[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

On Sat, Sep 03, 2011 at 02:27:47PM -0500, joebtfsplk@xxxxxxx wrote 4.2K bytes in 84 lines about:
: is about as technical as it gets.  My 1st impression w/ the process
: (& instructions on Tor page - verifying signatures) is, it will be
: over the avg users' heads, or more trouble / effort than they're
: willing to exert (possibly to their detriment).  I haven't tried the
: steps listed on Tor site, but seems pretty straight forward.

We made them copy and paste so new users can do it. I've watched people
in trainings successfully verify the signatures. we need a better model
for osx and windows, as neither system comes with gpg. Installing gobs
of software that doesn't come with verification to verify tor is sort of

: down:  if it's a truly important step before installing any
: software, major developers need to make the verification process
: easier / more automated for avg users.

The other side to this is that users who do verify the software they
download will hopefully be vocal when the software fails to verify.

pgp key: 0x74ED336B
tor-talk mailing list