
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)



Joe Btfsplk wrote:
I'm just asking here - other than entities (gov'ts?) targeting anonymity software (for now) what prevents this issue from becoming widespread? If I download an update from MS - how do I know it's the authentic pkg from the real MS? There's no authentication (or even check sums) for d/l Firefox, IE. Only a small % of all developers offer these capabilities.

I agree that all projects ought to offer digital signatures for their
downloads (or at least a digitally signed list of cryptographically
secure hash values -- no MD5s please!) and far too few projects do.
But I do wonder if you are wrong about Firefox not supplying hash
values.  I know SeaMonkey (also hosted by Mozilla although not an
official Mozilla project) offers hashes, but you have to go looking for
them.  I suspect the same is true for FF although I don't know if I have
ever looked.  Of course while I consider them (slightly) better than
nothing, hash values alone won't thwart a determined and knowledgeable
attacker.

Jim
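
An added illustration of the difference between a bare hash list and a signed one (not part of the original message). It assumes the `openssl` CLI and coreutils `sha256sum`; the names `pkg.tar`, `SHA256SUMS` and `publisher.key`/`publisher.pub` are constructed for the demo.

```shell
# Constructed demo: every file, key and name here is generated locally.
# Assumes the openssl CLI and coreutils sha256sum are installed.

# Publisher side: key pair kept off the mirror, a release file, its
# SHA-256 list, and a detached signature over that list.
publish() {
    mirror=$1; keys=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$keys/publisher.key" 2>/dev/null
    openssl pkey -in "$keys/publisher.key" -pubout -out "$keys/publisher.pub"
    printf 'genuine release\n' > "$mirror/pkg.tar"
    (cd "$mirror" && sha256sum pkg.tar > SHA256SUMS)
    openssl dgst -sha256 -sign "$keys/publisher.key" \
        -out "$mirror/SHA256SUMS.sig" "$mirror/SHA256SUMS"
}

# Simulated substitution on the download server: whoever can replace the
# file can regenerate the hash list beside it, but not the signature.
substitute() {
    printf 'substituted release\n' > "$1/pkg.tar"
    (cd "$1" && sha256sum pkg.tar > SHA256SUMS)
}

# Check A: compare the download with the hash list from the same server.
check_hash_only() {
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}

# Check B: verify the signature on the list with a public key obtained
# separately from the download, and only then trust the hashes in it.
check_signed_list() {
    openssl dgst -sha256 -verify "$2" -signature "$1/SHA256SUMS.sig" \
        "$1/SHA256SUMS" >/dev/null 2>&1 || return 1
    check_hash_only "$1"
}

# Run both checks before and after the substitution; echo the outcomes.
demo() {
    work=$(mktemp -d) && mkdir "$work/mirror" "$work/keys" || return 1
    publish "$work/mirror" "$work/keys"
    for stage in genuine substituted; do
        if [ "$stage" = substituted ]; then substitute "$work/mirror"; fi
        check_hash_only "$work/mirror" && a=pass || a=fail
        check_signed_list "$work/mirror" "$work/keys/publisher.pub" && b=pass || b=fail
        echo "$stage hash-only=$a signed-list=$b"
    done
    rm -rf "$work"
}
demo
```

The hash-only check still passes after the substitution because the list was regenerated along with the file; the signed-list check fails at the signature step.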



