tor-webwml.git

@@ -12,24 +12,44 @@

     <h1>How to verify signatures for packages</h1>

     <hr>

+    <p>Digital signature is a process ensuring that a certain package was

+    generated by its developers and has not been tampered with. Below we explain

+    why it is important and how to verify that the Tor program you download is

+    the one we have created and has not been modified by some attacker.</p>

+

+    <p>Digital signature is a cryptographic mechanism. If you want to learn more

+    about how it works see <a href="https://www.gnupg.org/documentation/">

+    https://www.gnupg.org/documentation/</a>.</p>

+

     <h3>What is a signature and why should I check it?</h3>

     <hr>

-    <p>How do you know that the Tor program you have is really the

-    one we made? Many Tor users have very real adversaries who might

-    try to give them a fake version of Tor — and it doesn't matter

-    how secure and anonymous Tor is if you're not running the real Tor.</p>

+    <p>How do you know that the Tor program you have is really the one we made?

+    Digital signatures ensure that the package you are downloading was created by

+    our developers. It uses a cryptographic mechanism which outputs a sequence of

+    characters that is always the same unless the software has not been tampered

+    with.</p>

+

+    <p>For many Tor users it is important to verify that the Tor software is authentic

+    as they have very real adversaries who might try to give them a fake version

+    of Tor.</p>

-    <p>An attacker could try a variety of attacks to get you to download

-    a fake Tor. For example, he could trick you into thinking some other

+    <p>If the Tor package has been modified by some attacker it is not safe to use.

+    It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>

+

+    <p>There are a variety of attacks that can be used to make you download a fake

+    version of Tor. For example, an attacker could trick you into thinking some other

     website is a great place to download Tor. That's why you should

-    always download Tor from <b>https</b>://www.torproject.org/. The

-    https part means there's encryption and authentication between your

-    browser and the website, making it much harder for the attacker

+    always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>

+

+    <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.

+    Https is the secure version of the http protocol which uses encryption and authentication between your

+    browser and the website. This makes it much harder for the attacker

     to modify your download. But it's not perfect. Some places in the

-    world block the Tor website, making users try <a href="<page

-    docs/faq>#GetTor">somewhere else</a>. Large

-    companies sometimes force employees to use a modified browser,

+    world block the Tor website, making users to download Tor <a href="<page

+    docs/faq>#GetTor">somewhere else</a>.</p>

+

+    <p>Large companies sometimes force employees to use a modified browser,

     so the company can listen in on all their browsing. We've even <a

     href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>

     attackers who have the ability to trick your browser into thinking

@@ -93,8 +113,8 @@

     <p>To verify the signature of the package you downloaded, you will need

     to download the ".asc" file as well. Assuming you downloaded the

     package and its signature to your Desktop, run:</p>

-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify

-    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc

+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \

+    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \

     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>

     <p>The output should say "Good signature": </p>

     <pre>