<div class="gmail_quote">On Sun, Jul 25, 2010 at 7:02 PM, Gregory Maxwell <span dir="ltr"><<a href="mailto:gmaxwell@gmail.com" target="_blank">gmaxwell@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>(1) If the user can't install the regular tor package that means that</div>
someone else has enough control over his system that he can't trust<br>
any validation on his system. Short of abusing the treacherous<br>
computing for good, there is no real way to have confidence in any<br>
validation system running on an untrusted machine.<br>
<br></blockquote><div> If the user's computer is restricted by some policy (e.g. not allowing installation of applications, not allowing usb drives), it doesn't necessarily mean that the validation systems are untrustworthy. Although I understand the point, it can be applied for most workplace machines, or a machine that have more than one user with admin/root. The browser or JVM would have to be modified to break the validation system on the local machine. It could also be done via MITM because the user would be going through the local network. The main validation system necessary here would be the signed applet, which is handled by Java, which is called by the browser. Could additionally be verified by manually comparing the fingerprint of the public key used to verify the jar. The lookup for the fingerprints of the key would need to be done on an alternative connection. It seems to me that it would be much easier to just block it than compromise the verification mechanisms on the local computer.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
More practically important,<br>
<br>
(2) If the user can install the torbutton software he either could<br>
install tor directly or a version of torbutton can be shipped<br>
_including_ tor itself.<br></blockquote><div><br></div><div> Torbutton is just a firefox extension. I have no idea how it could be shipped including tor itself. In my experience with windows machines in computer labs, you are able to install firefox extensions without the permissions to install programs. I mentioned torbutton for automatic checksum verification of the jar, it wouldn't be necessary - just convenient, because it could be done manually as well.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
and<br>
<br>
(3) If the server in question provides the torbutton it could easily<br>
provide a modified copy of it. So this doesn't eliminate the<br>
bootstrapping problem.</blockquote><div><br></div><div>I don't see a reason for the server/relay to be providing torbutton, it is available through Mozilla and torproject. Also, firefox extensions can be signed and verified (and the pk could be manually verified).</div>
</div>