[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

Joe Btfsplk joebtfsplk at gmx.com
Sat Sep 3 19:27:47 UTC 2011


On 9/3/2011 11:00 AM, Netizio wrote:
>> I'm just asking here - other than entities (gov'ts?) targeting anonymity
>> software (for now) what prevents this issue from becoming widespread?
>> If I download an update from MS - how do I know it's the authentic pkg
>> from the real MS?  There's no authentication (or even check sums) for
>> d/l Firefox, IE.  Only a small % of all developers offer these
>> capabilities.
> Hi, AFAIK Microsoft does an automated hash or signature check in the
> background to test that your downloaded packages are unmanipulated.
> Mozilla offers you md5 sums and - more recommended - sha1 sums along
> with the official key to check the integrity of downloads:
>
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/6.0.1/
>
> Greetings,
>
> Netizio
Thanks Netizio & others.  Clarification - check sums & verifying 
signatures are completely different animals - yes?  I'm getting more 
educated on signature verification, but more questions are popping up as 
well.  Netizio, when you're right, you're right.  I had never seen the 
page for Mozilla w/ a "key", MD5s, SHA1s.  You don't see it on their 
main d/l page - least I never have.

I'm asking these questions, because others that don't know are afraid to 
raise their hands.  What you don't know CAN hurt you.  I haven't used 
signature verification before, but my education field is about as 
technical as it gets.  My 1st impression w/ the process (& instructions 
on Tor page - verifying signatures) is, it will be over the avg users' 
heads, or more trouble / effort than they're willing to exert (possibly 
to their detriment).  I haven't tried the steps listed on Tor site, but 
seems pretty straightforward.

Q-1:  on the Mozilla link above, the "Key" says

> This file contains the PGP keys of various developers that work on
> Mozilla and its subprojects (such as Firefox and Thunderbird).
Obviously, they assume anyone looking at that page & info will know 
exactly what to do w/ it.   I don't.  Would the process of using the 
data on their "Key" page be same as described on Tor Project's 
"Verifying Signatures" page?

Jeroen, thanks for links, but I was talking about more automated 
signature verification.  I think those were more for check sums - yes?  
Still, good info.

Lee:
> These are all rhetorical questions - right?
No.  I understand Tor Project's main concern is Tor / TBB.  I fail to 
understand why the issue / problem being discussed is in any way limited 
to Tor or a few softwares.  It seems like if it is, or could be a 
serious concern for Tor users, it could be for users of any software.  
My contention was, few are going to go to the trouble to verify 
signatures, by the process that currently exists (if signatures for 
everything existed - & it appears they SHOULD - but don't).

So, either it's a major concern & a LOT of people are going to get 
"infected" because they can't follow the procedures to verify 
signatures, or they won't take the time; OR it's not that big a risk for avg 
users.  I might use the process, but a lot of people won't even 
understand the words, much less take the time.  Boiled down:  if it's a 
truly important step before installing any software, major developers 
need to make the verification process easier / more automated for avg users.

If it's as serious & imminent a danger as the bloggers & some Tor 
developers indicated, either major software developers will find a way 
to protect avg users, or the internet could eventually become like 
walking the streets of El Paso & Juarez, alone at night.  For those not 
familiar, I've been told by people w/ family there or have visited, drug 
cartels have basically taken over & no "decent" folk are out after dark.

Lee:
> Only a small % of all developers offer these capabilities.
> if you're concerned about it, ask the developers to offer the capabilities.
Should I be concerned?  Are you?  Is Tor or browsers the only software 
susceptible to fake certificates?  Mozilla / Google have taken 
corrective steps.  What about all the other apps?  I have no idea how 
concerned I should be, but snippy answers don't contribute to the 
discussion.
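Added example (not code from this thread, from Mozilla or from the Tor Project): a small Python script, standard library only, that models the "check sums vs. signatures" distinction raised above. It parses the `<hexdigest>  <filename>` format that md5sum/sha1sum/sha256sum and the *SUMS files on release mirrors use, verifies a download against it, and then shows why a checksum fetched from the same location as the file only proves integrity: when the package is swapped, the sums file beside it can be rewritten to match, and the check still passes. That gap is exactly what a signature over the digests, verified against a key obtained elsewhere (the "Key" file, the Tor "Verifying Signatures" page), is meant to close; the signature step itself is not modelled here. All file bytes, names and digests are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data (not real Mozilla release bytes or digests): the
# package a user downloaded and the SHA256SUMS-style file published beside it.
GENUINE_PKG = b"constructed stand-in for firefox-6.0.1.tar.bz2\n"
PKG_NAME = "firefox-6.0.1.tar.bz2"
SUMS_TEXT = (
    hashlib.sha256(GENUINE_PKG).hexdigest() + "  " + PKG_NAME + "\n"
    + hashlib.sha1(b"constructed other file").hexdigest() + "  other-file.tar.bz2\n"
)

# Digest length in hex characters -> algorithm, for the digest types published
# on mirrors then (MD5, SHA-1) and now (SHA-256).
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def infer_algo(hexdigest):
    """Guess the hash algorithm from a hex digest's length; None if unknown."""
    try:
        int(hexdigest, 16)
    except ValueError:
        return None
    return _HEX_LEN_TO_ALGO.get(len(hexdigest))


def parse_sums(text):
    """Parse '<hexdigest>  <filename>' lines (output format of md5sum/sha1sum/
    sha256sum and of the *SUMS files on mirrors) into {filename: hexdigest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # GNU tools prefix '*' for binary mode
        if name and infer_algo(digest):
            sums[name] = digest.lower()
    return sums


def verify_checksum(data, filename, sums_text):
    """True iff the digest of data matches the published digest for filename.
    This detects corruption or a swap of the file alone; it says nothing
    about who published the digest."""
    expected = parse_sums(sums_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(infer_algo(expected), data).hexdigest()
    return hmac.compare_digest(actual, expected)


def tampered_mirror_scenario():
    """Model why a checksum fetched from the same place as the download is
    integrity, not authentication. Returns three booleans:
      the genuine file passes the published sums,
      a swapped file is caught by the original sums,
      the same swapped file passes once the sums file beside it is rewritten."""
    swapped = b"constructed stand-in for a replaced package\n"
    rewritten_sums = hashlib.sha256(swapped).hexdigest() + "  " + PKG_NAME + "\n"
    return (
        verify_checksum(GENUINE_PKG, PKG_NAME, SUMS_TEXT),
        not verify_checksum(swapped, PKG_NAME, SUMS_TEXT),
        verify_checksum(swapped, PKG_NAME, rewritten_sums),
    )


if __name__ == "__main__":
    print("parsed sums:", parse_sums(SUMS_TEXT))
    print("genuine ok, swap caught, swap passes with rewritten sums:",
          tampered_mirror_scenario())
```

The third result is the one that matters for the question in this thread: a matching checksum only tells you the file and the digest agree with each other, so the digest (or a file of digests) has to be authenticated separately, which is what the signature and the out-of-band key are for.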


