- tor-dev - lists.torproject.org

RecommendedTBBVersions
by Micah Lee 18 Nov '13

18 Nov '13

This URL has traditionally been a JSON string that lists the recommended version of TBB to install: https://check.torproject.org/RecommendedTBBVersions But the last couple days it's been returning 404. Did it move somewhere? Tor Browser Launcher uses it to figure out what version of TBB to download and install. Thanks! -- Micah Lee @micahflee

2 2

Proposal status changes the last 17 months.
by Nick Mathewson 15 Nov '13

15 Nov '13

Hi! Here's a summary of the proposals that have changed their status and become closed, dead, or superseded since the last one of these emails I sent out (last year). I'll summarize the current status of open proposals in my next mail. I'll try to send these out more regularly. ===== Newly DEAD or SUPERSEDED: 146 Add new flag to reflect long-term stability [SUPERSEDED] From time to time we get the idea of having clients ship with a reasonably recent consensus (or a list of directory mirrors), so instead of bootstrapping from one of the authorities, they can bootstrap from a regular directory cache. The problem here is that by the time the client is run, most of the directory mirrors will be down or will have changed their IP. This proposal tried to address that. The applications of this design are achieved by proposal 206 instead. Instead of having the authorities track long-term stability for nodes that might be useful as directories in a fallback consensus, we eliminated the idea of a fallback consensus, and just have a DirSource configuration option. 213 Remove stream-level sendmes from the design [DEAD] Roger had an idea to improve flow control, then decided it wasn't a good one. See the comments in this proposal for more discussion. ===== Implemented in 0.2.3 or earlier 162 Publish the consensus in multiple flavors [FINISHED] This one got mostly implemented in 0.2.2, with the introduction of microdescriptor consensus, and in 0.2.3, where microdescriptors were finished. We never implemented the meta-document that was going to describe other, future flavors, however. I should extract that into a new proposal. ===== Implemented in 0.2.4 117 IPv6 exits [CLOSED] 208 IPv6 Exits Redux [CLOSED] We implemented IPv6 exit support in 0.2.4.x. There are some lingering issues not addressed in these proposals -- see tickets tagged with "ipv6". 186 Multiple addresses for one OR or bridge [CLOSED] The protocol side of this is implemented as part of the IPv6 work in 0.2.4. Tor doesn't yet use the full range of options that the format allows, however. See for example #9729 for work in that area (which needs review!) 198 Restore semantics of TLS ClientHello [CLOSED] We did this one in 0.2.4.x. This put us back on the track of being TLS users in good standing, and let us use better ciphersuites (like ECDHE ones) than the ones we had picked out in v1 and v2 of the link protocol. 200 Adding new, extensible CREATE, EXTEND, and related cells [CLOSED] 216 Improved circuit-creation key exchange [CLOSED] These came in 0.2.4.x; the first one allowed us to change our circuit handshake; the latter specified the ntor handshake that 0.2.4.x clients and later prefer today. 204 Subdomain support for Hidden Service addresses [FINISHED] This one allows an (ignored) foo at the front of foo.bar.onion, for subdomain support. Sadly, I bet it will never see much use with the introduction of longer onion addresses in our next-gen hidden service design. 205 Remove global client-side DNS caching [CLOSED] Caching DNS addresses across circuits presented a user tagging opportunity, and exposed some linkability across circuits. This proposal removed the client-side DNS cache entirely for most purposes in 0.2.4. 206 Preconfigured directory sources for bootstrapping [CLOSED] This proposal introduces the DirSource option, with 0.2.4 clients (and later) can be set up with to avoid hammering on the authorities during their initial bootstrapping on the network. 207 Directory guards [CLOSED] To avoid client enumeration, this proposal says that clients should use a guard . Implemented in 0.2.4. 214 Allow 4-byte circuit IDs in a new link protocol [CLOSED] We've been at risk of having more than 65535 circuits on a link for a while now; this proposal increased the size of circuit IDs to avoid that. 221 Stop using CREATE_FAST [CLOSED] The CREATE_FAST handshake was introduced to avoid using the TAP handshake on the first hop of circuits, since the TAP circuit extension handshake provides no benefit over the . But now that the ntor handshake is (sometimes) available, that reasoning no longer holds. Implemented in 0.2.4. 222 Stop sending client timestamps [CLOSED] This proposal enumerated all the places in our protocol where eavesdroppers, clients, or servers get a view of a client or server's current time, and explained how to ameliorate or remove those linkability. Implemented in 0.2.4. ===== Implemented in 0.2.5 217 Tor Extended ORPort Authentication [FINISHED] We could use an authentication step for using the extended ORPort, to ensure that local connections are coming from an authorized pluggable transport. This proposal explains how. We implemented this in 0.2.5.x as part of the ExtORPort work. 218 Controller events to better understand connection/circuit usage [CLOSED] This one is actually going to be in 0.2.5.2-alpha; it adds more controller events for researchers.

6 5

Nov 2013 proposal status summary
by Nick Mathewson 14 Nov '13

14 Nov '13

This list of open Tor proposals is based on one I sent out in June of last year[1], based on the one I did in May[2] of the year before. I should try to do these more regularly. [1] https://lists.torproject.org/pipermail/tor-dev/2012-June/003641.html [2] https://lists.torproject.org/pipermail/tor-dev/2011-May/002637.html The dates after each paragraph indicate when I last revised the paragraph. Only open, needs-revision, and needs-research proposals are listed here. Dead, superseded, closed, and finished proposals are listed elsewhere. See proposal 001 for a summary of the proposal workflow. 127 Relaying dirport requests to Tor download site / website The idea here was to make it easier to fetch and learn about Tor by making it easy for relays to automatically act as proxies to the Tor website. It needs more discussion, and there are some significant details to work out. It's not at all clear whether this is actually a good idea or not. Probably, there are better choices when it comes to distributing software and updates. (11/2013) 131 Help users to verify they are using Tor [NEEDS-REVISION] This one is not a crazy idea, but I marked it as needs-revision since it doesn't seem to work so well with our current designs. It seems mostly superseded by proposal 211. (11/2013) 132 A Tor Web Service For Verifying Correct Browser Configuration This proposal was meant to give users a way to see if their browser and privoxy (yes, it was a while ago) are correctly configured by running a local webserver on 127.0.0.1. I'm not sure the status here. Generally, I'm skeptical of designs that run webservers on localhost, since they become a target for cross-site attacks. (11/2013) 133 Incorporate Unreachable ORs into the Tor Network This proposal had an idea for letting ORs that can only make outgoing connections still relay data usefully in the network. It's something we should keep in mind, and it's a pretty neat idea, but it radically changes the network topology. Anybody who wants to analyze new network topologies should definitely have a look. (5/2011) 140 Provide diffs between consensuses This proposal describes a way to transmit less directory traffic by sending only differences between consensuses, rather than the consensuses themselves. It is mainly languishing for lack of an appropriately licensed, well-written, very small, pure-C implementation of the "diff" and "patch" algorithms. (The good diffs seem to be GPL (which we can't use without changing Tor's license), or spaghetti code, or not easily usable as a library, or not written in C, or very large, or some combination of those.) (5/2011) 141 Download server descriptors on demand The idea of this proposal was for clients to only download the consensus, and later ask nodes for their own server descriptors while building the circuit through them. It would make each circuit more time-consuming to build, but make bootstrapping much cheaper. Microdescriptors obsolete a lot of this proposal, and present some difficulties in using in a way compatible with it. (6/2012) 143 Improvements of Distributed Storage for Tor Hidden Service Descriptors Here's a proposal from Karsten about making the hidden service DHT more reliable and secure to use. It could use more discussion and analysis. We should look into it as part of efforts to improve designs for the next generation of hidden services. One problem with the analysis here, though, is that it assumes a fixed set of servers that doesn't change. One reason that we upload to N servers at each chosen point in the ring is that the hidden service host and the hidden service client may have different views of which servers exist. We need to re-do the analysis with some fraction of recent consensuses. (11/2013) 144 Increase the diversity of circuits by detecting nodes belonging the same provider This is a version of the good idea, "Let's do routing in a way that tries to keep from routing traffic through the same provider too much!" There are complex issues here that the proposal doesn't completely address, but I think it might be a fine idea for somebody to see how much more we know now than we did in 2008, particularly in light of the relevant paper(s) by Matt Edmann and Paul Syverson. (5/2011) 145 Separate "suitable as a guard" from "suitable as a new guard" [NEEDS-RESEARCH] Currently, the Guard flag means both "You can use this node as a guard if you need to pick a new guard" and "If this node is currently your guard, you can keep using it as a guard." This proposal tries to separate these two concepts, so that clients can stop picking a router once it is full of existing clients using it as a guard, but the clients currently on it won't all drop it. It's not clear whether this has anonymity issues, and it's not clear whether the imagined performance gains are actually worthwhile. (5/2011) 147 Eliminate the need for v2 directories in generating v3 directories This proposal explains a way that we can phase out the vestigial use of v2 directory documents in keeping authorities well-informed enough to generating the v3 consensus. It's still correct; somebody should implement it before the v2 directory code rots any further. (5/2011) 156 Tracking blocked ports on the client side This proposal provides a way for clients to learn which ports they are (and aren't) able to connect to, and connect to the ones that work. It comes with a patch, too. It also lets routers track ports that _they_ can't connect to. I'm a little unconvinced that this will help a great deal: most clients that have some ports blocked will need bridges, not just restriction to a smaller set of ports. This could be good behind restrictive firewalls, though. The router-side part is a little iffy: routers that can't connect to each other violate one of our network topology assumptions, and even if we do want to track failed router->router connections, the routers need to be sure that they aren't fooled into trying to connect repeatedly to a series of nonexistent addresses in an attempt to make them believe that (say) they can't reach port 443. This one is a paradigmatic "open" proposal: it needs more discussion. The patch probably also needs to be ported to 0.2.3.x; it touches some code that has changed. (5/2011) 157 Make certificate downloads specific This proposal added cross-certification and signing-key-specific download URLs for directory authority certificates. It's implemented on the server side in 0.2.1.9-alpha, and we implemented the client-side download part in 0.2.4.13-alpha. There's a remaining SHOULD that needs to turn into a MUST, and that's it: see bug #10162 for the branches we should merge to finish this one. (11/2013) 159 Exit Scanning This is an overview of SoaT, with some ideas for how to integrate it into Tor. (5/2011) 164 Reporting the status of server votes This proposal explains a way for authorities to provide a slightly more verbose document that relay operators can use to diagnose reasons that their router was or was not listed in the consensus. These documents would be like slightly more verbose versions of the authorities' votes, and would explain *why* the authority voted as it did. It wouldn't be too hard to implement, and would be a fine project for somebody who wants to get to know the directory code. (5/2011) 165 Easy migration for voting authority sets This is a design for how to change the set of authorities without having a flag day where the authority operators all reconfigure their authorities at once. It needs more discussion. One difficulty here is that we aren't talking much about changing the set of authorities, but that may be a chicken-and-egg issue, since changing the set is so onerous. If anybody is interested, it would be great to move the discussion ahead here. (5/2011) 168 Reduce default circuit window This proposal reduces the default window for circuit sendme cells. I think it's implemented (or mostly implemented) in 0.2.1.20? If so, we should make sure that tor-spec.txt is updated and close it. (11/2013) 172 GETINFO controller option for circuit information 173 GETINFO Option Expansion These would help controllers (particularly arm) provide more useful information about a running Tor process. They're accepted and some parts of 173 are even implemented: somebody just needs to implement the rest. (5/2011) 175 Automatically promoting Tor clients to nodes Here's Steven's proposal for adding a mode between "client mode" and "relay mode" for "self-test to see if you would be a good relay, and if so become one." It didn't get enough attention when it was posted to the list; more people should review it. (5/2011) 177 Abstaining from votes on individual flags Here's my proposal for letting authorities have opinions about some (flag,router) combinations without voting on whether _every_ router should have that flag. It's simple, and I think it's basically right. With more discussion and review, somebody could/should build it, I think. (11/2013) 182 Credit Bucket This proposal suggests an alternative approach to our current token-bucket based rate-limiting, that promises better performance, less buffering insanity, and a possible end to double-gating issues. (6/2012) 185 Directory caches without DirPort The old HTTP directory port feature is no longer used by clients and relays under most circumstances. The proposal explains how we can get rid of the requirement that non-bridge directories have an open directory port. (6/2012) 188 Bridge Guards and other anti-enumeration defenses This proposal suggests some ways to make it harder for a relay on the Tor network to enumerate a list of Tor bridges. Worth investigating and possibly implementing. (6/2012) 189 AUTHORIZE and AUTHORIZED cells 190 Bridge Client Authorization Based on a Shared Secret [NEEDS-REVISION] 191 Bridge Detection Resistance against MITM-capable Adversaries Proposal 187 reserved the AUTHORIZE cell type; these proposals suggests how it could work to try to make it harder to probe for Tor bridges. They need more alternatives and attention, and possibly some revision and analysis. Number 190 needs revision, since its protocol isn't actually so great. (11/2013) 192 Automatically retrieve and store information about bridges This proposal gives an enhancement to the bridge information protocol, where clients remember more things about bridges, and are able to update what they know about them over time. Could help a lot with bridge churn. (6/2012) 194 Mnemonic .onion URLs Here's one of several competing "let's make .onion URLs human-usable" proposals. This one makes sentences using a fixed map. This kind of approach is likely to obsoleted if we go ahead with current plans for hidden services that would make .onion addresses much longer, though. (11/2013) 195 TLS certificate normalization for Tor 0.2.4.x Here's the followup to proposal 179, containing all the parts of proposal 179 that didn't get built, and a couple of other tricks besides to try to make Tor's default protocol less detectable. I'm pretty psyched about the part where we let relays drop in any any self-signed or CA-issued certificate that they like. Some of this is done in ticket #7145; we should decide, however, how much we want to push towards normalizing the main Tor protocol. (11/2013) 196 Extended ORPort and TransportControlPort Here are some remaining pieces of the pluggable transport protocol that give Tor finer control over the behavior of its transports. Much of this is implemented in 0.2.5 now; we should figure out what's left, and whether we want to build that. (11/2013) 197 Message-based Inter-Controller IPC Channel This proposal is for an architectural enhancement in Tor deployments, where Tor coordinates communications between the various programs (Vidalia, TorBrowser, etc) that are using it. (6/2012) 199 Integration of BridgeFinder and BridgeFinderHelper Here's a proposal for how Tor can integrate with a client program that finds bridges for it. I've seen some work being done on things called "BridgeFinder"; I don't know what the status of the current proposal is, though. (11/2013) 201 Make bridges report statistics on daily v3 network status requests Here's a proposal for bridges to better estimate the number of bridge users. (6/2012) 202 Two improved relay encryption protocols for Tor cells Here's a sketch of the two broad classes of alternatives for improving how relay encryption works. Right now, progress on this proposal is stalled waiting for the ideal wide-block construction to come along the line. (11/2013) 203 Avoiding censorship by impersonating an HTTPS server This one is a design for making a bridge that acts like an HTTPS server (by *being* an HTTPS server) until the user proves they know it's a bridge. (11/2013) 209 Tuning the Parameters for the Path Bias Defense In this proposal, Mike discusses alternative parameters for getting better result out of the path-bias-attack detection code. (11/2013) 210 Faster Headless Consensus Bootstrapping This proposal suggests that we get our initial consensus by launching multiple connections in parallel, and fetching the consensus from whichever one completes. In my opinion, that would be a fine idea when we're fetching our initial consensus from non-Authority DirSources, but we shouldnt' do anything to increase the load on authorities. (11/2013) 211 Internal Mapaddress for Tor Configuration Testing Here, the idea is to serve an XML document over HTTP that would let the know when it's using Tor. The XML document would be returned when you make a request over Tor for a magic address in 127.0.0.0/8. I think we need to do _something_to solve this problem, but I'm not thrilled with the idea of having any more magical addresses like this; we got rid of .noconnect for a reason, after all. (11/2013) 212 Increase Acceptable Consensus Age This proposal suggests that we increase the maximum age of a consensus that clients are willing to use when they can't find a new one, in order to make the network robust for longer against a failure to reach consensus. In my opinion, we should do that. If I recall correctly, there was some tor-dev discussion on this one that should get incorporated into a final, implementable version. (11/2013) 215 Let the minimum consensus method change with time This proposal describes how we can raise the minimum allowable consensus method that all authorities must support, since the ancient "consensus method 1" would not actually be viable to keep the Tor network running. We should do this; see ticket #10163. (11/2013) 219 Support for full DNS and DNSSEC resolution in Tor Here's a design to allow Tor to support a full range of DNS request types. It probably isn't adequate on its to make DNSSEC work realistically, since naive DNSSEC requires many round trips that wouldn't be practical over Tor. It has a ton of inline discussion that needs to get resolved before this is buildable. (11/2013) 220 Migrate server identity keys to Ed25519 This one is an intial design to migrate server identity keys to Ed25519 for improved security margin. It needs more analysis of long-term migration to other signing key types, and eventual dropping of RSA1024 keys entirely. (11/2013)

1 0

recreated website png diagrams as svg
by Justin Findlay 13 Nov '13

13 Nov '13

Item h under https://www.torproject.org/getinvolved/volunteer.html.en#OtherCoding discusses (at least) the images at this page, https://www.torproject.org/about/overview.html.en which look as if they're copied from some EFF presentation. I've recreated them as svg. Svg being a fairly standard vector markup, I supposed that it would be more amenable to automatic string replacement than a png (I'm not sure what wml is). Please look them over and give me feedback. If they are ultimately found acceptable, you are welcome to use them for the site. Thanks. Justin

5 6

Finalizing translation strings
by Griffin Boyce 13 Nov '13

13 Nov '13

So I'm hiring translators for Cupcake, for Persian and Urdu translations. As it turns out, this is surprisingly inexpensive. Because I'm hiring translators anyway, I want to go ahead and donate translations of Tor project strings. (Especially Urdu, which is inexpensive, but difficult to find volunteers for). After looking at Transifex for a few projects, there seem to be some extraneous strings. Torbutton and TorBirdy both have a lot of single-character strings which don't make sense (or lack context). After chatting with Runa, decided to go ahead and post this to the list. If strings could be updated/finalized by early December, that would help the process a lot. =) best, Griffin -- Be kind, for everyone you meet is fighting a hard battle. PGP: 0xD9D4CADEE3B67E7AB2C05717E331FD29AE792C97 OTR: saint(a)jabber.ccc.de

2 4

Notes on HS revamping
by George Kadianakis 11 Nov '13

11 Nov '13

Hey Nick, these are my notes from when I was writing the HS blog post. I updated them a bit with some more stuff. Might be helpful :) """ HS improvements: 1 performance 1.1 reuse IPs (#8239) 1.2 torperf (#8510) 1.3 scaling https://lists.torproject.org/pipermail/tor-dev/2013-October/005556.html 1.4 valet nodes 1.5 lasse's "Improving Efficiency and Simplicity of Tor circuit establishment and hidden services" 1.5.1 big design change. maybe worth it. assumes valet nodes IIRC 2 security 2.1 Crypto upgrade 2.1.1 Upgrade id keys [https://lists.torproject.org/pipermail/tor-dev/2013-October/005536.html] [https://lists.torproject.org/pipermail/tor-dev/2013-October/005534.html] 2.1.2 Upgrade IP service keys 2.1.3 Fix hybrid encryption (?) 2.2 Onion anti-harvesting (#8106) https://lists.torproject.org/pipermail/tor-dev/2013-October/005534.html 2.3 Guard node enumeration (#9001) 2.3.1 Virtual Circuits? Guard tiers? 2.4 Unpredictable HSDirs (#8244) 2.5 Hide HS popularity 2.5.1 Oblivious transfer for HSDirs (is it needed if we have #8106? maybe yes.) 2.5.2 Unlinkable introductions in IPs (is this even possible?) (do we even care? we have service keys) 3 Can we decrease the responsibility of guard nodes? It seems that security of HSes == their guard nodes, atm. 3.1 Implement stuff from https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-pa… 3.2 Add optional padding/bitrate anti-fingerprinting transport for HSes. 3.2.1 Can be enabled by truly paranoid HSes. 3.2.2 But this is going to make HSes stand out even more! 3.2.3 These transports can all be broken anyway. Except a truly slow but theoretically secure padding/constant bitrate transport. 3.3 What are other anonymous publishing protocols doing here? I2P seems to be weak here too, according to Grothoff's recent paper. 4 misc 4.1 HSDirs system 4.1.1 Do we still need the hash ring even after #8106? 4.1.2 Look into Valet nodes 4.2 petnames/human memorable onions? 4.2.1 maybe better as a third party (probably unofficial) plugin to tor/firefox 4.3 Read and compare with other HS-like designs. See: 4.3.1 I2P, GNUNet, rewebber, retroshare, "Anonymizing censorship resistant systems" by Serjantov, ... 4.3.2 Check uni-directional tunnels of I2P and their pros/cons. 4.3.3 http://freehaven.net/anonbib/ 4.4 Encrypted servives https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/ideas/xxx-en… 5 What else should we do? How would we design HSes if we were not prejudiced by the current design? """

4 7

[fwd] Re: [perpass] DNS confidentiality (from: bortzmeyer@nic.fr)
by Wendy Seltzer 11 Nov '13

11 Nov '13

I thought this might be of interest to the Tor community. --Wendy ----- Forwarded message from Stephane Bortzmeyer <bortzmeyer(a)nic.fr> ----- Date: Mon, 11 Nov 2013 13:10:27 +0100 From: Stephane Bortzmeyer <bortzmeyer(a)nic.fr> To: Stephen Farrell <stephen.farrell(a)cs.tcd.ie> Cc: perpass <perpass(a)ietf.org>, Andy Wilson <andrewgwilson(a)gmail.com> Subject: Re: [perpass] DNS confidentiality User-Agent: Mutt/1.5.21 (2010-09-15) On Wed, Sep 25, 2013 at 02:40:59PM +0200, Stephane Bortzmeyer <bortzmeyer(a)nic.fr> wrote a message of 13 lines which said: > May be starting with the more modest but certainly useful "DNS > privacy considerations" Internet-Draft? Such a document, just > documenting the problem, would be a good idea, IMHO. Done. http://tools.ietf.org/html/draft-bortzmeyer-perpass-dns-privacy _______________________________________________ perpass mailing list perpass(a)ietf.org https://www.ietf.org/mailman/listinfo/perpass ----- End forwarded message ----- -- -- Wendy Seltzer -- wseltzer(a)w3.org +1.617.715.4883 (office) Policy Counsel, World Wide Web Consortium (W3C) http://wendy.seltzer.org/ +1.617.863.0613 (mobile)

1 0

Re: [tor-dev] Registering special-use domain names of peer-to-peer name systems with IETF
by Jacob Appelbaum 10 Nov '13

10 Nov '13

hellekin: > On 11/09/2013 03:36 PM, Jacob Appelbaum wrote: >> >> I've given it an edit pass - I've included the original, a unified diff >> and my modified version. >> > *** Thank you! > > I will fix the formatting and a typo. Thanks! > > The rest looks good to me, except the references section. > > I think it would be better to have a "nice URL" that will stand the > proof of time: https://torproject.org/torspec would match the repository > name. Then either do some redirection magic to the latest version, or > better, list the various specs with an #anchor matching the name you use > in reference. I don't think we'll have anyone add such redirects any time soon, sadly. They're sorta ugly but they're accurate. All the best, Jacob

1 0

torbutton user agent update scheme idea
by Justin Findlay 09 Nov '13

09 Nov '13

Sorry for always picking random stuff from the volunteer page, but having read this, <quote> Programs like Torbutton aim to hide your browser's UserAgent string by replacing it with a uniform answer for every Tor user. That way the attacker can't splinter Tor's anonymity set by looking at that header. It tries to pick a string that is commonly used by non-Tor users too, so it doesn't stand out. Question one: how badly do we hurt ourselves by periodically updating the version of Firefox that Torbutton claims to be? If we update it too often, we splinter the anonymity sets ourselves. If we don't update it often enough, then all the Tor users stand out because they claim to be running a quite old version of Firefox. The answer here probably depends on the Firefox versions seen in the wild. Question two: periodically people ask us to cycle through N UserAgent strings rather than stick with one. Does this approach help, hurt, or not matter? Consider: cookies and recognizing Torbutton users by their rotating UserAgents; malicious websites who only attack certain browsers; and whether the answers to question one impact this answer. </quote> I think the best answer is simple, although a little more than trivial to implement. If you want to anonymize the user agent, you need to mimic the user agent changes made by normal users across the web, and I'm positing that in any statistically significant sample of web users, the behavior will be similar and simple enough on nearly all orders of magnitude available, i.e., normally distributed in any analytical dimension. Think about the natural evolution of a typical web user's user agent. What are the factors that will result in a change of user agent? 1) A user may have more than one browser that they use on the same computer, 2) they may use the web on more than one device (phone, tablet, laptop, desktop), 3) and typical, stochastic upgrade patterns. For (1) and (2) there is not much torbutton could do to coordinate reasonable obfuscation among multiple version, logical, space, and time separated instances without way more effort than would be profitable. In fact, (1) and (2) ought to naturally provide most if not all the anonymizing that can reasonably be accomplished from torbutton's perspective without any action at all on torbutton's part. For (3), though, there is something that could be done by torbutton. Some factors to consider in constructing a stochastic user agent updater are: - which browsers automatically upgrade themselves? - which browsers bother the user to upgrade? - what are the typical user response patterns towards browser upgrades? Remember, we're thinking about a single browser on a single system. If there are things going on for that user external to this (reinstall windows, upgrade ubuntu, get a new computer, etc.) those effects are already accounted for by (1) and (2). Some investigative questions/statements to lead an analysis on this could be something like: 'what is the distribution of browsers for human web users?' 'what is the distribution of systems and system versions for human web users?' 'what are the significant correlations on the cartesian product of these two dimensions?' 'how do the browser versions in this product space evolve through time?' ... '2/3 of firefox users are on windows and their upgrade habits follow a temporal distribution that is a spike followed by an exponential decay of order 2.3', '0.8 of the remaining firefox users are on linux and their update habits are dominated by package management systems', etc. Then, upon finding the most significant trends in browser update patterns, construct a mechanism for torbutton that mimics them on a per user basis: Once a user installs torbutton, it samples (selects) a browser from the distribution of browsers and then follows that browser's typical upgrade pattern. The problem with this idea, I guess, is that torbutton will have to phone home to find out when browser updates are adopted by users so that it can make its change at the expectation value or whatever. The goal being to distribute torbutton users according to the distribution of all web users among all user agents, you must first find out what that latter distribution is and how it is likely to evolve. This second part is not so bad as it seems because I'm guessing that some forward standard deviations of the expectation value in the temporal sense will occur late enough after the browser update that torbutton can push it out to most installed instances (it's not going to happen before, causality and all). Justin

1 0

Registering special-use domain names of peer-to-peer name systems with IETF
by Christian Grothoff 09 Nov '13

09 Nov '13

Dear all, Together with Matthias Wachs and Hellekin Wolf, I'm preparing an IESG approval request for the reservation of special-use domain names for P2P networks according to RFC 6761. The goal is to reserve .onion, .exit, .i2p, .gnu and .zkey (so that they don't become ordinary commercial TLDs at some point) and to at the same time document their use and how they should be processed for the broader community. I've attached the current draft which we plan to submit shortly (unless, of course, we receive insightful comments that require major revisions). As two of the five pTLDs involve Tor, we would be happy for feedback from the Tor developer community. Happy hacking! Christian

4 3