
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)



According to a number of bloggers(1), torproject.org was included among those domains targeted in the certificate breach. In at least the case of Google, these certificates have been offered to Iranian Internet users by a number of ISPs, in a number of cities.

Risk is a product of situation, and if you are in Iran, Syria, Belarus, et al, I would exercise at least that level of caution.

(1) http://www.nu.nl/internet/2603449/mogelijk-nepsoftware-verspreid-naast-aftappen-gmail.html

On Fri, Sep 2, 2011 at 1:11 PM, Seth David Schoen <schoen@xxxxxxx> wrote:
Joe Btfsplk writes:

> Is it really a risk, d/l  Tor or TBB directly from Tor Project's
> site, that verifying signatures is necessary?  What is the reasoning
> here - if getting files from Tor Project server?

How do you know it was really the Tor Project server?

--
Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk



--
Collin David Anderson
averysmallbird.com | @cda | Washington, D.C.
