On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
Thanks for all replies on this. I read over several linked articles. Honestly, many avg users won't / can't take time to read it all & may not understand it.

On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx wrote 4.5K bytes in 109 lines about:
: According to a number of bloggers(1), torproject.org was include among those

Here's another blogger for your list, https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
Question - obviously, Tor isn't the only software or site that could be targeted. What's to prevent necessity of verifying signatures on every d/l software, even mainstream, major developers (if they made it possible)? And if they don't, why wouldn't users of other software be at same risk? Just because we haven't heard about XYZ software & fake certificates, does that mean anything? Sure, verifying Tor may be prudent, but what if users have to verify signatures on all software (if available)? Unless it becomes a more automated process, avg users wouldn't devote that kind of time.
I'm just asking here - other than entities (gov'ts?) targeting anonymity software (for now) what prevents this issue from becoming widespread? If I download an update from MS - how do I know it's the authentic pkg from the real MS? There's no authentication (or even check sums) for d/l Firefox, IE. Only a small % of all developers offer these capabilities.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk