Download Tor from website .onion instead of dist.torproject.org

When using http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/download/

I notice that when you click to download a file it wants to download from
dist.torproject.org, rather than the .onion.

This differs from, say, the OnionShare website .onion, where when you download
a file it downloads from the .onion.

Would it be possible to change the download behavior at the torproject.org .onion’s download
page to download from the .onion rather than pivot to downloading at dist.torproject.org?

1 Like

When I hover over “Download for Linux” I get this URL:

http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/dist/torbrowser/11.0.7/tor-browser-linux64-11.0.7_en-US.tar.xz

And as you can see, it fetches it from the .onion domain. To me it looks ok…

Step 1: Visit http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/download/
Step 2: Click to download the Windows version (for example)

A window pops up with the heading, “Download an external file type?”

I click on, “Download file”

That popup disappears and is replaced by “opening torbrowser-install-win64-11.07_en-US.exe”

The window reads:

You have chosen to open:

torbrowser-install-win64-11.07_en-US.exe

which is EXE file (73.5 MB)

from: https://dist.torproject.org

etc.

#################

This differs from the behavior I see at OnionShare’s .onion:

http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/

When you click download, the external file type? popup comes up

that window is replaced by a window saying the location of the .msi
file is from the .onion location and not clear net.

#################

“Hovering” over the Tor Browser link may suggest it is downloading from the .onion
but for Tor Browser it isn’t, for OnionShare it is. Unless, of course, I am wrong
somehow.

#################

Edit: My thread title should read: “Tor Browser” rather than simply “Tor.”

2 Likes

the same happens here - downloads served from https://dist.torproject.org

1 Like

@atari:

Thanks for the confirmation! :+1:

Should this be reported as a bug on the Gitlab site or somewhere else? I would really like to see this fixed.

2 Likes

Ok, I can now confirm what you saw.
I now tried downloading with curl command:

curl --socks5-hostname localhost:9150 http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/dist/torbrowser/11.0.7/torbrowser-install-win64-11.0.7_en-US.exe

And this is what curl says:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dist.torproject.org/torbrowser/11.0.7/torbrowser-install-win64-11.0.7_en-US.exe">here</a>.</p>
<hr>
<address>Apache Server at 2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion Port 80</address>
</body></html>

Look at the line “The document has moved”, in my mind this suggests the onion URL is just a shortcut to /dist.torproject.org/…
So this is not a bug at all, but the way they organize downloads. The actual files seem not to be hosted on the .onion server, but on
dist.torproject.org

So, this is not a bug, this is just a redirection of the .onion URL to the real download target. They seem to not host their files on the .onion server, that's all.
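
Added example (not part of the thread, and not Tor Project code): the check described in the post above, as a script. It reads response heads such as `curl -sIL` prints and reports the first redirect hop that leaves the onion service. The function names and the sample heads are constructed for illustration; the URLs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: does a download started on an onion service stay on it?
# ONION_URL is the link from the thread; the response heads are constructed.
ONION_URL='http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/dist/torbrowser/11.0.7/torbrowser-install-win64-11.0.7_en-US.exe'

# Print the lowercase host of an absolute URL (scheme, path, userinfo, port removed).
host_of() {
    printf '%s\n' "$1" |
        sed -E 's,^[A-Za-z][A-Za-z0-9+.-]*://,,; s,[/?#].*$,,; s,^[^@]*@,,; s,:[0-9]+$,,' |
        tr 'A-Z' 'a-z'
}

# Print every Location header value found on stdin, in order (CR stripped).
locations() {
    tr -d '\r' | awk 'tolower($0) ~ /^location:/ { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# first_offonion_hop START_URL < response-heads
# Prints the first redirect target whose host is not *.onion and returns 1;
# prints nothing and returns 0 when every hop stays on an onion service.
first_offonion_hop() {
    host=$(host_of "$1")
    locs=$(locations)
    while IFS= read -r loc; do
        [ -n "$loc" ] || continue
        case "$loc" in
            [A-Za-z]*://*) host=$(host_of "$loc") ;;  # absolute target: host may change
        esac                                           # relative target: host unchanged
        case "$host" in
            *.onion) ;;
            *) printf '%s\n' "$loc"; return 1 ;;
        esac
    done <<EOF
$locs
EOF
    return 0
}

# Constructed heads: the 302 from the thread, then a redirect that stays put.
sample_clearnet_redirect() {
    printf 'HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\nHTTP/1.1 200 OK\r\n\r\n' \
        'https://dist.torproject.org/torbrowser/11.0.7/torbrowser-install-win64-11.0.7_en-US.exe'
}
sample_same_onion_redirect() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: /dist/torbrowser/11.0.7/\r\n\r\nHTTP/1.1 200 OK\r\n\r\n'
}

# Live use: curl -sIL --socks5-hostname localhost:9150 "$ONION_URL" | first_offonion_hop "$ONION_URL"
hop=$(sample_clearnet_redirect | first_offonion_hop "$ONION_URL") ||
    echo "redirect leaves the onion service: $hop"
```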

@RealEd

“this is just a redirection of the .onion URL to the real download target. They seem to not host their files on the .onion server, that's all.”

Yes, this is why I used the word, “pivot” in my Original Post.

“So, this is not a bug”

I disagree. In your original post to this thread you said, “And as you can see, it fetches it from the .onion domain. To me it looks ok…” A user is on an .onion site, and for the most part, they believe a file downloaded while at the .onion site should be at the .onion site. Do you see how easy it is to misunderstand this prior to doing any checking other than “hovering?”

I believe this is a bug. I pointed out my example with the OnionShare site .onion and how their file(s) are being served by the .onion and not “pivoting” to clear net.

I’m not familiar enough with GitLab or else I’d file a bug for this. Some may not agree with me and just say that’s how the site works, deal with it, or use kinder words. But, as I pointed out with the OnionShare site’s .onion, if you’re going to point to a file(s) on an .onion, it should actually be hosted via the .onion!

Should this not be considered a bug, there should be a CLEAR WARNING for the user(s) that the file(s) are not actually being hosted on an .onion but on clear net, BEFORE they begin the download.

Thanks for your post, your efforts, and your response. Have a beautiful day!

1 Like

If anyone wants I can mirror dist.torproject.org on an onion

We already have dist.tpo as an onion service:

You can find all onion services managed by the Tor Project here: https://onion.torproject.org/

Filed this ticket: Downloading Tor Browser from the onionsite redirects to dist.tpo (#40667) · Issues · The Tor Project / TPA / TPA team · GitLab

3 Likes

@gus:

Thanks very much for opening the ticket and for quoting+linking back here to this thread. :heart_eyes:

I also appreciate you pointing out to us the dist.tpo .onion service and the TP .onion services site. I was familiar with that site but I didn’t think to search for dist.tpo there! I know where I’ll be downloading future releases from until this is fixed!

I’ll leave this thread opened until resolved for further info/comments should any arise.

:pray:

1 Like

Hello, this is now fixed. You can see how @lavamind fixed it here:

I’ll close this thread. Thank you, @aliceinonionland.

3 Likes
