[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Bootstraping Tor manually to get past the Great Firewall
- To: or-talk@xxxxxxxx
- Subject: Bootstraping Tor manually to get past the Great Firewall
- From: "John Kimble" <det.j.kimble@xxxxxxxxx>
- Date: Mon, 4 Dec 2006 11:34:56 +0800
- Delivered-to: email@example.com
- Delivered-to: firstname.lastname@example.org
- Delivered-to: email@example.com
- Delivery-date: Sun, 03 Dec 2006 22:35:16 -0500
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=OHPbEJXNV+RIKisVibidGjJhY/sK+m3W5GF4D+dnjZdaWzzZ0TctNFtDbJb5WvBrPqnxZCt96t7gwkVlNmDO0ysjN9bbpR8KC45r5VrPWHzbv3hraAhHn31gHgfzVO7+LHf/CZzVRFXB8e1nE4AAa+0zTCPdQvDXvdu/is3DUXU=
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
A few of my friends in China have been observing how the Great
Firewall works. It seems they concentrate on blocking http traffic
mostly (Tor directory downloads are naturally blocked), but generally
leave https untouched. So we do have a fighting chance to get Tor
working from inside China if we can somehow get Tor to build its
circuits first, without the initial mandatory network-status
So, is there a way to bootstrap Tor by hand, i.e. feed it with a
minimal set of network-status documents and/or server descriptors so
that the first circuit can be built? As soon as this is done, and
assuming "__allDirActionsPrivate=1" is set, Tor can then start pulling
network-status from the authoritative directory servers and then
proceed to resume full access to the entire Tor network as usual.
Of course, we're also assuming that the network-status and server
descriptors will have to be supplied out-of-band to Chinese users.
This is easy enough, since encrypted P2P networks and https webmail
services are, for now, still readily accessible from China. Really
paranoid users will probably have to depend on trusted friends
bringing in USB drives.
network-status and server descriptors supplied in this manner are, of
course, easily spoofed. But if the first thing Tor does after building
the first circuit is to try to pull signed network-status documents
from the built-in authoritative directory servers, then either the
download will fail to validate (if fed a spoofed document), or Tor
will bootstrap itself right back into the "real" Tor network.
This way, in the best-case scenario we can provide Tor access even
when the only reliable connectivity the user has is https (as is the
case in China), but the worst-case scenario won't be worse off than
how Tor works now -- either way, the user is denied access to Tor and
the authorities can potentially detect that the user has made an
attempt to connect to Tor.
Any comments / critiques / alternatives are welcome.