On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
> On 9/2/2011 7:55 AM, Achter Lieber wrote:
>> ----- Original Message -----
>> From: Roger Dingledine
>> Sent: 09/01/11 03:47 PM
>> To: [email protected]
>> Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among
>> many others)
>>
>> New bundles are out now:
>> https://blog.torproject.org/blog/new-tor-browser-bundles-4 Perhaps
>> now is a great time for you to learn how to verify the signatures on
>> Tor packages you download:
>> https://www.torproject.org/docs/verifying-signatures
> Is it really a risk, d/l Tor or TBB directly from Tor Project's site,
> that verifying signatures is necessary? What is the reasoning here -
> if getting files from Tor Project server?
>
> _______________________________________________
> tor-talk mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>

I believe that the point of Roger's message was that you or I may not really be downloading the package from TorProject, if we are using SSL that is authenticated to a fake certificate.

I do not use a Mac, but I was able to use GPA and Kleopatra in Windows to verify that the bundles I downloaded were signed by Erinn. In <https://www.torproject.org/docs/verifying-signatures> the procedure for verification spelled out for use on a Mac should work to verify files containing Windows code. The procedure applies to the verification computer, not the target computer.

David Carlson

0xDC7C8BF3.asc
Description: application/pgp-keys
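
Added example (not part of the original message and not the Tor Project's own procedure): a shell sketch of the check discussed in this thread, accepting a download only when gpg reports a good signature made by a key whose fingerprint you pinned in advance. The function names and the fingerprints in the sample are constructed, and it assumes you learned the signer's real fingerprint through a channel that does not depend on the same HTTPS connection.

```shell
#!/bin/sh
# Added example, not from the thread. Decide from gpg's machine-readable
# status output whether a signature is good AND made by the pinned key.

# usage: gpg --status-fd 1 --verify SIG FILE | status_signed_by PINNED_FPR
status_signed_by() {
    # Normalise the pinned fingerprint: drop spaces, upper-case hex digits.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature or its key must not be trusted.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # Field 12 is the primary-key fingerprint; field 3 is the signing
        # (sub)key. Prefer the primary key, which is what people publish.
        $2 == "VALIDSIG" { fpr = toupper(NF >= 12 ? $12 : $3) }
        # Appending "" forces a string comparison of the two fingerprints.
        END { exit !(good && !bad && want != "" && (fpr "") == (want "")) }'
}

# usage: verify_download PINNED_FPR FILE.asc FILE
# A "Good signature" from some other key in the keyring is rejected here.
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_signed_by "$1"
}

# Constructed status lines with made-up fingerprints, for offline testing.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-09-01 1314835200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}
```

The check runs on whichever machine does the verifying, so the same function applies to a Windows, Mac or Linux bundle alike.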
