[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3861 [Tor bundles/installation]: begin signing Windows packages the Windows way



#3861: begin signing Windows packages the Windows way
--------------------------------------+-------------------------------------
 Reporter:  erinn                     |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  normal                    |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------

Comment(by erinn):

 Yes, that is a very good summary of the situation. I don't think I decided
 not to bother -- it was left as a 'controversial' issue, but I think we
 should explore it more. Right now when you install one of our Windows
 packages, it comes from an 'Unknown' publisher which is much more trivial
 to spoof than one that claims to be from Tor Project, Inc. and has a
 key/cert/whatever to prove it.

 But to reiterate, I think we should explore this in more depth to see what
 the tradeoffs are. Because although it may be more difficult for someone
 to build a fake Windows bundle and then claim to be from us, it will also
 be much more convincing if they pull it off.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3861#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs