Roger Dingledine committed on 2011-09-10 12:37:34
Showing 1 changed file with 36 additions and 4 deletions.
... | ... |
@@ -12,6 +12,39 @@ |
12 | 12 |
<h1>How to verify signatures for packages</h1> |
13 | 13 |
<hr> |
14 | 14 |
|
15 |
+ <h3>What is a signature and why should I check it?</h3> |
|
16 |
+ <hr> |
|
17 |
+ |
|
18 |
+ <p>How do you know that the Tor program you have is really the |
|
19 |
+ one we made? Many Tor users have very real adversaries who might |
|
20 |
+ try to give them a fake version of Tor — and it doesn't matter |
|
21 |
+ how secure and anonymous Tor is if you're not running the real Tor.</p> |
|
22 |
+ |
|
23 |
+ <p>An attacker could try a variety of attacks to get you to download |
|
24 |
+ a fake Tor. For example, he could trick you into thinking some other |
|
25 |
+ website is a great place to download Tor. That's why you should |
|
26 |
+ always download Tor from <b>https</b>://www.torproject.org/. The |
|
27 |
+ https part means there's encryption and authentication between your |
|
28 |
+ browser and the website, making it much harder for the attacker |
|
29 |
+ to modify your download. But it's not perfect. Some places in the |
|
30 |
+ world block the Tor website, making users try somewhere else. Large |
|
31 |
+ companies sometimes force employees to use a modified browser, |
|
32 |
+ so the company can listen in on all their browsing. We've even <a |
|
33 |
+ href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a> |
|
34 |
+ attackers who have the ability to trick your browser into thinking |
|
35 |
+ you're talking to the Tor website with https when you're not.</p> |
|
36 |
+ |
|
37 |
+ <p>Some software sites list <a |
|
38 |
+ href="http://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1 |
|
39 |
+ hashes</a> alongside the software on their website, so users can |
|
40 |
+ verify that they downloaded the file without any errors. These |
|
41 |
+ "checksums" help you answer the question "Did I download this file |
|
42 |
+ correctly from whoever sent it to me?" They do a good job at making |
|
43 |
+ sure you didn't have any random errors in your download, but they |
|
44 |
+ don't help you figure out whether you were downloading it from the |
|
45 |
+ attacker. The better question to answer is: "Is this file that I |
|
46 |
+ just downloaded the file that Tor intended me to get?"</p> |
|
47 |
+ |
|
15 | 48 |
<p>Each file on <a href="<page download/download>">our download |
16 | 49 |
page</a> is accompanied by a file with the same name as the |
17 | 50 |
package and the extension ".asc". These .asc files are GPG |
... | ... |
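Review bot: The added section ends on the question "Is this file that I just downloaded the file that Tor intended me to get?" and then runs straight into the existing paragraph about ".asc" files, so the first half of the new heading ("What is a signature") is never answered in the added text. Add a closing sentence to the last new paragraph saying that the signature files described next are what answer that question. Separately, the sha1 link points at http://en.wikipedia.org/ in a section that tells readers to prefer https, so consider the https URL there, and consider &amp;mdash; in place of the literal dash character after "fake version of Tor" so the page does not depend on the file's encoding.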
@@ -23,10 +56,9 @@ |
23 | 56 |
<h3>Windows</h3> |
24 | 57 |
<hr> |
25 | 58 |
|
26 |
- <p>You need to have GnuPG installed |
|
27 |
- before you can verify signatures. Go to <a |
|
28 |
- href="http://www.gnupg.org/download/">http://www.gnupg.org/download/</a> |
|
29 |
- and look for the "version compiled for MS-Windows" under "Binaries".</p> |
|
59 |
+ <p>You need to have GnuPG installed before |
|
60 |
+ you can verify signatures. Download it from <a |
|
61 |
+ href="http://gpg4win.org/download.html">http://gpg4win.org/download.html</a>.</p> |
|
30 | 62 |
|
31 | 63 |
<p>Once it's installed, use GnuPG to import the key that signed your |
32 | 64 |
package. Since GnuPG for Windows is a command-line tool, you will need |
33 | 65 |
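Review bot: The new download link in the Windows paragraph, href="http://gpg4win.org/download.html", is plain http, so the tool the reader will use to verify Tor is itself fetched over a connection with none of the protections the new introduction describes for https. Use an https URL if the site serves one, or tell the reader how to check the GnuPG installer before trusting it. Also confirm that the context sentence that follows, "Since GnuPG for Windows is a command-line tool", still describes the package at the new link.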