[tor-talk] Satori (this crazy app thing I've been working on)

Griffin Boyce griffin at cryptolab.net
Thu May 8 21:21:40 UTC 2014


   Sorry for the delay in responding.  Life gets in the way sometimes. 
;-)

Runa A. Sandvik wrote:
> Sounds interesting! Could you say a bit more about how it distributes 
> software?

   So it offers downloads from places that are not currently blocked or 
MITM'd: Google's Chrome Web Store, Amazon, and Github.  Which seem 
unlikely to be due to various economic factors at play.  This is mostly 
my opinion, though backed by research I've done in this area.  Granted, 
distributing from these three sites could change the equation for 
censors, but right now it works very well.

   Fetching .crx files from the Chrome Web Store is particularly devious, 
as these are unlisted extensions across a few accounts.  These download 
as zip files which contain the Tor Browser Bundle.  This option is only 
available for Chinese, Farsi, and Arabic, as it takes a fairly large 
amount of time to set up.  Downloading from Github or Amazon is more 
straightforward, and downloads the usual .zip file.  The bundles aren't 
modified in any way, so the sha256 checksums and gpg signatures should 
be verifiable across torproject.org and its mirrors.

   I've been weighing fetching the files via torrent with something like 
bitford or bittorrent torque built into Satori, but haven't come to a 
solid conclusion on it. It's technically possible to do so, but there 
are questions in my mind that need to be resolved before I think this 
could be a real solution. Mostly because it's easy for a censor to just 
start seeding a given torrent and then tally IP addresses of people 
downloading. Another is whether the trackers would just get blocked 
outright (and running a tracker on AWS sort of loops back around to the 
idea of a single point of failure).


Sukhbir Singh wrote:
> This is a great idea. This coupled with GetTor can help alleviate our
> bundle distribution issues :)

   Thanks! ^_^

> Some feedback, mostly related to the UI/UX, so this may very well be a
> personal opinion but I will still comment because I really hope we use
> this to distribute the bundles.

   I'm not sure whose call that is, tbh.  Happy to keep it a personal 
project =)  And UI/UX feedback is always welcome.

> - the background looks nice but we can probably use something simple
> just to make sure that it is accessible

   True. I'm planning to add a stylesheet for screen readers (which would 
hide the <canvas> entirely), along with WAI-ARIA attributes[1] to make 
it more accessible overall.  I really like the background, but might nix 
the space theme and go with the polygons on black instead.

> - the (A) and (B) for the download links should be redesigned.

   Agreed.  Currently leaning towards replacing A/B/C with download icons 
that indicate the source.  That sentence is super dry, but I think you 
get what I mean.

> - is it possible to use this without signing in to your Google account?

   Yes!  First, download the zip from github: 
https://github.com/glamrock/satori

* Go to chrome://extensions/
* ☑ Developer mode
* Click "Load unpacked extension"
* Choose Satori/chrome directory

   Then go to chrome://apps/ to launch (this is the apps page).  Once 
development slows a bit, the goal is to have gpg-signed releases in the 
github repo.  So that way it's possible to independently verify that the 
app came from me and still use it without logging in to google.

> - checksums for some of the bundles were not working
> - sorry, couldn't resist -- it's TorBirdy and not Torbirdy ;)

   Oh butts, I didn't even notice those! :D  Will fix!

> Very well done though! The hash generation takes the prize above all!

   Thanks, though the Google Closure library really does the heavy 
lifting on that.

> Please keep us informed about the development.

   Will do!

best,
Griffin

[1] http://www.w3.org/TR/wai-aria-1.1/
[2] https://www.transifex.com/projects/p/cupcake/resource/satori-chrome/
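
The message above says the bundles are unmodified, so a copy fetched from a third-party host should match the sha256 checksums published by torproject.org and its mirrors. The following is an added example of that check, not code from Satori or from the original post: it accepts a download only if every supplied checksum list names the file, all lists agree, and the file's hash matches. The function names, the file name and the sample data are hypothetical, and it assumes the lists were fetched separately and already GPG-verified (signature checking is not shown).

```python
import hashlib
import hmac
import io
import re

# "<64 hex chars>  <file name>", as written by sha256sum ("*" marks binary mode).
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})[ \t]+\*?(.+)$")

def parse_sha256sums(text):
    """Return {file name: lowercase digest} from a sha256sum-style list."""
    sums = {}
    for line in text.splitlines():
        m = _SUM_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a file object in chunks so a large bundle is never held in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def verify_bundle(fileobj, name, lists):
    """lists maps a source label to its checksum list text; returns (ok, detail)."""
    expected = {}
    for source, text in lists.items():
        digest = parse_sha256sums(text).get(name)
        if digest is None:
            return False, f"{name} is not listed by {source}"
        expected[source] = digest
    # Zero lists, or lists naming different digests, both fail closed here.
    if len(set(expected.values())) != 1:
        return False, "checksum lists missing or in disagreement"
    actual = sha256_stream(fileobj)
    if not hmac.compare_digest(actual, next(iter(expected.values()))):
        return False, "download does not match the published checksum"
    return True, actual

# Constructed sample data: a stand-in "bundle" and two lists that agree on it.
SAMPLE_NAME = "example-bundle.zip"  # hypothetical file name
SAMPLE_BUNDLE = b"constructed bundle bytes, not a real release"
_DIGEST = hashlib.sha256(SAMPLE_BUNDLE).hexdigest()
SAMPLE_LISTS = {
    "origin": f"{_DIGEST}  {SAMPLE_NAME}\n",
    "mirror": f"{_DIGEST.upper()} *{SAMPLE_NAME}\n",
}

if __name__ == "__main__":
    print(verify_bundle(io.BytesIO(SAMPLE_BUNDLE), SAMPLE_NAME, SAMPLE_LISTS))
```
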

