[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

andrew at torproject.org andrew at torproject.org
Sun Sep 4 04:30:52 UTC 2011


On Sat, Sep 03, 2011 at 02:27:47PM -0500, joebtfsplk at gmx.com wrote 4.2K bytes in 84 lines about:
: is about as technical as it gets.  My 1st impression w/ the process
: (& instructions on Tor page - verifying signatures) is, it will be
: over the avg users' heads, or more trouble / effort than they're
: willing to exert (possibly to their detriment).  I haven't tried the
: steps listed on Tor site, but seems pretty straightforward.

We made them copy and paste so new users can do it. I've watched people
in trainings successfully verify the signatures. We need a better model
for OS X and Windows, as neither system comes with gpg. Installing gobs
of software that doesn't come with verification to verify Tor is sort of
comical.

: down:  if it's a truly important step before installing any
: software, major developers need to make the verification process
: easier / more automated for avg users.

The other side to this is that users who do verify the software they
download will hopefully be vocal when the software fails to verify.

-- 
Andrew
pgp key: 0x74ED336B

