commit 6df982765bb09b7c09a82c9afd0e1ecd309bb50e Author: Pili Guerra pili@piliguerra.com Date: Wed Jan 22 13:04:16 2020 +0100
Add Project Ideas for GSoC to Community Portal --- .../gsoc/cloudflare-captcha-monitoring/contents.lr | 47 +++++++++++ content/gsoc/contents.lr | 17 ++++ content/gsoc/onion-toolbox/contents.lr | 58 ++++++++++++++ content/gsoc/privacy-friendly-web/contents.lr | 44 +++++++++++ content/gsoc/tor-relay-ipv6-support/contents.lr | 56 ++++++++++++++ content/gsoc/tor-weather/contents.lr | 90 ++++++++++++++++++++++ models/project.ini | 43 +++++++++++ models/projects.ini | 33 ++++++++ templates/gsoc.html | 41 ++++++++++ templates/macros/projects.html | 16 ++++ templates/project.html | 49 ++++++++++++ 11 files changed, 494 insertions(+)
diff --git a/content/gsoc/cloudflare-captcha-monitoring/contents.lr b/content/gsoc/cloudflare-captcha-monitoring/contents.lr new file mode 100644 index 0000000..e6ba0d5 --- /dev/null +++ b/content/gsoc/cloudflare-captcha-monitoring/contents.lr 
@@ -0,0 +1,47 @@ +_model: project +--- +_template: project.html +--- +active: True +--- +section: GSoC +--- +section_id: gsoc +--- +color: primary +--- +key: 1 +--- +languages: javascript +--- +mentors: arma, gk +--- +difficulty: medium +--- +title: Cloudflare Captcha Monitoring +--- +summary: + +We should track the rate that cloudflare gives captchas to Tor users over time. + +--- +description: + +My suggested way of doing that tracking is to sign up a very simple static webpage to be fronted by cloudflare, and then fetch it via Tor over time, and record and graph the rates of getting a captcha vs getting the real page. + +The reason for the "simple static page" is to make it really easy to distinguish whether we're getting hit with a captcha. The "distinguishing one dynamic web page from another" challenge makes exitmap tricky in the general case, but we can remove that variable here. + +One catch is that Cloudflare currently gives alt-svc headers in response to fetches from Tor addresses. So that means we need a web client that can follow alt-srv headers -- maybe we need a full Selenium like client? + +Once we get the infrastructure set up, we would be smart to run a second one which is just wget or curl or lynx or something, i.e. which doesn't behave like Tor Browser, in order to be able to track the difference between how Cloudflare responds to Tor Browser vs other browsers. + +I imagine that Cloudflare should be internally tracking how they're handling Tor requests, but having a public tracker (a) gives the data to everybody, and (b) helps Cloudflare have a second opinion in case their internal data diverges from the public version. 
+ +The Berkeley ICSI group did research that included this sort of check: +https://www.freehaven.net/anonbib/#differential-ndss2016 +https://www.freehaven.net/anonbib/#exit-blocking2017 +but what I have in mind here is essentially a simpler subset of this research, skipping the complicated part of "how do you tell what kind of response you got" and with an emphasis on automation and consistency. + +There are two interesting metrics to track over time: one is the fraction of exit relays that are getting hit with captchas, and the other is the chance that a Tor client, choosing an exit relay in the normal weighted faction, will get hit by a captcha. + +Then there are other interesting patterns to look for, e.g. "are certain IP addresses punished consistently and others never punished, or is whether you get a captcha much more probabilistic and transient?" And does that pattern change over time? \ No newline at end of file diff --git a/content/gsoc/contents.lr b/content/gsoc/contents.lr new file mode 100644 index 0000000..2e4ffb5 --- /dev/null +++ b/content/gsoc/contents.lr @@ -0,0 +1,17 @@ +_template: layout.html +--- +section: GSoC +--- +section_id: gsoc +--- +html: gsoc.html +--- +color: primary +--- +key: 0 +--- +title: Project Ideas +--- +body: + +You may find some of these projects to be good ideas for Google Summer of Code. We have labelled each idea with which of our core developers would be good mentors. If one or more of these ideas looks promising to you, please contact us to discuss your plans rather than sending blind applications. \ No newline at end of file diff --git a/content/gsoc/onion-toolbox/contents.lr b/content/gsoc/onion-toolbox/contents.lr new file mode 100644 index 0000000..a551ba8 --- /dev/null +++ b/content/gsoc/onion-toolbox/contents.lr 
@@ -0,0 +1,58 @@ +_model: project +--- +_template: project.html +--- +active: True +--- +section: GSoC +--- +section_id: gsoc +--- +color: primary +--- +key: 1 +--- +languages: javascript +--- +mentors: hiro, asn +--- +difficulty: medium +--- +title: Onion Tool Box +--- +summary: + +Myonion is a developer tool box, providing a command line interface and a GUI to configure and deploy existing services via .onion. A minimal prototype for myonion already [exists](https://github.com/hiromipaw/myonion). + +Someone that may want to run an onion service can use the myonion wrapper app to start a .onion from their computer and sharea static website or a web application. + +Myonion can also be used to deploy the resulting configured app to a defined set of cloud providers. + +--- +description: + +## Problem definition + +It is not necessarily difficult to use onion services, but it might be tricky to configure a web service to be offered via .onion so that it doesn’t leak sensitive information. + +There are detailed [guides](https://riseup.net/en/security/network-security/tor/onionservices-best-pract...) available for users that would like to offer a web application via .onion and some tools have been developed to help service operators: discover known misconfiguration or [vulnerabilities](https://onionscan.org/) or deploy an [onion site](https://github.com/alecmuffett/eotk). + +## Scope + +Myonion provides a way to build and deploy onion ready applications, allowing developers to build and test web applications and easily share them with others, bundling the code and configuration in a lightweight, portable Docker container application that runs thesame everywhere. + +The experience for developers will be similar to using other industry solutions, like the [Docker desktop app](https://www.docker.com/products/docker-desktop). 
+ +Developers using myonion are provided with pre-defined and customizable application templates, with corresponding configuration and a test set, eliminating error-prone manual setup and known onion service configuration mistakes. + +The resulting application is therefore deployable via a set of endpoint management tools to known providers. Providing a way to deploy onion services at scale. + +## Impact + +The idea behind myonion is to make onion services accessible to developers that might be interested to innovate in the privacy space, building applications that are designed for privacy and security. + +Involving a wider developer community can help creating a better image of Tor and onion services, replacing the “dark net” narrative with the secure and private web one. + +Onion services can also be relevant to all those people interested in the “zero-trust” strategy. The concept behind zero-trust is to adopt strategies and tools to help prevent data breaches by eliminating the concept of trust from an organization’s network architecture, with the principle of never trust, always verify. + +Ultimately myonion is about creating a better experience for onion services developers and operators and therefore fostering a more legitimate onion service ecosystem. diff --git a/content/gsoc/privacy-friendly-web/contents.lr b/content/gsoc/privacy-friendly-web/contents.lr new file mode 100644 index 0000000..da9cc13 --- /dev/null +++ b/content/gsoc/privacy-friendly-web/contents.lr 
@@ -0,0 +1,44 @@ +_model: project +--- +_template: project.html +--- +active: True +--- +section: GSoC +--- +section_id: gsoc +--- +color: primary +--- +key: 1 +--- +languages: javascript +--- +mentors: hiro +--- +difficulty: medium +--- +title: Privacy Friendly Web +--- +summary: + +The scope of this project is creating a open-source community-driven browsable list of patterns and release a css/js framework that web developers can extend and use in their work. +--- +description: + +Security concerned web users take conscious steps to limit the amount of data they share with the websites visited and third party services. + +There are a number of security enhancing tools available. Some come in the form of browser extensions and javascript blockers, others are full fledged web browsers designed with providing extra security to their users. + +One of this is the Tor Browser. The Tor Browser was designed to provide privacy while surfing the web and defend users against both network and local forensic adversaries. There are two main categories of requirements that have been considered: Security Requirements, and Privacy Requirements. + +Security Requirements are the minimum properties in order for a browser to be able to support Tor and similar privacy proxies safely. Privacy requirements are primarily concerned with reducing linkability: the ability for a user's activity on one site to be linked with their activity on another site without their knowledge or explicit consent. + +Websites can work seamsly with the Tor Browser and other privacy enhancing browsers and tools if they adopt a series of respectful and ethical patterns. + +The Tor Browser is in fact, based on Mozilla's Extended Support Release (ESR) Firefox branch. We have a series of patches against this browser to enhance privacy and security. Browser behavior is additionally augmented through the Torbutton extension, and we also change a number of Firefox preferences from their defaults. 
+ +The Tor Project has developed over the years a set of web development guidelines that allow websites to work with security enhanced browsers without causing any or minimal functionality destruption to their users. These guidelines have been shaped in an internal styleguide that has been adopted across all torproject.org websites. + +We are now formalizing these web development patterns and some security concerns that need to be considered when developing websites for users surfing the web with security enhanced browsers and tools. + diff --git a/content/gsoc/tor-relay-ipv6-support/contents.lr b/content/gsoc/tor-relay-ipv6-support/contents.lr new file mode 100644 index 0000000..3624ca1 --- /dev/null +++ b/content/gsoc/tor-relay-ipv6-support/contents.lr 
@@ -0,0 +1,56 @@ +_model: project +--- +_template: project.html +--- +active: True +--- +section: GSoC +--- +section_id: gsoc +--- +color: primary +--- +key: 1 +--- +languages: C +--- +mentors: teor, ahf, dgoulet, catalyst +--- +difficulty: Medium +--- +title: Improve Tor Relay IPv6 Support +--- +summary: + +Tor helps people stay safe on the internet, by keeping their internet use secure and anonymous. More Tor clients are running on IPv6-only or dual-stack networks. But only 20% of Tor’s available relay bandwidth supports IPv6. We want to automate relay IPv6 address discovery and reachability checks, so that it is easier for relay operators to run IPv6 relays. + +--- +description: + +Students may choose to focus on designing and implementing core features, tor relay testing, reporting statistics, or diagnosing and fixing bugs. + + +## Prerequisites + +* Network configuration skills +* Basic understanding of Internet Protocol (IP) versions + +Recommended: + +* Experience testing network software +* Experience running Internet-connected servers + +## Links/Resources + +https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#IPv6 + +https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/IPv6Features#... + +## Programming skills needed: + +* C coding +* Building Unix-based software + +Recommended: + +* Experience with network programming diff --git a/content/gsoc/tor-weather/contents.lr b/content/gsoc/tor-weather/contents.lr new file mode 100644 index 0000000..3bc6714 --- /dev/null +++ b/content/gsoc/tor-weather/contents.lr 
@@ -0,0 +1,90 @@ +_model: project +--- +_template: project.html +--- +active: True +--- +section: GSoC +--- +section_id: gsoc +--- +color: primary +--- +key: 2 +--- +languages: TBD +--- +mentors: karsten +--- +difficulty: medium +--- +title: Tor Weather +--- +summary: + +Tor Weather is the most efficient way to achieve and maintain a healthy Tor network on the long run. + +--- +description: + +Tor Weather was [discontinued on 2016-04-04](https://lists.torproject.org/pipermail/tor-relays/2016-April/009009.html), however "Tor Weather is still a good idea, it just needs somebody to implement it." + +How Tor Weather looked like: +https://web.archive.org/web/20141004055709/https://weather.torproject.org/su... + +## Motivation + +If a relay disappears today, it is unlikely that anyone will notice or even send an email to the operator unless it is a big one. + +Relay operators and the entire tor network would benefit from a Tor Weather service because it notifies relay operators when the state of their relays changed (and more). This will increase the likelihood that relay operators notice problems and actually mitigate the problem otherwise there is no "user feedback" since tor can cope with disappearing relays quite well. + +It also: +- shows the relay operator that someone actually cares if their relays go down or become outdated or have another problem +- gives the operator relay best-practices information. + +## Expected Effects + +If enough operators subscribe to such a service: +- relays might become more long lived / the churn rate might decrease +- the fraction of relays running outdated tor versions might decrease +- the fraction of exits with broken DNS might decrease + +It also has the benefit of being able to contact relay operators: +- completely automatically +- even if they choose to not set a public ContactInfo string in their torrc files. 
+ +## Ideas for Notification Types + +_(sorted by importance)_ + +Support subscribing via single relay FP or MyFamily groups (should not need any subscription change if a relay gets added to the family). + +- [ ] Email me when my node is down +_How long before we send a notification?_ +- [ ] email me when my relay is affected by a security vulnerability +- [ ] email me when my relay runs an end-of-life version of tor +- [ ] email me when my relay runs an outdated tor version (note: this should depend on the related onionoo bugs to avoid emailing alpha relay people) +- [ ] email me when my exit relay fails to resolve hostnames (DNS failure) +- [ ] email me when my relay looses the [ ] stable, [ ] guard, [ ] exit flag +- [ ] email me when my MyFamily configuration is broken (meaning: non-mutual config detected or relay with same contactInfo but no MyFamily) +- [ ] email me when you detect issues with my relay +- [ ] email me with suggestions for configuration improvements for my relay (only once per improvement) +- [ ] email me when my relay is on the top [ ] 20 [ ] 50 [ ] 100 relays list +- [ ] email me with monthly/quarterly status information that includes information like what my position in the overall relay list is (sorted by CW), how much traffic my relay did during the last month and what fraction of the months time your relay was included in consensus as running (this shows information on how many % of the months' consensuses this relay has been included and running) +- [ ] aggregate emails for all my relays into a single digest email +- [ ] email me about new relay requirements +- [ ] email me about tor relay operator events + + +*Task:* Write a specification describing the meaning of each checkbox + +## Security and Privacy Implications + +The service stores email addresses of potential tor relay operators, they should be kept private and safeguarded, but a passive observer can collect them by watching outbound email traffic if no TLS is used. 
Suggest to use a dedicated email address for this service. + +## Additional Ideas + +- easy: integration into tor: show the URL pointing to the new Tor Weather service like the current link to the lifecycle blogpost when tor starts and detects to be a new relay +- Provide an uptimerobot-style status page for relay operators using onionoo data + + diff --git a/models/project.ini b/models/project.ini new file mode 100644 index 0000000..8b286a0 --- /dev/null +++ b/models/project.ini @@ -0,0 +1,43 @@ +[model] +name = Project +label = {{ this.title }} + +[fields.title] +label = Title +type = string + +[fields.link] +label = Link +type = url + +[fields.active] +label = Active +type = boolean + +[fields.summary] +label = Summary +type = markdown + +[fields.color] +label = Color +type = string + +[fields.description] +label = Description +type = markdown + +[fields.mentors] +label = Mentors +type = string + +[fields.languages] +label = Languages +type = string + +[fields.mentors] +label = Mentors +type = string + +[fields.difficulty] +label = Difficulty Level +type = string \ No newline at end of file diff --git a/models/projects.ini b/models/projects.ini new file mode 100644 index 0000000..c09bf77 --- /dev/null +++ b/models/projects.ini @@ -0,0 +1,33 @@ +[model] +name = Projects +label = {{ this.title }} + +[fields.title] +label = Title +type = string + +[fields.section] +label = Section +type = string +translate = True + +[fields.section_id] +label = Section_id +type = string +translate = False + +[fields.body] +label = Body +type = markdown + +[fields.color] +label = Color +type = string + +[fields.html] +label = Html +type = string + +[children] +model = project +order_by = title diff --git a/templates/gsoc.html b/templates/gsoc.html new file mode 100644 index 0000000..1c1add9 --- /dev/null +++ b/templates/gsoc.html 
@@ -0,0 +1,41 @@ + {% include 'breadcrumb.html' %} + <div class="row flex-xl-nowrap"> + <main role="main" class="mx-auto col-12 {{ bag('alternatives', this.alt, 'order') }}"> + <div class="container py-3"> + <div class="row"> + <p>{{ this.body }}</p> + </div> + </div> + <div class="container py-3"> + <h3 class="text-primary display-5">{{ _('Project Ideas') }}</h3> + </div> + <div class="container py-3"> + <div class="accordion" id="accordionJobs"> + {% from "macros/projects.html" import render_active %} + {% set items = this.children.filter(F.active == True).all() %} + {% for item in items %} + {{ render_active(item, this.alt) }} + {% endfor %} + </div> + </div> + <div class="container py-3"> + <h3 class="text-primary display-5">{{ _('Previous Projects') }}</h3> + </div> + <div class="container py-3"> + <div class="row"> + <div class="col-85"> + <ul class="jobs-ul"> + {% set items = this.children %} + {% for item in items.filter(F.active == False) %} + <li>{{ item.title }}</li> + {% endfor %} + </ul> + </div> + </div> + <div class="row"> + <p>{{ _('None of these ideas seem appealing? You may also want to propose your own project idea — which often results in the best projects.') }} <a href="mailto:gso@torproject.org">{{ _('We invite you to contact us to discuss your own project idea.') }}</a></p> + </div> + </div> + </main> + </div> + \ No newline at end of file diff --git a/templates/macros/projects.html b/templates/macros/projects.html new file mode 100644 index 0000000..99e102b --- /dev/null +++ b/templates/macros/projects.html 
@@ -0,0 +1,16 @@ +{% macro render_active(item, alternative) %} +<div class="card border-0"> + <div class="card-header bg-white border-0" id="headingOne"> + <h5 class="mb-0"> + <a href="{{ item.path|url }}">{{ item.title }}</a> + </h5> + <span class="badge badge-primary">{{ item.languages }}</span> + </div> + <div> + <div class="card-body"> + {{ item.summary }} + <a href="{{ item.path|url }}">{{ _('Read more.') }}</a> + </div> + </div> +</div> +{% endmacro %} \ No newline at end of file diff --git a/templates/project.html b/templates/project.html new file mode 100644 index 0000000..1aaed71 --- /dev/null +++ b/templates/project.html @@ -0,0 +1,49 @@ +<!doctype html> +{% include 'meta.html' %} +<body class="no-gutters"> + <header> + {% include 'navbar.html' %} + </header> + <div class="page"> + {% include 'header.html' %} + {% include 'pagenav.html' %} + <div class="container-fluid"> + <div class="row flex-xl-nowrap"> + <main role="main" class="mx-auto col-12 {{ bag('alternatives', this.alt, 'order') }}"> + <div class="container py-3 mt-5"> + <h4>Project Title: {{ this.title }}</h4> + <span class="badge badge-primary">{{ this.languages }}</span> <span class="badge badge-secondary">{{ this.difficulty }}</span> + </div> + <div class="container py-3 mt-5"> + <h4>Project Summary:</h4> + <p> + {{ this.summary }} + </p> + </div> + <div class="container py-3"> + <h4>Project Description:</h4> + <p> + {{ this.description }} + </p> + </div> + <div class="container py-3"> + <h4>Mentors:</h4> + <p> + {{ this.mentors }} + </p> + </div> + </main> + </div> + <div class="card mt-5"> + <ul class="list-group list-group-flush"> + <li class="list-group-item"> + <a href="{{ this.parent|url }}">{{ _("Back to ") }}{{ this.parent.title }}</a> + </li> + </ul> + </div> + </div> +</div> +<footer> + {% include 'footer.html' %} +</footer> +</body>
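Review bot: In content/gsoc/cloudflare-captcha-monitoring/contents.lr the description names the same header two ways, "gives alt-svc headers" and then "follow alt-srv headers"; the second should read alt-svc. In the metrics paragraph, "in the normal weighted faction" looks like a typo for "fashion". That sentence defines the second of the two metrics the project is meant to track, so it is worth getting exact.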
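Review bot: content/gsoc/contents.lr sets `_template: layout.html` but no `_model`, so nothing in this file ties the page to the `projects` model added in models/projects.ini (the one that declares `html`, `body` and the `project` children). Unless the parent page assigns the model, add `_model: projects` here. The file also sets `key: 0`, which models/projects.ini does not declare.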
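Review bot: content/gsoc/onion-toolbox/contents.lr has two run-together words that will show up on the rendered page: "sharea static website" in the summary and "runs thesame everywhere" under Scope. Also under Scope, "Providing a way to deploy onion services at scale." is a fragment; join it to the preceding sentence.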
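Review bot: content/gsoc/privacy-friendly-web/contents.lr needs a proofreading pass before it is published: "creating a open-source" (an), "One of this is the Tor Browser" (these), "work seamsly" (seamlessly) and "functionality destruption" (disruption). The summary also runs straight into its `---` separator with no blank line, unlike the other project files in this patch.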
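Review bot: content/gsoc/tor-relay-ipv6-support/contents.lr sets `difficulty: Medium` while every other project file in this patch uses `difficulty: medium`. templates/project.html prints the value verbatim in a badge, so the pages will be inconsistent; pick one casing. The heading "## Programming skills needed:" also carries a trailing colon that the other headings in the file do not.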
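Review bot: In content/gsoc/tor-weather/contents.lr the "Security and Privacy Implications" section only observes that subscriber addresses "should be kept private and safeguarded" and leak to a passive observer "if no TLS is used". Since the stated task is to write a specification, phrase these as requirements of the service (how addresses are stored and that outbound mail uses TLS) rather than as remarks. Minor: "looses" in the flag notification item should be "loses", and this file uses `key: 2` where the other four projects use `key: 1` without the meaning of `key` being defined anywhere in the patch.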
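Review bot: models/project.ini declares `[fields.mentors]` twice, once after `[fields.description]` and again after `[fields.languages]`; drop one. The model also does not declare `section`, `section_id` or `key`, which every project contents.lr in this patch sets, while it does declare `link`, which no content file sets and no template renders. Either add the missing fields or remove them from the content files.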
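Review bot: In templates/gsoc.html the contact link is `mailto:gso@torproject.org`; please confirm the address, since the section is named gsoc everywhere else in the patch and a wrong address here silently drops applicant mail. The `id="accordionJobs"` and `class="jobs-ul"` names look carried over from a jobs template and could be renamed for this page, and the "Previous Projects" heading renders even when no child has `active` set to False, which is the case for all five projects added here.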
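Review bot: In templates/macros/projects.html the card header has a hard-coded `id="headingOne"`, and templates/gsoc.html calls `render_active` once per active item, so the rendered page will contain the same id several times. Derive the id from the item or drop it, since nothing in the macro references it. The `alternative` parameter is accepted but never used in the macro body.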
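Review bot: In templates/project.html, `{{ this.summary }}` and `{{ this.description }}` are wrapped in `<p>` although both fields are `type = markdown` in models/project.ini and the descriptions contain `##` headings and lists, so the output nests block elements inside a paragraph. Use a `<div>` wrapper instead. The headings "Project Title:", "Project Summary:", "Project Description:" and "Mentors:" are also not passed through `_()`, unlike "Back to " in the same file, so they will not be picked up for translation.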
tor-commits@lists.torproject.org