[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [webwml/master] Started updating verify signatures page
commit 8660abe1d94824795ed7e231f2dbee3eb62852a6
Author: hiromipaw <hiro@xxxxxxxxxxxxxx>
Date: Fri Jul 7 13:08:25 2017 +0200
Started updating verify signatures page
---
docs/en/verifying-signatures.wml | 48 ++++++++++++++++++++++++++++------------
1 file changed, 34 insertions(+), 14 deletions(-)
diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml
index 485e509..c6e3b27 100644
--- a/docs/en/verifying-signatures.wml
+++ b/docs/en/verifying-signatures.wml
@@ -12,24 +12,44 @@
<h1>How to verify signatures for packages</h1>
<hr>
+ <p>Digital signature is a process ensuring that a certain package was
+ generated by its developers and has not been tampered with. Below we explain
+ why it is important and how to verify that the Tor program you download is
+ the one we have created and has not been modified by some attacker.</p>
+
+ <p>Digital signature is a cryptographic mechanism. If you want to learn more
+ about how it works see <a href="https://www.gnupg.org/documentation/">
+ https://www.gnupg.org/documentation/</a>.</p>
+
<h3>What is a signature and why should I check it?</h3>
<hr>
- <p>How do you know that the Tor program you have is really the
- one we made? Many Tor users have very real adversaries who might
- try to give them a fake version of Tor — and it doesn't matter
- how secure and anonymous Tor is if you're not running the real Tor.</p>
+ <p>How do you know that the Tor program you have is really the one we made?
+ Digital signatures ensure that the package you are downloading was created by
+ our developers. It uses a cryptographic mechanism which outputs a sequence of
+ characters that is always the same unless the software has not been tampered
+ with.</p>
+
+ <p>For many Tor users it is important to verify that the Tor software is authentic
+ as they have very real adversaries who might try to give them a fake version
+ of Tor.</p>
- <p>An attacker could try a variety of attacks to get you to download
- a fake Tor. For example, he could trick you into thinking some other
+ <p>If the Tor package has been modified by some attacker it is not safe to use.
+ It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>
+
+ <p>There are a variety of attacks that can be used to make you download a fake
+ version of Tor. For example, an attacker could trick you into thinking some other
website is a great place to download Tor. That's why you should
- always download Tor from <b>https</b>://www.torproject.org/. The
- https part means there's encryption and authentication between your
- browser and the website, making it much harder for the attacker
+ always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>
+
+ <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.
+ Https is the secure version of the http protocol which uses encryption and authentication between your
+ browser and the website. This makes it much harder for the attacker
to modify your download. But it's not perfect. Some places in the
- world block the Tor website, making users try <a href="<page
- docs/faq>#GetTor">somewhere else</a>. Large
- companies sometimes force employees to use a modified browser,
+ world block the Tor website, making users to download Tor <a href="<page
+ docs/faq>#GetTor">somewhere else</a>.</p>
+
+ <p>Large companies sometimes force employees to use a modified browser,
so the company can listen in on all their browsing. We've even <a
href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
attackers who have the ability to trick your browser into thinking
@@ -93,8 +113,8 @@
<p>To verify the signature of the package you downloaded, you will need
to download the ".asc" file as well. Assuming you downloaded the
package and its signature to your Desktop, run:</p>
- <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify
- C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc
+ <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \
+ C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \
C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
<p>The output should say "Good signature": </p>
<pre>
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits