Small improvements to verify signatures page
hiromipaw

hiromipaw committed on 2017-07-10 10:28:32
Showing 1 changed file with 15 additions and 6 deletions.

... ...
@@ -18,17 +18,16 @@
18 18
     the one we have created and has not been modified by some attacker.</p>
19 19
 
20 20
     <p>Digital signature is a cryptographic mechanism. If you want to learn more
21
-    about how it works see <a href="https://www.gnupg.org/documentation/">
22
-    https://www.gnupg.org/documentation/</a>.</p>
21
+    about how it works see <a href="https://en.wikipedia.org/wiki/Digital_signature">
22
+    https://en.wikipedia.org/wiki/Digital_signature</a>.</p>
23 23
 
24 24
     <h3>What is a signature and why should I check it?</h3>
25 25
     <hr>
26 26
 
27 27
     <p>How do you know that the Tor program you have is really the one we made?
28 28
     Digital signatures ensure that the package you are downloading was created by
29
-    our developers. It uses a cryptographic mechanism which outputs a sequence of
30
-    characters that is always the same unless the software has not been tampered
31
-    with.</p>
29
+    our developers. It uses a cryptographic mechanism to ensure that the software package
30
+    that you have just downloaded is authentic. </p>
32 31
 
33 32
     <p>For many Tor users it is important to verify that the Tor software is authentic
34 33
     as they have very real adversaries who might try to give them a fake version
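Review bot: the rewritten sentence at new lines 29-30 opens with "It uses" although its antecedent is the plural "Digital signatures", and it now only restates that the package is authentic without saying what the user checks. Suggest something like "They use a cryptographic mechanism that lets you check that the package you have just downloaded is the one our developers signed." Also drop the stray space in "authentic. </p>". At new lines 21-22, consider keeping the gnupg.org documentation link alongside the new Wikipedia link, since the verification command later on this page runs gpg and this was the pointer to that tool's own documentation.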
... ...
@@ -37,11 +36,18 @@
37 36
     <p>If the Tor package has been modified by some attacker it is not safe to use.
38 37
     It doesn't matter how secure and anonymous Tor is if you're not running the real Tor.</p>
39 38
 
39
+    <p>Before you go ahead and download something, there are a few extra steps you
40
+    should take to make sure you have downloaded an authentic version of Tor.</p>
41
+
42
+    <h4>Always download Tor from torproject.org</h4>
43
+
40 44
     <p>There are a variety of attacks that can be used to make you download a fake
41 45
     version of Tor. For example, an attacker could trick you into thinking some other
42
-    website is a great place to download Tor. That's why you should
46
+    website is a great place to download Tor. You should
43 47
     always download Tor from <a href="https://www.torproject.org"><b>https</b>://www.torproject.org/</a>.</p>
44 48
 
49
+    <h4>Always make sure you are browsing over https</h4>
50
+
45 51
     <p><a href="https://www.torproject.org">https://www.torproject.org/</a> uses https.
46 52
     Https is the secure version of the http protocol which uses encryption and authentication between your
47 53
     browser and the website. This makes it much harder for the attacker
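Review bot: the new intro paragraph at new lines 39-40 mixes its tenses: "Before you go ahead and download something" is followed by "make sure you have downloaded an authentic version of Tor", which reads as if the download has already happened. Suggest "There are a few steps you should take to make sure the version of Tor you download is authentic." The new h4 at new line 49 also writes "https" in lower case while the paragraph under it starts a sentence with "Https"; use one spelling (HTTPS) in both places.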
... ...
@@ -55,6 +61,8 @@
55 61
     attackers who have the ability to trick your browser into thinking
56 62
     you're talking to the Tor website with https when you're not.</p>
57 63
 
64
+    <h4>Always verify signatures of packages you have downloaded</h4>
65
+
58 66
     <p>Some software sites list <a
59 67
     href="https://en.wikipedia.org/wiki/Cryptographic_hash_function">sha1
60 68
     hashes</a> alongside the software on their website, so users can
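Review bot: the new heading at new line 64 announces signature verification, but the paragraph directly under it opens with "Some software sites list sha1 hashes", so the section begins with hashes published by other sites rather than with signatures. Suggest adding one lead sentence under the h4 that says what the reader is about to do, or placing the heading at the point where the text first turns to signatures if that is further down.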
... ...
@@ -116,6 +124,7 @@
116 124
     <pre>"C:\Program Files\Gnu\GnuPg\gpg.exe" --verify \
117 125
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe.asc \
118 126
     C:\Users\Alice\Desktop\torbrowser-install-<version-torbrowserbundle>_en-US.exe</pre>
127
+    <p>Please substitute "Alice" with your own username.</p>
119 128
     <p>The output should say "Good signature": </p>
120 129
     <pre>
121 130
     gpg: Signature made Tue 24 Jan 2015 09:29:09 AM CET using RSA key ID D40814E0
122 131
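Review bot: the added sentence at new line 127 tells readers to replace only "Alice", but the command above it also hard-codes the Desktop folder, and its lines end in "\", which cmd.exe does not treat as a line continuation (that character is "^"), so a command pasted as shown will not run as one command. Suggest widening the note to "Please substitute "Alice" with your own username and adjust the path to where you saved the files", and either putting the command on a single line or using "^" at the line ends.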