On 9/3/11, Joe Btfsplk <joebtfs...@gmx.com> wrote:
> On 9/2/2011 4:46 PM, and...@torproject.org wrote:
>> On Fri, Sep 02, 2011 at 01:31:53PM -0400, col...@averysmallbird.com wrote
>> 4.5K bytes in 109 lines about:
>> : According to a number of bloggers(1), torproject.org was included among
>> those
>>
>> Here's another blogger for your list,
>> https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
>
> Thanks for all replies on this. I read over several linked articles.
> Honestly, many avg users won't / can't take time to read it all & may
> not understand it.
>
> Question - obviously, Tor isn't the only software or site that could be
> targeted. What's to prevent necessity of verifying signatures on every
> d/l software, even mainstream, major developers (if they made it
> possible)? And if they don't, why wouldn't users of other software be
> at same risk? Just because we haven't heard about XYZ software & fake
> certificates, does that mean anything? Sure, verifying Tor may be
> prudent, but what if users have to verify signatures on all software (if
> available)?
These are all rhetorical questions - right?

> Unless it becomes a more automated process, avg users
> wouldn't devote that kind of time.

And your point is ... what? I used to not bother locking my car at home. Someone stole everything in my car one night so now I always lock it. ^shrug^ If the average user gets concerned enough about security they'll take the time.

> I'm just asking here - other than entities (gov'ts?) targeting anonymity
> software (for now) what prevents this issue from becoming widespread?

I haven't heard of anyone being able to create a fake cert. As far as I know, they've all been bought or stolen from trusted CAs. So how much do you trust all those CAs in your browser certificate store? After the Comodo [? from memory - not bothering to check] certificate kerfuffle I deleted all the non-US CAs from IE.

> If I download an update from MS - how do I know it's the authentic pkg
> from the real MS?

http://www.truecrypt.org/digital-sig-note

> There's no authentication (or even check sums) for
> d/l Firefox, IE.

There is on Windows .. see the truecrypt page.

> Only a small % of all developers offer these capabilities.

If you're concerned about it, ask the developers to offer the capabilities.

Lee
_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
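As an added example that is not part of Lee's message or the thread: a PowerShell check for the Windows Authenticode case Lee points to, which pins the expected publisher's certificate rather than accepting any signature that chains to a CA in the local store (the trust question raised about the DigiNotar and Comodo incidents). The installer path and the thumbprint are placeholders, and the optional SHA-256 value is assumed to be published by the developer out of band.

```powershell
# Added example, not from the thread. Verifies a downloaded installer's
# Authenticode signature AND pins the signer, so a signature made with some
# other CA-issued certificate is still rejected even though Windows calls it Valid.
function Test-PinnedAuthenticode {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-1 thumbprint of the publisher's code-signing cert (assumed known in advance)
        [Parameter(Mandatory)] [string] $ExpectedThumbprint,
        # Optional: SHA-256 of the file as published by the developer out of band
        [string] $ExpectedSha256
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' only means the file hash matches and the chain ends in a trusted root.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status: $($sig.Status)" }
    }

    # Any cert issued by any CA in the store would pass the step above; pin the real signer.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -ne $ExpectedThumbprint) {
        $subject = $sig.SignerCertificate.Subject
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer $thumb ($subject)" }
    }

    # Independent second check: the checksum the developer published.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            return [pscustomobject]@{ Ok = $false; Reason = "sha256 mismatch: $actual" }
        }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "signed by $($sig.SignerCertificate.Subject)" }
}

# Placeholder values; replace with the real download and the publisher's known thumbprint.
$result = Test-PinnedAuthenticode -Path 'C:\Downloads\installer.exe' `
    -ExpectedThumbprint 'PLACEHOLDER_PUBLISHER_THUMBPRINT'
if (-not $result.Ok) { Write-Error $result.Reason } else { Write-Output $result.Reason }
```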