[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

Joe Btfsplk joebtfsplk at gmx.com
Sat Sep 3 13:39:46 UTC 2011


On 9/2/2011 4:46 PM, andrew at torproject.org wrote:
> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin at averysmallbird.com wrote 4.5K bytes in 109 lines about:
> : According to a number of bloggers(1), torproject.org was include among those
>
> Here's another blogger for your list,
> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
Thanks for all replies on this.  I read over several linked articles.  
Honestly, many avg users won't / can't take time to read it all & may 
not understand it.

Question - obviously, Tor isn't the only software or site that could be 
targeted.  What's to prevent necessity of verifying signatures on every 
d/l software, even mainstream, major developers (if they made it 
possible)?  And if they don't, why wouldn't users of other software be 
at same risk?  Just because we haven't heard about XYZ software & fake 
certificates, does that mean anything?  Sure, verifying Tor may be 
prudent, but what if users have to verify signatures on all software (if 
available)?  Unless it becomes a more automated process, avg users 
wouldn't devote that kind of time.

I'm just asking here - other than entities (gov'ts?) targeting anonymity 
software (for now) what prevents this issue from becoming widespread?  
If I download an update from MS - how do I know it's the authentic pkg 
from the real MS?  There's no authentication (or even checksums) for 
d/l Firefox, IE.  Only a small % of all developers offer these capabilities.