Archive

March 2008 Progress Report

Tor 0.2.0.23-rc (released Mar 24) is the fourth release candidate for the 0.2.0 series. It makes bootstrapping faster if the first directory mirror you contact is down. The bundles also include the new Vidalia 0.1.2 release.
http://archives.seul.org/or/talk/Mar-2008/msg00204.html

Tor 0.2.0.22-rc (released Mar 18) is the third release candidate for the 0.2.0 series. It enables encrypted directory connections by default for non-relays, fixes some broken TLS behavior we added in 0.2.0.20-rc, and resolves many other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
http://archives.seul.org/or/talk/Mar-2008/msg00136.html

Tor 0.2.0.21-rc (released Mar 2) is the second release candidate for the 0.2.0 series. It makes Tor work well with Vidalia again, fixes a rare assert bug, and fixes a pair of more minor bugs. The bundles also include Vidalia 0.1.0 and Torbutton 1.1.16.
http://archives.seul.org/or/talk/Mar-2008/msg00025.html

Torbutton 1.1.16 (released Mar 3) and 1.1.17 (released Mar 15) fix many more potential privacy and identity leaks, mostly based on exploits found by Greg Fleischer, and try to start adding support for Firefox 3.
https://torbutton.torproject.org/dev/CHANGELOG

Vidalia 0.1.0 (released Mar 1), 0.1.1 (released Mar 17), and 0.1.2 (released Mar 24) change the build process from make to cmake, start doing encrypted geoip fetches rather than plaintext geoip fetches, check if the user is running a dangerous or obsolete version of Tor and pop up a window warning them, wait to turn the Vidalia taskbar onion green until Tor reports that it has established a circuit, fold in the patches from Tor Browser Bundle to have Vidalia launch a browser and/or an HTTP proxy, and fix many miscellaneous bugs.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.2/CHANG...

From the Tor 0.2.0.23-rc ChangeLog:

Talking to German police in Stuttgart

In early January after 24C3, I travelled to Stuttgart to meet with the
police there. I spoke to about 30 or 40 investigators. My goal wasn't
to advocate for any particular laws or policies (that's up to them,
after all), but rather to help give them background so they can make
more informed decisions: explain who uses Tor and how it works, and try
to answer any questions that come up. In particular, my goals were to
open a discussion about the data retention laws, and also brainstorm
how German Tor operators and German law enforcement can get along better.

It turns out that the fellow who did the September 2006 seizures was
part of this group, and he was very interested to talk to me and learn
more about Tor.

They explained that the data retention laws *they'd* asked for were
basically that large ISPs should be required to answer them when they
ask who had a given IP address at a given time (data the ISPs already
keep for the most part), and as a bonus, it would be nice if they paid
somebody to answer the requests on weekends too. The law that they got
was way more than that, and they don't need or want most of it.

The Tor Project is in Google Summer of Code 2008!

Once again, with sponsorship from the amazing folks at the EFF, the Tor Project has been accepted as a mentoring organization in Google's Summer of Code. This program funds students to work on open source and free software projects over the summer, and provides organizations like ours with a chance to work with great and enthusiastic coders from around the world.

Many thanks first to Google for the opportunity, and to EFF for their continuing help and support. We'd also like to thank everyone in the Tor community who agreed to help mentor students with us this summer, especially those who contributed to our project ideas list.

If you're a student interested in working with the Tor Project under the Google Summer of Code program this year, please check out Google's FAQ for the program, and the Tor Project's GSoC 2008 page for more information. If you have any questions that aren't answered there, just stop by our IRC channel and ask. We look forward to seeing you there!

Also, be sure to check out the other great organizations who will be mentoring students this year.

February 2008 Progress Report

Tor 0.2.0.20-rc (released Feb 24) is the first release candidate for the 0.2.0 series. It makes more progress towards normalizing Tor's TLS handshake, makes hidden services work better again, helps relays bootstrap if they don't know their IP address, adds optional support for linking in OpenBSD's allocator or tcmalloc, allows really fast relays to scale past 15000 sockets, and fixes a bunch of minor bugs reported by Veracode.
http://archives.seul.org/or/talk/Feb-2008/msg00279.html

Tor 0.2.0.19-alpha (released Feb 9) makes more progress towards normalizing Tor's TLS handshake, makes path selection for relays more secure and IP address guessing more robust, and generally fixes a lot of bugs in preparation for calling the 0.2.0 branch stable.
http://archives.seul.org/or/talk/Feb-2008/msg00134.html

Torbutton 1.1.13 (released Feb 1), 1.1.14 (released Feb 24), and 1.1.15 (released Feb 26) fix many more potential privacy and identity leaks, mostly based on exploits found by Greg Fleischer. They also add support for automatic updates via the usual Firefox extension upgrade approach.
https://torbutton.torproject.org/dev/CHANGELOG

Work continued toward the upcoming Vidalia 0.1.0 release (which came out March 1): support for launching Firefox and Polipo as supporting applications; support for learning from Tor when the first circuit is ready so it can inform the user; and many other bugfixes including a few security fixes.
http://trac.vidalia-project.net/browser/vidalia/releases/vidalia-0.1.0/C...

The Tor 0.2.0.19-alpha release contained many security-related cleanups based on an anonymously submitted code review from a static analysis tool. The Tor 0.2.0.20-rc release contained even more security-related cleanups, based on an external security analysis and audit by Veracode. Hopefully cleanups at this stage will reduce the number of times we need to push out an urgent new stable "0.2.0" release for security reasons.

Isaac Mao elected as one of our new directors

In Tor's annual board meeting in January, we added Isaac Mao to our board of directors. Isaac is a well-known blogger, especially among the Chinese blogging community, and adding him is the first part of our push to make the Tor board (and The Tor Project in general) more international in scope and awareness.

Isaac will take over Rebecca MacKinnon's spot on the board, though Rebecca is planning to stick around and continue helping with advice about how to interact with the media and Tor's role in society, especially in Asia. Isaac has a lot of ideas about how to make Tor easier to use and how to get the word out to all the different groups that need it. We're looking forward to working with him!

January 2008 Progress Report

Tor 0.2.0.18-alpha (released Jan 25) adds a sixth v3 directory authority run by CCC, fixes a big memory leak in 0.2.0.17-alpha, and adds new config options that can warn or reject connections to ports generally associated with vulnerable-plaintext protocols.
http://archives.seul.org/or/talk/Jan-2008/msg00442.html

Tor 0.2.0.16-alpha and 0.2.0.17-alpha (released Jan 17) add a fifth v3 directory authority run by Karsten Loesing, and generally clean up a lot of features and minor bugs.
http://archives.seul.org/or/talk/Jan-2008/msg00254.html

Tor 0.1.2.19 (released Jan 17) fixes a huge memory leak on exit relays, makes the default exit policy a little bit more conservative so it's safer to run an exit relay on a home system, and fixes a variety of smaller issues.
http://archives.seul.org/or/announce/Jan-2008/msg00000.html

We continued work on the "BridgeDB" module: the major progress in January was improving the robustness of the email subsystem so it is better at detecting forged mails that claim to be from Gmail but are actually from elsewhere.

Work continued toward the upcoming Torbutton 1.1.13 release (which came out Feb 1). This new release has several significant security-related fixes:
https://torbutton.torproject.org/dev/CHANGELOG

Work continued toward the upcoming Vidalia 0.1.0 release: support for launching Firefox and Polipo as supporting applications; support for learning from Tor when the first circuit is ready so it can inform the user; and many other bugfixes including a few security fixes:
http://trac.vidalia-project.net/browser/vidalia/trunk/CHANGELOG

We added a "How do I find a bridge?" link and corresponding help text to Vidalia's 'Network' settings page.

From the Tor 0.2.0.16-alpha ChangeLog:
“Do not try to download missing certificates until we have tried to check our fallback consensus.” This change gets us closer to being able to bootstrap without ever needing to contact the central directory authorities.

Media coverage of "Covert channel vulnerabilities in anonymity systems"

Over the past few days there has been some coverage of my PhD thesis, and its relationship to Tor, on blogs and online news sites. It seems like this wave started with a column by Russ Cooper, which triggered articles in PC World and Dark Reading. The media attention came as a bit of a surprise to me, since nobody asked to interview me over this. I'd encourage other journalists writing about Tor to contact someone from the project as we're happy to help give some context.

My thesis is a fairly diverse collection of work, but the articles emphasize the impact of the attacks I discuss on users of anonymity networks like Tor. Actually, my thesis doesn't aim to show that Tor is insecure; the reason I selected Tor as a test case was that it's one of the few (and by far the largest) low-latency systems that aim to stand up to observation. Other, simpler, systems have comparatively well understood weaknesses, and so there is less value in researching them.

Quantifying the security of anonymity systems is a difficult question and still being actively worked on. Comparing different systems is even harder since they make different assumptions on the capabilities of attackers (the “threat model”). The mere chance of attacks doesn't indicate that a system is insecure, since they might make assumptions about the environment that are not met, or are insufficiently reliable for the scenario being considered.

The actual goal of my thesis was to try to better understand the strengths and weaknesses of systems like Tor, but more importantly also to suggest a more general methodology for discovering and resolving flaws. I proposed that the work from the well-established field of covert channels could be usefully applied, and used examples, including Tor, to justify this.

There remains much work to be done before it's possible to be sure how secure anonymity systems are, but hopefully this framework will be a useful one in moving forward. Since I joined the Tor project in September 2007, I hope I'll also help in other ways too.

Tor meetup in San Francisco, 7pm this Thursday

Hi, folks! I'm in the San Francisco area for the week, so I thought it would be good to have an impromptu meetup for Tor users, operators, and enthusiasts. So if that's you, and if you're in town, and you'd like to chat, hang out, or whatever, stop on by. I'll try to hang around for a couple of hours at least.
When: 7pm, Thursday.
Where: the Sugarlump Coffee Lounge, at 2862 24th St, at Bryant.
I hope you can make it!