
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

Roger Dingledine wrote:
> Perhaps now is a great time for you to learn how to verify the signatures
> on Tor packages you download:

I don't have a solution to this problem but I am raising it in case
somebody else does.  It's great that you not only sign your packages but
that the page above also lists the fingerprints of the signing keys.
But in case of a man-in-the-middle attack (or a compromised website) the
attacker could provide his own signatures for trojaned packages and then
display a page that shows the signature for *his* signing key(s) in
place of those for the real keys.

I presume the general method of solving this for PGP keys is to create a
chain of trust by signing the keys.  But it is not clear to me how that
would work for a project like Tor that distributes software to all
comers where "signing parties" and the like are out of the question.
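As an added example (not from this message or from the Tor project), this is the check a downloader can apply against the attack described above: accept the package only when gpg reports a valid signature *and* the signing key's fingerprint matches one pinned through a channel other than the download page. The fingerprints, key ids and gpg status lines below are constructed placeholders, not real Tor keys.

```python
"""Trust decision for a package signature: gpg's "Good signature" only proves the
file matches *some* key, so the signer must also match a pinned fingerprint."""
import subprocess

# Constructed placeholder for a fingerprint learned through a channel independent
# of the download site (earlier install, printed material, a person you trust).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}

def gpg_status(sig_path, data_path):
    """Run gpg on a real detached signature; --status-fd 1 puts the status lines on stdout."""
    return subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True).stdout.splitlines()

def evaluate(status_lines, pinned):
    """Return (trusted, reason): trusted only when gpg emits VALIDSIG and the
    signing key or its primary key is in the pinned set."""
    pinned = {f.upper() for f in pinned}
    signer_fprs = set()
    for line in status_lines:
        tok = line.split()
        if len(tok) < 3 or tok[0] != "[GNUPG:]":
            continue
        if tok[1] in FAILURE_KEYWORDS:
            return False, "gpg reported " + tok[1]
        if tok[1] == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv> <pk> <hash> <class> [<primary-fpr>]
            signer_fprs.add(tok[2].upper())
            if len(tok) >= 12:
                signer_fprs.add(tok[11].upper())
    if not signer_fprs:
        return False, "no valid signature found"
    matched = signer_fprs & pinned
    if not matched:
        return False, "good signature, but from an unpinned key: " + ", ".join(sorted(signer_fprs))
    return True, "signature by pinned key " + sorted(matched)[0]

# Constructed gpg status output (not captured from real runs); the attacker's key
# produces exactly the same GOODSIG/VALIDSIG shape as the pinned one.
VALIDSIG_TAIL = " 2011-09-01 1314835200 0 4 0 1 10 01 "
STATUS_PINNED_KEY = [
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567" + VALIDSIG_TAIL
    + "0123456789ABCDEF0123456789ABCDEF01234567",
]
STATUS_UNPINNED_KEY = [
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98" + VALIDSIG_TAIL
    + "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
]
STATUS_BAD = ["[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>"]
```

The pinned set is the only thing separating the first two cases; gpg itself rates both signatures as good.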


tor-talk mailing list