[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

Netizio netizio at t-online.de
Sat Sep 3 16:00:21 UTC 2011


> I'm just asking here - other than entities (gov'ts?) targeting anonymity
> software (for now) what prevents this issue from becoming widespread? 
> If I download an update from MS - how do I know it's the authentic pkg
> from the real MS?  There's no authentication (or even check sums) for
> d/l Firefox, IE.  Only a small % of all developers offer these
> capabilities. 

Hi, AFAIK Microsoft does an automated hash or signature check in the
background to test that your downloaded packages are unmanipulated.
Mozilla offers you md5 sums and - more recommended - sha1 sums along
with the offical key to check the integrity of downloads:

http://releases.mozilla.org/pub/mozilla.org/firefox/releases/6.0.1/

Greetings,

Netizio



More information about the tor-talk mailing list