[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: hidden services spoof



On Mon, Sep 11, 2006 at 04:10:27PM -0500, Arrakistor wrote:
> I  am  writing  an  updater  for  tor to automatically grab the latest
> version.  One  problem  I am coming across is where to host it so they
> cannot  be  spoofed.  I  was  thinking  of putting it at a server in a
> .onion  address.  How easily can a node in the tor network be spoofed?
> Is  there  a  better  solution  than  hosting the tor updates inside a
> .onion server?

Checking the PGP signature on the release should be enough to detect
fake updates.

(You've been checking PGP signatures already, right?)

-- 
Nick Mathewson

Attachment: pgpGK1h6rfycu.pgp
Description: PGP signature