<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
    <blockquote cite="mid:4E60E813.1060409@gmx.com" type="cite">On
      9/2/2011 7:55 AM, Achter Lieber wrote:
      <br>
      <blockquote type="cite">----- Original Message -----
        <br>
        From: Roger Dingledine
        <br>
        Sent: 09/01/11 03:47 PM
        <br>
        To: <a class="moz-txt-link-abbreviated" href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a>
        <br>
        Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert
        (among many others)
        <br>
        <br>
        &nbsp; New bundles are out now:
        <a class="moz-txt-link-freetext" href="https://blog.torproject.org/blog/new-tor-browser-bundles-4">https://blog.torproject.org/blog/new-tor-browser-bundles-4</a>
        Perhaps now is a great time for you to learn how to verify the
        signatures on Tor packages you download:
        <a class="moz-txt-link-freetext" href="https://www.torproject.org/docs/verifying-signatures">https://www.torproject.org/docs/verifying-signatures</a>
        <br>
      </blockquote>
      Is it really a risk, d/l&nbsp; Tor or TBB directly from Tor Project's
      site, that verifying signatures is necessary?&nbsp; What is the
      reasoning here - if getting files from Tor Project server?
      <br>
      <br>
      _______________________________________________
      <br>
      tor-talk mailing list
      <br>
      <a class="moz-txt-link-abbreviated" href="mailto:tor-talk@lists.torproject.org">tor-talk@lists.torproject.org</a>
      <br>
      <a class="moz-txt-link-freetext" href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk</a>
      <br>
      <br>
    </blockquote>
    I believe that the point of Roger's message was that you or I may
    not really be downloading the package from TorProject, if we are
    using SSL that is authenticated to a fake certificate.<br>
    <br>
    I do not use a Mac, but I was able to use GPA and Kleopatra in
    Windows to verify that the bundles I downloaded were signed by
    Erinn.&nbsp; <br>
    <p>In &lt;<a class="moz-txt-link-freetext" href="https://www.torproject.org/docs/verifying-signatures">https://www.torproject.org/docs/verifying-signatures</a>&gt;
      the procedure for verification spelled out for use on a Mac
      should work to verify files containing Windows code. The procedure
      applies to the verification computer, not the target computer.<br>
    </p>
    <p>David Carlson<br>
    </p>
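    <p>As an added example (not part of the original message and not Tor Project code): one way to script the check discussed above with command-line gpg, so that a download is accepted only when the signature comes from the key you expect, regardless of which TLS certificate served the file. The function names, the fingerprint and the sample status line are constructed placeholders; the real fingerprint must come from a source you trust independently of the download channel.</p>

```shell
#!/bin/sh
# Added example: accept a detached signature only if gpg reports it as
# valid AND made by the expected primary key. All names are hypothetical.

# Constructed placeholder fingerprint, NOT a real Tor Project key.
SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of one `gpg --status-fd` line. In a VALIDSIG line,
# field 3 is the fingerprint of the key that made the signature and the
# last field (12) is the primary key fingerprint.
SAMPLE_STATUS="[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-09-01 1314900000 0 4 0 1 2 00 $SAMPLE_FPR"

# check_signer EXPECTED_FPR
# Reads gpg status output on stdin. Returns 0 only when a VALIDSIG line
# names the expected primary key and no BADSIG/ERRSIG line is present.
check_signer() {
    # Normalise the fingerprint: drop spaces, upper-case the hex digits.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    awk -v want="$expected" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) == want) ok = 1; else bad = 1
        }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG") { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_download SIGNATURE_FILE DOWNLOADED_FILE EXPECTED_FPR
# Runs on the verifying computer; the platform the downloaded package
# targets does not matter.
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_signer "$3"
}

# Offline demonstration on the constructed status line above.
if printf '%s\n' "$SAMPLE_STATUS" | check_signer "$SAMPLE_FPR"; then
    echo "sample: signer matches expected fingerprint"
fi
```

    <p>A plain "Good signature" message only says that some key in the keyring signed the file; comparing the fingerprint is what ties the file to the expected signer.</p>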
  </body>
</html>