[tor-reports] What Nick did in April 2014

Nick Mathewson nickm at torproject.org
Thu May 1 14:42:59 UTC 2014 

Hi, friends.  Here's what I did in April 2014.

The heartbleed bug went public, and like all the rest of the
openssl-using world, we had to run in circles.  Other people did much
more work here than I; I wrote a couple of  design proposals for how
to do RSA1024 migration "the right way" (proposals 230, 231), and
wrote the code to block authority signing keys that had been used on
authorities while the bug was in effect (#11464)

We've been charging ahead on getting 0.2.5.x-alpha out.  This month,
we put out Tor 0.2.5.4-alpha. We merged dozens of fixes and patches,
including some for IPv6 usage, IPv6 with DNSPorts, pluggable transport
usability, and *BSD transparent proxies.  Code I worked on myself
included
  * authority signing key blocking (11464)
  * Numerous sandbox code fixes
  * automatic support for the AddressSanitizer and UbSan sanitizers
for run-time checking for a number of security issues. (11477)
  * Numerous pluggable transport and client usability fixes,
particularly at bootstrap time (eg 9665, 2454)
  * Improved memory-DoS resistance by using measured memory levels to
decide when we're almost out of memory.
  * major performance improvement (conjectured) when running a relay
that's low on circuit IDs. (11553)
 *  fix a significant memory leak in microdesc parsing (11649)

I went methodically through the code-analysis tools we've tried,
including several with high with false positive rates, looking for
bugs in Tor.  These led to a couple of important fixes and a lot of
code improvements.  Tools used include clang's dynamic sanitizers (see
above, 11232), clang's static analysis tool (8793), valgrind on the
unit tests (11649, 11618), coverity scan, and our own check-docs tool.

I updated the client and server ciphersuites in Tor's TLS usage to
prefer the use of ECDHE with strong ciphers, and to match (on the
client side) a newer firefox ciphersuite lists. (11438, 11513, 11528).

I merged proposals 232 to 236 to the torspec repository.

I started work on a "roadmap" -- really, a list of all the coding
projects I'd like us to do in tor over the next few years.  It's been
a while since we had one.  I finished the first major section and
started on the second.

I participated in the last stages of student selection for GSoC, and
talked with the accepted students about preparing their projects.

Towards the end of the month, I triaged the tickets pending backport
for 0.2.4.x in , and spent a lot of time discussing proper criteria
for backports to stable.

In May:
 * I hope we can put out a stable 0.2.4.22, and an 0.2.5.5-alpha with
(nearly?) all of the issues in 0.2.5 resolved.
 * I hope I can finally finish that roadmap thing.
 * I should revise proposals that target 0.2.6.
 * I hope we can do some 0.2.6 work at last!

cheers!
-- 
Nick

More information about the tor-reports mailing list