Dev/OpenPGP Signed Website

OpenPGP Signed Website

This has been requested in the forum.[1] Having an OpenPGP signed website would be desirable, but that would require software which does not exist yet.

There is PGPHTML (a tool to make PGP or GPG signed web pages), but it is from 2002 and there are licensing problems.[2]

PGPHTML also wouldn't work as a complete solution.

  • Users most likely won't copy and paste the text, so this would also require a browser or browser addon automating the verification.
  • Adversaries in a position to modify website content can always mount rollback or indefinite freeze attacks (see [3] for definitions of those attacks). That is, they could pick an old message or page that was signed years ago and now contains insecure or outdated information, without the user being informed about the attack. To prevent that, the client application would have to check a field similar to the Valid-Until field.[4]
  • The website structure or link would have to be signed and verified as well.
  • The solution should pass the TUF threat model.
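
The client-side checks described in the list above, as an added sketch that is not Whonix or PGPHTML code. It assumes the OpenPGP signature over the whole payload has already been verified, and the `Path`, `Serial` and `Valid-Until` header names and all function names are hypothetical. The serial counter goes slightly beyond the Valid-Until field the list mentions, to catch a rollback to a page that has not yet expired.

```python
from datetime import datetime, timezone

def parse_signed_headers(signed_text):
    """Split an already-verified payload into header fields and body."""
    head, _, body = signed_text.partition("\n\n")
    fields = {}
    for line in head.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        fields[key.strip().lower()] = value.strip()
    return fields, body

def check_freshness(signed_text, requested_path, last_seen_serial, now):
    """Return (ok, reason). Assumes the OpenPGP signature over signed_text
    (headers included) was verified first; that step is not shown here."""
    try:
        fields, _ = parse_signed_headers(signed_text)
        valid_until = datetime.fromisoformat(fields["valid-until"])
        serial = int(fields["serial"])
        path = fields["path"]
    except (KeyError, ValueError) as exc:
        return False, "missing or malformed signed field: %s" % exc
    if valid_until.tzinfo is None:
        return False, "valid-until has no timezone"
    if path != requested_path:
        return False, "signed for a different path"
    if now > valid_until:
        return False, "expired: possible indefinite freeze"
    if serial < last_seen_serial:
        return False, "older than last seen serial: possible rollback"
    return True, "fresh"

# Constructed sample payloads (hypothetical field names, not real Whonix pages).
STALE = ("Path: /wiki/Download\nSerial: 3\n"
         "Valid-Until: 2021-01-01T00:00:00+00:00\n\nold instructions")
REPLAYED = ("Path: /wiki/Download\nSerial: 3\n"
            "Valid-Until: 2030-01-01T00:00:00+00:00\n\nold instructions")
CURRENT = ("Path: /wiki/Download\nSerial: 7\n"
           "Valid-Until: 2030-01-01T00:00:00+00:00\n\ncurrent instructions")
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, page in (("stale", STALE), ("replayed", REPLAYED), ("current", CURRENT)):
        print(name, check_freshness(page, "/wiki/Download", 7, NOW))
```

The fields only protect anything because they sit inside the signed text; the client also has to persist the last seen serial per path and pass a timezone-aware `now`.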

While relying on the OpenPGP web of trust, and not the SSL cartel, this could provide strong verification. On the other hand, it probably couldn't provide end-to-end encryption; SSL or .onion would be required for that.

It is an interesting idea, but outside the scope of Whonix ™ to invent such a solution.

Footnotes

  1. http://sourceforge.net/p/whonix/discussion/general/thread/6d7344a5/
  2. Patrick Schleizer mailed licensing at fsf dot org (name redacted). PGPHTML is probably not Free Software. If that were the case, it wouldn't be usable for Whonix ™. Adrelanos also mailed the author, but there was no response.
    > Is the following license Free Software?
    
    > Is it GPL compatible?
    
    > homepage: http://www.sanface.com/pgphtml.html
    
    > source tarball: http://www.sanface.com/pgphtml.tar.gz
    
    > License text:
    
    >> # pgphtml -- a perl script to make PGP signed web-pages
    >> #
    >> # by SANFACE Software <sanface@sanface.com> 19 June 2002
    >> #
    >> # Requires the PGP or GPG
    >> # GPG support added by John Arundel <john@splange.freeserve.co.uk>
    >> #
    >> # Copy, use, and redistribute freely, but don't take my name off it and
    >> # clearly mark an altered version.  Fixes and enhancements cheerfully
    >> # accepted.
    >> #
    >> # This is version 4.1.
    
    The license doesn't explicitly permit modifications, nor distribution
    for a fee (even the relatively terse Expat license, sometimes
    ambiguously referred to as the MIT License, explicitly states that you
    have: "... without limitation the rights to use, copy, modify, merge,
    publish, distribute, sublicense, and/or sell copies of the Software,
    ...")
    
    It also states that "fixes ...  accepted" in the same block as the
    license text, so it is unclear if that is a part of the license or a
    friendly request.
    
    I can't speak to what was the author's intent when writing the license;
    It is not my place to say "oh, the author of the license probably
    meant..." Therefore I would recommend contacting the author before using
    the software and asking for a copy of the software under a well known
    free software license.
    
  3. Dev/ptt#Definitions
  4. http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-release-f.html

