[tor-reports] SponsorF June 2014 report

[Roger Dingledine]

Here is the June report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to Lunar for compiling much of it!)

------------------------------------------------------------------------

1) Tor: performance, scalability, reachability, anonymity, security.

- Tor 0.2.5.5-alpha was released on June 18th, fixing a wide variety of
remaining issues in the Tor 0.2.5.x release series, including a couple
of DoS issues, some performance regressions, a large number of bugs
affecting the Linux seccomp2 sandbox code, and various other bugfixes.
Among the major security improvements is an adjustment to the way Tor
decides when to close TLS connections, which should improve Tor's
resistance against some kinds of traffic analysis, and lower some
overhead from needlessly closed connections.
https://lists.torproject.org/pipermail/tor-talk/2014-June/033347.html

- Nick Mathewson wrote an analysis on the impact of the OpenSSL
"EarlyCCS bug" on Tor:
https://lists.torproject.org/pipermail/tor-talk/2014-June/033161.html

------------------------------------------------------------------------

2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- BridgeDB version 0.2.2 has been deployed with many fixes and
translation updates. The email autoresponder is back in fully working
state.
https://gitweb.torproject.org/bridgedb.git/blob_plain/cb8b01bc:/CHANGELOG

- George Kadianakis wrote a blog post about the upcoming developments in
pluggable transports.
https://blog.torproject.org/blog/recent-and-upcoming-developments-pluggable-transports

- David Fifield updated the experimental Tor Browser builds that
include the meek pluggable transport. The new packages are based on
Tor Browser version 3.6.2.
https://lists.torproject.org/pipermail/tor-talk/2014-June/033229.html
https://people.torproject.org/~dcf/pt-bundle/3.6.2-meek-1/

- The server component of Flashproxy has entered Debian. The package,
named pt-websocket, should help getting more deployment.
https://packages.debian.org/sid/pt-websocket

- Marc Juarez, our gsoc student, continued work on a pluggable
transport to help us test website fingerprinting defenses:
https://lists.torproject.org/pipermail/tor-reports/2014-June/000567.html
https://lists.torproject.org/pipermail/tor-reports/2014-July/000581.html

- In May (missed in the last report), Kevin Dyer released libfte, a
"filter" version of fteproxy does the cryptographic transformations of
network traffic:
https://github.com/kpdyer/libfte
He also released a version of fteproxy that depends upon libfte, instead
of using its own FTE code; and released two versions of fteproxy: 0.2.14
and 0.2.15, which included various bugfixes.
https://github.com/kpdyer/fteproxy

------------------------------------------------------------------------

3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

- Version 3.6.2 of the Tor Browser has been released featuring a fix
to allow the configuration of a local HTTP or SOCKS proxy with all
included Pluggable Transports, as well as important fixes to mitigate
recent OpenSSL vulnerabilities, and other security updates.
https://blog.torproject.org/blog/tor-browser-362-released

- Tails 1.0.1 has been released on June 10th. This minor update contains
several security fixes and upgrade Tor and I2P to their latest stable
versions.
https://tails.boum.org/news/version_1.0.1/

- Georg Koppen announced a new set of experimental hardened Linux builds
of the Tor Browser that include both AddressSanitizer and Undefined
Behaviour Sanitizer (UBSan).
https://lists.torproject.org/pipermail/tor-qa/2014-June/000428.html

- The most versatile Tor controller, Stem, is now at version 1.2.
The new version includes an interactive controller prompt, and a new
connect() function for ease of integration.
https://blog.torproject.org/blog/stem-release-12

- meejah released a new version of txtorcon -- a Twisted-based
asynchronous Tor control protocol implementation. Version 0.10.0 adds
support for Twisted's endpoint strings. Any Twisted program that uses
endpoints can accept "onion:" strings to bring up (i.e. host) a hidden
service easily.
https://lists.torproject.org/pipermail/tor-dev/2014-June/007006.html

- Mike Perry summarized the month of June for the Tor Browser Team:
https://lists.torproject.org/pipermail/tor-reports/2014-July/000584.html

------------------------------------------------------------------------

4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- The new CollecTor service has been launched. This is an improved
spin off of the directory archive section from the Metrics portal.
Archive tarballs are now provided in a directory structure rather than a
single directory, recently published descriptors can now be accessed
much more easily, and the documentation of descriptor formats has
been updated.
https://collector.torproject.org/

- Lukas Erlacher has released OnionPy 0.1.5. A library for
object-oriented access to the Onionoo database.
https://lists.torproject.org/pipermail/tor-dev/2014-June/007018.html

- Onionoo now properly includes bridge pool assignments.
https://bugs.torproject.org/12203

- The relay-search service
(https://metrics.torproject.org/relay-search.html) has been shut down
and the metrics website database schema cleaned up. This reduced the
database size from 95 GiB to 3 GiB. Cronjobs to update graph data are
now running within minutes rather than hours.

------------------------------------------------------------------------

5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

- The EFF announced its 2014 Tor Challenge to encourage the creation
of new relays:
https://blog.torproject.org/blog/tor-challenge-2014
We're well over 1000 relays that have signed up.
Roger also revamped the Tor relay documentation pages:
https://www.torproject.org/docs/tor-relay-debian
https://www.torproject.org/docs/tor-doc-relay

- fr33tux delivered a presentation in French at Université de technologie
Belfort-Montbéliard.
https://lists.torproject.org/pipermail/tor-talk/2014-June/033337.html

- Colin Childs presented Tor at the Winnipeg Cryptoparty on June 7th.

- Lunar attended Backbone 409 near Barcelona, to spread the word about
the open and community nature of the Tor network:
https://lists.torproject.org/pipermail/tor-reports/2014-June/000568.html

- Karsten started a "Tor documentation map" to help us understand what
we have and what we don't have in terms of user-facing documents:
https://trac.torproject.org/projects/tor/wiki/doc/DocumentationList#TorDocumentationMap

- Andrew talked to a member of parliament in Iceland about Internet
censorship in Iceland.

- Roger, David Fifield, George, Philipp Winter, and others attended a
circumvention researcher summit with Google in Seattle. There were many
research groups present, and we made some good progress at understanding
useful shared research directions and at considering how to (and how
not to) compose pluggable transports. I'm especially excited by the
freedom.js and librtc work that the UW group is leading.

- Roger gave an invited presentation at the SponsorF PI meeting:
http://freehaven.net/~arma/slides-jun14.pdf
(Alas the slides aren't as useful without the voiceover -- in my copious
free time I'll aim to write up some of the more useful points I made.)

------------------------------------------------------------------------

6) Research: Assist the academic community in analyzing/improving Tor.

- Tariq Elahi introduced PrivEx, an effort to collect statistics from Tor
exits in a privacy-sensitive manner.
https://lists.torproject.org/pipermail/tor-dev/2014-June/006999.html

- Roger coordinated the stipends for PETS, to make sure people from the
broader security community can integrate with the researchers there.

- Roger, Philipp, and others finished reviewing FOCI 2014 papers and
participated in the selection meeting. There are some great papers
this year:
https://www.usenix.org/conference/foci14
https://www.usenix.org/conference/foci14/workshop-program

- Robert has published the results of a three-week-long test of the
interconnectivity between 6730 relays in order to determine how many
relays are firewalling certain outbound ports (and thus messing with
connectivity inside the Tor network).
https://bugs.torproject.org/12131#comment:11