
[tor-talk] Verifying software signatures (Was: Dutch CA issues fake *.torproject.org cert (among many others))

On 2011-09-03 15:39 , Joe Btfsplk wrote:
> On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx
>> wrote 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included
>> among those
>> Here's another blogger for your list,
>> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
> Thanks for all replies on this.  I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
> Question - obviously, Tor isn't the only software or site that could be
> targeted.  What's to prevent the necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)?  And if they don't, why wouldn't users of other software be
> at the same risk?  Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything?  Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)?  Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.

At least three tools can do this for you:

Team Cymru's WinMHR:

Secunia Personal Software Inspector (PSI):

Spybot Search & Destroy:

Note that these primarily focus on malware & spybots and most likely all
depend on the wrong hash to be known at the tool that you are using.
At least they can state in quite a few cases which binaries are known to
them and which standard binaries are off from what they see in the wild.

You are also, of course, as in a lot of cases, depending on those
organizations to do the right thing, which again boils down to whom to trust.
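A minimal version of the hash-lookup check that tools of this kind perform, as an added example (not code from the original thread, nor from any of the tools named above). The manifest, file names and file contents are constructed for the demonstration; the last function shows why the result is only as trustworthy as the manifest it consults.

```python
import hashlib
import hmac

# Constructed "known-good" table of the sort a hash-lookup tool ships with:
# file name -> SHA-256 hex digest the publisher is believed to have stated.
# Everything below hinges on this table being genuine.
KNOWN_GOOD = {
    "tor-browser.exe": hashlib.sha256(b"genuine tor-browser bytes").hexdigest(),
    "notepad.exe": hashlib.sha256(b"genuine notepad bytes").hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Digest the file in chunks so large binaries need not sit in memory twice."""
    h = hashlib.sha256()
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def check_binary(name: str, data: bytes, manifest=KNOWN_GOOD) -> str:
    """Classify a file the way the lookup tools do.

    'match'    - digest equals the recorded one
    'mismatch' - the name is known, but the bytes differ from what was recorded
    'unknown'  - no reference digest exists, so nothing can be said either way
    """
    expected = manifest.get(name)
    if expected is None:
        return "unknown"
    if hmac.compare_digest(sha256_hex(data), expected):
        return "match"
    return "mismatch"


def check_all(files: dict, manifest=KNOWN_GOOD) -> dict:
    """Report per-file status for a batch of downloaded files."""
    return {name: check_binary(name, data, manifest) for name, data in files.items()}


def trust_shift_demo() -> tuple:
    """Same tampered file, two manifests: the verdict follows the manifest,
    which is why the question becomes who publishes and protects that table."""
    tampered = b"trojaned tor-browser bytes"
    poisoned = {"tor-browser.exe": sha256_hex(tampered)}
    return (check_binary("tor-browser.exe", tampered),
            check_binary("tor-browser.exe", tampered, poisoned))
```

Running `trust_shift_demo()` yields `('mismatch', 'match')`: the honest manifest flags the file, the altered one clears it.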
