Re: [tor-dev] [tor-reports] Sebastian's August 2015
On 06/09/15 13:01, Sebastian Hahn wrote:
> Hi there,

Hi Sebastian,

> Next up is more of the same, especially focusing on website tickets
> and preparing the community team's dev meeting contributions.

Maybe we could have a session at the dev meeting to talk about the website (content, structure, translations, etc.). What do you think?

(cc'ing @tor-dev in case more people are interested)

Saludos.

--ilv

signature.asc
Description: OpenPGP digital signature
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] Where are the GetTor downloads (e.g. GitHub)?
Hi David,

> My question is, is there a static URL on GitHub or similar that has the
> latest downloads? That is, one that people can access even without
> having used GetTor? Such a URL would be more useful than a typical
> mirror for many users.

Yes, you can find the latest Tor Browser versions here:

https://github.com/gettorbrowser/dl

Although you will need to know which is the latest version in order to construct a direct download link. I might work on that by the end of my SoP if people find it useful. We are also trying to get an official account for it, but it's still in progress (https://trac.torproject.org/projects/tor/ticket/10692).

p.s.: GetTor is not sending links for the latest version (something is broken with the fetch latest torbrowser script). I'm currently having trouble with my internet connection, so I'll work on it once I have access again.

Saludos.

--ilv

[tor-dev] Summer of Privacy: Enhance GetTor
Hello people,

I just wanted to let you know that this summer I'll be working on improving the current GetTor. I've written about this before here [0] and I detailed my plan for the summer here [1]. Thanks to the nice will of the people running this program and my mentors, I'm starting with a different schedule ("Winter schedule" [2]), which started yesterday :)

If you have comments or new ideas about GetTor, I'd love to hear them.

Best regards,
Israel Leiva.

[0] https://lists.torproject.org/pipermail/tor-dev/2015-April/008718.html
[1] https://people.torproject.org/~ilv/sop_proposal_2015.html
[2] https://trac.torproject.org/projects/tor/wiki/doc/gsoc

Re: [tor-dev] The future of GetTor
> If this conversation moves elsewhere, I would really like to be kept in the
> loop.

To all the people interested, below you'll find a wiki page where we can keep track of all the ideas that have come up. If you have your own idea, please add it :)

https://trac.torproject.org/projects/tor/wiki/org/roadmaps/GetTor/future

Best,

--ilv

Re: [tor-dev] The future of GetTor
> People can use the Tor network to download Tor Browser, with the aid of a
> bootstrapping program. (Which can be much simpler than Tor Browser itself -
> see below.)
>
> If people can't use the Tor network to download a file, then it's unlikely
> that Tor Browser will work for them.
>
> My reasoning went something like this:
> 1. If we can put Tor Browser in an App Store, people won't need to use an app
>    that downloads Tor Browser
> 2. If an App Store doesn't allow Tor Browser, then people need an app that
>    will download Tor Browser
> 3. Perhaps the App Store will allow an app that can download Tor Browser over
>    the Tor network (this could be as simple as tor, torify, and wget
>    executables, and a GUI frontend)

Well, your reasoning makes sense. I guess we'll have to figure out if we can put something like that in an app store (and in an official account). I'll have it in mind as an option, thanks.

--ilv

Re: [tor-dev] The future of GetTor
> Hi,

Hi!

> Maybe an important difference here is that GetTor is a way to circumvent
> censorship (if I understand correctly), while our extension works to
> provide authentication only. I think it's a good idea to rely on browser
> stores not to be censored in the same way as your website. But our
> extension for example, is downloaded from the browser but then is
> executed from a webpage on our website and relies on description files
> provided by our website to verify downloads that are done on any of our
> mirrors. In this scenario, both our website and our mirrors could be
> easily blocked by someone who wants to block our downloads while not
> blocking the browser store.

You are right, thanks for the clarification. GetTor should work when access to Tor Project is blocked, so the scenario you mention would not work in our case. In any case, the idea would be to rely on browser stores and start from there.

> Still, if you think that you can reuse part of our extension we would be
> very happy to work together with you to make this possible. We almost
> finished specifying the extension and Giorgio Maone from NoScript has
> started coding a first prototype.

Great! I'm sure your work will be of help to us if we decide to do something similar. I'll contact you if anything comes up :)

--ilv

Re: [tor-dev] The future of GetTor
On 19/06/15 17:17, Adam Pritchard wrote:
>> Oh, nice! Although for some reason ./testssl.sh --mx torproject.org does
>> not work for me, it says torproject.org has no mx records.
>
> Weird. I just ran it and put the output into a gist -- pretty[1], plain[2].
> And the CheckTLS sender test[3], for good measure.

Weird indeed, it still doesn't work for me. Anyway, thanks for the outputs. I'm worried though, because the script shows a lot of NOT oks :/

> Not a comprehensive list, but here's a start...
>
> Email services that play nice with strong TLS client/server reqs:
>
> * Gmail
> * Yahoo (but maybe not some of the regional ones? Like yahoo.de?)
> * Hotmail/Outlook.com
> * qq.com (Chinese email service)
>
> Email services that do *not*:
>
> * sina.cn, sina.net, sina.com.cn, sina.com (Chinese)
> * 163.com (Chinese)
> * tom.com (Chinese)
> * 126.com (Chinese)

Thank you.

--ilv

Re: [tor-dev] The future of GetTor
Hi Adam,

On 18/06/15 16:40, Adam Pritchard wrote:
>> I'm currently the maintainer of GetTor [1], and together with Nima and
>> Sukhbir we have been talking about the future of it.
>
> If this conversation moves elsewhere, I would really like to be kept in the
> loop.

Good, I'll create a wiki page to keep track of the discussion and ideas (I'll post it later to this thread).

> I'm the primary maintainer of Psiphon's email auto-responder, which was
> initially modeled on Tor's approach. Psiphon is, obviously, also extremely
> interested in robust ways of making our tools available in censoring
> regions. (So, Satori, etc., are also interesting.)

Great, I've heard of Psiphon before, and I'm sure both projects could benefit from working on new/better ways to expand the autoresponder service.

> Relatedly...
>
> When doing Logjam, etc., testing on our responder I found testssl.sh[1] to
> be a handy tool. Used like so:
> ./testssl.sh --mx torproject.org
>
> CheckTLS[2] is also good for actually doing email send and receive tests.

Oh, nice! Although for some reason ./testssl.sh --mx torproject.org does not work for me, it says torproject.org has no mx records.

> We're currently struggling a bit with just how hardcore we can be in
> securing our server communications. Right now Postfix is configured[3] to
> only connect out using TLS and only accept incoming TLS connections from
> servers with a verifiable cert. That seems reasonable, except... we're
> getting complaints that Chinese mail services don't meet those criteria,
> and Chinese users can't/won't/don't use Gmail/Hotmail/Yahoo.
>
> ...As an example of the sort of shared hurdles we might encounter.

Yeah, our current approach is to get to as many people as possible (that's why, for example, we don't do DKIM verification). Maybe we can share experiences about it. Do you have a list of those services?

Anyway, I'll be taking a look at Psiphon's code :)

Thanks,

--ilv

Re: [tor-dev] The future of GetTor
Hi,

> The distributor sounds like a great idea, but, with Option 2, the user should
> always be able to fall back to actual links to the cloud services (wherever
> possible). This allows users who have trouble with the automated download to
> retry later, perhaps at a different location, or with a different browser.

Yes, this makes a lot of sense. This means that we'll need to have hardcoded values in the distributor. Using the front domain technique could help here to avoid blocking those hardcoded URLs.

>> 2) In case we develop the distributor, should the email autoresponder
>> remain?
>
> I'm a big fan of diversity in distribution methods, but there are only a
> limited number of software maintainers…

True that.

>> 3) If you agree on developing the distributor, what option do you think
>> would fit better? (please suggest better options)
>
> If the distributor is a backend (Option 1), it would help to have mirror(s).
> But I wonder if we are just re-creating a single point of failure, and would
> be better using a CDN. It would be a terrible experience to succeed in
> downloading an app, only to find that the distributor was blocked.

Yes, I'm thinking that, in the end, having an API and mirrors would be the same as doing Option 2 (e.g. having static mirrors on a CDN).

> Is it possible to submit an app to the app stores (I am thinking Apple's
> restrictions, here) that would bootstrap a Tor Browser download over the Tor
> network?
>
> For example:
> 1. Download app
> 2. The app has various CDN links (or a way of getting them) and some
>    predefined bridges
> 3. The app tries the CDN links and bridges in order of reliability / expense
> 4. If the links or bridges fail, the user gets advice on how to find new,
>    uncensored links or bridges and input them.
> 5. App downloads and verifies Tor Browser using the CDN or the Tor network
>
> In most cases, the user experience would be one-click:
> 1. Open the app
> 2. See a recommended option highlighted out of a list of working options
> 3. click download
> 4. see a progress bar
> 5. Get a verified Tor Browser

Yes, the user experience that you mention is what we're looking for. About using the Tor network... I'm not sure about it. It's like using Tor to download Tor? Still, I'll write it down as an option.

Thanks teor!

Best,

--ilv

Re: [tor-dev] The future of GetTor
Hi Griffin,

On 16/06/15 05:54, Griffin Boyce wrote:
> While I don't necessarily want to discourage you from working on
> GetTor, it's worth noting the duplicated effort in terms of distribution
> apps. My primary project makes downloading Tor (and other privacy
> software) from un-censored sources easy, verifying sha256 hashes easy,
> along with distributing tutorials and bridges [1][2].

Au contraire, thanks for pointing this out. I'm familiar with your work, I just forgot to mention it as a reference of similar work. And yes, the idea is not to duplicate effort :)

> The project is called Satori -- it's under heavy development, but has
> traction, particularly in Iran and China [3]. Satori comes partly from
> the fact that I don't scale -- 1-to-1 distribution is important but
> takes a lot of time and a handful of trainers can't help everyone. So I
> can write applications and increase my positive impact (particularly
> once guides are included and translations are finished). Downloads are
> via accessible CDNs and torrents.

Although the result would be similar (the desktop flow is pretty much what we want), for the moment I'm not sure if we want to do it in the same way. We're still brainstorming though... (I'll create a wiki page and send it later in this thread in case you want to collaborate). When new versions of Tor Browser are available, how does the update process work in Satori (uploading it, doing checksums, etc)?

> To answer your questions: 1) distributors are important IMO (see
> above). 2) I've always liked the idea of email autoresponders for
> software, but as the size of the Tor Browser increases, I'm not sure how
> viable it will be. It may be worthwhile to experiment with sending
> unblocked CDN links and torrent files. 3) I considered an API but don't
> think it would work as it just recreates the single point of failure
> that one is trying to avoid with this kind of project. At least for me,
> the focus on CDN and bittorrent-based software distribution make the
> most sense.

With respect to point 2), we do not send attachments, we're sending Dropbox links and soon enough we'll be sending Github links too. About 3), right now we're figuring out if we can use an API (or something similar) with some sort of mirroring approach that could help us avoid the single point of failure that you mention. As I said, we're still discussing, so we might get to the same conclusion as you :)

Thanks for your comments Griffin!

Best,

--ilv

Re: [tor-dev] The future of GetTor
On 16/06/15 05:15, intrigeri wrote:
> Hi,

Hi,

> You might be interested in the work that's happening there:
> https://tails.boum.org/blueprint/bootstrapping/extension/
>
> (I'm not directly involved in this, for more information ask
> sajol...@pimienta.org.)

This looks great, thanks for the link! I still haven't read it in depth, but a priori it seems that it's quite close to what we want to achieve (as one component of the distributor, at least).

Best,

--ilv

[tor-dev] The future of GetTor
Hi people,

I'm currently the maintainer of GetTor [1], and together with Nima and Sukhbir we have been talking about the future of it.

First, let me present you what is (roughly) the current status of GetTor:

* We send links to download Tor Browser, along with its signature file. These files are stored on Dropbox. I will be working on integrating new cloud/hosting services during Summer of Privacy.
* We send these links via email. I will be working on new modules to send links via chat (XMPP) and Twitter (DM) during Summer of Privacy.
* We send links to download the English (US) package of Tor Browser. I will be working on support for more locales during Summer of Privacy.

That is what we have now. It's not much, but it works (more info in [1]).

So, what about it? Software evolves, and we think it might be the time for GetTor to go beyond its current design. Moreover, we have received valid concerns that emails could be tampered with and users could get malicious versions of Tor Browser (although we have no evidence that this is happening). Right now, when you get the Tor Browser via this method it is up to you to verify its integrity.

With this in mind, we have been discussing the idea of having a signed and verified distributor app (desktop), available on official channels (OSX app store, Google Chrome store, etc), which could ease the process of downloading and verifying the integrity of Tor Browser. In other words, a user should be able to download and make sure it has the right file with just a few clicks. However, we have different thoughts on how this should work:

* Option 1: GetTor should work as a backend and have an API. The distributor (and even other apps) would send queries to this API asking for links. The problem with this is that if Tor Project's website is blocked, it is quite possible that the API would be blocked too (e.g. gettor.torproject.org).
* Option 2: The distributor is in charge of presenting various alternatives to the user and getting the files directly from the cloud/hosting services.

So, the purpose of this email is to get feedback from the community, and my specific questions to you people are the following:

1) What do you think of the distributor idea? Is it something you or others would want?
2) In case we develop the distributor, should the email autoresponder remain?
3) If you agree on developing the distributor, what option do you think would fit better? (please suggest better options)

I would really love to hear your comments about this idea, my work at Summer of Privacy might change depending on this discussion, so please feel free to express your feelings about it :)

Thanks for your time!

[1] https://www.torproject.org/projects/gettor.html.en
[2] https://trac.torproject.org/projects/tor/wiki/org/roadmaps/GetTor

--ilv

[tor-dev] Summer of Privacy: Enhance GetTor
Hi people,

My name is Israel Leiva. I'm a student of BSc. in Computer Science at Universidad de Santiago de Chile. I'm also the maintainer of GetTor and one of the students selected for Tor Summer of Privacy.

This summer I'll be working on GetTor, improving what I did in last year's GSoC and adding new stuff. In short, I will:

* Improve stats and debugging.
* Deploy more providers: GDrive, GitHub.
* Enable more distribution channels: XMPP, Twitter.
* Create tests for GetTor.
* New features, like send mirrors list and localized Tor Browser.

I started to work on most of this stuff in last year's GSoC, and I will finish it during this TSoP. For more details, you can read my proposal 'Enhance GetTor' on [0]. My mentors will be Sukhbir and Nima.

I'm really happy to be working at the Tor Project again and I hope to do my best. If you have comments or new ideas about [0], I'm all ears.

[0] https://people.torproject.org/~ilv/sop_proposal_2015.html

Have a nice day!

--ilv

[tor-dev] GetTor development status
Hi people.

We've been working very hard to get GetTor deployed as soon as possible. Meanwhile, I'd like to tell you what we've been up to.

1) Changed from logging quite a bit of stuff, to not logging at all. GetTor actually creates log files, but they remain empty. We'll see what we need to log on the way.

2) Changed from keeping stats about the requests (os, locale, etc) to just keeping a counter to know how many requests we've received so far. The only exception is with some info necessary to avoid flood, namely: the hashed user, number of requests for that user and the last time that user made a request. All of this is stored in a SQLite database.

3) For now we'll only send Dropbox links. We now use long urls with the ?dl=1 prefix to automatically download the file, instead of the old short urls used (during the revamp). You can see an example of what urls should be sent on [1]. We hope to implement other providers in the future. We'll need an official Dropbox account for this, this is one of the things we're waiting to deploy.

4) You can check a template of the message that should be sent when sending the links on [2], under the "links_msg" msgid. The interpolated info is: operating system, locale, the links (see [1] for links format). We're working on making this as usable as possible, so any thought on this is very welcome!

5) I still have pending a script to synchronize with the latest version of TBB on dist.tp.o and upload that to Dropbox. Help here is very welcome too.

I think that is all for now. Any comment/feedback is welcome. If you have any crazy ideas about new ways to distribute the TBB with GetTor, please tell us. I have created two files in the Github repo: providers [3] and distribution_methods [4]. Make a pull request if you're feeling inspired :)

[1] https://github.com/ileiva/gettor/blob/master/providers/dropbox.links
[2] https://github.com/ileiva/gettor/blob/master/lang/smtp/i18n/en/LC_MESSAGES/en.po
[3] https://github.com/ileiva/gettor/blob/master/providers.txt
[4] https://github.com/ileiva/gettor/blob/master/distribution_methods.txt

happy hacking,

-- 
0xA456E2CE540BFC0E

[tor-dev] GetTor dev meeting (Friday 10th, 5.30pm UTC)
Hi people!

We are having our GetTor dev meeting on Friday 10th at 5.30pm UTC. It will take place at the #tor-dev IRC channel in the OFTC network. This is the last meeting before we deploy the new version of GetTor.

Everyone is welcome to participate!

Have a nice day.

-- 
4096R/540BFC0E

[tor-dev] [GSoC] Revamp GetTor summary
Hi!

First of all, I want to thank the people at tor-dev that make this happen every year, it was an awesome experience and I sincerely hope to be around for a long time. I also want to thank my mentor Sukhbir for always being around to solve doubts and checking up on my progress, and to my co-mentor Nima for his always useful advice and comments.

Secondly, I would like to give you a brief summary of what I did during these 3-4 months:

1) Rewrote GetTor from scratch. Now it should be easier to add new ways to distribute download links for TBB.
2) Created two components for this new GetTor: SMTP and XMPP.
3) Enabled the (old) multilingual feature. Now you can receive replies in your language (in case translation exists).
4) Created a component to automatically upload TBB to Dropbox.
5) Enabled basic blacklisting of users. It basically prevents flood by specifying a limit of requests during a certain period of time.
6) Added a small SQLite database for 5) and to get some stats. No real info about the addresses/accounts stored.

I would really appreciate any feedback on the work done, especially about the points 5) and 6). Do these points make sense to you?

The plan for now is to keep doing tests and deploy it asap (hopefully during September). As always, you can check the code on [0].

That would be all for now, have a nice weekend!

[0] https://github.com/ileiva/gettor/tree/master/src

Best,

-- 
4096R/540BFC0E

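Added example, not part of the original posts and not GetTor's own code: the anti-flood record described in the "GetTor development status" post (point 2) and in the GSoC summary (points 5 and 6), storing only a hashed user, a request count, the time of the last request and one global counter in SQLite. The limit, the window length, the table and function names, and the choice of a keyed HMAC for the hash are assumptions.

```python
import hashlib
import hmac
import sqlite3
import time

# Assumed policy values; the posts do not state GetTor's real limits.
MAX_REQUESTS = 3        # answered requests allowed per user in one window
WINDOW_SECONDS = 3600   # quiet time after which counting starts again

SCHEMA = """
CREATE TABLE IF NOT EXISTS requests (
    user_hash TEXT PRIMARY KEY, n_requests INTEGER NOT NULL, last_request REAL NOT NULL);
CREATE TABLE IF NOT EXISTS stats (name TEXT PRIMARY KEY, value INTEGER NOT NULL);
INSERT OR IGNORE INTO stats VALUES ('total_requests', 0);
"""


def open_db(path=":memory:"):
    """Hashed user, request count and last request time, plus one counter."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def hash_user(address, key):
    """Keyed hash of the normalised address; the address is never stored.
    Assumption: HMAC-SHA256 with a server-side secret, since a bare hash of
    an e-mail address can be reversed by hashing candidate addresses.
    """
    normalised = address.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def allow_request(conn, address, key, now=None):
    """Count the request; return True if a reply with links should be sent."""
    now = time.time() if now is None else now
    user = hash_user(address, key)
    with conn:  # one transaction: commit on success, roll back on error
        conn.execute("UPDATE stats SET value = value + 1 WHERE name = 'total_requests'")
        row = conn.execute(
            "SELECT n_requests, last_request FROM requests WHERE user_hash = ?", (user,)
        ).fetchone()
        if row is None or now - row[1] >= WINDOW_SECONDS:
            # New user, or quiet for a full window: start counting from 1.
            conn.execute("INSERT OR REPLACE INTO requests VALUES (?, 1, ?)", (user, now))
            return True
        if row[0] < MAX_REQUESTS:
            conn.execute(
                "UPDATE requests SET n_requests = n_requests + 1, last_request = ?"
                " WHERE user_hash = ?", (now, user))
            return True
        # Over the limit: leave the row untouched, so the block ends
        # WINDOW_SECONDS after the last request that was answered.
        return False


def total_requests(conn):
    """The only statistic kept: how many requests have arrived so far."""
    row = conn.execute("SELECT value FROM stats WHERE name = 'total_requests'").fetchone()
    return row[0]


if __name__ == "__main__":
    db = open_db()
    secret = b"constructed-demo-key"  # constructed; use a real secret in practice
    for second in (0, 10, 20, 30):    # constructed request times
        print(second, allow_request(db, "user@example.org", secret, now=second))
    print("total:", total_requests(db))
```

Because only the time of the last answered request is kept, the limit is a quiet-period rule rather than a sliding window: a sender who keeps requesting while blocked does not extend the block.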