[tor-bugs] #31990 [Community/Mirrors]: How should we proceed with website mirrors?

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 7 21:08:35 UTC 2019


#31990: How should we proceed with website mirrors?
-----------------------------------+------------------
     Reporter:  phw                |      Owner:  ggus
         Type:  task               |     Status:  new
     Priority:  Medium             |  Milestone:
    Component:  Community/Mirrors  |    Version:
     Severity:  Normal             |   Keywords:
Actual Points:                     |  Parent ID:
       Points:                     |   Reviewer:
      Sponsor:                     |
-----------------------------------+------------------
 We discussed the current status of website mirrors at
 [http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-10-03-17.00.log.html
 our Oct 3 anti-censorship meeting]. The
 following questions and arguments came up:

 * Should we verify mirrors' authenticity? If so, how? If we verify
 mirrors, we may want to do it continuously because a mirror may be
 authentic at time ''t'' but serve malware at time ''t+1''. We may also
 want to verify mirrors in a way that makes it difficult for the mirror to
 distinguish between a user browsing the mirror and us verifying the
 mirror.

 * People let us know when they set up new mirrors but we currently ignore
 volunteers because of our policy of only considering mirrors run by
 trusted contacts.

 * Let's keep in mind that people generally search for "download tor" and
 click on whatever shows up first in their favourite search engine. By
 obsessing too much over the authenticity of mirrors we may be missing the
 bigger issue.

 * Our old website
 [https://2019.www.torproject.org/getinvolved/mirrors.html.en has a list of
 mirrors].

 * Some of us believe that the risk of having mirrors outweighs their value
 while others believe the opposite.

 * Website mirrors are frequently not subject to censorship, so users who
 are unable to browse torproject.org can still browse our mirrors and
 download Tor Browser from there. GetTor could therefore send users a link
 to mirrors (and add PGP verification instructions to its email, so the
 user doesn't need to trust the mirrors).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31990>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

