Re: https
> > Maybe a list of md5sums signed by you would help.
> > (Including HTML pages.)
> > Unfortunately content of the site changes too often.
>
> We did this with sha1 hashes and very few checked them. Even worse is
> that if the man in the middle can swap binaries on the fly, they can
> sure send a new sha1/md5sum too. So now the user thinks they've done
I repeat: the md5sum/sha1sum list must be digitally signed.
> the right thing and verified the false md5/sha1 hash successfully.
>
> The pgp signature can't be faked easily, which is why we use them.
Yes. That is what I am speaking about.
However HTML files are NOT signed individually.
> > And how can anybody check if I serve the original files held by
> > www.torproject.org?
>
> The pgp signature.
See above.
> > Should I mirror everything? Including .*.swp files and .svn/ directories?
>
> Just use the rsync server to keep it all in sync. See
> https://www.torproject.org/running-a-mirror.html.en
OK. I get .swp files too. (They are now excluded.)
Thanks
Gabor