<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
<blockquote cite="mid:4E60E813.1060409@gmx.com" type="cite">On
9/2/2011 7:55 AM, Achter Lieber wrote:
<br>
<blockquote type="cite">----- Original Message -----
<br>
From: Roger Dingledine
<br>
Sent: 09/01/11 03:47 PM
<br>
To: <a class="moz-txt-link-abbreviated" href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a>
<br>
Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert
(among many others)
<br>
<br>
New bundles are out now:
<a class="moz-txt-link-freetext" href="https://blog.torproject.org/blog/new-tor-browser-bundles-4">https://blog.torproject.org/blog/new-tor-browser-bundles-4</a>
Perhaps now is a great time for you to learn how to verify the
signatures on Tor packages you download:
<a class="moz-txt-link-freetext" href="https://www.torproject.org/docs/verifying-signatures">https://www.torproject.org/docs/verifying-signatures</a>
<br>
</blockquote>
Is it really a risk, d/l Tor or TBB directly from Tor Project's
site, that verifying signatures is necessary? What is the
reasoning here - if getting files from Tor Project server?
<br>
<br>
</blockquote>
I believe that the point of Roger's message was that you or I may
not really be downloading the package from TorProject, if we are
using SSL that is authenticated to a fake certificate.<br>
<br>
I do not use a Mac, but I was able to use GPA and Kleopatra in
Windows to verify that the bundles I downloaded were signed by
Erinn. <br>
<p>In &lt;<a class="moz-txt-link-freetext" href="https://www.torproject.org/docs/verifying-signatures">https://www.torproject.org/docs/verifying-signatures</a>&gt;,
the procedure for verification spelled out for use on a Mac
should work to verify files containing Windows code. The procedure
applies to the verification computer, not the target computer.<br>
</p>
<p>David Carlson<br>
</p>
</body>
</html>