How should we proceed with website mirrors?
We discussed the current status of website mirrors at our Oct 3 anti-censorship meeting. The following questions and arguments came up:
- Should we verify mirrors' authenticity? If so, how? If we verify mirrors, we may want to do it continuously because a mirror may be authentic at time t but serve malware at time t+1. We may also want to verify mirrors in a way that makes it difficult for the mirror to distinguish between a user browsing the mirror and us verifying the mirror.
- People let us know when they set up new mirrors but we currently ignore volunteers because of our policy of only considering mirrors run by trusted contacts.
- Let's keep in mind that people generally search for "download tor" and click on whatever shows up first in their favourite search engine. By obsessing too much over the authenticity of mirrors we may be missing the bigger issue.
- Our old website has a list of mirrors.
- Some of us believe that the risk of having mirrors outweighs their value while others believe the opposite.
- Website mirrors are frequently not subject to censorship, so users who are unable to browse torproject.org can still browse our mirrors and download Tor Browser from there. GetTor could therefore send users a link to mirrors (and add PGP verification instructions to its email, so the user doesn't need to trust the mirrors).
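
One way to approach the continuous check raised in the first item, written as an added example and not as anything the project runs: compare what a mirror serves against digests computed from the origin's own files, and repeat the check over time. The `fetch` callable, the file paths and the in-memory mirror are constructed assumptions; a real check would fetch over HTTP with requests that look like ordinary browsing.

```python
import hashlib
import random

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(origin_files: dict) -> dict:
    """Reference digests computed from the origin's own copy of each file."""
    return {path: sha256_hex(body) for path, body in origin_files.items()}

def check_mirror(fetch, manifest: dict, sample_size: int, rng: random.Random) -> list:
    """Fetch a random sample of paths from the mirror; return those that differ.

    fetch(path) returns the mirror's bytes for a path, or None if it is missing.
    Sampling a few paths per round, in random order, avoids a fixed crawl
    pattern that a mirror could learn to recognise as the verifier.
    """
    paths = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    mismatches = []
    for path in paths:
        body = fetch(path)
        if body is None or sha256_hex(body) != manifest[path]:
            mismatches.append(path)
    return sorted(mismatches)

def monitor(fetch_at, manifest: dict, rounds: int, sample_size: int, seed: int = 0) -> list:
    """Run one check per time step; fetch_at(t) is the mirror's fetch at time t."""
    rng = random.Random(seed)
    return [check_mirror(fetch_at(t), manifest, sample_size, rng) for t in range(rounds)]

# Constructed sample data: stand-ins for a page, a release archive and its signature.
ORIGIN = {
    "/index.html": b"<html>download</html>",
    "/dist/tor-browser.tar.xz": b"constructed stand-in for a release archive",
    "/dist/tor-browser.tar.xz.asc": b"constructed stand-in for a detached signature",
}

def sample_mirror(t: int):
    """Constructed mirror: authentic at t=0, serves an altered archive from t=1."""
    files = dict(ORIGIN)
    if t >= 1:
        files["/dist/tor-browser.tar.xz"] = b"altered archive"
    return files.get

if __name__ == "__main__":
    manifest = build_manifest(ORIGIN)
    for t, bad in enumerate(monitor(sample_mirror, manifest, rounds=3, sample_size=3)):
        print(f"t={t}:", "OK" if not bad else f"MISMATCH {bad}")
```

A one-off check at t=0 would pass this mirror; only the repeated rounds catch the change at t=1.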