On Sun, Jul 25, 2010 at 7:02 PM, Gregory Maxwell
<gmaxwell@xxxxxxxxx> wrote:
> (1) If the user can't install the regular tor package that means that
> someone else has enough control over his system that he can't trust
> any validation on his system. Short of abusing the treacherous
> computing for good, there is no real way to have confidence in any
> validation system running on an untrusted machine.
If the user's computer is restricted by some policy (e.g. not allowing installation of applications, not allowing USB drives), it doesn't necessarily mean that the validation systems are untrustworthy. Although I understand the point, it can be applied to most workplace machines, or a machine that has more than one user with admin/root. The browser or JVM would have to be modified to break the validation system on the local machine. It could also be done via MITM because the user would be going through the local network. The main validation system necessary here would be the signed applet, which is handled by Java, which is called by the browser. It could additionally be verified by manually comparing the fingerprint of the public key used to verify the jar. The lookup for the fingerprints of the key would need to be done on an alternative connection. It seems to me that it would be much easier to just block it than to compromise the verification mechanisms on the local computer.
> More practically important,
> (2) If the user can install the torbutton software he either could
> install tor directly or a version of torbutton can be shipped
> _including_ tor itself.
Torbutton is just a Firefox extension. I have no idea how it could be shipped including tor itself. In my experience with Windows machines in computer labs, you are able to install Firefox extensions without the permissions to install programs. I mentioned Torbutton for automatic checksum verification of the jar; it wouldn't be necessary, just convenient, because it could be done manually as well.
> and
> (3) If the server in question provides the torbutton it could easily
> provide a modified copy of it. So this doesn't eliminate the
> bootstrapping problem.
I don't see a reason for the server/relay to be providing Torbutton; it is available through Mozilla and torproject. Also, Firefox extensions can be signed and verified (and the pk could be manually verified).
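As an added example (not code from this thread or from the Tor project), the check described above in Java: let the JVM verify the jar's signatures, then pin the signer certificate to a SHA-256 fingerprint obtained over a separate connection. The fingerprint constant is a placeholder; the jar path comes from the command line.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarPinCheck {
    // Placeholder: the signer certificate's SHA-256 fingerprint, looked up out of band
    // (an "alternative connection", as the thread puts it), never from the same server.
    static final String EXPECTED_SHA256 = "AA:BB:CC:...:FF";

    // Colon-separated uppercase hex SHA-256 over the DER-encoded certificate,
    // the same form `keytool -printcert` prints.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Returns true only if every non-META-INF entry is signed and the signer
    // certificate matches the pinned fingerprint.
    public static boolean verify(String path) throws Exception {
        try (JarFile jar = new JarFile(path, true)) {   // verify=true enables signature checks
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signature verification happens while the entry is read to EOF;
                // a tampered entry raises SecurityException here.
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                Certificate[] certs = e.getCertificates(); // null for an unsigned entry
                if (certs == null || certs.length == 0) return false;
                // certs[0] is the signer's own certificate (chain goes leaf first)
                if (!EXPECTED_SHA256.equalsIgnoreCase(fingerprint(certs[0]))) return false;
            }
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(verify(args[0]) ? "OK: all entries signed by the pinned key" : "FAIL");
    }
}
```

Note that a jar with a valid signature from some other key still fails, which is the point: the JVM only proves the jar was signed, the pin proves who signed it.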