[tor-bugs] #5463 [BridgeDB]: BridgeDB must GPG-sign outgoing mails

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 11 05:04:01 UTC 2013


#5463: BridgeDB must GPG-sign outgoing mails
-----------------------+----------------------------------------------------
 Reporter:  rransom    |          Owner:                   
     Type:  defect     |         Status:  needs_information
 Priority:  critical   |      Milestone:                   
Component:  BridgeDB   |        Version:                   
 Keywords:  important  |         Parent:                   
   Points:             |   Actualpoints:                   
-----------------------+----------------------------------------------------

Comment(by sysrqb):

 I think it will be beneficial if we reorganize/extend the verifying-
 signatures[0] page to include a section that describes how one verifies
 our signed mail, too. Assuming we do this, then we don't need to describe
 the various methods for doing this on the various OSs inline. We may still
 want to distribute the TSUM, but presently it does not describe everything
 we need, so it will similarly need to be updated/extended to say how to
 verify our sig. This maybe worthwhile though, for places where tpo is
 blocked.

 With regard to the email message, I think we can add something like this:
 {{{
 Please consider verifying that this email was sent by the Tor Project
 and that it has not changed since its creation. A malicious bridge can
 destroy your anonymity, so you may want to confirm that this email is
 legitimate and was not altered. You can follow the instructions at
 https://www.torproject.org/docs/verifying-signatures.html.en to verify
 this email.

 If you don't need step-by-step instructions, then our public signing
 key is also available at
 https://bridges.torproject.org/sig and our fingerprint is [fpr]. If
 you don't know how to use this information, then please go to the above
 mentioned website or contact help at rt.torproject.org for assistance.
 }}}

 (I dialed-back the scariness/pushiness of my original message)
 Suggestions?

 Thus making:

 {{{
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 [This is an automated message; please do not reply.]

 Here are your bridge relays:

   [bridges x 3]

 Bridge relays (or "bridges" for short) are Tor relays that aren't listed
 in the main directory. Since there is no complete public list of them,
 even if your ISP is filtering connections to all the known Tor relays,
 they probably won't be able to block all the bridges.

 To use the above lines, go to Vidalia's Network settings page, and click
 "My ISP blocks connections to the Tor network". Then add each bridge
 address one at a time.

 Configuring more than one bridge address will make your Tor connection
 more stable, in case some of the bridges become unreachable.

 The following commands are also supported:

   ipv6 : request ipv6 bridges.
   transport NAME : request transport NAME. Example: 'transport obfs2'

 Another way to find public bridge addresses is to visit
 https://bridges.torproject.org/. The answers you get from that page
 will change every few days, so check back periodically if you need more
 bridge addresses.

 Please consider verifying that this email was sent by the Tor Project
 and that it has not changed since its creation. A malicious bridge can
 destroy your anonymity, so you may want to confirm that this email is
 legitimate and was not altered. You can follow the instructions at
 https://www.torproject.org/docs/verifying-signatures.html.en to verify
 this email.

 If you don't need step-by-step instructions, then our public signing
 key is also available at
 https://bridges.torproject.org/sig and our fingerprint is [fpr]. If
 you don't know how to use this information, then please go to the above
 mentioned website or contact help at rt.torproject.org for assistance.

 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.19 (GNU/Linux)

 [sig]
 -----END PGP SIGNATURE-----
 }}}

 [0] https://www.torproject.org/docs/verifying-signatures.html.en

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5463#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list