
Re: hidden services spoof



Arrakistor wrote:
> Nick,
> 
> Yes but the sig is only as good as the person you trust. That is why I
> haven't released Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
> trusted binary. I don't think they have a pgp plugin for NSIS
> language yet. I'll see what else can be done for verifying sigs.

You're not going to get a better way to validate trust than a pgp
signature. If you don't trust the tor signing release keys, you
shouldn't trust the code they're signing.

Some random .onion address given over a mailing list isn't a secure way
to verify anything. Someone can compromise the server on the other end
of the .onion address.

It sounds like you're building an automatic updater for your system.

I suspect that you should be very careful as you're introducing a method
for automatically downloading binaries and potentially running untrusted
code.

You need to verify the pgp signature of builds just as you would source
code before building.

At the cost of repeating what Nick said, you're verifying pgp signatures
already, right?

Something,
Jacob Appelbaum
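
The check an automatic updater needs before it runs a downloaded build, as an added example that is not part of the original message or of Torpark's code: accept the file only when gpg reports a good signature from the one key the updater pins, rather than trusting gpg's exit status alone. The pinned fingerprint, the function names and the sample status lines are constructed placeholders.

```python
import subprocess

# Constructed placeholder: the full fingerprint of the release signing key,
# obtained and checked out of band. Not a real key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status keywords that must never appear for an accepted download.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def status_accepts(status_text, pinned_fpr=PINNED_FPR):
    """Decide from gpg --status-fd output whether the pinned key signed."""
    keywords, fprs = set(), set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keywords.add(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # Field 11 is the primary key fingerprint when gpg supplies it;
            # otherwise fall back to the signing (sub)key fingerprint.
            fprs.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    if keywords & REJECT or "GOODSIG" not in keywords:
        return False
    # Every valid signature must come from the pinned key, and only from it.
    return fprs == {pinned_fpr.upper()}

def verify_download(binary_path, sig_path, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature; True only if the pinned key signed."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, binary_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and status_accepts(proc.stdout, pinned_fpr)

# Constructed status output for three cases (not captured from a real run).
TAIL = " 2006-10-01 1159660800 0 4 0 17 2 00 "
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Release Signer\n"
               "[GNUPG:] VALIDSIG " + PINNED_FPR + TAIL + PINNED_FPR + "\n")
SAMPLE_OTHER_KEY = ("[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else\n"
                    "[GNUPG:] VALIDSIG " + OTHER_FPR + TAIL + OTHER_FPR + "\n")
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")

if __name__ == "__main__":
    for name in ("SAMPLE_GOOD", "SAMPLE_OTHER_KEY", "SAMPLE_EXPIRED"):
        print(name, status_accepts(globals()[name]))
```

The second sample is the case that an exit-status check misses: a cryptographically good signature made by a key that happens to be in the keyring but is not the release key.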