Date: Sun, 19 Oct 2014 13:19:00 +0200
From: Lunar <lunar@torproject.org>
To: tor-talk@lists.torproject.org
Message-ID: <20141019111900.GF9807@loar>
Mail-Followup-To: tor-talk@lists.torproject.org
References: <54428C8D.8030507@web.de> <20141019101526.GC9807@loar>
 <20141019102852.5b8c070e@yandex.com>
MIME-Version: 1.0
In-Reply-To: <20141019102852.5b8c070e@yandex.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [tor-talk] updating Tor
Content-Type: multipart/mixed; boundary="===============6353338237616578475=="


--===============6353338237616578475==
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="xkXJwpr35CY/Lc3I"
Content-Disposition: inline


--xkXJwpr35CY/Lc3I
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Grace H:
> Great that Tor Browser has an automated upgrade system.
>
> Does it check the SSL certificate (pinning) and check the download
> against a signature? How does it actually work?

Quoting the release announcement:

    Please also be aware that the security of the updater depends on the
    specific CA that issued the www.torproject.org HTTPS certificate
    (Digicert), and so it still must be activated manually through the
    Help ("?") "about browser" menu option. Very soon, we will support
    both strong HTTPS site-specific certificate pinning (ticket #11955)
    and update package signatures (ticket #13379). Until then, we do not
    recommend using this updater if you need stronger security and
    normally verify GPG signatures.

https://blog.torproject.org/blog/tor-browser-40-released

-- 
Lunar                                             <lunar@torproject.org>

--xkXJwpr35CY/Lc3I--

--===============6353338237616578475==--
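The difference between trusting a CA and pinning a site-specific key, which the quoted announcement refers to, shown as an added example in Python; it is not part of the original message and not Tor Browser's updater code. It is a simplified model: the host name, root names and keys are constructed, and signature and expiry checks are left out.

```python
import base64
import hashlib

# DER header of an Ed25519 SubjectPublicKeyInfo; 32 raw key bytes follow it.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

def spki(raw_key: bytes) -> bytes:
    """Build a DER SubjectPublicKeyInfo from 32 raw key bytes."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key

def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of SHA-256 over the DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def ca_accepts(chain, host, trusted_roots):
    """Model of plain CA validation: name matches, issuers link, root is trusted.
    Signature and expiry checks are deliberately left out of this model."""
    if not chain or chain[0]["subject"] != host:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            return False
    return chain[-1]["subject"] in trusted_roots

def pinned_accepts(chain, host, trusted_roots, pins):
    """CA validation plus: some certificate in the chain must carry a pinned key."""
    if not ca_accepts(chain, host, trusted_roots):
        return False
    return any(spki_pin(c["spki"]) in pins for c in chain)

def cert(subject, issuer, key):
    return {"subject": subject, "issuer": issuer, "spki": key}

# Constructed sample data (all names and keys are made up).
HOST = "updates.example"
SITE_KEY, CA_A_KEY, CA_B_KEY, OTHER_KEY = (spki(bytes([n]) * 32) for n in (1, 2, 3, 4))
TRUSTED_ROOTS = {"Example Root A", "Example Root B"}
PINS = {spki_pin(SITE_KEY)}  # site-specific pin on the server's own key

GENUINE = [cert(HOST, "Example Root A", SITE_KEY),
           cert("Example Root A", "Example Root A", CA_A_KEY)]
# Same host name, different key, issued under another root the client also trusts.
MISISSUED = [cert(HOST, "Example Root B", OTHER_KEY),
             cert("Example Root B", "Example Root B", CA_B_KEY)]

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE), ("mis-issued", MISISSUED)):
        print(name, ca_accepts(chain, HOST, TRUSTED_ROOTS),
              pinned_accepts(chain, HOST, TRUSTED_ROOTS, PINS))
```

Both chains pass the CA-only check, while only the chain carrying the pinned key passes the pinned check.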

