[tor-dev] [Proposal] Obfuscating the Tor Browser Bundle initial download
Blake Hadley
moosehadley at gmail.com
Mon May 9 19:09:37 UTC 2016
Hey everyone,
[How it's currently done]
Distributed by gettor at torproject.com, the URL makes it pretty clear what
you're downloading.
Dropbox:
https://www.dropbox.com/s/mz9ug2rzvj85791/torbrowser-install-5.5.5_en-US.exe?dl=1
Google Drive:
https://docs.google.com/uc?id=0B76pDbk5No54VHowTEprZnBfWlU&export=download
GitHub:
https://github.com/TheTorProject/gettorbrowser/releases/download/v5.5.5/torbrowser-install-5.5.5_en-US.exe
[Security problem]
The download URL on Google Drive is somewhat obfuscated, but once the
download is started, the filename that the browser requests is
'torbrowser[...]'
An environment I was working in has started to block the files based on
name, and it would be very easy for an adversary monitoring network
traffic to detect users downloading it.
[Solution proposed]
When the user emails gettor, they could also request obfuscation. An
application would randomize the filename and upload it to a mainstream
host (Google, Dropbox, GitHub, AWS).
Maybe even protect the file from scanning by making an AES encrypted ZIP
file, and giving the user the password in the reply email.
I'd be happy to make a proof-of-concept.
What do you all think of this?
Does anyone have any better ideas? Anything that uses less processing
resource?
More information about the tor-dev
mailing list