[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
Lee
ler762 at gmail.com
Sat Sep 3 18:10:18 UTC 2011
On 9/3/11, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
> On 9/2/2011 4:46 PM, andrew at torproject.org wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, collin at averysmallbird.com wrote
>> 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included among those
>>
>> Here's another blogger for your list,
>> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
> Thanks for all replies on this. I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
>
> Question - obviously, Tor isn't the only software or site that could be
> targeted. What's to prevent the necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)? And if they don't, why wouldn't users of other software be
> at the same risk? Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything? Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)?
These are all rhetorical questions - right?
> Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.
And your point is ... what? I used to not bother locking my car at
home. Someone stole everything in my car one night so now I always
lock it. ^shrug^ If the average user gets concerned enough about
security they'll take the time.
> I'm just asking here - other than entities (gov'ts?) targeting anonymity
> software (for now) what prevents this issue from becoming widespread?
I haven't heard of anyone being able to create a fake cert. As far as
I know, they've all been bought or stolen from trusted CAs. So how
much do you trust all those CAs in your browser certificate store?
After the Comodo [? from memory - not bothering to check] certificate
kerfuffle I deleted all the non-US CAs from IE.
> If I download an update from MS - how do I know it's the authentic pkg
> from the real MS?
http://www.truecrypt.org/digital-sig-note
> There's no authentication (or even check sums) for
> d/l Firefox, IE.
There is on Windows ... see the truecrypt page.
> Only a small % of all developers offer these capabilities.
If you're concerned about it, ask the developers to offer the capabilities.
Lee
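As an added example (not from this thread, and not TrueCrypt's page), the two checks Lee points at on Windows, in PowerShell: verifying the Authenticode signature on a downloaded package, including who actually signed it, and listing the root CAs the machine (and therefore IE) trusts, grouped by the subject country. The cmdlets are standard; the file path and the publisher pattern are placeholders.

```powershell
function Test-DownloadSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Regex the leaf certificate Subject must match; the default is a placeholder.
        [string]$ExpectedSubjectPattern = 'O=Example Publisher Inc'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{ File = $Path; Status = $sig.Status; Signer = $null; Chain = @(); Ok = $false }
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch (file altered after signing) and a chain that does
        # not end in a trusted root (typically UnknownError) all stop here.
        $result.Status = "$($sig.Status): $($sig.StatusMessage)"
        return [pscustomobject]$result
    }
    $leaf = $sig.SignerCertificate
    $result.Signer = $leaf.Subject
    # Build and record the chain so the issuing CA is visible; which roots are
    # accepted here is exactly what the machine's trust store decides.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $null = $chain.Build($leaf)
    $result.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    # "Valid" only proves integrity and a trusted chain. The signer must also be the
    # publisher you expected, otherwise any code-signing certificate would pass.
    $result.Ok = ($leaf.Subject -match $ExpectedSubjectPattern)
    return [pscustomobject]$result
}

# IE and other Windows software trust the certificates in the Root stores; this
# lists them with the two-letter country from each subject, the view Lee was pruning.
function Get-TrustedRootsByCountry {
    param([string]$StoreLocation = 'LocalMachine')   # or 'CurrentUser'
    Get-ChildItem "Cert:\$StoreLocation\Root" | ForEach-Object {
        $country = if ($_.Subject -match '(?:^|, )C=([A-Za-z]{2})') { $Matches[1].ToUpper() } else { 'n/a' }
        [pscustomobject]@{
            Country    = $country
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
        }
    } | Sort-Object Country, Subject
}

# Usage (path and publisher pattern are placeholders):
# Test-DownloadSignature -Path 'C:\Downloads\installer.exe' -ExpectedSubjectPattern 'O=Example Publisher Inc'
# Get-TrustedRootsByCountry | Group-Object Country | Sort-Object Count -Descending
```

Treat a returned object with Ok = $false as "do not run", whatever the Status says; the Chain list tells you which CA your trust actually rests on.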