>> Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg >> sign .xpis, but have been sloppy about posting them publicly. > <snip> >> For now, I think the right answer is "Fetch it over SSL" or "Check the >> git/gpg sig". > > Could you make a point of publicly posting the .xpi gpg signatures along > with the .xpis? > <snip> > So I'd much appreciate being able to get the signature w/o having to > figure out git. Particularly if that signature has already been created.
Sorry, but I have to point out that none of the proposed solution really works, and both are actually quite bad from the security point of view. "Fetch it over SSL" doesn't give the user any guarantee about the authenticity of the file. Actually it does little about security. It only verifies that the user is connected to the real Tor website, but if the file is corrupt or, worse, has been maliciously replaced by some malware version of it, you have no means of finding out. Since we are talking in this very thread about Tor servers being attacked, I consider this as a serious threat. "Check the git/gpg sig" is a little better, but from a quick look at the git repository I couldn't find the .xpi's on it (correct me if I'm wrong here). This means that only the sources are signed, thus requiring the user to recompile the package at every new release. This is time consuming, but it also add some additional requirements on the user, like having the right compilation environment on the box, having it properly configured etc. All this for no security benefit. Finally, checking the git's signature is not as easy as checking a simple .asc file. So, I have to join Jim's plea. Mike, could you please put the .xpi's .asc signature files on the TorButton website? Thanks, Paolo P.S. Are git connection to the Tor git's repository protected by TLS against a valid certificate? *********************************************************************** To unsubscribe, send an e-mail to [email protected] with unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
