Hello,
Apologies for the delay in sharing OONI's previous monthly reports, and for
the many upcoming reports.
This email shares OONI's monthly report for April 2024.
*# OONI Monthly Report: April 2024*
Throughout April 2024, the OONI team’s work can be tracked through the
various OONI GitHub repositories: https://github.com/ooni
Highlights are shared in this report below.
*## Published research report on internet censorship in Tanzania*
In April 2024, we published a new research report (“Tanzania: Surge in
online LGBTIQ censorship and other targeted blocks”), documenting the
blocking of LGBTIQ websites and other targeted blocks in Tanzania based on
the analysis of OONI data. Thanks to community member Tori Francis, who
translated the report, we also published it in Swahili to reach local
communities.
Our research report is available in:
* English: https://ooni.org/post/2024-tanzania-lgbtiq-censorship-and-other-targeted-bl…
* Swahili: https://ooni.org/sw/post/2024-tanzania-lgbtiq-censorship-and-other-targeted…
As part of this report, we analyzed OONI data collected from Tanzania
between 1st January 2023 and 31st January 2024. Our analysis of OONI data
collected from Tanzania shows:
* *Blocking of many LGBTIQ websites*, including LGBTIQ social networks
(such as Grindr), LGBTIQ rights sites (such as OutRight International and
ILGA), LGBTIQ news and culture sites (such as Queerty), and an LGBTIQ
suicide prevention site (The Trevor Project);
* *Blocking of online dating websites* (such as Tinder and OKCupid);
* *Targeted blocking of specific websites that defend human rights through
grants and petitions* (Change.org, Global Fund for Women, GlobalGiving,
Open Society Foundations);
* *Targeted blocking of specific social networking sites* (Clubhouse and
4chan);
* *Targeted blocking of ProtonVPN*.
Our analysis reveals the extensive blocking of LGBTIQ sites, which
correlates with the escalating discrimination and crackdown on LGBTIQ
communities in Tanzania in recent years. Many other blocks identified as
part of this study appear to be targeted, as they involve very specific
websites, while other sites from the same categories (e.g. social media,
human rights) were found accessible. For example, access to the Global Fund
for Women website was found blocked in Tanzania, while Amnesty
International's website was found accessible. Meanwhile, Tanzania recently
started requiring users to report their use of VPNs. Out of tested VPNs, we
only found ProtonVPN blocked in Tanzania during the analysis period.
Overall, the results of our analysis show that most ISPs in Tanzania appear
to implement blocks by means of TLS interference, specifically by timing
out the session after the Client Hello message during the TLS handshake. As
the timing of the blocks and the types of URLs blocked are (mostly)
consistent across (tested) networks, ISPs in Tanzania likely implement
blocks in a coordinated manner (possibly through the use of Deep Packet
Inspection technology).
*## Published new reports on the OONI Censorship Findings page*
In April 2024, we published 2 new reports on our Censorship Findings page:
* Kyrgyzstan blocked TikTok: https://explorer.ooni.org/findings/154621229001
* Senegal blocked TikTok: https://explorer.ooni.org/findings/144156914701
These reports were published in response to emergent censorship events,
sharing relevant OONI data. Access to TikTok was temporarily blocked in
Senegal amid political unrest, while access to TikTok was blocked in
Kyrgyzstan following a government order to ban the platform.
*## Research collaborations with partners on upcoming reports*
We continued to coordinate with our partners on research efforts required
for upcoming research reports. Specifically, we coordinated with our
partners on extensive updates to the Citizen Lab test lists for Bangladesh
and Iran.
In April 2024, Miaan Group contributed extensive updates to the test list
for Iran: https://github.com/citizenlab/test-lists/pull/1702
*## OONI Probe Mobile*
In April 2024, we released OONI Probe 3.8.6 on Android (
https://github.com/ooni/probe-android/releases/tag/v3.8.6) and iOS (
https://github.com/ooni/probe-ios/releases/tag/v3.8.6).
This release includes a fix for the OONI Probe Signal experiment, as well
as several other bug fixes and improvements.
*## OONI Probe Desktop*
In April 2024, we released OONI Probe Desktop 3.9.5:
https://github.com/ooni/probe-desktop/releases/tag/v3.9.5
This release contained a fix that prevents the app from being disabled on
Windows and uses OONI Probe CLI v3.21.0 (
https://github.com/ooni/probe/issues/2699).
*## OONI Probe CLI*
We rationalized, documented, refactored, and improved the code used to
communicate with the OONI backend: https://github.com/ooni/probe/issues/2700
As part of this work, we improved the code used for circumventing the
blocking of the OONI backend, documented its design, and planned for future
improvements: https://github.com/ooni/probe/issues/2704
*## OONI Run*
As part of our work on creating the next generation version of OONI Run
(“OONI Run v2”), we continued our efforts with QA testing for the Android
version of the new OONI Probe app that will include both an improved UI and
support for new OONI Run links. We spent time polishing the new flow that
users will go through when adding OONI Run v2 links to their app dashboard,
as well as ensuring that updating and removing links works as planned. You
can explore related issues here: https://github.com/ooni/run/issues
Additionally, we continued to test and fine-tune the admin dashboard that
users will use to create, edit and manage their OONI Run v2 links.
*## Documented OONI methodology for measuring throttling*
In April 2024, we published documentation for our methodology on measuring
throttling: https://github.com/ooni/probe-cli/pull/1546/files
In previous months, we created an open methodology for measuring
throttling. In line with our broader scope of work (which focuses on
targeted cases of internet censorship), this methodology aims to detect
cases of targeted throttling that impact specific online services (such as
the throttling of Twitter/X). As part of this methodology, we measure cases
of targeted throttling through the analysis of OONI Web Connectivity data
(which is collected through the OONI Probe testing of URLs).
Specifically, OONI’s methodology for measuring targeted cases of throttling
involves the analysis of timing information during HTTPS requests in Web
Connectivity data. This methodology has been successful in measuring
various cases of throttling, such as those documented as part of our
previous research reports on throttling cases in Kazakhstan (
https://ooni.org/post/2023-throttling-kz-elections/#throttling-of-sites),
Russia (
https://ooni.org/post/2022-russia-blocks-amid-ru-ua-conflict/#twitter-throt…),
and Turkey (https://ooni.org/post/2023-turkey-throttling-blocking-twitter/).
Our throttling methodology is also explained in these reports.
*## OONI Explorer*
*### User research*
Last month, we mentioned that we started user interviews with members of
our community who use OONI Explorer (https://explorer.ooni.org/) as part of
research and advocacy. The goal of these interviews was to supplement the
qualitative data collected through the surveys, and to better understand
how they use OONI Explorer and the challenges they encounter in discovering
censorship findings through the platform.
In April 2024, we completed these interviews and distilled the information
and insights gathered to help us inform the next phase of several projects
we have on the go.
To collect community feedback for the improvement of the OONI Explorer
navigation, we also did a user study (
https://twitter.com/OpenObservatory/status/1778016715940536698). Our goal
through this study (
https://s900pyof.optimalworkshop.com/optimalsort/33tdoyag) was to collect
community feedback on how to improve the structure of content on OONI
Explorer and make it easier to navigate.
All of these efforts are helping us make progress on two important projects:
* Presenting thematic censorship findings on OONI Explorer
* Revamping the OONI Explorer navigation
*### Presenting thematic censorship findings on OONI Explorer*
Based on community feedback collected as part of our user research studies,
we worked with a designer on creating wireframes and mockups of potential
ways to present thematic censorship findings on OONI Explorer (
https://explorer.ooni.org/). In addition to enabling the internet freedom
community to easily and quickly discover censorship findings that they care
about, we aim to also ensure that information is presented in a logical
fashion, building a stronger connection between the various pages and
sections on OONI Explorer.
*### Revamping the OONI Explorer navigation*
Adding another section like the Thematic Censorship pages to OONI Explorer
will require us to consider the navigation menu of the site. As is, the
OONI Explorer menu is fairly crowded, and we want to ensure that we can
continue to grow and expand the navigation as we grow the functionality
within OONI Explorer. Based on community feedback collected as part of a
user study on OONI Explorer navigation (
https://s900pyof.optimalworkshop.com/optimalsort/33tdoyag), we completed
some wireframes of different options for the navigation and had several
brainstorming sessions to discuss.
*### Other improvements*
On the development side, we began the work to update a few sections of the
OONI Explorer country pages that had previously been redesigned (
https://github.com/ooni/explorer/issues/916,
https://github.com/ooni/explorer/issues/914). We fixed an issue with our
language drop-down menu for people using Brave browser (
https://github.com/ooni/explorer/issues/931). We also continued our work
using Tailwind for our design library (
https://github.com/ooni/design-system/pull/175).
*## Automating censorship detection and characterization based on OONI measurements*
In April 2024, we continued to make progress towards shipping our new OONI
Data Pipeline into production.
Specifically, to improve maintainability going forward, we refactored OONI
data into two separate packages (https://github.com/ooni/data/pull/60):
* End user pip installable package to download and parse measurements;
* Pipeline to perform the analysis and processing of OONI data.
We also ported analysis and observation generation over to temporal and set
up the production environment in the OONI devops repository (
https://github.com/ooni/data/pull/61).
*## General backend/devops*
In April 2024, we worked on porting the oonifindings service to our new and
improved ooniapi pattern (https://github.com/ooni/backend/issues/807). We
also experimented with some proofs of concept to improve our devops
processes, such as re-conceptualizing codepipeline triggers, and trying
weighted target groups and scheduled blue/green deployment.
*## Test list updates*
Following the announcement of the suspension of the broadcasting of
programs from several news media outlets in Burkina Faso (
https://x.com/sergedanielinfo/status/1784676862083399728), we created a new
test list for Burkina Faso with those news media websites:
https://github.com/citizenlab/test-lists/pull/1714
We also added a few news media websites to the Togo test list:
https://github.com/citizenlab/test-lists/pull/1715
*## Planning the OONI Partner Gathering 2024*
In preparation for the upcoming OONI Partner Gathering in Malaysia in May
2024, we continued to coordinate on numerous logistics (flights, shuttle
service, hotel, catering, etc.). We also continued to assist participants
as needed with their travel logistics, and we continued to coordinate with
designers on event-related supplies and materials.
To help ensure that the OONI Partner Gathering 2024 agenda is as useful as
possible to our partners, we previously shared a survey to collect their
feedback. As our goal was to ensure that we create an agenda that is
valuable to all participants, we requested their feedback on the types of
sessions that they would find most useful, the types of skills and
knowledge that they would like to learn, and the outcomes that would make
their participation feel well spent. We also asked participants to propose
sessions that they would like to facilitate at the event.
Based on the analysis of partner feedback, we created the final agenda
based on the most pressing needs, interests, and requests identified in
most survey responses, while taking into account the diversity in
participant backgrounds. We also coordinated with partners who expressed
interest (through our survey) in facilitating sessions to include their
proposed sessions in the final agenda.
In April 2024 (several weeks in advance of the event), we shared the final
Agenda with all OONI Partner Gathering participants. The detailed Agenda of
the OONI Partner Gathering 2024 is available here:
https://ooni.org/documents/OONI-Partner-Gathering-Agenda.pdf
We also created an additional, internal, and more detailed agenda for our
team to enable coordination and the management of logistics during the
event.
Prior to the event, we prepared and shared the following with participants:
* Code of Conduct:
https://ooni.org/documents/Information-Package-CoC-Privacy-Policy.pdf
* Communication Guidelines:
https://ooni.org/documents/Information-Package-Communication-Tips.pdf
* Privacy Policy
* OONI Partner Gathering Information Package (providing detailed
information about the event, logistical details, and answers to Frequently
Asked Questions (FAQ) about the event)
* Facilitation guidelines (shared with all OONI Partner Gathering
facilitators)
* Participant list document
* COVID-19 Safety Guidelines
* Emergency Information document
Moreover, in preparation for the OONI Partner Gathering 2024, we:
* Created a dedicated OONI Partner Gathering 2024 mailing list;
* Created a dedicated OONI Partner Gathering 2024 Signal group;
* Created documents for note-taking during the OONI Partner Gathering
sessions;
* Created slides for various OONI Partner Gathering sessions;
* Created certificates for each of the participants;
* Ordered OONI t-shirts, banners, stickers, flyers, tote bags, and lanyards
for the event;
* Ordered COVID-19 masks, tests, and hand sanitizers for the event.
*## Rapid response*
*### Blocking of TikTok in Kyrgyzstan*
In response to the blocking of TikTok in Kyrgyzstan, we shared relevant
OONI data and information on Twitter/X:
https://twitter.com/OpenObservatory/status/1782005308342055256
We subsequently published a report on our Censorship Findings page,
providing further information on the blocking of TikTok in Kyrgyzstan:
https://explorer.ooni.org/findings/154621229001
*## Community use of OONI data*
*### Report on the blocking of Grindr in Malaysia*
Our partner, Sinar Project, published a report documenting the blocking of
Grindr in Malaysia based on OONI data:
https://imap.sinarproject.org/news/internet-censorship-update-blocking-of-g…
They also encouraged OONI Probe testing of Grindr in Malaysia on Twitter/X:
https://twitter.com/sinarproject/status/1781287369213395291
*## Community activities*
*### DRL Implementers Meeting 2024*
Between 1st-4th April 2024, OONI’s Arturo and Jessie traveled to Washington,
D.C. to attend the DRL Implementers Meeting 2024.
As part of their participation, they facilitated sessions about community
organization and governance, and communicating security risks to users.
*### OONI training by Zaina Foundation for researchers in Tanzania*
On 4th April 2024, our partner, Zaina Foundation (
https://ooni.org/partners/zaina-foundation/), facilitated an OONI training
for researchers in Tanzania (
https://x.com/ZainaFoundation/status/1776243051339350226).
OONI’s Elizaveta joined the training through remote/online participation,
provided a live demo of using OONI Explorer, and addressed the questions of
the participants.
*### Digital Rights & Inclusion Forum (DRIF) 2024*
Between 23rd-25th April 2024, OONI’s Elizaveta traveled to Accra, Ghana, to
participate in the Digital Rights & Inclusion Forum (DRIF) 2024.
As part of her participation, Elizaveta facilitated a session on
strengthening community response to internet censorship (
https://drif.paradigmhq.org/agenda/). While in Accra, Elizaveta also shared
OONI’s work as part of a TV interview with Pan African TV:
https://www.facebook.com/PANAFRICANTV/videos/979923349677358
*## Measurement coverage*
In April 2024, 57,990,058 OONI Probe measurements were collected from 2,887
networks in 167 countries around the world.
This information can also be found through our measurement stats on OONI
Explorer (see chart on “monthly coverage worldwide”):
https://explorer.ooni.org/
~ OONI team.
As some of you have already noticed, a security issue regarding the
Yubikey 5 series was released two days ago. Sadly, the Yubikeys
distributed at the 2023 Tor Meeting in Costa Rica are affected.
### The issue at hand
To work their magic, Yubikeys store a secret key inside them that is
never supposed to leave the device. Researchers at NinjaLab found out
that by physically probing one of the chips inside a Yubikey, it is
possible to acquire this secret key. Once an adversary has acquired such
a secret key, they can use this to perform two-factor authentication
and/or OpenPGP operations, as if they were the owner of the device.
In practice, abusing this vulnerability is quite costly. It requires:
- having physical access to your Yubikey
- knowing a password(s) to one of your accounts protected by two-factor
authentication (and/or your PIN if you use passkey) to get to your
two-factor secret key
- knowing your PIN to get to your OpenPGP secret key
Nevertheless, it's not unthinkable that adversaries with sufficient
resources may be targeting Torproject.
### Am I affected?
- Was the Yubikey you use given to you in Costa Rica? Then yes, you are
affected.
- Are you using a Yubikey 5 that was purchased before May this year?
Then yes, you are affected.
- Are you using a Yubikey 5 that was purchased after May this year?
Then you should check the firmware version to see if you are
affected. Keys with firmware prior to 5.7 are affected.
For instructions on how to find out which firmware your Key has, see the
[Where to find YubiKey Firmware][] guide from Yubico. Command-line users
can use the `ykman info` command to view the firmware version.
[Where to find YubiKey Firmware]: https://support.yubico.com/hc/en-us/articles/12420838928284-Where-to-find-Y…
### What does this mean for me?
The impact for you depends on what you use your Yubikey for.
#### For two-factor authentication
If you use your Yubikey for two-factor authentication, this attack can
be used on top of a regular phishing attack to permanently break the
second factor and compromise your accounts, without you noticing.
#### For OpenPGP signing and decryption
If you use your Yubikey for OpenPGP signing or authentication, you
should check what type of key you have:
- If it's an RSA key, you are not affected by this vulnerability.
- If it's an elliptic curve key, and the attacker knows your PIN, this
attack can be used to gain access to and make a copy of your secret
key. An attacker could then forge signatures, authenticate to servers,
or possibly decrypt other secrets.
### What should I do?
First of all, in the wise words of Douglas Adams: don't panic.
We advise you to take care of the following:
- Keep using your Yubikey for two-factor authentication; it is still
much safer than TOTP (e.g., Google Authenticator) or not having any
two-factor authentication.
- Do make sure you don't leave your Yubikey unattended, especially
during conferences, in hotel rooms, etc.
- Avoid using passkey (passwordless authentication).
- Apply multi-coloured glitter nail polish on the casing of your Yubikey
(yes, really) and store a photo of it. If you have reason to believe
the device has been tampered with, check if the glitter is still the
same.
- If you use your Yubikey for OpenPGP and have an elliptic curve key,
please ensure you have a strong PIN. You may consider switching to an
RSA key or switching to a newer Yubikey using firmware 5.7 or higher,
depending on the impact a compromise of your key may have.
### References
- Yubico advisory YSA-2024-03: https://www.yubico.com/support/security-advisories/ysa-2024-03/
- Technical paper: https://ninjalab.io/wp-content/uploads/2024/09/20240903_eucleak.pdf
### Further questions
If you have any questions about the safety of your Yubikey, please feel
free to contact TPA, see:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/support
--
Antoine Beaupré
torproject.org system administration
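The "Am I affected?" and OpenPGP key-type checks from the advisory above, written out as a shell triage script. This is an added example, not part of the original message. It assumes `ykman info` prints a `Firmware version:` line and `gpg --card-status` prints a `Key attributes` line; the function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a YubiKey against the criteria in the advisory above.

# Constructed sample outputs (not captured from a real device).
SAMPLE_YKMAN='Device type: YubiKey 5 NFC
Serial number: 00000000
Firmware version: 5.4.3
Form factor: Keychain (USB-A)'
SAMPLE_YKMAN_FIXED='Device type: YubiKey 5C NFC
Firmware version: 5.7.1'
SAMPLE_CARD_ECC='Version ..........: 3.4
Key attributes ...: ed25519 cv25519 ed25519'
SAMPLE_CARD_RSA='Key attributes ...: rsa4096 rsa4096 rsa4096'

# Print the X.Y.Z firmware version found in `ykman info` output on stdin.
firmware_version() {
    sed -n 's/^Firmware version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify a version string: prints affected | fixed | unknown.
# Per the advisory text, YubiKey 5 firmware prior to 5.7 is affected.
classify_firmware() {
    case "$1" in
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    fw_major=${1%%.*}
    fw_rest=${1#*.}
    fw_minor=${fw_rest%%.*}
    case "$fw_major" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$fw_minor" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$fw_major" -gt 5 ]; then
        echo fixed
    elif [ "$fw_major" -lt 5 ]; then
        echo unknown   # the message only covers the YubiKey 5 series
    elif [ "$fw_minor" -lt 7 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Classify the OpenPGP key slots from `gpg --card-status` output on stdin:
# prints rsa | ecc | mixed | unknown.
openpgp_key_class() {
    attrs=$(sed -n 's/^Key attributes[ .]*:[[:space:]]*//p' | head -n 1)
    if [ -z "$attrs" ]; then echo unknown; return 0; fi
    seen_rsa=0; seen_ecc=0; seen_other=0
    for attr in $attrs; do
        case "$attr" in
            rsa[0-9]*) seen_rsa=1 ;;
            ed25519|cv25519|nistp*|brainpool*|secp*) seen_ecc=1 ;;
            *) seen_other=1 ;;
        esac
    done
    if [ "$seen_other" -eq 1 ]; then echo unknown
    elif [ "$seen_ecc" -eq 1 ] && [ "$seen_rsa" -eq 1 ]; then echo mixed
    elif [ "$seen_ecc" -eq 1 ]; then echo ecc
    else echo rsa
    fi
}

# triage <ykman-info-text> <card-status-text>: one-line summary per use case.
triage() {
    fw=$(printf '%s\n' "$1" | firmware_version)
    fw_state=$(classify_firmware "$fw")
    key_class=$(printf '%s\n' "$2" | openpgp_key_class)
    if [ "$fw_state" != affected ]; then
        twofa=$fw_state; pgp=$fw_state
    else
        twofa=affected
        case "$key_class" in
            rsa) pgp=not-affected ;;      # RSA keys are not affected
            ecc|mixed) pgp=affected ;;    # an elliptic curve key is present
            *) pgp=check-key-type ;;
        esac
    fi
    echo "firmware=${fw:-?} state=$fw_state 2fa=$twofa openpgp=$pgp"
}

# Demo on the constructed samples.
triage "$SAMPLE_YKMAN" "$SAMPLE_CARD_ECC"
triage "$SAMPLE_YKMAN" "$SAMPLE_CARD_RSA"
triage "$SAMPLE_YKMAN_FIXED" "$SAMPLE_CARD_ECC"
```

On a real device, call `triage "$(ykman info)" "$(gpg --card-status)"` instead of passing the sample variables.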
Hi,
This is my first status report since joining TPI on August 12th. As I'm
still getting up to speed, I may have missed some details, but I'll
ensure more comprehensive reports in the future.
During August, my primary focus was familiarizing myself with Figma
libraries, addressing minor issues, and studying Acorn, Mozilla’s design
system.
Here are some key activities:
* Attended onboarding meetings from August 12th to August 19th;
* Set up accounts and passwords;
* Resolved minor issues in GitLab, such as updating the bridge-emoji
background:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42698#n…
Since then, I’ve been concentrating on:
* Tasks related to Figma, UI and design system, aligning Tor Browser’s
UI elements with those of Firefox;
* Addressing small UI-related issues.
Cheers,
—
Felicia (she/her)
Hey everyone!
Here are our meeting logs:
http://meetbot.debian.net/tor-meeting/2024/tor-meeting.2024-09-05-16.00.html
And our meeting pad:
Anti-censorship work meeting pad
--------------------------------
Anti-censorship
--------------------------------
Next meeting: Thursday, September 12 16:00 UTC
Facilitator: onyinyang
^^^(See Facilitator Queue at tail)
Weekly meetings, every Thursday at 16:00 UTC, in #tor-meeting at OFTC
(channel is logged while meetings are in progress)
This week's Facilitator: shelikhoo
== Goal of this meeting ==
Weekly check-in about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at the
Tor Project and Tor community.
== Links to Useful documents ==
* Our anti-censorship roadmap:
    * Roadmap: https://gitlab.torproject.org/groups/tpo/anti-censorship/-/boards
* The anti-censorship team's wiki page:
    * https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/home
* Past meeting notes can be found at:
    * https://lists.torproject.org/pipermail/tor-project/
* Tickets that need reviews: from projects, we are working on:
    * All needs review tickets:
        * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/merge_requests?s…
    * Project 158 <-- meskio working on it
        * https://gitlab.torproject.org/groups/tpo/anti-censorship/-/issues/?label_na…
== Announcements ==
*
== Discussion ==
* (empty)
== Actions ==
== Interesting links ==
* https://www.bamsoftware.com/talks/wac7-fep/
* dcf's recent talk (45 min) "How cryptography relates to
Internet censorship circumvention"
== Reading group ==
* We will discuss "SpotProxy: Rediscovering the Cloud for
Censorship Circumvention" on September 12
* https://www.cs-pk.com/sec24-spotproxy-final.pdf
* https://censorbib.nymity.ch/#Kon2024b
* Questions to ask and goals to have:
* What aspects of the paper are questionable?
* Are there immediate actions we can take based on this work?
* Are there long-term actions we can take based on this work?
* Is there future work that we want to call out in hopes
that others will pick it up?
== Updates ==
Name:
This week:
- What you worked on this week.
Next week:
- What you are planning to work on next week.
Help with:
- Something you need help with.
cecylia (cohosh): 2024-08-29
Last week:
- went through massive todo backlog
- dealt with breaking changes in KCP library
- answered a bunch of Lox questions for integration work
- cleared out review backlog
This week:
- take a look at snowflake web and webext translations and best
practices
- make changes to Lox encrypted bridge table
- https://gitlab.torproject.org/tpo/anti-censorship/lox/-/merge_requests/147
Needs help with:
dcf: 2024-09-05
Last week:
Next week:
- archive snowflake webextension v0.9.0 (manifest V3)
- comment as requested on kcp v5.6.17 upgrade
- open issue to have snowflake-client log whenever KCPInErrors
is nonzero: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…
- parent: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…
- open issue to disable /debug endpoint on snowflake broker
- move snowflake-02 to new VM
Help with:
- tell me when to restart the brokers for
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…
meskio: 2023-08-29
Last week:
- don't distribute blocked-in bridges in moat and https (rdsys#204)
- plan switch from BridgeDB to rdsys (rdsys#218)
Next week:
- add ipversion subscription to rdsys
- be ready for the BridgeDB switch
Shelikhoo: 2024-09-05
Last Week:
- snowflake broker update/reinstall
- Review fix: extension not starting after browser restart (https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…)
- Research: respond to YSA-2024-03 (YubiKey < 5.7
side-channel attack on ECC private keys)
(https://gitlab.torproject.org/tpo/tpa/team/-/issues/41744)
- Release Snowflake Webext(again)
- Merge request reviews
Next Week/TODO:
- Merge request reviews
- snowflake broker update/reinstall:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snow…
onyinyang: 2023-08-29
Last week(s):
- continued with key rotation integration work
- collected issues and TODOs for all Lox work that needs to be
done before deployment
Next week:
- finish up key rotation integration work
- add pref to handle timing for pubkey checks in Tor browser
- update lox protocols to return duplicate responses for an
already seen request
- add trusted invitation logic to tor browser integration:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42974
- Work on outstanding milestone issues:
in particular:
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/69
- key rotation automation
Later:
- begin implementing some preliminary user feedback mechanism
to identify bridge blocking based on Vecna's work
- improve metrics collection/think about how to show Lox is
working/valuable
- sketch out Lox blog post/usage notes for forum
(long term things were discussed at the meeting!):
https://pad.riseup.net/p/tor-ac-community-azaleas-room-keep
- brainstorming grouping strategies for Lox buckets (of
bridges) and gathering context on how types of bridges are
distributed/use in practice
Question: What makes a bridge usable for a given user, and
how can we encode that to best ensure we're getting the most appropriate
resources to people?
1. Are there some obvious grouping strategies that we
can already consider?
e.g., by PT, by bandwidth (lower bandwidth bridges
sacrificed to open-invitation buckets?), by locale (to be matched with a
requesting user's geoip or something?)
2. Does it make sense to group 3 bridges/bucket, so
trusted users have access to 3 bridges (and untrusted users have access
to 1)? More? Less?
theodorsm: 2024-08-22
Last weeks:
- Expose hooks in pion/webrtc library
Next weeks:
- Update Snowflake to use latest pion upstream releases
(DTLS: v3 and WebRTC: beta v4)
- Test Snowflake fork with covert-dtls
- Condensing thesis into paper
Help with:
- Feedback on thesis
Facilitator Queue:
onyinyang meskio shelikhoo
1. First available staff in the Facilitator Queue will be the
facilitator for the meeting
2. After facilitating the meeting, the facilitator will be moved to the
tail of the queue
(This message is unsigned as my email client is having some issues....)
Hello everyone!
Last month, we saw a massive uptick in user support requests coming from
Russian and Chinese speaking users. To put it in numbers, we answered a
little over 1100 unique user support requests across our various user
support channels. This can be attributed to the latest developments[0]
in Tor censorship in Russia and continued outreach work aimed towards
Chinese speaking audience[1] respectively. Since a majority of these
requests are from users in regions where Tor is censored, it has
involved helping users to download (using mirrors and GetTor) and
install Tor Browser, using censorship circumvention methods that will
work best for them, gathering feedback and general troubleshooting.
I dedicated some time testing the latest Tor Browser Alpha releases and
answered a number of Tor Browser related user support tickets.
Here's a more detailed breakdown of the tickets our user support team
worked on last month:
# Frontdesk (email support channel)
* 762(↑) RT tickets created
* 672(↑) RT tickets resolved
Tickets by numbers:
1. 350(↑) RT tickets: private bridge requests from Chinese speaking
users.
2. 237(↑) RT tickets: circumventing censorship in Russian
speaking countries.
3. 5 RT tickets: Reports of onion services (not
maintained by Tor Project) not working. We ask users to report to the
respective onion service operator.
4. 3(↓) RT tickets: Circumventing censorship with Tor in Farsi.
Highlighting some other topics we received questions and feedback about:
5. 4 RT tickets: Help with troubleshooting Tor Browser install on
Windows.
6. 3 RT tickets: Reports of websites blocking Tor.
7. 2 RT tickets: Help with installing Tor Browser on Linux.
8. Help with installing Tor Browser on macOS.
9. Question about contributing to Tor.
# Telegram, WhatsApp and Signal Support channel
* 751(↑) tickets resolved
Breakdown:
* 734(↑) tickets on Telegram
* 17(↓) tickets on WhatsApp
* 0(↓) ticket on Signal
Tickets by numbers:
1. 542(↑) tickets: circumventing censorship in Russian speaking
countries.
2. 46(↓) tickets: circumventing censorship with Tor in Farsi.
3. 27(↑) tickets: private bridge requests from Chinese speaking users.
4. 22(↑) tickets: helping users on iOS, using Onion Browser or Orbot, to
use censorship circumvention methods.
Highlighting some other topics we received questions about:
5. 10(↑) tickets: instructions on how to get Tor Browser binaries from
GetTor.
6. 2 tickets: Questions about what onion services are and how to
access them.
7. 2 tickets: Help with troubleshooting Tor Browser install
on Linux.
8. Help with troubleshooting Tor Browser install on macOS.
# Highlights from the Tor Forum
1. Issues connecting to Tor with bridges from Russia.[2]
2. 'lyrebird' in Tor Browser.[3]
3. Bookmarks in Tor Browser.[4]
Thanks!
e.
[0]: https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/iss…
[1]: https://github.com/torproject/tor4zh
[2]: https://forum.torproject.org/t/does-anyone-have-issues-with-the-connection-…
[3]: https://forum.torproject.org/t/lyrebird-can-prevent-tor-browser-from-workin…
[4]: https://forum.torproject.org/t/security-hole-with-bookmarks/14266
Hi! Below is my August’24 report!
In August, I resolved 928 (↑341) tickets:
* On Telegram (@TorProjectSupportBot) - 687 (↑260)
* On RT (frontdesk@tpo) - 233 (↑88)
* On WhatsApp (+447421000612) - 8 (↓5)
* and on Signal (+17787431312) - 0 (↓2)
The focus of my work is to help Russian-speaking users of Tor to install
the browser and bypass internet censorship. In August, internet
censorship in Russia became more strict, with YouTube and Signal being
blocked[0], as well as many Tor bridges. So we received more tickets
than usual: + 341 compared to July 24 - the growth or decrease by
category can be seen above.
Tor is reachable with bridges in Russia, and I updated and posted the
instructions for Russian users on the Forum [1].
We got a lot of questions from iOS users from Russia about what app they
should use.
Also, I helped users with troubleshooting and keep an eye on issues and
bugs to report them to Tor developers.
In August I submitted a copy/paste issue in Tor Browser [2], and continued
to monitor the issue with Tor Browser not working on some of the Samsung
devices [3].
[0] https://gitlab.torproject.org/tpo/anti-censorship/censorship-analysis/-/iss…
[1] https://forum.torproject.org/t/tor-blocked-in-russia-how-to-circumvent-cens…
[2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43064
[3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42714
Hi everyone!
Here is my status report for August 2024.
I spent this month almost only on tasks linked with the transition from
Firefox ESR115 to ESR128.
At the beginning of the month, I reviewed Dan's Android rebase.
Then, after it landed, I checked for new reproducibility problems. I
found only one with the license files [0]. The oss-license-plugin wasn't
updated upstream this year, so it must be linked with other toolchain
updates (including Java from 11 to 17 and Gradle).
The solution [1] was to build and use a patched plugin that uses
`TreeSet` instead of a `HashSet`.
Sadly, the APK sizes grew a lot between 115 and 128. For this reason, we
couldn't publish 14.0a2 and 14.0a3 on the Play Store for the x86 and
x86-64 architectures [2].
During this month, Claire, cohosh from the AC team, and I spent some
time investigating this. 14.0a4 should fit at least for Android x86-64.
For Android x86, we might have to shave another 100-200kB if we
understood how this threshold works.
Another issue I worked on was a leak of regional locale data with the
`Intl` API. During the rebase, we had to start specifying `RFPTarget`s,
and I chose the only one handled differently without realizing it.
This was a reminder of how important it is to upstream our patches
whenever possible.
I started the process for this one two years ago [3], but then it didn't
land because it would have applied also to the browser UI.
After finding a new fix that worked for us, I added a proposal to the
upstream bug on a possible approach that might also work for Firefox.
Another bug worth mentioning was a problem with mixed content in Onion
Services [4]. The fix eventually was easy [5], but it took me quite a
while to understand what was going on because it involved debugging
between parent and content processes.
Also, it was a great occasion to improve the Onion Sites I implemented
for testing [6] and the documentation around them. While doing so, I
accidentally learned that we accept self-signed certificates only if
they specify subject alternative names. This new knowledge allowed me to
quickly answer another issue [7] without further investigation.
Finally, Mozilla is releasing Firefox 115.15 tomorrow, which is expected
to be the last update for the 115 series [8].
However, it's also the last version supporting Windows 7. While we agree
that people shouldn't use unsupported operating systems, we know some of
our users don't have another choice.
So, if eventually Mozilla decides to extend the support for Firefox 115,
we might end up extending Tor Browser 13.5's life as well [9].
One of our updater changes is to check for the minimum requirements on
the client side to avoid sending the OS version to our update servers.
So, this month, I also simulated providing several updates to Firefox:
one compatible with Windows >= 7 and one with Windows >= 10.
Sadly, the updater didn't handle this case as expected, and I needed to
create a patch. We will need some additional deployment steps if we
actually provide the alternative update path.
In this case, we will also drop the hash check on the update files (it's
redundant since they are already signed) [10].
Cheers,
Pier
[0] https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/4…
[1] https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_re…
[2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42607
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1746668
[4] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/43013
[5] https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests…
[6] https://gitlab.torproject.org/tpo/applications/wiki/-/wikis/Development-Inf…
[7] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42887
[8] https://whattrainisitnow.com/release/?version=esr
[9] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42747
[10] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42737
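The client-side minimum-requirements check mentioned in the report above, sketched as an added example that is not part of the original email and is not Tor Browser's updater code. The manifest fields (`version`, `minOS`, `url`), the URLs and the version numbers are constructed assumptions; 6.1 and 10.0 are the Windows 7 and Windows 10 OS versions.

```javascript
// Constructed sample manifest. The field names (version, minOS, url) and the
// URLs are hypothetical, not Tor Browser's real update format.
const SAMPLE_MANIFEST = [
  { version: "14.0", minOS: "10.0", url: "https://updates.example/14.0.mar" },
  { version: "13.5.3", minOS: "6.1", url: "https://updates.example/13.5.3.mar" },
];

// Parse a dotted numeric version ("6.1", "13.5.3") into an array of integers.
function parseVersion(text) {
  if (typeof text !== "string" || !/^\d+(\.\d+)*$/.test(text)) {
    throw new Error(`malformed version: ${String(text)}`);
  }
  return text.split(".").map(Number);
}

// Return -1, 0 or 1; missing components count as 0, so "10" equals "10.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Pick the newest update this machine can run. localOS never leaves the
// client: every client downloads the same manifest and filters it locally.
function selectUpdate(manifest, localOS, installedVersion) {
  let best = null;
  for (const entry of manifest) {
    const runsHere = compareVersions(localOS, entry.minOS) >= 0;
    const isNewer = compareVersions(entry.version, installedVersion) > 0;
    if (!runsHere || !isNewer) continue;
    if (best === null || compareVersions(entry.version, best.version) > 0) {
      best = entry;
    }
  }
  return best;
}

console.log(selectUpdate(SAMPLE_MANIFEST, "6.1", "13.5.2"));  // Windows 7 client
console.log(selectUpdate(SAMPLE_MANIFEST, "10.0", "13.5.2")); // Windows 10 client
```

Because the server hands every client the same list, the request carries no OS version, and a client on the older OS stays on the older series instead of being offered a build it cannot run.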