[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: hidden services spoof
Yes but the sig is only as good as the person you trust. That is why I
haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
trusted binary. I don't think they yet have a pgp plugin for NSIS
language yet. I'll see what else can be done for verifying sigs.
Monday, September 11, 2006, 4:49:26 PM, you wrote:
> On Mon, Sep 11, 2006 at 04:10:27PM -0500, Arrakistor wrote:
>> I am writing an updater for tor to automatically grab the latest
>> version. One problem I am coming across is where to host it so they
>> cannot be spoofed. I was thinking of putting it at a server in a
>> .onion address. How easily can a node in the tor network be spoofed?
>> Is there a better solution than hosting the tor updates inside a
>> .onion server?
> Checking the PGP signature on the release should be enough to detect
> fake updates.
> (You've been checking PGP signatures already, right?)