[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: https

To: tor-mirrors@xxxxxxxxxxxxxx
Subject: Re: https
From: Andrew Lewman <andrew@xxxxxxxxxxxxxx>
Date: Sun, 20 Dec 2009 13:39:59 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: tor-mirrors-outgoing@xxxxxxxx
Delivered-to: tor-mirrors@xxxxxxxx
Delivery-date: Sun, 20 Dec 2009 13:40:03 -0500
In-reply-to: <alpine.DEB.1.10.0912200731380.3863@xxxxxxxxxxxxxxxxxx>
Openpgp: url=http://lewman.com/0x31b0974b.asc
Organization: The Tor Project, Inc.
References: <alpine.DEB.1.10.0912191307510.8683@xxxxxxxxxxxxxxxxxx> <20091219220850.GD10101@xxxxxxxxxxxxxx> <alpine.DEB.1.10.0912200731380.3863@xxxxxxxxxxxxxxxxxx>
Reply-to: tor-mirrors@xxxxxxxxxxxxxx
Sender: owner-tor-mirrors@xxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.23 (X11/20090817)

On 12/20/2009 02:01 AM, Kiss Gabor (Bitman) wrote:
 > Maybe a list of md5sums signed by you would help.
> (Including HTML pages.)
> Unfortunately content of the site changes too often.

We did this with sha1 hashes and very few checked them.  Even worse is
that if the man in the middle can swap binaries on the fly, they can
sure send a new sha1/md5sum too.  So now the user thinks they've done
the right thing and verified the false md5/sha1 hash successfully.

The pgp signature can't be faked easily, which is why we use them.

> And how can anybody check if I serve the original files hold by
> www.torproject.org?

The pgp signature.

> Should I mirror everything? Including .*.swp files and .svn/ directories?

Just use the rsync server to keep it all in sync.  See
https://www.torproject.org/running-a-mirror.html.en

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject

Follow-Ups:
- Re: https
  - From: Kiss Gabor (Bitman)

References:
- https
  - From: Kiss Gabor (Bitman)
- Re: https
  - From: Roger Dingledine
- Re: https
  - From: Kiss Gabor (Bitman)

Next by Author: Re: A new mirror is up
Previous by thread: Re: https
Next by thread: Re: https
Index(es):
- Author
- Thread