Re[2]: hidden services spoof

[Arrakistor <arrakistor@xxxxxxxxx>]

Nick,

Yes but the sig is only as good as the person you trust. That is why I
haven't  released  Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
trusted  binary.  I  don't  think  they yet have a pgp plugin for NSIS
language yet. I'll see what else can be done for verifying sigs.

Regards,
 Arrakistor
 

Monday, September 11, 2006, 4:49:26 PM, you wrote:

> On Mon, Sep 11, 2006 at 04:10:27PM -0500, Arrakistor wrote:
>> I  am  writing  an  updater  for  tor to automatically grab the latest
>> version.  One  problem  I am coming across is where to host it so they
>> cannot  be  spoofed.  I  was  thinking  of putting it at a server in a
>> .onion  address.  How easily can a node in the tor network be spoofed?
>> Is  there  a  better  solution  than  hosting the tor updates inside a
>> .onion server?

> Checking the PGP signature on the release should be enough to detect
> fake updates.

> (You've been checking PGP signatures already, right?)