[Tor www-team] Suggestions for Mirrors in Censored Countries
Griffin Boyce
griffin at cryptolab.net
Sun May 4 05:52:11 UTC 2014
Should we loop in tor-talk on this? They might have some additional
ideas =)
William Papper wrote:
> We're now looking for suggestions on providing downloads for
> censored countries.
I've been working on this recently with Satori [1][2], and decided to
mirror on AWS, Github, and Chrome Web Store. (that last one is a
logistical nightmare and not recommended).[4]
The reason is that these are places where there's a strong financial
incentive for countries to not block them or MITM. Doesn't mean that
they won't wind up blocked or tampered with, but makes it less likely.
Both AWS and Github are also accessible in Iran and China.
> 1. Host the downloads directly on each mirror
> While this would work, the combined size of all of the files is
> greater than GitHub's 1GB limit per repository.
I've talked to github about this -- specifically about distributing
software -- and they said that it's a soft limit. I have repositories
that are ~2GB which are fine. Might be better to divide into individual
repos by language if you're concerned they might change their policies.
> 2. Use an external download mirror that is not torproject.org
> Could we use something like Amazon S3 or Sourceforge?
AWS is pretty straightforward, but I would not suggest Sourceforge due
to their advertising policies.
> 3. Provide torrents to users in censored countries
> This seems much more difficult to block, which is good. I couldn't
> find any official TBB torrents, though.
Potential problem[3] with this is that if an adversary becomes a
seeder, they can tally IP addresses of people trying to get ahold of
circumvention software. Highly problematic for people who might get a
knock at the door. Also, not sure how likely it is that the torrent
trackers would just get blocked.
> 4. Assume that the user is not living in a censored country
Can you expand on this a bit?
best,
Griffin
[1] https://github.com/glamrock/satori
[2] https://chrome.google.com/webstore/detail/satori/oncomejlklhkbffpdhpmhldlfambmjlf
[3] https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013158.html
[4] So the process here is that one is distributing unlisted "apps"
which are .crx files. Within those compressed files are the TBB and a
required manifest.json file. That's pretty straightforward, and
nigh-unblockable, but downloading a crx as a zip automatically is
difficult for windows/mac (easy for linux). And there are currently 60
bundles total (30 for linux). Making these could be scripted. Every
Google Chrome Developer account maxes out at 20 apps or extensions, so
we'd still need to create/verify 2-3 accounts if we wanted full language
support. Like I said, logistical nightmare, but I do it for Arabic,
Farsi, and Chinese because the tradeoffs are IMO worth it (and 6 is no
big deal).
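
Footnote [4] above describes .crx files as compressed archives holding the TBB and a manifest.json. The following is an added example, not part of the original message or the Satori project, of locating and opening the ZIP payload behind the CRX header in a platform-independent way. The CRX2/CRX3 header layouts are stated from the published format; the sample file and the member name `bundle.tar.xz` are constructed for illustration.

```python
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_zip_offset(data: bytes) -> int:
    """Return the byte offset where the ZIP payload starts inside a CRX."""
    if len(data) < 12 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (missing Cr24 magic)")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        # CRX2: magic, version, pubkey length, signature length, key, sig, zip
        if len(data) < 16:
            raise ValueError("truncated CRX2 header")
        pub_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + pub_len + sig_len
    elif version == 3:
        # CRX3: magic, version, header length, header blob, zip
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if offset > len(data):
        raise ValueError("header lengths exceed file size")
    return offset

def list_crx_members(data: bytes) -> list[str]:
    """Open the ZIP payload and return member names; require manifest.json."""
    payload = data[crx_zip_offset(data):]
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        names = zf.namelist()
    if "manifest.json" not in names:
        raise ValueError("payload has no manifest.json")
    return names

def make_sample_crx2(members: dict[str, bytes]) -> bytes:
    """Constructed sample: CRX2 wrapper with dummy key and signature bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    pub, sig = b"K" * 8, b"S" * 4  # placeholders, not a real key or signature
    header = CRX_MAGIC + struct.pack("<III", 2, len(pub), len(sig))
    return header + pub + sig + buf.getvalue()

if __name__ == "__main__":
    sample = make_sample_crx2({"manifest.json": b"{}", "bundle.tar.xz": b"constructed"})
    print(crx_zip_offset(sample), list_crx_members(sample))
```

This only locates and opens the payload; it does not check the CRX signature, so the integrity of the bundle inside still has to be verified separately.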