On 2011-09-03 15:39, Joe Btfsplk wrote:
> On 9/2/2011 4:46 PM, [email protected] wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, [email protected]
>> wrote 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included
>> among those
>>
>> Here's another blogger for your list,
>> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
>>
> Thanks for all replies on this. I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
>
> Question - obviously, Tor isn't the only software or site that could be
> targeted. What's to prevent necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)? And if they don't, why wouldn't users of other software be
> at same risk? Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything? Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)? Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.

At least three tools can do this for you:

Team Cymru's WinMHR:
http://www.team-cymru.org/Services/MHR/WinMHR/

Secunia Personal Software Inspector (PSI):
http://secunia.com/vulnerability_scanning/personal/

Spybot Search & Destroy:
http://www.safer-networking.org

Note that these primarily focus on malware & spybots and most likely all
depend on the wrong hash to be known at the tool that you are using.

At least they can state in quite a few cases which binaries are known to
them and which standard binaries are off from what they see in the wild.

You are also of course, like in a lot of cases, depending on those
organizations to do the right thing which again boils down to who to trust.

Greets,
 Jeroen
_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
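
The distinction raised in the reply above, between looking a hash up among known-bad files and comparing it with a digest the publisher released, shown as an added example that is not part of the original thread. File names, contents and the manifest are constructed, and the manifest is assumed to have been authenticated separately (for example by a signature check), which this code does not do.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    manifest = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            manifest[parts[1].strip().lstrip("*")] = parts[0].lower()
    return manifest

def audit(directory, manifest, known_bad):
    """Return {file: (known-bad lookup verdict, publisher-digest verdict)}."""
    results = {}
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        listed = "known-bad" if digest in known_bad else "unknown"
        expected = manifest.get(p.name)
        if expected is None:
            published = "no-published-digest"
        else:
            published = "match" if hmac.compare_digest(digest, expected) else "MISMATCH"
        results[p.name] = (listed, published)
    return results

def demo():
    # Constructed sample data: file names and contents are made up.
    genuine = {"tool-1.0.tar.gz": b"genuine tool build", "lib-2.0.tar.gz": b"genuine lib build"}
    manifest = parse_manifest("\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in genuine.items()))
    known_bad = {hashlib.sha256(b"old catalogued malware").hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "lib-2.0.tar.gz").write_bytes(genuine["lib-2.0.tar.gz"])
        Path(tmp, "tool-1.0.tar.gz").write_bytes(b"genuine tool build + new backdoor")
        Path(tmp, "extra.bin").write_bytes(b"old catalogued malware")
        return audit(tmp, manifest, known_bad)

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, *verdicts)
```

The altered `tool-1.0.tar.gz` comes back as "unknown" from the known-bad lookup and is only caught by the comparison with the published digest.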
