
Re: [tor-talk] How to verify the authenticity of the Torbutton xpi file

tor@xxxxxxxxxxxxxxxxxx wrote:
> On 23/09/11 16:28, Michael Gomboc wrote:
>
>> OK, I guess I know too little about PGP. So, if someone does not have the
>> private key, they cannot provide the right signature. So even if you
>> download the signature and the file from a fake page, you would notice
>> by checking the authenticity. Is that right?
>
> That is correct. For example, I have signed this email with my private
> PGP key. I am the only person with access to that private key. The
> corresponding public key is available on the Internet for anyone to
> download, in several places. Anyone who has my public key can verify
> that this email was signed by me, and that it hasn't been tampered with.
> This is the same process used to sign Tor.

This is correct as far as it goes. You can verify that the software that was downloaded was signed with a particular private key. The problem is knowing whether that key in fact belongs to the Tor Project. torproject.org does list the key they use on their web site. The problem then returns to knowing whether the web page you are looking at to verify the key is the real one or a fake, which I believe is where the OP began: how does he know if the web page is correct when he cannot trust the SSL certificate?

I seem to recall that one of the people from the Tor Project stated that
some browsers now have the correct Tor Project SSL certificate "baked
into them".  I don't have the time to go looking for that right now but
perhaps somebody can refresh all of our memories?
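The check this thread keeps circling back to, as an added example that is not code from the thread or from the Tor Project: a good signature only tells you *which* key signed the file, so the verifier must also compare that key's fingerprint against a value pinned out of band. The script below drives `gpg --status-fd` and accepts a download only if the signature is GOODSIG/VALIDSIG and the primary-key fingerprint is in a pinned set. It assumes GnuPG 2.x is installed as `gpg`; the pinned fingerprint and the status lines are placeholders constructed for illustration, not any real project's key or a captured gpg run.

```python
"""Verify a detached PGP signature and pin the signer's key fingerprint.

Added example for the tor-talk thread above; not code from the thread or
from the Tor Project. Assumes GnuPG 2.x is installed as `gpg` and that the
expected primary-key fingerprint was obtained out of band (the value below
is a placeholder, not any real project's key).
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Placeholder fingerprint for illustration only. A real value must come from
# a channel you already trust, not from the download page itself.
PINNED_FINGERPRINTS: Set[str] = {"AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"}


@dataclass
class SigResult:
    good: bool                  # GOODSIG seen and no BADSIG/ERRSIG
    fingerprint: Optional[str]  # primary-key fingerprint from VALIDSIG
    key_id: Optional[str]       # long key id from GOODSIG


def parse_gpg_status(status_text: str) -> SigResult:
    """Parse machine-readable `gpg --status-fd` output.

    Only GOODSIG/VALIDSIG establish a valid signature. TRUST_* lines describe
    the web-of-trust state and are ignored here because the key is pinned.
    """
    good, fpr, key_id = False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good = True
            key_id = fields[2]
        elif tag in ("BADSIG", "ERRSIG"):
            return SigResult(False, None, None)
        elif tag == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; gpg 2.x appends
            # the primary key's fingerprint as the last field. Pin the primary.
            fpr = fields[-1] if len(fields) >= 12 else fields[2]
    return SigResult(good, fpr, key_id)


def check_signature(status_text: str, pinned: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only if the signature is good AND
    the signing key's primary fingerprint is in the pinned set."""
    result = parse_gpg_status(status_text)
    if not result.good:
        return False, "signature missing or invalid"
    if result.fingerprint is None:
        return False, "no VALIDSIG line; cannot identify key"
    fpr = result.fingerprint.upper()
    if fpr not in {p.upper().replace(" ", "") for p in pinned}:
        return False, f"good signature, but from unpinned key {fpr}"
    return True, f"good signature from pinned key {fpr}"


def verify_file(sig_path: str, file_path: str, pinned: Set[str]) -> Tuple[bool, str]:
    """Run gpg on a detached signature and apply the pinned-key check.
    gpg exits non-zero on a bad signature, so check=True is deliberately not used."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return check_signature(proc.stdout, pinned)


# Constructed status output (not captured from a real gpg run) for the
# three cases a verifier must distinguish.
STATUS_GOOD_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2011-09-23 1316793600 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_GOOD_UNPINNED = STATUS_GOOD_PINNED.replace(
    "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF")
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok, why = verify_file(sys.argv[1], sys.argv[2], PINNED_FINGERPRINTS)
        print(why)
        sys.exit(0 if ok else 1)
    for name, status in (("pinned", STATUS_GOOD_PINNED),
                         ("unpinned", STATUS_GOOD_UNPINNED),
                         ("badsig", STATUS_BAD)):
        print(name, check_signature(status, PINNED_FINGERPRINTS))
```

Run as `python verify.py file.xpi.asc file.xpi` against real files, or with no arguments to exercise the three constructed cases. The "unpinned" case is the one the thread is about: gpg reports a perfectly good signature (and a fake page can supply both the file and a matching key), yet the download is still rejected because the key is not the one you established out of band. The TRUST_UNDEFINED line shows why pinning is used instead of gpg's own trust model: a freshly imported key has no trust at all, so the decision has to come from a fingerprint you obtained through a channel other than the page you are trying to validate.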

