#31213 closed defect (duplicate)

torproject.org TBB verification instructions - "poisoned" public key

Reported by: lofenyy Owned by: hiro
Priority: Medium Milestone:
Component: Webpages/Support Version:
Severity: Normal Keywords:
Cc: ggus Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The instructions on torproject.org for verifying the TOR Browser Bundle don't really work anymore, due to a "key poisoning" attack on the signing key located on the keyserver. I came across this by downloading the TBB and the signature, and then trying to import the public key (on a new machine that doesn't already have it) so I can verify it, only to find out that I couldn't.

Affected page: https://support.torproject.org/tbb/how-to-verify-signature/
Relevant mailing list post: https://lists.torproject.org/pipermail/tor-project/2019-July/002384.html
Description of attack: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Child Tickets

Change History (1)

comment:1 Changed 17 months ago by ggus

Resolution: duplicate
Status: newclosed

See ticket: #31168

Note: See TracTickets for help on using tickets.