[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

Jim Jimmymac at copper.net
Sat Sep 3 14:59:47 UTC 2011


Roger Dingledine wrote:
> Perhaps now is a great time for you to learn how to verify the signatures
> on Tor packages you download:
> https://www.torproject.org/docs/verifying-signatures

I don't have a solution to this problem but I am raising it in case
somebody else does.  It's great that you not only sign your packages but
that the page above also lists the fingerprints of the signing keys.
But in case of a man-in-the-middle attack (or a compromised website) the
attacker could provide his own signatures for trojaned packages and then
display a page that shows the signature for *his* signing key(s) in
place of those for the real keys.

I presume the general method of solving this for PGP keys is to create a
chain of trust by signing the keys.  But it is not clear to me how that
would work for a project like Tor that distributes software to all
comers where "signing parties" and the like are out of the question.

Jim
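One concrete form of the missing piece Jim points at, as an added example that is not part of this thread: a verifier that checks the signature *and* requires the signer's fingerprint to match one pinned from a source independent of the download page, so a man-in-the-middle who swaps in his own key, signature and fingerprint page still fails. Ed25519 and a SHA-256 key hash are used here as a stand-in for PGP keys and fingerprints; all keys and package bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// fingerprint returns the hex SHA-256 of a public key, standing in for the
// PGP fingerprint that the verifying-signatures page lists.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// verifyPackage accepts a package only if (1) the presented key's fingerprint
// matches one the user pinned out of band (a friend, a previous install, a
// printed copy), and (2) the signature verifies under that key. A valid
// signature under an unpinned key is rejected: that is the MITM case.
func verifyPackage(pkg, sig []byte, pub ed25519.PublicKey, pinned string) error {
	if fp := fingerprint(pub); fp != pinned {
		return fmt.Errorf("signer fingerprint %s... does not match pinned %s...", fp[:16], pinned[:16])
	}
	if !ed25519.Verify(pub, pkg, sig) {
		return fmt.Errorf("signature does not verify under the pinned key")
	}
	return nil
}

func main() {
	// Constructed keys: the genuine project key and an attacker's key.
	realPub, realPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := fingerprint(realPub) // learned out of band, not from the served page

	pkg := []byte("tor-browser-bundle (constructed sample bytes)")
	trojan := []byte("tor-browser-bundle plus malware (constructed sample bytes)")

	// Genuine package, genuine signature, pinned key: accepted.
	fmt.Println(verifyPackage(pkg, ed25519.Sign(realPriv, pkg), realPub, pinned))
	// MITM serves a trojaned package, a valid signature under his own key, and a
	// page showing his own fingerprint. The out-of-band pin defeats the swap.
	fmt.Println(verifyPackage(trojan, ed25519.Sign(evilPriv, trojan), evilPub, pinned))
}
```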


