[tor-reports] SponsorF August 2014 report

Roger Dingledine arma at mit.edu
Tue Sep 9 15:17:09 UTC 2014


Here is the August report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to Lunar for compiling much of it!)

------------------------------------------------------------------------

1) Tor: performance, scalability, reachability, anonymity, security.

- In mid August we switched the NumEntryGuards consensus parameter from
3 to 1 -- that is, we deployed one of the major recommendations from the
"One Fast Guard for Life" HotPETS 2014 paper. Preliminary analysis from
Aaron Johnson shows that moving from 3 guards to 1 guard gives us the bulk
of the benefit against the guard rotation vulnerabilities discussed in
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
More analysis coming later I hope.
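
The following is an added illustrative model (mine; it is not Tor's code and not the analysis from the HotPETS paper or the blog post linked above) of why the guard count matters: every extra guard slot, and every rotation, is another draw in which a client can land on an adversary-run guard. The adversary fraction of guard bandwidth, the rotation periods, and the one-year horizon are assumed values chosen for illustration, not measured numbers.

```python
# Added illustrative model, not Tor code. Assumptions (mine, for illustration):
# each guard pick independently lands on an adversary guard with probability
# `malicious_fraction` (bandwidth-weighted), and every guard slot is re-chosen
# every `rotation_days`. Rotation lengths below are assumed, not Tor's values.
import math
import random


def guard_selections(num_guards, rotation_days, horizon_days):
    """Number of distinct guard picks a client makes over the horizon."""
    per_slot = math.ceil(horizon_days / rotation_days)
    return num_guards * per_slot


def p_exposed(num_guards, rotation_days, horizon_days, malicious_fraction):
    """Closed form: probability at least one picked guard was malicious."""
    n = guard_selections(num_guards, rotation_days, horizon_days)
    return 1.0 - (1.0 - malicious_fraction) ** n


def simulate_exposed(num_guards, rotation_days, horizon_days,
                     malicious_fraction, trials=20000, seed=1):
    """Monte-Carlo check of p_exposed with the same independence assumption."""
    rng = random.Random(seed)
    n = guard_selections(num_guards, rotation_days, horizon_days)
    hits = sum(
        1 for _ in range(trials)
        if any(rng.random() < malicious_fraction for _ in range(n))
    )
    return hits / trials


def compare_policies(horizon_days=365, malicious_fraction=0.01):
    """Exposure under the old NumEntryGuards=3 and the new NumEntryGuards=1,
    with rotation unchanged, plus a longer-rotation variant (270 days assumed)."""
    policies = {
        "3 guards, 60-day rotation (assumed old setting)": (3, 60),
        "1 guard, 60-day rotation (NumEntryGuards=1)": (1, 60),
        "1 guard, 270-day rotation (assumed longer rotation)": (1, 270),
    }
    return {name: p_exposed(k, r, horizon_days, malicious_fraction)
            for name, (k, r) in policies.items()}


if __name__ == "__main__":
    # With the defaults: about 0.190, about 0.068, and 0.0199 respectively.
    for name, p in compare_policies().items():
        print(f"{p:6.3f}  {name}")
```

Dropping from three guard slots to one cuts the number of draws by a factor of three for the same rotation schedule, which is the "bulk of the benefit" referred to above; lengthening the rotation period then shrinks the remaining exposure further. The model ignores bandwidth weighting details and correlated guard choice, so treat it as a sanity check on the direction of the effect, not as a measurement.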

- George Kadianakis continued discussions on the design of the next
generation of Hidden Services and handling of Introduction Point
selection.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007335.html

- The Tor network no longer supports designating relays by nickname,
ending a set of long-standing issues.
https://lists.torproject.org/pipermail/tor-talk/2014-August/034380.html

- Nick Mathewson has been working on Trunnel, a tool to automatically
generate binary encoding and parsing code based on C-like
structure descriptions.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007355.html

- Nick Mathewson wrote ed25519-based primitives intended to implement
proposals 220, 224, and 228 (so we can change to stronger identity keys
for relays, hidden services, etc).
https://bugs.torproject.org/12980

------------------------------------------------------------------------

2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- Yawning Angel has made available experimental versions of the Tor
Browser that include the latest version of the obfs4 pluggable
transport.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007404.html
https://lists.torproject.org/pipermail/tor-dev/2014-August/007420.html
https://github.com/Yawning/obfs4

- Thanks to Fabian Keil, liballium and obfsclient are in the FreeBSD
ports tree now:
https://docs.freebsd.org/cgi/getmsg.cgi?fetch=4055628+0+/usr/local/www/db/text/2014/svn-ports-all/20140824.svn-ports-all

- David Fifield published a detailed tutorial on how to use the
"meek" pluggable transport:
https://blog.torproject.org/blog/how-use-%E2%80%9Cmeek%E2%80%9D-pluggable-transport

- David Fifield sent a breakdown of the (surprisingly tiny) costs incurred
by the infrastructure that supports the meek pluggable transport since
its introduction and the new set of users coming with the first alpha
release of the Tor Browser 4.0.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007429.html

------------------------------------------------------------------------

3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

- We released Tor Browser versions 3.6.4 and 4.0-alpha-1 on August 12.
The stable version contains fixes for several new OpenSSL bugs,
and enables users to see log warnings about the RELAY_EARLY traffic
confirmation attack. The first alpha version of the 4.0 series includes
the meek pluggable transport, and paves the way to the upcoming
auto-updater by using a new directory layout.
https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released

- Mike Perry wrote up more details about the Tor Browser team's work
in August:
https://lists.torproject.org/pipermail/tor-reports/2014-September/000642.html

- Anthony G. Basile announced a new release of tor-ramdisk, an i686 or
x86_64 uClibc-based micro Linux distribution whose only purpose is to
host a Tor server.
http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-August/000132.html

- meejah released a new command-line application, carml, a versatile
set of tools to query and control a running Tor.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007295.html
https://github.com/meejah/carml

- Torsocks is a wrapper program that will force an application's
network connections to go through the Tor network. David Goulet
released version 2.0.0, blessing the new codebase as stable after
more than a year of efforts.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007330.html
https://gitweb.torproject.org/torsocks.git/blob/HEAD:/README.md

- meejah announced the release of version 0.11.0 of txtorcon, a
Twisted-based Python controller library for Tor.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007375.html

- Mike Perry posted an overview of a recent report put together by iSEC
Partners and commissioned by the Open Technology Fund to explore current
and future hardening options for the Tor Browser.
https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study

- The Guardian Project has announced the first working versions of
Orfox, a new Firefox-based secure browser for Android.
https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html
https://github.com/guardianproject/OrfoxFennec

------------------------------------------------------------------------

4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- Karsten Loesing published some code to compute similarity metrics in
order to prevent more Sybil attacks in the future.
https://github.com/kloesing/SAD
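
As an added example of the kind of similarity scoring this is about (my own illustration, not the code in the SAD repository above): score pairs of relays on attributes that a batch of Sybil relays tends to share (same /16, same platform string, same contact line, near-identical first-seen time, nickname differing only by a numeric suffix) and group the pairs that score above a threshold. The relay records below are constructed for the example and the weights and threshold are assumptions.

```python
# Added illustrative example (mine, not Karsten Loesing's SAD tool).
# Records, attribute weights and the threshold are constructed assumptions.
from collections import defaultdict
from itertools import combinations

# Constructed sample relays (not real relays; documentation-range IPs).
# first_seen is in hours since an arbitrary epoch.
RELAYS = [
    {"nickname": "alice", "ip": "192.0.2.4",
     "platform": "Tor 0.2.4.23 on Linux", "contact": "alice@example.net",
     "first_seen": 50},
    {"nickname": "fastrelay01", "ip": "198.51.100.11",
     "platform": "Tor 0.2.4.23 on Linux", "contact": "ops@example.org",
     "first_seen": 1000},
    {"nickname": "fastrelay02", "ip": "198.51.100.12",
     "platform": "Tor 0.2.4.23 on Linux", "contact": "ops@example.org",
     "first_seen": 1000},
    {"nickname": "fastrelay03", "ip": "198.51.100.13",
     "platform": "Tor 0.2.4.23 on Linux", "contact": "ops@example.org",
     "first_seen": 1001},
    {"nickname": "Unnamed", "ip": "198.51.100.9",
     "platform": "Tor 0.2.5.6-alpha on FreeBSD", "contact": "",
     "first_seen": 10},
    {"nickname": "bob", "ip": "203.0.113.7",
     "platform": "Tor 0.2.4.23 on Windows", "contact": "",
     "first_seen": 999},
]


def nickname_stem(nickname):
    """'fastrelay01' -> 'fastrelay': strip a numeric suffix, ignore case."""
    return nickname.lower().rstrip("0123456789")


def similarity(a, b):
    """Weighted count of shared Sybil-ish attributes (weights are assumed)."""
    score = 0
    if a["ip"].split(".")[:2] == b["ip"].split(".")[:2]:
        score += 2  # same /16
    if a["platform"] == b["platform"]:
        score += 1  # identical version and OS string
    if a["contact"] and a["contact"] == b["contact"]:
        score += 1  # same non-empty contact line
    if abs(a["first_seen"] - b["first_seen"]) <= 1:
        score += 2  # appeared within an hour of each other
    if nickname_stem(a["nickname"]) == nickname_stem(b["nickname"]):
        score += 2  # nicknames differ only by a number
    return score


def find_clusters(relays, threshold=5):
    """Union-find over pairs scoring >= threshold; return groups of 2+ relays."""
    parent = list(range(len(relays)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(relays)), 2):
        if similarity(relays[i], relays[j]) >= threshold:
            parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i, relay in enumerate(relays):
        groups[find(i)].append(relay["nickname"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in find_clusters(RELAYS):
        print("suspicious group:", ", ".join(group))
```

Only the three "fastrelay" records end up grouped; the unrelated relay in the same /16 and the one that happened to join at a similar time each share too little to cross the threshold. In practice the weights need tuning against historical data, and a high score is a prompt for a human to look, not proof of a Sybil.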

- David Fifield explored visualizations of the consensus that made the
recent Sybil attack visible.
https://bugs.torproject.org/12813

- Karsten Loesing worked on several performance fixes for Onionoo.
https://bugs.torproject.org/12655
https://bugs.torproject.org/12849

- Onionoo now provides a version field enabling clients to verify
their support of the current data format.
https://bugs.torproject.org/12905

------------------------------------------------------------------------

5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

- The Electronic Frontier Foundation wrote two blog posts to show why Tor
is important for universities and how universities can help the Tor
network.
https://www.eff.org/deeplinks/2014/08/tor-campus-part-i-its-been-done-and-should-happen-again
https://www.eff.org/deeplinks/2014/08/tor-campus-part-ii-icebreakers-and-risk-mitigation-strategies

- Nick Mathewson was interviewed by Joe McGonegal of "Slice of MIT".
https://slice.mit.edu/2014/08/28/tor-project/

- Lunar attended the 15th annual Debian conference in Portland, Oregon,
and gave a talk on the effort to build Debian packages deterministically,
which is inspired in large part by Tor Browser's use of the same
technology:
http://meetings-archive.debian.net/pub/debian-meetings/2014/debconf14/webm/Reproducible_Builds_for_Debian_a_year_later.webm

- Andrew Lewman gave interviews to the Guardian and the BBC with vast
reach.
http://www.theguardian.com/technology/2014/aug/21/tor-aphex-twin-taylor-swift
http://www.bbc.com/news/technology-28889714

- Roger and others participated in a gathering of circumvention developers
and researchers in San Diego, on the transition day after FOCI ended and
before Usenix Security began. Collaborations and brainstorming sessions
led to stronger ties between groups.

------------------------------------------------------------------------

6) Research: Assist the academic community in analyzing/improving Tor.

- Roger gave a lightning talk at FOCI about the need for better ways
to handle accountability and anonymity, and followed it up with a more
detailed blog post:
https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users

- Roger and Paul were present to receive the Usenix Security "Test of
Time" award for the Tor 2004 paper. They did a short panel in front of
the whole audience to give advice on how to pick good paper topics, and
to discuss why the Tor topic has been so strong over the years.

- It's becoming increasingly obvious that Tor needs more accurate relay
bandwidth measurement -- as the network grows, some fast relays are not
getting large weights in the consensus, so we're effectively wasting
volunteered resources. Several research groups have been looking into
secure bandwidth measurement, which hopefully will include "accurate"
bandwidth measurement somewhere along the way.

- Kevin Dyer gave a talk at USENIX Security on LibFTE: A Toolkit for
Constructing Practical, Format-Abiding Encryption Schemes.
https://kpdyer.com/publications/usenix2014-fte.pdf

- Usenix Security also had a session entitled "Tracking Targeted
Attacks against Civilians and NGOs", where papers from our sub-area
were presented to a broader audience. Hopefully the mainstreaming of
these topics in the academic security world will lead to more, and more
in-depth, papers on the topic.

- Gareth Owen wrote an update about the status of the Java Tor Research
Framework. The framework is a largely functional Tor client with
code that is easy to read, follow and, crucially, change for custom
functionality.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007328.html

- Mike Perry posted an updated version of the proposal for website
fingerprinting countermeasures which he co-authored with Marc Juarez as
part of Marc's Google Summer of Code project.
https://lists.torproject.org/pipermail/tor-dev/2014-August/007417.html
https://gitweb.torproject.org/user/mikeperry/torspec.git/blob/refs/heads/multihop-padding-primitives:/proposals/ideas/xxx-multihop-padding-primitives.txt
