November 2017 - tor-commits - lists.torproject.org

[research-web/master] publish the request and response for 2017-03
by arma＠torproject.org 01 Nov '17

01 Nov '17

commit 0af0f5936711be37a31c56331bdaf66c313bf5ce Author: Roger Dingledine <arma(a)torproject.org> Date: Wed Nov 1 02:16:08 2017 -0400 publish the request and response for 2017-03 --- htdocs/safetyboard.html | 16 ++++- htdocs/trsb/2017-03-request.txt | 124 +++++++++++++++++++++++++++++++++++++++ htdocs/trsb/2017-03-response.txt | 118 +++++++++++++++++++++++++++++++++++++ 3 files changed, 257 insertions(+), 1 deletion(-) diff --git a/htdocs/safetyboard.html b/htdocs/safetyboard.html index 1058533..7a53bed 100644 --- a/htdocs/safetyboard.html +++ b/htdocs/safetyboard.html @@ -198,10 +198,24 @@ public first. 2017-03: Running middle relays to measure onion service popularity <ul> -<li>[still anonymized during paper review] +<li><a href="trsb/2017-03-request.txt">request</a> +<li><a href="trsb/2017-03-response.txt">response</a> <li><a href="https://onionpop.github.io/">research project page</a> +<li>[Accepted paper forthcoming at NDSS 2018] </ul> + +2017-04: [under review] + + + +2017-05: [under review] + + + +2017-06: [under review] + + <hr> <a id="who"></a> <h3><a class="anchor" href="#who">Who is on the Board?</a></h3> diff --git a/htdocs/trsb/2017-03-request.txt b/htdocs/trsb/2017-03-request.txt new file mode 100644 index 0000000..1cafc20 --- /dev/null +++ b/htdocs/trsb/2017-03-request.txt @@ -0,0 +1,124 @@ +From: Rob Jansen <rob.g.jansen(a)nrl.navy.mil> +Subject: Request for feedback on measuring popularity of Facebook onion site front page +Date: Sun, 2 Jul 2017 + +# Overview + +We have been working on exploring the website fingerprinting problem in +Tor. In website fingerprinting, either a client's guard or someone that +can observe the link between the client and its guard is adversarial and +attempts to link the client to its destination. This linking is attempted +by first crawling common destinations and gathering a dataset of webpage +features, and then training a classifier to recognize those features, +and finally using the trained classifier to guess the destination to +which an observed traffic stream connected. + +A common assumption in research papers that explore these attacks is +that the adversary controls the guard or client-to-guard link. We are +attempting to understand how effective fingerprinting would be for a +weaker node adversary that runs only middle nodes, and who focuses on +onion service websites. This involves 1.) guessing if an observed circuit +is a hidden service circuit (already done by Kwon et al. from a guard node +position); 2.) guessing that you are in a middle position, specifically +the middle position next to the client-side guard; and 3.) if both 1 and +2 are true, then guessing the onion service website based on a trained +classifier. We would like to apply these classifiers to Tor traffic and +use them to measure the popularity of the Facebook onion site front page. + +# Where we are + +We have already used our own client and middle to crawl the onion +service space. Our client built circuits to a list of onions, and our +client pinned middle relays under our control so that all circuits were +built through our middles. The clients sent a special signal to our +middles so that the middles could tag the circuits that were created by +us (so that it only logged our circuits and not circuits of legitimate +clients). Our middles then logged ground truth information about these +circuits, as well as features that could be used for guessing the circuit +type, position, and onion site being accessed. We used this data set to +train classifiers and run analysis. + +# Where we want to go + +In our version of website fingerprinting, we guess the circuit type, +position, and onion site. Since we are doing this from a middle node, +even if all of those guesses work out, the adversary learns that someone +with a specific guard went to a given onion site. This is not enough for +deanonymization. Although there are several strategies that could leak +information about the client once a middle is successful at fingerprinting +(guard profiling, latency attacks to geolocate clients, legal attacks +on guards), we would like to show a potentially interesting application +of website fingerprinting beyond client deanonymization. + +If fingerprinting at the middle is successful, then it can be used to +discover onion service popularity; we first identify the onion site, and +then measure the frequency that each onion site is accessed. Because this +measurement is done from the middle position, we will more quickly gain +a representative sample of all circuits built in Tor (because new middles +are chosen for each circuit with fewer biases than guards and exits). We +would like to use PrivCount to do such a popularity measurement safely, +following the methods and settings set out in the "Safely Measuring Tor" +CCS paper by Jansen and Johnson. This is where we are requesting feedback. + +We would like to measure the following: +1. The fraction of all circuits that we classify as hidden service circuits +2. The fraction of hidden service circuits that we classify as accessing +the Facebook onion front page + +We want to do this measurement safely, because it will involve measuring +circuits of real users. We hope to be able to do this from the first +client-side middle node (which will involve guessing the circuit, +position, and the site) as well as from the rendezvous position (which +will only involve guessing the site). The classifiers necessary to perform +these guesses will be trained on our previously crawled onion data set +and a dataset of circuit information that we generated synthetically +in Shadow. + +During the measurement process, circuit and cell metadata will be used +by the classifiers to make their guesses. Circuit meta-data includes +a description of the previous and next relay in the circuit, as well +as the previous and next circuit ID and channel ID. Cell metadata +includes whether the cell was sent or received and from which side of +the circuit, the previous and next circuit ID and channel ID, the cell +type and cell command type if known, and a timestamp relative to the +start of the circuit. + +The meta-data will be sent in real time to PrivCount where it will be +stored in volatile memory (RAM); the longest time that PrivCount will +store the data in RAM is the lifetime of the circuit. When the circuit +closes, PrivCount will pass the meta-data to the previously-trained +classifier, which will make the guesses as appropriate. The following +counters will be incremented in PrivCount according to the results of +the guesses: + +1. Total number of circuits +2. Total number of onion service circuits +3. Number of onion service circuits accessing facebook onion frontpage +4. Number of onion service circuits NOT accessing facebook onion frontpage + +Once these counters are incremented, all meta-data corresponding to +circuit and its cells are destroyed. The PrivCount counters are initiated +to noisy values to ensure differential privacy is maintained (cf. "Safely +Measuring Tor"), and are then blinded and distributed across several +share keepers to provide secure aggregation. At the end of the process, +we learn *only* the value of these noisy counts aggregated across all data +collectors, and nothing else about the information that was used during +the measurement process. Specifically, client usage of Tor during our +measurement will be protected under differential privacy. (We currently +plan to run at least 3 share keepers and more than 10 data collectors.) + +# Value + +This work has value to the community that we believe offsets the potential +risks associated with the measurement. Understanding Facebook popularity +and having raw numbers to report, while is in itself interesting, also +allows us to focus a popularity measurement on the positive use cases +of Tor and onion service rather than the not-so-positive. We believe +that showing how website fingerprinting can be applied to purposes +other than client deanonymization is novel and interesting and may +spur additional research that may ultimately help us better understand +the real world risks associated with fingerprinting techniques (which +may lead to better fingerprinting defenses). Finally, risk from middle +nodes is often overlooked, and we think there is value in showing what +is possible from the position with the fewest requirements. + diff --git a/htdocs/trsb/2017-03-response.txt b/htdocs/trsb/2017-03-response.txt new file mode 100644 index 0000000..20a4478 --- /dev/null +++ b/htdocs/trsb/2017-03-response.txt @@ -0,0 +1,118 @@ +Date: Sun, 16 Jul 2017 01:00:40 -0400 +From: Roger Dingledine <arma(a)mit.edu> +Subject: Re: [tor-research-safety] Request for feedback on measuring popularity of Facebook onion site front page + +Here are some thoughts that are hopefully useful. I encourage other safety +board people to jump in if they have responses or other perspectives. + +A) Here's an attack that your published data could enable. + +Let's say there is another page somewhere in onion land that looks +just like the Facebook frontpage, from your classifier's perspective. + +In that case you're going to be counting, and publishing, what you think +are Facebook frontpage visits, but if somebody knows the ground truth +for the Facebook visits (and at least Facebook does), then they can +subtract out the ground truth and learn the popularity of that other page. + +Counterintuitively, the more "colliding" pages there are, or rather, +the more colliding pages there are that are sufficiently popular, the +less scary things get, since you're publishing popularity of "Facebook + +all the others that look like Facebook", and if that second part of the +number is a broad variety of pages, it's not so scary to publish it. + +I guess you can look through your training traces to see if there are +traces that look very similar, to get a handle on whether there are zero +or some or many. But even if you find zero, (1) are your training traces +just the front pages of other onion sites? In that case you'll be missing +many internal pages, and maybe there is a colliding internal page. And +(2) you don't have a comprehensive onion list (whatever that even means), +so you can't assess closeness for the pages you don't know about. And +(3) remember dynamic pages -- like a duckduckgo search for a particular +sensitive word that you didn't think to search for. (I don't think that +particular example will produce a collision with the Facebook frontpage, +but maybe there's some similar example that would.) + +So, principle 1: publishing a sum of popularity of a small number of +sites is inherently more revealing than publishing the sum of popularity +of a broader set of sites, because the small number is more precise. + +And principle 1b: if an external party has a popularity count for a subset +of your sum, they can get more precision than you originally intended. + +Unless the differential privacy that you talked about handles this case? +I have been assuming it focuses on making it hard to reconstruct exactly +how many hits a given relay saw, but maybe it does more magic than that? + +B) You mention picking Facebook in particular, and I assume you'll be +naming them in your paper. Have you asked them if they're ok with this? + +Getting consent when possible would go a long way to making your approach +as safe as it can be. I can imagine that Facebook would say it's ok, +while I could imagine that a particular SecureDrop deployment might ask +you to please not do it. + +In particular, two good contacts for Facebook would be Alec Muffett +and <other Facebook security person anonymized for publication>. + +The service side is of course only half of the equation: in an ideal +world it would be best to get consent from all the clients too. But since +your experiment's approach aggregates all the clients, yet singles out +the service, I think it's much more important to think about consent +from the service side for this case. + +So, principle 2: the more you're going to single out and then name a +particular entity, the more important it is for you to get consent from +that entity before doing so. + +C) In fact, it would probably be good in your paper to specify *why* +the safety board thought that doing this measurement was ok -- that +you got consent and that's why you were comfortable naming them and +publishing a measurement just for them. + +I think mentioning it in the paper is important because if this general +"popularity measurement" attack works, I can totally imagine somebody +wanting to do a follow-on paper measuring individual popularity for a big +pile of other onion services, first because it would seem cool to do it +in bulk (the exact opposite of the reason why you decided not to do it in +bulk), and second because eventually people will realize that measuring +popularity is a key stepping stone to building a bayesian prior, which +could make website fingerprinting attacks work better than the default +"assume a uniform prior" that I guess a lot of them do now. + +So, principle 3: explicitly say in your paper where your +lines-you-didn't-want-to-cross are, so readers can know which follow-on +activities are things you wouldn't have wanted to do (and so future PCs +reviewing future follow-on papers have something concrete to point to +when they're expressing concern about methodology). + +D) I actually expect your Facebook popularity measurement to show +that it's not very popular right now. That's because, at least last I +checked, all of the automated apps and stuff use facebook.com as their +destination. The Facebook folks have talked about putting the onion +address by default in their various mobile apps if it detects that Orbot +is running, but as far as I know they haven't rolled that out yet. So +(1) doing a measurement now will allow you to do another measurement +later once Facebook has made some changes, and you'll have a baseline for +comparison; and (2) if you coordinate better with the Facebook people, +you can learn the state and expected timing for their "onion address by +default" roll-out -- or heck, you might learn other confounding factors +that Facebook can explain for you. + +E) If you're planning to use PrivCount, does that mean you are running +more than one relay to do this measurement? I think yes because "and +more than 10 data collectors"? + +For the last person who asked us about running many relays for doing +measurements, we suggested that they label their relays in the ContactInfo +section, and put up a little page explaining what their research is and +why it's useful (I think the text you sent us would do fine). + +Here is their page for an example: http://tor.ccs.neu.edu/ + +I think that step would be wise here too. + +Hope those are helpful! Let me know if you have any questions. + +--Roger +

1 0

[chutney/master] Add networks that test that IPv6-only tor clients can use microdescriptors
by teor＠torproject.org 01 Nov '17

01 Nov '17

commit 61c28b99a2ab9d2f828a346baec6d43c6ef8a144 Author: teor <teor2345(a)gmail.com> Date: Wed Nov 1 17:00:24 2017 +1100 Add networks that test that IPv6-only tor clients can use microdescriptors These networks and torrc templates end in "ipv6-md". Implements #21001. --- networks/client-ipv6-only-md | 21 +++++++++++++++++++ networks/hs-client-ipv6-md | 24 ++++++++++++++++++++++ networks/hs-ipv6-md | 25 +++++++++++++++++++++++ networks/hs-v23-ipv6-md | 26 ++++++++++++++++++++++++ networks/hs-v3-ipv6-md | 25 +++++++++++++++++++++++ networks/single-onion-client-ipv6-md | 24 ++++++++++++++++++++++ networks/single-onion-ipv6-md | 25 +++++++++++++++++++++++ networks/single-onion-v23-ipv6-md | 27 +++++++++++++++++++++++++ networks/single-onion-v3-ipv6-md | 25 +++++++++++++++++++++++ torrc_templates/client-only-v6-md.i | 2 ++ torrc_templates/client-only-v6-md.tmpl | 2 ++ torrc_templates/client-only-v6.i | 10 +++------ torrc_templates/hs-only-v6-md.tmpl | 3 +++ torrc_templates/hs3-only-v6-md.tmpl | 3 +++ torrc_templates/single-onion-only-v6-md.tmpl | 3 +++ torrc_templates/single-onion-v3-only-v6-md.tmpl | 3 +++ 16 files changed, 241 insertions(+), 7 deletions(-) diff --git a/networks/client-ipv6-only-md b/networks/client-ipv6-only-md new file mode 100644 index 0000000..32f713e --- /dev/null +++ b/networks/client-ipv6-only-md @@ -0,0 +1,21 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +ExitRelay6 = Node(tag="r", relay=1, exit=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-exit.tmpl") +HS = Node(tag="h", hs=1, torrc="hs.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# The minimum number of authorities/relays/exits is 3, the minimum path length +# But for some reason, Tor wants 4 "acceptable routers" (Tor bug #20071) +NODES = Authority6.getN(3) + ExitRelay6.getN(1) + HS.getN(1) + Client6.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/hs-client-ipv6-md b/networks/hs-client-ipv6-md new file mode 100644 index 0000000..c93c354 --- /dev/null +++ b/networks/hs-client-ipv6-md @@ -0,0 +1,24 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +HS = Node(tag="h", hs=1, torrc="hs.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client6.getN(1) + HS.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/hs-ipv6-md b/networks/hs-ipv6-md new file mode 100644 index 0000000..c64080f --- /dev/null +++ b/networks/hs-ipv6-md @@ -0,0 +1,25 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +HS6 = Node(tag="h", hs=1, torrc="hs-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client.getN(1) + Client6.getN(1) + HS6.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/hs-v23-ipv6-md b/networks/hs-v23-ipv6-md new file mode 100644 index 0000000..f562dd8 --- /dev/null +++ b/networks/hs-v23-ipv6-md @@ -0,0 +1,26 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +HSv2IPv6 = Node(tag="h", hs=1, torrc="hs-only-v6-md.tmpl") +HSv3IPv6 = Node(tag="h", hs=1, torrc="hs3-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client.getN(1) + Client6.getN(1) + HSv2IPv6.getN(1) + HSv3IPv6.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/hs-v3-ipv6-md b/networks/hs-v3-ipv6-md new file mode 100644 index 0000000..fc021d8 --- /dev/null +++ b/networks/hs-v3-ipv6-md @@ -0,0 +1,25 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +HS6 = Node(tag="h", hs=1, torrc="hs3-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client.getN(1) + Client6.getN(1) + HS6.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/single-onion-client-ipv6-md b/networks/single-onion-client-ipv6-md new file mode 100644 index 0000000..cdd64ec --- /dev/null +++ b/networks/single-onion-client-ipv6-md @@ -0,0 +1,24 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +SingleOnion = Node(tag="h", hs=1, torrc="single-onion.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client6.getN(1) + SingleOnion.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/single-onion-ipv6-md b/networks/single-onion-ipv6-md new file mode 100644 index 0000000..7464e4b --- /dev/null +++ b/networks/single-onion-ipv6-md @@ -0,0 +1,25 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +SingleOnion6 = Node(tag="h", hs=1, torrc="single-onion-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client.getN(1) + Client6.getN(1) + SingleOnion6.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/single-onion-v23-ipv6-md b/networks/single-onion-v23-ipv6-md new file mode 100644 index 0000000..4450a66 --- /dev/null +++ b/networks/single-onion-v23-ipv6-md @@ -0,0 +1,27 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +SingleOnionv2IPv6 = Node(tag="h", hs=1, torrc="single-onion-only-v6-md.tmpl") +SingleOnionv3IPv6 = Node(tag="h", hs=1, torrc="single-onion-v3-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client.getN(1) + Client6.getN(1) + \ + SingleOnionv2IPv6.getN(1) + SingleOnionv3IPv6.getN(1) + +ConfigureNodes(NODES) diff --git a/networks/single-onion-v3-ipv6-md b/networks/single-onion-v3-ipv6-md new file mode 100644 index 0000000..fc166cd --- /dev/null +++ b/networks/single-onion-v3-ipv6-md @@ -0,0 +1,25 @@ +import os +# By default, Authorities are not configured as exits +Authority6 = Node(tag="a", authority=1, relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="authority-orport-v6.tmpl") +NonExitRelay6 = Node(tag="r", relay=1, + ipv6_addr=os.environ.get('CHUTNEY_LISTEN_ADDRESS_V6', + '[::1]'), + torrc="relay-orport-v6-non-exit.tmpl") +Client = Node(tag="c", client=1, torrc="client.tmpl") +Client6 = Node(tag="c", client=1, torrc="client-only-v6-md.tmpl") +SingleOnionv3IPv6 = Node(tag="h", hs=1, torrc="single-onion-v3-only-v6-md.tmpl") + +# Since only 25% of relays get the guard flag, +# TestingDirAuthVoteGuard * may need to be used in small networks + +# A hidden service needs 5 authorities/relays to ensure it can build HS +# connections: +# a minimum path length of 3, plus the client-nominated rendezvous point, +# plus a seperate introduction point +NODES = Authority6.getN(2) + NonExitRelay6.getN(3) + \ + Client.getN(1) + Client6.getN(1) + SingleOnionv3IPv6.getN(1) + +ConfigureNodes(NODES) diff --git a/torrc_templates/client-only-v6-md.i b/torrc_templates/client-only-v6-md.i new file mode 100644 index 0000000..8c3d452 --- /dev/null +++ b/torrc_templates/client-only-v6-md.i @@ -0,0 +1,2 @@ +# A client that only uses IPv6 ORPorts +ClientUseIPv4 0 diff --git a/torrc_templates/client-only-v6-md.tmpl b/torrc_templates/client-only-v6-md.tmpl new file mode 100644 index 0000000..dd4471a --- /dev/null +++ b/torrc_templates/client-only-v6-md.tmpl @@ -0,0 +1,2 @@ +${include:client.tmpl} +${include:client-only-v6-md.i} diff --git a/torrc_templates/client-only-v6.i b/torrc_templates/client-only-v6.i index 3105c0f..985f237 100644 --- a/torrc_templates/client-only-v6.i +++ b/torrc_templates/client-only-v6.i @@ -1,10 +1,6 @@ # A client that only uses IPv6 ORPorts -ClientUseIPv4 0 +${include:client-only-v6-md.i} + # Due to Tor bug #19608, microdescriptors can't be used by IPv6-only clients +# running tor 0.2.9 and earlier UseMicrodescriptors 0 - -# Previous versions of Tor did not support IPv6-only operation -# But this is how it would have been configured -#ClientUseIPv6 1 -#ClientPreferIPv6ORPort 1 -#ReachableAddresses reject 0.0.0.0/0, accept [::]/0 diff --git a/torrc_templates/hs-only-v6-md.tmpl b/torrc_templates/hs-only-v6-md.tmpl new file mode 100644 index 0000000..3831a3d --- /dev/null +++ b/torrc_templates/hs-only-v6-md.tmpl @@ -0,0 +1,3 @@ +${include:hs.tmpl} +# Hidden services are just another kind of client +${include:client-only-v6-md.i} diff --git a/torrc_templates/hs3-only-v6-md.tmpl b/torrc_templates/hs3-only-v6-md.tmpl new file mode 100644 index 0000000..a017dd9 --- /dev/null +++ b/torrc_templates/hs3-only-v6-md.tmpl @@ -0,0 +1,3 @@ +${include:hs-v3.tmpl} +# Hidden services are just another kind of client +${include:client-only-v6-md.i} diff --git a/torrc_templates/single-onion-only-v6-md.tmpl b/torrc_templates/single-onion-only-v6-md.tmpl new file mode 100644 index 0000000..d32a503 --- /dev/null +++ b/torrc_templates/single-onion-only-v6-md.tmpl @@ -0,0 +1,3 @@ +${include:single-onion.tmpl} +# Onion services are just another kind of client +${include:client-only-v6-md.i} diff --git a/torrc_templates/single-onion-v3-only-v6-md.tmpl b/torrc_templates/single-onion-v3-only-v6-md.tmpl new file mode 100644 index 0000000..c4ac312 --- /dev/null +++ b/torrc_templates/single-onion-v3-only-v6-md.tmpl @@ -0,0 +1,3 @@ +${include:single-onion-v3.tmpl} +# Onion services are just another kind of client +${include:client-only-v6-md.i}

1 0

[translation/tails-misc_completed] Update translations for tails-misc_completed
by translation＠torproject.org 01 Nov '17

01 Nov '17

commit 743d886559b36977bb4c8e5ea815dd74b7ea53a1 Author: Translation commit bot <translation(a)torproject.org> Date: Wed Nov 1 04:17:10 2017 +0000 Update translations for tails-misc_completed --- vi.po | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/vi.po b/vi.po index b93e764e8..7015424fa 100644 --- a/vi.po +++ b/vi.po @@ -4,14 +4,14 @@ # # Translators: # Acooldude, 2017 -# Khanh Nguyen <nguyenduykhanh85(a)gmail.com>, 2015-2016 +# Khanh Nguyen <nguyenduykhanh85(a)gmail.com>, 2015-2017 msgid "" msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2017-06-05 11:57+0200\n" -"PO-Revision-Date: 2017-05-26 14:47+0000\n" -"Last-Translator: carolyn <carolyn(a)anhalt.org>\n" +"POT-Creation-Date: 2017-09-13 20:10+0200\n" +"PO-Revision-Date: 2017-11-01 03:53+0000\n" +"Last-Translator: Khanh Nguyen <nguyenduykhanh85(a)gmail.com>\n" "Language-Team: Vietnamese (http://www.transifex.com/otf/torproject/language/vi/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -334,3 +334,7 @@ msgstr "Trình duyệt trang không an toàn" #: ../config/chroot_local-includes/usr/share/desktop-directories/Tails.directory.in.h:2 msgid "Tails specific tools" msgstr "Những công cụ đặc biệt của Tails" + +#: ../config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.root-terminal.policy.in.h:1 +msgid "To start a Root Terminal, you need to authenticate." +msgstr "Để khởi động một Thiết bị gốc, bạn cần phải xác thực"

1 0

[translation/tails-misc] Update translations for tails-misc
by translation＠torproject.org 01 Nov '17

01 Nov '17

commit 4336906fd750bf776e5c82f801728455cda18e7a Author: Translation commit bot <translation(a)torproject.org> Date: Wed Nov 1 04:17:04 2017 +0000 Update translations for tails-misc --- vi.po | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vi.po b/vi.po index 4b47f5b32..7015424fa 100644 --- a/vi.po +++ b/vi.po @@ -4,14 +4,14 @@ # # Translators: # Acooldude, 2017 -# Khanh Nguyen <nguyenduykhanh85(a)gmail.com>, 2015-2016 +# Khanh Nguyen <nguyenduykhanh85(a)gmail.com>, 2015-2017 msgid "" msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: \n" "POT-Creation-Date: 2017-09-13 20:10+0200\n" -"PO-Revision-Date: 2017-09-22 06:20+0000\n" -"Last-Translator: carolyn <carolyn(a)anhalt.org>\n" +"PO-Revision-Date: 2017-11-01 03:53+0000\n" +"Last-Translator: Khanh Nguyen <nguyenduykhanh85(a)gmail.com>\n" "Language-Team: Vietnamese (http://www.transifex.com/otf/torproject/language/vi/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -337,4 +337,4 @@ msgstr "Những công cụ đặc biệt của Tails" #: ../config/chroot_local-includes/usr/share/polkit-1/actions/org.boum.tails.root-terminal.policy.in.h:1 msgid "To start a Root Terminal, you need to authenticate." -msgstr "" +msgstr "Để khởi động một Thiết bị gốc, bạn cần phải xác thực"

1 0

[translation/liveusb-creator] Update translations for liveusb-creator
by translation＠torproject.org 01 Nov '17

01 Nov '17

commit 56b8e44afe8f93a9bc273fb4e4b3e4687763bb8f Author: Translation commit bot <translation(a)torproject.org> Date: Wed Nov 1 04:15:56 2017 +0000 Update translations for liveusb-creator --- vi/vi.po | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/vi/vi.po b/vi/vi.po index 10b369867..54cad5493 100644 --- a/vi/vi.po +++ b/vi/vi.po @@ -5,15 +5,15 @@ # Translators: # Acooldude, 2016-2017 # Hoang Thu Giang <hoanggiang0811(a)yahoo.com>, 2014 -# Khanh Nguyen <nguyenduykhanh85(a)gmail.com>, 2015-2016 +# Khanh Nguyen <nguyenduykhanh85(a)gmail.com>, 2015-2017 # Tho Nguyen <tho.nguyen(a)savoirfairelinux.com>, 2015 msgid "" msgstr "" "Project-Id-Version: The Tor Project\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2017-09-20 18:02+0200\n" -"PO-Revision-Date: 2017-09-21 01:33+0000\n" -"Last-Translator: carolyn <carolyn(a)anhalt.org>\n" +"POT-Creation-Date: 2017-09-25 14:02+0200\n" +"PO-Revision-Date: 2017-11-01 03:57+0000\n" +"Last-Translator: Khanh Nguyen <nguyenduykhanh85(a)gmail.com>\n" "Language-Team: Vietnamese (http://www.transifex.com/otf/torproject/language/vi/)\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" @@ -329,11 +329,11 @@ msgstr "Cài đặt" #: ../tails_installer/gui.py:465 #, python-format msgid "%(size)s %(vendor)s %(model)s device (%(device)s)" -msgstr "" +msgstr "%(size)s %(vendor)s %(model)s thiết bị (%(device)s)" #: ../tails_installer/gui.py:476 msgid "No ISO image selected" -msgstr "" +msgstr "Không có hình ảnh ISO nào được chọn" #: ../tails_installer/gui.py:477 msgid "Please select a Tails ISO image."

1 0

[translation/https_everywhere_completed] Update translations for https_everywhere_completed
by translation＠torproject.org 01 Nov '17

01 Nov '17

commit b53ad80343cd7ebe5e8915db7eee79cff59338cf Author: Translation commit bot <translation(a)torproject.org> Date: Wed Nov 1 04:15:50 2017 +0000 Update translations for https_everywhere_completed --- vi/https-everywhere.dtd | 34 ++++++---------------------------- 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/vi/https-everywhere.dtd b/vi/https-everywhere.dtd index c88019cf3..8bc595c3a 100644 --- a/vi/https-everywhere.dtd +++ b/vi/https-everywhere.dtd @@ -2,42 +2,22 @@ <!ENTITY https-everywhere.about.ext_name "HTTPS Everywhere"> <!ENTITY https-everywhere.about.ext_description "Mã hóa Web! Tự động sử dụng bảo mật HTTPS ở nhiều trang web."> <!ENTITY https-everywhere.about.version "Phiên bản"> -<!ENTITY https-everywhere.about.created_by "Tạo ra bởi"> -<!ENTITY https-everywhere.about.and ", và"> -<!ENTITY https-everywhere.about.librarians "Những người quản lý thư viện quy tắc"> <!ENTITY https-everywhere.about.add_new_rule "Thêm quy định mới"> -<!ENTITY https-everywhere.about.thanks "Nhờ có"> -<!ENTITY https-everywhere.about.many_contributors "Rất rất nhiều người đóng góp, bao gồm cả"> -<!ENTITY https-everywhere.about.noscript "Hơn nữa, những phần của HTTPS Everywhere được dựa trên mã của NoScript, bởi Giorgio Maone và những người khác. Chúng tôi biết ơn vì thành quả xuất sắc của họ."> -<!ENTITY https-everywhere.about.contribute "Nếu như bạn thích HTTPS Everywhere, có thể bạn cũng quan tâm đến"> -<!ENTITY https-everywhere.about.donate_tor "Đóng góp cho Tor"> -<!ENTITY https-everywhere.about.tor_lang_code "en"> -<!ENTITY https-everywhere.about.or "hoặc"> -<!ENTITY https-everywhere.about.donate_eff "Đóng góp cho EFF"> <!ENTITY https-everywhere.menu.donate_eff_imperative "Đóng góp cho EFF"> -<!ENTITY https-everywhere.menu.about "Thông tin về HTTPS Everywhere"> <!ENTITY https-everywhere.menu.observatory "Các Tùy Chọn Ưu Tiên cho SSL Observatory"> <!ENTITY https-everywhere.menu.globalEnable "Bật HTTPS Everywhere"> -<!ENTITY https-everywhere.menu.globalDisable "Tắt HTTPS Everywhere"> <!ENTITY https-everywhere.menu.blockUnencryptedRequests "Chặn tất cả những yêu cầu không được mã hóa"> <!ENTITY https-everywhere.menu.showCounter "Hiển Thị Bộ Đếm"> <!ENTITY https-everywhere.menu.viewAllRules "Xem Tất Cả Quy Tắc"> -<!ENTITY https-everywhere.prefs.title "Các Tùy Chọn Ưu Tiên Cho HTTPS Everywhere"> -<!ENTITY https-everywhere.prefs.enable_all "Bật tất cả"> -<!ENTITY https-everywhere.prefs.disable_all "Tắt tất cả"> +<!ENTITY https-everywhere.options.generalSettings "Những cài đặt chung"> +<!ENTITY https-everywhere.options.importSettings "Nhập những cài đặt"> +<!ENTITY https-everywhere.options.import "Nhập"> +<!ENTITY https-everywhere.options.imported "Những cài đặt của bạn đã được nhập"> + +<!ENTITY https-everywhere.prefs.export_settings "Xuất các cài đặt"> <!ENTITY https-everywhere.prefs.reset_defaults "Khôi phục về Mặc định"> -<!ENTITY https-everywhere.prefs.search "Tìm kiếm"> -<!ENTITY https-everywhere.prefs.site "Trang web"> -<!ENTITY https-everywhere.prefs.notes "Các Lưu Ý"> -<!ENTITY https-everywhere.prefs.list_caption "Những quy tắc chuyển hướng HTTPS nào nên được áp dụng?"> -<!ENTITY https-everywhere.prefs.enabled "Bật"> -<!ENTITY https-everywhere.prefs.ruleset_howto "Bạn có thể tìm hiểu về cách tự viết các quy tắc của riêng bạn (để hỗ trợ cho những trang web khác)"> -<!ENTITY https-everywhere.prefs.here_link "tại đây"> -<!ENTITY https-everywhere.prefs.toggle "Bật tắt"> -<!ENTITY https-everywhere.prefs.reset_default "Khôi phục về Mặc định"> -<!ENTITY https-everywhere.prefs.view_xml_source "Tìm nguồn XML"> <!ENTITY https-everywhere.chrome.stable_rules "Các quy tắc ổn định"> <!ENTITY https-everywhere.chrome.stable_rules_description "Ép buộc mã hóa các kết nối đến các trang web này:"> @@ -53,5 +33,3 @@ <!ENTITY https-everywhere.chrome.regex "Regex phù hợp"> <!ENTITY https-everywhere.chrome.redirect_to "Chuyển hướng đến"> <!ENTITY https-everywhere.chrome.status_cancel_button "Hủy bỏ"> - -

1 0

[translation/https_everywhere] Update translations for https_everywhere
by translation＠torproject.org 01 Nov '17

01 Nov '17

commit 543a79db6c84bd32efe8c118b3a1b9dcd55863a2 Author: Translation commit bot <translation(a)torproject.org> Date: Wed Nov 1 04:15:39 2017 +0000 Update translations for https_everywhere --- vi/https-everywhere.dtd | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/vi/https-everywhere.dtd b/vi/https-everywhere.dtd index 37e2e697c..8bc595c3a 100644 --- a/vi/https-everywhere.dtd +++ b/vi/https-everywhere.dtd @@ -11,12 +11,12 @@ <!ENTITY https-everywhere.menu.showCounter "Hiển Thị Bộ Đếm"> <!ENTITY https-everywhere.menu.viewAllRules "Xem Tất Cả Quy Tắc"> -<!ENTITY https-everywhere.options.generalSettings "General Settings"> -<!ENTITY https-everywhere.options.importSettings "Import Settings"> -<!ENTITY https-everywhere.options.import "Import"> -<!ENTITY https-everywhere.options.imported "Your settings have been imported."> +<!ENTITY https-everywhere.options.generalSettings "Những cài đặt chung"> +<!ENTITY https-everywhere.options.importSettings "Nhập những cài đặt"> +<!ENTITY https-everywhere.options.import "Nhập"> +<!ENTITY https-everywhere.options.imported "Những cài đặt của bạn đã được nhập"> -<!ENTITY https-everywhere.prefs.export_settings "Export Settings"> +<!ENTITY https-everywhere.prefs.export_settings "Xuất các cài đặt"> <!ENTITY https-everywhere.prefs.reset_defaults "Khôi phục về Mặc định"> <!ENTITY https-everywhere.chrome.stable_rules "Các quy tắc ổn định">

1 0

[tor/master] trivial comment fixes
by arma＠torproject.org 01 Nov '17

01 Nov '17

commit 9635843342cb98340a965c40d9afcbe69c8d12df Author: Roger Dingledine <arma(a)torproject.org> Date: Tue Oct 31 23:09:00 2017 -0400 trivial comment fixes done while i was trying to debug nearby code --- src/or/addressmap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/or/addressmap.c b/src/or/addressmap.c index 7e9263360..9a2cc26b3 100644 --- a/src/or/addressmap.c +++ b/src/or/addressmap.c @@ -541,7 +541,7 @@ addressmap_have_mapping(const char *address, int update_expiry) * (virtual address mapping) from the controller.) * * new_address should be a newly dup'ed string, which we'll use or - * free as appropriate. We will leave address alone. + * free as appropriate. We will leave address alone. * * If wildcard_addr is true, then the mapping will match any address * equal to address, or any address ending with a period followed by @@ -554,7 +554,6 @@ addressmap_have_mapping(const char *address, int update_expiry) * wildcard_new_addr, remove any mappings that exist from * address. * - * * It is an error to set wildcard_new_addr if wildcard_addr is * not set. */ void

1 0

[tor/master] all the other lines here had a tab; make this one blend in
by arma＠torproject.org 01 Nov '17

01 Nov '17

commit b601eeda0ec72d2a2caee85ed4834e4a2e4db658 Author: Roger Dingledine <arma(a)torproject.org> Date: Tue Oct 31 23:07:47 2017 -0400 all the other lines here had a tab; make this one blend in --- scripts/codegen/fuzzing_include_am.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/codegen/fuzzing_include_am.py b/scripts/codegen/fuzzing_include_am.py index fee6d4494..fda57d2ae 100755 --- a/scripts/codegen/fuzzing_include_am.py +++ b/scripts/codegen/fuzzing_include_am.py @@ -9,7 +9,7 @@ FUZZERS = """ hsdescv2 hsdescv3 http - http-connect + http-connect iptsv2 microdesc vrs

1 0