At the PET workshop (http://petworkshop.org/2006) I gave a brief talk on a simple idea relating to Tor. One known weakness of open source software is that, even if the source is well audited, an attacker could still implant a backdoor in the version downloaded by one person, and have a very low chance of detection.

I suggested a mechanism for allowing users to detect if they were the victim of such a targeted attack. The threat is very specialised and the solution is not foolproof but I hope it will be of interest.

I describe the basics of the idea in this blog post:
http://www.lightbluetouchpaper.org/2006/07/13/protecting-software-distribution-with-a-cryptographic-build-process/

Also, there are more details in the comments. I would be happy to receive any questions or comments.

Thanks,
Steven.

--
w: http://www.cl.cam.ac.uk/users/sjm217/