Here is the February report for SponsorF Year4: https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4 (With much thanks to Lunar for compiling the first drafts!)

------------------------------------------------------------------------
1) Tor: performance, scalability, reachability, anonymity, security.

- We released Tor 0.2.5.2-alpha on February 13. It incorporates all the
  fixes from 0.2.4.18-rc and 0.2.4.20, like the "poor random number
  generation" fix and the "building too many circuits" fix. This release
  brings with it several new features of its own, among them the forced
  inclusion of at least one relay capable of the NTor handshake in every
  three-hop circuit, which should reduce the chance that we're building
  a circuit that's worth attacking by an adversary who finds breaking
  1024-bit crypto doable.
  https://lists.torproject.org/pipermail/tor-talk/2014-February/032150.html

- We released Tor 0.2.4.21 on February 28. It further improves security
  against potential adversaries who find breaking 1024-bit crypto doable,
  and backports several stability and robustness patches from the 0.2.5
  branch.
  https://lists.torproject.org/pipermail/tor-talk/2014-March/032242.html

- Nick Mathewson wrote a Python script to convert the new MaxMind GeoIP2
  binary database to the format used by Tor for its geolocation database:
  https://github.com/nmathewson/mmdb-convert

- George et al. discussed a key revocation mechanism for hidden services:
  https://lists.torproject.org/pipermail/tor-dev/2014-January/006146.html
  Nick Hopper suggested a scheme that uses multiple hidden service
  directories to cross-certify their revocation lists:
  https://lists.torproject.org/pipermail/tor-dev/2014-January/006149.html

- Nick Mathewson wrote proposal 227, meant to extend the Tor consensus
  document to include digests of the latest versions of one or more
  package files, to allow software using Tor to determine its
  up-to-dateness, and help users verify that they are getting the
  correct software:
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006230.html

- During the winter dev meeting a discussion outlined several
  improvements to anonymity issues related to Guard nodes:
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting/notes/GuardDesign

------------------------------------------------------------------------
2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- We released obfsproxy 0.2.6 on February 3rd. It adds ScrambleSuit to
  the set of available pluggable transports:
  http://www.cs.kau.se/philwint/scramblesuit/
  Bridge operators have been asked to update their software and
  configuration:
  https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html
  There are around 250 bridges which already support ScrambleSuit. But
  we also found a bug in the protocol which will necessitate upgrades:
  https://trac.torproject.org/projects/tor/ticket/11100

- George wrote a guide on how Tor manages pluggable transports, both on
  the server side and on the client side, with an eye toward other
  projects using pluggable transports:
  https://lists.torproject.org/pipermail/tor-talk/2014-January/031984.html

- "Yawning Angel" has continued writing obfsclient, a C++ pluggable
  transport client:
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006211.html

- George described several ways in which the existing obfsproxy code
  could be reworked to support a DNS-based pluggable transport:
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006250.html

- "Yawning Angel" has submitted a draft of a proposal to extend the
  SOCKS5 protocol when communicating with pluggable transports to allow
  passing more per-bridge meta-data to the transport and returning more
  meaningful connection failure response codes back to Tor:
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006300.html

------------------------------------------------------------------------
3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support in
TBB.

- Two releases of the Tor Browser Bundle happened on February 10th and
  February 15th. Version 3.5.2 brings Tor users important security fixes
  from Firefox and contains fixes to the "new identity" feature, window
  size rounding, and the welcome screen with right-to-left language,
  among others:
  https://blog.torproject.org/blog/tor-browser-352-released
  Then version 3.5.2.1 fixed a bug in the localization of the browser
  interface:
  https://blog.torproject.org/blog/tor-browser-3521-released

- Mike Perry wrote a summary of TBB work in February:
  https://lists.torproject.org/pipermail/tor-reports/2014-March/000473.html

- The Tails team has released version 0.22.1 of the Debian-based Tor
  live system on February 5th. The new release contains security fixes
  to Firefox, NSS, and Pidgin, an updated Linux kernel, several fixes
  for regressions and small issues, and turns on the default usage of
  the integrated upgrader:
  https://tails.boum.org/news/version_0.22.1/

- The Tails team summarized the work they have done in January:
  https://tails.boum.org/news/report_2014_01/

- David Fifield has created an experimental bundle for testers with
  tor-fw-helper and flashproxy:
  https://lists.torproject.org/pipermail/tor-qa/2014-February/000324.html
  Then he made a second batch after some initial testing:
  https://lists.torproject.org/pipermail/tor-qa/2014-February/000338.html

- Kevin Dyer wrote a patch to include the Format-Transforming Encryption
  protocol in the Tor Browser Bundle:
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006223.html
  and it looks like FTE will be included by default (but not used by
  default) in TBB 3.6:
  https://bugs.torproject.org/10362

- David Goulet has made progress on the development of Torsocks 2.x, a
  wrapper for Unix-like operating systems that will redirect network
  calls in applications to Tor:
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006172.html

------------------------------------------------------------------------
4) Metrics: provide safe but useful statistics, along with the
underlying data, about the Tor network and its users and usage.

- Karsten Loesing has migrated the Onionoo GeoIP database to newer
  MaxMind databases using Nick Mathewson's mmdb-convert tool.

- We started on providing more detailed information (e.g. platform,
  provided transports) about running bridges:
  https://bugs.torproject.org/10680

------------------------------------------------------------------------
5) Outreach: teach a broad range of communities about how Tor works, why
it's important, and why this broad range of user communities is needed
for best safety.

- Lunar attended the 14th FOSDEM, one of the largest free software
  events in Europe. The project had a small booth shared with Mozilla
  and there was even a relay operator meetup:
  https://lists.torproject.org/pipermail/tor-reports/2014-February/000444.html

- Aaron Gibson presented Tor at the New Media Inspiration 2014
  conference in Prague, Czech Republic:
  http://www.tuesday.cz/akce/new-media-inspiration-2014/

- Colin Childs presented Tor at a CryptoParty, in Winnipeg, Canada:
  http://wiki.skullspace.ca/CryptoParty

- Andrew Lewman talked about Tor and other privacy issues at the Privacy
  SOS CryptoParty at the NorthEastern University in Boston, MA:
  https://lists.torproject.org/pipermail/tor-reports/2014-February/000463.html

- Public events were organized around the winter dev meeting in
  Reykjavik: a Crypto Party joined by many Tor developers, an evening
  talk at Reykjavik University with more than 60 attendees, 15
  journalists for the digital safety training event on Thursday, and
  approximately 55 people participated in the public hack day event on
  Friday.
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting

- Roger also did a 3-hour training for Icelandic law enforcement on the
  Saturday after the dev meeting. It turns out the "IceTor" group runs
  some quite fast exit relays in Iceland:
  https://blog.torservers.net/20140210/reimbursement-report-2014-01.html
  and law enforcement there had forgotten the meeting with Andrew
  several years ago.

- On February 11th, the Tor Project participated in "The Day We Fight
  Back", a global day of mobilization against NSA mass surveillance:
  https://thedaywefightback.org/

- "Bluerasberry" started a proposal for partnership with the Wikimedia
  Foundation. Wikipedia wants to do something nice for Tor, but there's
  a lot of confusion and controversy about what they can actually do
  that would be useful.
  https://meta.wikimedia.org/wiki/Grants:IdeaLab/Partnership_between_Wikimedia_community_and_Tor_community

------------------------------------------------------------------------
6) Research: Assist the academic community in analyzing/improving Tor.

- Nearly 100 different Tor relays have participated in the "The Trying
  Trusted Tor Traceroutes" experiment, which aims to fill in the gaps
  about actual Internet routes that traffic takes between Tor relays:
  https://lists.torproject.org/pipermail/tor-relays/2014-February/003865.html
  http://datarepo.cs.illinois.edu/relay_scoreboard.html

- Roger Dingledine helped Hyoung-Kee Choi and his students diagnose an
  issue with their experiment on the Tor bandwidth scanner:
  https://lists.torproject.org/pipermail/tor-talk/2014-February/032096.html

- Max Jakob Maass published the preliminary results of a test in which
  the RIPE Atlas measurement API was used to retrieve the SSL
  certificate of torproject.org from as many countries as possible in
  order to detect attempted attacks or censorship:
  https://lists.torproject.org/pipermail/tor-talk/2014-February/032173.html

- The CFP for FOCI 2014 (4th Workshop on Free and Open Communications on
  the Internet) is now up:
  https://www.usenix.org/conference/foci14/call-for-papers
