tor-project February 2024

tor-project@lists.torproject.org

12 participants
17 discussions

cohosh's monthly status report, December 2023
by Cecylia Bocovich 17 Jun '24

17 Jun '24

Hi! This is my status report for contract work done in December 2023. # Reputation-based bridge distribution - Continued Tor Browser integration work https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/116 - Debugged some issues with the lox distributor deployment https://gitlab.torproject.org/tpo/tpa/team/-/issues/41406 https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/40 https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/42 https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/43 # Snowflake - Fixed excessive logs of closed connections at the Snowflake proxy https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - Released version 2.8.1 of Snowflake - Provided further review of the SQS rendezvous method https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… # Domain Fronting Alternatives - Looked for cloud providers that offer domain fronting - Looked for good potential front domains for working cloud providers

2 6

Retirement of Gitolite and GitWeb started, please migrate by end of year
by Antoine Beaupré 26 Mar '24

26 Mar '24

Hi, Gitolite (`git.torproject.org` and `git-rw.torproject.org`) and GitWeb (<https://gitweb.torproject.org>) will be fully retired within 9 to 12 months (by the end of Q2 2024). TPA will implement redirections on the web interfaces to maintain limited backwards compatibility for the old URLs. Start migrating your repositories now by following the [migration procedure][], and please complete the migration by the end of year 2023. See the full discussion in [TPA-RFC-36][]. [migration procedure]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/git#how-to-migrate… [TPA-RFC-36]: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-36-gitoli… A. -- Antoine Beaupré torproject.org system administration

1 2

Anti-censorship team meeting notes, 2024-02-29
by meskio 29 Feb '24

29 Feb '24

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2024/tor-meeting.2024-02-29-15.57.html And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, March 7 16:00 UTC Facilitator: onyinyang Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator: meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from sponsors, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Sponsor 96 <-- meskio, shell, onyinyang, cohosh * https://gitlab.torproject.org/groups/tpo/-/milestones/24 * Sponsor 150 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == - Ireland Constitution Amendment Referendum: March 8th Anything to note? * Belarus - General elections (2024-02-25): https://explorer.ooni.org/chart/mat?probe_cc=BY&since=2024-01-16&until=2024… * Cambodia - Senate election (2024-02-25): https://explorer.ooni.org/chart/mat?probe_cc=KH&since=2024-01-16&until=2024… == Discussion == * Mysterious reported snowflake issue in China has maybe gone away as of 2024-02-26? But reportedly still slow/unreliable https://github.com/net4people/bbs/issues/325#issuecomment-1963226429 * looks like we can reproduce the issue: https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/… * shelikhoo will investigate when time is available * Unclear whether AWS will allow public disclosure of credentials * https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… * we are waiting for their response == Actions == == Interesting links == * == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2024-02-29 Last week: - released v2.9.1 for snowflake - merged shadow ci integration tests for snowflake - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - responded to AWS warning about public disclosure of credentials - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - set up a cdn77 endpoint for meek - worked on snowflake webext source code instructions for 0.7.3 rejection - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… This week: - continue following up on AWS support case - review lox synchronization fix - compile a list of next-steps for lox - update wasm-bindgen fork to fix some bugs and hopefully upstream changes - tor-browser-build updates for lox wasm + bindings generation - Conjure bridge maintenance - more testing of available domain fronts Needs help with: dcf: 2024-02-29 Last week: - archived snowflake-webext-0.7.3 https://archive.org/details/snowflake-webextension-0.7.3 - rebased https://gitlab.torproject.org/dcf/snowflake/-/commits/handshake-padding and for testers in China Next week: - review draft MR for unreliable data channels https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - open issue to disable /debug endpoint on snowflake broker - move snowflake-02 to new VM Help with: meskio: 2023-02-29 Last week: - email tor-relays to request bridges for lox (lox#56) - mark bridges with local addresses as dysfunciontional in rdsys (rdsys!270) - get the version number from git in lyrebird (lyrebird!31) - try and fail to use iptables to bloc local connections from bridgestrap Next week: - moat distributor in rdsys Shelikhoo: 2024-02-29 Last Week: - [Merge Request]HTTPS distributors in rdsys: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/260 - [Research] Inspect Snowflake Situation In China - Update WebTunnel Container Image(https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transport… - Merge request reviews Next Week/TODO: - Inspect Snowflake Situation In China and create ticket for that - Create Issue for "Merging webtunnel + lyrebird" onyinyang: 2023-02-29 Last week(s): - continued prep for HACS/DRL meeting - Thought about/work on other Lox test deployment milestone pieces -https://gitlab.torproject.org/tpo/anti-censorship/lox/-/milestones/1#tab-issues - worked on better invitation encoding issue: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/58, implemented base64 serialization/deserialization but waiting for more feedback from the wider team - looked into bridge blockage reporting: https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/57 This week: - continue prep for HACS/DRL meeting - improve metrics collection/think about how to show Lox is working/valuable - sketch out Lox blog post/usage notes for forum - attempt hyper upgrade again (long term things were discussed at the meeting!): https://pad.riseup.net/p/tor-ac-community-azaleas-room-keep - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2023-01-11 Last weeks: - Currently in the start phase of writing my master thesis (to be finished late june 2024) in communication technology on reducing distinguishability of DTLS. The goal is to implement a validated DTLS anti-fingerprinting library similar to uTLS (useful for Snowflake). Next weeks: - Talk with Sean DuBois about contributing to adding anti-fingerprinting capabilities to the pion library Help with: - Find recent data set of captured DTLS traffic -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

Anti-censorship team meeting notes, 2024-02-22
by Shelikhoo 22 Feb '24

22 Feb '24

Hey everyone! Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2024/tor-meeting.2024-02-22-15.57.html And our meeting pad: Anti-censorship work meeting pad -------------------------------- Anti-censorship -------------------------------- Next meeting: Thursday, February 29 16:00 UTC Facilitator: onyinyang Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator: shelikhoo == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from sponsors, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Sponsor 96 <-- meskio, shell, onyinyang, cohosh * https://gitlab.torproject.org/groups/tpo/-/milestones/24 * Sponsor 150 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * Belarus - General elections (2024-02-25): https://explorer.ooni.org/chart/mat?probe_cc=BY&since=2024-01-16&until=2024… * Cambodia - Senate election (2024-02-25): https://explorer.ooni.org/chart/mat?probe_cc=KH&since=2024-01-16&until=2024… * Ireland Constitution Amendment Referendum: March 8th == Discussion == * == Actions == == Interesting links == * == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2024-02-15 Last week: - caught up on manifest v3 updates - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - release new version of snowflake addon (0.7.3) - updated addon stores - updated website - opened tor-browser-build MR to get SQS rendezvous in Tor Browser - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_re… - fixed shadow integration tests - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - opened an issue for country-specific client rendezvous poll counts - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - caught up on dependency update backlog - mostly caught up on review backlog This week: - review lox synchronization fix - compile a list of next-steps for lox - update wasm-bindgen fork to fix some bugs and hopefully upstream changes - tor-browser-build updates for lox wasm + bindings generation - Conjure bridge maintenance - more testing of available domain fronts Needs help with: dcf: 2024-02-15 Last week: - snowflake azure CDN bookkeeping https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Snowflake-co… Next week: - review draft MR for unreliable data channels https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - open issue to disable /debug endpoint on snowflake broker - move snowflake-02 to new VM Help with: meskio: 2023-02-22 Last week: - limit the size of requests in rdsys (rdsys!261) - configure if web proxy headers are trusted in rdsys (rdsys!262) - block connections to localhost in webtunnel (webtunnel!20) - review HTTPS distributor in rdsys (rdsys!260) Next week: - draft an email to request bridges for lox in tor-relays (lox#56) - moat distributor in rdsys Shelikhoo: 2024-02-22 Last Week: - [Merge Request]HTTPS distributors in rdsys: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/260 - [Research] Inspect Snowflake Situation In China - [Merge Request] Update Renovate Golang version to 1.21(https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_reques… - [Merge Request Review] Automatically build container on release and push to our registry. (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…) - [Merge Request Review] client: Only accept connections to remote hosts (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webt…) - Attend Online FOCI - Merge request reviews Next Week/TODO: - Inspect Snowflake Situation In China - Create Issue for "Merging webtunnel + lyrebird" - Update WebTunnel Container Image onyinyang: 2023-02-15 Last week(s): - Finished up fixing problems with syncing functions - Opened ticket to Lox invitation endpoint only accessible via telegram This week: - redeploy rdsys and lox-distributor with bug fixes and telegram bot - improve metrics collection/think about how to show Lox is working/valuable - start prep for HACS/DRL meeting - sketch out Lox blog post/usage notes for forum - attempt hyper upgrade again (long term things were discussed at the meeting!): https://pad.riseup.net/p/tor-ac-community-azaleas-room-keep - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2023-01-11 Last weeks: - Currently in the start phase of writing my master thesis (to be finished late june 2024) in communication technology on reducing distinguishability of DTLS. The goal is to implement a validated DTLS anti-fingerprinting library similar to uTLS (useful for Snowflake). Next weeks: - Talk with Sean DuBois about contributing to adding anti-fingerprinting capabilities to the pion library Help with: - Find recent data set of captured DTLS traffic

1 0

Job Opportunity - Rust Developer
by Patricia Robinson 21 Feb '24

21 Feb '24

** *Hi Everyone!* * Sending along again for improved readability. :) We have two new job openings for Rust Developers! https://www.torproject.org/about/jobs/rust-developer-network-team/ <https://www.torproject.org/about/jobs/rust-developer-network-team/> If you are or know someone who would be a good fit and wants to join our team, please apply/share. Have a great week and thanks for helping us spread the word! :) Warmly, Patricia Robinson Tor Project, Inc. Recruiting Coordinator *

1 0

Job Opportunity- Rust Developer
by Patricia Robinson 21 Feb '24

21 Feb '24

** *Hi Everyone!* * We have two new job openings for Rust Developers! https://www.torproject.org/about/jobs/rust-developer-network-team/ <https://www.torproject.org/about/jobs/rust-developer-network-team/> If you are or know someone who would be a good fit and wants to join our team, please apply/share. Have a great week and thanks for helping us spread the word! :) Warmly, Patricia Robinson Tor Project, Inc. Recruiting Coordinator *

1 0

Tor Browser Meeting moved to 2024-02-20
by Richard Pospesel 15 Feb '24

15 Feb '24

Hi Everyone, Monday is a holiday so we'll be moving our regularly scheduled Tor Browser weekly meeting to Tuesday (2024-02-20) at 1500 UTC in #tor-meeting on OFTC IRC. best, -richadr

1 0

Anti-censorship team meeting notes, 2024-02-15
by meskio 15 Feb '24

15 Feb '24

Here are our meeting logs: http://meetbot.debian.net/tor-meeting/2024/tor-meeting.2024-02-15-15.57.html And our meeting pad: Anti-censorship -------------------------------- Next meeting: Thursday, February 22 16:00 UTC Facilitator: shelikhoo Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress) This week's Facilitator: meskio == Goal of this meeting == Weekly check-in about the status of anti-censorship work at Tor. Coordinate collaboration between people/teams on anti-censorship at the Tor Project and Tor community. == Links to Useful documents == * Our anti-censorship roadmap: * Roadmap:https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards * The anti-censorship team's wiki page: * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home * Past meeting notes can be found at: * https://lists.torproject.org/pipermail/tor-project/ * Tickets that need reviews: from sponsors, we are working on: * All needs review tickets: * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s… * Sponsor 96 <-- meskio, shell, onyinyang, cohosh * https://gitlab.torproject.org/groups/tpo/-/milestones/24 * Sponsor 150 <-- meskio working on it * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na… == Announcements == * Elections in Indonesia (2024-02-14): https://explorer.ooni.org/chart/mat?probe_cc=ID&since=2024-01-16&until=2024… * Belarus - General elections (2024-02-25): https://explorer.ooni.org/chart/mat?probe_cc=BY&since=2024-01-16&until=2024… * Cambodia - Senate election (2024-02-25): https://explorer.ooni.org/chart/mat?probe_cc=KH&since=2024-01-16&until=2024… == Discussion == * == Actions == == Interesting links == * FOCI registration is open (attendance is free): https://foci.community/register * February 19th == Reading group == * We will discuss "" on * * Questions to ask and goals to have: * What aspects of the paper are questionable? * Are there immediate actions we can take based on this work? * Are there long-term actions we can take based on this work? * Is there future work that we want to call out in hopes that others will pick it up? == Updates == Name: This week: - What you worked on this week. Next week: - What you are planning to work on next week. Help with: - Something you need help with. cecylia (cohosh): 2024-02-15 Last week: - caught up on manifest v3 updates - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - release new version of snowflake addon (0.7.3) - updated addon stores - updated website - opened tor-browser-build MR to get SQS rendezvous in Tor Browser - https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_re… - fixed shadow integration tests - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - opened an issue for country-specific client rendezvous poll counts - https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - caught up on dependency update backlog - mostly caught up on review backlog This week: - review lox synchronization fix - compile a list of next-steps for lox - update wasm-bindgen fork to fix some bugs and hopefully upstream changes - tor-browser-build updates for lox wasm + bindings generation - Conjure bridge maintenance - more testing of available domain fronts Needs help with: dcf: 2024-02-15 Last week: - snowflake azure CDN bookkeeping https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Snowflake-co… Next week: - review draft MR for unreliable data channels https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - open issue to have snowflake-client log whenever KCPInErrors is nonzero https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow… - open issue to disable /debug endpoint on snowflake broker - move snowflake-02 to new VM Help with: meskio: 2023-02-15 Last week: - catching up after long vacation Next week: - react to S96 code audit Shelikhoo: 2024-02-15 Last Week: - [Merge Request]HTTPS distributors in rdsys: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/merge_requests/260 - [Research] Inspect Snowflake Situation In China - Merge request reviews Next Week/TODO: - Inspect Snowflake Situation In China - Create Issue for "Merging webtunnel + lyrebird" - Update WebTunnel Container Image onyinyang: 2023-02-15 Last week(s): - Finished up fixing problems with syncing functions - Opened ticket to Lox invitation endpoint only accessible via telegram This week: - redeploy rdsys and lox-distributor with bug fixes and telegram bot - improve metrics collection/think about how to show Lox is working/valuable - start prep for HACS/DRL meeting - sketch out Lox blog post/usage notes for forum - attempt hyper upgrade again (long term things were discussed at the meeting!): https://pad.riseup.net/p/tor-ac-community-azaleas-room-keep - brainstorming grouping strategies for Lox buckets (of bridges) and gathering context on how types of bridges are distributed/use in practice Question: What makes a bridge usable for a given user, and how can we encode that to best ensure we're getting the most appropriate resources to people? 1. Are there some obvious grouping strategies that we can already consider? e.g., by PT, by bandwidth (lower bandwidth bridges sacrificed to open-invitation buckets?), by locale (to be matched with a requesting user's geoip or something?) 2. Does it make sense to group 3 bridges/bucket, so trusted users have access to 3 bridges (and untrusted users have access to 1)? More? Less? theodorsm: 2023-01-11 Last weeks: - Currently in the start phase of writing my master thesis (to be finished late june 2024) in communication technology on reducing distinguishability of DTLS. The goal is to implement a validated DTLS anti-fingerprinting library similar to uTLS (useful for Snowflake). Next weeks: - Talk with Sean DuBois about contributing to adding anti-fingerprinting capabilities to the pion library Help with: - Find recent data set of captured DTLS traffic -- meskio | https://meskio.net/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- My contact info: https://meskio.net/crypto.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Nos vamos a Croatan.

1 0

Job Opportunity - Mullvad Browser Software Engineer (Contractor)
by Tyler Corn 09 Feb '24

09 Feb '24

Hi Everyone! We have a new job opening for a Browser Software Engineer (Contractor)! https://www.torproject.org/about/jobs/browser-software-engineer/ If you are or know someone who would be a good fit and wants to join our team, please apply/share. Have a great weekend and thanks for helping us spread the word! 🙂 Best, Tyler

1 0

Announcing Onionspray 1.6.0 with a SECURITY fix for Onion Services rewriting proxies
by rhatto 09 Feb '24

09 Feb '24

Hello everyone, I'd like to announce Onionspray, a tool for setting up Onion Services for existing public websites, working as a HTTPS rewriting proxy: https://tpo.pages.torproject.net/onion-services/onionspray/ It's a fork of Alec Muffett's EOTK (https://github.com/alecmuffett/eotk), with many enhancements but retaining compatibility, and relying on C Tor until an alternative in Arti is available. The first Onionspray version is 1.6.0, following the pre-existing version sequence from EOTK. Security fixes: * This release fixes a CRITICAL security vulnerability related to upstream HTTPS certificate verification, which is detailed at https://tpo.pages.torproject.net/onion-services/onionspray/security/advisor… A related fix is also available for EOTK: https://github.com/alecmuffett/eotk/pull/116 We urge Onionspray users that were testing the software while it was being on it's early stages to upgrade ASAP to 1.6.0 and update their configurations, and we recommend that EOTK to the same with the corresponding patch. This issue might also affect other similar rewriting proxy setups, and we urge operators to review and fix their Onion Service configurations. Main improvements over EOTK: * MetricsPort support (for gathering metrics data from the tor instances). * Denial of Service (DoS) protections. * Circuit ID exporting to NGINX logs and optionally to the upstream proxy (through the X-Onion-CircuitID HTTP header). * Onionbalance v3 support ("softmaps" are working again). * Revamped documentation. * Installation procedures added for recent Debian and Ubuntu releases. * Tor and OpenResty upgraded to the latest versions. * Option to keep Onionspray running in the foreground (`--no-daemonize`). * Local healthcheck action (`--health-local`), useful for containerized execution. The full ChangeLog is available at https://tpo.pages.torproject.net/onion-services/onionspray/changelog/ For those wishing to switch from EOTK to Onionspray, there's a migration guide at https://tpo.pages.torproject.net/onion-services/onionspray/migrating/ We also welcome people to report issues, send merge requests etc: https://tpo.pages.torproject.net/onion-services/onionspray/contact/ And we have a bunch of issues waiting for contributions: https://gitlab.torproject.org/tpo/onion-services/onionspray/-/issues Finally, I'd like to thank Alec Muffett for his important work with EOTK and for promoting Onion Services all these years :) Thanks! -- Silvio Rhatto pronouns he/him

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

tor-project February 2024