[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: OSI 1-3 attack on Tor? in it.wikipedia



On Thu, Feb 14, 2008 at 08:42:07AM +0100, anon ymous wrote:
> Well, that's all good and valid.
> But as an ISP controls all internet-access
> of the client, it can with little effort fake
> the tor-web+svn-server and some sites
> where tor-packages for distributions are hosted.
> (Unless they are signed like proper debian-packets
>  but then again, users often have missing keys and
>  thus ignore the warning. )

They are signed. Also, people ought to use https, not http, for the Tor
website -- which we hope takes more than a little effort to fake.

> Thus he can change the initially distributed keys.
> The ISP can also reroute the authorative directory
> servers then and take over the client.

https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#KeyManagement

--Roger