[tor-commits] [community/develop] Add starter project ideas

Thu Jan 23 10:16:38 UTC 2020

commit b0158db91a3f99e7e664b9d1577f4374947546d7
Author: Pili Guerra <pili at piliguerra.com>
Date:   Wed Jan 22 17:59:56 2020 +0100

    Add starter project ideas
---
 .../gsoc/cloudflare-captcha-monitoring/contents.lr | 47 ++++++++++++++++
 content/gsoc/onion-toolbox/contents.lr             | 58 ++++++++++++++++++++
 content/gsoc/tor-relay-ipv6-support/contents.lr    | 56 +++++++++++++++++++
 content/gsoc/tor-weather/contents.lr               | 64 +++++++++++++++++++++-
 4 files changed, 223 insertions(+), 2 deletions(-)

diff --git a/content/gsoc/cloudflare-captcha-monitoring/contents.lr b/content/gsoc/cloudflare-captcha-monitoring/contents.lr
new file mode 100644
index 0000000..e6ba0d5
--- /dev/null
+++ b/content/gsoc/cloudflare-captcha-monitoring/contents.lr
@@ -0,0 +1,47 @@
+_model: project
+---
+_template: project.html
+---
+active: True
+---
+section: GSoC
+---
+section_id: gsoc
+---
+color: primary
+---
+key: 1
+---
+languages: javascript
+---
+mentors: arma, gk
+---
+difficulty: medium
+---
+title: Cloudflare Captcha Monitoring
+---
+summary:
+
+We should track the rate that cloudflare gives captchas to Tor users over time.
+
+---
+description: 
+
+My suggested way of doing that tracking is to sign up a very simple static webpage to be fronted by cloudflare, and then fetch it via Tor over time, and record and graph the rates of getting a captcha vs getting the real page.
+
+The reason for the "simple static page" is to make it really easy to distinguish whether we're getting hit with a captcha. The "distinguishing one dynamic web page from another" challenge makes exitmap tricky in the general case, but we can remove that variable here.
+
+One catch is that Cloudflare currently gives alt-svc headers in response to fetches from Tor addresses. So that means we need a web client that can follow alt-srv headers -- maybe we need a full Selenium like client?
+
+Once we get the infrastructure set up, we would be smart to run a second one which is just wget or curl or lynx or something, i.e. which doesn't behave like Tor Browser, in order to be able to track the difference between how Cloudflare responds to Tor Browser vs other browsers.
+
+I imagine that Cloudflare should be internally tracking how they're handling Tor requests, but having a public tracker (a) gives the data to everybody, and (b) helps Cloudflare have a second opinion in case their internal data diverges from the public version.
+
+The Berkeley ICSI group did research that included this sort of check:
+https://www.freehaven.net/anonbib/#differential-ndss2016
+https://www.freehaven.net/anonbib/#exit-blocking2017
+but what I have in mind here is essentially a simpler subset of this research, skipping the complicated part of "how do you tell what kind of response you got" and with an emphasis on automation and consistency.
+
+There are two interesting metrics to track over time: one is the fraction of exit relays that are getting hit with captchas, and the other is the chance that a Tor client, choosing an exit relay in the normal weighted faction, will get hit by a captcha.
+
+Then there are other interesting patterns to look for, e.g. "are certain IP addresses punished consistently and others never punished, or is whether you get a captcha much more probabilistic and transient?" And does that pattern change over time?
\ No newline at end of file
diff --git a/content/gsoc/onion-toolbox/contents.lr b/content/gsoc/onion-toolbox/contents.lr
new file mode 100644
index 0000000..a551ba8
--- /dev/null
+++ b/content/gsoc/onion-toolbox/contents.lr
@@ -0,0 +1,58 @@
+_model: project
+---
+_template: project.html
+---
+active: True
+---
+section: GSoC
+---
+section_id: gsoc
+---
+color: primary
+---
+key: 1
+---
+languages: javascript
+---
+mentors: hiro, asn
+---
+difficulty: medium
+---
+title: Onion Tool Box
+---
+summary:
+
+Myonion is a developer tool box, providing a command line interface and a GUI to configure and deploy existing services via .onion. A minimal prototype for myonion already [exists](https://github.com/hiromipaw/myonion).
+
+Someone that may want to run an onion service can use the myonion wrapper app to start a .onion from their computer and sharea static website or a web application.
+
+Myonion can also be used to deploy the resulting configured app to a defined set of cloud providers.
+
+---
+description: 
+
+## Problem definition
+
+It is not necessarily difficult to use onion services, but it might be tricky to configure a web service to be offered via .onion so that it doesn’t leak sensitive information.
+
+There are detailed [guides](https://riseup.net/en/security/network-security/tor/onionservices-best-practices) available for users that would like to offer a web application via .onion and some tools have been developed to help service operators: discover known misconfiguration or [vulnerabilities](https://onionscan.org/) or deploy an [onion site](https://github.com/alecmuffett/eotk).
+
+## Scope
+
+Myonion provides a way to build and deploy onion ready applications, allowing developers to build and test web applications and easily share them with others, bundling the code and configuration in a lightweight, portable Docker container application that runs thesame everywhere.
+
+The experience for developers will be similar to using other industry solutions, like the [Docker desktop app](https://www.docker.com/products/docker-desktop).
+
+Developers using myonion are provided with pre-defined and customizable application templates, with corresponding configuration and a test set, eliminating  error-prone manual setup and known onion service configuration mistakes.
+
+The resulting application is therefore deployable via a set of endpoint management tools to known providers. Providing a way to deploy onion services at scale.
+
+## Impact
+
+The idea behind myonion is to make onion services accessible to developers that might be interested to innovate in the privacy space, building applications that are designed for privacy and security.
+
+Involving a wider developer community can help creating a better image of Tor and onion services, replacing the “dark net” narrative with the secure and private web one.
+
+Onion services can also be relevant to all those people interested in the “zero-trust” strategy. The concept behind zero-trust is to adopt strategies and tools to help prevent data breaches by eliminating the concept of trust from an organization’s network architecture, with the principle of never trust, always verify.
+
+Ultimately myonion is about creating a better experience for onion services developers and operators and therefore fostering a more legitimate onion service ecosystem.
diff --git a/content/gsoc/tor-relay-ipv6-support/contents.lr b/content/gsoc/tor-relay-ipv6-support/contents.lr
new file mode 100644
index 0000000..3624ca1
--- /dev/null
+++ b/content/gsoc/tor-relay-ipv6-support/contents.lr
@@ -0,0 +1,56 @@
+_model: project
+---
+_template: project.html
+---
+active: True
+---
+section: GSoC
+---
+section_id: gsoc
+---
+color: primary
+---
+key: 1
+---
+languages: C
+---
+mentors: teor, ahf, dgoulet, catalyst
+---
+difficulty: Medium
+---
+title: Improve Tor Relay IPv6 Support
+---
+summary:
+
+Tor helps people stay safe on the internet, by keeping their internet use secure and anonymous. More Tor clients are running on IPv6-only or dual-stack networks. But only 20% of Tor’s available relay bandwidth supports IPv6. We want to automate relay IPv6 address discovery and reachability checks, so that it is easier for relay operators to run IPv6 relays.
+
+---
+description: 
+
+Students may choose to focus on designing and implementing core features, tor relay testing, reporting statistics, or diagnosing and fixing bugs.
+
+
+## Prerequisites
+
+* Network configuration skills
+* Basic understanding of Internet Protocol (IP) versions
+
+Recommended:
+
+* Experience testing network software
+* Experience running Internet-connected servers
+
+## Links/Resources
+
+https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#IPv6
+
+https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/IPv6Features#ReachabilityChecks
+
+## Programming skills needed:
+
+* C coding
+* Building Unix-based software
+
+Recommended:
+
+* Experience with network programming
diff --git a/content/gsoc/tor-weather/contents.lr b/content/gsoc/tor-weather/contents.lr
index 9c7faa6..3bc6714 100644
--- a/content/gsoc/tor-weather/contents.lr
+++ b/content/gsoc/tor-weather/contents.lr
@@ -22,9 +22,69 @@ title: Tor Weather
 ---
 summary:
 
-Summary of project
+Tor Weather is the most efficient way to achieve and maintain a healthy Tor network on the long run.
 
 ---
 description: 
 
-Longer description
+Tor Weather was [discontinued on 2016-04-04](https://lists.torproject.org/pipermail/tor-relays/2016-April/009009.html), however "Tor Weather is still a good idea, it just needs somebody to implement it."
+
+How Tor Weather looked like:
+https://web.archive.org/web/20141004055709/https://weather.torproject.org/subscribe/
+
+## Motivation
+
+If a relay disappears today, it is unlikely that anyone will notice or even send an email to the operator unless it is a big one.
+
+Relay operators and the entire tor network would benefit from a Tor Weather service because it notifies relay operators when the state of their relays changed (and more). This will increase the likelihood that relay operators notice problems and actually mitigate the problem otherwise there is no "user feedback" since tor can cope with disappearing relays quite well.
+
+It also:
+- shows the relay operator that someone actually cares if their relays go down or become outdated or have another problem
+- gives the operator relay best-practices information. 
+
+## Expected Effects
+
+If enough operators subscribe to such a service:
+- relays might become more long lived / the churn rate might decrease
+- the fraction of relays running outdated tor versions might decrease
+- the fraction of exits with broken DNS might decrease 
+
+It also has the benefit of being able to contact relay operators:
+- completely automatically
+- even if they choose to not set a public ContactInfo string in their torrc files. 
+
+## Ideas for Notification Types
+
+_(sorted by importance)_
+
+Support subscribing via single relay FP or MyFamily groups (should not need any subscription change if a relay gets added to the family).
+
+- [ ] Email me when my node is down
+_How long before we send a notification?_
+- [ ] email me when my relay is affected by a security vulnerability
+- [ ] email me when my relay runs an end-of-life version of tor
+- [ ] email me when my relay runs an outdated tor version (note: this should depend on the related onionoo bugs to avoid emailing alpha relay people)
+- [ ] email me when my exit relay fails to resolve hostnames (DNS failure)
+- [ ] email me when my relay looses the [ ] stable, [ ] guard, [ ] exit flag
+- [ ] email me when my MyFamily configuration is broken (meaning: non-mutual config detected or relay with same contactInfo but no MyFamily)
+- [ ] email me when you detect issues with my relay
+- [ ] email me with suggestions for configuration improvements for my relay (only once per improvement)
+- [ ] email me when my relay is on the top [ ] 20 [ ] 50 [ ] 100 relays list
+- [ ] email me with monthly/quarterly status information that includes information like what my position in the overall relay list is (sorted by CW), how much traffic my relay did during the last month and what fraction of the months time your relay was included in consensus as running (this shows information on how many % of the months' consensuses this relay has been included and running)
+- [ ] aggregate emails for all my relays into a single digest email
+- [ ] email me about new relay requirements
+- [ ] email me about tor relay operator events
+
+
+*Task:* Write a specification describing the meaning of each checkbox 
+
+## Security and Privacy Implications
+
+The service stores email addresses of potential tor relay operators, they should be kept private and safeguarded, but a passive observer can collect them by watching outbound email traffic if no TLS is used. Suggest to use a dedicated email address for this service.
+
+## Additional Ideas
+
+- easy: integration into tor: show the URL pointing to the new Tor Weather service like the current link to the lifecycle blogpost when tor starts and detects to be a new relay
+- Provide an uptimerobot-style status page for relay operators using onionoo data 
+
+



