## translation metadata
# Revision: $Revision$
# Translation-Priority: 2-medium
#include "head.wmi" TITLE="Tor Project: Verifying Signatures" CHARSET="UTF-8"
<div id="content" class="clearfix">
<div id="maincol">
<h1>How to verify signatures for packages</h1>
<hr>
<h3>What is a signature and why should I check it?</h3>
<hr>
<p>How do you know that the Tor program you have is really the
one we made? Many Tor users have very real adversaries who might
try to give them a fake version of Tor — and it doesn't matter
how secure and anonymous Tor is if you're not running the real Tor.</p>
<p>An attacker could try a variety of attacks to get you to download
a fake Tor. For example, he could trick you into thinking some other
website is a great place to download Tor. That's why you should
always download Tor from <b>https</b>://www.torproject.org/. The
https part means there's encryption and authentication between your
browser and the website, making it much harder for the attacker
to modify your download. But it's not perfect. Some places in the
world block the Tor website, making users try <a href="<page
docs/faq>#GetTor">somewhere else</a>. Large
companies sometimes force employees to use a modified browser,
so the company can listen in on all their browsing. We've even <a
href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
attackers who have the ability to trick your browser into thinking
you're talking to the Tor website with https when you're not.</p>
<p>Some software sites list <a
href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">SHA-1
hashes</a> alongside the software on their website, so users can
verify that they downloaded the file without any errors. These
"checksums" help you answer the question "Did I download this file
correctly from whoever sent it to me?" They do a good job of making
sure you didn't have any random errors in your download, but they
don't help you figure out whether you were downloading it from the
attacker. The better question to answer is: "Is this file that I
just downloaded the file that Tor intended me to get?"</p>
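<p>The gap between those two questions, shown in an added Python example (not part of the original page or the Tor Project's code): a checksum listed next to a file catches a corrupted download but also passes for a substituted file, while a signature checked against a separately obtained key rejects both. The toy RSA key, the sample byte strings and all function names are assumptions made for the illustration; the key is far too small for real use.</p>

```python
import hashlib

# Toy RSA key from two Mersenne primes: constructed, far too small for real use.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the publisher holds it
PUBLIC_KEY = (N, E)                 # assumed to reach the user out of band

def digest_int(data, n):
    """SHA-256 of the file, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data):
    """Publisher side: requires the private exponent D."""
    return pow(digest_int(data, N), D, N)

def checksum_ok(download, listed_checksum):
    """Checksum check: whoever serves the file also serves the checksum."""
    return hashlib.sha256(download).hexdigest() == listed_checksum

def signature_ok(download, signature, public_key):
    """Signature check: passes only for bytes signed with the matching private key."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(download, n)

def run_cases():
    genuine = b"tor bundle bytes (constructed sample)"
    fake = b"substituted bundle bytes (constructed sample)"
    listed = hashlib.sha256(genuine).hexdigest()
    sig = sign(genuine)
    corrupted = genuine[:-1] + b"?"   # random transfer error
    # A substituted site lists a checksum for its own file. Without D it
    # cannot sign that file, so the genuine signature is all it can offer.
    fake_listed = hashlib.sha256(fake).hexdigest()
    return {
        "genuine": (checksum_ok(genuine, listed),
                    signature_ok(genuine, sig, PUBLIC_KEY)),
        "corrupted": (checksum_ok(corrupted, listed),
                      signature_ok(corrupted, sig, PUBLIC_KEY)),
        "substituted": (checksum_ok(fake, fake_listed),
                        signature_ok(fake, sig, PUBLIC_KEY)),
    }

if __name__ == "__main__":
    for case, (chk, sig_ok) in run_cases().items():
        print(f"{case:12} checksum_ok={chk!s:5} signature_ok={sig_ok}")
```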
<h3>Where do I get the signatures and the keys that made them?</h3>
<hr>
<p>Each file on <a href="<page download/download>">our download