[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: hidden services spoof

To: or-talk@xxxxxxxxxxxxx
Subject: Re: hidden services spoof
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Mon, 11 Sep 2006 17:49:26 -0400
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Mon, 11 Sep 2006 17:49:56 -0400
In-reply-to: <922080110.20060911161027@gmail.com>
Mail-followup-to: Nick Mathewson <nickm@xxxxxxxxxxxxx>, or-talk@xxxxxxxxxxxxx
References: <922080110.20060911161027@gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.2.1i

On Mon, Sep 11, 2006 at 04:10:27PM -0500, Arrakistor wrote:
> I  am  writing  an  updater  for  tor to automatically grab the latest
> version.  One  problem  I am coming across is where to host it so they
> cannot  be  spoofed.  I  was  thinking  of putting it at a server in a
> .onion  address.  How easily can a node in the tor network be spoofed?
> Is  there  a  better  solution  than  hosting the tor updates inside a
> .onion server?

Checking the PGP signature on the release should be enough to detect
fake updates.

(You've been checking PGP signatures already, right?)

-- 
Nick Mathewson

Attachment: pgpGK1h6rfycu.pgp
Description: PGP signature

Follow-Ups:
- Re[2]: hidden services spoof
  - From: Arrakistor

References:
- hidden services spoof
  - From: Arrakistor

Prev by Author: Let us know if Tor compiles with warnings
Next by Author: Re: [INFO] new anonymizing software
Previous by thread: hidden services spoof
Next by thread: Re[2]: hidden services spoof
Index(es):
- Author
- Thread