A suggestion to TOR [a proxy server]

Kory Kirk kory.kirk at gmail.com
Mon Jul 26 01:31:30 UTC 2010


On Sun, Jul 25, 2010 at 7:02 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:

> (1) If the user can't install the regular tor package that means that
> someone else has enough control over his system that he can't trust
> any validation on his system. Short of abusing the treacherous
> computing for good, there is no real way to have confidence in any
> validation system running on an untrusted machine.
>

If the user's computer is restricted by some policy (e.g. not allowing
installation of applications, not allowing USB drives), it doesn't
necessarily mean that the validation systems are untrustworthy. Although I
understand the point, it can be applied for most workplace machines, or a
machine that has more than one user with admin/root. The browser or JVM
would have to be modified to break the validation system on the local
machine.  It could also be done via MITM because the user would be going
through the local network.  The main validation system necessary here would
be the signed applet, which is handled by Java, which is called by the
browser. Could additionally be verified by manually comparing the
fingerprint of the public key used to verify the jar. The lookup for the
fingerprints of the key would need to be done on an alternative
connection. It seems to me that it would be much easier to just block it
than compromise the verification mechanisms on the local computer.

> More practically important,
>
> (2) If the user can install the torbutton software he either could
> install tor directly or a version of torbutton can be shipped
> _including_ tor itself.
>

Torbutton is just a Firefox extension. I have no idea how it could be
shipped including tor itself.  In my experience with Windows machines in
computer labs, you are able to install Firefox extensions without the
permissions to install programs. I mentioned torbutton for automatic
checksum verification of the jar, it wouldn't be necessary - just
convenient, because it could be done manually as well.


>
> and
>
> (3) If the server in question provides the torbutton it could easily
> provide a modified copy of it. So this doesn't eliminate the
> bootstrapping problem.


I don't see a reason for the server/relay to be providing torbutton, it is
available through Mozilla and torproject. Also, Firefox extensions can be
signed and verified (and the pk could be manually verified).
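
An added example, not part of the original message: the manual checksum check of the jar discussed in this thread, sketched in Python over a constructed in-memory jar, showing why the reference value has to arrive over an alternative connection. The function names and sample contents are assumptions made for illustration; the same comparison applies to a key fingerprint.

```python
import hashlib
import hmac
import io
import zipfile


def build_jar(class_bytes: bytes) -> bytes:
    """Build a small constructed jar (a zip archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        jar.writestr("Applet.class", class_bytes)
    return buf.getvalue()


def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated upper-case SHA-256, a common way to publish fingerprints."""
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> bytes:
    """Strip separators and case so a hand-typed value compares cleanly."""
    cleaned = "".join(c for c in fingerprint if c not in ": -\t\n").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return bytes.fromhex(cleaned)


def verify(jar_bytes: bytes, reference_fingerprint: str) -> bool:
    """True only if the jar hashes to the reference value."""
    actual = hashlib.sha256(jar_bytes).digest()
    return hmac.compare_digest(actual, normalize(reference_fingerprint))


# Constructed scenario: the publisher's jar, and the copy the local network delivers.
published_jar = build_jar(b"original applet code")
delivered_jar = build_jar(b"modified applet code")

# A reference fetched over the same connection can be rewritten to match the delivered jar.
in_band_reference = sha256_fingerprint(delivered_jar)
# A reference obtained over an alternative connection still describes the published jar.
out_of_band_reference = sha256_fingerprint(published_jar)
```

Checking the delivered jar against the in-band reference passes even though the jar was changed; only the out-of-band reference exposes the mismatch.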