
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx wrote 4.5K bytes in 109 lines about:
> : According to a number of bloggers(1), torproject.org was included among those
>
> Here's another blogger for your list,
> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it

Thanks for all replies on this. I read over several linked articles. Honestly, many avg users won't / can't take time to read it all & may not understand it.

Question - obviously, Tor isn't the only software or site that could be targeted. What's to prevent the necessity of verifying signatures on every d/l of software, even from mainstream, major developers (if they made it possible)? And if they don't, why wouldn't users of other software be at the same risk? Just because we haven't heard about XYZ software & fake certificates, does that mean anything? Sure, verifying Tor may be prudent, but what if users have to verify signatures on all software (if available)? Unless it becomes a more automated process, avg users wouldn't devote that kind of time.

I'm just asking here - other than entities (gov'ts?) targeting anonymity software (for now), what prevents this issue from becoming widespread? If I download an update from MS - how do I know it's the authentic pkg from the real MS? There's no authentication (or even checksums) for d/l of Firefox, IE. Only a small % of all developers offer these capabilities.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk