
Re: Bootstrapping Tor manually to get past the Great Firewall

On 12/4/06, Lexi Pimenidis <lexi@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Why not simply provide (some) directory-downloads over https?
>
> Just my 2c,

In fact, any sort of non-clear-text representation of the
network-status info, transmitted over something other than http (in
order to avoid the well-known /tor/server/* URL fingerprints), would
do just fine. However, to add support for something like https would
mean having to revise a large part of Tor, particularly how directory
information is served and fetched.

Tor already has its own PKI and trust hierarchy (starting from the
three hard-wired authoritative directory servers), so we don't need
all the additional effort to develop https support. All that needs to
be done in Tor are the following, in order to support manual

- Catch the case where "__allDirActionsPrivate" has been set to 1 but
there is no usable circuit yet, and refrain from attempting to fetch
network-status. Currently, if Tor is started up with
__allDirActionsPrivate=1, it goes into an infinite loop o' death
trying to fetch network-status.

- Wait for the user to manually load enough server descriptors through
the +POSTDESCRIPTOR controller command.

- Once there are enough server descriptors to successfully build a
circuit to reach one or more of the authoritative directory servers,
start fetching network-status through Tor.

I hope the Tor developers would be interested in taking this up. (You
definitely wouldn't want to see my C code...)

- John
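The three steps listed above, driven from the control port, as an added example that is not code from the original post or from the Tor project. It assumes a control port with no authentication configured (so a bare AUTHENTICATE succeeds), that __allDirActionsPrivate can be set with SETCONF, and that descriptors are handed over with the multi-line +POSTDESCRIPTOR command; the descriptor text and the canned replies are constructed placeholders, not real relay data.

```python
from typing import List, Tuple

# Constructed placeholder standing in for a real server descriptor (the text a
# relay publishes); a real one would be pasted in from an out-of-band copy.
SAMPLE_DESCRIPTOR = "\n".join([
    "router examplerelay 192.0.2.10 9001 0 9030",
    "platform Tor 0.1.1.26 on Linux",
    "published 2006-12-04 12:00:00",
    "router-signature",
    "-----BEGIN SIGNATURE-----",
    "PLACEHOLDER_SIGNATURE",
    "-----END SIGNATURE-----",
])


def encode_command(keyword: str, *args: str) -> bytes:
    """Single-line control command: 'KEYWORD arg ...' terminated by CRLF."""
    return (" ".join((keyword,) + args) + "\r\n").encode()


def encode_multiline_command(keyword: str, body: str) -> bytes:
    """Multi-line command: '+KEYWORD', the body, then a lone '.' line.
    Body lines beginning with '.' are dot-stuffed so they cannot be
    mistaken for the terminator."""
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in body.split("\n")]
    return ("+" + keyword + "\r\n" + "\r\n".join(stuffed) + "\r\n.\r\n").encode()


def reply_complete(buf: bytes) -> bool:
    """True once a 'NNN text' end-of-reply line has fully arrived."""
    for line in buf.split(b"\r\n")[:-1]:
        if len(line) >= 4 and line[:3].isdigit() and line[3:4] == b" ":
            return True
    return False


def parse_reply(raw: bytes) -> List[Tuple[int, str]]:
    """Parse 'NNN<sep>text' lines; '-' or '+' continues the reply, ' ' ends it.
    Payload lines of data replies are skipped; none are needed here."""
    out: List[Tuple[int, str]] = []
    for line in raw.decode().split("\r\n"):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "-+ ":
            continue
        out.append((int(line[:3]), line[4:]))
        if line[3] == " ":
            break
    return out


class ControlConnection:
    """Send one command, then read until the end-of-reply line.
    `transport` is anything with sendall() and recv(), e.g. a connected socket."""

    def __init__(self, transport):
        self.transport = transport

    def request(self, payload: bytes) -> List[Tuple[int, str]]:
        self.transport.sendall(payload)
        buf = b""
        while not reply_complete(buf):
            chunk = self.transport.recv(4096)
            if not chunk:
                raise ConnectionError("control port closed mid-reply")
            buf += chunk
        return parse_reply(buf)


class ScriptedTransport:
    """Offline stand-in for the control socket: records what was sent and
    plays back canned replies, so the flow runs without a Tor process."""

    def __init__(self, replies: List[bytes]):
        self.replies = list(replies)
        self.sent: List[bytes] = []

    def sendall(self, data: bytes) -> None:
        self.sent.append(data)

    def recv(self, _n: int) -> bytes:
        return self.replies.pop(0) if self.replies else b""


def bootstrap_manually(conn: ControlConnection, descriptors: List[str]) -> int:
    """Steps from the post: keep directory traffic inside Tor, hand over
    descriptors by hand, and let Tor fetch network-status itself once it can
    build a circuit. Returns how many descriptors were accepted (250)."""
    code, text = conn.request(encode_command("AUTHENTICATE"))[-1]  # no auth assumed
    if code != 250:
        raise RuntimeError(f"AUTHENTICATE failed: {code} {text}")
    code, text = conn.request(encode_command("SETCONF", "__allDirActionsPrivate=1"))[-1]
    if code != 250:
        raise RuntimeError(f"SETCONF failed: {code} {text}")
    accepted = 0
    for desc in descriptors:
        reply = conn.request(encode_multiline_command("POSTDESCRIPTOR", desc))
        if reply[-1][0] == 250:
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Offline run with constructed replies: one descriptor accepted, one rejected.
    fake = ScriptedTransport([b"250 OK\r\n", b"250 OK\r\n",
                              b"250 OK\r\n", b"552 Rejected descriptor\r\n"])
    print(bootstrap_manually(ControlConnection(fake), [SAMPLE_DESCRIPTOR, "router bogus"]))
```

Against a live control port, pass a socket from socket.create_connection((host, port)) as the transport instead of ScriptedTransport; the rest is unchanged. Note that the first step only keeps Tor from leaking plaintext directory fetches; the descriptors themselves still have to arrive by some channel the firewall does not fingerprint, which is the point of the post.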