[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re[2]: hidden services spoof

To: Jacob Appelbaum <or-talk@xxxxxxxxxxxxx>
Subject: Re[2]: hidden services spoof
From: Arrakistor <arrakistor@xxxxxxxxx>
Date: Mon, 11 Sep 2006 18:41:48 -0500
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Mon, 11 Sep 2006 19:39:46 -0400
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:date:from:x-mailer:reply-to:organization:x-priority:message-id:to:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding; b=qp06L58XXHlgpl1WQva8Xs/VZpofNk9XAZGZTv+8N/1KqrWHjQiQDOjJj/qJoCG1Sj+gzuyJ9ji4+J4lJ2qHsp64Yrk3p5tSuOYykoXfPAfGNWf3Hq6V4X8TX8k8zZinIVyL1drvxFdXoc4Hzrn3NbP5WNH1rlYtHk6v7S+uj2M=
In-reply-to: <4505F0EA.6040800@appelbaum.net>
Organization: Torpark
References: <922080110.20060911161027@gmail.com> <20060911214926.GQ4634@totoro.wangafu.net> <31524743.20060911173348@gmail.com> <4505F0EA.6040800@appelbaum.net>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

Yes, I am building an updater. If phobos finishes the manual on how to
get it to compile under mingw, I will compile, sign, and release them
myself.

And yes, I am verifying the sigs I use in the release.

Regards,
 Arrakistor

Monday, September 11, 2006, 6:27:38 PM, you wrote:

> Arrakistor wrote:
>> Nick,
>> 
>> Yes but the sig is only as good as the person you trust. That is why I
>> haven't  released  Torpark 2.0b2 with 0.1.2.1-a, I simply don't have a
>> trusted  binary.  I  don't  think  they yet have a pgp plugin for NSIS
>> language yet. I'll see what else can be done for verifying sigs.

> You're not going to get a better way to validate trust than a pgp
> signature. If you don't trust the tor signing release keys, you
> shouldn't trust the code they're signing.

> Some random .onion address given over a mailing list isn't a secure way
> to verify anything. Someone can compromise the server on the other end
> of the .onion address.

> It sounds like you're building an automatic updater for your system.

> I suspect that you should be very careful as you're introducing a method
> for automatically downloading binaries and potentially running untrusted
> code.

> You need to verify the pgp signature of builds just as you would source
> code before building.

> At the cost of repeating what Nick said, you're verifying pgp signatures
> already already, right?

> Something,
> Jacob Appelbaum

References:
- hidden services spoof
  - From: Arrakistor
- Re: hidden services spoof
  - From: Nick Mathewson
- Re[2]: hidden services spoof
  - From: Arrakistor
- Re: hidden services spoof
  - From: Jacob Appelbaum

Prev by Author: Re[2]: hidden services spoof
Next by Author: Torpark 2.0b2 RC1
Previous by thread: Re: hidden services spoof
Next by thread: Torpark 2.0b2 RC1
Index(es):
- Author
- Thread