enhancements

New Stable Version 0.2.1.24 released

phobos — Wed, 03 Mar 2010 12:14:34 -0800

Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work again on the latest OS X, and updates the location of a directory authority.

Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time for sure!

The Windows and OS X bundles also come with a newer version of Polipo that fixes some stability and security problems.

People using Tor as a client should upgrade:
https://www.torproject.org/easy-download

Changes in version 0.2.1.23 - 2010-02-13
Major bugfixes (performance):

We were selecting our guards uniformly at random, and then weighting which of our guards we'd use uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.

Major bugfixes:

Make Tor work again on the latest OS X: when deciding whether to use strange flags to turn TLS renegotiation on, detect the OpenSSL version at run-time, not compile time. We need to do this because Apple doesn't update its dev-tools headers when it updates its libraries in a security patch.
Fix a potential buffer overflow in lookup_last_hid_serv_request() that could happen on 32-bit platforms with 64-bit time_t. Also fix a memory leak when requesting a hidden service descriptor we've requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found by aakova.

Minor bugfixes:

Refactor resolve_my_address() to not use gethostbyname() anymore. Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.

Minor features:

Avoid a mad rush at the beginning of each month when each client rotates half of its guards. Instead we spread the rotation out throughout the month, but we still avoid leaving a precise timestamp in the state file about when we first picked the guard. Improves over the behavior introduced in 0.1.2.17.

Changes in version 0.2.1.24 - 2010-02-21
Minor bugfixes:

Work correctly out-of-the-box with even more vendor-patched versions of OpenSSL. In particular, make it so Debian and OS X don't need customized patches to run/build.

January 2010 Progress Report

phobos — Sat, 13 Feb 2010 08:00:04 -0800

New releases, new hires, new funding
On January 19, 2010 we released the latest in the -stable series, Tor 0.2.1.22-stable.
Tor 0.2.1.22 fixes a critical privacy problem in bridge directory authorities -- it would tell you its whole history of bridge descriptors if you make the right directory request. This stable update also rotates two of the seven v3 directory authority keys and locations.
Directory authority changes:

Rotate keys (both v3 identity and relay identity) for moria1 and gabelmoo.

Major bugfixes:

Stop bridge directory authorities from answering dbg-stability.txt directory queries, which would let people fetch a list of all bridge identities they track. Bugfix on 0.2.1.6-alpha.

On January 19, 2010, we released the latest in the -alpha series, Tor 0.2.2.7-alpha.
Tor 0.2.2.7-alpha fixes a huge client-side performance bug, as well as laying the groundwork for further relay-side performance fixes. It also starts cleaning up client behavior with respect to the EntryNodes, ExitNodes, and StrictNodes config options. This release also rotates two directory authority keys, due to a security breach of some of the Torproject servers.
Directory authority changes:

Rotate keys (both v3 identity and relay identity) for moria1 and gabelmoo.

Major features (performance):

We were selecting our guards uniformly at random, and then weighting which of our guards we’d use uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
When choosing which cells to relay first, relays can now favor circuits that have been quiet recently, to provide lower latency for low-volume circuits. By default, relays enable or disable this feature based on a setting in the consensus. You can override this default by using the new "CircuitPriorityHalflife" config option. Design and code by Ian Goldberg, Can Tang, and Chris Alexander.
Add separate per-conn write limiting to go with the per-conn read limiting. We added a global write limit in Tor 0.1.2.5-alpha, but never per-conn write limits.
New consensus params "bwconnrate" and "bwconnburst" to let us rate-limit client connections as they enter the network. It’s controlled in the consensus so we can turn it on and off for experiments. It’s starting out off. Based on proposal 163.

Major features (relay selection options):

Switch to a StrictNodes config option, rather than the previous "StrictEntryNodes" / "StrictExitNodes" separation that was missing a "StrictExcludeNodes" option.

If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes change during a config reload, mark and discard all our origin circuits. This fix should address edge cases where we change the config options and but then choose a circuit that we created before the change.

If EntryNodes or ExitNodes are set, be more willing to use an unsuitable (e.g. slow or unstable) circuit. The user asked for it, they get it.

Make EntryNodes config option much more aggressive even when StrictNodes is not set. Before it would prepend your requested entrynodes to your list of guard nodes, but feel free to use others after that. Now it chooses only from your EntryNodes if any of those are available, and only falls back to others if a) they’re all down and b) StrictNodes is not set.

Now we refresh your entry guards from EntryNodes at each consensus fetch -- rather than just at startup and then they slowly rot as the network changes.

Major bugfixes:

Stop bridge directory authorities from answering dbg-stability.txt directory queries, which would let people fetch a list of all bridge identities they track. Bugfix on 0.2.1.6-alpha.

Minor features:

Log a notice when we get a new control connection. Now it’s easier for security-conscious users to recognize when a local application is knocking on their controller door. Suggested by bug 1196.
New config option "CircuitStreamTimeout" to override our internal timeout schedule for how many seconds until we detach a stream from a circuit and try a new circuit. If your network is particularly slow, you might want to set this to a number like 60.
New controller command "getinfo config-text". It returns the contents that Tor would write if you send it a SAVECONF command, so the controller can write the file to disk itself.
New options for SafeLogging to allow scrubbing only log messages generated while acting as a relay.
Ship the bridges spec file in the tarball too.
Avoid a mad rush at the beginning of each month when each client rotates half of its guards. Instead we spread the rotation out throughout the month, but we still avoid leaving a precise timestamp in the state file about when we first picked the guard. Improves over the behavior introduced in 0.1.2.17.

Minor bugfixes (compiling):

Fix compilation on OS X 10.3, which has a stub mlockall() but hides it. Bugfix on 0.2.2.6-alpha.
Fix compilation on Solaris by removing support for the DisableAllSwap config option. Solaris doesn’t have an rlimit for mlockall, so we cannot use it safely. Fixes bug 1198; bugfix on 0.2.2.6-alpha.

Minor bugfixes (crashes):

Do not segfault when writing buffer stats when we haven’t observed a single circuit to report about. Found by Fabian Lanze. Bugfix on 0.2.2.1-alpha.
If we’re in the pathological case where there’s no exit bandwidth but there is non-exit bandwidth, or no guard bandwidth but there is non-guard bandwidth, don’t crash during path selection. Bugfix on 0.2.0.3-alpha.
Fix an impossible-to-actually-trigger buffer overflow in relay descriptor generation. Bugfix on 0.1.0.15.

Minor bugfixes (privacy):

Fix an instance where a Tor directory mirror might accidentally log the IP address of a misbehaving Tor client. Bugfix on 0.1.0.1-rc.
Don’t list Windows capabilities in relay descriptors. We never made use of them, and maybe it’s a bad idea to publish them. Bugfix on 0.1.1.8-alpha.

Minor bugfixes (other):

Resolve an edge case in path weighting that could make us misweight our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
Fix statistics on client numbers by country as seen by bridges that were broken in 0.2.2.1-alpha. Also switch to reporting full 24-hour intervals instead of variable 12-to-48-hour intervals.
After we free an internal connection structure, overwrite it with a different memory value than we use for overwriting a freed internal circuit structure. Should help with debugging. Suggested by bug 1055.
Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m too.

Removed features:

Remove the HSAuthorityRecordStats option that version 0 hidden service authorities could have used to track statistics of overall hidden service usage.

On January 19, 2010, we released an updated Tor Browser Bundle, version 1.3.1.

update Firefox to 3.5.7
update Pidgin to 2.6.5
update Tor to 0.2.1.22

On January 25, 2010, we released Vidalia 0.2.7.

Remove the explicit palette set for the configuration dialog that prevented the dialog from inheriting colors from the user’s current system theme. (Ticket #485. Patch from mkirk.)
Correct the path to the badge pixmap used in time skew warning messages. (Ticket #537. Patch from mkirk.)
Fix compilation on Debian GNU/kFreeBSD. Patch from dererk.
Clean up a couple status event messages related to dangerous port warnings.
Change the vidalia_ru.nsh output encoding from KOI8-R to Windows-1251. (Ticket #527)
Add an option for building an OS X 10.4 compatible binary.

On January 26, 2010, we released an updated -alpha, Tor 0.2.2.8-alpha.
Major bugfixes:

Fix a memory corruption bug on bridges that occured during the inclusion of stats data in extra-info descriptors. Also fix the interface for geoip_get_bridge_stats* to prevent similar bugs in the future. Diagnosis by Tas, patch by Karsten and Sebastian. Fixes bug 1208; bugfix on 0.2.2.7-alpha.

Minor bugfixes:

Ignore OutboundBindAddress when connecting to localhost. Connections to localhost need to come _from_ localhost, or else local servers (like DNS and outgoing HTTP/SOCKS proxies) will often refuse to listen.

Design, develop, and implement enhancements that make Tor a better tool for users in censored countries.
Submitted Proposal 169. A backward-compatible change to the Tor connection establishment protocol to avoid the use of TLS renegotiation. In response to others using TLS renegotiation incorrectly, vendors are pulling support for TLS renegotiation. As TLS renegotiation disappears from the Internet, Tor’s use of it will stand out. In order to blend in with the crowd, we need to remove TLS renegotiation from the Tor protocol. The full spec can be found at http://gitweb.torproject.org//tor.git?a=blob;f=doc/spec/proposals/169-el....

Architecture and technical design docs for Tor enhancements related to blocking-resistance.
Submitted Proposal 169. A backward-compatible change to the Tor connection establishment protocol to avoid the use of TLS renegotiation. In response to others using TLS renegotiation incorrectly, vendors are pulling support for TLS renegotiation. As TLS renegotiation disappears from the Internet, Tor’s use of it will stand out. In order to blend in with the crowd, we need to remove TLS renegotiation from the Tor protocol. The full spec can be found at http://gitweb.torproject.org//tor.git?a=blob;f=doc/spec/proposals/169-el....

Hide Tor’s network signature.
Submitted Proposal 169. A backward-compatible change to the Tor connection establishment protocol to avoid the use of TLS renegotiation. In response to others using TLS renegotiation incorrectly, vendors are pulling support for TLS renegotiation. As TLS renegotiation disappears from the Internet, Tor’s use of it will stand out. In order to blend in with the crowd, we need to remove TLS renegotiation from the Tor protocol. The full spec can be found at http://gitweb.torproject.org//tor.git?a=blob;f=doc/spec/proposals/169-el....

Grow the Tor network and user base. Outreach.

Paul, Karsten, and Roger attended Financial Cryptography and Data Security 2010 Conference. Roger Dingledine presented a paper he had written with Tsuen-Wan Ngan and Dan Wallach on “Building Incentives into Tor”. This paper won Best Paper Award at the conference. Learn more at http://fc10.ifca.ai/.
Karsten and Roger attended the Workshop on Ethics in Computer Security Research, http://www.cs.stevens.edu/~spock/wecsr2010/. They presented “A Case Study on Measuring Statistical Data in the Tor Anonymity Network.”
Andrew attended the Internet Freedom speech by Secretary of State Clinton, http://www.state.gov/secretary/rm/2010/01/135519.htm.
Roger and Jacob discussed Tor with the Pirate Party of Sweden.
Jacob met with NorduNet to discuss their bandwidth authority and how to help Tor grow in the NorduNet, http://www.nordu.net.
Jacob and Wikileaks people met with policymakers in Iceland to discuss freedom of speech, freedom of press, and that online privacy should be a fundamental right.
Roger, Karen, and Andrew met with CDT, Internews, and BBG to discuss various topics.
Andrew was interviewed for 90 minutes by vbs.tv about Tor, online anonymity and privacy, and the increasing usage of Tor as a censorship circumvention tool. vbs.tv will release the interview in 2010.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.

On January 19, 2010, we released an updated Tor Browser Bundle, version 1.3.1.

update Firefox to 3.5.7
update Pidgin to 2.6.5
update Tor to 0.2.1.22

Bridge relay and bridge authority work.
From the Tor 0.2.2.8-alpha release notes;
Fix a memory corruption bug on bridges that occurred during the inclusion of stats data in extra-
info descriptors. Also fix the interface for geoip get bridge stats to prevent similar bugs in the
future. Diagnosis by Tas, patch by Karsten and Sebastian. Fixes bug 1208; bugfix on 0.2.2.7-
alpha.
Roger and Christian defined a roadmap for bridgedb updates, scalability, and bugfixes. The plan can be found at http://gitweb.torproject.org//bridgedb.git?a=blob_plain;f=TODO;hb=HEAD

Scalability, load balancing, directory overhead, efficiency.
From the 0.2.2.7-alpha release notes:
We were selecting our guards uniformly at random, and then weighting which of our guards we’duse uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
When choosing which cells to relay first, relays can now favor circuits that have been quiet recently, to provide lower latency for low-volume circuits. By default, relays enable or disable this feature based on a setting in the consensus. You can override this default by using the new “CircuitPriorityHalflife” configuration option. Design and code by Ian Goldberg, Can Tang, and Chris Alexander.
Mike Perry implemented consensus parameters for the Circuit Build Times constants and found good defaults based on experimentation on a few simulated links. The simulations seem to indicate that tor does really poorly on links with greater than 1 second of latency. Mike wrote up his findings at http://archives.seul.org/or/dev/Jan-2010/msg00012.html. Mike’s work on circuit build times should improve tor client performance as the clients pick new guard nodes and learn better circuit build times.

More reliable (e.g. split) download mechanism.
Enhanced get-tor to handle Apple OS X split files.

Translation work, ultimately a browser-based approach.
Updated translations via the translation portal for Chinese, Norwegian, Russian, Dutch, French,
Polish, Swedish, Italian, German, Spanish, Burmese, and Turkish languages.

December 2009 Progress Report

phobos — Sat, 13 Feb 2010 07:35:12 -0800

New releases, new hires, new funding
Erinn Clark joins Tor to develop, enhance, and upgrade our package build system. Her initial goals are to configure, maintain, and automate builds of tor and vidalia for Windows, OS X, ubuntu, debian, centos, fedora, and opensuse systems. Secondary goals are to develop a builtbot system that includes as many disparate operating systems as possible, including Apple OS X and Microsoft
Windows flavors.
On December 2, 2009, we released torbutton 1.2.3. This is the first release that addresses the
Firefox 3.5.x codebase. It contains the following changes:

bugfix: bug 950: Preserve useragent and download settings across toggle
bugfix: bug 1014: Fix XML Parsing Error on XHTML sites in Tor mode
bugfix: bug 1041: Preserve tab history in FF3.5
bugfix: bug 1047: Fix spurious user agent change notice
bugfix: bug 1053: Partial fix for ’TypeError: browser is undefined’ error
bugfix: bug 1084: Preserve HTTP accept language for Non-Tor usage
bugfix: bug 1085: Fix test settings issues with dead privoxy
bugfix: bug 1088: Clean up some namespace issues in the main chrome window
bugfix: bug 1091: Fix a lockup when ’Ask Every Time’ cookie pref is set
bugfix: bug 1093: Fix cert acceptance dialogs in Firefox 3.5
bugfix: bug 1146: Fixes for properly handling tab restore in FF3.5
bugfix: bug 1152: Close tabs on toggle prevents toggling in FF3.5”
bugfix: bug 1154: Clarify ”Last Tor test failed” message
misc: Disable geolocation in FF3.5 during Tor mode
misc: Disable DNS prefetch in FF3.5 in Tor mode and for Tor-loaded tabs
misc: Disable offline app cache during Tor mode
misc: Disable specific site zoom settings during Tor mode
new: Transfer Google cookies between country-code domains. This should make it such that captchas only need to be solved once per Tor session, as opposed to for each country.

On December 16, 2009, we released Torbutton 1.2.4. This fixes a number of bugs found after two weeks of live testing by users. It contains the following changes:

bugfix: bug 1169: Fix blank popup conflict with Google Toolbar
bugfix: bug 1171: Properly store and set network.dns.disablePrefetch
bugfix: bug 1165: Fix an exception on toggle in FF3.6
bugfix: bug 1163: Fix history loss in FF3.6
bugfix: Fix a typo error during logging
bugfix: Properly handle session restore in FF3.6
misc: Kill a warning message about missing properties in window-mapper.js
new: Add a new pref to disable Livemark updates during Tor usage (FF3.5+)

On December 21, 2009, we released an update to the -stable Tor branch, Tor 0.2.1.21. It fixes compatibility with newer OpenSSL libraries that work around the renegotiation bug. The full changelog is:
Tor 0.2.1.21 fixes an incompatibility with the most recent OpenSSL library. If you use Tor on Linux / Unix and you’re getting SSL renegotiation errors, upgrading should help. We also recommend an upgrade if you’re an exit relay.
Major bugfixes:

Work around a security feature in OpenSSL 0.9.8l that prevents our handshake from working unless we explicitly tell OpenSSL that we are using SSL renegotiation safely. We are, of course, but OpenSSL 0.9.8l won’t work unless we say we are.
Avoid crashing if the client is trying to upload many bytes and the circuit gets torn down at the same time, or if the flip side happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.

Minor bugfixes:

Do not refuse to learn about authority certs and v2 networkstatus documents that are older than the latest consensus. This bug might have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha. Spotted and fixed by xmux.
Fix a couple of very-hard-to-trigger memory leaks, and one hard-to- trigger platform-specific option misparsing case found by Coverity Scan.
Fix a compilation warning on Fedora 12 by removing an impossible-to- trigger assert. Fixes bug 1173.

On December 31, 2009, we released Tor Browser Bundle 1.3.0. The major change was the upgrade of Firefox to the 3.5 branch. The full changelog is:

upgrade Firefox to 3.5.6
update Pidgin to 2.6.4
update Torbutton to 1.2.4
upgrade Tor to 0.2.1.21

Design, develop, and implement enhancements that make
Tor a better tool for users in censored countries.
Updated the get-tor email autoresponder to better handle translations into non-English languages. Also updated to better handle split downloads of torbrowser bundle and mac os x vidalia bundles.
Mike finished his six week analysis of the Firefox 3.5 code base for privacy and anonymity leaks. The notes from the audit are documented in https://www.torproject.org/torbutton/design/FF35_AUDIT.

Grow the Tor network and user base. Outreach.

Jacob presented at the Arab Bloggers Conference in Beirut, Lebanon. http://www.arabloggers.com/
Jacob met with Al Jazeera in Doha, Qatar. http://www.aljazeera.net/
Jacob met with Rainbow House in Amman, Jordan.
Andrew and Roger attended a circumvention technology workshop in California.
Jacob, Roger, Karsten, Steven, and others attended 26C3 in Berlin, Germany. http://events.ccc.de/congress/2009/wiki/index.php/Main_Page. Jacob and Roger presented on ”Tor and censorship: lessons learned”, http://events.ccc.de/congress/2009/Fahrplan/events/3554.en.html. We mirrored the video and slides at https://blog.torproject.org/blog/tor-and-censorship-lessons-learned.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.
On December 31, 2009, we released Tor Browser Bundle 1.3.0. The major change was the upgrade of Firefox to the 3.5 branch. The full changelog is:

upgrade Firefox to 3.5.6
update Pidgin to 2.6.4
update Torbutton to 1.2.4
upgrade Tor to 0.2.1.21

Mike, Roger, and Andrew met with the Chrome team at Google to discuss integration of Tor into Chrome’s ”incognito mode”. We need some APIs to make the integration smoother, and to be able to scale the Tor Network to handle the expected traffic from Chrome users.

Scalability, load balancing, directory overhead, efficiency.

We did a one weekend test of the performance impact of changing circuit package window from 1000 cells to 101. The test and numbers are based on research by Csaba Kiraly. ”Effectof Tor window size on performance. Email to or-dev@freehaven.net, February 2009. http://archives.seul.org/or/dev/Feb-2009/msg00000.html”. The test appeared to be a null operation, it didn’t help nor hurt performance of the network as a whole.
Karsten continues to work on metrics about the Tor Network. We have a new metrics portal, http://metrics.torproject.org/ that shows the output, raw data, process for the collection, and the statistical analysis performed. Currently, our basic process is to collect, collate, and transform the data into graphs with R. Two organizations have offered to take the raw data from http://archives.torproject.org/ and import it into their data analysis products. We’re continuing to work on both tactics at this time.

More reliable (e.g. split) download mechanism.
OS X split dmg files will be available with each release going forward. The split dmg files are a native format for OS X 10.3 (Panther) and above; so users on low bandwidth connections should easily be able to work with these.

Translation work, ultimately a browser-based approach.

Hundreds of updated translations for torbutton, tor website, vidalia, torcheck, and get-tor in the following languages: Swedish, Brazillian Portugese, Polish, Russian, Spanish, Norwegian, Burmese, Chinese, Farsi, Arabic, Portugese, Ukranian, German, Spanish, French, Finnish, Italian, Dutch, and Turkish.
Runa applied updates to the process of syncing between the translation portal and live website. And she continues to maintain the translation portal.
Carolyn found translators for Russian, Ukrainian, and Burmese languages. She’s currently working on finding translators for Arabic, Farsi, and Spanish languages.

Tor 0.2.2.6-alpha released

phobos — Wed, 02 Dec 2009 21:29:12 -0800

On November 19, we released the latest in the Tor alpha series, version 0.2.2.6-alpha. This release lays the groundwork for many upcoming features:
support for the new lower-footprint "microdescriptor" directory design,
future-proofing our consensus format against new hash functions or
other changes, and an Android port. It also makes Tor compatible with
the upcoming OpenSSL 0.9.8l release, and fixes a variety of bugs.

It can be downloaded at https://www.torproject.org/download.html.en

Major features:

Directory authorities can now create, vote on, and serve multiple
parallel formats of directory data as part of their voting process.
Partially implements Proposal 162: "Publish the consensus in
multiple flavors".
Directory authorities can now agree on and publish small summaries
of router information that clients can use in place of regular
server descriptors. This transition will eventually allow clients
to use far less bandwidth for downloading information about the
network. Begins the implementation of Proposal 158: "Clients
download consensus + microdescriptors".
The directory voting system is now extensible to use multiple hash
algorithms for signatures and resource selection. Newer formats
are signed with SHA256, with a possibility for moving to a better
hash algorithm in the future.
New DisableAllSwap option. If set to 1, Tor will attempt to lock all
current and future memory pages via mlockall(). On supported
platforms (modern Linux and probably BSD but not Windows or OS X),
this should effectively disable any and all attempts to page out
memory. This option requires that you start your Tor as root --
if you use DisableAllSwap, please consider using the User option
to properly reduce the privileges of your Tor.
Numerous changes, bugfixes, and workarounds from Nathan Freitas
to help Tor build correctly for Android phones.

Major bugfixes:

Work around a security feature in OpenSSL 0.9.8l that prevents our
handshake from working unless we explicitly tell OpenSSL that we
are using SSL renegotiation safely. We are, but OpenSSL 0.9.8l
won't work unless we say we are.

Minor bugfixes:

Fix a crash bug when trying to initialize the evdns module in
Libevent 2. Bugfix on 0.2.1.16-rc.
Stop logging at severity 'warn' when some other Tor client tries
to establish a circuit with us using weak DH keys. It's a protocol
violation, but that doesn't mean ordinary users need to hear about
it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
Do not refuse to learn about authority certs and v2 networkstatus
documents that are older than the latest consensus. This bug might
have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
Spotted and fixed by xmux.
Fix numerous small code-flaws found by Coverity Scan Rung 3.
If all authorities restart at once right before a consensus vote,
nobody will vote about "Running", and clients will get a consensus
with no usable relays. Instead, authorities refuse to build a
consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
If your relay can't keep up with the number of incoming create
cells, it would log one warning per failure into your logs. Limit
warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
Bridges now use "reject *:*" as their default exit policy. Bugfix
on 0.2.0.3-alpha; fixes bug 1113.
Fix a memory leak on directory authorities during voting that was
introduced in 0.2.2.1-alpha. Found via valgrind.

The original announcement can be found at http://archives.seul.org/or/talk/Nov-2009/msg00106.html

October 2009 Progress Report

phobos — Thu, 12 Nov 2009 07:14:19 -0800

New releases, new hires, new funding
Christian Fromme joins Tor to work on development and maintenance of the growing number of tools we’ve created over the past year. Christian is a great python hacker with a strong security mindset. He’s going to enhance and maintain the tools such as tor weather, get-tor, bridge database, tor control, tor flow, check.torproject.org, etc. Christian has been a volunteer developer for the past year helping to enhance get-tor, tor weather, and generally helping out with our python coding needs.

On October 10, we released Tor version 0.2.2.4-alpha. The release notes can be read at https://blog.torproject.org/blog/tor-0224-alpha-released or below:
Major bugfixes:

Fix several more asserts in the circuit build times code, for example one that causes Tor to fail to start once we have accumulated 5000 build times in the state file. Bugfixes on 0.2.2.2-alpha; fixes bug 1108.

New directory authorities:

Move moria1 and Tonga to alternate IP addresses.

Minor features:

Log SSL state transitions at debug level during handshake, and include SSL states in error messages. This may help debug future SSL handshake issues.
Add a new ”Handshake” log domain for activities that happen during the TLS handshake.
Revert to the ”June 3 2009” ip-to-country file. The September one seems to have removed most US IP addresses.
Directory authorities now reject Tor relays with versions less than 0.1.2.14. This step cuts out four relays from the current network, none of which are very big.

Minor bugfixes:

Fix a couple of smaller issues with gathering statistics. Bugfixes on 0.2.2.1-alpha.
Fix two memory leaks in the error case of circuit build times parse state. Bugfix on 0.2.2.2-alpha.
Don’t count one-hop circuits when we’re estimating how long it takes circuits to build on average. Otherwise we’ll set our circuit build timeout lower than we should. Bugfix on 0.2.2.2-alpha.
Directory authorities no longer change their opinion of, or vote on, whether a router is Running, unless they have themselves been online long enough to have some idea. Bugfix on 0.2.0.6-alpha. Fixes bug 1023.

Code simplifications and refactoring:

Revise our unit tests to use the ”tinytest” framework, so we can run tests in their own processes, have smarter setup/teardown code, and so on. The unit test code has moved to its own subdirectory, and has been split into multiple modules.

On October 11, we released Tor 0.2.2.5-alpha. The release notes can be read at https://blog.torproject.org/blog/tor-0225-alpha-released or below:
Major bugfixes:

Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha.

New directory authorities:

Move dizum to an alternate IP address.
Code simplifications and refactorings
Numerous changes, bugfixes, and workarounds from Nathan Freitas to help Tor build correctly for Android phones.

On October 14th we released Vidalia 0.2.5. The release notes can be read at https://blog.torproject.org/blog/vidalia-025-released or below:

Add support in the Network settings page for configuring the Socks4Proxy and Socks5Proxy* options that were added in Tor 0.2.2.1-alpha. Patch from Christopher Davis.
Add a ”Automatically distribute my bridge address” checkbox (enabled by default) to the bridge relay settings options. (Ticket #524)
Add ports 7000 and 7001 to the list of ports excluded by the IRC category in the exit policy configuration tab. (Ticket #517)
Add a context menu for highlighted event items in the ”Basic” message log view that allows the user to copy the selected item text to the clipboard.
Maybe fix a time conversion bug that could result in Vidalia displaying the wrong uptime for a relay in the network map. Stop trying to enforce proper quoting and escaping of arguments to be given to the proxy executable (e.g., Polipo). Now the user is on their own for properly formatting the command line used to start the proxy executable. (Ticket #523)

Design, develop, and implement enhancements that make Tor a better tool for users in censored countries.

Jacob and Nathan Frietas finished development of Orbot, a tor client and relay with a graphical control interface for the Android mobile operating system. More details can be found at http://openideals.com/2009/10/22/orbot-proxy/.

Karsten rewrote the directory archive script that evaluates whether an IP address was a relay at a given point in the past in Python.

Started comparing free and commercial GeoIP databases for their accuracy. It would be great if someone else (a student?) would pick up this work and move it forward.

Grow the Tor network and user base. Outreach.

Andrew attended the Salzburg Global Seminar SIM Initiative 2020 Vision: Setting a Long-Term Agenda for Global Media Development from October 3 - 8. http://www.salzburgglobal.org/2009/sim.cfm?nav=news&IDMedia=1. A quick writeup of the seminar was posted at https://blog.torproject.org/blog/seminar-salzburg-global.
Roger gave a talk at Drexel University, https://www.cs.drexel.edu/research/colloquia.
Andrew gave a talk about Freedom of Speech, Online Censorship, and Tor at the US Agency for International Development. It was attended by members of US AID, State Department, and National Security Staff from The White House.
Roger, Jacob, Karsten, and Mike attended the 2009 Google Summer of Code Mentors Summit at Google HQ.
Andrew gave a talk about Tor and its Privacy by Design at the 2009 Access and Privacy Workshop in Toronto, Canada. http://www.verney.ca/onap2009/agenda_dynamic.php.
Jacob gave a talk at the 25th NorduNet Conference, http://www.nordu.net/conference/ndn2009web/welcome.html.
Andrew, Wendy, and others were interviewed for a Tech Review article on Tor being blocked by the Chinese Government for the first time ever, http://www.technologyreview.com/printer_friendly_article.aspx?id=23736.
Karsten attended EMANICS Workshop on Network Security in Bremen, Germany, and gave a 90-minute talk on Tor and my metrics work.
Karsten and Sebastian attended PET-CON 2009.2 in Regensburg, Germany, and talked about measuring sensitive data in the Tor network.
Finished paper on ”A Case Study on Measuring Statistical Data in the Tor Anonymity Network” together with Steven and Roger and submitted it to WECSR 2010.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.
Testing program updates to Tor Browser Bundle destined for the next release. The multi-protocol instant messaging client we use, Pidgin, includes voip and video chat functionality. Vidalia 0.2.5 inclusion to make the process of acquiring bridge addresses or becoming a bridge easier.

Bridge relay and bridge authority work.
The bridge distribution backend is now far more reliable than it was, and the algorithm has been retuned with design from Nick and Roger. Now the bridgedb code is much more willing to hand out a user’s first few bridges, but it is much harder to get it to hand out a whole bunch of bridges.

Scalability, load balancing, directory overhead, efficiency.
Nick rewrote the directory authority backend code to be able to provide multiple flavors of directory info: a new flavor that can be used for low-directory-bandwidth clients, and the existing flavor to support existing clients. This is the authority-side of proposals 158 and 162; once the authorities are migrated to this, we can start rolling out the client-side. Once it’s done, the directory overhead for clients should be dramatically reduced.

More reliable (e.g. split) download mechanism.
Christian rolled out changes to the email auto-responder, get-tor, to better handle emails coming to us in various languages. 50% more emails are being answered correctly since the change.
Thanks to some open internet activists in India, we have a fine new mirror of the Tor website in country at http://www.torproject.org.in/.
4 new website mirrors joined, 4 existing mirrors left.

Translation work

6 German updates to the website.
114 Italian updates to Torbutton.
17 Italian updates to the website.
Updated Arabic translation of Torbutton.
Complete Burmese translation of Torbutton.
Complete Burmese translation of Torcheck.
Complete Danish translation of Torcheck.
Brazilian translation of Torbutton.

Tor Browser Bundle 1.2.3 and 1.2.4 Released

phobos — Sun, 12 Jul 2009 20:50:41 -0700

Tor Browser Bundle 1.2.3 was released on July 8, 2009. It contains the following changes:

Update Vidalia to 0.1.14
Update Tor to 0.2.1.17-rc
Update Pidgin to 2.5.8

TBB 1.2.3 was replaced by 1.2.4 on July 11, 2009 to include:

Include libeay32.dll from OpenSSL 0.9.8k to make QT happy
Update Vidalia to 0.1.15

TBB 1.2.4 is available at https://torproject.org/torbrowser.