Started updating verify signatures page
hiromipaw

hiromipaw committed on 2017-07-07 13:08:25
Showing 1 changed file with 34 additions and 14 deletions.

... ...
@@ -12,24 +12,44 @@
12 12
     <h1>How to verify signatures for packages</h1>
13 13
     <hr>
14 14
 
15
+    <p>Digital signature is a process ensuring that a certain package was
16
+    generated by its developers and has not been tampered with. Below we explain
17
+    why it is important and how to verify that the Tor program you download is
18
+    the one we have created and has not been modified by some attacker.</p>
19
+
20
+    <p>Digital signature is a cryptographic mechanism. If you want to learn more
21
+    about how it works see <a href="https://www.gnupg.org/documentation/">
22
+    https://www.gnupg.org/documentation/</a>.</p>
23
+
15 24
     <h3>What is a signature and why should I check it?</h3>
16 25
     <hr>
17 26
 
18
-    <p>How do you know that the Tor program you have is really the
19
-    one we made? Many Tor users have very real adversaries who might
20
-    try to give them a fake version of Tor &mdash; and it doesn't matter
21
-    how secure and anonymous Tor is if you're not running the real Tor.</p>
27
+    <p>How do you know that the Tor program you have is really the one we made?
28
+    Digital signatures ensure that the package you are downloading was created by
29
+    our developers. It uses a cryptographic mechanism which outputs a sequence of
30
+    characters that is always the same unless the software has not been tampered
31
+    with.</p>
32
+
33
+    <p>For many Tor users it is important to verify that the Tor software is authentic
34
+    as they have very real adversaries who might try to give them a fake version
35
+    of Tor.</p>
22 36
 
23
-    <p>An attacker could try a variety of attacks to get you to download
24
-    a fake Tor. For example, he could trick you into thinking some other
37
+    <p>If the Tor package has been modified by some attacker it is not safe to use.
38
+    It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>
39
+
40
+    <p>There are a variety of attacks that can be used to make you download a fake
41
+    version of Tor. For example, an attacker could trick you into thinking some other
25 42
     website is a great place to download Tor. That's why you should
26
-    always download Tor from <b>https</b>://www.torproject.org/. The
27
-    https part means there's encryption and authentication between your
28
-    browser and the website, making it much harder for the attacker
43
+    always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>
44
+
45
+    <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.
46
+    Https is the secure version of the http protocol which uses encryption and authentication between your
47
+    browser and the website. This makes it much harder for the attacker
29 48
     to modify your download. But it's not perfect. Some places in the
30
-    world block the Tor website, making users try <a href="<page
31
-    docs/faq>#GetTor">somewhere else</a>. Large
32
-    companies sometimes force employees to use a modified browser,
49
+    world block the Tor website, making users to download Tor <a href="<page
50
+    docs/faq>#GetTor">somewhere else</a>.</p>
51
+
52
+    <p>Large companies sometimes force employees to use a modified browser,
33 53
     so the company can listen in on all their browsing. We've even <a
34 54
     href="https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it">seen</a>
35 55
     attackers who have the ability to trick your browser into thinking
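Review bot: The added sentence at new lines 29-31 inverts its own meaning: "always the same unless the software has not been tampered with" says the output changes when the package is untouched. Suggest "always the same as long as the software has not been tampered with". That paragraph also starts with the plural "Digital signatures" and continues with "It uses", and it describes only a fixed sequence of characters, while the new intro at lines 15-18 promises that the package "was generated by its developers"; the explanation should say that the check is made against the developers' signing key, otherwise it reads like a plain checksum. At new line 49, "making users to download Tor" should be "making users download Tor". The link at new line 43 wraps the bold "https" inside the anchor and points at "https://www.torproject.org" while the text shows a trailing slash; worth making href and link text match.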
... ...
@@ -93,8 +113,8 @@
93 113
     <p>To verify the signature of the package you downloaded, you will need
94 114
     to download the ".asc" file as well. Assuming you downloaded the
95 115
     package and its signature to your Desktop, run:</p>
96
-    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify
97
-    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc
116
+    <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \
117
+    C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \
98 118
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
99 119
     <p>The output should say "Good signature": </p>
100 120
     <pre>
101 121
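Review bot: The trailing "\" added at new lines 116 and 117 is not a line continuation in the Windows command prompt this example is written for (the paths are C:\... and the binary is gpg.exe), so a user who copies the block as shown will not get a single gpg --verify command with both file arguments. Either keep the command on one line and let the page wrap it, or use the cmd.exe continuation character "^" at the end of the first two lines. Since this is the step where users actually check the signature, a command that fails when pasted is likely to make them skip verification.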