Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On 9/3/11, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
> On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx wrote
>> 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included among those
>> Here's another blogger for your list,
>> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
> Thanks for all replies on this.  I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
> Question - obviously, Tor isn't the only software or site that could be
> targeted.  What's to prevent necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)?  And if they don't, why wouldn't users of other software be
> at same risk?  Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything?  Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)?

These are all rhetorical questions - right?

>  Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.

And your point is ... what?  I used to not bother locking my car at
home.  Someone stole everything in my car one night so now I always
lock it.   ^shrug^  If the average user gets concerned enough about
security they'll take the time.

> I'm just asking here - other than entities (gov'ts?) targeting anonymity
> software (for now) what prevents this issue from becoming widespread?

I haven't heard of anyone being able to create a fake cert.  As far as
I know, they've all been bought or stolen from trusted CAs.  So how
much do you trust all those CAs in your browser certificate store?
After the Comodo [? from memory - not bothering to check] certificate
kerfuffle I deleted all the non-US CAs from IE.

> If I download an update from MS - how do I know it's the authentic pkg
> from the real MS?
>  There's no authentication (or even check sums) for
> d/l Firefox, IE.

There is on Windows... see the TrueCrypt page.

>  Only a small % of all developers offer these capabilities.

If you're concerned about it, ask the developers to offer the capabilities.
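The thread asks what "verifying signatures on every downloaded package" would actually involve and notes that some projects publish checksums while others publish nothing. The script below is an added illustration, not code from the thread or from any of the projects named in it: it verifies downloaded files against a `sha256sum`-style manifest (64 hex characters, two spaces, file name; this format is an assumption), reporting OK, MISMATCH or MISSING for each entry. The download directory and manifest are constructed in a temporary directory so it runs offline. A checksum only proves integrity against the manifest; it proves authenticity only if the manifest itself reached you over a channel you trust (a signed manifest, or an HTTPS origin whose certificate you have reason to trust, which is the whole CA question raised above).

```python
"""Verify downloaded files against a SHA-256 checksum manifest.

Hypothetical example: the manifest format is the one produced by
`sha256sum` (64 hex chars, two spaces, file name). The sample files and
manifest below are constructed in a temporary directory so the script
runs offline.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read files in 1 MiB chunks so large packages don't fill memory


def sha256_of_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse `sha256sum`-style lines into {filename: expected_hex_digest}.

    Blank lines and '#' comments are skipped; a line that is not
    '<64 hex chars>  <name>' raises ValueError instead of being silently ignored,
    so a truncated or edited manifest fails loudly.
    """
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hexadecimal
        # sha256sum marks binary-mode entries with a leading '*'
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_downloads(manifest_text, directory):
    """Check every file named in the manifest against the copy on disk.

    Returns {filename: "OK" | "MISMATCH" | "MISSING"}. The digest comparison
    uses hmac.compare_digest, the constant-time comparison idiom.
    """
    results = {}
    for name, want in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        got = sha256_of_file(path)
        results[name] = "OK" if hmac.compare_digest(got, want) else "MISMATCH"
    return results


def demo():
    """Build a constructed download directory: one good file, one tampered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer.exe")
        with open(good, "wb") as f:
            f.write(b"genuine installer bytes")
        tampered = os.path.join(d, "plugin.zip")
        with open(tampered, "wb") as f:
            f.write(b"modified contents")  # differs from what the manifest expects
        manifest = "\n".join([
            "# constructed sha256sums file",
            f"{sha256_of_file(good)}  installer.exe",
            f"{hashlib.sha256(b'original contents').hexdigest()}  plugin.zip",
            f"{'0' * 64}  readme.txt",  # listed in the manifest but never downloaded
        ])
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Run it directly to see one file pass, one flagged as tampered and one reported missing; in practice you would point `verify_downloads` at the directory your browser saved the package into and the manifest text you fetched separately.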

