.tails.boum.org is a different server (or IP address at least) from tails.boum.org. The cert that I get over Tor is also for www.lizard, serial numbers starts with 00:92:34.

You might have been MITMed, but it's still a self-signed cert for that server, which is the error most people will see. Weirdly, it asks for authorization over HTTPS but not over HTTP.

They should upload a PGP signature and then it wouldn't matter.
Title: Re: Tails .20.1 Release
Post by: astor on September 18, 2013, 08:59 pm
Which exit node injected a different cert? That should be reported.
Title: Re: Tails .20.1 Release
Post by: JesusHChr1st on September 19, 2013, 03:55 am
Quote from: astor on September 18, 2013, 08:59 pm
Which exit node injected a different cert? That should be reported.

I'm interested too......if you were man in the middle'd immediately on your first attempt that is a fairly worrying piece of information
Title: Re: Tails .20.1 Release
Post by: TA on September 19, 2013, 03:58 am
Still wondering if the update will have 2.4.............