Here is the April report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to Lunar for compiling much of it!)

------------------------------------------------------------------------

1) Tor: performance, scalability, reachability, anonymity, security.

- Tor 0.2.5.4-alpha was released on April 26th. It includes several
  security and performance improvements for clients and relays, including
  blacklisting authority signing keys that were used while susceptible to
  the OpenSSL "heartbleed" bug, fixing two expensive functions on busy
  relays, improved TLS ciphersuite preference lists, support for run-time
  hardening on compilers that support AddressSanitizer, and more work on
  the Linux sandbox code. It also includes several usability fixes for
  clients using bridges, two new TransPort protocols supported (one on
  OpenBSD, one on FreeBSD), and various other bugfixes.
  https://lists.torproject.org/pipermail/tor-talk/2014-April/032817.html

- We spent many hours working on the outcome of OpenSSL bug
  CVE-2014-0160, also known as the Heartbleed bug. Roger Dingledine wrote
  a security advisory within hours of the bug's disclosure. Sina Rabbani
  and Andrea Shepard worked on tracking vulnerable relays. Operators of
  affected directory authorities generated new signing keys, and we
  blacklisted the old ones. We also configured directory authorities to
  reject identity keys of relays that didn't upgrade quickly.
  https://www.openssl.org/news/vulnerabilities.html#2014-0160
  http://heartbleed.com/
  https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
  https://encrypted.redteam.net/bleeding_edges/
  http://charon.persephoneslair.org/~andrea/private/tor-heartbleed-survey/
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006663.html
  https://lists.torproject.org/pipermail/tor-relays/2014-April/004336.html

- Lessons from the "Heartbleed" bug have been written down in the form of
  new proposals: How to change RSA1024 relay identity keys (proposal 230),
  and Migrating authority RSA1024 identity keys (proposal 231).
  https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/230-rsa1024-relay-id-migration.txt
  https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/231-migrate-authority-rsa1024-ids.txt

- The Tor 0.2.5.4-alpha release marks the end-of-life for Tor 0.2.2.x;
  those Tor versions have accumulated many known flaws. Old relays will be
  rejected from the network once enough directory authorities upgrade.

- We accepted Daniel Martí as a Google Summer of Code (GSoC) student to
  work on reducing bandwidth needed for clients by implementing consensus
  diffs.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006744.html

------------------------------------------------------------------------

2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- David Fifield released new browser bundles configured to use the meek
  transport automatically. These bundles use a web browser extension to
  make the HTTPS requests, so that the TLS layer used is actually Firefox
  itself.
  https://trac.torproject.org/projects/tor/wiki/doc/meek
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006718.html

- Ximin Luo started a discussion on how "indirect" pluggable transports
  like flashproxy or meek are currently handled by Tor, as they are based
  on different assumptions than obfs3 or ScrambleSuit.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006689.html

- Matthew Finkel and Colin Childs worked on warning bridge operators of
  the "Heartbleed" vulnerability, and the actions that should be taken as
  a result.
  https://lists.torproject.org/pipermail/tor-relays/2014-April/004428.html

- As part of GSoC, Marc Juarez is going to work on a framework for
  website fingerprinting countermeasures, Kostas Jakeliunas will spend
  his summer writing a bridge address distributor reachable through
  Twitter, and Quinn Jarrell will work on a pluggable transport combiner.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006741.html
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006749.html
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006777.html

------------------------------------------------------------------------

3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support in
TBB.

- Tor Browser version 3.5.4 was released on April 8th with an updated
  OpenSSL library fixing the "Heartbleed" vulnerability.
  https://blog.torproject.org/blog/tor-browser-354-released

- Tor Browser version 3.6 was released on April 30th. The 3.6 series
  features fully integrated pluggable transport support, including an
  improved Tor Launcher UI for configuring pluggable transport bridges.
  Installation usability for Mac users is also improved by switching to
  the more common DMG format. Many more usability fixes and UI
  improvements were made.
  https://blog.torproject.org/blog/tor-browser-36-released

- Michael Schloh von Bennewitz worked on a guide to configuring a virtual
  machine for building the Tor Browser Bundle, and another to building
  with Gitian.
  https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/VMSetup
  https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/BuildingWithGitian

- David Goulet released the seventh candidate for Torsocks 2.0.0, the
  wrapper for safely using network applications with Tor.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006649.html

- Meejah released version 0.9.2 of txtorcon, the Tor controller library
  for the Twisted Python framework.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006766.html

- Anthony Basile released the Tor-ramdisk live distribution version
  20140409 with updated OpenSSL and kernel.
  https://lists.torproject.org/pipermail/tor-talk/2014-April/032642.html

- David Stainton announced his Tor role for the Ansible automation tool.
  https://github.com/david415/ansible-tor

- GSoC student Israel Leiva will work on revamping GetTor over the
  summer, and Amogh Pradeep will work on the Orfox browser for Android.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006745.html
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006748.html

------------------------------------------------------------------------

4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

- As part of GSoC, Sreenatha Bhatlapenumarthi will work on rewriting the
  Tor Weather application that notifies relay operators of downtimes and
  available software upgrades.
  https://lists.torproject.org/pipermail/tor-dev/2014-April/006752.html

- Arlo Breault announced the release of Bulb, a work-in-progress Tor
  relay web status dashboard.
  https://github.com/arlolra/bulb

- Major parts of Onionoo have been refactored: the Gson library is now
  used instead of plain string concatenation to format the JSON output;
  bandwidth and clients documents for running relays/bridges are now
  always returned.
  https://trac.torproject.org/projects/tor/ticket/11577
  https://trac.torproject.org/projects/tor/ticket/11428

- Onionoo gained a new field last_running for "seen in a network status
  with the Running flag" in addition to last_seen for "seen in a network
  status".
  https://trac.torproject.org/projects/tor/ticket/11430

- Relays/bridges that haven't been running in the past week can now be
  part of Onionoo searches:
  https://trac.torproject.org/projects/tor/ticket/11350

------------------------------------------------------------------------

5) Outreach: teach a broad range of communities about how Tor works, why
it's important, and why this broad range of user communities is needed
for best safety.

- Sukhbir Singh posted a round-up of the various methods by which users
  can download and run the Tor Browser, covering download mirrors,
  GetTor, bridge address distribution, and pluggable transports usage, as
  a blog article.
  https://blog.torproject.org/blog/ways-get-tor-browser-bundle

- Andrew Lewman reported on his week in Stockholm for the Civil Rights
  Defenders' Defenders Days, where he trained activists and learned more
  about the situation in Moldova, Transnistria, Burma, Vietnam, and
  Bahrain.
  https://lists.torproject.org/pipermail/tor-reports/2014-April/000504.html

- Andrew Lewman spoke at F.ounders NYC.
  http://f.ounders.com/

- Roger attended an FBI workshop to make sure we keep up relationships
  there and also to see if we can use them for anything further.

- Kelley Misata represented Tor at the Women in Cyber Security
  Conference.
  http://www.csc.tntech.edu/wicys/

- William Papper presented a functioning beta version of a prototype new
  download page for our website.
  https://wpapper.github.io/tor-download-web/

- Karen, Roger, and others helped plan and caption a pluggable transport
  explanation video that our funders will use to teach people about
  pluggable transports. In the future hopefully we'll reuse and adapt it
  for a broader audience.

------------------------------------------------------------------------

6) Research: Assist the academic community in analyzing/improving Tor.

- Philipp Winter relayed the call for papers for the 4th USENIX Workshop
  on Free and Open Communications on the Internet on the Tor blog.
  https://blog.torproject.org/blog/call-papers-foci14-workshop

- Nick Hopper led a HotPETs submission around the "move to one guard"
  design. Expect a tech report or equivalent soon.

- Roger participated in a panel at an NSF "the future of science"
  workshop in DC, which wanted him to be there to talk to people about
  surveillance, how the NSA leaks impact Tor, and why it would be useful
  for NSF to fund continued research on this topic.

- Roger reviewed another 14 Usenix Security papers:
  https://www.usenix.org/conference/usenixsecurity14

- Roger reviewed an NSF proposal in the censorship circumvention space. I
  hope they fund it.

- Roger did a Tor talk at George Mason University:
  http://today.gmu.edu/64330/
  http://freehaven.net/~arma/slides-gmu14.pdf
  and met with students, including some working on Tor performance
  research, especially an updated Defenestrator ("N23") design.

- Roger visited Berkeley, including:
  - Guest lecture in Xiao Qiang's digital activism class, where they're
    working on many interesting and practical projects around
    circumventing censorship (similar to Dan Boneh's class from a few
    years back).
  - Two hour Q&A discussion with grad students around Tor research
    topics.
  - Talked to David Fifield about Meek and about his font enumeration
    attacks.
  - Talked to Paul Pierce about his botnet research and what lessons we
    can learn for how to handle the botnet that's still sitting on Tor.
  - Talked to Adam Lerner who helps run the UW Tor exit relay. They are
    a great success story about running a fast exit at a university, but
    they've also made some compromises to be able to do it -- most
    notably they add network filters (regexps) to avoid getting hassled
    by their network admins who keep complaining that their computer is
    surely compromised. So technically we should be giving them the
    BadExit flag, but then we'd lose their contribution. We should keep
    working on the right balance here.

_______________________________________________
tor-reports mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
