- tor-dev - lists.torproject.org

Draft Proposal for BridgeDB IPv6 Support
by Aaron 17 Dec '11

17 Dec '11

Attached is a draft document describing proposed changes to BridgeDB to accommodate the new or-address spec (186-multiple-orports.txt) and IPv6 bridges. I am especially interested in comments on sections tagged #XXX. Thanks! --Aaron

4 5

Tor on TV (hemm, on WDTV!)
by Fabio Pietrosanti (naif) 15 Dec '11

15 Dec '11

Hi all, i got a WDTV Live (http://support.wdc.com/product/install.asp?groupid=1003&lang=en) that's part of bigger family of consumer mediaplayer from Western Digital (http://support.wdc.com/product/install.asp?level1=10&lang=en) It seems it can run Tor without any major issue. There is a very nice hacked firmware community around WDTV users, that's a very cheap hardware (retail price 70-80EUR). What's about making a "promotional" campaign like for the Tor Cloud to have people running Tor Relay "right on their TV" ? I mean, the "hacked firmware" installation process of WDTV works that way: - Plug an USB Key formatted FAT32 with 3 files (boot, kernel, image) on WDTV - Poweron So it may be possible to make a campaign where users are invited to "run their tor relay" on their TV in 3 simple steps: - Get a USB Key - Load that files on it - Plug to your WDTV - Poweron your WDTV You are now helping poor sirian, iranian and chinese censored people. That way even the average fat guy sitting on his couch drinking beer and eating wing chicken can support freedom of speech. That kind of user can just "poweron" the WDTV and with his "remote control" after seeing his favorite telefilm on paytv, can just "zap" to see how his Tor Router is working: On TV! This could be defined as the "very lazy Tor user" who doesn't even want to use a computer, but just do TV zapping :P So, the idea could be to do a custom hacked firmware of WDTV and a WDTV Apps that you can "click" via remote control, seeing the statistics of your Tor Relay. # uname -a Linux WDTVLIVE 2.6.22.19-19-4 #28 PREEMPT Mon Mar 22 20:08:14 CST 2010 mips GNU/Linux # tor --version Jan 01 15:41:37.533 [notice] Tor v0.2.2.32 (git-877e17749725ab88). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux mips) Tor version 0.2.2.32 (git-877e17749725ab88). # free total used free shared buffers Mem: 199056 193664 5392 0 10832 Swap: 0 0 0 Total: 199056 193664 5392 # cat /proc/cpuinfo system type : Sigma Designs TangoX processor : 0 cpu model : MIPS 24K V7.12 FPU V0.0 Initial BogoMIPS : 332.59 wait instruction : yes microsecond timers : yes tlb_entries : 32 extra interrupt vector : yes hardware watchpoint : yes ASEs implemented : mips16 shadow register sets : 1 VCED exceptions : not available VCEI exceptions : not available System bus frequency : 333000000 Hz CPU frequency : 499500000 Hz DSP frequency : 333000000 Hz -naif

4 6

Two questions about dir-spec.txt
by Karsten Loesing 14 Dec '11

14 Dec '11

Hi Nick, as the subject says, two quick questions about dir-spec.txt: 1. The "s" lines of network status entries are specified as: "s" SP Flags NL Now, when a relay has no flags at all, which can happen in a vote or could happen in older consensus methods, that relay would have an "s" line just consisting of "s", not "s ". I think it makes sense to omit the SP, but should this be specified? If so, how? There are other lines where it's not specified whether a trailing SP is permitted or not. But I think I only encountered "s" lines without any list elements so far. (I ran into problems here a while ago, when I looked for lines starting with "s " to overwrite an sLine string variable. But there was no "s " line for some relays, so the program used the "s " line from the previous relay. Went unnoticed. Ugh.) 2. The "m" lines in votes are not in dir-spec.txt. I haven't looked at proposal 158 yet. Is that proposal up-to-date? Thanks, Karsten

2 1

Purpose Controller Bug
by Tarik Karaoglu 14 Dec '11

14 Dec '11

Hi, I am trying to create circuits for use of my controller application however I got the following warning after my unsuccessful attempt. Dec 14 02:43:35.239 [warn] circuit_launch_by_extend_info(): Bug: unexpected purpose 19 when cannibalizing a circ. If I don't specify any purpose, I am able to create general purpose circuits. Another problem is that, is there a way to tell Tor to use separate circuits for each flow if possible when Tor attaches streams to circuits? Currently I am trying to attach streams to circuits using my controller but I am facing Proxy timeout issues like below: Dec 14 02:45:35.690 [notice] Tried for 120 seconds to get a connection to [scrubbed]:40000. Giving up. (waiting for controller) Any help will be appreciated. Thanks, Tarik

1 0

How to try out the new shiny IPv6 bridge support
by Linus Nordberg 13 Dec '11

13 Dec '11

Hi, With great help from Jeroen Massars address independence patch posted to this list earlier this year, a first milestone of IPv6 support in tor was reached in the 0.2.3.9-alpha release. Clients can now connect to private bridges over IPv6 if configured for that. If you are at all interested in trying out the new IPv6 support, this short HOWTO is for you. Please note that this is new code. Be prepared to run into bugs, hunt them down, report them, help out solve them and earn eternal fame and glory. It's a pain, but someone's got to do it. As part of proposal 186 ("Multiple addresses for one OR or bridge"), the ORPort configuration option has changed and ORListenAddress will be deprecated. We can use this for adding an IPv6 address to a bridge already running on an IPv4 address. (Another option is to run a bridge listening _only_ to IPv6 but note that every relay need IPv4 too, in order to speak to other OR's in the Tor network.) In order to configure a bridge to listen to an IPv6 address, add an ORPort option with an IPv6 address within square brackets and a port number like this: ORPort [2001:DB8::42]:4711 In order to have your client connect to a bridge over IPv6, simply state the address of the bridge within square brackets and a port number in a Bridge line: Bridge [2001:DB8::42]:4711 Note that there's still no support for IPv6 in BridgeDB. There is no harm in specifying PublishServerDescriptor 1 but nothing good will come out of it. You will have to find other ways of getting your bridge addresses to your users. Note also that if you configure your client with two (or more) addresses belonging to the very same bridge, your client will pick one of them and try to use that. This behaviour is not perfect and will change in future versions of tor. This behaviour isn't even bug free and should not be counted on -- especially when an IPv6 address is preferred over an IPv4 address, in which case the IPv4 address in many cases is the one being used anyway. Short story: Don't configure your client with more than one address per bridge. Please let me know if there are any questions about this and if you run in to any trouble setting it up. Then, when you run into the bugs, please go to https://trac.torproject.org/ and fire away. Thanks, Linus

1 0

Uploading video over Orbot
by Nathan Freitas 11 Dec '11

11 Dec '11

Some progress to share on Tor-related efforts with our Secure Smart Cam project with WITNESS. (More here: https://guardianproject.info/apps/securecam/ ) I know that "uploading HD video over a mobile network on Tor" has long been one of these cringe-inducing requests from NGOs, but at least for short clips, it seems to be working fairly well, both to YouTube and to the self-hostabled Videobin.org software. SSCXfer is my reduction of the Vidiom.mobi (http://vidiom.mobi/) app to be a focused, clean secure video uploader for YouTube and the self-hostable videobin.org software. Vidiom is pretty fantastic, but is a bit too kitchen sink, and also included features like FTP and Facebook upload which I don't feel comfortable putting a "secure" stamp on. The YouTube upload code comes from the very interesting "YouTube Direct" project's Android client: http://code.google.com/p/ytd-android/ The basic user story for SSCXfer is: "Alice has sensitive video evidence of a human rights crime recorded on her smartphone and wants to upload it to YouTube, but is in a country where YouTube is often blocked, and always monitored." a more complex one is: "Bob is a trained human rights defender working in a restrictive region, using his smartphone to interview victims about their experiences, and he needs to safely offload the videos from his phone to a secure private site as soon as possible, without raising any flags in the internet monitor systems." In this case "secure" and "safe", mean it will 1) use HTTPS as available, 2) store any local data in SQLCipher, and 3) support upload over proxy servers, specifically Orbot's built-in SOCKS or HTTP proxy without requiring root. In addition, the uploader must support low-bw, high latency connections, and support resumeable uploads. Finally, since videobin.org can be self-hosted, it is possible that a server could be run by WITNESS or any organization on a Tor hidden service .onion address, or at least on their own, https site. At this point, I've implemented support for Orbot/Tor working by enabling HTTP proxying support in all the HTTP connection code, and it is working quite well for both uploads to YouTube and the default Videobin.org site instance. Resume and retry seem to work, but I have not done extensive testing. I think the most extreme test scenario is uploading over Tor over EDGE network, and then going up and down into the subway. We'll see how we do in that case. Best, Nathan

1 1

AES_ctr128_encrypt() on Windows
by Gisle Vanem 07 Dec '11

07 Dec '11

Seems that this function isn't available in OpenSSL 1.1.0. On Windows at least. The function is enclosed in a "#if 0" in OpenSSL's <aes.h> and util/libeay.num also has this: AES_ctr128_encrypt 3216 NOEXIST::FUNCTION: So should we make an exception for Windows in common/aes.c: --- Git-latest/src/common/aes.c Mon Dec 05 16:54:55 2011 +++ src/common/aes.c Wed Dec 07 18:42:37 2011 @@ -17,7 +17,7 @@ #include <openssl/aes.h> #include <openssl/evp.h> #include <openssl/engine.h> -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if (OPENSSL_VERSION_NUMBER >= 0x10000000L) && !defined(MS_WINDOWS) /* See comments about which counter mode implementation to use below. */ #include <openssl/modes.h> #define USE_OPENSSL_CTR --gv

2 2

Reduce TBB/OSX from 32MB to 23MB
by Fabio Pietrosanti (naif) 06 Dec '11

06 Dec '11

Hi all, made the following tricks that you can find attached to reduce the size of TBB/OSX from 32MB to 23MB . With this tricks it's possible to send TBB/OSX via Gmail using Gettor. It goes from: 32M /tmp/TorBrowser-2.2.34-3-dev-osx-x86_64-en-US.zip to 23M /tmp/TorBrowser-7z-wrap2.2.34-3-dev-osx-x86_64-en-US.zip Probably it would require some better cleanup and integration, that's just a working poc. -naif

1 0

routers as bridges
by Rob van der Hoeven 06 Dec '11

06 Dec '11

In July i posted a message on this list proposing to use a router as a Tor bridge. Recently i liberated one of my routers with OpenWrt which made it possible to test this idea. Seems to work. Wrote a small article about it on my blog: http://freedomboxblog.nl/routers-as-tor-bridges/ Cheers, Rob. http://freedomboxblog.nl

1 0

Automatically retrieve and store information about bridges
by Sebastian Hahn 01 Dec '11

01 Dec '11

Filename: xxx-store-bridge-information.txt Title: Automatically retrieve and store information about bridges Author: Sebastian Hahn Created: 16-Nov-2011 Status: Open Target: 0.2.[45].x Overview: Currently, tor already stores some information about the bridges it is configured to use locally, but doesn't make great use of the stored data. This data is the Tor configuration information about the bridge (IP address, port, and optionally fingerprint) and the bridge descriptor which gets stored along with the other descriptors a Tor client fetches, as well as an "EntryGuard" line in the state file. That line includes the Tor version we used to add the bridge, and a slightly randomized timestamp (up to a month in the past of the real date). The descriptor data also includes some more accurate timestamps about when the descriptor was fetched. The information we give out about bridges via bridgedb currently only includes the IP address and port, because giving out the fingerprint as well might mean that Tor clients make direct connections to the bridge authority, since we didn't design Tor's UpdateBridgesFromAuthority behaviour correctly. Motivation: The only way to let Tor know about a change affecting the bridge (IP address or port change) is to either ask the bridge authority directly, or reconfigure Tor. The former requires making a non-anonymized direct connection to the bridge authority Tonga and asking it for the current descriptor of the bridge with a given fingerprint - this is unsafe and also requires prior knowledge of the fingerprint. The latter requires user intervention, first to learn that there was an update and second to actually teach Tor about the change. This is way too complicated for most users, and should be unnecessary while the user has at least one bridge that remains working: Tonga can give out bridge descriptors when asked for the descriptor for a certain fingerprint, and Tor clients learn the fingerprint either from their torrc file or from the first connection they make to a bridge. For some users, however, this option is not what they want: They might use private bridges or have special security concerns, which would make them want to connect to the IP addresses specified in their configuration only, and not tell Tonga about the set of bridges they know about, even through a Tor circuit. Also see https://blog.torproject.org/blog/different-ways-use-bridge for more information about the different types of bridge users. Design: Tor should provide a new configuration option that allows bridge users to indicate that they wish to contact Tonga anonymously and learn about updates for the bridges that they know about, but can't currently reach. Once those updates have been received, the clients would then hold on to the new information in their state file, and use it across restarts for connection attempts. The option UpdateBridgesFromAuthority should be removed or recycled for this purpose, as it is currently dangerous to set (it makes direct connections to the bridge authority, thus leaking that a user is about to use bridges). Recycling the option is probably the better choice, because current users of the option get a surprising and never useful behaviour. On the other hand, users who downgrade their Tors might get the old behaviour by accident. If configured with this option, tor would make an anonymized connection to Tonga to ask for the descriptors of bridges that it cannot currently connect to, once every few hours. Making more frequent requests would likely not help, as bridge information doesn't typically change that frequently, and may overload Tonga. This information needs to be stored in the state file: - An exact copy of the Bridge stanza in the torrc file, so that tor can detect when the bridge is unconfigured/the configuration is changed - The IP address, port, and fingerprint we last used when making a successful connection to the bridge, if this differs from/supplements the configured data. - The IP address, port, and fingerprint we learned from the bridge authority, if this differs from both the configured data and the data we used for the last successful connection. We don't store more data in the state file to avoid leaking too much if the state file falls into the hands of an adversary. Security implications: Storing sensitive data on disk is risky when the computer one uses gets into the wrong hands, and state file entries can be used to identify times the user was online. This is already a problem for the Bridge lines in a user's configuration file, but by storing more information about bridges some timings can be deduced. Another risk is that this allows long-term tracking of users when the set of bridges a user knows about is known to the attacker, and the set is unique. This is not very hard to achieve for bridgedb, as users typically make requests to it non-anomymized and bridgedb can selectively pick bridges to report. By combining the data about descriptor fetches on Tonga and this fingerprint, a usage pattern can be established. Also, bridgedb could give out a made-up fingerprint to a user that requested bridges, thus easily creating a unique set. Users of private bridges should not set this option, as it will leak the fingerprints of their bridges to Tonga. This is not a huge concern, as Tonga doesn't know about those descriptors, but private bridge users will likely want to avoid leaking the existence of their bridge. We might want to figure out a way to indicate that a bridge is private on the Bridge line in the configuration, so fetching the descriptor from Tonga is disabled for those automatically. This warrants more discussion to find a solution that doesn't require bridge users to understand the trade-offs of setting a configuration option. One idea is to indicate that a bridge is private by a special flag in its bridge descriptor, so clients can avoid leaking those to the bridge authority automatically. Also, Bridge lines for private bridges shouldn't include the fingerprint so that users don't accidentally leak the fingerprint to the bridge authority before they have talked to the bridge. Specification: No change/addition to the current specification is necessary, as the data that gets stored at clients is not covered by the specification. This document is supposed to serve as a basis for discussion and to provide hints for implementors. Compatibility: Tonga is already set up to send out descriptors requested by clients, so the bridge authority side doesn't need any changes. The new configuration options governing the behaviour of Tor would be incompatible with previous versions, so the torrc needs to be adapted. The state file changes should not affect older versions.

2 1