[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
From: Lee <ler762@xxxxxxxxx>
Date: Sat, 3 Sep 2011 14:36:54 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 03 Sep 2011 14:37:11 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=yPx25+VuFIKaGx5yJYm2jFMF+LQljhMMp3YQT5bAxkM=; b=MyT75Pm8Un6MJiBrzytoWiuDKk3AI0wk7RtUoIBtxI77U+OA6slMmWe8bngUleDFeq q9Kx0SHnfJfJZvDuwyj4AnQAUve2KzPh3GtxVoBCwM4qF4mpnLwTCIpC2CvlE8QsNug5 XaZX3XeZyftHauVH4EhjMiQ6XrzBi4BNOMw1g=
In-reply-to: <4E626A99.3010400@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110901084723.GK20497@xxxxxxxxxxxxxx> <4E6240E3.5020805@xxxxxxxxxx> <4E626A99.3010400@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On 9/3/11, Julian Yon <julian@xxxxxxxxxx> wrote:
> On 03/09/11 15:59, Jim wrote:
>> I don't have a solution to this problem but I am raising it in case
>> somebody else does.  It's great that you not only sign your packages but
>> that the page above also lists the fingerprints of the signing keys.
>> But in case of a man-in-the-middle attack (or a compromised website) the
>> attacker could provide his own signatures for trojaned packages and then
>> display a page that shows the signature for *his* signing key(s) in
>> place of those for the real keys.
>
> There's no general solution as this is a bootstrapping problem.

Is there a solution for this specific case?  Someone claiming to be
Roger Dingledine included a PGP signature block in the msg that
started this thread.  Nobody's responded "Hey! That wasn't me!!" or
"That's not my PGP sig!" so it seems safe enough to trust that sig.

Is there a secure way to get from that PGP sig to whatever's necessary
for verifying a TOR package one just downloaded?

Lee


> However
> anyone experienced enough to be responsible for signing releases of a
> project such as Tor will undoubtedly have left traces elsewhere on the
> net (unless they're working anonymously). For instance, they may be a
> Debian developer, or have a Twitter account. By comparing fingerprints
> or contact details published on different websites you can confirm that
> they belong to the same person and therefore haven't been tampered with.
> Deciding whether that person *should* be signing packages is a separate
> problem, but which can be approached in a similar manner. Once you've
> verified a key to your satisfaction, then add it to your keyring and
> lsign it (that's "lsign", not "sign"). If ever a future download fails
> verification because you don't trust the key, and you haven't been
> notified of a change in signing key, then you know something is amiss.
>
> The real problem is in educating people that it's a good idea to go
> through this rigmarole. I'd love to see a solution to that.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: andrew
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Julian Yon

References:
- [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Roger Dingledine
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Jim
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Julian Yon

Prev by Author: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Next by Author: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Previous by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Next by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Index(es):
- Author
- Thread