Roger Dingledine wrote:
> Perhaps now is a great time for you to learn how to verify the signatures on Tor packages you download: https://www.torproject.org/docs/verifying-signatures
I don't have a solution to this problem but I am raising it in case somebody else does. It's great that you not only sign your packages but that the page above also lists the fingerprints of the signing keys. But in case of a man-in-the-middle attack (or a compromised website) the attacker could provide his own signatures for trojaned packages and then display a page that shows the fingerprint for *his* signing key(s) in place of those for the real keys. I presume the general method of solving this for PGP keys is to create a chain of trust by signing the keys. But it is not clear to me how that would work for a project like Tor that distributes software to all comers where "signing parties" and the like are out of the question.

Jim

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
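The check Jim is describing, written out as an added example (not code from this thread or from the Tor Project): a "Good signature" from gpg proves nothing by itself, because an attacker who replaced the package can also supply a key that signs it, so the script compares the primary-key fingerprint reported by gpg's `--status-fd` output against a fingerprint pinned from an independent channel. The pinned fingerprint below is a constructed placeholder, not a real Tor key.

```shell
#!/bin/sh
# Verify a downloaded package signature, then require that the key which
# produced it matches a fingerprint obtained OUT OF BAND (not from the same
# website that served the package and its signature).

# Constructed placeholder: replace with the full 40-hex-digit fingerprint you
# confirmed through an independent channel (another network, another person,
# a printed copy, ...). Never copy it from the download page itself.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_validsig STATUS_OUTPUT PINNED_FPR
# Parses gpg's machine-readable --status-fd output. Returns 0 only if a
# VALIDSIG line exists and its primary-key fingerprint (the last field)
# equals PINNED_FPR. Returns 1 for a valid signature by some other key,
# 2 when gpg reported no valid signature at all.
check_validsig() {
    status="$1"
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F' | tr -d ' ')
    line=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$line" ] || return 2
    # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pk-algo> <hash-algo>
    #          <class> <primary-key-fpr>  -- compare the primary key, since that
    # is what a published fingerprint refers to even when a subkey signed.
    got=$(printf '%s\n' "$line" | awk '{print $NF}')
    [ "$got" = "$want" ] && return 0
    return 1
}

# verify_package FILE SIGFILE
# Runs gpg (status lines to stdout, human output discarded) and feeds the
# result to check_validsig. Exit status follows check_validsig.
verify_package() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_validsig "$status" "$PINNED_FPR"
}
```

Run it as `verify_package tor-package.tar.gz tor-package.tar.gz.asc`; a non-zero exit means the package must not be installed even if gpg printed "Good signature".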