
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)



On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
On 9/2/2011 7:55 AM, Achter Lieber wrote:
----- Original Message -----
From: Roger Dingledine
Sent: 09/01/11 03:47 PM
To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

New bundles are out now: https://blog.torproject.org/blog/new-tor-browser-bundles-4

Perhaps now is a great time for you to learn how to verify the signatures on Tor packages you download: https://www.torproject.org/docs/verifying-signatures

Is it really a risk, d/l Tor or TBB directly from Tor Project's site, that verifying signatures is necessary? What is the reasoning here - if getting files from Tor Project server?

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

I believe that the point of Roger's message was that you or I may not really be downloading the package from TorProject, if we are using SSL that is authenticated to a fake certificate.

I do not use a Mac, but I was able to use GPA and Kleopatra in Windows to verify that the bundles I downloaded were signed by Erinn. 
In <https://www.torproject.org/docs/verifying-signatures> the procedure for verification spelled out for use on a Mac should work to verify files containing Windows code. The procedure applies to the verification computer, not the target computer.

David Carlson


      

Attachment: 0xDC7C8BF3.asc
Description: application/pgp-keys
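
The check discussed in this thread, as an added example that is not part of the original messages or the Tor Project's own instructions: accept a download only when gpg reports a valid signature from a pinned full fingerprint, so that a forged TLS certificate on the download connection cannot substitute both the package and the key. The helper names `sig_ok` and `verify_download` are hypothetical, the fingerprint and status lines are constructed, and the real fingerprint is assumed to come from a channel other than the download connection.

```shell
#!/bin/sh
# Added example. sig_ok and verify_download are hypothetical helper names.

# sig_ok EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin. Succeeds only when there is exactly
# one VALIDSIG line whose signing-key or primary-key fingerprint equals
# EXPECTED_FPR and no bad, expired or revoked status line is present.
sig_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-character fingerprint, never a short key ID.
    [ "${#want}" -eq 40 ] || return 1
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key, the last field the primary key.
        $2 == "VALIDSIG" { n++; if ($3 == want || $NF == want) ok = 1 }
        END { if (ok && !bad && n == 1) exit 0; exit 1 }
    '
}

# verify_download FILE SIGFILE EXPECTED_FPR
# Runs on the verification computer; FILE may target any operating system.
verify_download() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | sig_ok "$3"
}

# Constructed sample status output (not from a real key).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_status="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2011-09-01 1314835200 0 4 0 1 2 00 $SAMPLE_FPR"

if printf '%s\n' "$sample_status" | sig_ok "$SAMPLE_FPR"; then
    echo "signature matches pinned fingerprint"
else
    echo "REJECT: do not install"
fi
```

A "Good signature" message alone only shows that some key in the local keyring signed the file; comparing the full fingerprint is what ties the package to the expected signer.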
