[tor-talk] Verifying software signatures (Was: Dutch CA issues fake *.torproject.org cert (among many others))
On 2011-09-03 15:39 , Joe Btfsplk wrote:
> On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx
>> wrote 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included
>> among those
>> Here's another blogger for your list,
> Thanks for all replies on this. I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
> Question - obviously, Tor isn't the only software or site that could be
> targeted. What's to prevent necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)? And if they don't, why wouldn't users of other software be
> at same risk? Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything? Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)? Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.
At least three tools can do this for you:
Team Cymru's WinMHR:
Secunia Personal Software Inspector (PSI):
Spybot Search & Destroy:
Note that these primarily focus on malware & spybots, and most likely all
depend on the wrong hash being known to the tool that you are using.
At least they can state in quite a few cases which binaries are known to
them and which standard binaries are off from what they see in the wild.
You are also, of course, like in a lot of cases, depending on those
organizations to do the right thing, which again boils down to who to trust.
tor-talk mailing list
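As an added illustration of the "known hash" caveat in the reply above (example code written for this page, not taken from the thread or from any of the tools named), a minimal hash-based checker: the manifest and the bad-hash feed are constructed inline, and the verdicts show that a binary the tool has never seen yields no opinion at all, while a binary whose name is known but whose bytes differ from the publisher's is flagged separately.

```python
"""Hash-based binary verification, modelled on how tools such as WinMHR or
Secunia PSI can only speak about binaries whose hashes they already know.

All data below is constructed for illustration; the hash lists do not come
from any real vendor manifest or threat feed.
"""
import hashlib
from io import BytesIO

# Constructed "vendor manifest": file name -> SHA-256 the publisher states.
VENDOR_MANIFEST = {
    "tor.exe": hashlib.sha256(b"genuine tor build (constructed)").hexdigest(),
}
# Constructed "known bad" feed: SHA-256 values a scanner has seen in malware.
KNOWN_BAD = {
    hashlib.sha256(b"trojanised installer (constructed)").hexdigest(),
}


def sha256_stream(fileobj, chunk_size=64 * 1024):
    """Digest a file object in chunks so large installers need not be read
    into memory at once."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def classify(name, fileobj, manifest=VENDOR_MANIFEST, bad=KNOWN_BAD):
    """Return one of four verdicts. Only KNOWN_GOOD and KNOWN_BAD are
    positive statements; UNKNOWN means the tool has no record and therefore
    no opinion (it does not mean "clean"), and every verdict is only as
    trustworthy as the organisation that supplied the lists."""
    digest = sha256_stream(fileobj)
    if digest in bad:
        return "KNOWN_BAD"
    expected = manifest.get(name)
    if expected is None:
        return "UNKNOWN"      # no record at all: nothing can be said
    if digest == expected:
        return "KNOWN_GOOD"
    return "MODIFIED"         # name is known, bytes differ from the publisher's


def classify_bytes(name, data):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return classify(name, BytesIO(data))


if __name__ == "__main__":
    print(classify_bytes("tor.exe", b"genuine tor build (constructed)"))
    print(classify_bytes("tor.exe", b"trojanised installer (constructed)"))
    print(classify_bytes("tor.exe", b"same name, different bytes"))
    print(classify_bytes("other.exe", b"never seen before"))
```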