[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: https



On 12/20/2009 02:01 AM, Kiss Gabor (Bitman) wrote:
 > Maybe a list of md5sums signed by you would help.
> (Including HTML pages.)
> Unfortunately content of the site changes too often.

We did this with sha1 hashes and very few checked them.  Even worse is
that if the man in the middle can swap binaries on the fly, they can
sure send a new sha1/md5sum too.  So now the user thinks they've done
the right thing and verified the false md5/sha1 hash successfully.

The pgp signature can't be faked easily, which is why we use them.

> And how can anybody check if I serve the original files hold by
> www.torproject.org?

The pgp signature.

> Should I mirror everything? Including .*.swp files and .svn/ directories?

Just use the rsync server to keep it all in sync.  See
https://www.torproject.org/running-a-mirror.html.en

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject