[tor-reports] Isis' May 2014 Report

isis isis at torproject.org
Thu Jun 5 09:33:44 UTC 2014 

# -*- mode: org; coding: utf-8 -*-

*** status report 2014/05
**** Isis' May 2014: Review

In May 2014, I:

 * Finished creating unittests with complete coverage for BridgeDB's email
   distributor system. (#9874)

 * Fixed several issues in BridgeDB's email distributor.   ( ̲̅:̲̅:̲̅[̲̅ ̲̅]̲̅:̲̅:̲̅:̲̅) 
   (#5463 #7547 #7550 #11664 #11475 #11753 #12086 #12089 #12091)

 * Added expirations to BridgeDB's CAPTCHAs. (#11215) Then fixed an issue with
   the timestamps used in hashring rotation in BridgeDB's HTTPS distributor.
   (#12147)

 * Started work and additional research on designing BridgeDB's database
   backend improvements (proposal #226).

 * Started setting up a separate server for staging instances of BridgeDB.
   Lots of ♥ and thanks to phobos for getting a new server for this!

 * Reconfigured BridgeDB's continuous integration testing to support three
   simultaneous builds. The first two are both on Python2.7:
     - With Twisted-13.2.0 and PyOpenSSL-0.13.1 (in deployment)
     - With Twisted-14.0.0 and PyOpenSSL-0.14 (latest versions)
   and the last one (which is permitted to fail) is run with PyPy for the
   Python interpreter. [0]

 * Failed to get around to redesigning a better API for subclassing/creating
   new bridge distributors for BridgeDB, because there were too many bugs
   in the email distributor.


Related, but non-Tor work:

 * I built a new mailserver on patternsinthevoid.net which forces TLS with
   ephemeral DH, and does DKIM signing, so I can whitelist myself for testing
   BridgeDB's email server more safely.

                    |-------------------------------|
                    |  ssl added and removed here ↑ | 
                    |________________________________|
                     /
                ˙ ͜ʟ˙ 


   I'm really stoked that my outgoing emails have DKIM signatures now. You can
   get my server's public DKIM key by doing:

       $ host -t TXT mail._domainkey.patternsinthevoid.net

   There's also a DNS PKA record for my email GnuPG key. [1] That key has a
   critical preferred keyserver packet pointing to a page [2] which includes
   the TLS fingerprints for my server. It's like a crypto circlejerk.


[0] $ curl -skvLo ←→ ⌘.ws/◳ 2> >(sed '/^[*<>{} ]/d') && python ←→ # ascii mandelbrot
[1] $ host -t TXT isis._pka.patternsinthevoid.net`
[2] https://blog.patternsinthevoid.net/isis

**** Tickets worked on in May 2014:

***** Component: - Select a component (1 match)
#12148 Leekspin is reporting its version as "unknown"

***** Component: BridgeDB (25 matches)
#5384 Image Steganography for BridgeFinder
#5463 BridgeDB must GPG-sign outgoing mails
#5485 Think about ways to give out non-blocked bridges without making it too easy to enumerate all bridges
#7207 BridgeHerder: A tool to manage bridges
#7547 BridgeDB email response is confusing
#7550 BridgeDB email responder is not interactive
#8241 asking for obfs3 by https doesn't tell you how to ask for obfs3 by gmail
#9332 Implement whitelisting of (email_address, gpg_key_id) pairs for encrypted, automated email bridge distribution
#9678 "Select Language" button on bridges.tpo
#10239 Payment for bridges (and effects this would have)
#10385 Replace BridgeDB's use of python-gpgme with python-gnupg
#11215 Add timestamp/expiry to HMAC verification code in BridgeDB's local CAPTCHAs
#11216 BridgeDB is parsing PTs from `cached-extrainfo*` files cumulatively
#11475 Get bridges email says to use Vidalia
#11514 Captcha not working
#11664 BridgeDB's email server is currently not responding
#11753 BridgeDB's email responses are not translated
#12029 Redesign BridgeDB's class inheritance to make designing new distributors easier
#12030 Create a ORM DatabaseManager for interacting with BridgeDB's database backends
#12031 Create a Key-Value RDBMS system for simple/flat datatypes in BridgeDB
#12086 BridgeDB accepts incoming emails sent to 'givemebridges at serious.ly'
#12089 BridgedDB can be forced to email arbitrary email addresses
#12090 BridgeDB replies with an empty email.
#12091 BridgeDB still isn't checking DKIM verification results properly
#12122 Untranslatable strings in bridgedb.pot
#12147 BridgeDB bridge requests over HTTPS have another timeout issue

***** Component: Firefox Patch Issues (1 match)
#10355 Pipeline defense interferes with twitter and flickr photostreams

***** Component: Tor (3 matches)
#9729 Make bridges publish additional ORPort addresses in their descriptor
#10849 tunneldirconns 0 makes hidden services publish descriptors over http -- and they're refused
#11513 Make UNRESTRICTED_SERVER_CIPHER_LIST non-stupid

***** Component: Tor bundles/installation (1 match)
#10425 tor's geoip6 file is missing in TBB-3.5 and hardcoded to a gitian-builder path

***** Component: TorBrowserButton (2 matches)
#10178 about:tor fails with TBB using system-wide tor
#11751 Tor is not working in this browser

**** In June 2014, I plan to work on:

I'm going to redesign the API for bridgedb's distributors, but I expect that
this will be done around the same time as GSoC. So I'll also be working with
my GSoC student to create a useable Twitter distributor in a way that they
won't need to worry about API changes.

I'm going to start stubbing out classes for the new database management
system, and creating unittests specifying the design.

I'll likely finish setting up the new BridgeDB staging server for testing.

Finish travel arrangements and attend the Tor developer meeting in Paris.

**** Relevant Papers/Research:

Durfee, Glenn. Cryptanalysis of RSA using algebraic and lattice methods.
  Diss. stanford university, 2002.
  http://vanilla47.com/PDFs/Cryptography/RSA%20Cryptography/Cryptoanalysis%20of%20RSA/CRYPTANALYSIS_OF_RSA_USING_ALGEBRAIC_AND_LATTICE_METHODS.pdf

Boneh, Dan. "Twenty years of attacks on the RSA cryptosystem."
  Notices of the AMS 46.2 (1999): 203-213.
  http://sofia.nmsu.edu/~pmorandi/math331s01/AMSNotices-2-1999-boneh.pdf

Salah, Imad Khaled, Abdullah Darwish, and Saleh Oqeili. "Mathematical Attacks
  on RSA Cryptosystem." Journal of Computer science 2.8 (2006).
  http://thescipub.com/pdf/10.3844/jcssp.2006.665.671

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1154 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20140605/0bcd129e/attachment.sig>

More information about the tor-reports mailing list