Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
Thanks for all replies on this. I read over several linked articles.
Honestly, many avg users won't / can't take time to read it all & may
not understand it.
On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx wrote 4.5K bytes in 109 lines about:
: According to a number of bloggers(1), torproject.org was included among those
Here's another blogger for your list,
Question - obviously, Tor isn't the only software or site that could be
targeted. What's to prevent necessity of verifying signatures on every
d/l software, even mainstream, major developers (if they made it
possible)? And if they don't, why wouldn't users of other software be
at same risk? Just because we haven't heard about XYZ software & fake
certificates, does that mean anything? Sure, verifying Tor may be
prudent, but what if users have to verify signatures on all software (if
available)? Unless it becomes a more automated process, avg users
wouldn't devote that kind of time.
I'm just asking here - other than entities (gov'ts?) targeting anonymity
software (for now) what prevents this issue from becoming widespread?
If I download an update from MS - how do I know it's the authentic pkg
from the real MS? There's no authentication (or even check sums) for
d/l Firefox, IE. Only a small % of all developers offer these capabilities.