commit 8660abe1d94824795ed7e231f2dbee3eb62852a6 Author: hiromipaw hiro@torproject.org Date: Fri Jul 7 13:08:25 2017 +0200
Started updating verify signatures page --- docs/en/verifying-signatures.wml | 48 ++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 14 deletions(-)
diff --git a/docs/en/verifying-signatures.wml b/docs/en/verifying-signatures.wml index 485e509..c6e3b27 100644 --- a/docs/en/verifying-signatures.wml +++ b/docs/en/verifying-signatures.wml @@ -12,24 +12,44 @@ <h1>How to verify signatures for packages</h1> <hr>
+ <p>Digital signature is a process ensuring that a certain package was + generated by its developers and has not been tampered with. Below we explain + why it is important and how to verify that the Tor program you download is + the one we have created and has not been modified by some attacker.</p> + + <p>Digital signature is a cryptographic mechanism. If you want to learn more + about how it works see <a href="https://www.gnupg.org/documentation/"> + https://www.gnupg.org/documentation/</a>.</p> + <h3>What is a signature and why should I check it?</h3> <hr>
- <p>How do you know that the Tor program you have is really the - one we made? Many Tor users have very real adversaries who might - try to give them a fake version of Tor — and it doesn't matter - how secure and anonymous Tor is if you're not running the real Tor.</p> + <p>How do you know that the Tor program you have is really the one we made? + Digital signatures ensure that the package you are downloading was created by + our developers. It uses a cryptographic mechanism which outputs a sequence of + characters that is always the same unless the software has not been tampered + with.</p> + + <p>For many Tor users it is important to verify that the Tor software is authentic + as they have very real adversaries who might try to give them a fake version + of Tor.</p>
- <p>An attacker could try a variety of attacks to get you to download - a fake Tor. For example, he could trick you into thinking some other + <p>If the Tor package has been modified by some attacker it is not safe to use. + It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p> + + <p>There are a variety of attacks that can be used to make you download a fake + version of Tor. For example, an attacker could trick you into thinking some other website is a great place to download Tor. That's why you should - always download Tor from <b>https</b>://www.torproject.org/. The - https part means there's encryption and authentication between your - browser and the website, making it much harder for the attacker + always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p> + + <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https. + Https is the secure version of the http protocol which uses encryption and authentication between your + browser and the website. This makes it much harder for the attacker to modify your download. But it's not perfect. Some places in the - world block the Tor website, making users try <a href="<page - docs/faq>#GetTor">somewhere else</a>. Large - companies sometimes force employees to use a modified browser, + world block the Tor website, making users to download Tor <a href="<page + docs/faq>#GetTor">somewhere else</a>.</p> + + <p>Large companies sometimes force employees to use a modified browser, so the company can listen in on all their browsing. We've even <a href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a> attackers who have the ability to trick your browser into thinking 
@@ -93,8 +113,8 @@ <p>To verify the signature of the package you downloaded, you will need to download the ".asc" file as well. Assuming you downloaded the package and its signature to your Desktop, run:</p> - <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify - C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc + <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \ + C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \ C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre> <p>The output should say "Good signature": </p> <pre>
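Review bot: In the first hunk, the rewritten "How do you know that the Tor program you have is really the one we made?" paragraph inverts its condition: "a sequence of characters that is always the same unless the software has not been tampered with" says the output changes when the package is untouched. Suggest "unless the software has been tampered with". In the same hunk, "It uses" follows the plural "Digital signatures", "Digital signature is a process" is missing an article, and "making users to download Tor" should read "making users download Tor". The paragraph also describes something closer to a checksum than a signature. It would help to say that the check only means something when it is made against the developers' signing key.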
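Review bot: In the second hunk, the trailing " \" added to the first two lines inside the <pre> is a POSIX shell line continuation, but the command is written for the Windows command prompt ("C:\Program Files\Gnu\GnuPg\gpg.exe" --verify), where cmd.exe uses ^ for continuation. A user who pastes the block as shown passes a literal backslash to gpg, and the following lines are treated as separate commands, so the verification step does not run as documented. Suggest keeping the command on one line, or ending the first two lines with ^ instead.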
tor-commits@lists.torproject.org