Message-ID: <54D1865A.7010404@confidantmail.org>
Date: Tue, 03 Feb 2015 18:39:22 -0800
From: Mike Ingle <mike@confidantmail.org>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <CALoT2zaPdX6+eEwEF=S94_E8nEBVzyF8jkatGTiJQZ3rPyJz9Q@mail.gmail.com>
 <54D181A0.4030908@roffey.org> <20150204022524.GI26784@mail2.eff.org>
In-Reply-To: <20150204022524.GI26784@mail2.eff.org>
Subject: Re: [tor-talk] "Confidant Mail"

That is an interesting point. Thinking this through in the game theory sense:
Spooks' choice:
1: never mess with Tor downloads
2: mess with Tor downloads in rare cases of high value targets (where a selector like IP or cookie matches)
3: frequently mess with Tor downloads

Effect of 1: they get no intel.
Effect of 2: they get high value intel, and are unlikely to get caught.
Effect of 3: someone eventually verifies a download, finds out it's poisoned, and tells the world. People become much more careful in checking downloads. Especially people who have reason to be paranoid. They get less high value intel than with choice 2.

I think that's why such things are rarely seen even though we know they can do it. I have checked Tails sigs a few times, but am not always religious about it. So far have never found a mismatch.

I should probably put this up on GitHub or SourceForge or something with HTTPS downloads, as well as hosting it locally. More options are better.

Mike
> The Tor Project itself has found that users often don't verify GPG
> signatures on binaries (I think Mike Perry quoted some statistics about
> how often the Tor Browser binary had been downloaded in comparison to
> the .asc signature file -- it was orders of magnitude less often).  That
> suggests to me that HTTPS should be used for software distribution
> authenticity even when there's a signature available; the importance of
> this only diminishes if the signature will be verified automatically
> before installation (like in some package managers).  That's usually
> not the case for first-time installations of software downloaded from the
> web.
>
> (I don't think the Tor Project has studied _why_ the users didn't verify
> the signatures -- there are tons of possible reasons.  But it's clear
> that most didn't, because the .asc file is so rarely downloaded.)
>
>   


