[Tor www-team] Suggestions for Mirrors in Censored Countries

Griffin Boyce griffin at cryptolab.net
Sun May 4 05:52:11 UTC 2014


Should we loop in tor-talk on this? They might have some additional 
ideas =)

William Papper wrote:

> We're now looking for suggestions on providing downloads for
> censored countries.

   I've been working on this recently with Satori [1][2], and decided to 
mirror on AWS, Github, and Chrome Web Store. (that last one is a 
logistical nightmare and not recommended).[4]

   The reason is that these are places where there's a strong financial 
incentive for countries to not block them or MITM.  Doesn't mean that 
they won't wind up blocked or tampered with, but makes it less likely.  
Both AWS and Github are also accessible in Iran and China.

> 1. Host the downloads directly on each mirror
> While this would work, the combined size of all of the files is
> greater than GitHub's 1GB limit per repository.

   I've talked to github about this -- specifically about distributing 
software -- and they said that it's a soft limit.  I have repositories 
that are ~2GB which are fine.  Might be better to divide into individual 
repos by language if you're concerned they might change their policies.

> 2. Use an external download mirror that is not torproject.org
> Could we use something like Amazon S3 or Sourceforge?

   AWS is pretty straightforward, but I would not suggest Sourceforge due 
to their advertising policies.

> 3. Provide torrents to users in censored countries
> This seems much more difficult to block, which is good. I couldn't
> find any official TBB torrents, though.

   Potential problem[3] with this is that if an adversary becomes a 
seeder, they can tally IP addresses of people trying to get ahold of 
circumvention software.  Highly problematic for people who might get a 
knock at the door.  Also, not sure how likely it is that the torrent 
trackers would just get blocked.

> 4. Assume that the user is not living in a censored country

   Can you expand on this a bit?

best,
Griffin

[1] https://github.com/glamrock/satori
[2] https://chrome.google.com/webstore/detail/satori/oncomejlklhkbffpdhpmhldlfambmjlf
[3] https://mailman.stanford.edu/pipermail/liberationtech/2014-March/013158.html
[4] So the process here is that one is distributing unlisted "apps" 
which are .crx files.  Within those compressed files are the TBB and a 
required manifest.json file.  That's pretty straightforward, and 
nigh-unblockable, but downloading a crx as a zip automatically is 
difficult for windows/mac (easy for linux). And there are currently 60 
bundles total (30 for linux).  Making these could be scripted.  Every 
Google Chrome Developer account maxes out at 20 apps or extensions, so 
we'd still need to create/verify 2-3 accounts if we wanted full language 
support.  Like I said, logistical nightmare, but I do it for Arabic, 
Farsi, and Chinese because the tradeoffs are IMO worth it (and 6 is no 
big deal).
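
Footnote [4] describes a .crx as a compressed file holding the bundle and a manifest.json. The sketch below is an added example, not part of the original post or of Satori: it locates the ZIP payload behind the CRX2/CRX3 header and lists its members. It does not verify the CRX signature, and the sample file, its member names and the dummy key/signature bytes are constructed for illustration.

```python
import io
import struct
import zipfile

CRX_MAGIC = b"Cr24"

def crx_zip_offset(data: bytes) -> int:
    """Return the offset at which the ZIP archive starts inside a CRX."""
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file (too short or missing Cr24 magic)")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:
        # CRX2: public-key length and signature length, then key and signature
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + key_len + sig_len
    elif version == 3:
        # CRX3: one length-prefixed header blob
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    # The local-file-header magic guards against bogus length fields.
    if data[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("CRX header does not lead to a ZIP archive")
    return offset

def list_crx_members(data: bytes) -> list[str]:
    """Open the embedded ZIP, CRC-check every member, and return the names."""
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        corrupt = zf.testzip()
        if corrupt is not None:
            raise ValueError(f"corrupt member: {corrupt}")
        names = zf.namelist()
    if "manifest.json" not in names:
        raise ValueError("manifest.json missing from CRX payload")
    return names

def build_sample_crx2() -> bytes:
    """Constructed sample: CRX2 header with dummy key/signature bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1"}')
        zf.writestr("bundle/placeholder.bin", b"constructed placeholder")
    key, sig = b"K" * 8, b"S" * 4
    header = CRX_MAGIC + struct.pack("<III", 2, len(key), len(sig))
    return header + key + sig + buf.getvalue()

if __name__ == "__main__":
    print(list_crx_members(build_sample_crx2()))
```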