- tor-project - lists.torproject.org

Update from Tor's Community Council
by Jens Kubieziel 13 Jul '17

13 Jul '17

Hi friends, I am writing on behalf of the Community Council with some updates. We wanted to be in touch and let folks know what we have been up to since the recent election. We have had several meetings with the new Council (Alison, qbi, Linda, Hiro, Gunner). We are enjoying working together. In the near term, we are prioritizing the drafting of policies and procedures for the Council. Our plan is to draft these sequentially and then ask for community input once we think specific policies and procedures are ready for feedback. Procedures we are drafting include case handling, Council operations (e.g. when and how we meet), and Council elections. Policies we are drafting include conflict of interest, operational security (in particular what we store and where), and confidentiality (what is and is not confidential). We welcome anyone interested to reach out to any or all Council members if you have input, questions or concerns you would like to share We'll continue to update the community at least once a month. thanks, -- Jens Kubieziel http://www.kubieziel.de Weisheit ist mehr als Wissen: Es kommt darauf an, was zu tun ist, und nicht, was zunächst getan werden soll. Herbert Clarke Hoover

4 4

Core Tor sponsor 4 June report
by isabela 12 Jul '17

12 Jul '17

In June we finished the task [1] to update dir-spec.txt to reflect prop278. We continue to run tests, compare measurements and fixed bugs, some were found at our test network, and an important one (more bellow) affecting other tor relays. Some of the bugs we diagnosed and fixed: #22460 Link handshake trouble: certificates and keys can get out of sync [2] #22466 "Crosscert is expired" warnings: RSA->Ed25519 identity crosscertifice apparently made in 1970? [3] #22751 LZMA coder causes crash when the sandbox is enabled [4] #22752 Assertion failure in consensus_cache_entry_handle_get on Windows [5] As mentioned, we found an important bug that cost us some time to figure out. This was related to the implementation of both proposals, 140 and 278. Where we didn't send the "not modified" header so relays would keep asking for data they already had and receive the document. This was leading to more bandwidth usage which is completely the contrary of our goal with this project. The bug was tracked under this ticket: #22702 Never send a consensus which the downloader already has [6] We collected measurements before and after fixing the bug [7]. If you look at our spreadsheets, in the "regression found" subsheet you will see that middle nodes (XXXm under ID) and relays (XXXr under ID) are above 100% in the delta, which is a regression (using more bandwidth). In the "regression fixed" subsheet, you can see that for XXXm and XXXr nodes this is fixed. They are around 55% which give us a bandwidth improvement of 45% for relays. For clients we ave reduced the bandwidth consumption to the point where we are now only using 41% of the bandwidth we used before version 0.3.1 of core tor. We are very happy with these results. For next month we will evaluate one more compression algorithm to see if we can improve these gains even more[8]. And we also received a ticket[9] from an user (relay operator) with a low-powered machine complaining about a side effect our solution have created. Where a relay now generates a bunch of diffs every time it gets a new consensus, and then it compresses them all in several ways, this happens in the background, but for low-powered machines is noticeable as it's taking a lot of resources. We have a couple of design changes to solve this in mind and will be working on it in July as well. [1] https://trac.torproject.org/projects/tor/ticket/22275 [2] https://trac.torproject.org/projects/tor/ticket/22460 [3] https://trac.torproject.org/projects/tor/ticket/22466 [4] https://trac.torproject.org/projects/tor/ticket/22751 [5] https://trac.torproject.org/projects/tor/ticket/22752 [6] https://trac.torproject.org/projects/tor/ticket/22702 [7] https://docs.google.com/spreadsheets/d/1l_m-kHkOrq4UGmTUtpuffbUY85fvcDQJaoF… [8] https://trac.torproject.org/projects/tor/ticket/22819 [9] https://trac.torproject.org/projects/tor/ticket/22883

1 0

Damian's Status Report - June 2017
by Damian Johnson 12 Jul '17

12 Jul '17

Short one this month but here ya go! http://blog.atagar.com/june2017/

1 0

Default obfs4 bridges frosty and dragon reporting 0 bandwidth since ~June 18
by David Fifield 10 Jul '17

10 Jul '17

These bridges, added to Tor Browser in ticket #22468, are reporting 0 bandwidth since a few days ago. Is there something wrong with them? https://atlas.torproject.org/#details/854173307E33686BBBAC36A3A093BEF320B71… https://atlas.torproject.org/#details/D9E712E593400635462172121B7DB90B07669…

1 1

Community Team report June 2017
by Alison 10 Jul '17

10 Jul '17

ello all, Here are the highlights of the Community Team's work in June 2017: June 2017 Community Team report Meeting notes June 2017 ================================================================== https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam#Curre… Tor Meeting planning ================================================================== Alison began planning for the October Tor Meeting in Montreal. Invites will go out very soon! Windows 10 user issue ================================================================== Alison and Phoul identified an issue that was preventing Windows 10 users from opening Tor Browser when they were also using a popular piece of banking software. Phoul was able to get the issue resolved, but this problem has occurred with past versions of both pieces of software, so we are working with the makers of the banking software to prevent this problem in the future. Community Team roadmap ================================================================== We're roadmapping our plans for the rest of 2017 and trying to coordinate our dependencies with other teams, particularly dependencies related to user support. Support portal/support wiki ================================================================== The full support portal has to be put on hold while we wait for an update on that funding, so we've opted to put the questions and answers onto a read-only wiki so that users have something to help them in the meantime. We'll publish the wiki in July with a blog post announcing it. Contributor guidelines ================================================================== Alison, atagar, and arma put the finishing touches on our core contributor (membership) guidelines draft, and arma initiated the proposal discussion on tor-internal at the end of June. Library Freedom Project ================================================================== We completed and submitted the IMLS grant at the beginning of June. We then began working with a graphic design firm on another grant to make infographic posters explaining basic privacy concepts, like encrypted messaging and strong passwords. If we get this grant, we'd print the posters in at least three languages (English, Spanish, and Arabic) and distribute them for free to any interested libraries. Outreach ================================================================== sukhe made plans to give two Tor talks in Toronto in August: https://lists.torproject.org/pipermail/tor-community-team/2017-June/000048.…. He also connected with folks at SFLC India and is working on some talks with them in September. Phoul, Alison, arma and others participated in the Localization Lab AMA. ================================================================== Next up: completing the community team roadmap, more meeting planning including the Montreal meeting and future Global South meeting(s), publishing the support wiki, drafting the code of conduct, writing documentation for FOSS/Tor cultural norms for onboarding new employees, organizing support team feedback to applications team. ================================================================== Thanks for reading! -- Alison Macrina Community Team Lead The Tor Project

1 0

GSoC 2017 - unMessage: Report #3
by Felipe Dau 07 Jul '17

07 Jul '17

Hi everyone! This is my report #3 for the unMessage GSoC project. # Updates Since the last report I mostly worked on making methods asynchronous using `Deferreds` and `@inlineCallbacks` (task #21 [0]), but also on learning how to properly use Twisted's reactor, which will be important for the tests (task #33 [1]). # What's next Continue working on these tasks to have new tests running soon. Thanks, -Felipe [1]: https://github.com/AnemoneLabs/unmessage/issues/21 [2]: https://github.com/AnemoneLabs/unmessage/issues/33

1 0

GSoC 2017 - Crash Reporter for Tor Browser: Report #3
by Nur-Magomed 07 Jul '17

07 Jul '17

Hi everyone! This is my bi-week status report for GSoC project "Crash Reporter for Tor Browser". # Crash Reporter Client: - added feature: blacklist to remove privacy-sensitive fields from reports[1]; - few updates in project-wiki [2]. # What's next Now work is focused on Socorro (crashreporter server side): adapting Socorro Collector (software that gets crashreports from clients) for changed crashreports. And, cypherpunks, thank you for ideas and editions in project-wiki [2]. Kind regards, Nur-Magomed [1] https://github.com/nmago/tor-browser/commit/613e9c65426ee448d8c2dcefbf32ed7… [2] https://trac.torproject.org/projects/tor/wiki/doc/crashreporter

1 0

GSoC 2017 - anon-connection-wizard: Report #3
by iry 07 Jul '17

07 Jul '17

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hello Tor people! The following is my bi-week status report for the anon-connection-wizard project. # anon-connection-wizard development ## features implemented - - switched from edit mark approach to torrc.d approach - - integrate anon-connection-wizard with the upcoming whonix14 ## features improved - - remove "advance" button on the main page ## links - - detailed discussion[0] [1] - - commits on Github [2] # torrc.d related work - - posted a feature request against Debian tor package on Debian BTS [3] - - tried to keep up with the torrc.d implementation process [4] # Next step - - torrc.d is a really important feature. I will see what I can help to make it available sooner. - - more testing on the integration with whonix14 - - investigate on how to successfully package it by "make deb-icup" - - use python's temporary directory features instead of .tmp which was created by myself - - continue polishing anon-connection-wizard and implement new features Thank you! Best, iry [0]: http://forums.kkkkkkkkkk63ava6.onion/t/graphical-gui-whonix-setup-wizard - -anon-connection-wizard-technical-discussion/650/280 [1]: http://phabricator.kkkkkkkkkk63ava6.onion/T699 [2]: https://github.com/irykoon/anon-connection-wizard/commits/master [3]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866187 [4]: http://forums.kkkkkkkkkk63ava6.onion/t/torrc-d-is-comming/4041 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJZX7d+AAoJEKFLTbxtzdU8sDwP/jIqXzhR7sHBcmseogmYxlu7 RnSz20JjhG5UCTALntk9czblThDfZhd6/oUdq7UrdXzEXDIjGfExM6OYkWOiIoAW 02q3d0eXtjMXJ5YwGe69AbiV0IaUeQJ5Hp/02/UmD3wnJK9nmNXA6Lo9cfVaEnif b+dt3zAPZpuJo8XNlNd2bG6+qA6qKVKu2FVvtYkogJCrkN18rZ/qXZki8y6hxjIA TVQ0JupbXrTzogT9aMFnAL8Qwndh+B4mVDpmI5AfRyEIMxJ0VDjFZylfypQHMTnk 4GQg22wCALdDzorbuzCQjfU6NKsUz3B4URi1XkamlSvytJaaceqZpfArTJ8/fGJm o3z2j+BnA3WvGMkX2VNPlJKugXlE5dwqFChJz0snLTKs5IQPbU9ImD1g327BXZAn 39WTGUh57c0r2p9auo8G/JJdczx6SAtnqeyogtIA8uXKKilDHPfY1adpBEBg3OMX Nk5C9jEyv/qPT+IitHRaukWWWZ1abH752caCQ7UKVzSj/UWrSE3k8A9vZ6u16UX+ TPc5Yzl3uwJ5Ny7hmeQ42RcSpw3XhOGHpXZ7FVag9rTXewHzJojj0NuF1gao7mDG kJmFc3Rn0ZU3Ueu0BIqLBrQpnYBsx93Zw5xLrx8Tkoy3gilwTAkUsEDYaJrwuLHQ KYxbSTEETvk73dZgiH1z =62jH -----END PGP SIGNATURE-----

1 0

Help brainstorm Tor myths
by Roger Dingledine 07 Jul '17

07 Jul '17

As part of my upcoming Defcon talk on onion services: https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Dingledine I'm thinking of including a section on Tor mythbusting. That is, there are all sorts of Tor misunderstandings and misconceptions floating around, and it seems smart to try to get them organized into one place as a start to resolving them. (Later steps for resolving them should include better and more consistent communication, and actually changing things so Tor is safer/stronger/better. One step at a time.) Below is an initial list to get us started, along with overly brief summaries of the reality underlying the myth. Please contribute more entries! To contribute best, please frame your entry from the perspective of a helpful and concerned Tor user or advocate, rather than as a crackpot conspiracy theorist. (Fun as it might be, I have little interest in socket-puppet trolling myself on stage, so phrasing myths in a constructive manner is the best way to move forward.) And also, don't get too hung up on the quick rebuttal text I've written: the goal here is to brainstorm the myths, not to write the perfect answer to each of them. That can come later. - "I heard the Navy wrote Tor originally (so how can we trust it)." (They didn't. I wrote it.) - "I heard the NSA runs half the exit relays." (Hard to disprove, but it doesn't make any sense for them to run exits. But that shouldn't make you relax, since they already surveil a lot of the internet, including some of the existing exit relays, so they don't *need* to run their own. Also, the Snowden documents give us some good hints that say no. Btw, use SSL.) - "I heard Tor is slow." (You're right, it's not blazing fast. But it's a lot faster than it was in earlier years. Tor's speed has most to do with how much load there is on the network, not on latency between the relays as many people believe. We need more relays.) - "I heard Tor gets most of its money from the US government." (Alas, this one is true. We have three categories of funding: basic research like from NSF, R&D like from the Open Technology Fund, and deployment and training like from the State Dept. See the financial documents that we publish for details. Alternatives would sure be swell.) - "I heard 80% of Tor is bad people." (There have been a bunch of confusing studies about Tor users and usage, and the numbers vary wildly based on what you're measuring and how you classify bad. But for the above stat, you probably heard it from a US DoJ attorney who misunderstood a journalist's article about one of these studies. Or who knows, maybe she maliciously twisted the results. See also the ongoing research work on measuring the "dark web".) - "I heard Tor is broken." (Man, this phrase represents a fundamental misunderstanding of computer security. All the academics go after Tor -- and it's great that they do -- because we're the best thing out there, plus we provide good documentation and help them in analyzing the attacks. You don't hear about breaks in centralized proxy companies because there's nothing interesting about showing flaws in them. Also, security designs adapt and improve, and that's how the field works. I'll try to keep my rant on this one short so it doesn't take over.) Thanks! --Roger

8 8

June 2017 Report for the Tor Browser Team
by Georg Koppen 07 Jul '17

07 Jul '17

Hi all! In June the Tor Browser team made 3 releases, Tor Browser 7.0[1], Tor Browser 7.0.1[2], and Tor Browser 7.5a1[3], switching Tor Browser users to an up-to-date Firefox 52 ESR version. Major new features coming with the switch to Firefox 52 ESR are Firefox's multiprocess mode and in-browser sandboxing. Unfortunately, the long awaited content sandboxing did not make it into the ESR 52 series due to stability issues but we are trying to backport the necessary patches for Tor Browser 7. We'll start with Tor Browser for Linux[4] but hope to do the same for macOS as well if there are different patches needed. For Windows users work on basic sandboxing support was and is ongoing, too.[5] The alpha release is almost identical to Tor Browser 7.0.1 with the notable exception of testing a fix for a vulnerability found in Firefox on Windows systems.[6] It got already upstreamed and all Tor Browser users on Windows will get it with the next Firefox update.[7] Non-release related work involved fixing our test suite for the ESR 52 transition[8] and preparing the launch of our own FP Central instance + using its results for our Q&A.[9] The full list of tickets closed by the Tor Browser team in June is accessible using the `TorBrowserTeam201706` keyword in our bug tracker.[10] In June we already started with addressing regressions coming with our switch to Firefox ESR 52 and plan to continue with that work in July. Interested parties can track the progress in our bug tracker following tickets with the `tbb-7.0-issues, tbb-regression` keywords.[11] Furthermore, we hope to work on some of the remaining `tbb-7.0-must` issues.[12] Finally, rbm nightly builds and making use of our own Panopticlick (a.k.a FP Central) instance is on our agenda for July as well. All tickets on our radar for this month can be seen with the `TorBrowserTeam201707` keyword in our bug tracker.[13] Georg [1] https://blog.torproject.org/blog/tor-browser-70-released [2] https://blog.torproject.org/blog/tor-browser-701-released [3] https://blog.torproject.org/blog/tor-browser-75a1-released [4] https://trac.torproject.org/projects/tor/ticket/22692 [5] https://trac.torproject.org/projects/tor/ticket/16010 [6] https://trac.torproject.org/projects/tor/ticket/21617 [7] https://hg.mozilla.org/releases/mozilla-esr52/rev/012e4429ccd9 [8] https://trac.torproject.org/projects/tor/ticket/21982 [9] https://trac.torproject.org/projects/tor/ticket/22587 [10] https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorB… [11] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… [12] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… [13] https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam2017…

1 1