[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
From: Jim <Jimmymac@xxxxxxxxxx>
Date: Sat, 03 Sep 2011 08:47:07 -0600
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 03 Sep 2011 11:01:43 -0400
In-reply-to: <4E622E22.80501@xxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110902125555.163220@xxxxxxx> <4E60E813.1060409@xxxxxxx> <20110902171101.GA6618@sescenties> <CAC+VsLuHVypfqnyW=KPHdE6B83OmWYp0nauhpW-tzaoaQNh_Gw@xxxxxxxxxxxxxx> <20110902214612.GD17375@xxxxxxxxxxxxxxxx> <4E622E22.80501@xxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.23 (X11/20090812)

Joe Btfsplk wrote:

I'm just asking here - other than entities (gov'ts?) targeting anonymitysoftware (for now) what prevents this issue from becoming widespread?If I download an update from MS - how do I know it's the authentic pkgfrom the real MS? There's no authentication (or even check sums) ford/l Firefox, IE. Only a small % of all developers offer these capabilities.


I agree that all projects ought to offer digital signatures for their
downloads (or at least a digitally signed list of cryptographically
secure hashes values -- no MD5s please!) and far too few projects do.
But I do wonder if you are wrong about Firefox not supplying hash
values.  I know SeaMonkey (also hosted by Mozilla although not an
official Mozilla project) offers hashes, but you have to go looking for
them.  I suspect the same is true for FF although I don't know if I have
ever looked.  Of course while I consider them (slightly) better than
nothing, hash values alone won't thwart a determined and knowledgeable
attacker.

Jim




_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Achter Lieber
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Joe Btfsplk
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Seth David Schoen
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Collin Anderson
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: andrew
- Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
  - From: Joe Btfsplk

Prev by Author: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Next by Author: Re: [tor-talk] I've yet to understand <clock skew> attacks on hidden services
Previous by thread: [tor-talk] Verifying software signatures (Was: Dutch CA issues fake *.torproject.org cert (among many others))
Next by thread: Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Index(es):
- Author
- Thread