Commit ab39ffcb authored by Hiro's avatar Hiro 🏄
Browse files

Update instructions for gettor

parent 58d052b5
../lego/assests/javascript
\ No newline at end of file
../lego/assets/javascript
\ No newline at end of file
../lego/assests/scss
\ No newline at end of file
../lego/assets/scss
\ No newline at end of file
../../lego/assests/static/css
\ No newline at end of file
../../lego/assets/static/css
\ No newline at end of file
../../lego/assests/static/fonts
\ No newline at end of file
../../lego/assets/static/fonts
\ No newline at end of file
../../lego/assests/static/js
\ No newline at end of file
../../lego/assets/static/js
\ No newline at end of file
......@@ -5,22 +5,124 @@ body:
GetTor is a service that provides alternative methods to download the Tor Browser, especially for people living in places with high levels of censorship, where access to Tor Project's website is restricted.
### How does it work?
# How does it work?
The idea behind GetTor is very simple:
Step 1: Send a request to GetTor specifying your operating system (and optionally your locale).
- Step 1: Send a request to GetTor (gettor@torproject.org) specifying your operating system (and your locale). Ex: "windows es"
  • I think we should provide a bit more information here, to make it easier for our users. For example:

    • Step 1: Send an email to gettor@torproject.org and add in your email's body your operating system ("windows", "osx", or "linux") followed by your language shortcut ("en" for English or "zh" for Chinese). For example, "windows de" or "osx es".

    Also, the language option currently doesn't actually work, right? If so, we shouldn't mention it. Once it works, we can add it to the documentation again.

Please register or sign in to reply
Step 2: GetTor will send you back a reply with links to download Tor Browser from our supported providers.
- Step 2: GetTor will send you back a reply with links to download Tor Browser from our supported providers.
Step 3: Download Tor Browser from one of the providers. When done, check the integrity of the downloaded files.
- Step 3: Download Tor Browser from one of the providers. When done, check the integrity of the downloaded files by verifying its signature.
Step 4: If required, get some bridges!
- Step 4: If required, get some bridges!
### Channels
You can make requests to GetTor using different channels of communication and different locales. At the present moment, we support the following locales: English (en), Farsi (fa), Chinese (zh), Turkish (tr), and the following channels:
Email: you can make a request sending an email to gettor@torproject.org
## How to verify a digital signature
Quick example:
To get links for downloading Tor Browser in English for Windows, send an email to gettor@torproject.org with the words "windows en" in the body of the message.
Digital signature is a process ensuring that a certain package was generated by its developers and has not been tampered with.
Below we explain why it is important and how to verify that the Tor program you download is the one we have created and has not been modified by some attacker.
In GetTor emails we provide a link to a file with the same name as the package and the extension ".asc". These .asc files are OpenPGP signatures.
They allow you to verify the file you've downloaded is exactly the one that we intended you to get.
Please register or sign in to reply
For example, `torbrowser-install-win64-8.5.4_en-US.exe` is accompanied by `torbrowser-install-win64-8.5.4_en-US.exe.asc`.
We now show how you can verify the downloaded file's digital signature on different operating systems.
Please notice that a signature is dated the moment the package has been signed.
Therefore every time a new file is uploaded a new signature is generated with a different date.
As long as you have verified the signature you should not worry that the reported date may vary.
### Installing GnuPG
First of all you need to have GnuPG installed before you can verify signatures.
#### For Windows users:
If you run Windows, [download Gpg4win](https://gpg4win.org/download.html) and run its installer.
In order to verify the signature you will need to type a few commands in windows command-line, `cmd.exe`.
#### For macOS users:
If you are using macOS, you can [install GPGTools](https://www.gpgtools.org).
In order to verify the signature you will need to type a few commands in the Terminal (under "Applications").
#### For GNU/Linux users:
If you are using GNU/Linux, then you probably already have GnuPG in your system, as most GNU/Linux distributions come with it preinstalled.
In order to verify the signature you will need to type a few commands in a terminal window. How to do this will vary depending on your distribution.
### Fetching the Tor Developers key
The Tor Browser team signs Tor Browser releases.
Import the Tor Browser Developers signing key (0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290):
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
  • Will this cause trouble because of the recent key key server DoS attack?

Please register or sign in to reply
This should show you something like:
gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) <torbrowser@torproject.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
pub rsa4096 2014-12-15 [C] [expires: 2020-08-24]
EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
uid [ unknown] Tor Browser Developers (signing key) <torbrowser@torproject.org>
sub rsa4096 2018-05-26 [S] [expires: 2020-09-12]
After importing the key, you can save it to a file (identifying it by fingerprint here):
gpg --output ./tor.keyring --export 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
### Verifying the signature
To verify the signature of the package you downloaded, you will need to download the corresponding ".asc" signature file as well as the installer file itself, and verify it with a command that asks GnuPG to verify the file that you downloaded.
The examples below assume that you downloaded these two files to your "Downloads" folder.
The result of the command should produce something like this:
gpgv: Signature made 07/08/19 04:03:49 Pacific Daylight Time
gpgv: using RSA key EB774491D9FF06E2
gpgv: Good signature from "Tor Browser Developers (signing key) <torbrowser@torproject.org>"
#### For Windows users:
gpgv --keyring .\tor.keyring Downloads\torbrowser-install-win64-8.5.4_en-US.exe.asc Downloads\torbrowser-install-win64-8.5.4_en-US.exe
#### For macOS users:
gpgv --keyring ./tor.keyring ~/Downloads/TorBrowser-8.5.4-osx64_en-US.dmg{.asc,}
#### For GNU/Linux users (change 64 to 32 if you have the 32-bit package):
gpgv --keyring ./tor.keyring tor-browser-linux64-8.5.4_en-US.tar.xz{.asc,}
You may also want to [learn more about GnuPG](https://www.gnupg.org/documentation/).
## How to get bridges
Bridge relays are Tor relays that are not listed in the public Tor directory.
That means that ISPs or governments trying to block access to the Tor network can't simply block all bridges.
Bridges are useful for Tor users under oppressive regimes, and for people who want an extra layer of security because they're worried somebody will recognize that they are contacting a public Tor relay IP address.
When you start TorBrowser for the first time you will be asked if you want to use bridges. To use pluggable transports, click 'Configure' in the Tor Launcher window that appears when you first run Tor Browser.
Please register or sign in to reply
You can also configure pluggable transports while Tor Browser is running by clicking on the onion icon to the left of the address bar, then selecting 'Tor Network Settings'.
Select 'Tor is censored in my country,' then click 'Select a built-in bridge.' Click on the drop-down menu and select the pluggable transport you'd like to use.
Click 'OK' to save your settings.
Another way to get bridges is to send an email to bridges@torproject.org. Please note that you must send the email using an address from one of the following email providers: Riseup or Gmail.
A bridge is just a normal relay with a slightly different configuration.
Several countries, including China and Iran, have found ways to detect and block connections to Tor bridges.
  • Not sure what the purpose of this paragraph is. It seems to address bridge operators and not users. I would remove it.

Please register or sign in to reply
<mark><a href="https://github.com/Yawning/obfs4/blob/master/doc/obfs4-spec.txt">Obfsproxy</a></mark> bridges address this by adding another layer of obfuscation.
Setting up an obfsproxy bridge requires an additional software package and additional configurations.
See our page on <mark><a href="https://www.torproject.org/docs/pluggable-transports.html.en">pluggable transports</a></mark> for more info.
lego @ 094dd933
Subproject commit 9e6fd6b34b8252ad3cc0a8eb81e640320c2ba6b8
Subproject commit 094dd93359d24f87c74eaa932de7f3214dd93333
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment