Browse code

add some introduction paragraphs. we still need explain that fetching tbb, our sig, and our key from the same place is not going to do what you want.

Roger Dingledine authored on 10/09/2011 12:37:34
Showing 1 changed files
... ...
@@ -12,6 +12,39 @@
12 12
     <h1>How to verify signatures for packages</h1>
13 13
     <hr>
14 14
 
15
+    <h3>What is a signature and why should I check it?</h3>
16
+    <hr>
17
+
18
+    <p>How do you know that the Tor program you have is really the
19
+    one we made? Many Tor users have very real adversaries who might
20
+    try to give them a fake version of Tor &mdash; and it doesn't matter
21
+    how secure and anonymous Tor is if you're not running the real Tor.</p>
22
+
23
+    <p>An attacker could try a variety of attacks to get you to download
24
+    a fake Tor. For example, he could trick you into thinking some other
25
+    website is a great place to download Tor. That's why you should
26
+    always download Tor from <b>https</b>://www.torproject.org/. The
27
+    https part means there's encryption and authentication between your
28
+    browser and the website, making it much harder for the attacker
29
+    to modify your download. But it's not perfect. Some places in the
30
+    world block the Tor website, making users try somewhere else. Large
31
+    companies sometimes force employees to use a modified browser,
32
+    so the company can listen in on all their browsing. We've even <a
33
+    href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
34
+    attackers who have the ability to trick your browser into thinking
35
+    you're talking to the Tor website with https when you're not.</p>
36
+
37
+    <p>Some software sites list <a
38
+    href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
39
+    hashes</a> alongside the software on their website, so users can
40
+    verify that they downloaded the file without any errors. These
41
+    "checksums" help you answer the question "Did I download this file
42
+    correctly from whoever sent it to me?" They do a good job at making
43
+    sure you didn't have any random errors in your download, but they
44
+    don't help you figure out whether you were downloading it from the
45
+    attacker. The better question to answer is: "Is this file that I
46
+    just downloaded the file that Tor intended me to get?"</p>
47
+
15 48
     <p>Each file on <a href="<page download/download>">our download
16 49
     page</a> is accompanied by a file with the same name as the
17 50
     package and the extension ".asc". These .asc files are GPG
... ...
@@ -23,10 +56,9 @@
23 56
     <h3>Windows</h3>
24 57
     <hr>
25 58
 
26
-    <p>You need to have GnuPG installed
27
-    before you can verify signatures. Go to <a
28
-    href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a>
29
-    and look for the "version compiled for MS-Windows" under "Binaries".</p>
59
+    <p>You need to have GnuPG installed before
60
+    you can verify signatures. Download it from <a
61
+    href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p>
30 62
 
31 63
     <p>Once it's installed, use GnuPG to import the key that signed your
32 64
     package. Since GnuPG for Windows is a command-line tool, you will need