[tor-commits] [community/develop] Add starter project ideas

[pili]

commit b0158db91a3f99e7e664b9d1577f4374947546d7
Author: Pili Guerra <p...@piliguerra.com>
Date:   Wed Jan 22 17:59:56 2020 +0100

    Add starter project ideas
---
 .../gsoc/cloudflare-captcha-monitoring/contents.lr | 47 ++++++++++++++++
 content/gsoc/onion-toolbox/contents.lr             | 58 ++++++++++++++++++++
 content/gsoc/tor-relay-ipv6-support/contents.lr    | 56 +++++++++++++++++++
 content/gsoc/tor-weather/contents.lr               | 64 +++++++++++++++++++++-
 4 files changed, 223 insertions(+), 2 deletions(-)

diff --git a/content/gsoc/cloudflare-captcha-monitoring/contents.lr 
b/content/gsoc/cloudflare-captcha-monitoring/contents.lr
new file mode 100644
index 0000000..e6ba0d5
--- /dev/null
+++ b/content/gsoc/cloudflare-captcha-monitoring/contents.lr
@@ -0,0 +1,47 @@
+_model: project
+---
+_template: project.html
+---
+active: True
+---
+section: GSoC
+---
+section_id: gsoc
+---
+color: primary
+---
+key: 1
+---
+languages: javascript
+---
+mentors: arma, gk
+---
+difficulty: medium
+---
+title: Cloudflare Captcha Monitoring
+---
+summary:
+
+We should track the rate that cloudflare gives captchas to Tor users over time.
+
+---
+description: 
+
+My suggested way of doing that tracking is to sign up a very simple static 
webpage to be fronted by cloudflare, and then fetch it via Tor over time, and 
record and graph the rates of getting a captcha vs getting the real page.
+
+The reason for the "simple static page" is to make it really easy to 
distinguish whether we're getting hit with a captcha. The "distinguishing one 
dynamic web page from another" challenge makes exitmap tricky in the general 
case, but we can remove that variable here.
+
+One catch is that Cloudflare currently gives alt-svc headers in response to 
fetches from Tor addresses. So that means we need a web client that can follow 
alt-srv headers -- maybe we need a full Selenium like client?
+
+Once we get the infrastructure set up, we would be smart to run a second one 
which is just wget or curl or lynx or something, i.e. which doesn't behave like 
Tor Browser, in order to be able to track the difference between how Cloudflare 
responds to Tor Browser vs other browsers.
+
+I imagine that Cloudflare should be internally tracking how they're handling 
Tor requests, but having a public tracker (a) gives the data to everybody, and 
(b) helps Cloudflare have a second opinion in case their internal data diverges 
from the public version.
+
+The Berkeley ICSI group did research that included this sort of check:
+​https://www.freehaven.net/anonbib/#differential-ndss2016
+​https://www.freehaven.net/anonbib/#exit-blocking2017
+but what I have in mind here is essentially a simpler subset of this research, 
skipping the complicated part of "how do you tell what kind of response you 
got" and with an emphasis on automation and consistency.
+
+There are two interesting metrics to track over time: one is the fraction of 
exit relays that are getting hit with captchas, and the other is the chance 
that a Tor client, choosing an exit relay in the normal weighted faction, will 
get hit by a captcha.
+
+Then there are other interesting patterns to look for, e.g. "are certain IP 
addresses punished consistently and others never punished, or is whether you 
get a captcha much more probabilistic and transient?" And does that pattern 
change over time?
\ No newline at end of file
diff --git a/content/gsoc/onion-toolbox/contents.lr 
b/content/gsoc/onion-toolbox/contents.lr
new file mode 100644
index 0000000..a551ba8
--- /dev/null
+++ b/content/gsoc/onion-toolbox/contents.lr
@@ -0,0 +1,58 @@
+_model: project
+---
+_template: project.html
+---
+active: True
+---
+section: GSoC
+---
+section_id: gsoc
+---
+color: primary
+---
+key: 1
+---
+languages: javascript
+---
+mentors: hiro, asn
+---
+difficulty: medium
+---
+title: Onion Tool Box
+---
+summary:
+
+Myonion is a developer tool box, providing a command line interface and a GUI 
to configure and deploy existing services via .onion. A minimal prototype for 
myonion already [exists](https://github.com/hiromipaw/myonion).
+
+Someone that may want to run an onion service can use the myonion wrapper app 
to start a .onion from their computer and sharea static website or a web 
application.
+
+Myonion can also be used to deploy the resulting configured app to a defined 
set of cloud providers.
+
+---
+description: 
+
+## Problem definition
+
+It is not necessarily difficult to use onion services, but it might be tricky 
to configure a web service to be offered via .onion so that it doesn’t leak 
sensitive information.
+
+There are detailed 
[guides](https://riseup.net/en/security/network-security/tor/onionservices-best-practices)
 available for users that would like to offer a web application via .onion and 
some tools have been developed to help service operators: discover known 
misconfiguration or [vulnerabilities](https://onionscan.org/) or deploy an 
[onion site](https://github.com/alecmuffett/eotk).
+
+## Scope
+
+Myonion provides a way to build and deploy onion ready applications, allowing 
developers to build and test web applications and easily share them with 
others, bundling the code and configuration in a lightweight, portable Docker 
container application that runs thesame everywhere.
+
+The experience for developers will be similar to using other industry 
solutions, like the [Docker desktop 
app](https://www.docker.com/products/docker-desktop).
+
+Developers using myonion are provided with pre-defined and customizable 
application templates, with corresponding configuration and a test set, 
eliminating  error-prone manual setup and known onion service configuration 
mistakes.
+
+The resulting application is therefore deployable via a set of endpoint 
management tools to known providers. Providing a way to deploy onion services 
at scale.
+
+## Impact
+
+The idea behind myonion is to make onion services accessible to developers 
that might be interested to innovate in the privacy space, building 
applications that are designed for privacy and security.
+
+Involving a wider developer community can help creating a better image of Tor 
and onion services, replacing the “dark net” narrative with the secure and 
private web one.
+
+Onion services can also be relevant to all those people interested in the 
“zero-trust” strategy. The concept behind zero-trust is to adopt strategies 
and tools to help prevent data breaches by eliminating the concept of trust 
from an organization’s network architecture, with the principle of never 
trust, always verify.
+
+Ultimately myonion is about creating a better experience for onion services 
developers and operators and therefore fostering a more legitimate onion 
service ecosystem.
diff --git a/content/gsoc/tor-relay-ipv6-support/contents.lr 
b/content/gsoc/tor-relay-ipv6-support/contents.lr
new file mode 100644
index 0000000..3624ca1
--- /dev/null
+++ b/content/gsoc/tor-relay-ipv6-support/contents.lr
@@ -0,0 +1,56 @@
+_model: project
+---
+_template: project.html
+---
+active: True
+---
+section: GSoC
+---
+section_id: gsoc
+---
+color: primary
+---
+key: 1
+---
+languages: C
+---
+mentors: teor, ahf, dgoulet, catalyst
+---
+difficulty: Medium
+---
+title: Improve Tor Relay IPv6 Support
+---
+summary:
+
+Tor helps people stay safe on the internet, by keeping their internet use 
secure and anonymous. More Tor clients are running on IPv6-only or dual-stack 
networks. But only 20% of Tor’s available relay bandwidth supports IPv6. We 
want to automate relay IPv6 address discovery and reachability checks, so that 
it is easier for relay operators to run IPv6 relays.
+
+---
+description: 
+
+Students may choose to focus on designing and implementing core features, tor 
relay testing, reporting statistics, or diagnosing and fixing bugs.
+
+
+## Prerequisites
+
+* Network configuration skills
+* Basic understanding of Internet Protocol (IP) versions
+
+Recommended:
+
+* Experience testing network software
+* Experience running Internet-connected servers
+
+## Links/Resources
+
+https://trac.torproject.org/projects/tor/wiki/TorRelayGuide#IPv6
+
+https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/IPv6Features#ReachabilityChecks
+
+## Programming skills needed:
+
+* C coding
+* Building Unix-based software
+
+Recommended:
+
+* Experience with network programming
diff --git a/content/gsoc/tor-weather/contents.lr 
b/content/gsoc/tor-weather/contents.lr
index 9c7faa6..3bc6714 100644
--- a/content/gsoc/tor-weather/contents.lr
+++ b/content/gsoc/tor-weather/contents.lr
@@ -22,9 +22,69 @@ title: Tor Weather
 ---
 summary:
 
-Summary of project
+Tor Weather is the most efficient way to achieve and maintain a healthy Tor 
network on the long run.
 
 ---
 description: 
 
-Longer description
+Tor Weather was [discontinued on 
2016-04-04](https://lists.torproject.org/pipermail/tor-relays/2016-April/009009.html),
 however "Tor Weather is still a good idea, it just needs somebody to implement 
it."
+
+How Tor Weather looked like:
+​https://web.archive.org/web/20141004055709/https://weather.torproject.org/subscribe/
+
+## Motivation
+
+If a relay disappears today, it is unlikely that anyone will notice or even 
send an email to the operator unless it is a big one.
+
+Relay operators and the entire tor network would benefit from a Tor Weather 
service because it notifies relay operators when the state of their relays 
changed (and more). This will increase the likelihood that relay operators 
notice problems and actually mitigate the problem otherwise there is no "user 
feedback" since tor can cope with disappearing relays quite well.
+
+It also:
+- shows the relay operator that someone actually cares if their relays go down 
or become outdated or have another problem
+- gives the operator relay best-practices information. 
+
+## Expected Effects
+
+If enough operators subscribe to such a service:
+- relays might become more long lived / the churn rate might decrease
+- the fraction of relays running outdated tor versions might decrease
+- the fraction of exits with broken DNS might decrease 
+
+It also has the benefit of being able to contact relay operators:
+- completely automatically
+- even if they choose to not set a public ContactInfo string in their torrc 
files. 
+
+## Ideas for Notification Types
+
+_(sorted by importance)_
+
+Support subscribing via single relay FP or MyFamily groups (should not need 
any subscription change if a relay gets added to the family).
+
+- [ ] Email me when my node is down
+_How long before we send a notification?_
+- [ ] email me when my relay is affected by a security vulnerability
+- [ ] email me when my relay runs an end-of-life version of tor
+- [ ] email me when my relay runs an outdated tor version (note: this should 
depend on the related onionoo bugs to avoid emailing alpha relay people)
+- [ ] email me when my exit relay fails to resolve hostnames (DNS failure)
+- [ ] email me when my relay looses the [ ] stable, [ ] guard, [ ] exit flag
+- [ ] email me when my MyFamily configuration is broken (meaning: non-mutual 
config detected or relay with same contactInfo but no MyFamily)
+- [ ] email me when you detect issues with my relay
+- [ ] email me with suggestions for configuration improvements for my relay 
(only once per improvement)
+- [ ] email me when my relay is on the top [ ] 20 [ ] 50 [ ] 100 relays list
+- [ ] email me with monthly/quarterly status information that includes 
information like what my position in the overall relay list is (sorted by CW), 
how much traffic my relay did during the last month and what fraction of the 
months time your relay was included in consensus as running (this shows 
information on how many % of the months' consensuses this relay has been 
included and running)
+- [ ] aggregate emails for all my relays into a single digest email
+- [ ] email me about new relay requirements
+- [ ] email me about tor relay operator events
+
+
+*Task:* Write a specification describing the meaning of each checkbox 
+
+## Security and Privacy Implications
+
+The service stores email addresses of potential tor relay operators, they 
should be kept private and safeguarded, but a passive observer can collect them 
by watching outbound email traffic if no TLS is used. Suggest to use a 
dedicated email address for this service.
+
+## Additional Ideas
+
+- easy: integration into tor: show the URL pointing to the new Tor Weather 
service like the current link to the lifecycle blogpost when tor starts and 
detects to be a new relay
+- Provide an uptimerobot-style status page for relay operators using onionoo 
data 
+
+




_______________________________________________
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits