
Re: [tor-dev] [Proposal] Obfuscating the Tor Browser Bundle initial download



On Mon, 9 May 2016 15:09:37 -0400
Blake Hadley <moosehadley@xxxxxxxxx> wrote:

> Hey everyone,
> 
> [How it's currently done]
> 
> Distributed by gettor@xxxxxxxxxxxxxx, the URL makes it pretty clear
> what you're downloading.
>     Dropbox:
> https://www.dropbox.com/s/mz9ug2rzvj85791/torbrowser-install-5.5.5_en-US.exe?dl=1
>     Google Drive:
> https://docs.google.com/uc?id=0B76pDbk5No54VHowTEprZnBfWlU&export=download
>     GitHub:
> https://github.com/TheTorProject/gettorbrowser/releases/download/v5.5.5/torbrowser-install-5.5.5_en-US.exe
> 
> [Security problem]
> 
> The download URL on Google Drive is somewhat obfuscated, but once the
> download is started, the filename that the browser requests is
> 'torbrowser[...]'
> An environment I was working in has started to block the files based
> on name, and it would be very easy for an adversary monitoring network
> traffic to detect users downloading it.

The environment you were in was mounting a MITM attack to break TLS,
or has compromised your box, because the only component of the URL that
is visible otherwise is the host in the SNI field.

In such an environment, gettor in general isn't unblockable because
there is no privacy/security for the request/response messages.

Regards,

-- 
Yawning Angel


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev