
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)



On 9/3/2011 11:00 AM, Netizio wrote:
>> I'm just asking here - other than entities (gov'ts?) targeting anonymity
>> software (for now) what prevents this issue from becoming widespread?
>> If I download an update from MS - how do I know it's the authentic pkg
>> from the real MS?  There's no authentication (or even check sums) for
>> d/l Firefox, IE.  Only a small % of all developers offer these
>> capabilities.
> Hi, AFAIK Microsoft does an automated hash or signature check in the
> background to test that your downloaded packages are unmanipulated.
> Mozilla offers you md5 sums and - more recommended - sha1 sums along
> with the official key to check the integrity of downloads:
>
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/6.0.1/
>
> Greetings,
>
> Netizio
Thanks Netizio & others. Clarification - check sums & verifying signatures are completely different animals - yes? I'm getting more educated on signature verification, but more questions are popping up as well. Netizio, when you're right, you're right. I had never seen the page for mozilla w/ a "key", MD5s, SHA1s. You don't see it on their main d/l page - least I never have.

I'm asking these questions, because others that don't know are afraid to raise their hands. What you don't know CAN hurt you. I haven't used signature verification before, but my education field is about as technical as it gets. My 1st impression w/ the process (& instructions on Tor page - verifying signatures) is, it will be over the avg users' heads, or more trouble / effort than they're willing to exert (possibly to their detriment). I haven't tried the steps listed on Tor site, but seems pretty straightforward.

Q-1: on the Mozilla link above, the "Key" says

> This file contains the PGP keys of various developers that work on
> Mozilla and its subprojects (such as Firefox and Thunderbird).

Obviously, they assume anyone looking at that page & info will know exactly what to do w/ it. I don't. Would the process of using the data on their "Key" page be same as described on Tor Project's "Verifying Signatures" page?

Jeroen, thanks for links, but I was talking about more automated signature verification. I think those were more for check sums - yes? Still, good info.

Lee:
> These are all rhetorical questions - right?
No. I understand Tor Project's main concern is Tor / TBB. I fail to understand why the issue / problem being discussed is in any way limited to Tor or a few pieces of software. It seems like if it is, or could be a serious concern for Tor users, it could be for users of any software. My contention was, few are going to go to the trouble to verify signatures, by the process that currently exists (if signatures for everything existed - & it appears they SHOULD - but don't).

So, either it's a major concern & a LOT of people are going to get "infected" because they can't follow the procedures to verify signatures, or they won't take the time; OR it's not that big a risk for avg users. I might use the process, but a lot of people won't even understand the words, much less take the time. Boiled down: if it's a truly important step before installing any software, major developers need to make the verification process easier / more automated for avg users.

If it's as serious & imminent a danger as the bloggers & some Tor developers indicated, either major software developers will find a way to protect avg users, or the internet could eventually become like walking the streets of El Paso & Juarez, alone at night. For those not familiar, I've been told by people w/ family there or have visited, drug cartels have basically taken over & no "decent" folk are out after dark.

Lee:
>> Only a small % of all developers offer these capabilities.
> if you're concerned about it, ask the developers to offer the capabilities.
Should I be concerned? Are you? Is Tor or browsers the only software susceptible to fake certificates? Mozilla / Google have taken corrective steps. What about all the other apps? I have no idea how concerned I should be, but snippy answers don't contribute to the discussion.
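The checksum-versus-signature distinction raised above, and the role of Mozilla's "Key" file in Q-1, as an added example that is not from this post or from Mozilla: a Python script that checks a download against a SHA1SUMS file and, separately, checks the signature on SHA1SUMS against only the keys in the KEY file. The file names SHA1SUMS, SHA1SUMS.asc and KEY and the sample package path are assumptions, and the signature step needs gpg on PATH.

```python
# Constructed example, not from the mailing-list post. Models the two checks
# behind Mozilla's KEY / SHA1SUMS / SHA1SUMS.asc files (file names assumed):
# the hash proves integrity only; the signature over SHA1SUMS proves who published it.
import hashlib
import shutil
import subprocess
import tempfile

def parse_sums(text):
    """Parse '<hexdigest>  <path>' lines, the layout of SHA1SUMS / MD5SUMS."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def sha1_of_file(path):
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()

def verify_checksum(sums_text, entry, downloaded_path):
    """True iff the download matches its SHA1SUMS entry. Says nothing about who
    wrote SHA1SUMS: whoever can swap the package can swap an unsigned list too."""
    expected = parse_sums(sums_text).get(entry)
    return expected is not None and sha1_of_file(downloaded_path) == expected

def verify_signature(sums_path, asc_path, key_file):
    """True iff SHA1SUMS.asc is a good signature over SHA1SUMS by a key from KEY.
    A throwaway keyring means only KEY's keys count. None if gpg is missing."""
    if shutil.which("gpg") is None:
        return None
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", key_file], capture_output=True)
        done = subprocess.run(gpg + ["--verify", asc_path, sums_path], capture_output=True)
        return done.returncode == 0

def demo():
    """Constructed package and SHA1SUMS: genuine copy passes, tampered copy fails."""
    entry = "linux-i686/en-US/firefox-6.0.1.tar.bz2"
    with tempfile.TemporaryDirectory() as d:
        pkg = d + "/firefox-6.0.1.tar.bz2"
        with open(pkg, "wb") as f:
            f.write(b"constructed package bytes\n")
        sums = f"{sha1_of_file(pkg)}  {entry}\n"
        genuine = verify_checksum(sums, entry, pkg)
        with open(pkg, "ab") as f:
            f.write(b"tampered\n")
        return genuine, verify_checksum(sums, entry, pkg)
```

Run the two checks in order: `verify_signature` on the downloaded SHA1SUMS first, then `verify_checksum` on the package; a passing hash with an unverified list is only protection against a corrupted download, not against a substituted one.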

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk