[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
From: Joe Btfsplk <joebtfsplk@xxxxxxx>
Date: Sat, 03 Sep 2011 14:27:47 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 03 Sep 2011 15:28:13 -0400
In-reply-to: <4E624F15.8080806@xxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110902125555.163220@xxxxxxx> <4E60E813.1060409@xxxxxxx> <20110902171101.GA6618@sescenties> <CAC+VsLuHVypfqnyW=KPHdE6B83OmWYp0nauhpW-tzaoaQNh_Gw@xxxxxxxxxxxxxx> <20110902214612.GD17375@xxxxxxxxxxxxxxxx> <4E622E22.80501@xxxxxxx> <4E624F15.8080806@xxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0

On 9/3/2011 11:00 AM, Netizio wrote:

I'm just asking here - other than entities (gov'ts?) targeting anonymity
software (for now) what prevents this issue from becoming widespread?
If I download an update from MS - how do I know it's the authentic pkg
from the real MS?  There's no authentication (or even check sums) for
d/l Firefox, IE.  Only a small % of all developers offer these
capabilities.

Hi, AFAIK Microsoft does an automated hash or signature check in the
background to test that your downloaded packages are unmanipulated.
Mozilla offers you md5 sums and - more recommended - sha1 sums along
with the offical key to check the integrity of downloads:

http://releases.mozilla.org/pub/mozilla.org/firefox/releases/6.0.1/

Greetings,

Netizio

Thanks Netizio & others. Clarification - check sums & verifyingsignatures are completely different animals - yes? I'm getting moreeducated on signature verification, but more questions are popping up aswell. Netizio, when you're right, you're right. I had never seen thepage for mozilla w/ a "key", MD5s, SHA1s. You don't see it on theirmain d/l page - least I never have.

I'm asking these questions, because others that don't know are afraid toraise their hands. What you don't know CAN hurt you. I haven't usedsignature verification before, but my education field is about astechnical as it gets. My 1st impression w/ the process (& instructionson Tor page - verifying signatures) is, it will be over the avg users'heads, or more trouble / effort than they're willing to exert (possiblyto their detriment). I haven't tried the steps listed on Tor site, butseems pretty straight forward.


Q-1:  on the Mozilla link above, the "Key" says

This file contains the PGP keys of various developers that work on
Mozilla and its subprojects (such as Firefox and Thunderbird).

Obviously, they assume anyone looking at that page & info will knowexactly what to do w/ it. I don't. Would the process of using thedata on their "Key" page be same as described on Tor Project's"Verifying Signatures" page?

Jeroen, thanks for links, but I was talking about more automatedsignature verification. I think those were more for check sums - yes?Still, good info.


Lee:

These are all rhetorical questions - right?

No. I understand Tor Project's main concern is Tor / TBB. I fail tounderstand why the issue / problem being discussed is in any way limitedto Tor or a few softwares. It seems like if it is, or could be aserious concern for Tor users, it could be for users of any software.My contention was, few are going to go to the trouble to verifysignatures, by the process that currently exists (if signatures foreverything existed - & it appears they SHOULD - but don't).

So, either it's a major concern & a LOT of people are going to get"infected" because they can't follow the procedures to verify signatures, or they won't take the time; OR it's not that big a risk for avgusers. I might use the process, but a lot of people won't evenunderstand the words, much less take the time. Boiled down: if it's atruly important step before installing any software, major developersneed to make the verification process easier / more automated for avg users.

If it's as serious & imminent a danger as the bloggers & some Tordevelopers indicated, either major software developers will find a wayto protect avg users, or the internet could eventually become likewalking the streets of El Paso & Juarez, alone at night. For those notfamiliar, I've been told by people w/ family there or have visited, drugcartels have basically taken over & no "decent' folk are out after dark.


Lee:

  	Only a small % of all developers offer these capabilities.
if you're concerned about it, ask the developers to offer the capabilities.

Should I be concerned? Are you? Is Tor or browsers the only softwaresusceptible to fake certificates? Mozilla / Google have takencorrective steps. What about all the other apps? I have no idea howconcerned I should be, but snippy answers don't contribute to thediscussion.


_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: andrew
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Lee

References:
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Achter Lieber
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Joe Btfsplk
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Seth David Schoen
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Collin Anderson
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: andrew
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Joe Btfsplk
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Netizio

Prev by Author: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Next by Author: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Previous by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Next by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Index(es):
- Author
- Thread