Re: Tor Project infrastructure updates in response to security breach

2010-01-22 Thread Paolo Palmieri
> You're right. I was considering addons.mozilla.org as the canonical
> source of the xpi, but still, that can be owned too. In fact, I just
> got a message from them informing me that they modified my torbutton
> 1.2.3 xpi to prevent it from being listed as compatible with FF3.6. So
> they see fit

Re: Tor Project infrastructure updates in response to security breach

2010-01-22 Thread Mike Perry
Thus spake Paolo Palmieri (palma...@gmx.it):
> Sorry, but I have to point out that none of the proposed solutions really
> works, and both are actually quite bad from the security point of view.
>
> "Fetch it over SSL" doesn't give the user any guarantee about the
> authenticity of the file. Actua

Re: Tor Project infrastructure updates in response to security breach

2010-01-22 Thread Paolo Palmieri
>> Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg
>> sign .xpis, but have been sloppy about posting them publicly.
>
>> For now, I think the right answer is "Fetch it over SSL" or "Check the
>> git/gpg sig".
>
> Could you make a point of publicly posting the .xpi gpg signa

Re: Tor Project infrastructure updates in response to security breach

2010-01-21 Thread Jim
Mike Perry wrote: Just as in the Tor repo, I gpg sign the Torbutton git tags. I also gpg sign .xpis, but have been sloppy about posting them publicly. For now, I think the right answer is "Fetch it over SSL" or "Check the git/gpg sig". Could you make a point of publicly posting the .xpi

Re: Tor Project infrastructure updates in response to security breach

2010-01-21 Thread Jacob Appelbaum
Mike Perry wrote: > > I suppose I could also create a rogue code signing certificate and > provide that over SSL for people to install, but then I wonder if > vanilla Firefox will reject my XPIs then because they are signed, but > with an "invalid" cert. > I have a few of those laying around. I

Re: Tor Project infrastructure updates in response to security breach

2010-01-21 Thread marcel
on Thu, Jan 21, 2010 at 02:09:42PM -0800, Mike Perry wrote:
> For now, I think the right answer is "Fetch it over SSL"

"Fetch it over SSL from addons.mozilla.org" (the Mozilla Foundation obviously did bend over)

/marcel

Re: Tor Project infrastructure updates in response to security breach

2010-01-21 Thread Mike Perry
Thus spake Paolo Palmieri (palma...@gmx.it):
> > would it make sense to sign the torbutton xpi's?
>
> Actually, I've always been quite amazed by the fact that TorButton's
> .xpi (binary?) files are not signed.
>
> I'd really like to see this implemented in the future.

Just as in the Tor repo, I

Re: Tor Project infrastructure updates in response to security breach

2010-01-21 Thread Harry Hoffman
Hi Roger, Thanks for the detailed explanation. It's always interesting to hear about how others go into the "verification route" when a compromise happens. Do you know the nature of the compromise? Was it against Tor itself or one of the other services running on the Directory Authorities? J

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Paolo Palmieri
> would it make sense to sign the torbutton xpi's?

Actually, I've always been quite amazed by the fact that TorButton's .xpi (binary?) files are not signed.

I'd really like to see this implemented in the future.

Thanks, Paolo

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread grarpamp
ok, cool. thx guys. would it make sense to sign the torbutton xpi's? and torsocks? perhaps since it all comes from the same git repo it isn't necessary.

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Sebastian Hahn
On Jan 21, 2010, at 6:25 AM, grarpamp wrote: As I wrote someone earlier... It would be easier to just sign the git revision hashes at various intervals. Such as explicitly including the revision hash that each release is made from in the release docs itself. And then signing that release. Th

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Roger Dingledine
On Thu, Jan 21, 2010 at 12:25:08AM -0500, grarpamp wrote:
> It would be easier to just sign the git revision hashes at various intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone.

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread grarpamp
As I wrote someone earlier... It would be easier to just sign the git revision hashes at various intervals. Such as explicitly including the revision hash that each release is made from in the release docs itself. And then signing that release. That way everyone... git repo maintainers, devels, mir

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Roger Dingledine
On Wed, Jan 20, 2010 at 11:12:29PM -0500, Peter Thoenen wrote:
> > In early January we discovered that two of the seven directory
> > authorities were compromised (moria1 and gabelmoo), along with
> > metrics.torproject.org, a new server we'd recently set up to serve
> > metrics data and graphs. Th

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Peter Thoenen
> In early January we discovered that two of the seven directory
> authorities were compromised (moria1 and gabelmoo), along with
> metrics.torproject.org, a new server we'd recently set up to serve
> metrics data and graphs. The three servers have since been reinstalled
> with service migrated to

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Roger Dingledine
On Wed, Jan 20, 2010 at 04:43:44PM -0500, Roger Dingledine wrote:
> In early January we discovered that two of the seven directory
> authorities were compromised (moria1 and gabelmoo), along with
> metrics.torproject.org

Here are some more technical details about the potential impacts, for those w

Re: Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Harry Hoffman
When you guys have finished the assessment will you be releasing details of how the compromise happened?

Cheers, Harry

On Wed, 2010-01-20 at 16:43 -0500, Roger Dingledine wrote:
> You should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha:
> https://www.torproject.org/download.html.en
>
> In early Janu

Tor Project infrastructure updates in response to security breach

2010-01-20 Thread Roger Dingledine
You should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha:
https://www.torproject.org/download.html.en

In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics