nickm's blog

Hi! I recently wrote up a status report for the progress we're making on hacking Libevent, and I thought I'd post it here too.

BACKGROUND

Tor currently uses Libevent for its high-performance networking calls. Libevent is a software library originally written by Niels Provos (then of UMichigan, now of Google), and now co-developed by Niels Provos and the Tor Project's Nick Mathewson. Its purpose is to provide consistent fast interfaces to various operating systems' mutually incompatible fast networking facilities. Libevent gives applications two basic interfaces to these networking layers: a low-level interface where the application is notified when an operation (like a network read or write) is ready to begin, and a higher-level interface where Libevent itself manages network operations and the application is notified when the network operations are completed. read more »

As of 7 January, we're down to 0 issues on Coverity Scan. This is great news!

In case you haven't heard of them, Coverity makes top-of-the-line static analysis tools (programs that analyse other programs looking for possible bugs). They're a big serious company, with a serious "enterprise" pricing structure. But, fortunately to us, they have a program to provide the use of these tools, free of charge, to selected open source projects. They've been scanning development snapshots of Tor for bugs since last September.

In September, they found 171 issues in our code. Many of these were just sloppiness in our unit tests' error handing, but a good fraction were real bugs in our main codebase, a couple of which could have resulted in crashes under unusual circumstances that probably would have been hard to debug. By December, we were down to 15 issues. Now we're at 0, at long last. read more »

Today, a team of security researchers and cryptographers gave a talk at the 25th Chaos Communication Congress (25C3), about a nifty attack against X.509 certificates generated using the MD5 digest algorithm. We figured that people will ask us about how this attack affects Tor, so I'm writing an answer in advance.

The short version: This attack doesn't affect Tor.

The medium version: This attack doesn't affect Tor, since Tor doesn't ever use MD5 certificates, and since Tor doesn't care what certificate authorities say. On the other hand, this attack probably does affect your browser. Check your browser vendor for updates over the next few days and weeks, and make sure you install them. read more »

Once again, with sponsorship from the amazing folks at the EFF, the Tor Project has been accepted as a mentoring organization in Google's Summer of Code. This program funds students to work on open source and free software projects over the summer, and provides organizations like ours with a chance to work with great and enthusiastic coders from around the world.

Many thanks first to Google for the opportunity, and to EFF for their continuing help and support. We'd also like to thanks everyone in the Tor community who agreed to help mentor students with us this summer, especially those who contributed to our project ideas list.

If you're a student interested in working with the Tor Project under the Google Summer of Code program this year, please check out Google's FAQ for the program, and the Tor Project's GSoC 2008 page for more information. If you have any questions that aren't answered there, just stop by our IRC channel and ask. We look forward to seeing you there!

Also, be sure to check out the other great organizations who will be mentoring students this year.

Hi, folks! I'm in the San Francisco area for the week, so I thought it would be good to have an impromptu meetup for Tor users, operators, and enthusiasts. So if that's you, and if you're in town, and you'd like to chat, hang out, or whatever, stop on by. I'll try to hang around for a couple of hours at least.
When: 7pm, Thursday.
Where: the Sugarlump Coffee Lounge, at 2862 24th St, at Bryant.
I hope you can make it!