-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You just reminded me of this:

http://psiphon.civisec.org/

Not that it directly relates to your question (and I have not taken a very close look at it yet), but perhaps this might be useful to your friends. :-)

Cheers,

- - ferg

- -- "John Kimble" wrote:

Hi all,

A few of my friends in China have been observing how the Great Firewall works. It seems they concentrate on blocking http traffic mostly (Tor directory downloads are naturally blocked), but generally leave https untouched. So we do have a fighting chance to get Tor working from inside China if we can somehow get Tor to build its circuits first, without the initial mandatory network-status downloads.

So, is there a way to bootstrap Tor by hand, i.e. feed it with a minimal set of network-status documents and/or server descriptors so that the first circuit can be built? As soon as this is done, and assuming "__allDirActionsPrivate=1" is set, Tor can then start pulling network-status from the authoritative directory servers and then proceed to resume full access to the entire Tor network as usual.

Of course, we're also assuming that the network-status and server descriptors will have to be supplied out-of-band to Chinese users. This is easy enough, since encrypted P2P networks and https webmail services are, for now, still readily accessible from China. Really paranoid users will probably have to depend on trusted friends bringing in USB drives.

network-status and server descriptors supplied in this manner are, of course, easily spoofed. But if the first thing Tor does after building the first circuit is to try to pull signed network-status documents from the built-in authoritative directory servers, then either the download will fail to validate (if fed a spoofed document), or Tor will bootstrap itself right back into the "real" Tor network.

This way, in the best-case scenario we can provide Tor access even when the only reliable connectivity the user has is https (as is the case in China), but the worst-case scenario won't be worse off than how Tor works now -- either way, the user is denied access to Tor and the authorities can potentially detect that the user has made an attempt to connect to Tor.

Any comments / critiques / alternatives are welcome.

- - John

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.1 (Build 1557)

wj8DBQFFc5kVq1pz9mNUZTMRAm02AJwOCVGezlMbpJKZO2sBaciaA82wpACgyYE5
h7zKYcQXMicT+ZyPJz6VMCs=
=7/Lk
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
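The trust argument in John's proposal (out-of-band seed documents are untrusted and only serve to build a first circuit; whatever comes back over that circuit is accepted only if the built-in authority keys verify it) can be shown as a small model. The block below is an added example, not code from this thread and not Tor's own code: the document format, the `bootstrap()` flow, the authority names, the "more than half of the built-in authorities must sign" threshold and the textbook RSA-over-SHA-1 signatures are all assumptions made so it runs offline; real Tor keys, padding and directory formats are not modelled.

```python
# Added example (not from the thread or from Tor): model of a bootstrap that takes
# untrusted out-of-band seed descriptors, fetches a fresh network-status over the
# first circuit, and accepts it only if the BUILT-IN authority keys verify it.
import hashlib
import random

rng = random.Random(20061203)  # fixed seed so the constructed keys are reproducible


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, sufficient for constructed demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits=512):
    """Textbook (unpadded) RSA keypair for illustration: ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is the gcd(e, phi) == 1 check
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(doc: bytes) -> int:
    return int.from_bytes(hashlib.sha1(doc).digest(), "big")


def sign(priv, doc: bytes) -> int:
    n, d = priv
    return pow(_digest_int(doc), d, n)


def verify(pub, doc: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(doc)


class BootstrapError(Exception):
    pass


def bootstrap(seed_descriptors, builtin_authorities, fetch_status):
    """seed_descriptors: untrusted out-of-band relay dicts with a 'nickname'.
    builtin_authorities: {name: public_key} compiled into the client (trusted).
    fetch_status(path) -> (status_doc, {authority_name: signature}), standing in
    for the download over the first circuit.  Returns the validated document."""
    if len(seed_descriptors) < 3:
        raise BootstrapError("not enough seed descriptors for a first circuit")
    path = [d["nickname"] for d in seed_descriptors[:3]]  # pretend 3-hop circuit
    doc, sigs = fetch_status(path)
    good = [name for name, sig in sigs.items()
            if name in builtin_authorities and verify(builtin_authorities[name], doc, sig)]
    # Assumption of this model: more than half of the built-in authorities must sign.
    if len(good) <= len(builtin_authorities) // 2:
        raise BootstrapError("network-status did not validate; valid signers: %r" % good)
    return doc


def run_scenarios():
    """Spoofed seeds cannot help a forged status: only the built-in keys decide."""
    auths = {name: make_keypair() for name in ("authA", "authB", "authC")}  # constructed
    builtin = {name: pub for name, (pub, _) in auths.items()}
    genuine = b"network-status constructed 2006-12-03 relays: r1 r2 r3"
    genuine_sigs = {name: sign(priv, genuine) for name, (_, priv) in auths.items()}
    _attacker_pub, attacker_priv = make_keypair()  # a key the client does not trust
    forged = b"network-status FORGED relays: x1 x2 x3"
    forged_sigs = {name: sign(attacker_priv, forged) for name in builtin}
    seeds = [{"nickname": "out-of-band-%d" % i} for i in range(3)]  # untrusted seeds
    results = {"genuine": bootstrap(seeds, builtin, lambda p: (genuine, genuine_sigs)) == genuine}
    try:
        bootstrap(seeds, builtin, lambda p: (forged, forged_sigs))
        results["forged"] = "accepted"
    except BootstrapError:
        results["forged"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_scenarios())  # {'genuine': True, 'forged': 'rejected'}
```

The design point is that `seed_descriptors` never enter the trust decision: they pick the path, and the only thing that decides whether the client joins the network is whether the fetched status verifies under the built-in keys. That is why the worst case with spoofed seeds collapses to "bootstrap fails", matching the thread's argument.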