- tor-dev - lists.torproject.org

RFC: Tor long-term support policy
by Nick Mathewson 18 Jan '17

18 Jan '17

Hi, all! This is a draft for a tor long-term support policy for the program "tor". Please let me know what you think. It's based on earlier work and surveys, but it isn't final till we say it is, and it needs more commentary. Please keep in mind that dropping support for any old release is an inconvenience to some nice busy people, and that supporting any old release is an inconvenience to other nice busy people. Therefore, "don't inconvenience anybody" is not a viable goal here: instead we are stuck with a balancing act. Also please remember the bikeshed. ;) http://bikeshed.com/ == Background == In the past, Tor has had no actual policy for how long we support older releases of the core "tor" network program. We've aimed for informal rules like "support old releases as long as it isn't too much trouble," or "support old releases as long as a lot of people really need it," but these aren't working so well with our new release schedule. The good thing about our new release schedule is that we try to put out two stable release series per year, when previously we were finishing release series once every ~18 months. But this means that, to support the last N years of releases, we need to support three times as many older release series as we did before. This won't scale, and probably isn't a good use of our time. Therefore, we're adopting a practice from several other free software projects with a rapid release schedule: we are going to support some Tor releases for different amounts of time than others. == Levels of support == Here's the plan. * Every new release series will be supported for at least nine months after it becomes stable, and for at least three months after another release series becomes stable. Example: * The first 0.2.8.x stable release was released in August 2016. So it will be supported until at least 9 months later, in May 2017. But if the first 0.2.9.x stable release had not been released until April 2017, we'd keep supporting 0.2.8.x for another 3 months past that point, to July 2017. * Occasionally, we will designate some Tor release series as "long-term support" releases. These will be supported for an amount of time to be announced in advance -- typically, for 3 years. * For the release series that exist today, we will support them according to the schedule at the end of this document. == What does support entail? == For all supported releases, we intend: * Information needed to connect to the Tor network (directory authorities, fallback directories, geoip tables) will be kept up-to-date. * Important security issues will get fixed. * Major stability issues will get fixed. * Portability regressions will get fixed. * Portability bugs to major supported platforms will get fixed. For the most recent supported stable release only: * Misleading documentation will get fixed. * Smaller bugs that significantly impact user experience will get fixed. We do NOT expect: * That directory authorities will be able to run any but the two most recent stable releases. * That unsupported releases will all work on the Tor network. * That unsupported releases will all fail to work on the Tor network. * That older supported releases will provide the same privacy as the newer ones. == The obligatory disclaimer == This document is about plans, not promises. We'll try hard to follow through on these plans, but it's always possible that something unexpected will happen and we'll need to choose between following this policy to the letter and maintaining our users' security. If that happens, we'll aim for protecting our users. == Plan for current releases == 0.2.4.x, 0.2.6.x, and 0.2.7.x, will all receive at least one more stable release. Support for them will end on 1 August 2017. 0.2.8.x will be supported until 1 January 2018. 0.2.5.x is retroactively declared an LTS release, and will be supported until 1 May 2018. 0.2.9.x is an LTS release, and will be supported until at least 1 January 2020.

6 6

[collector] CollecTor Release 1.1.2
by iwakeh 17 Jan '17

17 Jan '17

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi there! another CollecTor version is available: https://dist.torproject.org/collector/1.1.2/ The release provides the following changes * CollecTor now uses the correct type annotation "@type tordnsel 1.0" for exit lists again [0], and * The build process now complies to a Metrics java standard build environment [1]. In addition, the main CollecTor instance and collector.sky-ip.org mirror provide correct exit-lists again as of today. See our mirror list [2]. Other mirror operators should upgrade and process their mirrors exit-lists. A script for the latter is available in the release tarball. Please direct comments and questions to the metrics-team mailing list [3]. And, of course, bug reports [4] or feature requests [5] can be filed in trac. Cheers, iwakeh [0] https://trac.torproject.org/projects/tor/ticket/21195 [1] https://trac.torproject.org/projects/tor/ticket/20596 [2] https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam/Operati… [3] https://lists.torproject.org/cgi-bin/mailman/listinfo/metrics-team [4] https://trac.torproject.org/projects/tor/newticket?component=Metrics/Collec… [5] https://trac.torproject.org/projects/tor/newticket?component=Metrics/Collec… -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJYfk1MAAoJEPeEx9Sa/gvijAwQAII81X0vWPLA7YbecHQLZJTA LJqH3ODOpJAZZIrLuk+W4QUlyA/W1EmvSFCbDjUabnsc5d76lKzKJLGu9DlPDJSw Gwb4UBQp+9Gi8wyaYLqHCoRJiGf+JvZnHAQK9/FvBQUDYkyz0ghTuGHLn/JGmNPV w220fdPOZ7kEfYzuqFT8vY4eZBKxL7uLbaiU2GbYfykV3be34q9rUjmDtWoPHQ5u FfFbzdQxDFaeRTKiWhXOG1He2epKeZezxZJBUQTotpSotaTjH3NFP+oJCsPUmPej G5td1glJ2kBcl+b61TXtVMaCUVgw9otx9bsogQnY2ceTCL8iR5M2eNP1queI6gZ8 NgPh8KGsjXMmYlPmER1UedaBgf8YcYdlKchUtMLuWVPPX0QTaAdC3eLtuLNPxOWX +lbFkCiH9hJ+1i4TktJ/XiBf0lBBvZCzkSBA5U0N0LEMTSkBIv9oh5wnP/AtoFLN DFAtnHsOLXPz8mTtvBivHzTurwIL83FHs64Bm4nh2uPQ4iX/P1JzWLaIo8tGOVEO pAJtEZGAzKMWTb96kIsLehXKgRTPAR+LAeWirwa+yY65YuhKNCKWz0jbG9s/6NAv HggzcltuHibgr64D8LhlgSY6om9zwtEGH3NG26Zcd1pZAbQkIlr4c6qcKQF4C0AB s+YXdtoVFpOfc3TiEEli =DvuO -----END PGP SIGNATURE-----

1 0

txtorcon 0.18.0
by meejah 12 Jan '17

12 Jan '17

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 txtorcon 0.18.0 is released, improving error-reporting when you have SAFECOOKIE or COOKIE authentication turned on but can't read the file. * https://github.com/meejah/txtorcon/issues/200 You can download the release from PyPI or GitHub (or of course "pip install txtorcon"): https://pypi.python.org/pypi/txtorcon/0.18.0 https://github.com/meejah/txtorcon/releases/tag/v0.18.0 Releases are also available from the hidden service: http://timaq4ygg2iegci7.onion/txtorcon-0.18.0.tar.gz http://timaq4ygg2iegci7.onion/txtorcon-0.18.0.tar.gz.asc You can verify the sha256sum of both by running the following 4 lines in a shell wherever you have the files downloaded: cat <<EOF | sha256sum --check 12be80f1d5e2893378c6e8c752cf159479f868f8424e16b34b75cd679a0ab171 dist/txtorcon-0.18.0.tar.gz cffe063dbcedd9d344e88a572c0de39b0390562165a865efa27019260c2119f6 dist/txtorcon-0.18.0-py2-none-any.whl EOF thanks, meejah -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYdp4sAAoJEMJgKAMSgGmnxCIH/iiFJdYtbSnShAktDrwMuL6K tJN+AALrr6zIydjIVG4pNuGydoxqtmrpb/12xNn/c7noEWZpuuHd+hn/PRn+XNaA Gh+q4922VKs3ZCFYFClVAkZFtT5iug7EKnB6n0IKt4Z+rVAzRTCpHqgnCmmavHP1 s55jkYc+emC/jzGag22sD7HnPYHjkuKV+qy1Y6mF1//oD9FFhJUXvn5FVjf9cNb/ xta7HB3AMXp/8qdpURPJaJBjWOg1BxSVBngZXYiUJkkoOReOJU1ngDoU0J7VjQJq Uyi2ijwylUnK6/7qLLS8pwyX/UmWgV7NeQgIr00Shsm7Jv+zkk0QhXbnwJo8pRQ= =oJqn -----END PGP SIGNATURE-----

1 0

txtorcon 0.18.0
by meejah 12 Jan '17

12 Jan '17

1 0

SipHash Impact on TCP ISN skew fingerprinting
by bancfc＠openmailbox.org 11 Jan '17

11 Jan '17

SipHash a fast PRF by DJB has been adopted upstream across the Linux networking stack landing in 4.11. It deprecates a lot of ancient and broken crypto like MD5 for initial sequence number hashes. Its my guess that that timer values added in ISNs should now be indistinguishable from the rest of the hashed secret outlined in RFC-6528.[1] Can anyone knowledgeable in reading kernel code [2] please confirm that this kills clock skew extraction [3] and fingerprinting [4] described in Steven Murdoch's papers? Its one of the advanced attacks we've been following for some time now and would be good to write it off. *** [1] https://tools.ietf.org/html/rfc6528 [2] http://lkml.iu.edu/hypermail/linux/kernel/1701.1/00076.html [3] http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ih05coverttcp.pdf (pages 7-8) [4] http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf

2 1

ExcludeExitNodes and ExcludeNodes but no "ExcludeEntryNodes"?
by nusenu 09 Jan '17

09 Jan '17

Hi, is there a possibility to blacklist guard relays (only in that position) from a client perspective? I didn't find one in the torrc man page. It is generally a bad idea to create custom tor client footprints by excluding relays but maybe it is less bad to exclude a certain relay just in the guard position than to exclude it completely via ExcludeNodes + StrictNodes since guards are used for a longer timeperiod. thanks, nusenu

2 1

Remaining 4 bits in prop224 addresses
by Jesse V 06 Jan '17

06 Jan '17

Hello all, I've been closely following the other Proposal 224 threads regarding the next-generation of onion services. I'm glad to see that we have a timeline and plan for migrating the network. One unresolved point is what to do with the remaining 4 bits in the longer addresses. Section 1.2 in the 224 document states "Note that since master keys are 32 bytes long, and 52 bytes of base 32 encoding can hold 260 bits of information, we have four unused bits in each of these names." It seems a waste for these to be zeroed out. The four bits could also be used to hold client-side flags, but I'm not aware of any applicable client settings that could be used here. I suggest that we use them as a checksum. (wasn't this proposed in Arlington?) Since speed isn't a priority, aside from Adler-32 or some CRC function, we could also hash the 32-byte key and use the first four bits of the hash. I think a checksum is best because it helps ensure data integrity when the address is shared online, copy/pasted, or physically written down. Bitcoin addresses contain a checksum as well for exactly this reason. They use a combination of SHA-256 and RIPEMD-160 to compute the checksum component. Source: 1) https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addres… 2) https://bitcoin.stackexchange.com/questions/32353/ What do we think about a checksum, or do we have other plans here? I ask because once we nail down the address format, I can add support for 224 into my Onion Name System. -- Jesse

4 7

Re: [tor-dev] blacklisting relays with end-to-end correlation capabilities?
by nusenu 03 Jan '17

03 Jan '17

Sebastian Hahn wrote (2016-12-08): >> On 08 Dec 2016, at 14:03, nusenu <nusenu(a)openmailbox.org> wrote: >> >> Dear tor directory authorities, >> >> TLDR: Would you blacklist relays with end-to-end correlation capabilities? > > > I do not think that this is worthwhile. It establishes a precedent where > setting your contact info is something that gets you banned, potentially > incorrectly because it's unauthenticated, whereas we're unable to identify > people who actually maliciously run several relays without such indicators. > > Additionally, it's yet one more thing to update the dirauths' configs > for, but with rather more overhead as we might get multiple mails back > and forth about how MyFamily is annoying to maintain, how they're just > trying to help, etc. All not so bad arguments. > > If we did this, also why would we blacklist the nonexit relays? That > seems to not make sense, as a relay operator could have multiple relays > that act as guard and exit simultaneously. I think we'd need to > blacklist at least all the exit relays, if not all of them. BadExiting > them would then be the more sensible choice. Scarcity of resources has > in the past led us to bad designs like Valid/Invalid relays etc, which > causes way more annoyances than good things. I understand dir auth operators have limited resources, but if you (most of the dir auths) agree that blacklisting specific relays to protect tor end users makes sense: Would you agree on handling a limited amount (6?) of such 'end-to-end' cases per year? I.e. one case every 2 months if the operator has a guard probability >0.1% and exit_probability >0.1% and didn't fix the problem within a month after getting contacted? Note: Luckily the list of such known potential operators is currently very short (<5). In the past month I had some positive effect when trying to contact relay operators [1], but unfortunately the biggest operators (by consensus weight) are not to motivated to fix their configuration in a reasonable time frame. thanks, nusenu [1] https://lists.torproject.org/pipermail/tor-relays/2016-December/011520.html https://lists.torproject.org/pipermail/tor-relays/2016-December/011507.html https://lists.torproject.org/pipermail/tor-relays/2016-December/011476.html https://lists.torproject.org/pipermail/tor-relays/2016-December/011486.html https://lists.torproject.org/pipermail/tor-relays/2016-December/011521.html https://lists.torproject.org/pipermail/tor-relays/2016-December/011426.html

1 0

Interested in contributing to Tor Project - IP Hijacking detection for Tor relays
by Nikhil 29 Dec '16

29 Dec '16

Hi, I am Nikhil. R, a student from India. You can know more about me from here[1] and here[2]. I have been running a Tor relay for sometime and now I am interested in contributing to the Tor Project. Specifically, I would like to work on IP Hijacking detection for Tor relays. I understand this does not involve directly with the Tor core hence I think this project is ideal in getting my feet wet with the Tor Community and get me started for further contributions to the Tor Project. BGP hijacking is difficult without inside help from ISP's(I think ?) but state run adversaries don't necessarily have this problem. This has a great risk of exposing all Tor clients or even mess around with the name resolution in exit relays. I have also read about incidents where an attacker using BGP hijacking, hijacked a portion of a Bitcoin mining pool traffic to pay himself instead of the people contributing the processing power. I feel BGP has major security implications in this aspect and a monitoring service is necessary. There are many monitoring services and we can possibly leverage one of them for the routing data. The main motive of the service would be to find anomalies/ malicious changes in the routing information compared to previous snapshots of the same. How do we actually do this comparison ? Any pointers for that ? The project also mentions that the service should be Tor-aware. What exactly does this mean ? Does it mean that, it should monitor all tor relays ip addresses ? It would be wonderful if you could elaborate on the project in a little more detail. I am a beginner in this area and please excuse me if any of the above questions are too stupid. Regards, Nikhil. R [1]:https://in.linkedin.com/in/rnikhil275 [2]https://rnikhil275.github.io

1 0

Can I modify obfs4 proxy code for my purpose?
by trmobid＠tutanota.com 22 Dec '16

22 Dec '16

Hi. I have some questions about modifying codes. 1. I wanna build a password protected obfs4 proxy sever with my VPS. I don't need that much privacy in terms of MITM for this. I just wanna know if it is ok to build such server in Tor network. 2.I wanna overrides some Javascript API with add-on. but... I just tried this with latest Torbrowser. it seems like I can't overrides some API's. Because same add-on I made worked on normal Firefox browser. I wanna avoid some fingerprint tracking recently discovered. Is there any reason to block overrides by add-on? Or am I missing something? I wanna know which is best way to do this. add-on or Torbrowser itself. Thanks.

2 2