[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
From: Michael Gomboc <michael.gomboc@xxxxxxxxx>
Date: Fri, 23 Sep 2011 11:28:16 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 23 Sep 2011 11:28:32 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=OAzx7T/Vz60JwBtwpM0JJNnTVLfeNCRchtow5Y0w4io=; b=DFbi34/Nixs4fdV8ar0Wt8QqUGdbUihpZblMGWIom3YWLCR6tOb+8aQOfHc1h6dNhj RkdhSUK1ZJJ9G4yQhlZ4x6k1hFTKqMv6iCT430EiC6U5K5hwpRp5vi59upG3XQwnz6HQ L6jwdLR2+iXTPuiFz6K6LTn1UgpgejRXTE6kk=
In-reply-to: <4E7C959F.5040902@xxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CACLwEKGks05kTdWFGUAyxRuaK8D_abaAqPC7ZrxUk5-6kvPtgA@xxxxxxxxxxxxxx> <201109230948.13191.andrew@xxxxxxxxxxxxxx> <CACLwEKFVoF9FUdRm=d6bUPCNMAMXrhB1JYv2XEp9y=Y4tOrqGQ@xxxxxxxxxxxxxx> <4E7C959F.5040902@xxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

OK, I guess I know too less about PGP. So, if someone does not have the private key, they cannot provide the right signature. So even if you download the signature and the file from a fake page, you would notice by checking the authenticity. Is that right?

Thanks again. :-)

2011/9/23 <tor@xxxxxxxxxxxxxxxxxx>

On 23/09/11 15:10, Michael Gomboc wrote:

> Thanks Andrew. But when the SSL certificate is faked....

If you have the public key which corresponds to the private key which
was used to create the signature, then it doesn't matter if the SSL
certificate is faked. Even using non-SSL http would be fine.

https://www.torproject.org/docs/verifying-signatures. hhtml

If the file, or the signature file you download are tampered with, doing
this verification will alert you to that fact.

--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--
Michael Gomboc

pgp-id: 0x5D41FDF8

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
  - From: tor

References:
- [tor-talk] How to verify the authenticity of the Torbutton xpi file
  - From: Michael Gomboc
- Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
  - From: Andrew Lewman
- Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
  - From: Michael Gomboc
- Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
  - From: tor

Prev by Author: Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
Next by Author: Re: [tor-talk] Tor banned in Pakistan.
Previous by thread: Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
Next by thread: Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file
Index(es):
- Author
- Thread