[tor-bugs] #31213 [Webpages/Support]: torproject.org TBB verification instructions - "poisoned" public key

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 22 13:08:36 UTC 2019


#31213: torproject.org TBB verification instructions - "poisoned" public key
---------------------+----------------------------------
 Reporter:  lofenyy  |          Owner:  hiro
     Type:  defect   |         Status:  new
 Priority:  Medium   |      Component:  Webpages/Support
  Version:           |       Severity:  Normal
 Keywords:           |  Actual Points:
Parent ID:           |         Points:
 Reviewer:           |        Sponsor:
---------------------+----------------------------------
 The instructions on torproject.org for verifying the Tor Browser Bundle
 don't really work anymore, due to a "key poisoning" attack on the signing
 key located on the keyserver. I came across this by downloading the TBB
 and the signature, and then trying to import the public key (on a new
 machine that doesn't already have it) so I can verify it, only to find out
 that I couldn't.

 Affected page: https://support.torproject.org/tbb/how-to-verify-signature/
 Relevant mailing list post:
 https://lists.torproject.org/pipermail/tor-project/2019-July/002384.html
 Description of attack:
 https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31213>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online