
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 03/09/11 15:59, Jim wrote:
> I don't have a solution to this problem but I am raising it in case
> somebody else does.  It's great that you not only sign your packages but
> that the page above also lists the fingerprints of the signing keys.
> But in case of a man-in-the-middle attack (or a compromised website) the
> attacker could provide his own signatures for trojaned packages and then
> display a page that shows the signature for *his* signing key(s) in
> place of those for the real keys.

There's no general solution as this is a bootstrapping problem. However,
anyone experienced enough to be responsible for signing releases of a
project such as Tor will undoubtedly have left traces elsewhere on the
net (unless they're working anonymously). For instance, they may be a
Debian developer, or have a Twitter account. By comparing fingerprints
or contact details published on different websites you can confirm that
they belong to the same person and therefore haven't been tampered with.
Deciding whether that person *should* be signing packages is a separate
problem, but one that can be approached in a similar manner. Once you've
verified a key to your satisfaction, then add it to your keyring and
lsign it (that's "lsign", not "sign"). If ever a future download fails
verification because you don't trust the key, and you haven't been
notified of a change in signing key, then you know something is amiss.

The real problem is in educating people that it's a good idea to go
through this rigmarole. I'd love to see a solution to that.
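The routine sketched in the message above, written out as an added example that is not part of the original post and not Tor's own tooling. It covers the two mechanical steps: cross-checking a signing key's fingerprint as published in several independent places against what `gpg --with-colons --fingerprint` reports for the imported key, and interpreting the machine-readable output of a later `gpg --verify --status-fd 1` so that "bad signature", "unknown key" and "good signature from a key you never lsigned" are distinguished rather than all lumped together as a failure. Every fingerprint, user ID and gpg output line below is a constructed sample; the key IDs and addresses are invented for illustration.

```python
"""Cross-check published fingerprints, then interpret gpg verification
status lines. Added example: all data below is constructed, not real."""
import re
from typing import Dict, Set, Tuple

def normalize_fpr(text: str) -> str:
    """Canonicalise a fingerprint however it was pasted on a web page:
    optional '0x' prefix, grouping spaces, lowercase hex.
    Raises ValueError unless the result is the 40 hex digits of a v4 key."""
    cleaned = re.sub(r"\s+", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a v4 fingerprint: %r" % text)
    return cleaned

def keyring_fingerprints(colons_output: str) -> Set[str]:
    """Primary-key fingerprints from `gpg --with-colons --fingerprint`.
    The fingerprint is field 10 of an 'fpr' record; the first 'fpr' after a
    'pub' record belongs to the primary key, later ones to subkeys."""
    fprs = set()
    expect_primary = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            fprs.add(fields[9])
            expect_primary = False
    return fprs

def cross_check(published: Dict[str, str], colons_output: str) -> Tuple[bool, str]:
    """(ok, detail): ok only when every independently published fingerprint
    agrees with the others AND matches a primary key in the local keyring."""
    try:
        seen = {src: normalize_fpr(f) for src, f in published.items()}
    except ValueError as e:
        return False, str(e)
    distinct = set(seen.values())
    if len(distinct) != 1:
        return False, "published fingerprints disagree: %r" % seen
    fpr = distinct.pop()
    if fpr not in keyring_fingerprints(colons_output):
        return False, fpr + " is not a primary key in the local keyring"
    return True, fpr

def judge_verification(status_lines: str) -> str:
    """Map `gpg --verify --status-fd 1` output to one verdict:
    'accept'          GOODSIG and the key is fully/ultimately valid, which is
                      what lsigning it with your own ultimately-trusted key gives
    'untrusted-key'   GOODSIG but you never certified the key: suspicious
                      unless a signing-key change was announced
    'unknown-key'     the signing key is not in the keyring at all
    'bad-signature'   the signature does not match the file
    'no-signature'    nothing usable was found"""
    good = bad = nokey = False
    trust = None
    for line in status_lines.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        tag = line.split()[1]
        if tag == "GOODSIG":
            good = True
        elif tag == "BADSIG":
            bad = True
        elif tag == "NO_PUBKEY":
            nokey = True
        elif tag.startswith("TRUST_"):
            trust = tag
    if bad:
        return "bad-signature"
    if nokey and not good:
        return "unknown-key"
    if good and trust in ("TRUST_FULLY", "TRUST_ULTIMATE"):
        return "accept"
    if good:
        return "untrusted-key"
    return "no-signature"

# Constructed sample of `gpg --with-colons --fingerprint` for one imported key.
SAMPLE_COLONS = """tru::1:1700000000:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1600000000::::::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:f::::1600000000::0000::Release Signer (constructed) <signer@example.org>::::::::::0:
sub:f:4096:1:FEDCBA9876543210:1600000000::::::s::::::23:
fpr:::::::::9999888877776666555544443333222211110000:
"""
# The same fingerprint as it might appear on three unrelated sites (constructed).
PUBLISHED_AGREEING = {
    "project-page": "AAAA 1111 BBBB 2222 CCCC  3333 DDDD 4444 EEEE 5555",
    "debian-keyring": "0xaaaa1111bbbb2222cccc3333dddd4444eeee5555",
    "twitter-bio": "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
}
# One source tampered with (the MITM scenario from the thread).
PUBLISHED_CONFLICTING = dict(PUBLISHED_AGREEING,
    **{"project-page": "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"})

# Constructed `--status-fd` transcripts for the four outcomes.
STATUS_GOOD_TRUSTED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Signer (constructed) <signer@example.org>
[GNUPG:] VALIDSIG AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555 2023-01-01 1672531200 0 4 0 1 10 00 AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
[GNUPG:] TRUST_FULLY 0 pgp
"""
STATUS_GOOD_UNTRUSTED = STATUS_GOOD_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Release Signer (constructed) <signer@example.org>\n"
STATUS_NOKEY = "[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 1111222233334444 1 10 00 1672531200 9 -\n[GNUPG:] NO_PUBKEY 1111222233334444\n"

if __name__ == "__main__":
    print(cross_check(PUBLISHED_AGREEING, SAMPLE_COLONS))
    print(cross_check(PUBLISHED_CONFLICTING, SAMPLE_COLONS))
    for s in (STATUS_GOOD_TRUSTED, STATUS_GOOD_UNTRUSTED, STATUS_BAD, STATUS_NOKEY):
        print(judge_verification(s))
```

In practice the inputs come from `gpg --with-colons --fingerprint <keyid>` and `gpg --verify --status-fd 1 package.asc package`, and the step between the two checks is the one the message insists on: `gpg --lsign-key <fingerprint>`, which makes the key fully valid for you without exporting a certification to anyone else. Only the "untrusted-key" verdict depends on that local signature, which is exactly why a good-looking signature from a key you never lsigned deserves a closer look rather than a shrug.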



tor-talk mailing list