Here is the September report for SponsorF Year4: https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4 (With thanks to Lunar for compiling much of it!)
------------------------------------------------------------------------
1) Tor: performance, scalability, reachability, anonymity, security.

- We released Tor 0.2.5.7-rc, the first release candidate in the
  0.2.5.x series, on September 11th. This version fixes several
  regressions from earlier in the 0.2.5.x release series, as well as
  some long-standing bugs related to ORPort reachability testing and
  failure to send CREATE cells.
  https://lists.torproject.org/pipermail/tor-talk/2014-September/034740.html

- We released Tor 0.2.5.8-rc on September 22nd. It fixes a bug that
  affects consistency and speed when connecting to hidden services, and
  it updates the location of one of the directory authorities. Pending
  any bad surprises, this should be the last version before declaring
  Tor 0.2.5.x stable.
  https://lists.torproject.org/pipermail/tor-talk/2014-September/034937.html

- We updated the current stable branch to Tor 0.2.4.24, also on
  September 22nd, fixing the same issues as Tor 0.2.5.8-rc did, as well
  as updating the GeoIP database.
  https://lists.torproject.org/pipermail/tor-talk/2014-September/034937.html

- Tim reported on progress made towards a fuzzer for Tor, based on the
  Tor research framework previously announced by Gareth Owen.
  https://lists.torproject.org/pipermail/tor-dev/2014-September/007471.html

- George Kadianakis continued work on the "guardfraction" part of
  proposal 236. After an initial implementation and a first round of
  feedback, the code is getting closer to being integrated.
  https://lists.torproject.org/pipermail/tor-dev/2014-September/007489.html
  https://bugs.torproject.org/13125
  https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/236-single-guard-node.txt

------------------------------------------------------------------------
2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- Yawning Angel released a new set of experimental Tor Browser builds
  containing the proposed obfs4 pluggable transport.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007420.html

- We've asked bridge operators to help the deployment of obfs4 bridges.
  We also now have a Debian package too.
  https://lists.torproject.org/pipermail/tor-relays/2014-September/005372.html

- meek can now route traffic through Microsoft Azure cloud service as an
  alternative to Google AppEngine and Amazon EC2.
  https://lists.torproject.org/pipermail/tor-dev/2014-September/007525.html

- David Fifield gave an overview of meek's costs for September 2014.
  It's still under the $10 mark.
  https://lists.torproject.org/pipermail/tor-dev/2014-October/007576.html

- Arturo and others are working on bridge reachability testing via ooni:
  https://trac.torproject.org/projects/tor/ticket/12545
  https://lists.torproject.org/pipermail/tor-reports/2014-October/000671.html

------------------------------------------------------------------------
3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support in
TBB.

- We released Tor Browser 3.6.5 and 4.0-alpha-2 on September 2nd. Among
  the major changes, version 3.6.5 upgrades Firefox to 24.8.0esr, and
  includes an improved prompt to help users defend against HTML5 canvas
  image fingerprinting. Version 4.0-alpha-2 additionally includes the
  code for the forthcoming Tor Browser secure-updater and better
  hardening for Windows and Linux builds.
  https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released

- Tor Browser 3.6.6 and 4.0-alpha-3 were announced on September 25th.
  Both include Firefox security updates and fixes for an intermittent
  deadlock during startup, and now prevent intermediate SSL certificates
  from being written to disk. The alpha series also resolves several
  issues with the upcoming Tor Browser secure-updater.
  https://blog.torproject.org/blog/tor-browser-366-released
  https://blog.torproject.org/blog/tor-browser-40-alpha-3-released

- Tails 1.1.1 was released on September 2nd, upgrading key components
  like Tor, Iceweasel, and Linux. This release disables I2P by default
  when Tails is booted to reduce the attack surface after a
  vulnerability was discovered and fixed in I2P.
  https://tails.boum.org/news/version_1.1.1/

- Tails 1.1.2 was subsequently released on the 26th to push out security
  fixes for a flaw in certificate verification in the NSS library, and
  others for APT, bash, and GnuPG.
  https://tails.boum.org/news/version_1.1.2/

- The Tails team has started to produce test versions based on the next
  Debian release, Jessie, which will be frozen on November 5th.
  https://mailman.boum.org/pipermail/tails-testers/2014-September/000071.html

- Nathan Freitas released Orbot 14.0.8 and then 14.0.8.1. The latter
  includes Tor 0.2.5.7-rc. These versions bring fixes for
  transproxy/iptables settings, an issue with airplane mode, and
  improvements for transparent proxying.
  https://lists.mayfirst.org/pipermail/guardian-dev/2014-September/003752.html
  https://lists.mayfirst.org/pipermail/guardian-dev/2014-September/003773.html

- Anthony G. Basile released version 20140925 of tor-ramdisk, with
  updates to Tor, BusyBox, OpenSSL, and the Linux kernel.
  https://lists.torproject.org/pipermail/tor-talk/2014-September/034950.html

- Patrick Schleizer announced the release of version 9 of Whonix, an
  anonymous operating system based on Tor, Debian, and
  security-by-isolation.
  https://lists.torproject.org/pipermail/tor-talk/2014-September/034909.html

------------------------------------------------------------------------
4) Metrics: provide safe but useful statistics, along with the
underlying data, about the Tor network and its users and usage.

- A new graph now displays the usage of all pluggable transports with
  different colors for each transport.
  https://bugs.torproject.org/12432
  https://metrics.torproject.org/users.html?graph=userstats-bridge-transport#userstats-bridge-transport

- A new mailing list has been created for important announcements to
  users of the Onionoo API.
  https://lists.torproject.org/cgi-bin/mailman/listinfo/onionoo-announce

- Onionoo documents now include a version number, which should help
  transitions for Onionoo clients in the future.
  https://lists.torproject.org/pipermail/onionoo-announce/2014/000000.html

- Several improvements are being made to enhance the quality of the
  codebase of metrics-lib and Onionoo.
  https://bugs.torproject.org/12882
  https://bugs.torproject.org/11573
  https://bugs.torproject.org/13080
  https://bugs.torproject.org/12868

- The Onionoo front-end is now monitored by Tor's Nagios instance. This
  step is important since when Onionoo falls over, Atlas, Globe, and
  other front-end services break.

- To better understand hidden services, Roger Dingledine asked relay
  operators to consider running a Tor branch that collects statistics
  about number of circuits and number of cells the relay sees that have
  to do with exiting, with hidden services, and with circuits where the
  relay is not the final hop. Initial results indicate that hidden
  service traffic is a tiny fraction of overall Tor network traffic.
  https://lists.torproject.org/pipermail/tor-relays/2014-September/005352.html
  https://trac.torproject.org/projects/tor/ticket/13192

------------------------------------------------------------------------
5) Outreach: teach a broad range of communities about how Tor works, why
it's important, and why this broad range of user communities is needed
for best safety.

- Roger Dingledine continued discussion on his blog post about how the
  growing number of websites blocking Tor is a threat to all Tor users
  and what could be done about it.
  https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users

- April Glaser and Alison Macrina published an article for BoingBoing on
  efforts by Massachusetts librarians to guarantee their patrons' right
  to access information without fear of surveillance or censorship
  through usage of Tor and Tails.
  http://boingboing.net/2014/09/13/radical-librarianship-how-nin.html

- The EFF has ended its 2014 Tor Challenge. 1635 Tor relays (including
  326 exit relays) were started up or increased their capacity as part
  of the challenge.
  https://www.eff.org/deeplinks/2014/09/tor-challenge-inspires-1635-tor-relays

------------------------------------------------------------------------
6) Research: Assist the academic community in analyzing/improving Tor.

- Roger Dingledine wrote up a walkthrough of the controller events
  emitted when accessing a Tor hidden service.
  https://trac.torproject.org/projects/tor/wiki/doc/TorControlPortWalkthrough-HS

- Otto Huhta posted a thesis paper examining an attack that links
  different Tor circuits back to the same user, using only information
  available to a Tor middle node. It still needs more attention from the
  Tor research community.
  http://www0.cs.ucl.ac.uk/staff/G.Danezis/students/Huhta14-UCL-Msc.pdf

- It's becoming increasingly clear that our 'bwauth' scripts to measure
  and readjust load on the Tor network are not handling the change in
  capacity in the network. That is, relays are increasingly not getting
  accurate bandwidth weights in the consensus. Somebody should work on
  improved measurement algorithms, perhaps including robustness to
  various attacks while we're at it. I've talked to (and helped) several
  research groups who are looking into the question.

_______________________________________________
tor-reports mailing list
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
