[tor-reports] SponsorF May 2014 report

Roger Dingledine arma at mit.edu
Mon Jun 9 06:16:49 UTC 2014

Here is the May report for SponsorF Year4:
(With thanks to Lunar for compiling much of it!)


1) Tor: performance, scalability, reachability, anonymity, security.

- Tor was released on May 16th. This new stable version
backports numerous high-priority fixes from the Tor 0.2.5 alpha release
series. These include blocking all authority signing keys that may have
been affected by the OpenSSL "heartbleed" bug, choosing a far more secure
set of TLS ciphersuites by default, closing a couple of memory leaks
that could be used to run a target relay out of RAM, and several others.

- Daniel Martí has been working on proposal 140 to implement consensus
diffs and so reduce the amount of information downloaded hourly by Tor

- Nick Mathewson worked on proposal 236, which deals with the proposed
transition to single guard nodes for Tor clients. The amendments include
the retention of multiple guards for directory requests, since
trusting a single source for the completeness and freshness of directory
info is suboptimal.


2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events

- Yawning has announced a new pluggable transport, currently named obfs4.
The protocol resembles ScrambleSuit but uses Daniel J. Bernstein's
cryptographic primitives to mitigate some performance/denial-of-service
concerns. Instead of obfs3 style UniformDH and CTR-AES256/HMAC-SHA256,
obfs4 uses a combination of Curve25519, Elligator2, HMAC-SHA256,
XSalsa20/Poly1305, and SipHash-2-4.

- David Fifield released a new round of Tor Browser packages modified
to include meek, the pluggable transport which uses tricks similar to

- David Fifield published "A Child's Garden of Pluggable Transports", a
detailed visualization of different pluggable transport protocols.

- Arturo released Ooniprobe 1.0.2. The new version brings security
fixes, a manpage, and a test for Tor bridge reachability, among other

- Isis rewrote the email bridge distributor of BridgeDB in order to fix
some fundamental design problems with the old code.

- Griffin Boyce released the first version of Satori, an app for Google
Chrome that distributes circumvention software in a difficult-to-block
way and makes it easy for users to check if it's been tampered with

- Israel Leiva published the initial version of a design proposal for
the "Revamp GetTor" Google Summer of Code project.


3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

- Tor Browser 3.6.1 was released on May 7th. Apart from updating HTTPS
Everywhere and NoScript, the new release mainly solves a regression
experienced by proxy users.

- Nicolas Vigier set up the Tor Browser test suite to run automatically
when a new build is ready. The results are emailed to the tor-qa
mailing list.

- Michael Schloh von Bennewitz spent time analyzing a privacy (local disk)
leak in Tor Browser: when one copies a significant chunk of text to the
clipboard, a temporary file is created with its content.

- Nicolas Vigier has been investigating some extra connections made by
the Tor Browser on startup to the local resolver and the default port
of the SOCKS proxy.

- Georg Koppen has successfully built test packages of the Tor Browser
with ASan hardening. AddressSanitizer (ASan) is a powerful memory error
detector: software built with such technology makes it a lot harder to
exploit programming errors related to memory management.
(Unfortunately these first test packages are not very portable, and
also it turns out that Firefox has a lot of bugs so the test packages
are not as stable as we might want.)

- Tails 1.0 was released on May 1st. It marks the 36th stable release
since the very first release in June 2009. Over Tails 0.23, the new
version brings security fixes from Firefox and Tor, an updated I2P,
several enhancements to the Tor configuration interface, and the
appearance of the new Tails logo.

- Tails 1.1 beta1, which is based on the latest stable Debian version
(as opposed to oldstable), was released to testers on May 30th.

- Alpha releases of Orbot v14 (Tor for Android) are now available for
testing. They include support for the obfs3 and ScrambleSuit protocols,
thanks to obfsclient (a C++ rather than Python implementation, so much
better suited to Android).

- Cure53 audited the security of the Onion Browser, a web browser for
iOS platforms that tunnels traffic through Tor. All reported issues
should have been fixed in release 1.5 on May 14th.

- David Goulet reported on the status of the development of Torsocks 2.0,
the library for safely "torifying" applications via LD_PRELOAD tricks.

- Anthony G. Basile released version 20140520 of tor-ramdisk, the micro
Linux distribution whose only purpose is to host a Tor relay in an
environment that maximizes security and privacy. The new version upgrades
Tor to version


4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- Karsten Loesing recompressed the tarballs of archived metrics data.
The new compression algorithm (xz rather than bz2) reduced their total
size from 212 gigabytes to 33 gigabytes -- an 85% gain!

- The metrics library now properly handles router descriptors with
non-ASCII characters.

- ScrambleSuit usage is now visible on the bridge users graph.
(There are very few such users, because there are very few such

- Onionoo search by contacts is now working again:

- Onionoo now uses the Gson library to format and parse JSON documents
instead of custom code:

- Karsten Loesing has been looking at new libraries that could
improve the metrics code base in future refactoring:


5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

- Martin Kepplinger ran a "Create a Tor relay!" session during
Linuxwochen in Vienna, Austria on May 8th.

- Andrew Lewman was invited to speak on a panel at Sida and then
at the Stockholm Internet Forum:

- Karen Reilly went to the launch event of SaferJourno by Internews:
Digital Security Resources for Media Trainers.

- Karen Reilly was present at the ISC (USAID's Internet security
program) annual meeting. People from various repressive countries met
developers to talk about tools they need.

- Karen Reilly spoke at "Strategies for Digital Security in Development
Projects" hosted by Appropriate IT and CommunityRED together with IREX
and the ISC Project on May 17th.

- Karen Reilly talked with Al Jazeera for several days about journalist

- Karen Reilly helped with presenting Tor and our pluggable transport
ideas at the Pentagon, where various military folks want to know how they
can use our tools to stay safe (and avoid censorship) on the Internet too.

- Lunar worked on updating and localizing the EFF's interactive "Tor
and HTTPS" visualization.


6) Research: Assist the academic community in analyzing/improving Tor.

- Our HotPETS paper on "tradeoffs around moving to one guard" got in:
I expect there will be some debate about it in Paris / Amsterdam.

- Roger Dingledine, Ian Goldberg, and other members of the larger Tor
community attended the 35th IEEE Symposium on Security and Privacy in
San Jose, California.

Two highlights of research discussions:

* Sukhbir Singh has been making progress on scaling ExperimenTor to work
on Ian's shiny new huge cluster. Ian was looking for some straightforward
experiments to run that would show that the new Tor network simulator
works well, and also would be the right amount of work to finish a
Master's thesis. I suggested "simulate the situation where a botnet
shows up with many Tor clients, which use TAP handshakes whereas other
clients use nTor handshakes, and the botnet clients are all accessing a
hidden service. Then explore the parameter space for what happens when
the hidden service goes away and the clients start thrashing trying
to reach it." That project will hopefully achieve the right balance of
instrumenting the simulator vs instrumenting Tor, and also it's a space
we really want to get more intuition on.

* Damon McCoy and Paul Pearce were both interested in the "follow the
money" question around the Sefnit botherder -- if we can temporarily
disrupt the bot traffic, they can look for the resulting disruption in
clickfraud, and learn more about which companies are getting screwed by
this guy; then we can inform the companies that they're getting ripped
off, and their back pressure will reduce the profit from operating the
botnet. This is of course a delicate operation, since an adversary with
a five million node botnet can make a big mess if it puts its mind to
it. I've introduced Damon and Paul to the Microsoft anti-botnet guy who
was doing cleanup. The early answer appears to be that the Tor component
to Sefnit "seems to be a largely legacy component. All their recent
activity is not Tor related." That's a great sign, but work remains to
help everybody else in the world draw the conclusion that using Tor for
your botnet C&C is counterproductive.
