Represent! I am really proud to be part of a community making this statement. Thanks to all who have pulled this together.

peace,
gunner

On 03/21/2016 09:04 AM, Kate Krauss wrote:
>
> A Statement from The Tor Project on Software Integrity and Apple
>
> The Tor Project exists to provide privacy and anonymity for millions of
> people, including human rights defenders across the globe whose lives
> depend on it. The strong encryption built into our software is essential
> for their safety.
>
> In an age when people have so little control over the information
> recorded about their lives, we believe that privacy is worth fighting for.
>
> We therefore stand with Apple to defend strong encryption and to oppose
> government pressure to weaken it. We will never backdoor our software.
>
> Our users face very serious threats. These users include bloggers
> reporting on drug violence in Latin America; dissidents in China,
> Russia, and the Middle East; police and military officers who use our
> software to keep themselves safe on the job; and LGBTI individuals who
> face persecution nearly everywhere. Even in Western societies, studies
> demonstrate that intelligence agencies such as the NSA are chilling
> dissent and silencing political discourse
> <http://m.jmq.sagepub.com/content/early/2016/02/25/1077699016630255.full.pdf?ijkey=1jxrYu4cQPtA6&keytype=ref&siteid=spjmq>
> merely through the threat of pervasive surveillance.
>
> For all of our users, their privacy is their security. And for all of
> them, that privacy depends upon the integrity of our software, and on
> strong cryptography. Any weakness introduced to help a particular
> government would inevitably be discovered and could be used against all
> of our users.
>
> The Tor Project employs several mechanisms to ensure the security and
> integrity of our software. Our primary product, the Tor Browser, is
> fully open source. Moreover, anyone can obtain our source code and
> produce bit-for-bit identical copies of the programs we distribute using
> Reproducible Builds
> <https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise>,
> eliminating the possibility of single points of compromise or coercion
> in our software build process. The Tor Browser downloads its software
> updates anonymously using the Tor network, and update requests contain
> no identifying information that could be used to deliver targeted
> malicious updates
> <http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/>
> to specific users. These requests also use HTTPS encryption
> <https://www.eff.org/pages/tor-and-https> and pinned HTTPS certificates
> (a security mechanism that allows HTTPS websites to resist being
> impersonated by an attacker by specifying exact cryptographic keys for
> sites). Finally, the updates themselves are also protected by strong
> cryptography, in the form of package-level cryptographic signatures (the
> Tor Project signs the update files themselves). This use of multiple
> independent cryptographic mechanisms and independent keys reduces the
> risk of single points of failure.
>
> The Tor Project has never received a legal demand to place a backdoor in
> its programs or source code, nor have we received any requests to hand
> over cryptographic signing material. This isn't surprising: we've been
> public about our "no backdoors, ever
> <https://www.torproject.org/docs/faq#Backdoor>" stance, we've had clear
> public support from our friends at EFF and ACLU, and it's well-known
> that our open source engineering processes and distributed architecture
> make it hard to add a backdoor quietly.
>
> From an engineering perspective, our code review and open source
> development processes make it likely that such a backdoor would be
> quickly discovered. We are also currently accelerating the development
> of a vulnerability-reporting reward program to encourage external
> software developers to look for and report any vulnerabilities that
> affect our primary software products.
>
> The threats that Apple faces to hand over its cryptographic signing keys
> <http://fortune.com/2016/03/11/apple-fbi-source-code-signature/> to the
> US government (or to sign alternate versions of its software for the US
> government) are no different than threats of force or compromise that
> any of our developers or our volunteer network operators may face from
> any actor, governmental or not. For this reason, regardless of the
> outcome of the Apple decision, we are exploring further ways to
> eliminate single points of failure, so that even if a government or a
> criminal obtains our cryptographic keys, our distributed network and its
> users would be able to detect this fact and report it to us as a
> security issue.
>
> Like those at Apple
> <http://www.nytimes.com/2016/03/18/technology/apple-encryption-engineers-if-ordered-to-unlock-iphone-might-resist.html>,
> several of our developers have already stated that they would rather
> resign than honor any request to introduce a backdoor or vulnerability
> into our software that could be used to harm our users. We look forward
> to making an official public statement on this commitment as the
> situation unfolds. However, since requests for backdoors or
> cryptographic key material so closely resemble many other forms of
> security failure, we remain committed to researching and developing
> engineering solutions to further mitigate these risks, regardless of
> their origin.
>
> We congratulate Apple on their commitment to the privacy and security of
> their users, and we admire their efforts to advance the debate over the
> right to privacy and security for all.
>

--
Allen Gunn
Executive Director, Aspiration
+1.415.216.7252
www.aspirationtech.org

Aspiration: "Better Tools for a Better World"

Read our Manifesto: http://aspirationtech.org/publications/manifesto

Follow us:
Facebook: www.facebook.com/aspirationtech
Twitter: www.twitter.com/aspirationtech
_______________________________________________
tor-project mailing list
tor-project@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
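The quoted statement describes three independent protections on the Tor Browser update path (reproducible builds, pinned HTTPS transport, package-level signatures) and says that multiple independent keys reduce the risk of single points of failure. The Go program below is an added example, not code from the Tor Project or from anyone in this thread, that models that property for the build and signing layers: an update is accepted only when a quorum of independent builders reproduced its exact SHA-256 digest and at least k of n separately held Ed25519 keys signed it, so one leaked key or one coerced build machine is rejected and reported rather than trusted. The 2-of-3 thresholds, the artifact bytes, the builder names and the key pairs are all constructed for the example; the transport protections (Tor, HTTPS pinning) are out of scope here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// BuilderReport is what one independent reproducible-build machine publishes:
// the SHA-256 it computed for the artifact it built from the same source.
type BuilderReport struct {
	Name   string
	Digest [32]byte
}

// Signature is one signer's detached Ed25519 signature over the artifact digest.
type Signature struct {
	SignerIndex int
	Sig         []byte
}

// UpdatePolicy holds the separately held public keys and the two thresholds.
// The sizes used below (2-of-3 keys, 2-of-3 builders) are example assumptions.
type UpdatePolicy struct {
	SignerKeys  []ed25519.PublicKey
	MinSigs     int // distinct keys that must have signed (k of n)
	MinBuilders int // builders that must have reproduced the exact digest
}

// VerifyUpdate accepts an artifact only if enough independent builders
// reproduced it bit-for-bit AND enough distinct keys signed it. A single
// leaked key or a single coerced build machine therefore cannot pass it.
func VerifyUpdate(p UpdatePolicy, artifact []byte, reports []BuilderReport, sigs []Signature) error {
	digest := sha256.Sum256(artifact)

	// Check 1: reproducible-build agreement across independent builders.
	agree, dissent := 0, []string{}
	for _, r := range reports {
		if r.Digest == digest {
			agree++
		} else {
			dissent = append(dissent, r.Name)
		}
	}
	if agree < p.MinBuilders {
		return fmt.Errorf("reproducible-build check failed: %d of %d builders match, need %d (disagreeing: %v)",
			agree, len(reports), p.MinBuilders, dissent)
	}

	// Check 2: threshold of valid signatures from DISTINCT keys. Replaying one
	// key's signature twice, or signing with an unknown key, earns no credit.
	seen := map[int]bool{}
	for _, s := range sigs {
		if s.SignerIndex < 0 || s.SignerIndex >= len(p.SignerKeys) || seen[s.SignerIndex] {
			continue
		}
		if ed25519.Verify(p.SignerKeys[s.SignerIndex], digest[:], s.Sig) {
			seen[s.SignerIndex] = true
		}
	}
	if len(seen) < p.MinSigs {
		return fmt.Errorf("signature check failed: %d valid signatures from distinct keys, need %d", len(seen), p.MinSigs)
	}
	return nil
}

// NewPolicy generates n fresh key pairs for the example; in a real deployment
// each private key would be held by a different person or machine.
func NewPolicy(n, minSigs, minBuilders int) (UpdatePolicy, []ed25519.PrivateKey) {
	p := UpdatePolicy{MinSigs: minSigs, MinBuilders: minBuilders}
	var privs []ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		p.SignerKeys = append(p.SignerKeys, pub)
		privs = append(privs, priv)
	}
	return p, privs
}

// Sign produces signer idx's signature over the artifact digest.
func Sign(idx int, priv ed25519.PrivateKey, artifact []byte) Signature {
	d := sha256.Sum256(artifact)
	return Signature{SignerIndex: idx, Sig: ed25519.Sign(priv, d[:])}
}

// Report is what an honest builder publishes after building the artifact.
func Report(name string, artifact []byte) BuilderReport {
	return BuilderReport{Name: name, Digest: sha256.Sum256(artifact)}
}

// RunScenarios exercises the policy against constructed sample artifacts and
// returns the verdict for each case (nil means the update was accepted).
func RunScenarios() map[string]error {
	p, privs := NewPolicy(3, 2, 2)
	release := []byte("constructed sample release artifact v1")
	tampered := []byte("constructed sample release artifact v1 + injected code")
	honest := []BuilderReport{Report("builder-A", release), Report("builder-B", release), Report("builder-C", release)}
	out := map[string]error{}

	// Normal release: every builder reproduces it and two distinct keys sign it.
	out["good"] = VerifyUpdate(p, release, honest, []Signature{Sign(0, privs[0], release), Sign(1, privs[1], release)})

	// One key leaked: even with builder agreement, one key replayed twice is below 2-of-3.
	allAgree := []BuilderReport{Report("x", tampered), Report("y", tampered), Report("z", tampered)}
	out["single-key"] = VerifyUpdate(p, tampered, allAgree, []Signature{Sign(0, privs[0], tampered), Sign(0, privs[0], tampered)})

	// Two keys coerced, but the independent builders do not reproduce the result,
	// so the tampering surfaces as a reproducible-build mismatch.
	out["unreproducible"] = VerifyUpdate(p, tampered, honest, []Signature{Sign(0, privs[0], tampered), Sign(1, privs[1], tampered)})

	// A signature from an unknown key claiming to be signer 1 is simply invalid.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	out["rogue-key"] = VerifyUpdate(p, release, honest, []Signature{Sign(0, privs[0], release), Sign(1, rogue, release)})
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-14s accepted=%v err=%v\n", name, err == nil, err)
	}
}
```

The two checks are deliberately independent: the builder quorum catches a binary that was not produced from the published source, and the distinct-key threshold catches a release that only one key holder (or one stolen key) vouched for. Rejections carry the reason so that a client can report which protection tripped, which is the "detect this fact and report it to us" behaviour the statement aims for.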