On Mon, 9 May 2016 15:09:37 -0400 Blake Hadley moosehadley@gmail.com wrote:
Hey everyone,
[How it's currently done]
Distributed by gettor@torproject.com, the URL makes it pretty clear what you're downloading.
Dropbox: https://www.dropbox.com/s/mz9ug2rzvj85791/torbrowser-install-5.5.5_en-US.exe...
Google Drive: https://docs.google.com/uc?id=0B76pDbk5No54VHowTEprZnBfWlU&export=downlo...
GitHub: https://github.com/TheTorProject/gettorbrowser/releases/download/v5.5.5/torb...
[Security problem]
The download URL on Google Drive is somewhat obfuscated, but once the download is started, the filename that the browser requests is 'torbrowser[...]'. An environment I was working in has started to block the files based on name, and it would be very easy for an adversary monitoring network traffic to detect users downloading it.
The environment you were in was mounting a MITM attack to break TLS, or has compromised your box, because the only component of the URL that is visible otherwise is the host in the SNI field.
In such an environment, gettor in general isn't unblockable because there is no privacy/security for the request/response messages.
Regards,
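
The point made in the reply about SNI, as an added example that is not part of the original thread: it builds a real TLS ClientHello in memory, parses the server_name extension, and checks whether the requested file name appears anywhere in the cleartext handshake. The URL, host and file name are constructed placeholders, and the function names are hypothetical.

```python
import ssl
from urllib.parse import urlsplit

def client_hello_bytes(host):
    """Build a real TLS ClientHello for `host` in memory (no network I/O)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now queued in `outgoing`
    return outgoing.read()

def sni_from_client_hello(rec):
    """Return the server_name in a TLS ClientHello record, or None."""
    u16 = lambda i: int.from_bytes(rec[i:i + 2], "big")
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:  # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32          # record hdr, handshake hdr, version, random
        p += 1 + rec[p]             # session id
        p += 2 + u16(p)             # cipher suites
        p += 1 + rec[p]             # compression methods
        end = p + 2 + u16(p)        # end of the extensions block
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = u16(p), u16(p + 2)
            p += 4
            if ext_type == 0:       # server_name: list len, type, name len, name
                return rec[p + 5:p + 5 + u16(p + 3)].decode("ascii")
            p += ext_len
    except IndexError:
        pass                        # truncated or malformed input
    return None

def cleartext_view(url):
    """What a passive observer learns from the handshake for `url`."""
    parts = urlsplit(url)
    hello = client_hello_bytes(parts.hostname)
    filename = parts.path.rsplit("/", 1)[-1].encode()
    return sni_from_client_hello(hello), filename in hello

# Constructed URL: the host and file name are placeholders, not from the thread.
URL = "https://downloads.example.org/files/torbrowser-install_en-US.exe"
if __name__ == "__main__":
    print(cleartext_view(URL))
```

The path and file name travel only inside the encrypted HTTP request and response, so name-based blocking of an HTTPS download implies either TLS interception or visibility on the endpoint itself.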