#31213: torproject.org TBB verification instructions - "poisoned" public key
---------------------+----------------------------------
Reporter: lofenyy | Owner: hiro
Type: defect | Status: new
Priority: Medium | Component: Webpages/Support
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
---------------------+----------------------------------
The instructions on torproject.org for verifying the TOR Browser Bundle
don't really work anymore, due to a "key poisoning" attack on the signing
key located on the keyserver. I came across this by downloading the TBB
and the signature, and then trying to import the public key (on a new
machine that doesn't already have it) so I can verify it, only to find out
that I couldn't.
Affected page: https://support.torproject.org/tbb/how-to-verify-signature/
Relevant mailing list post: https://lists.torproject.org/pipermail/tor-
project/2019-July/002384.html
Description of attack:
https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31213>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
