[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: https

To: tor-mirrors@xxxxxxxxxxxxxx
Subject: Re: https
From: "Kiss Gabor (Bitman)" <kissg@xxxxxxxxxxxxx>
Date: Sun, 20 Dec 2009 08:01:35 +0100 (CET)
Delivered-to: archiver@xxxxxxxx
Delivered-to: tor-mirrors-outgoing@xxxxxxxx
Delivered-to: tor-mirrors@xxxxxxxx
Delivery-date: Sun, 20 Dec 2009 02:01:51 -0500
In-reply-to: <20091219220850.GD10101@xxxxxxxxxxxxxx>
References: <alpine.DEB.1.10.0912191307510.8683@xxxxxxxxxxxxxxxxxx> <20091219220850.GD10101@xxxxxxxxxxxxxx>
Reply-to: tor-mirrors@xxxxxxxxxxxxxx
Sender: owner-tor-mirrors@xxxxxxxxxxxxxx
User-agent: Alpine 1.10 (DEB 962 2008-03-14)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bryon Eldridge:

> It also discourages tampering with the content of the traffic.

If I were a bad guy I would not manipulate network traffic but
set up a false mirror site. I could modify any file much more easy. :-)

Roger Dingledine:

> The main goal of https is to prevent a man-in-the-middle attacker
> (think country-level firewall, but also think ISP) from swapping out
> the intended download with one of his own. Pretty much nobody checks
> signatures on their downloads:

As well as certificate chain.
AFAIK some application level firewalls are able to play man-in-the-middle.
They generate certificates on-the-fly that are signed by an other one
that is signed by a trusted root certificate preinstalled in your browser.
Browser will not warn you and you won't recognize your HTTPS channel
ends not in the target host but the firewall unless you examine
the certificate chain.

> But even then, you'll still have the bootstrapping problem: how do you
> make sure the first thing you download is really the thing we wrote?

It is your point! :-)

Maybe a list of md5sums signed by you would help.
(Including HTML pages.)
Unfortunately content of the site changes too often.

And how can anybody check if I serve the original files hold by
www.torproject.org?

BTW.
Should I mirror everything? Including .*.swp files and .svn/ directories?

Cheers

Gabor

P.s. Is it acceptable/required to sign posts on this list?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iEYEARECAAYFAksty9AACgkQd2oiOrtquzjoRwCeOohXiyrTRkDcirOICfH5rxiO
tm0AoIndv+UZBq61o+9sO7Vq57Rqa01i
=zdxZ
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: https
  - From: Andrew Lewman

References:
- https
  - From: Kiss Gabor (Bitman)
- Re: https
  - From: Roger Dingledine

Prev by Author: https
Next by Author: A new mirror is up
Previous by thread: Re: https
Next by thread: Re: https
Index(es):
- Author
- Thread