[tor-reports] SponsorF January 2014 report

Roger Dingledine arma at mit.edu
Mon Feb 10 02:52:17 UTC 2014


Here is the January report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4

------------------------------------------------------------------------

1) Tor: performance, scalability, reachability, anonymity, security.

- There were no Tor releases in January, so I'll save the summaries of
progress there for when we put out actual releases.

- Directory authorities have been upgrading their directory signing key to
2048-bit RSA (rather than 1024-bit, since 1024-bit is uncomfortably small
these days). We now have a majority (seven of nine) authorities upgraded:
https://bugs.torproject.org/10324
https://people.torproject.org/~linus/sign2048.html

- In December, Nick submitted an internet-draft to randomize gmt_unix_time
in TLS Hello records:
http://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00
(since its main effect is to act as yet another fingerprint for
recognizing users)
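As an added illustration that is not part of the report or of the internet-draft, this Python snippet parses the Random field out of a TLS 1.2 ClientHello and checks whether its leading four bytes carry a wall-clock value near the capture time, which is the gmt_unix_time fingerprint the draft proposes to remove. The ClientHello bytes are constructed inline (no real client capture), and the window size is an assumed heuristic.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello (record + handshake
# headers, Random, empty session id, one cipher suite, null compression,
# no extensions). Not captured from any real client.
def build_client_hello(random32: bytes) -> bytes:
    assert len(random32) == 32
    body = (b"\x03\x03" + random32 + b"\x00"   # version, Random, session id len
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00")                      # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def client_hello_random(data: bytes) -> bytes:
    """Return the 32-byte Random field of a TLS ClientHello, or raise ValueError."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        raise ValueError("truncated ClientHello body")
    return body[2:34]              # skip client_version, take Random

def gmt_unix_time(random32: bytes) -> int:
    """First 4 bytes of Random, read as the RFC 5246 gmt_unix_time field."""
    return struct.unpack("!I", random32[:4])[0]

def leaks_clock(data: bytes, capture_time: int, window: int = 24 * 3600) -> bool:
    """True if the Random's leading 4 bytes look like a real clock value near
    capture_time, i.e. the hello still carries the fingerprintable timestamp.
    A fully randomized Random will almost never land inside the window
    (window is an assumed heuristic, not a value from the draft)."""
    t = gmt_unix_time(client_hello_random(data))
    return abs(t - capture_time) <= window
```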

------------------------------------------------------------------------

2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- We're continuing to head towards having a unified TBB with integrated
obfsproxy+flashproxy and deterministic builds:
https://trac.torproject.org/projects/tor/ticket/10006

- We merged ScrambleSuit into Obfsproxy:
https://trac.torproject.org/projects/tor/ticket/10598
https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/HEAD:/obfsproxy/transports/scramblesuit
and a new release is forthcoming.

- Yawning wrote a C obfs3 implementation:
https://github.com/Yawning/obfsclient
which is especially helpful for mobile where Python apps are tough to
deploy. This second implementation also helped to uncover some ambiguities
in the obfs spec:
https://trac.torproject.org/projects/tor/ticket/10782

- David Fifield proposed a simple http/https hybrid transport that
makes use of https vhosting to reach appengine:
https://lists.torproject.org/pipermail/tor-dev/2014-January/006159.html
https://trac.torproject.org/projects/tor/wiki/doc/meek
https://www.bamsoftware.com/git/meek.git/

- Kevin Dyer released versions 0.2.3, 0.2.4, and 0.2.5 of fteproxy. These
releases focused on removing dependencies on third party libraries,
performance improvements, bug fixes, and enhancements (to the build
process) to support integration with the gitian build process.

There is now a testing version of TBB 3.6 bundled with fteproxy:
https://trac.torproject.org/projects/tor/ticket/10362#comment:11

- Roger, Arturo, and George met with M-Lab, Georgia Tech, Stonybrook,
and Least Authority to discuss collaborations on Internet censorship
measurement tools and projects. One of the medium-term measurement goals
is to detect (and track in an ongoing way) whether various pluggable
transport protocols (e.g. Websocket, SSL, obfs3) are blocked from networks
around the world.

- Roger met with Griffin Boyce about the state of Flash proxy, Cupcake,
and general usability of blogging platforms that normal activists can set
up for themselves. Cupcake (a Chromium extension to run a Flash proxy)
is another great example of transitions from this grant:
http://cupcakebridge.com/

------------------------------------------------------------------------

3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

- Mike wrote up a summary of TBB work in January:
https://lists.torproject.org/pipermail/tor-reports/2014-February/000438.html
including the release of TBB 3.5.1:
https://blog.torproject.org/blog/tor-browser-351-released

- Orbot -- the Guardian Project's port of Tor on Android platforms --
has received a major update. Version 13 includes "all the latest bling
across the board" meaning Tor 0.2.4.20 and updated versions of OpenSSL
and XTables. Nathan also mentions "some important fixes to the Orbot
service, to ensure it remains running in the background, and the active
notification keeps working, as well. Finally, we've changed the way
the native binaries are installed, making it more reliable and clean
across devices."
https://guardianproject.info/apps/orbot/
https://lists.mayfirst.org/pipermail/guardian-dev/2014-January/002973.html

After the initial release candidates, 13.0.1, 13.0.2 and then 13.0.3
were quickly made available to fix various reported issues:
https://lists.mayfirst.org/pipermail/guardian-dev/2014-January/003016.html

The new release is available from the Guardian Project's website,
F-Droid repository, or Google Play:
https://guardianproject.info/releases/

- Tails summarized their recent work on their Debian-based Tor live system:
https://tails.boum.org/news/report_2013_12/

- Koumbit has been working on Torride, a live distribution to run Tor
relays -- not unlike Tor-ramdisk -- but based on Debian. Version 1.1.0
was released on January 10th:
https://redmine.koumbit.net/projects/torride
http://opensource.dyc.edu/tor-ramdisk/
https://redmine.koumbit.net/news/17

------------------------------------------------------------------------

4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- Karsten added two new graphs to metrics.torproject.org in our continued
efforts to visualize the diversity of the Tor network over time:
https://metrics.torproject.org/network.html#advbwdist-perc
https://metrics.torproject.org/network.html#advbwdist-relay
https://bugs.torproject.org/10460

- Microdescriptor historical tarballs are now available on the metrics
website:
https://metrics.torproject.org/data.html#relaydesc

- We continued to make progress at a version of the Globe relay explorer
that doesn't require JavaScript:
https://globe.torproject.org/
https://trac.torproject.org/projects/tor/ticket/10407
https://lists.torproject.org/pipermail/tor-dev/2014-February/006165.html

------------------------------------------------------------------------

5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

- "The Inside Story of Tor, the Best Internet Anonymity Tool the
Government Ever Built", cover article at
http://www.businessweek.com/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency

- Roger, Andrew, Kelley, and Karen met with Spitfire to discuss press
strategies:
https://lists.torproject.org/pipermail/tor-reports/2014-January/000434.html

- Roger did a talk at NSF:
https://lists.torproject.org/pipermail/tor-talk/2014-January/031701.html
http://freehaven.net/~arma/slides-nsf14.pdf

Afterwards Roger met with some DHS program managers who would like
somebody to do a study to assess how much Tor traffic is "good" or
"bad" (motivated by the NIJ study we mentioned in the 30c3 talk in
Hamburg). We really need a great university research group to take this
on, but it's a huge open research question right now whether such a
study could be done both accurately and safely.

- Jake did a talk with Christian Grothoff for the Council of Europe:
https://lists.torproject.org/pipermail/tor-reports/2014-February/000450.html
http://www.theinquirer.net/inquirer/news/2325775/the-council-of-europe-wants-action-on-eavesdropping

- We launched the www-team list for volunteers to help make our website
more accessible and useful:
https://blog.torproject.org/blog/tor-website-needs-your-help

- Many Tor people attended the Real-World Cryptography conference in NYC,
to help them understand Tor's threat model and to better understand how
new developments will impact Tor.
https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-january-29th-2014

------------------------------------------------------------------------

6) Research: Assist the academic community in analyzing/improving Tor.

- Roger met with NRL researchers to provide advice and guidance in
their trust-based path selection research. The big question they're
wrestling with this month is what threat model they should consider --
they're hunting for one that's both straightforward to analyze and also
represents some real adversary.

- Rob posted a summary of his upcoming NDSS paper on how to turn a
denial-of-service attack against Tor guards into an anonymity attack:
https://blog.torproject.org/blog/new-tor-denial-service-attacks-and-defenses

- Philipp Winter posted a summary of his tech report about detecting
Tor exit relays that monitor or modify exit traffic:
https://blog.torproject.org/blog/what-spoiled-onions-paper-means-tor-users

- Roger shepherded an FC short paper on how there are too many CA certs
in normal browsers / operating systems, and how to reduce the number.
"You Won't Be Needing These Any More: On Removing Unused Certificates
From Trust Stores"
http://fc14.ifca.ai/program.html

- Roger talked more with the Leuven / Drexel team that's working on
evaluating website fingerprinting attacks. They're aiming to show that
false positive rates go up faster than previous literature expected,
once you consider more realistic web pages in more realistic quantities.

- Nick Hopper will present a short paper at FC on defending Tor from
botnet invasion:
http://fc14.ifca.ai/program.html
(an earlier version was published as a tech report at
https://research.torproject.org/techreports/botnet-tr-2013-11-20.pdf )

Meanwhile, Microsoft has continued cleaning up the bots:
https://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx

--Roger