Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/3/11, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
> On 9/2/2011 4:46 PM, andrew@xxxxxxxxxxxxxx wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin@xxxxxxxxxxxxxxxxxx wrote
>> 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included among those
>>
>> Here's another blogger for your list,
>> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
> Thanks for all replies on this. I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
>
> Question - obviously, Tor isn't the only software or site that could be
> targeted. What's to prevent necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)? And if they don't, why wouldn't users of other software be
> at same risk? Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything? Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)?
These are all rhetorical questions - right?
> Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.
And your point is ... what? I used to not bother locking my car at
home. Someone stole everything in my car one night so now I always
lock it. ^shrug^ If the average user gets concerned enough about
security they'll take the time.
> I'm just asking here - other than entities (gov'ts?) targeting anonymity
> software (for now) what prevents this issue from becoming widespread?
I haven't heard of anyone being able to create a fake cert. As far as
I know, they've all been bought or stolen from trusted CAs. So how
much do you trust all those CAs in your browser certificate store?
After the Comodo [? from memory - not bothering to check] certificate
kerfuffle I deleted all the non-US CAs from IE.
> If I download an update from MS - how do I know it's the authentic pkg
> from the real MS?
http://www.truecrypt.org/digital-sig-note
> There's no authentication (or even check sums) for
> d/l Firefox, IE.
There is on Windows .. see the truecrypt page.
> Only a small % of all developers offer these capabilities.
If you're concerned about it, ask the developers to offer the capabilities.
Lee
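The thread asks what it would take to verify every download without the user doing it by hand. As an added example (not part of the original list mail, and not a Tor Project tool), here is the minimal automated check a user can script: hash a downloaded file and compare it against a sha256sum-style manifest, using a constant-time comparison and treating unlisted files as unverified. The file name "tor-browser.tar.xz", the manifest contents and the temporary files are all constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts
        # sha256sum prefixes '*' to names hashed in binary mode; strip it
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_of(path):
    """Stream the file through SHA-256 so large downloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """Return True only if the file's digest matches its manifest entry."""
    expected = parse_sha256sums(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False  # an unlisted file is unverified, never silently accepted
    # constant-time compare avoids leaking how many leading characters matched
    return hmac.compare_digest(sha256_of(path), expected[name])


def demo():
    """Constructed scenario: a good download, then the same file after tampering."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "tor-browser.tar.xz")  # hypothetical file name
    with open(path, "wb") as f:
        f.write(b"hello world")
    # constructed manifest: SHA-256 of b"hello world" next to the file name
    manifest = ("b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
                "  tor-browser.tar.xz\n")
    ok = verify_download(path, manifest)
    with open(path, "ab") as f:
        f.write(b"!")  # simulate a corrupted or modified download
    tampered = verify_download(path, manifest)
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The caveat that ties this back to the DigiNotar discussion: a hash manifest only proves the file matches the manifest. If both were fetched over a connection whose certificate was issued by a compromised CA, an attacker who replaced the file can replace the manifest too. The manifest (or the file itself) has to be signed with a key obtained out of band, which is what the OpenPGP signatures on Tor downloads and Authenticode signatures on Windows binaries provide, and why the thread keeps coming back to them.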
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk