hiromipaw committed on 2017-07-10 10:28:32
Showing 1 changed file with 15 additions and 6 deletions.
| ... | ... |
@@ -18,17 +18,16 @@ |
| 18 | 18 |
the one we have created and has not been modified by some attacker.</p> |
| 19 | 19 |
|
| 20 | 20 |
<p>Digital signature is a cryptographic mechanism. If you want to learn more |
| 21 |
- about how it works see <a href="https://www.gnupg.org/documentation/"> |
|
| 22 |
- https://www.gnupg.org/documentation/</a>.</p> |
|
| 21 |
+ about how it works see <a href="https://en.wikipedia.org/wiki/Digital_signature"> |
|
| 22 |
+ https://en.wikipedia.org/wiki/Digital_signature</a>.</p> |
|
| 23 | 23 |
|
| 24 | 24 |
<h3>What is a signature and why should I check it?</h3> |
| 25 | 25 |
<hr> |
| 26 | 26 |
|
| 27 | 27 |
<p>How do you know that the Tor program you have is really the one we made? |
| 28 | 28 |
Digital signatures ensure that the package you are downloading was created by |
| 29 |
- our developers. It uses a cryptographic mechanism which outputs a sequence of |
|
| 30 |
- characters that is always the same unless the software has not been tampered |
|
| 31 |
- with.</p> |
|
| 29 |
+ our developers. It uses a cryptographic mechanism to ensure that the software package |
|
| 30 |
+ that you have just downloaded is authentic. </p> |
|
| 32 | 31 |
|
| 33 | 32 |
<p>For many Tor users it is important to verify that the Tor software is authentic |
| 34 | 33 |
as they have very real adversaries who might try to give them a fake version |
| ... | ... |
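Review bot: In the rewritten paragraph under "What is a signature and why should I check it?", the new sentence "It uses a cryptographic mechanism to ensure that the software package that you have just downloaded is authentic." restates the sentence before it rather than explaining anything, and "It" has no singular antecedent after "Digital signatures ensure". Removing the old text is right, since "always the same unless the software has not been tampered with" was a double negative that said the opposite of what was meant. But the heading promises an answer to "what is a signature", and the paragraph above the heading already says "Digital signature is a cryptographic mechanism". Suggest merging the two sentences into one, for example "Digital signatures let you check that the package you downloaded was created by our developers and has not been modified." Also drop the stray space before the closing tag in "authentic. </p>".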
@@ -37,11 +36,18 @@ |
| 37 | 36 |
<p>If the Tor package has been modified by some attacker it is not safe to use. |
| 38 | 37 |
It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p> |
| 39 | 38 |
|
| 39 |
+ <p>Before you go ahead and download something, there are a few extra steps you |
|
| 40 |
+ should take to make sure you have downloaded an authentic version of Tor.</p> |
|
| 41 |
+ |
|
| 42 |
+ <h4>Always download Tor from torproject.org</h4> |
|
| 43 |
+ |
|
| 40 | 44 |
<p>There are a variety of attacks that can be used to make you download a fake |
| 41 | 45 |
version of Tor. For example, an attacker could trick you into thinking some other |
| 42 |
- website is a great place to download Tor. That's why you should |
|
| 46 |
+ website is a great place to download Tor. You should |
|
| 43 | 47 |
always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p> |
| 44 | 48 |
|
| 49 |
+ <h4>Always make sure you are browsing over https</h4> |
|
| 50 |
+ |
|
| 45 | 51 |
<p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https. |
| 46 | 52 |
Https is the secure version of the http protocol which uses encryption and authentication between your |
| 47 | 53 |
browser and the website. This makes it much harder for the attacker |
| ... | ... |
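Review bot: The new intro paragraph mixes tenses: "Before you go ahead and download something" is followed by "make sure you have downloaded an authentic version of Tor", so the reader cannot tell whether the steps come before or after the download. The two h4 sections added in this hunk are pre-download checks, while the h4 added further down (verifying signatures) applies after the download, so wording that covers both would read better, for example "there are a few steps you should take to make sure the version of Tor you end up with is authentic". Separately, the new heading writes "https" in lowercase while the paragraph under it starts with "Https"; use "HTTPS" in the heading and consider fixing the body text in the same commit.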
@@ -55,6 +61,8 @@ |
| 55 | 61 |
attackers who have the ability to trick your browser into thinking |
| 56 | 62 |
you're talking to the Tor website with https when you're not.</p> |
| 57 | 63 |
|
| 64 |
+ <h4>Always verify signatures of packages you have downloaded</h4> |
|
| 65 |
+ |
|
| 58 | 66 |
<p>Some software sites list <a |
| 59 | 67 |
href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1 |
| 60 | 68 |
hashes</a> alongside the software on their website, so users can |
| ... | ... |
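Review bot: The new heading "Always verify signatures of packages you have downloaded" sits directly above a paragraph that opens with "Some software sites list sha1 hashes alongside the software", so the first thing a reader sees under a heading about signatures is a description of hash lists. A one-sentence lead-in under the heading that ties it to signature verification would keep readers from taking the sha1 comparison as the recommended check.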
@@ -116,6 +124,7 @@ |
| 116 | 124 |
<pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \ |
| 117 | 125 |
C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \ |
| 118 | 126 |
C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre> |
| 127 |
+ <p>Please substitute "Alice" with your own username.</p> |
|
| 119 | 128 |
<p>The output should say "Good signature": </p> |
| 120 | 129 |
<pre> |
| 121 | 130 |
gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0 |
| 122 | 131 |
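Review bot: The added line "Please substitute "Alice" with your own username." comes after the <pre> block, so a reader who copies the command from top to bottom runs it with C:\Users\Alice before reaching the instruction; move the paragraph above the command. The note also covers only the username, while the same command assumes both files were saved to the Desktop, so wording such as "adjust the paths to where you saved the two files" would be more complete. Not introduced by this change, but visible in the context lines: the command ends its lines with "\" as a continuation, which the Windows command prompt does not treat as one (cmd.exe uses "^"), so the example fails if pasted as shown.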