We had our tor meeting at 2300 today, as is our custom in the first
week of the month.
You can read our logs here:
http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-08-07-22.59.html
Here are the contents of our pad:
= Network team meeting pad! =
This week's team meeting is at Wednesday 7 August 2300 UTC on
#tor-meeting on OFTC.
We have changed the day from Tuesday to Wednesday.
August schedule:
* Wednesday 7 August 2300 UTC (!!!)
* Monday 12 August 1700 UTC
* Monday 19 August 1700 UTC
* Monday 26 August 1700 UTC
Welcome to our meeting!
First meeting each month: Wednesday at 2300 UTC
Other meetings each month: Mondays at 1700 UTC until 3 November 2019,
when daylight saving time changes
On #tor-meeting on OFTC.
(This channel is logged while meetings are in progress.) (See
https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht…
for background.)
Want to participate? Awesome! Here's what to do:
1. If you have updates, enter them below, under your name.
2. If you see anything you want to talk about in your updates, put
them in boldface!
3. Show up to the IRC meeting and say hi!
After each week's meetings, the contents of this pad will be sent to
tor-project @ lists.torproject.org.
After that is done, the pad can be used for the next week.
== Previous notes ==
(Search the list archive for older notes.)
8 July: https://lists.torproject.org/pipermail/tor-project/2019-July/002390.html
In-person meetings:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2019Stockholm/No…
22 July: https://lists.torproject.org/pipermail/tor-project/2019-July/002401.html
29 July: https://lists.torproject.org/pipermail/tor-project/2019-July/002408.html
== Stuff to do every week ==
* Let's check the 0.4.1 release status page.
See https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor…
(This page automatically shows the latest trac ticket status.)
* Let's check and update the roadmap.
What's done, and what's coming up?
We're using a kanban board:
https://dip.torproject.org/torproject/core/tor/boards
* Check reviewer assignments! How did reviews from last week work? Any blockers?
Here are the outstanding reviews, oldest first, including sbws
https://trac.torproject.org/projects/tor/query?status=needs_review&componen…
== Reminders ==
* Remember to "/me status: foo" at least once daily.
* Remember that our current code reviews should be done by end-of-week.
* Make sure you are in touch with everybody with whom you are doing
work for the next releases.
* Remember to fill up the 'actual point' field when you close a
ticket. We need those to calculate velocity.
* Check other people's calls for help in their entries.
* When you are overloaded, it is ok to say "no" to things.
* And it is ok to reschedule things.
-------------------------------
---- 7 August 2019
-------------------------------
== Announcements ==
AFK
reminder: catalyst will be AFK Jul 29 through Aug 18
nickm will be AFK August 12 through August 16
ahf will be AFK all of August for BornHack and CCC Camp, but will be
on IRC every now and then
In September there is a technical writer from Google Season of Docs
starting to work with us on rewriting the Tor manual page. She will be
participating in the network team meetings. Her project:
https://developers.google.com/season-of-docs/docs/participants/project-tor
We are moving the kanban board from storm into
https://dip.torproject.org/torproject/core/tor/boards . This will help
lead a plan for migration into dip.torproject.org.
The release date for 0.4.1.x-stable is postponed to 20 August, so that
it will come out _after_ Nick is back from vacation. Please get all
041 blockers fixed and merged if possible?
== Discussion ==
- Technical writer: are you ok if she brings any of the issues of her
project to tor-dev and the discussion is there? (the IRC channel or
the mailing list? Both are fine) -ok
Technical Writer man page rewrite feedback: << teor: I will copy this
to some place for later. The project starts september 1st. --gaba >>
https://developers.google.com/season-of-docs/docs/participants/project-tor
* Tor is spelt "Tor" (the project) or "tor" (the program), not "TOR"
* should we change the existing 9 categories of options in the man page?
* tor command-line options belong in the man page, this is a man
page convention
* torrc options should have an explicit default value in the
values subsection
* torrc options should have an optional subsection that tells
users if they can't be changed at runtime
* some of the proposed changes might not be possible in nroff
format (the markup format used by man pages)
== Recommended links ==
Practical Concurrency
https://www.markbernstein.org/Aug19/PracticalConcurrencySomeRu.html
[OT] Remembering Toni Morrison
https://www.democracynow.org/2019/8/7/remembering_toni_morrison
== Updates ==
Name:
Week of XYZ (planned):
- What you planned for last week.
Week of XYZ (actual):
- What you did last week.
Week of ABC (planned):
- What you're planning to do this week.
Help with:
- Something you may need help with.
PLEASE DO NOT BULK-DELETE THE OLD ENTRIES!
Leave the "Planned" parts!
Leave the parts for last week and this week!
gaba:
Last week (actual):
. catching up
. s30
. roadmap
This week (planned):
. s28
Help with:
teor: (online first week of the month, offline at the usual meeting time)
Week of 29 July (actual):
- Leave until Tuesday
Urgent:
- travel reimbursements
- backlogs: email, IRC (mostly skipped), tickets
Roadmap:
- add tor controller trace logging to diagnose stem hangs (#30901)
- nickm suggested a simpler implementation today
- bugs I found while writing the control trace code
(need separate tickets)
Other:
- some code reviews
- merged CI for pluggable transports (#29267)
- other merges
- IPv6 funding proposal
- proposal 306 IPv6 happy eyeballs review
- backport deciding
- release 0.4.1 CI updates (#30835)
- CI fixes
Week of 5 August (planned):
Urgent:
- config.c refactor code review (#30914), because nickm is
going away next week
- triage remaining backport backlog
Roadmap:
- finish add tor controller trace logging to diagnose stem
hangs (#30901)
- try nickm's suggested simpler implementation
- split off bugs I found while writing the control trace code
Other:
- code reviews
Week of 5 August (actual):
Urgent:
- config.c refactor meeting
Roadmap:
- worked on add tor controller trace logging to diagnose
stem hangs (#30901)
- found bugs in practracker, draft add files script,
Other:
- ticket triage
- code reviews
- IPv6 funding proposal
- proposal 306 IPv6 happy eyeballs review
Nick:
Week of 29 July (planned):
- More 29211 work (config.c): validation and subsystems integration.
- Revise a bunch of earlier 29211 code
- Revise a bunch of earlier practracker code
- More practracker work
- Help with any remaining roadmapping issues
- Review and merge.
- Backport things to 0.4.0.x?
Week of 29 July (actual):
- Review prop306
- Various review and merge
- Revise practracker code, fix more practracker issues
- Analysis for walking onions paper
- Several proposal comments
Week of 5 August (planned):
- More review and merge
- Finish august practracker work by getting may-include support
- Fix several CI issues
- Work on validation refactoring for #29211 (config.c).
- Logs ot meetings
- Try to end the week with inbox zero
- Reschedule 041-stable
- Walking onions paper
- Start on 0.4.1.x release notes
- NOTE: I am on vacation next week!
Week of 5 August (actual):
- ...
Week of 12 august (planned):
- ON VACATION
Mike (may have to leave early):
Week of 7/29 (planned):
- Peer reviews
- Expense reports
- Try to determine severity of wtf-pad log warn bugs
- Define roles for Research Director position
- Try not to work more than max hours for July
Week of 7/29 (actual):
- Peer reviews
- Expense reports
- Looked into wtf-pad log bugs: added more log messages;
enumerated issues
- Fixed a comment in
https://trac.torproject.org/projects/tor/ticket/30942
- asn: plz verify my comment's claim that vanguards closing
circuits for dropped
cells in a testing framework is a reasonable plan
week of 8/7 (planned):
- Fix https://trac.torproject.org/projects/tor/ticket/30992 and/or
https://trac.torproject.org/projects/tor/ticket/31343
- Clean up #30942
- Catch up on researcher and scalability related mail
Need help with/at risk of dropping this month:
- Need nickm and asn's input on directions for #30992 and #30942
- Teor/catalyst/dgoulet: Does our CI or test network stuff
care if we have noisy protocol warns (#30942)? [It shouldn't. -nickm]
- Scalability work (making tickets, running or attending
meetings, proposals, etc) [don't worry about this for now. i can ping
you in 1 or 2 weeks for reviewing stuff -gaba]
- Deep-thought-required research project followup (masque,
BGP, ECN, etc)
- Private browsing meetings
- Relay community drive/mgmt (and related LTS herding)
- Circpad documentation + Sponsor 2 report
- Firefox ESR network code review
- Code reviews?
catalyst: - on leave
week of 07/08 (2019-W28) (planned):
- travel prep
- Stockholm meeting
week of 07/08 (2019-W28) (actual):
- travel prep
- Stockholm meeting
week of 07/15 (2019-W29) (actual):
- travel
- time off to recover from travel
week of 07/22 (2019-W30) (planned):
- Season of Docs selection due 07/23
- expense reports
- follow up from Stockholm meeting
- hand off some reviews to teor
- working partial days this week
asn:
Week of 07/01 (actual):
- Pushed #26294 branch to needs_review.
- Some more thoughts on the DoS thread.
- Some more thoughts on scaling thread.
- Lots of hackerone activity/triaging/rewarding (#31022, #31001,
plus one more not yet filed)
- Finished review/merge backlog.
Week of 07/08 (planned):
- Triaged a few wtf-pad related tickets but need more work: #30649, #31098.
- Tor meeting in Stockholm.
- Allhands expenses
ahf: - on leave
Week of 22/7 (planned):
- Do reimbursement
- Go over all notes from Stockholm that seem relevant to me.
- Follow up on pre-Stockholm items:
- Continue figuring out some info on a potential Danish funder.
- Continue with #5304 and #28930
Week of 22/7 (actually):
- Did reimbursement
- Went over all notes from Stockholm.
- Followed up on pre-Stockholm items:
- Continue figuring out some info on a potential Danish
funder (postponed until they are back from vacation).
- Continued work with #5304 and #28930
Week of 29/7 (planned):
- Finish off #5304 and #28930 before going on vacation.
- Review Roger's DEFCON slides.
- Do you need any help from me before I leave?
dgoulet: (offline)
Week of 29 july:
- Work on DoS tickets for sponsor 27.
- Some scaling work as well.
- Reproduce for Mike some circ padding issues on our HS DoS testbed.
- Merges and review.
Week of 5 august:
- Did scaling work for #31340. Takes a lot of work and concentration so I
rushed a lot of hours there so I can have 100% focus.
- Got #15516 merged finally so I can finalize prop305 this week.
- Planning to mostly finalize s27 things with the rest of the week.
Hello!
Our weekly Tor Browser meeting finished a couple of hours ago. Here
comes the usual link to our IRC log:
http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-08-05-17.30.l…
And the notes from the pads are below:
Week of August 5, 2019
Discussion
- OTF Browser Proposal: "Bringing Tor Browser into the mainstream"
- https://pad.riseup.net/p/otf-tb-2019-2020
- brainstorm for esr migration work & its effort
https://pad.riseup.net/p/otf-tb-esr-migration-brainstorm follow up
meeting august 19 19:30 UTC
- next browser meeting?
tjr
- FYI: the e10s pref has died in 68, you need to use an env var now:
https://bugzilla.mozilla.org/show_bug.cgi?id=1548941
- Landed a HiDPI patch for pdfs in -central. Can anyone with hardware
double check it works and I'll request backport? (pospeselr: tjr is
there a linux build available with the patch applied? If not I can spin
up a build locally but will take longer ;) ) (tjr:
https://archive.mozilla.org/pub/firefox/nightly/2019/08/2019-08-02-09-48-35…
) (pospeselr: looks good to me:
https://share.riseup.net/#fb7XRE1cWIfh-Xns08EDGQ latest stable on the
left, alpha build on the right) (\o/)
- For future reference:
a) From the bug, look for a comment with a mozilla-central
link like https://hg.mozilla.org/mozilla-central/rev/85385b4957e3
b) From there, there are lines containing 'first release
with' and 'first release without'
c) The 'files' link on that will take you to the Nightly
build directory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1537955
-
pospeselr:
Last Week:
- fixed #31251 (security level ux polish)
- reviewed #18101 :( (proxy bypass in windows file dialogs)
- submitted patch to mingw folks to add FOS_SUPPORTSTREAMABLEITEMS
to their shobjidl.h (this got pushed to master on Thursday, though turns
out it doesn't fix #18101 oh well)
- began work on #31286 (network settings in about:preferences)
This Week:
- continue on #31286
- begin prep for sept browser workshop trip
boklm (afk during meeting):
Last week:
- helped with building/publish 9.0a5 android release
- Reviewed/improved esr 68 linux changes: latest version is in
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/log/?h=linux…
This week:
- Will be mostly afk during this week (still reading emails in
case there is something important)
sysrqb:
Last week:
Release 9.0a5 prep and testing
Published Android release, 9.0a5
Rebasing and testing 68esr Android patches
Began troubleshooting #31140 a little (crash on aarch64)
This week:
More debugging on #31140 - this seems like it is affecting many
people
More work on 68esr patches
pili:
Last week:
- Meeting to divide up browser tasks
- S27 Reporting (work completion and monthly report)
- Helping with OTF Browser proposal
- Tried to do some triage but failed - what's the best way to
get a second opinion on a ticket without interrupting and forcing a
context switch?
This week:
- Sponsor 44 admin
- OTF Browser proposal
- Started Sponsor 30 triage - marking things as sponsor30-can
for now mainly, when I'm done I would like to review with the team to
make sure they make sense under sponsor
mcs and brade:
Last week:
- #30126 (Make Tor Browser on macOS compatible with Apple's
notarization).
- completed several rounds of testing.
- #29197 (Remove use of overlays from Tor Launcher).
- patch was submitted; reviewed by acat (thanks!)
- #31300 (Modify Tor Launcher so it is compatible with ESR68).
- patch and revisions were submitted; reviewed by acat (thanks!)
- #30429 (ESR 68 Rebase) — rebase updater patches.
- Participate in the “Georg tasks” transition effort.
This week/upcoming:
- #30429 (ESR 68 Rebase) — rebase updater patches.
- Respond to Antonela's comments in #30237 (Onion Services
client auth prompt).
acat:
Last week:
- Pushed revised esr68 branch (#30429)
- Reviewed #31300
- Reviewed #29197
- Reviewed some android patches (#31010)
- Landed https://bugzilla.mozilla.org/show_bug.cgi?id=1561322
This week:
(recovering from a stomach flu, hopefully should be 100% from
tomorrow on, but let's see)
- Finish reviewing Android patches (#31010) [sysrqb: i'm working
on rebasing these commits on top of your recent branch]
- Address possible review comments for #30429, and do one big
style-fixing pass (eslint, clang-format).
- Fix about:tor assertion failure in esr68 linux debug builds
(#31322)
- Backlog: upstreaming patches
antonela
Last week:
- we ran a Tor Browser Usage survey during the dev meeting.
This week:
- Sharing Tor Browser Usage survey results.
- Working with TB Network Settings
https://www.notion.so/TB90-Network-Settings-13be33d9b7ef4a65b8039d88f29f404c
GeKo:
Last week:
- dealt with backlog
- spent some time on HackerOne bugs
- tried to fix #30126 (prerequisites for macOS notarization) but
there is still stuff left to do :(
- reviews for esr68 nightlies: #30429, #10671, linux toolchain
patches (#30736, #30376 etc.)
- distracted by CCC camp submission
- moved browser workshop participation in September forward
- helped with 9.0a5
This week:
- moar reviews
- getting esr68 linux nightlies going (tentatively on Wed)
- some begin of the month team admin stuff
- hopefully fixing the macOS pre-notarization woes (#30126)
sisbell:
Last Week:
- Orbot project made a lot of commits over the last week. Went through
July/Aug commit and made updates to tor-android-service (branch 0801a)
- Changes also include updates to include x86_64 and armv8 support for
new version of tor browser.
- Prepared (will submit shortly, needs a little more testing) PR to
Orbot. These include changes to keep project in sync
- Updated tor-browser-build for new commit of tor-android-service
This Week
- Create gradle flavors to further isolate Orbot VPN code from the
code we need (this deals with some firing of intents we don’t need for
VPN). This will mean we shouldn’t require any patches in the future.
- Start applying previous esr60 patches to esr68
Georg
Here are our meeting notes:
http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-08-01-17.00.log…
And here is our meeting pad:
Anti-censorship work meeting pad
--------------------------------
Next meeting: Thursday August 1st 17:00 UTC
Weekly meetings, every Thursday at 17:00 UTC, in #tor-meeting at OFTC (channel is logged while meetings are in progress).
== Goal of this meeting ==
Weekly checkin about the status of anti-censorship work at Tor.
Coordinate collaboration between people/teams on anti-censorship at Tor.
== Links to Useful documents ==
* Our anti-censorship roadmap: https://storm.torproject.org/shared/knaG2lEzepdsCC21DYk4dD4hRtwcUGnXQvalH1s…
* Our roadmap consists of a subset of trac tickets.
* Note that there's a bug that causes the roadmap to load slowly. To work around it, first click on "All boards", and then on "ROADMAP Anti-censorship team"
* The anti-censorship team's wiki page: https://trac.torproject.org/projects/tor/wiki/org/teams/AntiCensorshipTeam
* GetTor's roadmap: https://dip.torproject.org/anti-censorship/gettor/boards
* Tickets that need reviews: https://trac.torproject.org/projects/tor/query?status=needs_review&componen…
---------------------------
---- 1st August 2019 ----
---------------------------
== Announcements ==
*
== Discussion ==
* Gettor seems to be down #31307
* Roadmap: how are we doing? Is everybody ok for me to organize it in gitlab instead of storm?
* trac updated it under keyword anti-censorship-roadmap: https://trac.torproject.org/projects/tor/query?status=accepted&status=assig…
== Actions ==
*
== Interesting links ==
* https://davidschinazi.github.io/masque-drafts/draft-schinazi-masque.html
* We should at least follow the standardisation process.
== Updates ==
FORMAT!
Name:
This week:
- What you worked on this week.
Next week:
- What you are planning to work on next week (related to anti-censorship work).
Help with:
- Something you may need help with.
hiro: (gettor days are Thursday)
This week:
Next week:
Past week:
phw:
This week (2019-08-01):
* Filed #31250 for snowflake.
* Filed #31252 for snowflake.
* Reviewed Tor Research Safety Board submission.
* Proof-read Roger's DEFCON slides.
* Revised BridgeDB patch for #9316 and sent summary of preliminary results to tor-dev@.
* Inspired by Karsten's feedback, thought about how to implement aggregate statistics.
* Got the commit bit for the website and updated obfs4 setup guide.
* Added a work-in-progress wiki page on retiring pluggable transports:
* https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/Guide…
* Read new IETF MASQUE proposal and subscribed to their mailing list:
* Here's a summary: https://lists.torproject.org/pipermail/anti-censorship-team/2019-July/00002…
* Started working on improving flow obfuscation in obfs4:
* Realised that obfs4's iat=1 mode sends 1350-byte (instead of 1500-byte) packets on both Linux and Windows? Trying to figure out why.
* A little bit more work in improving PT spec based on the issues we collected:
* https://trac.torproject.org/projects/tor/ticket/29285#comment:5
Next week:
Help with:
Gaba: (updated August 1st)
Last week ():
* off-line
This week (planned):
* hopefully will get into the roadmap
* hopefully move forward organizing s30
ahf
Last week:
- Worked on #28930
This week:
- Finished refactoring parts of #28930. Trying to figure out if we should begin the discussion on how PT's can report back on bootstrap info.
- Continued to work on a tool to convert Trac tickets into Gitlab tickets.
cecylia (cohosh): last updated 2019-08-01 (will try to attend, but at CLSI)
Last week:
- CLSI (31 July - 2 Aug)
- talk preparation
- checked on pion proxy and made progress towards windows build
- review of #27385 and merges
- review of some racecar reports/documents
This week:
- going to be on vacation Aug 5 - Aug 7
- snowflake dogfood
- finish windows build of pion branch (#28942 and #28942)
- sequencing layer for snowflake (#29206)
Help with:
catalyst:
week of 07/11 (actual):
- Stockholm meeting
week of 07/18 (actual):
- recovering from travel
week of 07/25 (planned):
- recovering from travel
- mostly sponsor31
- preparing for extended leave starting 07/29
arlolra: 2019-08-01
Last week:
- review of #31170
- deployed #27385
Next week:
- revisions to #30310
- start looking at the suggestions in #31109
- add a build step / documentation for code reuse in cupcake
- maybe more review of #31170
Help with:
-
dcf: 2019-08-01
Last week:
- merged some refactoring for Snowflake dark mode (#31170)
- reviewed proxy deadlock fix (#31100)
Next week:
- finish Snowflake dark mode (#31170)
Help with:
Hello Tor,
S27 - Onion Services
================
- We continued working with onionsites authentication.
https://trac.torproject.org/projects/tor/ticket/30237
- We shared working time with Tor Browser and Network developers during
the dev meeting to discuss our next steps on this project. You can
follow our design exploration by reading the relevant tickets or sneak
peeking here
https://trac.torproject.org/projects/tor/attachment/ticket/30281/O2.pdf
S9 - User Research
===============
- Gus and Narrira have been traveling through Uganda and Kenya during
June and July. With these travels, we consolidated our relationship with
partners in the global south community to follow our work on the next
sponsor year.
- We shared our first Persona work during the dev meeting. It is one of
the first steps to introduce human-centered design practices on our
workflow. If you didn't make the session, you could see our presentation
and downloads here
https://trac.torproject.org/projects/tor/attachment/wiki/org/meetings/2019S…
https://trac.torproject.org/projects/tor/ticket/30430
- During the dev meeting, we distributed a survey to collect feedback
about Tor Browser Usage. We will be sharing the results with the lists
soonish. Also, we want to collect this kind of feedback from the broad
community, so we are planning to extend this survey online.
S30 - Snowflake
============
- The anti-censorship team is working on the Snowflake web extension. We
worked on the user interface and other design deliverables.
https://trac.torproject.org/projects/tor/ticket/23888
OONI Explorer
===========
- We were working on reaching the stable release for the new OONI Explorer.
We have been polishing UI and UX tickets. You can play with the beta here
https://explorer-beta.ooni.io
- All the tickets we have been working on are here
https://github.com/ooni/explorer/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3…
Fundraising
=========
- We gave support to the Fundraising team on the Bug Smash Fund and
Defenders of Privacy campaigns. We provide visuals for the various
platforms used for promoting them.
- We published a fundraising banner at the latest Tor Browser release.
https://trac.torproject.org/projects/tor/ticket/30577
Thanks,
A
--
Antonela Debiasi
UX Team Lead
@antonela
E2330A6D1EB5A0C8
https://torproject.org
Hello Tor!
Today we launched our Bug Smash Fund. Through the month of August, all
donations the Tor Project receives will be marked to help us smash bugs
and respond rapidly to critical security issues. Many of you have
experienced why we need such a fund: this kind of work is not usually
covered by sponsors or grants, so we have to divert time and funds when
these kinds of things happen. And we know that they will happen. So this
month is an opportunity to help us prepare for smashing the bugs ahead.
If you’re able to make a donation, you can do so at
https://donate.torproject.org
We’re reaching out to community members, press, and influencers to
spread the word, and we could use your help spreading the word, too.
If you are on Twitter, you can help by sharing the blog post[1], writing
a tweet using one of the graphics Antonela made (which you can find on
the blog and our tweets) and using the hashtag #TorBugSmash, or just by
liking or RTing our posts[2] or any other positive mentions. Talking
about the fund IRL with someone close to you works great, too.
If you feel comfortable, writing a post that mentions your involvement
can have more impact than one without. You could write something like:
“Bugs happen. I’ve worked on fixing them with @torproject, and we know
there will be more. You can help us be prepared for what bugs may come
by making a donation this month. All donations will go towards smashing
bugs. #TorBugSmash https://donate.torproject.org”
As always, I’ll be watching for posts from the Tor community to engage
with and support. If there’s anything related to this campaign or our
work in general that I’ve missed or would be relevant for us to share,
please let me know. I’m also happy to talk over something you’re
considering posting if you want feedback. You can DM @torproject or me
personally @walnutwordsalad, send me an email, or ping me on IRC (stephw).
Cheers!
Steph
[1] https://blog.torproject.org/tors-bug-smash-fund-help-tor-smash-all-bugs
[2] https://twitter.com/torproject/status/1156910864391262208
--
Stephanie A. Whited
Communications Director
The Tor Project
IRC: stephw
PGP Fingerprint: E976 9771 7D46 2E63 9697 9F6D 6D6B 72C3 39A8 76AD
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6D6B72C339A876AD>
Hi,
Since the Tor project uses OpenPGP and GnuPG extensively in its
operations, I figured it was important to let the community know of an
ongoing attack against the keyserver infrastructure and GnuPG. The
longer story is available on dkg's blog here:
https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
... but a summary is that at least two prominent OpenPGP users have seen
their public key flooded with thousands of signatures, to the point
where their keys are now completely unusable.
I recommend you consider taking the following immediate actions, either:
1. in the short term, disable automated key refreshes on your keyring
(either through Parcimonie or manual scripts calling `gpg --refresh`
in some other way), or;
2. switch to the new keys.openpgp.org keyserver, by setting the
following in your `gpg.conf`:
    keyserver hkps://keys.openpgp.org/
The first action should only be used in the short term, to allow you to
evaluate your options. It might mitigate the problem (unless you somehow
allow the nasty keys to enter your keyring some other way), but it will
mean you will not be aware of the precious revocation certificates users
post when their key is compromised, so it's not an acceptable solution
in any way.
The second action has been tested as mitigating the problem, but has
several downsides as well:
a. it does not store UIDs unless they are verified and asked for
explicitly (workaround: keys can be shipped in-band with Autocrypt
or found through other mechanisms like WKD, Web Key Discovery)
b. it does not store UID signatures at all, which will impact the web
of trust (workaround: same as point a, and you should send signed
keys by email anyways to verify ownership of the UID, using tools
like caff, pius, gnome-keysign or monkeysign)
c. GnuPG cannot read refresh keys from keys.openpgp.org (workaround:
use the custom patch shipped in Debian experimental, see Debian bug
#930665)
d. it does not currently receive updates from the SKS pool (workaround:
upload key updates to keys.openpgp.org directly as well as the SKS
pool)
Note that keys.openpgp.org has been seeded with the global SKS keyserver
datastore, so it contains all the keys you would expect to be present on
the latter, except they are sanitized to avoid this problem.
I encourage users to:
1. upload their keys to the keys.openpgp.org keyserver
2. either switch to keys.openpgp.org by default or carefully
review their key fetching configuration to make sure it is not
vulnerable to this attack
3. review dkg's article and make sure your own keys are not affected
by this problem
If you have fetched a hostile key and GnuPG has become unusable, you
can recover by deleting the key with:
    gpg --delete-key C4BC2DDB38CCE96485EBE9C2F20691179038E5C6
Note that this may take anywhere from 20 minutes to an hour.
And then fetch dkg's key via WKD:
    gpg --locate-keys dkg@fifthhorseman.net
or his website, <https://dkg.fifthhorseman.net/dkg-openpgp.key>.
The other known key affected by this problem is Robert J. Hansen's key,
with the fingerprint "CC11BE7CBBED77B120F37B011DCBDC01B44427C7".
As far as I know, torproject.org infrastructure has not been
affected in any way by this attack. We carefully monitor keys we allow
in our keyring which should be sufficient to mitigate this attack.
A.
PS: to check if your key is affected *without* importing it into your
keyring, you can use the following command:
    FINGERPRINT=0x8DC901CE64146C048AD50FBB792152527B75921E # for example mine
    KEYSERVER="http://pool.sks-keyservers.net/"
    URL="$KEYSERVER/pks/lookup?op=get&search=$FINGERPRINT&options=mr&fingerprint=on&exact=on"
    curl -sSL "$URL"| gpg --list-packets | grep -c '^:signature packet:'
This counts the number of signatures on your key. A reasonable number is
less than or around a thousand. dkg's key has now around 55 000 signatures on
his key, which (naturally) causes some trouble in all OpenPGP
implementations.
--
Antoine Beaupré
torproject.org system administration
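Added example (not part of the mail above, and not Tor Project or GnuPG code): the signature count from the PS done without GnuPG, by reading only the OpenPGP packet framing defined in RFC 4880, with the count broken down by the User ID the signatures follow. The function names, the constructed sample certificates and the use of the mail's "around a thousand" figure as a hard limit are assumptions of this example.

```python
import base64
from collections import Counter

SIGNATURE, PUBLIC_KEY, USER_ID, SUBKEY = 2, 6, 13, 14  # RFC 4880 packet tags
REASONABLE_MAX = 1000  # assumption: the mail's "around a thousand" used as a limit


def dearmor(data: bytes) -> bytes:
    """Return binary OpenPGP data; decode ASCII armor (CRC-24 is not checked)."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.strip().splitlines()[1:]:
        line = line.strip()
        if line.startswith(b"-----END PGP"):
            break
        if not in_body:
            in_body = line == b""  # a blank line ends the armor headers
        elif not line.startswith(b"="):  # skip the checksum line
            body.append(line)
    return base64.b64decode(b"".join(body))


def new_format_length(buf: bytes, i: int):
    """Decode one new-format length header; return (length, next_index, partial)."""
    first = buf[i]
    if first < 192:
        return first, i + 1, False
    if first < 224:
        second = int.from_bytes(buf[i + 1:i + 2], "big")
        return ((first - 192) << 8) + second + 192, i + 2, False
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5, False
    return 1 << (first & 0x1F), i + 1, True  # partial body length


def iter_packets(buf: bytes):
    """Yield (tag, body) per packet, reading the framing and nothing else."""
    i = 0
    while i < len(buf):
        header, i = buf[i], i + 1
        if not header & 0x80:
            raise ValueError(f"no OpenPGP packet header at offset {i - 1}")
        if header & 0x40:  # new format: tag in the low six bits
            tag, body, partial = header & 0x3F, b"", True
            while partial:
                if i >= len(buf):
                    raise ValueError("truncated length header")
                n, i, partial = new_format_length(buf, i)
                body, i = body + buf[i:i + n], i + n
        else:  # old format: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (header >> 2) & 0x0F, header & 0x03
            width = 0 if ltype == 3 else 1 << ltype  # type 3: runs to end of input
            n = int.from_bytes(buf[i:i + width], "big") if width else len(buf) - i
            body, i = buf[i + width:i + width + n], i + width + n
        if i > len(buf):
            raise ValueError("truncated packet body")
        yield tag, body


def audit(data: bytes, limit: int = REASONABLE_MAX) -> dict:
    """Count signature packets in total and per User ID (or key) they follow."""
    per_owner, owner = Counter(), "(primary key)"
    for tag, body in iter_packets(dearmor(data)):
        if tag == USER_ID:
            owner = body.decode("utf-8", "replace")
        elif tag == SUBKEY:
            owner = "(subkey)"
        elif tag == SIGNATURE:
            per_owner[owner] += 1
    total = sum(per_owner.values())
    return {"signatures": total, "per_owner": dict(per_owner),
            "flooded": total > limit}


def packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Frame a short body as one packet; used only to build the samples."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body  # one-octet length, < 192
    return bytes([0x80 | tag << 2 | 1]) + len(body).to_bytes(2, "big") + body


def constructed_samples():
    """Constructed certificates with dummy bodies: only the framing is real."""
    uid = packet(USER_ID, b"Alice Example <alice@example.org>")
    sig = packet(SIGNATURE, b"\x04" * 20, new_format=False)
    clean = (packet(PUBLIC_KEY, b"\x04" * 30) + uid + sig * 3
             + packet(SUBKEY, b"\x04" * 30) + sig)
    flooded = packet(PUBLIC_KEY, b"\x04" * 30) + uid + sig * 1500
    armored = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
               + base64.encodebytes(clean)
               + b"=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
    return clean, flooded, armored


if __name__ == "__main__":
    names = ("clean", "flooded", "armored")
    for name, cert in zip(names, constructed_samples()):
        report = audit(cert)
        print(name, report["signatures"], "FLOODED" if report["flooded"] else "ok")
```

Because nothing is imported and no signature is verified, the count costs one pass over the bytes; audit() accepts either the armored text a keyserver returns or binary key data.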
Hello!
Here come the notes from our last two meetings, held on 22 and 29 July.
The IRC logs can be found at:
http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-07-22-17.29.l…
http://meetbot.debian.net/tor-meeting2/2019/tor-meeting2.2019-07-29-17.30.l…
And the pad items for both meetings are:
Week of July 29, 2019
Discussion
- team capacity and ticket estimations
- We seem to get a bunch of messages on frontdesk@ with no subject and
no content other than a generic sent by mobile phone make signature.
Could these be coming from TBA somehow? [sysrqb: i think no. At least I
don't think we added frontdesk@ anywhere on Android][GeKo: Pili tries to
investigate this issue by asking back how users got to send those
messages to our system]
- esr68 switch for nightlies
(https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb…)
[GeKo: The plan is to get Linux nightlies going early next week,
building support for the other platforms on top of that]
pospeselr:
just got back home last night and still out of it so will probably
miss this meeting
Last Week(s):
- vacation
- investigated cause of #31251 (Security Level menu hangs off
of the toolbarbutton element when it should hang off of the
toolbarbutton's child element with toolbarbutton-icon class)
- solution here seems to be a relatively simple refactor
This Week:
- catch up on backlog
- sync up with antonela on design for network settings in
preferences (do we have a ticket # for this?) [GeKo: Yes, I just created
one: #31286]
- fix #31251
- review how screen reader UX is for the security level UI and file
bugs if necessary
Ongoing:
- bug the wine devs to get our widl patches in
mcs and brade:
Last week:
- #30429 (ESR 68 Rebase) — provided feedback on a few patches
that acat rebased already.
- #30429 (ESR 68 Rebase) — started rebasing updater patches.
- Upgraded our primary Tor development computer from macOS
10.13.x to 10.14.x and dealt with fallout.
This week/upcoming:
- #30126 (Make Tor Browser on macOS compatible with Apple's
notarization).
- #29197 (Remove use of overlays from Tor Launcher).
- #30429 (ESR 68 Rebase) — rebase updater patches.
- Respond to Antonela's comments in #30237 (Onion Services
client auth prompt).
GeKo:
Last week:
- afk
This week:
- sending out remaining feedback summaries
- dealing with backlog
- helping with #30126
- review of esr68-rebased patches (#30429 and related tickets)
- helping with linux toolchain patches/issues for esr68
migration (see: #30320 and #30321 + respective child tickets)
- work on setting up android signing environment
- help with release for Google's 64bit requirement starting on
Aug 1 (see: #31260 and #31192 for discussions)
sisbell:
Last Week:
- Created esr68 branch and merged gk branch with new toolchain code.
- Fix for rust config to handle android
- Fix for using tor built clang rather than ndk one
- Patch for removing emulator requirement from Firefox build
- Investigation of breaking issues with mozconfig
This Week
- Start applying previous esr60 patches to esr68 [need assets, etc]
- Generate firefox gradle dependencies list
pili:
Last week:
- S27 July report
- GSoD final candidate selection
- Playing around with gitlab
- roadmap review
This week:
- S27 July report
- Future funding proposal for Browser team
- S27 work completion report
- Figuring out browser team task distribution
- Following up on fundraising banner localization
- coordinating Orfox transition
boklm:
Last week:
- afk
This week:
- Review gk's linux-esr68 branch, and try to make it ready to
merge for nightly
- Help with build for the TBA 64bit release
tjr
- Found a better solution for the alloc/dealloc bug, requested review
https://bugzilla.mozilla.org/show_bug.cgi?id=1547519
sysrqb:
Last week:
Recovery from travel
A little work on 68esr rebase/testing
Mail/backlog/etc
This week:
Backport patch for supporting x86 and aarch64 architectures (31260)
Investigate x86_64 support?
Help investigate aarch64 crash (31140)
68esr branch testing (and rebasing onto acat's most-recent branch)
acat:
Last week:
- Addressing review comments of rebased esr68 patches,
rebasing to new gecko-dev esr68 branch.
This week:
- Push rebased esr68 branches.
- Review/test Android ESR 68 rebased patches (#31010).
- Backlog: upstreaming patches
antonela:
Last week:
- vacations
This week:
- post-vacations
- we ran a Tor Browser Usage survey during the dev meeting.
Sharing results with lists this week.
- should work on Network settings -> General settings (#29197)
-----------------------------------------------------
Week of July 22, 2019
Discussion:
- 9.0 Nightly blockers:
https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb…
- Is there anything else that is missing from that list?
- tjr: Building project debootstrap-image -
container-image_jessie-amd64-2.tar.gz
- bash: cannot set terminal process group (8): Inappropriate ioctl
for device
- anyone recognize this?
Pili:
Last Week:
- reading and uploading notes from dev meeting
- digitizing roadmaps
- recovering from dev meeting
This week:
- Start looking at team capacity vs workload
- Roadmap review
- I need some help identifying whether some of the August
items have tickets for them already:
- Switch meek uTLS?
- #29430 - Use uTLS for meek TLS camouflage in Tor Browser -
https://trac.torproject.org/projects/tor/ticket/29430 ?
- Rip out meek?
- ? [from mcs: I think this is covered in #29430]
- Tor button migration
- #28745 - THE Torbutton clean-up -
https://trac.torproject.org/projects/tor/ticket/28745 ?
- Network settings in General settings
- #31286 - Include bridge configuration into about:preferences -
https://trac.torproject.org/projects/tor/ticket/31286
- Toolbar button for New Identity
- ? [brade: #27511]
- Tor Launcher for ESR68
- #29197 - remove use of overlays from Tor Launcher -
https://trac.torproject.org/projects/tor/ticket/29197 ?
- #30506 - Follow Firefox ESlint rules for torbutton and
tor-launcher integrated code -
https://trac.torproject.org/projects/tor/ticket/30506 ?
tjr
- Figured out at least one solution for the alloc/dealloc max
https://bugzilla.mozilla.org/show_bug.cgi?id=1547519
mcs and brade:
Last week:
- #30126 (Make Tor Browser on macOS compatible with Apple's
notarization).
- We need some help from gk; see comment:11 in the ticket.
- #29197 (remove use of overlays from Tor Launcher)
- We hope to do this by loading XUL fragments instead, but that
requires some ESR68 features.
- This is on hold until we make some progress on #30429.
This week/upcoming:
- #30429 (ESR 68 Rebase — look over a few patches that acat
rebased already).
- #30429 (ESR 68 Rebase — updater patches).
- #29197 (Remove use of overlays from Tor Launcher).
- #30126 (Make Tor Browser on macOS compatible with Apple's
notarization).
- Respond to Antonela's comments in #30237 (Onion Services
client auth prompt).
acat:
Last week:
- Worked on revision of #21830 upstream patch (locale detectable
by button width) https://bugzilla.mozilla.org/show_bug.cgi?id=1396224
- Investigated #29563 (css line-height revisited [at least zoom
and linux])
This week:
- Address GeKo's comments on #30429 (desktop ESR68 rebased patches)
- Review/test Android ESR 68 rebased patches (#31010).
- Submit revision for
https://bugzilla.mozilla.org/show_bug.cgi?id=1561322
- Try to fix #29563.
- Follow up https://bugzilla.mozilla.org/show_bug.cgi?id=1433030
(Copying large text from web console leaks to /tmp)
sisbell:
Last Week:
- #30461 - Update tor-android-service to use android toolchain (ready
for review)
- #30460 - Update TOPL to use android toolchain (ready for review)
- #31174 - Update android toolchain (ready for review)
- changes to tor-android-service (decoupled VPN module so we can
exclude building, updated jSocks so we use binary rather than build)
This Week
- integration and testing for Firefox build
Georg
Hello!
You can find the logs of our weekly meeting at
http://meetbot.debian.net/tor-meeting/2019/tor-meeting.2019-07-29-17.00.html
Below you can find the contents of our pad.
= Network team meeting pad! =
This week's team meeting is at Monday 29 July at 1700 UTC on
#tor-meeting on OFTC.
We have changed the day from Tuesday to Wednesday.
July schedule:
* Wednesday 3 July 2300 UTC - Changed Day!
* Monday 8 July at 1700 UTC
* (In-person meeting 12-14 July)
* Monday 22 July 1700 UTC
* Monday 29 July 1700 UTC
== Previous notes ==
(Search the list archive for older notes.)
3 June: https://lists.torproject.org/pipermail/tor-project/2019-June/002343.html
10 June: https://lists.torproject.org/pipermail/tor-project/2019-June/002354.html
17 June: https://lists.torproject.org/pipermail/tor-project/2019-June/002365.html
24 June: https://lists.torproject.org/pipermail/tor-project/2019-June/002373.html
3 July: https://lists.torproject.org/pipermail/tor-project/2019-July/002389.html
8 July: https://lists.torproject.org/pipermail/tor-project/2019-July/002390.html
In-person meetings:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2019Stockholm/No…
22 July: https://lists.torproject.org/pipermail/tor-project/2019-July/002401.html
== Stuff to do every week ==
* Let's check the 0.4.1 release status page.
See https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor…
(This page automatically shows the latest trac ticket status.)
* Let's check and update the roadmap.
What's done, and what's coming up?
We're using a kanban board:
https://storm.torproject.org/shared/_mx8PMGOHFBOximocl1gy3COvhLPr6k3Ja7JA1v…
Click on 'all boards' and then the network team one. Filter by
your name and check the 'in progress' column is correct.
* Check reviewer assignments! How did reviews from last week work? Any blockers?
Here are the outstanding reviews, oldest first, including sbws
https://trac.torproject.org/projects/tor/query?status=needs_review&componen…
Any blocker from last week?
== Reminders ==
* Remember to "/me status: foo" at least once daily.
* Remember that our current code reviews should be done by end-of-week.
* Make sure you are in touch with everybody with whom you are doing
work for the next releases.
* Remember to fill up the 'actual point' field when you close a
ticket. We need those to calculate velocity.
* Check other people's calls for help in their entries.
When you are overloaded, it is ok to say "no" to things.
And it is ok to reschedule things.
-------------------------------
---- 22 July 2019
-------------------------------
== Announcements ==
reminder: catalyst will be AFK Jul 29 through Aug 18
nickm will be AFK August 12 through August 16
ahf will be AFK all of August for BornHack and CCC Camp, but will be
on IRC every now and then
== Discussion ==
- we are moving the kanban board from storm into dip.torproject.org
== Recommended links ==
== Updates ==
Name:
Week of XYZ (planned):
- What you planned for last week.
Week of XYZ (actual):
- What you did last week.
Week of ABC (planned):
- What you're planning to do this week.
Help with:
- Something you may need help with.
PLEASE DO NOT BULK-DELETE THE OLD ENTRIES!
Leave the "Planned" parts!
Leave the parts for last week and this week!
gaba:
Last week (actual):
. vacation
This week (planned):
. catching up from last week
. following up from tor meeting
Help with:
teor: (offline at the usual meeting time)
Week of 8 July (actual):
Urgent:
- Taking time off before long-haul travel and Stockholm meeting
- Travel preparation
- Ticket triage
- Proposal responses
Backlog:
- code reviews
- add tor controller trace logging to diagnose stem hangs (#30901)
- disown or quick fix the rest of my tickets:
- I should only be owner on tickets I will work on in
the next month
- fix sponsor on tickets?
- CI for pluggable transports (#29267) <-- this is
priority over #29224 and 29227 in the roadmap --gaba
- Update EndOfLifeTor.md with our latest end of life
process (#30839)
- document disabled CI (#30745)
- triage remaining backport backlog
Nick:
Week of 22 July (planned):
- Review and merge
- Try to release 0.4.1.4-rc
- Backports for 0.4.0.x?
- More 29211 work (config.c): can I get all the backend code written?
- Reply wrt proposal 295
- Reply wrt proposal 306
- More practracker fixes, time permitting
Week of 22 July (actual):
- Progress on 29211 (config.c) -- solved multiplicity issues
and started on refactoring validation.
- Small fundraising conversations
- Review, merge, etc
- Added entries for S31 to roadmapping spreadsheet
- Released 0.4.1.4-rc
- Fixed a bunch of surprise jenkins warnings :/
Week of 29 July (planned):
- More 29211 work (config.c): validation and subsystems integration.
- Revise a bunch of earlier 29211 code
- Revise a bunch of earlier practracker code
- More practracker work
- Help with any remaining roadmapping issues
- Review and merge.
- Backport things to 0.4.0.x?
Mike:
Week of 7/22 (actual):
- Recovery from Stockholm + PETS
- Looked at #30992 logs (circpad warn) -- still not sure how
the wrong hop thing is happening.. :/
Week of 7/29 (planned):
- Peer reviews
- Expense reports
- Try to determine severity of wtf-pad log warn bugs
- Define roles for Research Director position
- Try not to work more than max hours for July
catalyst:
week of 07/08 (2019-W28) (planned):
- travel prep
- Stockholm meeting
week of 07/08 (2019-W28) (actual):
- travel prep
- Stockholm meeting
week of 07/15 (2019-W29) (actual):
- travel
- time off to recover from travel
week of 07/22 (2019-W30) (planned):
- Season of Docs selection due 07/23
- expense reports
- follow up from Stockholm meeting
- hand off some reviews to teor
- working partial days this week
asn:
Week of 07/01 (actual):
- Pushed #26294 branch to needs_review.
- Some more thoughts on the DoS thread.
- Some more thoughts on scaling thread.
- Lots of hackerone activity/triaging/rewarding (#31022, #31001,
plus one more not yet filed)
- Finished review/merge backlog.
Week of 07/08 (planned):
- Triaged a few wtf-pad related tickets but need more work: #30649, #31098.
- Tor meeting in Stockholm.
- Allhands expenses
ahf
Week of 22/7 (planned):
- Do reimbursement
- Go over all notes from Stockholm that seem relevant to me.
- Follow up on pre-Stockholm items:
- Continue figuring out some info on a potential Danish funder.
- Continue with #5304 and #28930
Week of 22/7 (actually):
- Did reimbursement
- Went over all notes from Stockholm.
- Followed up on pre-Stockholm items:
- Continue figuring out some info on a potential Danish
funder (postponed until they are back from vacation).
- Continued work with #5304 and #28930
Week of 29/7 (planned):
- Finish off #5304 and #28930 before going on vacation.
- Review Roger's DEFCON slides.
- Do you need any help from me before I leave?
dgoulet: (offline)
Week of 07/01 (actual):
- s27 DoS work: #15516, #24963/#24964
- Tor-dev update on the DoS experimentation:
https://lists.torproject.org/pipermail/tor-dev/2019-July/013923.html
Week of 07/08 (planned):
- Stockholm.
- Need to address urgently a series of pending bad-relays email.