[tor-talk] How to verify the authenticity of the Torbutton xpi file

Jim Jimmymac at copper.net
Sun Sep 25 08:50:40 UTC 2011


tor at lists.grepular.com wrote:
> On 23/09/11 16:28, Michael Gomboc wrote:
> 
>> OK, I guess I know too less about PGP. So, if someone does not have the
>> private key, they cannot provide the right signature. So even if you
>> download the signature and the file from a fake page, you would notice
>> by checking the authenticity. Is that right?
> 
> That is correct. For example, I have signed this email with my private
> pgp key. I am the only person with access to that private key. The
> corresponding public key is available on the Internet for anyone to
> download, in several places. Anyone who has my public key can verify
> that this email was signed by me, and that it hasn't been tampered with.
> This is the same process used to sign Tor.

This is correct as far as it goes.  You can verify that the software 
that was downloaded was signed with a particular private key.  The problem 
is knowing whether that key, in fact, belongs to the Tor Project.
torproject.org does list the key they use on their web site.  The 
problem then returns back to knowing if the web page you are looking at 
to verify the key is the real one or a fake.  Which I believe is where 
the OP began.  How does he know if the web page is correct when he 
cannot trust the SSL certificate?

I seem to recall that one of the people from the Tor Project stated that
some browsers now have the correct Tor Project SSL certificate "baked
into them".  I don't have the time to go looking for that right now but
perhaps somebody can refresh all of our memories?

Regards,
Jim
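The two questions the thread keeps apart (does the signature match the file under the key that came with it, and is that key really the project's) shown as an added Go example; this is not code from the thread or from the Tor Project, and Ed25519 plus a SHA-256 digest of the key stands in for PGP and its key fingerprint. The file contents and the "trusted fingerprint learned out of band" are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download page hands out: the file, a detached signature
// over it, and the public key the page claims belongs to the project.
type Release struct {
	File, Signature []byte
	PubKey          ed25519.PublicKey
}

// Fingerprint stands in for a PGP key fingerprint: a digest of the key bytes
// that can be compared against a copy obtained somewhere other than the page.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Publish signs a file with a private key and bundles it the way a page would.
func Publish(priv ed25519.PrivateKey, file []byte) Release {
	return Release{File: file, Signature: ed25519.Sign(priv, file),
		PubKey: priv.Public().(ed25519.PublicKey)}
}

// Verify answers the two questions separately: sigOK says the signature is
// valid for the file under the key that came with it; keyOK says that key is
// the one whose fingerprint was trusted before the page was ever visited.
func Verify(rel Release, trustedFP string) (sigOK, keyOK bool) {
	sigOK = ed25519.Verify(rel.PubKey, rel.File, rel.Signature)
	keyOK = Fingerprint(rel.PubKey) == trustedFP
	return sigOK, keyOK
}

// Demo plays both situations from the thread: the genuine page, and a fake
// page that ships its own key next to a modified file. Keys are generated
// here; in practice the trusted fingerprint comes from an out-of-band source.
func Demo() (genuineSig, genuineKey, fakeSig, fakeKey bool) {
	projPub, projPriv, _ := ed25519.GenerateKey(rand.Reader) // project's key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)      // someone else's key
	trustedFP := Fingerprint(projPub)                        // learned out of band (constructed)
	genuine := Publish(projPriv, []byte("torbutton.xpi (constructed sample)"))
	fake := Publish(otherPriv, []byte("torbutton.xpi, modified (constructed)"))
	genuineSig, genuineKey = Verify(genuine, trustedFP)
	fakeSig, fakeKey = Verify(fake, trustedFP)
	return genuineSig, genuineKey, fakeSig, fakeKey
}

func main() {
	gs, gk, fs, fk := Demo()
	fmt.Printf("genuine page: signature valid=%v, key trusted=%v\n", gs, gk)
	fmt.Printf("fake page:    signature valid=%v, key trusted=%v\n", fs, fk)
}
```

The fake release passes the signature check just as cleanly as the genuine one; only the fingerprint comparison against a value that did not come from the page tells them apart.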
