Andrew Roffey writes: > michael ball: > > On *Tue Feb 3, Mike Ingle wrote:* > >> I don't have HTTPS because there is nothing secret on the site, and > >> because I don't place much trust in it > > > > i may be mistaken that it is kinda stupid not to use HTTPS on a > > website with downloads, as documents released by Ed Snowden show that > > the NSA has the capability of injecting malicious software into > > active EXE file downloads in realtime. > > Then GnuPG signatures would perhaps be more appropriate in this instance?
The Tor Project itself has found that users often don't verify GPG signatures on binaries (I think Mike Perry quoted some statistics about how often the Tor Browser binary had been downloaded in comparison to the .asc signature file -- it was orders of magnitude less often). That suggests to me that HTTPS should be used for software distribution authenticity even when there's a signature available; the importance of this only diminishes if the signature will be verified automatically before installation (like in some package managers). That's usually not the case for first-time installations of software downloaded from the web. (I don't think the Tor Project has studied _why_ the users didn't verify the signatures -- there are tons of possible reasons. But it's clear that most didn't, because the .asc file is so rarely downloaded.) -- Seth Schoen <sch...@eff.org> Senior Staff Technologist https://www.eff.org/ Electronic Frontier Foundation https://www.eff.org/join 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107 -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
