Re: OSI 1-3 attack on Tor? in it.wikipedia
On Thu, Feb 14, 2008 at 08:42:07AM +0100, anon ymous wrote:
> Well, that's all good and valid.
> But as an ISP controls all internet-access
> of the client, it can with little effort fake
> the tor-web+svn-server and some sites
> where tor-packages for distributions are hosted.
> (Unless they are signed like proper debian-packets
> but then again, users often have missing keys and
> thus ignore the warning.)
They are signed. Also, people ought to use https, not http, for the Tor
website -- which we hope takes more than a little effort to fake.
> Thus he can change the initially distributed keys.
> The ISP can also reroute the authoritative directory
> servers then and take over the client.
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#KeyManagement
--Roger