[tor-reports] SponsorF March 2014 report

Roger Dingledine arma at mit.edu
Thu Apr 10 07:56:13 UTC 2014

Here is the March report for SponsorF Year4:
(With thanks to Lunar for compiling most of it!)


1) Tor: performance, scalability, reachability, anonymity, security.

- We released Tor on March 23rd. In addition to the fixes
from, it contains two new anti-DoS features for Tor relays,
resolves a bug that kept SOCKS5 support for IPv6 from working, fixes
several annoying usability issues for bridge users, and removes more old
code for unused directory formats. This release also marks the first
step toward the stabilization of Tor 0.2.5, as from now on no feature
patches not already written will be considered for inclusion.

- George Kadianakis made a detailed analysis of the performance and
anonymity implications of switching to only a single guard node:
Nicholas Hopper ran further experiments using the TorPS simulator.
The current outcome is that there are many complex research questions
here, but we should probably do it anyway.

- Roger talked briefly to the Georgetown / Penn team about integrating
their network coordinate system, and/or alternate path selection schemes,
into Tor. The consensus for now is that most of their research is
premature or shown-to-be-not-a-good-idea-yet. One promising idea would
be to integrate the network coordinating system into the relays, and
see how it would behave in practice, so we can get more intuition. That
would require a proposal -- the ball is in their court now.


2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events

- David Fifield published a guide to patching meek, an HTTP pluggable
transport, so that it can be used to send traffic via Lantern, a
censorship circumvention system which acts as an HTTP proxy and proxies
traffic through trusted friends.

- The meek development repository has been moved to Tor Project's

- George Kadianakis announced obfsproxy version 0.2.7. The new release
fixes an important bug where ScrambleSuit would reject clients if they
tried to connect a second time after a short amount of time had passed.

- Version 0.0.2 of obfsclient -- a C++ implementation of obfs3 and
ScrambleSuit -- has been released.

- BridgeDB version 0.1.5 was released on March 16th and version 0.1.6
on March 26th. Bridge descriptor parsing reliability has been improved.
A custom solution for CAPTCHA has replaced the nearly impossible to
solve CAPTCHA served by Google reCAPTCHA service.

- Roger wrote about the current state of Tor's ability to circumvent
censorship of Internet access in China.

- Roger talked to SRI and Farsight about publishing their Jumpbox code,
and/or doing an integrated TBB-PT release. Jumpbox (driving a browser to
make your plausible-looking http requests, rather than trying to pretend
to be a browser on your own) appears quite similar to what David Fifield
and Sathya have each been doing.


3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

- Tor Browser version 3.5.3 was released on March 19th as a safe upgrade
for every Tor Browser user. Among important security fixes in the
browser code, the new version contains an updated Tor, a fix for a
potential freeze, a fix for the Ubuntu keyboard issue and a way to
prevent disk leaks when watching videos.

- Tor Browser version 3.6-beta-1 was released on March 18th. It
incorporates the same changes as version 3.5.3, minor fixes and
usability improvements, but more importantly the result of a months-long
effort to seamlessly integrate pluggable transports. In the network
settings, users can now choose "Connect with provided bridges" and
select from "obfs3" [12], "fte" [13] or "flashproxy" [14]. Entering
custom bridges is also supported and will work for direct, obfs2 and
obfs3 bridges.

- Mike Perry wrote an introduction to Tor Browser development.

- David Goulet released the fourth candidate of the Torsocks rewrite.

- On March 9th, Anthony G. Basile released a new version of
the tor-ramdisk micro Linux distribution for relay operators.

- Ramo released a new Tor plugin for the Nagios monitoring system, aimed
at relay operators.

- Tails 0.23 was released on March 19th. Two major new features:
Tails will now do "MAC spoofing" by default to hide the hardware address
used on the local network, and it now supports bridge and pluggable
transports configuration through the same interface used in recent Tor
Browser. It also includes several security fixes, several small bugfixes
and minor improvements.

- Patrick Schleizer announced the release of version 8 of Whonix --
an operating system focused on anonymity, privacy and security based on
the Tor anonymity network, Debian and security by isolation.


4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- Onionoo is now able to provide per-bridge statistics. This should
allow visualizations of where users are coming from and what
type of pluggable transport they are using.

- Onionoo now provides fractional uptimes of relays and bridges.

- We started considering how to track performance and total contribution
for a subset of relays, in the "Metrics for assessing EFF's Tor relay
challenge?" thread:
In an ideal world, these same scripts and graphing engines could be used
to look at other relay sub-populations and track diversity and changes
over time.


5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

- The Tor Project has received 32 proposals for the 2014 edition of the
Google Summer of Code.

- Kelley Misata delivered a talk "Journalists -- Staying Safe in
a Digital World" at the Computer-Assisted Reporting Conference in

- David Rajchenbach-Teller from Mozilla reached out to the Tor
Browser developers about their overhaul of the Firefox Session Restore
mechanism. This is another milestone in the growing collaboration
between the Tor Project and Mozilla.

- Tails won the 2014 Endpoint Security prize from Access. The prize
recognizes Tails's unique positive impact on the endpoint security of
at-risk users in need.

- Alex reported on an important case about Tor relay operators which
came to court in Athens, Greece on March 18th. The defendant, a Tor
relay operator, was acquitted after proving that the IP address used for
criminal activity was in fact a Tor relay.

- The Tor network is seeing an increased number of users from inside
Turkey after Twitter and other sites have been blocked by the Turkish
government. A short blog post on how to get the Tor Browser was written,
and translated into Turkish.

- Jacob Appelbaum presented a keynote titled "Free software for freedom,
surveillance and you" at LibrePlanet 2014 in Boston.

- A FreedomBox developer, James Valleroy, came for help on the best way
to configure the FreedomBox as a Tor bridge.

- A Tor exit operator held an Ask Me Anything on Reddit.


6) Research: Assist the academic community in analyzing/improving Tor.

- Members of the Prosecco research team released a new attack on the TLS
protocol -- dubbed "Triple Handshake" -- allowing impersonation of a
given client when client authentication is in use together with session
resumption and renegotiation. Nick Mathewson published a detailed
analysis of why Tor is not affected, which also outlines future
changes to make Tor resistant to even more potential TLS issues.

- Sebastian Urbach announced that Trying Trusted Tor Traceroutes, a Tor
network measurement collaboration with groups including NRL, has reached
100 completed runs from different IPs.

- Nick Hopper presented his "Challenges in protecting Tor hidden services
from botnet abuse" paper at FC:

- Roger reviewed Usenix Security papers, including several anonymity
papers. Similarly, Nick Mathewson and other Tor folks reviewed PETS
