[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
On 9/3/2011 11:00 AM, Netizio wrote:
Thanks Netizio & others. Clarification - check sums & verifying
signatures are completely different animals - yes? I'm getting more
educated on signature verification, but more questions are popping up as
well. Netizio, when you're right, you're right. I had never seen the
page for mozilla w/ a "key", MD5s, SHA1s. You don't see it on their
main d/l page - least I never have.
I'm just asking here - other than entities (gov'ts?) targeting anonymity
software (for now) what prevents this issue from becoming widespread?
If I download an update from MS - how do I know it's the authentic pkg
from the real MS? There's no authentication (or even check sums) for
d/l Firefox, IE. Only a small % of all developers offer these
Hi, AFAIK Microsoft does an automated hash or signature check in the
background to test that your downloaded packages are unmanipulated.
Mozilla offers you md5 sums and - more recommended - sha1 sums along
with the offical key to check the integrity of downloads:
I'm asking these questions, because others that don't know are afraid to
raise their hands. What you don't know CAN hurt you. I haven't used
signature verification before, but my education field is about as
technical as it gets. My 1st impression w/ the process (& instructions
on Tor page - verifying signatures) is, it will be over the avg users'
heads, or more trouble / effort than they're willing to exert (possibly
to their detriment). I haven't tried the steps listed on Tor site, but
seems pretty straight forward.
Q-1: on the Mozilla link above, the "Key" says
Obviously, they assume anyone looking at that page & info will know
exactly what to do w/ it. I don't. Would the process of using the
data on their "Key" page be same as described on Tor Project's
"Verifying Signatures" page?
This file contains the PGP keys of various developers that work on
Mozilla and its subprojects (such as Firefox and Thunderbird).
Jeroen, thanks for links, but I was talking about more automated
signature verification. I think those were more for check sums - yes?
Still, good info.
No. I understand Tor Project's main concern is Tor / TBB. I fail to
understand why the issue / problem being discussed is in any way limited
to Tor or a few softwares. It seems like if it is, or could be a
serious concern for Tor users, it could be for users of any software.
My contention was, few are going to go to the trouble to verify
signatures, by the process that currently exists (if signatures for
everything existed - & it appears they SHOULD - but don't).
These are all rhetorical questions - right?
So, either it's a major concern & a LOT of people are going to get
"infected" because they can't follow the procedures to verify signatures
, or they won't take the time; OR it's not that big a risk for avg
users. I might use the process, but a lot of people won't even
understand the words, much less take the time. Boiled down: if it's a
truly important step before installing any software, major developers
need to make the verification process easier / more automated for avg users.
If it's as serious & imminent a danger as the bloggers & some Tor
developers indicated, either major software developers will find a way
to protect avg users, or the internet could eventually become like
walking the streets of El Paso & Juarez, alone at night. For those not
familiar, I've been told by people w/ family there or have visited, drug
cartels have basically taken over & no "decent' folk are out after dark.
Should I be concerned? Are you? Is Tor or browsers the only software
susceptible to fake certificates? Mozilla / Google have taken
corrective steps. What about all the other apps? I have no idea how
concerned I should be, but snippy answers don't contribute to the
Only a small % of all developers offer these capabilities.
if you're concerned about it, ask the developers to offer the capabilities.
tor-talk mailing list