[tor-reports] SponsorF February 2014 report

Roger Dingledine arma at mit.edu
Mon Mar 10 10:15:09 UTC 2014


Here is the February report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With much thanks to Lunar for compiling the first drafts!)

------------------------------------------------------------------------

1) Tor: performance, scalability, reachability, anonymity, security.

- We released Tor 0.2.5.2-alpha on February 13. It incorporates all
the fixes from 0.2.4.18-rc and 0.2.4.20, like the "poor random number
generation" fix and the "building too many circuits" fix. This release
brings with it several new features of its own, among them the forced
inclusion of at least one relay capable of the NTor handshake in every
three-hop circuit, which should reduce the chance that we're building
a circuit that's worth attacking by an adversary who finds breaking
1024-bit crypto doable.
https://lists.torproject.org/pipermail/tor-talk/2014-February/032150.html

- We released Tor 0.2.4.21 on February 28. It further improves security
against potential adversaries who find breaking 1024-bit crypto doable,
and backports several stability and robustness patches from the 0.2.5
branch.
https://lists.torproject.org/pipermail/tor-talk/2014-March/032242.html

- Nick Mathewson wrote a Python script to convert the new MaxMind GeoIP2
binary database to the format used by Tor for its geolocation database:
https://github.com/nmathewson/mmdb-convert

- George et al. discussed a key revocation mechanism for hidden services:
https://lists.torproject.org/pipermail/tor-dev/2014-January/006146.html
Nick Hopper suggested a scheme that uses multiple hidden service
directories to cross-certify their revocation lists:
https://lists.torproject.org/pipermail/tor-dev/2014-January/006149.html

- Nick Mathewson wrote proposal 227, meant to extend the Tor consensus
document to include digests of the latest versions of one or more package
files, to allow software using Tor to determine its up-to-dateness,
and help users verify that they are getting the correct software:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006230.html

- During the winter dev meeting a discussion outlined several improvements
to anonymity issues related to Guard nodes:
https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting/notes/GuardDesign

------------------------------------------------------------------------

2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- We released obfsproxy 0.2.6 on February 3rd. It adds ScrambleSuit to the
set of available pluggable transports:
http://www.cs.kau.se/philwint/scramblesuit/
Bridge operators have been asked to update their software and
configuration:
https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html
There are around 250 bridges which already support ScrambleSuit. But we
also found a bug in the protocol which will necessitate upgrades:
https://trac.torproject.org/projects/tor/ticket/11100

- George wrote a guide on how Tor manages pluggable transports, both on
the server side and on the client side, with an eye toward other projects
using pluggable transports:
https://lists.torproject.org/pipermail/tor-talk/2014-January/031984.html

- "Yawning Angel" has continued writing obfsclient, a C++ pluggable
transport client:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006211.html

- George described several ways in which the existing obfsproxy code
could be reworked to support a DNS-based pluggable transport:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006250.html

- "Yawning Angel" has submitted a draft of a proposal to extend the SOCKS5
protocol when communicating with pluggable transports to allow passing
more per-bridge meta-data to the transport and returning more meaningful
connection failure response codes back to Tor:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006300.html

------------------------------------------------------------------------

3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

- Two releases of the Tor Browser Bundle happened on February 10th and
February 15th. Version 3.5.2 brings Tor users important security fixes
from Firefox and contains fixes to the "new identity" feature, window
size rounding, and the welcome screen with right-to-left languages,
among others:
https://blog.torproject.org/blog/tor-browser-352-released
Then version 3.5.2.1 fixed a bug in the localization of the browser
interface:
https://blog.torproject.org/blog/tor-browser-3521-released

- Mike Perry wrote a summary of TBB work in February:
https://lists.torproject.org/pipermail/tor-reports/2014-March/000473.html

- The Tails team released version 0.22.1 of the Debian-based Tor
live system on February 5th. The new release contains security fixes
to Firefox, NSS, and Pidgin, an updated Linux kernel, several fixes
for regressions and small issues, and turns on the integrated upgrader
by default:
https://tails.boum.org/news/version_0.22.1/

- The Tails team summarized the work they have done in January:
https://tails.boum.org/news/report_2014_01/

- David Fifield has created an experimental bundle for testers with
tor-fw-helper and flashproxy:
https://lists.torproject.org/pipermail/tor-qa/2014-February/000324.html
Then he made a second batch after some initial testing:
https://lists.torproject.org/pipermail/tor-qa/2014-February/000338.html

- Kevin Dyer wrote a patch to include the Format-Transforming Encryption
protocol in the Tor Browser Bundle:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006223.html
and it looks like FTE will be included by default (but not used by
default) in TBB 3.6:
https://bugs.torproject.org/10362

- David Goulet has made progress on the development of Torsocks 2.x,
a wrapper for Unix-like operating systems that will redirect network
calls in applications to Tor:
https://lists.torproject.org/pipermail/tor-dev/2014-February/006172.html

------------------------------------------------------------------------

4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- Karsten Loesing has migrated the Onionoo GeoIP database to newer
MaxMind databases using Nick Mathewson's mmdb-convert tool.

- We started on providing more detailed information (e.g. platform,
provided transports) about running bridges:
https://bugs.torproject.org/10680

------------------------------------------------------------------------

5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

- Lunar attended the 14th FOSDEM, one of the largest free software events
in Europe. The project had a small booth shared with Mozilla and there
was even a relay operator meetup:
https://lists.torproject.org/pipermail/tor-reports/2014-February/000444.html

- Aaron Gibson presented Tor at the New Media Inspiration 2014 conference
in Prague, Czech Republic:
http://www.tuesday.cz/akce/new-media-inspiration-2014/

- Colin Childs presented Tor at a CryptoParty, in Winnipeg, Canada:
http://wiki.skullspace.ca/CryptoParty

- Andrew Lewman talked about Tor and other privacy issues at the Privacy
SOS CryptoParty at Northeastern University in Boston, MA:
https://lists.torproject.org/pipermail/tor-reports/2014-February/000463.html

- Public events were organized around the winter dev meeting in
Reykjavik: a Crypto Party joined by many Tor developers, an evening
talk at Reykjavik University with more than 60 attendees, a digital
safety training event on Thursday with 15 journalists, and a public
hack day event on Friday with approximately 55 participants.
https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting

- Roger also did a 3-hour training for Icelandic law enforcement on
the Saturday after the dev meeting. It turns out the "IceTor" group runs
some quite fast exit relays in Iceland:
https://blog.torservers.net/20140210/reimbursement-report-2014-01.html
and law enforcement there had forgotten the meeting with Andrew several
years ago.

- On February 11th, the Tor Project participated in "The Day We Fight
Back", a global day of mobilization against NSA mass surveillance:
https://thedaywefightback.org/

- "Bluerasberry" started a proposal for partnership with the Wikimedia
Foundation. Wikipedia wants to do something nice for Tor, but there's
a lot of confusion and controversy about what they can actually do that
would be useful.
https://meta.wikimedia.org/wiki/Grants:IdeaLab/Partnership_between_Wikimedia_community_and_Tor_community

------------------------------------------------------------------------

6) Research: Assist the academic community in analyzing/improving Tor.

- Nearly 100 different Tor relays have participated in the "Trying
Trusted Tor Traceroutes" experiment, which aims to fill in the gaps
about actual Internet routes that traffic takes between Tor relays:
https://lists.torproject.org/pipermail/tor-relays/2014-February/003865.html
http://datarepo.cs.illinois.edu/relay_scoreboard.html

- Roger Dingledine helped Hyoung-Kee Choi and his students diagnose an
issue with their experiment on the Tor bandwidth scanner:
https://lists.torproject.org/pipermail/tor-talk/2014-February/032096.html

- Max Jakob Maass published the preliminary results of a test in
which the RIPE Atlas measurement API was used to retrieve the SSL
certificate of torproject.org from as many countries as possible in
order to detect attempted attacks or censorship:
https://lists.torproject.org/pipermail/tor-talk/2014-February/032173.html

- The CFP for FOCI 2014 (4th Workshop on Free and Open Communications
on the Internet) is now up:
https://www.usenix.org/conference/foci14/call-for-papers


