tor-dev

tor-dev@lists.torproject.org

3581 discussions

[draft] Proposal XXX: On upgrading HS identity keys and on a new HS directory scheme that does not leak
by George Kadianakis 01 Oct '13

01 Oct '13

release early; release often again This is a draft of a proposal that merges the two proposals I posted last month, namely the "Migrate HS identity keys to Ed25519" and "Stop HS address enumeration by HSDirs" proposals. This goes together with the "Migration to ed25519 HS identity keys and privacy-preserving directory documents" I posted two weeks ago. It tried to address most of the comments from Nick and Matthew. There are still lots of stuff to fix (especially the key derivation part). Inlining: Filename: xxx-hs-id-keys-and-onion-leaking.txt Title: On upgrading HS identity keys and on a new HS directory scheme that does not leak Author: George Kadianakis Created: 10 August 2013 Target: 0.2.5.x Status: Draft [More draft than Guiness.] ToC: 0. Overview 1. Motivation 2. Related proposals 3. Overview of changes 4. Specification of changes 5. Discussion 6. Acknowledgments Appendix: A0. Security proof of directory scheme --- 0. Overview: This proposal has two aims: a) Improve the strength of HS identity keys. Specifically, this proposal suggests the adoption of Ed25519 ECDSA keys as a replacement for the RSA-1024 keys that are currently in use by hidden services. b) Stop HS address enumeration by HSDirs When a client asks for the descriptor of a hidden service the hidden service address is leaked to the HSDir that was inquired. This proposal suggests a new directory scheme that prevents HSDirs from learning the hidden service address or the contents of the hidden service descriptors they serve. 1. Motivation The long-term identity keys of Hidden Services are RSA-1024 keys; we consider these weak and in need for replacement. Furthermore, 80-bit hidden service addresses are short enough to be prone to brute-force impersonation attacks. Ed25519 (specifically, Ed25519-SHA-512 as described and specified at http://ed25519.cr.yp.to/) is a good alternative: it's secure, fast, has small keys and small signatures, is bulletproof in several important ways, and supports fast batch verification. (It isn't quite as fast as RSA1024 when it comes to public key operations, since RSA gets to take advantage of small exponents when generating public keys.) 2. Related proposals This proposal goes hand in hand with proposal XXX "On the migration to Ed25519 HS identity keys and privacy-preserving directory documents". Proposal XXX specifies how the schemes described in this proposal should be deployed in the real Tor network to minimize frustration and bad vibes. XXX Another related proposal is proposal XXX "On the upgrade of Hidden Service service keys" which defines the upgrade from the current RSA-1024 HS service keys to a more powerful cryptosystem. 3. Overview of changes This section provides a high-level overview of the changes suggested in this document. 3.0. Overview of identity-key changes Longterm RSA-1024 "identity keys" are used by hidden services to authenticate themselves to clients. This proposal specifies: * The generation of new Ed25519 long-term identity keypairs (#KEYGEN) * A new HS descriptor format (v3) that contains Ed25519 HS identity keys (#NEWDESC) * A way for clients to upload and fetch v3 descriptors from HSDirs (#DESCFETCH and #DESCUPLOAD) 3.1. Overview of anti-enumeration scheme Currently, Hidden Services upload their unencrypted descriptor to hidden service directories (HSDirs). HSDirs store the unencrypted descriptor in an internal map of: <hs address> -> <hs descriptor> When a client wants the descriptor of an HS, it asks an HSDir for the descriptor that corresponds to <hs address>. If the HSDir has such an index in its map, it returns the <hs descriptor> to the client. This proposal asks Hidden Services to periodically derive a new ephemeral keypair from their long-term identity key; the new keypair being a function of the identity key and a time-dependent nonce. The derivation should be one-way; if you know the identity key you should be able to derive the ephemeral key but not the other way around. Finally, a client should be able to derive the ephemeral HS public key from the long-term HS public key without knowing the long-term HS private key (#KEYPAIRDERIVATION) Hidden Services then encrypt their descriptor with a symmetric key (derived from the long-term identity public key) and sign the ciphertext and the ephemeral public key with their ephemeral private key (#NEWDESC). Then they place the ephemeral public key, the encrypted descriptor and the signature in a v3 hidden servide descriptor and send that to the HSDir (#DESCUPLOAD). When the HSDir receives a v3 hidden service descriptor, it validates the signature using the embedded ephemeral public key and if it verifies it stores the descriptor in an internal map of: <ephemeral public key> -> <v3 descriptor> (#DESCHANDLING). Now, out of band, the HS gives to its clients a <z>.onion address. <z> in this case is the long-term public key of the HS (this is different from the current situation where <z> is the hash of the long-term public key). A client that knows the <z>.onion address and wants to acquire the HS descriptor, derives the <ephemeral public key> of the HS using <z> and the same key derivation procedure that the HS uses. She also derives the symmetric key that decrypts the encrypted HS descriptor (#KEYPAIRDERIVATION). The client then contacts the appropriate HSDir and queries it for the descriptor with index <ephemeral public key>. If the HSDir has such an index in its internal map it passes the <v3 descriptor> to the client (#DESCFETCH). The client then verifies the signature of the v3 descriptor, and if it's legit she decrypts the encrypted descriptor using the ephemeral symmetric key. The client now has the Hidden Servide descriptor she was looking for (#DESCHANDLING). 4. Specificaton of changes 4.0 Generation of long-term identity-key Ed25519 keypairs (#KEYGEN) When a hidden service starts up with no Ed25519 identity keys, it generates a new identity keypair. 4.1. Ephemeral keypair derivation (anti-enumreation) (#KEYPAIRDERIVATION) XXX Leaving this unpsecified for now till the security proof comes along. 4.1.0. By Hidden Services: For now, let's assume that after this paragraph each HS has a per-TIME_PERIOD ephemeral keypair. It also has a symmetric key derived from the identity public key to encrypt its descriptor. 4.1.1. By clients: When a Tor client is asked to connect to a hidden service address <z>.onion, it assumes that <z> is the long-term public key of the hidden service. Internally, and without notifying the user, the Tor client generates the ephemeral public key and ephemeral symmetric key of the HS for that time period (using the long-term public key of the hidden service and the procedure specified in the previous section). 4.2. New v3 Hidden Service Descriptor Format (#NEWDESC) To serve the purposes of this proposal we need to perform multiple modifications to hidden service descriptors. Specifically, to migrate to new identity keys we need to change the format of the v2 Hidden Service descriptor to use Ed25519 keys. Furthermore, to provide enumeration protection we need to encrypt the whole descriptor with the ephemeral symmetric key. To do so we define a new construct just for this section, called "intermediate descriptor". It has the same format as a v2 hidden service descriptor but uses Ed25519 instead of RSA-1024. The following changes are performed to the v2 HS descriptor: [*] The "permanent-key" field is replaced by "permanent-key-ed25519": "permanent-key-ed25519" SP an Ed25519 public key [Exactly once] The public key of the hidden service which is required to verify the "descriptor-id" and "signature-ed25519". In base64 format with terminating =s removed. [*] The "service-key" field is replaced by "service-key-ed25519': "service-key-ed25519" SP an Ed25519 public key [Exactly once] The public key used to encrypt messages to the hidden service. In base64 format with terminating =s removed. [*] The "signature" field is replaced by "signature-ed25519': "signature-ed25519" SP signature-string [At end, exactly once] A signature of all fields above using the private Ed25519 key of the hidden service. In base64 format with terminating =s removed. Now we define the format of the new v3 Hidden Service descriptor that is uploaded to the HSDirs: "ephemeral-public-key" SP public-key [At start, exactly once] The ephemeral HS public key for this time period. In base64 format with terminating =s removed. "encrypted-descriptor" SP encrypted-descriptor [Exactly once] An encrypted intermediate descriptor (as specified above). It's encrypted with AES in CTR mode with a random initialization vector of 128 bits that is written in the beginning of the encrypted string. The ephemeral symmetric key derived in section XXX is used as the secret key of AES. The encrypted string is encoded in base64 and surrounded with "-----BEGIN MESSAGE-----" and "-----END MESSAGE-----". "publication-time" SP YYYY-MM-DD HH:MM:SS NL [Exactly once] A timestamp when this descriptor has been created. It should be rounded down to the nearest day. The timestamp SHOULD be used by the clients and HSDirs to discard old descriptors. XXX Should we specify how long the HSDir is supposed to keep the descriptor? rend-spec.txt doesn't do so. XXX Is "rounded down to the nearest day" too extreme of a rounding? Other Tor documents round it down to the nearest hour. Does it matter if our expiration time is longer than a day? XXX Should we kill the "publication-time" in the HS descriptors? Or just leave it there? "signature" SP signature [At end, exactly once] A signature of all fields above using the ephemeral private key of the hidden service. In base64 format with terminating =s removed. 4.3. Uploading v3 HS descriptors to HSDirs (#DESCUPLOAD) A new type of Hidden Service Directory Server must be established which knows how to handle v3 Hidden Service descriptors. The Hidden Service follows the same publishing procedure as for v2 descriptors but instead of sending an HTTP 'POST' to "/tor/rendezvous2/publish", the HS sends the 'POST' request to "/tor/rendezvous3/publish" with the descriptor included in the body of the 'POST'. 4.4. Fetching v3 HS descriptors from HSDirs (#DESCFETCH) When a client needs to fetch a v3 Hidden Service Descriptor from an HSDir, it follows the exact same procedure as for v2 descriptors but instead of sending an HTTP 'GET' to "/tor/rendezvous2/<z>", it sends an HTTP 'GET' to "/tor/rendezvous3/<z>" where <z> is the base32 encoding of the *ephemeral* public key of the Hidden Service. XXX base32 is used because it's URL-safe and because we don't really care about the extra length. XXX example? 4.5. v3 hidden servide descriptor handling (#DESCHANDLING) 4.5.1. By HSDirs: When an HSDir receives a v3 hidden service descriptor, it verifies its signature using the ephemeral public key that was included in the descriptor. If the signature verifies and the descriptor timestamp is reasonable, the descriptor is accepted and cached. Otherwise, the descriptor is discarded. 4.5.2. By clients: When a client receives a v3 hidden service descriptor, it checks the timestamp and verifies the signature using the previously derived keys and discards it if the signature was not proper. If the signature is proper, the client uses the derived ephemeral symmetric key to decrypt the 'encrypted-descriptor' part of the metadescriptor. 5. Discussion [Points here might deserve their own sections] Do we need the HSDir hash ring, even though the HS address and the descriptor are now hidden from HSDirs? An Ed25519 public key is 32 bytes. 32 bytes in base32 encoding is 56 characters (or 52 with the '=' padding removed). Do we want a different URL encoding or are we happy with addresses like: mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjaueq2eivda.onion ? 6. Acknowledgments The cryptography behind this proposal was originally proposed by Robert Ransom in a private email thread and subsequently posted in tor-dev [0]. Discussion was continued in trac ticket #8106 [1]. During the past 6 months many bright people have looked at the cryptography behind this scheme. The list of people includes Nadia Heninger, Leonid Reyzin, Nick Hopper, Aggelos Kiayias, Tanja Lange, Dan J. Bernstein and probably others that I can't recall at this point. Thanks! Parts of this proposal has been based on discussions with Nick Mathewson and his proposal 220. XXX "One more: Christian Grothoff told me in Garching that GNUnet does something quite similar for its keys. So we should probably check out their approach too, and include them in the "related work" section of any hypothetical publication here. :)" Appendix: A0. Security proof of directory scheme XXX A security proof of the above scheme is under development. We are not going to implement or deploy anything before we have a solid proof of this.

1 0

Re: [tor-dev] Sponsor F: update; next meeting [in *two weeks*]
by Matt Pagan 01 Oct '13

01 Oct '13

On Mon, 30 Sep 2013 19:13:37 -0700 Tom Lowenthal <me(a)tomlowenthal.com> wrote: > Today, at 1100 Pacific, we spent more than 90 minutes discussing > [Sponsor F][]. Here's the summary. > > **READ THIS**: The next Sponsor F meeting will be held in a mere two > weeks on **2013-10-14, at 1100h Pacific in #tor-dev**. > > This is a schedule change: from now on, the meetings will be every two > weeks. It's possible that we may have to increase this to every week, > depending on how fast we work, and how long meetings are taking. If > you should be at these meetings but cannot make Mondays at 1100h > Pacific, please contact me, and I'll start the process of finding a > better time or times. > > If you are individually in the `cc` field of this message, it's > because I think that there's something which I think you need to do > for Sponsor F before Halloween. You should also come to the next > Sponsor F meeting. If you can't make the meeting, or don't think this > work applies to you, you should get back to me ASAP so we can fix it. > > Is something else missing, wrong, or messed up? I'd like to know. > > [Sponsor F]: > https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year3 > > > * * * * * > > > Core Phase 2 Deliverables > ========================= > > > UDP Transport [#10] > ------------- > > **[On Track: Minimal]** Karsten will work with Rob to complete the > Shadow simulation of this work, then write up a full report on this, > probably with Stephen's help. We expect both tasks to be complete by > Halloween. This likely represents a minimal outcome for this > deliverable. > > > Combine obfuscation (obfsproxy) with address-diversity (flashproxy) > [#11] > ------------------------------------------------------------------- > > **[On Track: Minimal]** The work of integrating obfsproxy with > flashproxy is done. George will include this in the next released > version of the pluggable transports browser bundle. George will also > write a report on this work. Ximin and David will help. By Halloween, > the report will be complete and the bundles will either be released or > well on their way through testing. This likely represents some > combination of minimal or intended outcomes for this deliverable. > > > Bridge Metrics [#12] > -------------- > > **[Done: Intended]** Our reporting code has been merged into master. > It will ride the trains or flow downstream or whatever your favorite > code development cycle imagery is, and show up in future releases. As > it goes through alpha, beta, and release, gets picked up and adopted > by more operators, we'll get more comprehensive sample coverage, and > better data. This likely represents an ideal outcome for this > deliverable. > > > N23 Performance Work [#13] > -------------------- > > **[On Track: Alternate]** Roger doesn't think that N23 is as good as > we thought it was, so he's going to write a report on the various > performance improvements we've implemented lately; the performance > work which we though about, but decided not to implement, and why; and > a wishlist of future performance work and research. He'll have this > done by Halloween. This likely represents an alternate outcome for > this deliverable. > > > Improved Scheduling [#14] > ------------------- > > **[On Track: Intended]** Nick will work with Roger and Andrea to > implement an improved scheduler (possibly based on picking randomly, > weighted by bandwidth), and -- if possible -- also to refactor `cmux`. > If time permits, Nick will also attempt to simulate this using Shadow > , probably with Karsten's help. Finally, Nick will produce a full > report before Halloween. This likely represents an intended outcome > for this deliverable. > > > Alternate `Fast` Flag Allocation [#15] > -------------------------------- > > **[At Risk]** The person who we initially expected to do this work > does not seem to be available to do it. We need to find an alternate > plan to execute this deliverable. If you think you can do it, please > read [ticket #1854][#1854] and get in touch. > > [#1854]: https://trac.torproject.org/projects/tor/ticket/1854 > > > VoIP Support [#16] > ------------ > > **[On Track: alternate]** Our implementation strategy for this was > high-latency send-an-mp3-over-XMPP using Gibberbot/Chatsecure, or a > similar system. The internal milestone was to have a release candidate > available today. Sadly, Nathan (who is on point for this) wasn't on > the call. Fortunately, Nathan [blogged][guardian-1] about Chatsecure's > `12.4.0-beta4` ten days ago, and a tantalizingly-named > [`ChatSecure-v12.4.2-release.apk`][chatsecure-release] > ([sig][chatsecure-release-sig]) is available in the Guardian Project > [release directory][guardian-releases]. The outlook seems good, but > Tom will follow up with Nathan as soon as possible to verify these > outrageous claims. Nathan, if you're reading this, could you get in > touch (email, IRC, XMPP, whatever). Thanks! > > [guardian-1]: > https://guardianproject.info/2013/09/20/gibberbots-chatsecure-makeover-almo… > [chatsecure-release]: > https://guardianproject.info/releases/ChatSecure-v12.4.0-beta4-release.apk > [chatsecure-release-sig]: > https://guardianproject.info/releases/ChatSecure-v12.4.0-beta4-release.apk.… > [guardian-releases]: https://guardianproject.info/releases/ > > > > Extended Phase 2 Deliverables > ============================= > > > VoIP Support [#17] > ------------ > > **[Limbo: Intended]** Here we're talking about getting a general VoIP > client (Mumble) to work over Tor. This discussed in [ticket > #5699][#5699], and [instructions][torify-mumble] for using Mumble over > Tor are on the wiki. We didn't get an update during the meeting, so if > you're working on this, get in touch, eh? > > [#5699]: https://trac.torproject.org/projects/tor/ticket/5699 > [torify-mumble]: > https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Mumble > > There still exists a bug in Mumble such that when network connections are routed through a proxy they leak DNS requests. This past month I've been reading QT documentation so that I can understand the Mumble code better and find the bug. After the meeting on IRC, velope suggested that fixing it might be as simple as implementing SOCKS5 with hostname. DNS leaks also occur with HTTP proxies, which shouldn't happen. See also: http://sourceforge.net/p/mumble/bugs/1033/

2 1

Criteria for prioritizing pluggable transport work
by Roger Dingledine 30 Sep '13

30 Sep '13

Below is my first go at a list of criteria to consider when evaluating pluggable transports for readiness of deployment to users. The goal isn't to say that every transport has to "pass" each question -- rather, I'm hoping to fund a researcher-developer at some point soon to polish some of the research prototypes so we can include them in the PT TBB, and I wanted to think about guidelines for how they should prioritize which PTs to work on. What points is it missing? What points does it mis-explain? See also George's "How the pluggable transports factory works" mail: https://lists.torproject.org/pipermail/tor-dev/2013-August/005231.html Thanks! --Roger ---- Section one, how reviewed / reviewable is it: 1) Is the software published, and is it entirely free and open source? Some designs call for non-free (and non-distributable) components like Skype, a copy of Windows in a VM image, etc. 2) Is there a published design document, including a threat model? Is there a specification? How testable are its security / unblockability claims? We should also consider how much peer review the design has received, and whether the project is getting continued attention by its inventors. 3) What is its deployment history? What kind of users did it have and how many? How much publicity? Did it get blocked? Section two, evaluation of design: 4) How difficult or expensive will it be to block the design (by protocol, by endpoints, etc)? For example, what services or protocols does it rely on being usable or reachable? Expense could include actual cost or could include collateral damage. Another way to measure might be the fraction of censoring countries where the technique is expected to work. 5) What anonymity improvements does the design provide, if any? While many pluggable transports focus only on reachability and leave anonymity properties to Tor, some research designs use the pluggable transport interface to experiment with improved traffic analysis resistance, such as by adding padding to defend better against website fingerprinting attacks. 6) What's the bandwidth overhead? Some transports like Obfsproxy don't inflate communication size, while others like Stegotorus wrap their communications in a more innocuous protocol at a cost of sending and receiving more bytes. Designs with higher bandwidth overhead can provide better blocking-resistance, but are also less suited for low-bandwidth environments. 7) Scanning-resistance: how does the design fare against active probing attacks, like China's follow-up connections that test for vanilla Tor traffic? ("How the Great Firewall of China is Blocking Tor", Philipp Winter, FOCI 2012). Section three, evaluation of implementation: 8) Does the implementation use Tor's Pluggable Transport (PT) Application Programming Interface (API) already? Tor has a standard recommended approach so transport modules can be invoked and managed by the Tor process. The PT API also allows Tor to automatically publish capabilities of the transport, collect user and usage statistics from the transport, and so on. 9) Is the implementation cross-platform (Windows, OS X, Linux at least)? How about support for mobile platforms? 10) How easy is the build process, and how easy is deployment and scaling? For example, what software libraries does it require, how likely are we to get enough bridge-side addresses, etc? 11) How is the code from a security and maintainability perspective? Are there unit tests, integration tests, etc? While the underlying Tor channel provides security properties like encryption and authentication, pluggable transports can still introduce new security risks if designed or built improperly.

1 0

Announcing liballium (A C Tor Pluggable Transports Utility Library)
by Yawning Angel 30 Sep '13

30 Sep '13

Hello, For those aspiring Pluggable Transports authors out there, I've recently written a simple library that handles the Tor Pluggable Transport Configuration protocol. The idea is for this library to be the C/C++ equivalent to pyptlib (and maybe more, depending on how much time I have to work on it). The code is available at: https://github.com/Yawning/liballium It still needs more documentation, but all of the use cases are covered by a reasonably well commented example (examples/ptcfg_example.c). Questions, comments, feedback all appreciated. -- Yawning Angel

1 0

HTTPS Server Impersonation
by Rohit 30 Sep '13

30 Sep '13

Hi, I was thinking about proposal #203 (Avoiding censorship by impersonating an HTTPS server) and have a few thoughts. I'm not sure if I've understood how everything fits correctly but here goes: For each bridge, we give their identity fingerprint and a shared secret along with their IP address and port. ie: bridge <ipaddress:port> <fingerprint> <shared_secret> The fingerprint allows the client to verify the identity of the bridge (via signed certificate) while a TLS connection is being set up. The shared secret allows the bridge to authorize clients after the TLS connection is set up. The shared secret could be sent using AUTHORIZE cells as proposed in #189 and #190. The AUTHORIZE cell could be wrapped in a HTTP GET request header. This should satisfy most goals. - A passive attacker wouldn't be able to distinguish between HTTPS->HTTPS traffic and Tor->Bridge. (Both use TLS) - An active attacker wouldn't be able to fool a client into thinking it was talking to a bridge. (Client would verify identity using fingerprint) - An active attacker wouldn't be able to fool a bridge into thinking it was a client. (No shared secret) To do the actual HTTPS impersonation, we could use Design #3 or #2 from #203. Nginx could be the reverse proxy, forwarding connections to the webserver or bridge as required. Depending on what the bridge is pretending to be, we could simply have nginx sitting in front of the bridge. I'm not sure what type of site the server should pretend to be. Some sort of blog? Maybe a login page? Or it could pretend to be a proxy service or perhaps web based ssh site? Could even be a combination of them I guess. Code changes would include - writing an nginx module to handle authentication - tor would need to handle AUTHORIZE/AUTHORIZED cell Thoughts? Did I miss anything? Thank you for your time, Rohit

4 3

Damian's Status Report - September 2013
by Damian Johnson 30 Sep '13

30 Sep '13

Hi all. Present status: gobbling birthday carrot cake. Before that, though, did a few things worth noting in September... ====================================================================== Stem: Connection Resolution Support ====================================================================== Stem can now provide you with the active connections belonging to a process. This is similar to arm, capable of doing lookups via seven *nix and FreeBSD resolution methods... https://stem.torproject.org/api/util/connection.html#stem.util.connection.R… Unlike arm, however, this is a far cleaner implementation including both unit and integ tests. Unfortunately this doesn't yet work with Tor's DisableDebuggerAttachment feature, but I plan to look into workarounds for that soon. 'How do I use this', you ask? It's easy! https://stem.torproject.org/tutorials/east_of_the_sun.html#connection-resol… ====================================================================== Arm: Rewrote Starter Module ====================================================================== Arm is presently undergoing an overhaul, and this month I focused on its starter module. It's now shorter, has unit tests, and is just generally damn better... before: https://gitweb.torproject.org/arm.git/blob/refs/heads/release:/src/starter.… after: https://gitweb.torproject.org/arm.git/blob/HEAD:/arm/starter.py ====================================================================== Other news this month includes... * Google Summer of Code finals were last week. All the remaining students passed, having done great work - fingers crossed they stick around! * DocTor's python replacement is now happily chugging along on yatei and provides #tor-bots notifications. * Attended a local TA3M meetup hosted by Lee Fisher. I'll be presenting a 'tor ecosystem' talk at it in October. (https://www.seattleprivacy.org/?p=356) * Notified outdates relays that will soon be dropped from the network if they don't upgrade. (#9476) * Investigated tor regression reported by stem's jenkins tests. (#9746) * Code reviewed Aaron's TorPS. (https://github.com/torps/torps.git) * Fixed a stem caching bug regarding hidden service config options caught by wayzard. (#9792) * My site (https://www.atagar.com, which hosts arm) finally has SSL support. https://lists.torproject.org/pipermail/tor-commits/2013-September/062328.ht… Cheers! -Damian

1 0

File verification GUI tool
by Sherief Alaa 29 Sep '13

29 Sep '13

Hi Everyone, (moving this email from the support-team ML to tor-dev as Runa suggested.) I am starting to work on a small GUI tool for file verification because I find guiding users through the verification process on Windows/Mac through the command line painful. Tools in use: - Python 3.3 or 2.7 (still didn't decide yet). - PyQT - python-gnupg-0.3.5 I might also add a log window and a save log button to see what went wrong during the verification process. Attached is a draft design of how the tool would look like. On Mon, Sep 23, 2013 at 7:12 PM, Lunar <lunar(a)torproject.org> wrote: >How do you think users will be able to install such a tool on their >system? There won't be any installation required It's a single executable. >More importantly, how will they be able to ensure that it's >not a tampered version? I've thought about that and few things came to mind: - Include the executable inside TBB. - Host it somewhere and also provide a SHA-256 hash on a website or in a file. But this is all an endless chain because lets say I download TBB, then download gpg to verify it but then how do I make sure that gpg it self wasn't tampered with? (assuming I don't have it installed already.) Any help or suggestions would be much appreciated. Thanks. -- Sherief Alaa pgp 0x8623B882

6 6

Re: [tor-dev] Pluggable Transport Browser Bundle FTE Integration
by David Fifield 29 Sep '13

29 Sep '13

On Sun, Sep 01, 2013 at 01:32:23PM +0300, George Kadianakis wrote: > Kevin P Dyer <kpdyer(a)gmail.com> writes: > > === How do we invoke PTs? > > I had this discussion with Roger, but I don't see any open tickets or clear > > discussion on this already. If we have N>1 PTs and at least one bridge per > > PT, how do we select which PT (and which bridge associated with that PT) to > > use? Determinism is bad because then only one PT is used. Booting up all > > PTs is bad, especially if (say) the PTs make network connections prior to > > any incoming SOCKS connections. Selecting a random PT is potentially bad, > > too, depending upon how hostile and persistent and stateful the adversary > > is. > > That's an interesting question. I'm not sure if the process of Tor > picking bridges is deterministic or not. I should test it out. David > might know. > > (A good scenario would be that Tor treats bridges like guards and > selects some at random to build circuits.) I don't know how Tor decides which PT bridges to use. I would guess that it treats them like any other Bridge lines in torrc. You should see this ticket and blog post: "Config option to declare whether you're using bridges for reachability or for security" https://trac.torproject.org/projects/tor/ticket/4624 https://blog.torproject.org/blog/different-ways-use-bridge The idea behind it is that some users want covertness (I need to hide the fact that I am using Tor), and some users want reachability (I need some way to circumvent the firewall). The way I see it, the unstated policy of the PT bundles is to optimize for reachability. By default we launch all the transports we know about, so for example if three transports are blocked and one gets through, that is a success. This doesn't work for the first kind of user, for whom a blocked transport means they have been detected. This first kind of user is likely to have to take some extraordinary steps while using Tor in any case. I don't think we have a plan for how to make a bundle that, in its default configuration, is safe to use for all such users. However we can make a bundle that does reachability with no special configuration, so that's what we're doing. The new 3.0 series bundles ask you, on startup, whether you are able to connect directly to Tor or whether you have to do your own manual configuration (like adding bridges). The option to launch only one specific safe transport could in principle be added to such a UI. David Fifield

2 1

Help make the Tor stackexchange beta succeed
by Roger Dingledine 28 Sep '13

28 Sep '13

Hello Tor developers and anonymity researchers, Our Stackexchange beta is underway: http://area51.stackexchange.com/proposals/56447/tor and we could use some more participation from actual Tor developers, anonymity researchers, and so on. The goals include a) building a good set of answers to questions around Tor research and development, and b) growing a larger army of people who know these answers and can answer more such questions. If you can help out, please send me mail off-list, including what email address I should tell them for you, and I'll hook you up. Steven, Philipp, Jens, and I can't do it by ourselves. :) (And as a carrot, if you sign up you can read my answer to "What are the options to remove Mevade botnet from Tor?") Thanks! --Roger

1 0

New GPG key for Mike Perry
by Mike Perry 27 Sep '13

27 Sep '13

Hi everyone, I've finally made a new GPG key (after a scant 7 years!). This new key will be used to sign email from me going forward, and will be used to sign software releases until such time as I get around to creating a second set of keys on a hardware token for that purpose. While I dislike the Web of Trust for a number of reasons*, my plan is to cross-certify these two sets of new keys, and also sign both with my old key. Hence I will not immediately be issuing a revocation for my old key. The new key is attached, and is available on the keyservers (with a signature from my old key) at: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x29846B3C683686CC Here's the fingerprint and current subkey information for reference: pub 8192R/29846B3C683686CC 2013-09-11 Key fingerprint = C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC uid Mike Perry (Regular use key) <mikeperry(a)torproject.org> sub 4096R/717F1F130E3A92E4 2013-09-11 [expires: 2014-09-11] sub 4096R/A3BD8153BC40FFA0 2013-09-11 [expires: 2014-09-11] This message should also be signed by my previous key, which was used extensively to sign my email and my source code releases prior to today. * Ensuing flamewars about the Web of Trust should reply only to tor-talk. -- Mike Perry

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev