Re: A suggestion to TOR [a proxy server]

To: or-talk@xxxxxxxxxxxxx

Subject: Re: A suggestion to TOR [a proxy server]

From: Kory Kirk <kory.kirk@xxxxxxxxx>

Date: Sun, 25 Jul 2010 20:31:30 -0500

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Sun, 25 Jul 2010 21:31:36 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:content-type; bh=pNERE/Re0CMu0+g8jVxVB+OayphCX/WXEBZ3OlIA2T0=; b=pjS8RFwroPoDzQcb/x6vrOIdHnVrT7PXTJrxHXPbCdBHwc9i7GIjekWPnBtSrWz1Sd HlSu+YAm0sMsZSZsIrM5FwuNRYpv1syPrjDL3ezv8bEhQ5Xm8meSnu2OlLd+cK9J8YHW SsGc2nVGY42DQXdXLA/A2Zc64GLJkCa+sieGo=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; b=hTAfJKmunldx8lqBqy2kgTqYZompm3KwS9VPqvG3IZONuENoSq9atdH9yBZlxDL20u RAil2DzTV8lDJpTK1STiyjfKxzEtA5fC0PGb58c4bfpIsZWBQ0JZ4eR2U1oWIFY5QTjM UxDevOeTKJFVM6WqIwSPpOhJ3ClBInYJsPa1U=

In-reply-to: <AANLkTin1KgKZDiX=QW2O5H2aDpsZhwM9LSETwmpcw=eN@xxxxxxxxxxxxxx>

References: <1280073515.1838.8.camel@arshad-desktop> <20100725204032.GA21630@sescenties> <201007251744.30198.praedor@xxxxxxxxx> <AANLkTi=FO-WYqr0+JfRLH5bHAw=+jvOU0zqm_9OeTsDZ@xxxxxxxxxxxxxx> <4C4CB38F.1080109@xxxxxxxxxxxxxx> <AANLkTikvJPTPG1m-07tGAF5w-0EULjFi+ESBG6kQd9pJ@xxxxxxxxxxxxxx> <AANLkTi=Sfa0R3fbYUL2ntk++NaoMndbB8nYRWqOsiERL@xxxxxxxxxxxxxx> <AANLkTin1KgKZDiX=QW2O5H2aDpsZhwM9LSETwmpcw=eN@xxxxxxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On Sun, Jul 25, 2010 at 7:02 PM, Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote:

(1) If the user can't install the regular tor package that means that
someone else has enough control over his system that he can't trust
any validation on his system. Short of abusing the treacherous
computing for good, there is no real way to have confidence in any
validation system running on an untrusted machine.

If the user's computer is restricted by some policy (e.g. not allowing installation of applications, not allowing usb drives), it doesn't necessarily mean that the validation systems are untrustworthy. Although I understand the point, it can be applied for most workplace machines, or a machine that have more than one user with admin/root. The browser or JVM would have to be modified to break the validation system on the local machine. It could also be done via MITM because the user would be going through the local network. The main validation system necessary here would be the signed applet, which is handled by Java, which is called by the browser. Could additionally be verified by manually comparing the fingerprint of the public key used to verify the jar. The lookup for the fingerprints of the key would need to be done on an alternative connection. It seems to me that it would be much easier to just block it than compromise the verification mechanisms on the local computer.

More practically important,

(2) If the user can install the torbutton software he either could
install tor directly or a version of torbutton can be shipped
_including_ tor itself.

Torbutton is just a firefox extension. I have no idea how it could be shipped including tor itself. In my experience with windows machines in computer labs, you are able to install firefox extensions without the permissions to install programs. I mentioned torbutton for automatic checksum verification of the jar, it wouldn't be necessary - just convenient, because it could be done manually as well.

and

(3) If the server in question provides the torbutton it could easily
provide a modified copy of it. So this doesn't eliminate the
bootstrapping problem.

I don't see a reason for the server/relay to be providing torbutton, it is available through Mozilla and torproject. Also, firefox extensions can be signed and verified (and the pk could be manually verified).