[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
From: Collin Anderson <collin@xxxxxxxxxxxxxxxxxx>
Date: Fri, 2 Sep 2011 13:31:53 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 02 Sep 2011 13:32:10 -0400
In-reply-to: <20110902171101.GA6618@sescenties>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110902125555.163220@xxxxxxx> <4E60E813.1060409@xxxxxxx> <20110902171101.GA6618@sescenties>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

According to a number of bloggers(1), torproject.org was include among those domains targeted in the certificate breach. In at least the case of Google, these certificates have been offered to Iranian Internet users by a number of ISPs, in a number of city.

Risk is a product of situation, and if you are in Iran, Syria, Belarus, et al, I would exercise at least that level of caution.

(1) http://www.nu.nl/internet/2603449/mogelijk-nepsoftware-verspreid-naast-aftappen-gmail.html

On Fri, Sep 2, 2011 at 1:11 PM, Seth David Schoen <schoen@xxxxxxx> wrote:

Joe Btfsplk writes:

> Is it really a risk, d/l Tor or TBB directly from Tor Project's
> site, that verifying signatures is necessary? What is the reasoning
> here - if getting files from Tor Project server?

How do you know it was really the Tor Project server?

--
Seth Schoen <schoen@xxxxxxx>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--
Collin David Anderson

averysmallbird.com | @cda | Washington, D.C.

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: andrew

References:
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Achter Lieber
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Joe Btfsplk
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Seth David Schoen

Prev by Author: [tor-talk] HTTPS Everywhere
Next by Author: Re: [tor-talk] Dutch Police Investigation & Tor Spike: Correlation Or Also Causation?
Previous by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Next by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Index(es):
- Author
- Thread