- tor-dev - lists.torproject.org

GoSC - Website Fingerprinting project
by Marc Juarez 20 Mar '14

20 Mar '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Lunar: > Have you read Mike Perry's long blog post on the topic? > https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-at… > > It outlines future research work in evaluating the efficiency of > fingerprinting attacks, and also mention a couple of promising defenses. Yes, I am aware of it and I'm currently working on a study to evaluate the efficiency of these attacks. As Mike Perry said in the post, most of the attacks give an unrealistic advantage to the adversary and probably countermeasures work much better than what has been shown so far. However, some of the results of these articles suggest that there exist coarse-grained traffic features that are invariant to randomized pipelines (RP, SPDY) and thus can still identify web pages (Dyer et. al.). Also, edit-distance based classifiers broke some old versions of the RP implemented in Tor Browser. It's an open problem to see if these features actually uniquely identify web pages in larger worlds than the ones considered in the literature. In any case, link-padding strategies are specially designed to conceal these features with the minimal amount of cover traffic and are becoming affordable in terms of bandwidth. The project I propose would be directed to address this bug ticket: https://trac.torproject.org/projects/tor/ticket/7028 For example, I would like to implement the common building blocks for link-padding countermeasures (such as a "traffic generator controller" in the onion proxy and the entry guard). -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTHz3kAAoJEGfJ5xfgazlxOwoH/ilP01mjxyyeuPbko/xkKGfw 5gMJGFa0m4StabJ1bhbqJWF2jsu6W2SBCVCqea0emvOvab0WzhuvQvzQb2obZpzr NReUhhiGRhj4xN+2yAL3Vh8zoyZigKtSQPoykwa/AFG7TvIGppHZb0S5ii7Hk/Yf UtwO3Kt3YCGJT3FoKEJQgN2wz82Skbo4Xiw0bknemPFmIkxlxyplkkD0D34OdEYx YPPxRBMuEnpa1H5H3bPMXK55kBP91qS5fg23hsN6Gksy45yhLeiOJZBi0n3nlHD2 xtp4sWdQhTUDFP85kSmbzW/eufuc4WAI6k5KeZtc5YrmIl9eOnAu+tG8Ghu4Vpc= =Rf6n -----END PGP SIGNATURE-----

4 7

Re: [tor-dev] Torbirdy
by mujnabed＠gmail.com 19 Mar '14

19 Mar '14

Hi, I've submitted my project proposal on Improving Torbirdy for review on Google Melange as suggested. If you guys can verify the proposal and suggest any modifications that would be great. My Name is Debanjum in case I haven't mentioned earlier. Thanks D

2 1

Interested in GSoC - Hidden Service Naming or Hidden Service Searching
by Jeremy Rand 19 Mar '14

19 Mar '14

Hi Tor developers, I'm interested in participating in GSoC. I'm an undergrad majoring in computer science at University of Oklahoma, and I've been a major Tor enthusiast for years. There are two possible projects which I'm considering; I'm looking for some feedback on which you think would be better for me to apply for. One project is allowing hidden services to have human-readable names. I think Namecoin would be an excellent backend for this. I coded a proof-of-concept of using Namecoin to point human-readable .bit domains to .onion domains; that code is available at https://github.com/JeremyRand/Convergence . For example, using this, you can visit http://federalistpapers.bit/ to get to the Federalist Papers hidden service. The proof of concept only works on Firefox right now (not TorBrowser); I would definitely be interested in porting it to TorBrowser, improving its privacy, and making it work for applications other than web browsing. Namecoin also has the useful feature of allowing HTTPS fingerprints to be embedded in the blockchain, which eliminates the need to trust certificate authorities for clearnet HTTPS websites (I understand that malicious exit nodes messing with TLS is currently a significantly voiced concern for Tor). I have a strong understanding of how Namecoin's DNS works and have developed some projects using Namecoin (including a dynamic DNS client), so I think I'm a good fit for such a project if there's interest in the Tor community. I talked with Jacob Appelbaum about using Namecoin recently; he was concerned about a 51% attack. I think that could be mostly resolved via a checkpointing system; while doing so adds a small degree of centralization, Tor is already slightly centralized, and it's still less centralized than other alternative naming systems that have been proposed (e.g. having Tor Project maintain a list of names themselves). While I'm not particularly familiar (yet) with how checkpointing is done within Namecoin's block validation system, I do know how to at least verify whether the currently loaded blockchain matches a given checkpoint (which would at least alert users that an attack had taken place). The other project is making a search engine for hidden services (listed as Project Idea F on the Tor website). I think YaCy could be used to accomplish this in a decentralized and censorship-free way. I would suggest making a separate YaCy network for hidden services, using a regexp whitelist to only index .onion URL's (YaCy has such a network but I think it's currently inactive). YaCy doesn't have whitelist support built in, but I think the blacklist feature should be usable for simulating such a feature with some effort. YaCy's SOLR schema supports searching based on outgoing link URL's, so I think I could make a standard YaCy client search for all clearnet sites which link to a .onion/.onion.to/.tor2web.org URL, and feed those URL's to a Tor YaCy client for indexing. I've been a YaCy enthusiast for a couple years, and I'm actually using YaCy in a grad-level CS project this semester (the course is on Artificial Neural Networks and Evolution), so while I haven't touched the YaCy source code, I think I'm a good match for this project. Do either of these sound like good proposals? Is one significantly more likely to be approved than the other, so that I know which to submit? Thanks, -Jeremy Rand

3 7

Re: [tor-dev] Panopticlick summer project
by Yan Zhu 18 Mar '14

18 Mar '14

(resending to tor-dev because the original message didn't go through) On 03/16/2014 11:52 PM, Yan Zhu wrote: > On 03/16/2014 07:59 PM, Gunes Acar wrote: >> Dear All, >> >> My name is Gunes Acar, a 2nd year PhD student at Computer Security and >> Industrial Cryptography (COSIC) group of University of Leuven. >> >> I work with Prof. Claudia Diaz and study online tracking and browser >> fingerprinting. I'd like to work on "Panopticlick" >> (https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick) >> summer >> project and other fingerprinting related issues which I tried to >> outline below: > > Hi Gunes, > > I think all of these projects below would primarily be with EFF, not Tor > directly. Peter and/or I would be your point of contact; I'm not > familiar enough with Panopticlick at this time to give you much feedback > on the ideas below, so I cc'ed Peter. > >> >> 1) Collaborate with Peter@EFF to port/open-source Panopticlick: >> https://trac.torproject.org/projects/tor/ticket/6119#comment:4 >> a) implement necessary modifications - e.g. we won't be having cookies >> or real IP addresses to match returning visitors. >> b) consider security implications of storing fingerprints (e.g. what >> happens if someone gets access to fingerprint database?) > > Peter, what's the blocker on this? It sounds like Tor folks really want > it to happen soon, so I'm happy to take the lead on helping get this > open-sourced from the EFF side. > >> >> 2) Add machine-readability support outlined in Tor Automation >> proposals: >> https://people.torproject.org/~boklm/automation/tor-automation-proposals.ht… >> a) which one(s) should we implement? JSON, YAML, XML? > > No input here. > >> >> 3) Survey the literature for fingerprinting attacks published since >> Panopticlick. Implement those that may apply to TBB: >> a) Canvas & WebGL fingerprinting (Mowery et al.) - make sure the patch >> at #6253 works >> b) JS engine fingerprinting (Mulazzani et al.) >> c) CSS & rendering engine fingerprinting, (Unger et al.) > > This sounds greatly useful. Another good place to look is Mozilla's bug > tracker (https://bugzilla.mozilla.org/) > >> 4) Check with realworld fingerprinting scripts to see if they collect >> anything that is not considered before. Check if TBB's FP >> countermeasures work against them. (We can use data from FPDetective >> study to find sites with fingerprinting scripts) > > Same as above. > >> 5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in case >> they consider an update. > > Yes, I'm happy to get those updates into EFF's instance. > >> 6) Convert fixed FP-related bugs into regression tests. >> https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting… >> >> 7) Build test cases to check the severity of fingerprinting related >> open tickets, e.g.: >> https://trac.torproject.org/projects/tor/ticket/8770 >> https://trac.torproject.org/projects/tor/ticket/10299 >> >> 8) Work on potential fingerprinting bugs that ESR31 may bring. >> >> 9) ESR transitions seem to create a lot of FP-related issues that need >> to be checked manually (e.g. #9608). Consider developing a tool that >> iterates over the host objects of two browsers to compare them >> automatically (e.g. to pinpoint new objects, new methods, updated >> default values, etc.). Similar to "diff tool" mentioned here: >> https://people.torproject.org/~boklm/automation/tor-automation-proposals.ht… >> >> 10) Evaluate the font-limits of TBB by checking the average # of fonts >> Top 1 Million sites use. We can either collect fresh data with >> FPDetective or use the existing (~1 year old) data. > > All of the above sounds fine. > > Assuming that we can get Panopticlick open-sourced, I'm more than happy > to help you with any of these subprojects. > > -Yan > (EFF Staff Technologist / HTTPS Everywhere maintainer) >

3 3

Re: [tor-dev] Torbirdy
by mujnabed＠gmail.com 18 Mar '14

18 Mar '14

Hi, Thanks for the feedback. I have done some work in javacript and c++ and am comfortable coding in both, which is one of the reasons I chose the project. So I'll go ahead and submit my application at the max by tomorrow. Also can I edit the final project proposal once its submitted to melange ? Anyway thanks for all the help. Regards D

1 0

Another weekly tor dev meeting, 19:00 UTC on Wednesday 3/19
by Nick Mathewson 18 Mar '14

18 Mar '14

Hi, friends! This is another developer's meeting for working on the program "tor". (This won't cover all the other programs developed under the Tor umbrella.) We're going to try doing the weekly meeting on Wednesday. The meeting time will be: Wednesday March 12, 19:00 UTC. (That's 3pm EST and 12:00 noon PST) As before, we'll do it on the #tor-dev IRC channel, unless the meeting turns out to be too disruptive for the rest of the channel or vice versa. peace, -- Nick

1 0

[RELEASE] Torsocks 2.0.0-rc5/6
by David Goulet 17 Mar '14

17 Mar '14

Hi everyone! Here is the release candidate 5 *and* 6 for Torsocks 2.x. Unfortunately, right after the release 5, I've noticed a critical issue that made the new allow inbound option misbehaved quite badly so I'm immediately releasing rc6 containing that fix. Basically, you can ignore rc5 if you prefer. Sorry for that! A new option has been introduced to allow inbound connections (that were previously blocked in rc4). The torsocks.conf new option is "AllowInbound 0|1" set to 0 by default meaning listen/accept is *blocked* for remote connections only so the localhost is *alway* allowed. This fixes the "ssh -L/-D" use cases to open a listening socket. Again, *by default* any localhost socket will work so this example out of the box should work properly: $ ssh -D8080 yourserver.com You will notice a "listen: Operation not permitted" with the above command because by default ssh tries to connect to IPv6 localhost but fail somehow. I'm aware of the issue but will need much more investiguation to fix but it's not a show stopper. Furthermore, whois was not working because fclose() is used to close the socket and torsocks was not tracking that call thus failing to see the close connection. This was NOT triggering any leak but whois was simply not working. This has been fixed which is an important use case for Tails. Here is the change log for both versions. 2014-03-17 torsocks 2.0.0-rc6 * Fix: set addr len for getsockname in accept * Fix: use socket fd and NOT sockaddr in accept 2014-03-17 torsocks 2.0.0-rc5 * Fix: strict aliasing in library * Add fclose() support * Fix: add torsocks.conf option type * Add option to allow inbound connections * Fix: handle NULL node in getaddrinfo Again, as usual, and forever! *please* code review, test and most importantly report any issues. Contribution ftw! :) Git: https://github.com/dgoulet/torsocks.git (mirror: https://gitweb.torproject.org/user/dgoulet/torsocks.git) Github tarball: https://github.com/dgoulet/torsocks/archive/v2.0.0-rc6.tar.gz TPO Tarball: https://people.torproject.org/~dgoulet/torsocks-2.0.0-rc6.tar.bz2 (sig: https://people.torproject.org/~dgoulet/torsocks-2.0.0-rc6.tar.bz2.asc) Cheers! David

2 1

A simple HTTP transport and big ideas
by David Fifield 17 Mar '14

17 Mar '14

Here is a repository containing a simple HTTP-based transport. git clone https://www.bamsoftware.com/git/meek.git cd meek/meek-client export GOPATH=~/go go get go build tor -f torrc Usually when you think of an HTTP transport, you think of something that steganographically tries to make something look like plain HTTP requests and responses. Try and forget that idea for now, because that's not what I have in mind. The protocol is simple. The client generates a random string to serve as a session id. It puts this session id in a POST to the server. The server has a map from session ids to ORPort connections; if the POST's id is not in the map, the server creates a new ORPort connection, otherwise it uses an existing one. The server copies the POST body to the ORPort, and copies a block of data from the ORPort to the HTTP response. The client receives the response, and when it has more to send, it does another POST (with the same session id). Then repeat. How do we prevent 1) fingerprinting of the HTTP requests and 2) blocking of the HTTP server? The answer to (1) is that the HTTP requests are really HTTPS: the censor gets to see where they are going but not what is inside them. The answer to (2) is hinted at by the Bridge line: Bridge meek 0.0.2.0:1 url=https://meek-reflect.appspot.com/ front=www.google.com We use Google App Engine as a middleman, using a trick to make it look as if we're talking to www.google.com. This transport can get through as long as https://www.google.com/ is unblocked, even if App Engine is blocked. (Up to things like TLS fingerprinting and traffic analysis, which we need to think about.) Like flash proxy, this transport doesn't need bridge distribution. The torrc has everything you need to make it work. Unlike flash proxy, it works without any port forwarding games. Now for the big ideas. This transport is similar to https://trac.torproject.org/projects/tor/wiki/doc/GoAgent in its use of App Engine. However, GoAgent requires every user to upload their own instance of the app server. I propose that we run a server for use by the public and see how much it costs. (App Engine's free tier gives you 1 GB a day and above that it costs money.) If the cost is comparable to that of running a fast relay, it might make sense to fund on an ongoing basis. As a student I have $1000 in App Engine credit that I wouldn't mind burning on the experiment. A simple PHP script can do the work of the App Engine server component: all it does is copy HTTP requests and responses. By using PHP as a middleman, you lose Google's too-big-to-fail unblockability, but you gain an easy way to set up lots of bridges. Such a PHP bridge would not even require a shell account, just a PHP web host. Conceivably such bridges could even be distributed through BridgeDB. Thinking about transport composition, scramblesuit|meek could be an interesting thing. What this would mean is that your client makes an HTTP request to some server, containing a POST body with the beginning of a ScrambleSuit conversation. If you have the shared secret, the server replies with 200 and you start communication. If you don't have the shared secret, the server replies with a 404 (or even 200 with an ordinary web page). What it means is that there can be a magic URL that only you (holder of the shared secret) can use as a bridge. It could even be on a real web site with real pages and everything. ScrambleSuit would additionally provide some diversity of packet lengths and timing. The Google fronting trick, it turns out, also works on CloudFlare sites, which are many. If we ran a bridge as a web app on CloudFlare, even if our web app is blocked, a censored user could access it through the name of any CloudFlare site that supports HTTPS. There may be other CDN-like systems that work similarly. The software is working (try it!) though of course there are always lots of things to do. I'd like the client to be able to pin the certificate of www.google.com. We need the client to use TLS that looks like that of a browser (now it is just using Go's built-in HTTPS support). There are some constant buffer sizes and polling timeouts; they can probably be tuned for better performance. David Fifield

1 2

Re: [tor-dev] Torbirdy
by D 17 Mar '14

17 Mar '14

Hi Sukhbir, Thanks for the quick reply and clarification. > We already have code ready for generating random > message-IDs Yeah I saw the SHA-512 based random message-ID insertion in your Thunderbird+Tor paper. >> 3. And using extension hooks with explicit calls instead of checking user >> set configurations flags for removing timestamp data from header. This it's >> suggested will allow better handling of messages received/sent in the >> background by Thunderbird. > Yes, that's correct. Figuring out how to do this and doing it properly > is the only blocker Right, so start with fixing the preference setting system using extension hooks instead of preference flags. Then work with the new preference system on issues #6314, #6315. Finally, verify stability across different MUA's,MTA's for the updated patches, submit the patch request to #902573 & #902580 and work with Mozilla for patch request acceptance. Does this process flow sound reasonable ? Should I give a more elaborate write-up on the it for you to proof-read or should I just give you the final project proposal for proof-reading ? The only prior experience I have with extension development was on Gnome and it was minimal. But I've started reading up on extension development in Thunderbird and the Torbirdy code. Should be able to run by you a more detailed project proposal soon. Thanks D

2 1

GsoC - Interested in "Revamp GetTor"
by Israel Leiva 17 Mar '14

17 Mar '14

Hi! My name is Israel Leiva, I'm a computer science student at University of Santiago, Chile. More info about me in [1]. I'm interested in the 'Revamp GetTor' project for the Google summer of code. I think that GetTor has a huge impact on how to avoid censorship, and therefore it could be expanded to do a lot more of what it does now. Here is my idea: i) A modular design, with a core module in charge of transmitting data to the others modules, each one of them would represent a different "service" (e.g. SMTP) ii) The core module will be in charge of receiving requests from the other modules and answer them. For example, the SMTP module will say "Give me the URL links for TBB in this language" and the core module will answer with the desired links. These links could be retrieved from several locations, my proposal is that the links could be stored in a private git repository available only to trusted Tor developers, so the links and other data could vary with time according to the different censorship behaviours. iii) As I said, the other modules will each represent a different "service". I propose the following three for starting: * SMTP: Enhance the current bot. I tried it a couple of days ago and it didn't work as I expected (sent me a windows link when I asked for linux). * Twitter: this module will answer requests via twitter, either via mentions or via direct messages. It will ask for the corresponding links to the core module. There are lots of bots implemented out there, no need to reinvent the wheel. * Skype: this module will listen for calls or chats and will answer with a file transfer or message with the links. I believe this can be done using the sevabot [2] in Python or the Skype::Any [3] in Perl. The main idea is that this new design would allow for new services to be implemented in the future. ** OTHER IDEAS ** Here are some minor ideas that could also be considered: a) Most OS bring tools to make DNS requests, and an (experimented) user could make custom requests for TXT records that contain links. I know this isn't the case for most people, but it could be helpful. b) Users could send formatted mails with their public PGP keys to the SMTP service, and the bot will answer them with encrypted content. c) Users could notify services with censored links, this means that if, for example, a user requests the links via SMTP and one of them has been blocked, he/she could send a message notifying this to the SMTP service. This info along with stats about which services are more popular will be saved in a log file (I think this is how is working now) and/or a database. The purpose of this data will be to enhance GetTor, no info about users will be recorded. d) Other option to storage could be Github (as you may know, repos can be downloaded as ZIP files). e) For all the above, GetTor will need official twitter/github accounts. f) Comunication between modules could be done via system commands, but I'm open to any other suggestions. This communication will involve sending links (trusted servers, github repo, dropbox accounts) or local uris (~/tbb/latest.tgz). A basic diagram representing what I've tried to explain can be found on [4]. I think the best way to achieve this is to rewrite GetTor, but if you choose extend the current code to do it I'm okay with it. If you choose the former, I could do it in Python, eventhough I have a lot more experience in Perl (I've coded a module to automate the grading of programming tasks [5]). This is just a draft, please let me know if you find this is the way to go and I'll work in the details and a possible timeline to see how much can be done in 4 months. [1] http://ileiva.github.io [2] https://github.com/opensourcehacker/sevabot [3] http://search.cpan.org/~akiym/Skype-Any-0.06/lib/Skype/Any.pm [4] https://raw.github.com/ileiva/Tor/master/revamp-gettor-simplediagram.txt [5] https://metacpan.org/author/ILV best. -- israel

2 2