Tor Project infrastructure updates in response to security breach

Mike Perry mikeperry at fscked.org
Thu Jan 21 22:09:42 UTC 2010


Thus spake Paolo Palmieri (palmaway at gmx.it):

> > would it make sense to sign the torbutton xpi's?
> 
> Actually, I've always been quite amazed by the fact that TorButton's
> .xpi (binary?) files are not signed.
>
> I'd really like to see this implemented in the future.

Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
sign .xpis, but have been sloppy about posting them publicly.

As for actual Firefox-compatible builtin xpi signatures, the last time
I looked into those they were exceedingly complicated and needed a
special Code Signing Certificate, which required me bending over and
paying Verisign or some other SSL Mafia Member a lot of money
($200-500/yr) to examine my rectum for a while. Maybe the Tor Project
can get one of these for me, but I am not certain its really worth it.

I suppose I could also create a rogue code signing certificate and
provide that over SSL for people to install, but then I wonder if
vanilla Firefox will reject my XPIs then because they are signed, but
with an "invalid" cert.

For now, I think the right answer is "Fetch it over SSL" or "Check the
git/gpg sig".

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20100121/f0ef58f2/attachment.pgp>


More information about the tor-talk mailing list