On Mon, Sep 11, 2006 at 04:10:27PM -0500, Arrakistor wrote:
> I am writing an updater for tor to automatically grab the latest
> version. One problem I am coming across is where to host it so they
> cannot be spoofed. I was thinking of putting it at a server in a
> .onion address. How easily can a node in the tor network be spoofed?
> Is there a better solution than hosting the tor updates inside a
> .onion server?

Checking the PGP signature on the release should be enough to detect
fake updates. (You've been checking PGP signatures already, right?)

-- 
Nick Mathewson
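
Added example (not part of the original message and not code from the Tor project): one way an updater can apply the signature check described in the reply, by pinning the release-signing key's fingerprint and parsing GnuPG's machine-readable status output instead of trusting the exit code alone. The function names, the keyring argument and the fingerprint are hypothetical placeholders, and the status lines are constructed sample data.

```shell
#!/bin/sh
# Added example. All names and the fingerprint below are hypothetical
# placeholders, not values from the Tor project.

# Placeholder: the release-signing key's primary fingerprint, obtained
# out of band (40 hex digits, no spaces).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names FPR as the primary key (last field) and no line reports a bad,
# unverifiable, expired or revoked signature or key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release FILE SIG KEYRING FPR
# Verifies detached signature SIG over FILE using only KEYRING (pass a path
# containing a slash), then applies the fingerprint pin. Fails closed when
# gpg is missing or prints no status lines.
verify_release() {
    gpg --no-default-keyring --keyring "$3" --status-fd 1 \
        --verify "$2" "$1" 2>/dev/null | check_status "$4"
}

# Constructed sample of gpg status output for a good signature made by the
# pinned key (not captured from a real release).
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key
[GNUPG:] VALIDSIG $PINNED_FPR 2006-09-11 1158008400 0 4 0 1 2 00 $PINNED_FPR"

if printf '%s\n' "$SAMPLE_GOOD" | check_status "$PINNED_FPR"; then
    echo "sample: signature accepted"
fi
```

An updater would call `verify_release` on the downloaded file and its detached signature and install only when it returns 0; a valid signature from any key other than the pinned one is rejected.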