Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread Achter Lieber
> - Original Message -
> From: Roger Dingledine
> Sent: 09/01/11 03:47 PM
> To: tor-talk@lists.torproject.org
> Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
>
> For those who haven't been following, check out
> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
>
> You should pay special attention if you're in an environment where your ISP
> (or your government!) might try a man-in-the-middle attack on your interactions
> with https://www.torproject.org/. We stepped up our schedule for switching the
> Tor Browser Bundle to Firefox 6 (which we can build from source on all
> platforms, and thus remove the offending CA ourselves). New bundles are out
> now: https://blog.torproject.org/blog/new-tor-browser-bundles-4
>
> Perhaps now is a great time for you to learn how to verify the signatures on
> Tor packages you download: https://www.torproject.org/docs/verifying-signatures
>
> --Roger

Hello Roger. Is it possible to check the signatures for the Browser bundle, which I
use on a USB with Windows but check the signatures from my Mac? I only use
internet cafe computers as they are so readily available where I live, are much
faster than what I have been able to purchase for an ISP provider from my home and
many times just isn't working. Don't know if that is possible to do from Mac on
.exe files or whatever. Not real savvy here. Sorry.
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread Joe Btfsplk

On 9/2/2011 7:55 AM, Achter Lieber wrote:

> - Original Message -
> From: Roger Dingledine
> Sent: 09/01/11 03:47 PM
> To: tor-talk@lists.torproject.org
> Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)
>
> New bundles are out now:
> https://blog.torproject.org/blog/new-tor-browser-bundles-4 Perhaps now is a
> great time for you to learn how to verify the signatures on Tor packages you
> download: https://www.torproject.org/docs/verifying-signatures

Is it really a risk, d/l Tor or TBB directly from Tor Project's site,
that verifying signatures is necessary?  What is the reasoning here - if
getting files from Tor Project server?




Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread Joe Btfsplk

On 9/2/2011 9:57 AM, David Carlson wrote:

> On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
>
>> Is it really a risk, d/l Tor or TBB directly from Tor Project's site,
>> that verifying signatures is necessary?  What is the reasoning here -
>> if getting files from Tor Project server?
>
> I believe that the point of Roger's message was that you or I may not
> really be downloading the package from TorProject, if we are using SSL
> that is authenticated to a fake certificate.

Thanks.  I'm sure many would appreciate a bit more explanation what
"...if we are using SSL that is authenticated..." means, in this case.



Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread David Carlson
On 9/2/2011 9:28 AM, Joe Btfsplk wrote:
> On 9/2/2011 7:55 AM, Achter Lieber wrote:
>> - Original Message -
>> From: Roger Dingledine
>> Sent: 09/01/11 03:47 PM
>> To: tor-talk@lists.torproject.org
>> Subject: [tor-talk] Dutch CA issues fake *.torproject.org cert (among
>> many others)
>>
>>   New bundles are out now:
>> https://blog.torproject.org/blog/new-tor-browser-bundles-4 Perhaps
>> now is a great time for you to learn how to verify the signatures on
>> Tor packages you download:
>> https://www.torproject.org/docs/verifying-signatures
> Is it really a risk, d/l  Tor or TBB directly from Tor Project's site,
> that verifying signatures is necessary?  What is the reasoning here -
> if getting files from Tor Project server?
>
>
I believe that the point of Roger's message was that you or I may not
really be downloading the package from TorProject, if we are using SSL
that is authenticated to a fake certificate.

I do not use a Mac, but I was able to use GPA and Kleopatra in Windows
to verify that the bundles I downloaded were signed by Erinn. In
<https://www.torproject.org/docs/verifying-signatures>
the procedure for verification spelled out for use on a Mac should work
to verify files containing Windows code. The procedure applies to the
verification computer, not the target computer.

David Carlson



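The verification step David describes, as an added example (not code from any poster or from the Tor Project's own documentation): a POSIX shell function that runs gpg --verify over a downloaded bundle and its detached .asc signature, then pins the signing key's full fingerprint so that a valid signature from some other key is still rejected. It runs on whichever machine does the checking, whether or not it can execute the file, which is the point made above about verifying a Windows .exe from a Mac. EXPECTED_FPR is a placeholder; the real fingerprint has to come from the verifying-signatures page, not from the download itself.

```shell
#!/bin/sh
# Added example: verify a downloaded Tor package against its detached OpenPGP
# signature and pin the signer's full fingerprint (40 hex digits, no spaces).
#
# Usage: verify_tor_package <package> <package.asc> <expected-fingerprint>
# Returns 0 on success, 1 on a bad or unexpected signature, 2 if a file is
# missing, 3 if gpg is not installed.
verify_tor_package() {
    pkg="$1"; sig="$2"; expected_fpr="$3"

    [ -f "$pkg" ] && [ -f "$sig" ] || { echo "missing package or signature" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }

    # --status-fd 1 makes gpg print machine-readable status lines on stdout;
    # a good signature yields "[GNUPG:] VALIDSIG <fingerprint> ...".
    # gpg exits non-zero on a bad signature or an unknown signing key.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) \
        || { echo "signature did not verify" >&2; return 1; }

    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')

    # A valid signature alone is not enough: it must come from the key whose
    # fingerprint was obtained out of band, otherwise a bundle signed by some
    # other key (for example one fetched along with a substituted download)
    # would pass.
    [ -n "$fpr" ] && [ "$fpr" = "$expected_fpr" ] \
        || { echo "signed by unexpected key: ${fpr:-none}" >&2; return 1; }

    echo "OK: $pkg carries a valid signature from $fpr"
}

# Placeholder value; replace it with the fingerprint published at
# https://www.torproject.org/docs/verifying-signatures before use.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Example invocation against a downloaded Windows bundle (file names assumed):
# verify_tor_package tor-browser.exe tor-browser.exe.asc "$EXPECTED_FPR"
```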


Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread Seth David Schoen
Joe Btfsplk writes:

> Is it really a risk, d/l  Tor or TBB directly from Tor Project's
> site, that verifying signatures is necessary?  What is the reasoning
> here - if getting files from Tor Project server?

How do you know it was really the Tor Project server?

-- 
Seth Schoen  
Senior Staff Technologist   https://www.eff.org/
Electronic Frontier Foundation  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107


Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread Joe Btfsplk

On 9/2/2011 12:11 PM, Seth David Schoen wrote:

> Joe Btfsplk writes:
>
>> Is it really a risk, d/l Tor or TBB directly from Tor Project's
>> site, that verifying signatures is necessary?  What is the reasoning
>> here - if getting files from Tor Project server?
>
> How do you know it was really the Tor Project server?

I'm not sure.  How do I know when I open an HTTPS bookmark link to my
bank, that it's my bank?  I don't go through a (manual) signature
verification process when signing in, or d/l anything from a bank, CC or
investment company.  Are you answering a question w/ a question?  I
asked 1st :)




Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread Collin Anderson
According to a number of bloggers(1), torproject.org was included among those
domains targeted in the certificate breach. In at least the case of Google,
these certificates have been offered to Iranian Internet users by a number
of ISPs, in a number of cities.

Risk is a product of situation, and if you are in Iran, Syria, Belarus, et
al, I would exercise at least that level of caution.

(1)
http://www.nu.nl/internet/2603449/mogelijk-nepsoftware-verspreid-naast-aftappen-gmail.html

On Fri, Sep 2, 2011 at 1:11 PM, Seth David Schoen  wrote:

> Joe Btfsplk writes:
>
> > Is it really a risk, d/l  Tor or TBB directly from Tor Project's
> > site, that verifying signatures is necessary?  What is the reasoning
> > here - if getting files from Tor Project server?
>
> How do you know it was really the Tor Project server?
>
> --
> Seth Schoen  
> Senior Staff Technologist   https://www.eff.org/
> Electronic Frontier Foundation  https://www.eff.org/join
> 454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
>



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.


Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

2011-09-02 Thread andrew
On Fri, Sep 02, 2011 at 01:31:53PM -0400, col...@averysmallbird.com wrote 4.5K 
bytes in 109 lines about:
: According to a number of bloggers(1), torproject.org was include among those

Here's another blogger for your list, 
https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it

-- 
Andrew
pgp key: 0x74ED336B


[tor-talk] TBB + vanilla Firefox

2011-09-02 Thread Julian Yon
Hi,

I'm new to this list so please forgive any breaches of etiquette.

I've been using Firefox + Torbutton for a while, but decided to switch
to TBB so I could better keep Tor/non-Tor sessions separated. I
understand you've just switched to FF6 and there will be bugs to iron
out, but...

If I have a TBB session open, and I try to fire up a vanilla Firefox for
some non-anonymous purpose, it detects the remote session and I get a
new Aurora window instead. This seems rather unintuitive; at least, it's
not what I expected. And it seems dangerous. Yes, one can specify
-no-remote, but that's not the point.

Sadly I'm not familiar with the FF code or I'd do something about it
myself. So I thought I'd just draw attention to it instead.

Regards,
Julian


