[tor-dev] [Proposal] Obfuscating the Tor Browser Bundle initial download

Yawning Angel yawning at schwanenlied.me
Mon May 9 19:20:08 UTC 2016


On Mon, 9 May 2016 15:09:37 -0400
Blake Hadley <moosehadley at gmail.com> wrote:

> Hey everyone,
> 
> [How it's currently done]
> 
> Distributed by gettor at torproject.com, the URL makes it pretty clear
> what you're downloading.
>     Dropbox:
> https://www.dropbox.com/s/mz9ug2rzvj85791/torbrowser-install-5.5.5_en-US.exe?dl=1
>     Google Drive:
> https://docs.google.com/uc?id=0B76pDbk5No54VHowTEprZnBfWlU&export=download
>     GitHub:
> https://github.com/TheTorProject/gettorbrowser/releases/download/v5.5.5/torbrowser-install-5.5.5_en-US.exe
> 
> [Security problem]
> 
> The download URL on Google Drive is somewhat obfuscated, but once the
> download is started, the filename that the browser requests is
> 'torbrowser[...]'
> An environment I was working in has started to block the files based
> on name, and it would be very easy for an adversary monitoring network
> traffic to detect users downloading it.

The environment you're were in was mounting a MITM attack to break TLS,
or has compromised your box, because the only component of the URL that
is visible otherwise is the host in the SNI field.

In such an environment, gettor in general isn't unblockable because
there is no privacy/security for the request/response messages.

Regards,

-- 
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160509/a6059e3c/attachment.sig>


More information about the tor-dev mailing list