[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

David Carlson carlson.dl at sbcglobal.net
Fri Sep 2 14:57:43 UTC 2011


On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
> On 9/2/2011 7:55 AM, Achter Lieber wrote:
>> ----- Original Message -----
>> From: Roger Dingledine
>> Sent: 09/01/11 03:47 PM
>> To: tor-talk at lists.torproject.org
>> Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among
>> many others)
>>
>> New bundles are out now:
>> https://blog.torproject.org/blog/new-tor-browser-bundles-4
>> Perhaps now is a great time for you to learn how to verify the
>> signatures on Tor packages you download:
>> https://www.torproject.org/docs/verifying-signatures
> Is it really a risk, d/l Tor or TBB directly from Tor Project's site,
> that verifying signatures is necessary? What is the reasoning here -
> if getting files from Tor Project server?
>
I believe that the point of Roger's message was that you or I may not
really be downloading the package from TorProject, if we are using SSL
that is authenticated to a fake certificate.

I do not use a Mac, but I was able to use GPA and Kleopatra in Windows
to verify that the bundles I downloaded were signed by Erinn.
In <https://www.torproject.org/docs/verifying-signatures>
the procedure for verification spelled out for use on a Mac should work
to verify files containing Windows code. The procedure applies to the
verification computer, not the target computer.

David Carlson
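
The point made in this message, that a forged certificate means the HTTPS session cannot vouch for the download, is why the signature check has to rest on a key fingerprint obtained some other way. The sketch below is an added example, not part of the original message or of Tor Project's instructions; the function names and the fingerprints in the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Accept a download only if gpg reports a good signature AND the signing
# key's primary fingerprint equals a pinned value. The pinned fingerprint
# must come from a source other than the HTTPS session that delivered the
# file, because that session may be the spoofed one.

# check_status PINNED_FPR  (reads `gpg --status-fd` output on stdin)
# Succeeds only if a GOODSIG line is present and a VALIDSIG line names
# PINNED_FPR as the primary key fingerprint (12th field), falling back to
# the signing key fingerprint (3rd field) when no primary field exists.
# Expired or revoked keys produce EXPKEYSIG/REVKEYSIG instead of GOODSIG,
# so they are rejected.
check_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pinned" ] || return 2
    awk -v want="$pinned" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) match_fpr = 1
        }
        END { exit ((good && match_fpr) ? 0 : 1) }
    '
}

# verify_pinned SIGFILE DATAFILE PINNED_FPR
# Runs gpg on a detached signature and applies the check above. It can be
# run on any machine with gpg, regardless of the platform the file targets.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$3"
}

# Constructed status output (fingerprints are made up): a signing subkey
# FEDC...BA98 belonging to primary key 0123...4567.
sample_status() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2011-09-01 1314835200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
EOF
}

sample_status | check_status "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" \
    && echo "constructed sample: signature accepted for pinned key"
```

A signature that is cryptographically valid but made by any other key fails this check, which is the case a bare "Good signature" message does not distinguish.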
