progress report

October 2009 Progress Report

phobos — Thu, 12 Nov 2009 07:14:19 -0800

New releases, new hires, new funding
Christian Fromme joins Tor to work on development and maintenance of the growing number of tools we’ve created over the past year. Christian is a great python hacker with a strong security mindset. He’s going to enhance and maintain the tools such as tor weather, get-tor, bridge database, tor control, tor flow, check.torproject.org, etc. Christian has been a volunteer developer for the past year helping to enhance get-tor, tor weather, and generally helping out with our python coding needs.

On October 10, we released Tor version 0.2.2.4-alpha. The release notes can be read at https://blog.torproject.org/blog/tor-0224-alpha-released or below:
Major bugfixes:

Fix several more asserts in the circuit build times code, for example one that causes Tor to fail to start once we have accumulated 5000 build times in the state file. Bugfixes on 0.2.2.2-alpha; fixes bug 1108.

New directory authorities:

Move moria1 and Tonga to alternate IP addresses.

Minor features:

Log SSL state transitions at debug level during handshake, and include SSL states in error messages. This may help debug future SSL handshake issues.
Add a new ”Handshake” log domain for activities that happen during the TLS handshake.
Revert to the ”June 3 2009” ip-to-country file. The September one seems to have removed most US IP addresses.
Directory authorities now reject Tor relays with versions less than 0.1.2.14. This step cuts out four relays from the current network, none of which are very big.

Minor bugfixes:

Fix a couple of smaller issues with gathering statistics. Bugfixes on 0.2.2.1-alpha.
Fix two memory leaks in the error case of circuit build times parse state. Bugfix on 0.2.2.2-alpha.
Don’t count one-hop circuits when we’re estimating how long it takes circuits to build on average. Otherwise we’ll set our circuit build timeout lower than we should. Bugfix on 0.2.2.2-alpha.
Directory authorities no longer change their opinion of, or vote on, whether a router is Running, unless they have themselves been online long enough to have some idea. Bugfix on 0.2.0.6-alpha. Fixes bug 1023.

Code simplifications and refactoring:

Revise our unit tests to use the ”tinytest” framework, so we can run tests in their own processes, have smarter setup/teardown code, and so on. The unit test code has moved to its own subdirectory, and has been split into multiple modules.

On October 11, we released Tor 0.2.2.5-alpha. The release notes can be read at https://blog.torproject.org/blog/tor-0225-alpha-released or below:
Major bugfixes:

Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha.

New directory authorities:

Move dizum to an alternate IP address.
Code simplifications and refactorings
Numerous changes, bugfixes, and workarounds from Nathan Freitas to help Tor build correctly for Android phones.

On October 14th we released Vidalia 0.2.5. The release notes can be read at https://blog.torproject.org/blog/vidalia-025-released or below:

Add support in the Network settings page for configuring the Socks4Proxy and Socks5Proxy* options that were added in Tor 0.2.2.1-alpha. Patch from Christopher Davis.
Add a ”Automatically distribute my bridge address” checkbox (enabled by default) to the bridge relay settings options. (Ticket #524)
Add ports 7000 and 7001 to the list of ports excluded by the IRC category in the exit policy configuration tab. (Ticket #517)
Add a context menu for highlighted event items in the ”Basic” message log view that allows the user to copy the selected item text to the clipboard.
Maybe fix a time conversion bug that could result in Vidalia displaying the wrong uptime for a relay in the network map. Stop trying to enforce proper quoting and escaping of arguments to be given to the proxy executable (e.g., Polipo). Now the user is on their own for properly formatting the command line used to start the proxy executable. (Ticket #523)

Design, develop, and implement enhancements that make Tor a better tool for users in censored countries.

Jacob and Nathan Frietas finished development of Orbot, a tor client and relay with a graphical control interface for the Android mobile operating system. More details can be found at http://openideals.com/2009/10/22/orbot-proxy/.

Karsten rewrote the directory archive script that evaluates whether an IP address was a relay at a given point in the past in Python.

Started comparing free and commercial GeoIP databases for their accuracy. It would be great if someone else (a student?) would pick up this work and move it forward.

Grow the Tor network and user base. Outreach.

Andrew attended the Salzburg Global Seminar SIM Initiative 2020 Vision: Setting a Long-Term Agenda for Global Media Development from October 3 - 8. http://www.salzburgglobal.org/2009/sim.cfm?nav=news&IDMedia=1. A quick writeup of the seminar was posted at https://blog.torproject.org/blog/seminar-salzburg-global.
Roger gave a talk at Drexel University, https://www.cs.drexel.edu/research/colloquia.
Andrew gave a talk about Freedom of Speech, Online Censorship, and Tor at the US Agency for International Development. It was attended by members of US AID, State Department, and National Security Staff from The White House.
Roger, Jacob, Karsten, and Mike attended the 2009 Google Summer of Code Mentors Summit at Google HQ.
Andrew gave a talk about Tor and its Privacy by Design at the 2009 Access and Privacy Workshop in Toronto, Canada. http://www.verney.ca/onap2009/agenda_dynamic.php.
Jacob gave a talk at the 25th NorduNet Conference, http://www.nordu.net/conference/ndn2009web/welcome.html.
Andrew, Wendy, and others were interviewed for a Tech Review article on Tor being blocked by the Chinese Government for the first time ever, http://www.technologyreview.com/printer_friendly_article.aspx?id=23736.
Karsten attended EMANICS Workshop on Network Security in Bremen, Germany, and gave a 90-minute talk on Tor and my metrics work.
Karsten and Sebastian attended PET-CON 2009.2 in Regensburg, Germany, and talked about measuring sensitive data in the Tor network.
Finished paper on ”A Case Study on Measuring Statistical Data in the Tor Anonymity Network” together with Steven and Roger and submitted it to WECSR 2010.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.
Testing program updates to Tor Browser Bundle destined for the next release. The multi-protocol instant messaging client we use, Pidgin, includes voip and video chat functionality. Vidalia 0.2.5 inclusion to make the process of acquiring bridge addresses or becoming a bridge easier.

Bridge relay and bridge authority work.
The bridge distribution backend is now far more reliable than it was, and the algorithm has been retuned with design from Nick and Roger. Now the bridgedb code is much more willing to hand out a user’s first few bridges, but it is much harder to get it to hand out a whole bunch of bridges.

Scalability, load balancing, directory overhead, efficiency.
Nick rewrote the directory authority backend code to be able to provide multiple flavors of directory info: a new flavor that can be used for low-directory-bandwidth clients, and the existing flavor to support existing clients. This is the authority-side of proposals 158 and 162; once the authorities are migrated to this, we can start rolling out the client-side. Once it’s done, the directory overhead for clients should be dramatically reduced.

More reliable (e.g. split) download mechanism.
Christian rolled out changes to the email auto-responder, get-tor, to better handle emails coming to us in various languages. 50% more emails are being answered correctly since the change.
Thanks to some open internet activists in India, we have a fine new mirror of the Tor website in country at http://www.torproject.org.in/.
4 new website mirrors joined, 4 existing mirrors left.

Translation work

6 German updates to the website.
114 Italian updates to Torbutton.
17 Italian updates to the website.
Updated Arabic translation of Torbutton.
Complete Burmese translation of Torbutton.
Complete Burmese translation of Torcheck.
Complete Danish translation of Torcheck.
Brazilian translation of Torbutton.

August 2009 Progress Report

phobos — Mon, 21 Sep 2009 07:19:26 -0700

New releases

On August 4, we released Tor Browser Bundle 1.2.7. It is updated primarily due to Firefox 3.0.13 with its ssl fixes.

The full changelist is:
1.2.7: Released 2009-08-04

update Firefox to 3.0.13
add Polish translation
update libevent to 1.4.12

On August 19, we released Tor Browser Bundle 1.2.8. The big changes are the inclusion of statically linked openssl dlls to resolve a few geoip lookup and functionality issues with Vidalia, and the upgrade to the new Vidalia 0.2.2.

The full list of updates and fixes:

update Torbutton to 1.2.2
update Vidalia to 0.2.2
compile OpenSSL 0.9.8k with Visual C to make dlls
update Pidgin to 2.6.1

On August 3rd, we release Vidalia 0.2.1. This is a major change in the way OS X and Windows bundles are installed, as well as many usability enhancements. This also sets the stage for a plugin-API being developed over the next few months.

The changes are:

Add a "Find Bridges Now" button that will attempt to automatically
download a set of bridge addresses and add them to the list of bridges
in the Network settings page.
Add support for building with Google's Breakpad crash reporting
library (currently disabled by default).
Show or hide the "Who has used my bridge recently?" link along with
the other bridge-related widgets when the user toggles the relay mode
in the Network settings page. (Ticket #480)
Tolerate bridge addresses that do not specify a port number, since Tor
now defaults to using port 443 in such cases.
Add support for viewing the map as a full screen widget when built
with KDE Marble support.
Compute the salted hash of the control password ourself when starting
Tor, rather than launching Tor once to hash the password, parsing the
output, and then again to actually start Tor.
Add a signal handler that allows Vidalia to clean up and exit normally
when it catches a SIGINT or SIGTERM signal. (Ticket #481)
If the user chooses to ignore further warnings for a particular port,
remove it from the WarnPlaintextPorts and RejectPlaintextPorts
settings immediately. Also remember their preferences and reapply them
later, even if Tor is unable to writes to its torrc.(Ticket #493)
Don't display additional plaintext port warning message boxes until
the first visible message box is dismissed. (Ticket #493)
Renamed the 'make win32-installer' CMake target to 'make dist-win32'
for consistency with our 'make dist-osx' target.
Fix a couple bugs in the WiX-based Windows installer related to building
a Marble-enabled Vidalia installer.
Write the list of source files containing translatable strings to a
.pro file and supply just the .pro file as an argument to lupdate, rather
than supplying all of the source file names themselves.

On August 14th, we release Vidalia 0.2.2. It addresses an issue with openssl which causes the geoip lookups to fail on various versions of Windows. It also switches from the Nullsoft Installer to the Microsoft System Installer for better compatibility with Microsoft Windows.
There are now separate Apple OS X builds, one for PowerPC architectures and one for i386 architectures. No more Universal binary bloat to download.
The changes are:

When the user clicks "Browse" in the Advanced settings page to locate
a new torrc, set the initial directory shown in the file dialog to the
current location of the user's torrc. (Ticket #505)
Use 'ditto' to strip the architectures we don't want from the Qt
frameworks installed into the app bundle with the dist-osx,
dist-osx-bundle and dist-osx-split-bundle build targets.
Fix a bug in the CMakeLists.txt files for ts2po and po2ts that caused
build errors on Panther for those two tools.
Include rebuilt OpenSSL libraries in the Windows packages that are
built with the static (/MT) version of the Microsoft Visual C++
Runtime. Otherwise, we would require users to install the MSVC
Redistributable, which doesn't work for portable installations such as
the Tor Browser Bundle.
Remove the NSIS file for the Vidalia installer since we now ship
MSI-based installers on Windows.

On August 27th, we released Vidalia 0.2.3. This fixes some more bugs with "Who has used by bridge" functionality and switches to Qt signals for event handling.
The changes are:

Create the data directory before trying to copy over the default
Vidalia configuration file from inside the application bundle on Mac
OS X. Affects only OS X drag-and-drop installer users without a
previous Vidalia installation.
Change all Tor event handling to use Qt's signals and slots mechanism
instead of custom QEvent subclasses.
Fix another bug that resulted in the "Who has used my bridge?" link
initially being visible when the user clicks "Setup Relaying" from
the control panel if they are running a non-bridge relay.
(Ticket #509, reported by "vrapp")
Always hide the "Who has used my bridge?" link when Tor isn't running,
since clicking it won't return useful information until Tor actually
is running.

On August 9th, we released Torbutton 1.2.2.
The changes and enhancements are:

bugfix: Workaround Firefox Bug 440892 to prevent external apps from
being launched (and thus bypassing proxy settings) without user
confirmation. Independently reported by Greg Fleischer and optimist.
bugfix: Create a separate "No Proxy For" option and remove the
string "localhost" from proxy exemptions. Prevents a theoretical
proxy bypass condition discovered by optimist. Fix based on patch from
optimist.
bugfix: bug 970: Purge undo tab list on Tor toggle.
bugfix: bug 1040: Scrub URLs from log level 4 and higher log messages.
Mac OS writes Firefox console messages to disk by default.
bugfix: bug 1033: Fix FoxyProxy conflict that caused some FoxyProxy
strings to fail to display.
misc: bug 1006: Pop up a more specific failure message for pref
changing errors during Tor toggle.
misc: Fix a couple of strict javascript warns on FF3.5
misc: Add chrome url protection call to conceal other addons during
non-Tor usage. Patch by Sebastian Lisken.
misc: Remove torbutton log system init message that may have scared some
paranoids.

Architecture and technical design docs

Update our secure updater, Thandy, to have optional BitTorrent support to distribute load spikes following new releases better. Currently, it uses the mainline BitTorrent libraries that can be installed along with Thandy, but there is also some groundwork to support other BitTorrent libraries later on.

Advocacy and outreach.

Andrew, Jacob, Karsten, Mike, Nick, and Roger attended the Privacy Enhancing Technologies Symposium in Seattle, WA. Details can be found at http://petsymposium.org/2009/. Jacob, Karsten, Mike, and Roger each presented their work on Tor.

Jacob, Karsten, Mike, Roger, and Sebastian attended Hacking at Random 2009 in Vierhouten, Netherlands. Details of the conference can be found at https://wiki.har2009.org/page/Main_Page. Jacob and Roger presented about Tor.

Jacob attended FooCamp 2009. More details can be found at http://foocamp09.wiki.oreilly.com/wiki/index.php/Main_Page. Jacob presented about Tor.

Andrew contacted Tor relay operators that started running a relay between June 12, 2009 and July 13, 2009; ostensibly for the Iranian protest movement. Of the 37 new relays, 13 had gone offline. After contacting the relay operators, 7 of the 13 are back online.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.

On August 4, we released Tor Browser Bundle 1.2.7. It is updated primarily due to Firefox 3.0.13 with its ssl fixes.

The full changelist is:
1.2.7: Released 2009-08-04

update Firefox to 3.0.13
add Polish translation
update libevent to 1.4.12

The full list of updates and fixes:

update Torbutton to 1.2.2
update Vidalia to 0.2.2
compile OpenSSL 0.9.8k with Visual C to make dlls
update Pidgin to 2.6.1

Jacob and Steve Tyree started work on a portable Tor Browser Bundle for Apple OS X. Jacob started work on a portable Tor Browser Bundle for generic Linux. Both bundles are currently in developer testing, gearing up for an alpha release in September 2009.

Updated TorVM with current packages for torbutton, tor, qemu. Added geoip and pycrypto to TorVM.

Scalability, load balancing, directory overhead, efficiency.

Continued metrics work with torperf and directory request statistics. Update bufferstats report, http://git.torproject.org/checkout/metrics/master/report/buffer/bufferst...
Updated circuit window report, http://git.torproject.org/checkout/metrics/master/report/circwindow/circ...

updated statistics on directory requests, http://git.torproject.org/checkout/metrics/master/report/dirarch/

And updated measurements on overall tor network performance, http://git.torproject.org/checkout/metrics/master/report/performance/tor...

Continued work on our bandwidth node scanner to provide better extra-info for clients to make better routing decisions.

Added a seventh directory authority run by Jacob Appelbaum.

More reliable (e.g. split) download mechanism.

Christian Fromme started work on our email auto-responder, get-tor, to better handle split downloads via email.

Jon, our mirror volunteer, continued to contact mirrors and update their status accordingly. The net change is zero, but we added a new mirror and removed a stale mirror.

Translation work

Runa, our Google Summer of Code student, finished the project to allow for website content to be translated via the Tor Translation Portal, https://translation.torproject.org/. The conversion tools are now live and Danish and Farsi are the first languages enabled in the Tor Translation Portal for testing.

In August, there were:

8 Russian updates for the website
29 Polish updates for the website
15 Chinese updates for the website
Danish updates for Torbutton
Nederlandish updates for Torbutton

July 2009 Progress Report

phobos — Mon, 10 Aug 2009 01:07:57 -0700

New releases

On July 8th, we released Vidalia 0.1.15..

On July 8th, we updated the Tor 0.2.0.35-stable bundles with the new Vidalia to fix an ssl issue and the Firefox Torbutton extension installation for OS X users.

On July 8th, we released Tor 0.2.1.17-rc.

Tor Browser Bundle 1.2.3 was released on July 8, 2009.
TBB 1.2.3 was replaced by 1.2.4 on July 11, 2009
TBB 1.2.5 was released on July 25th. It solely included an update to Tor 0.2.1.18 .
TBB 1.2.6 was released on July 28th. It solely included an update to Tor 0.2.1.19.

On July 24th, we released Tor 0.2.1.18.

On July 28th, we released Tor 0.2.1.19.

Make Tor a better tool for users in censored countries

Tor 0.2.1.18 is our new stable. That is, this is the first stable release
of the 0.2.1.x branch. The 0.2.0.x branch went stable in July of 2008.
From the 0.2.1.18 release:

If the bridge config line doesn't specify a port, assume 443.
This makes bridge lines a bit smaller and easier for users to
understand.

If we're using bridges and our network goes away, be more willing
to forgive our bridges and try again when we get an application
request.

Architecture and technical design docs for Tor enhancements related to blocking-resistance.

Proposal 166 details four steps we're taking to safely collect data
about Tor's network performance and network usage: 1) directory client
counts by country, 2) entry guard client counts by country, 3) relay
cell statistics, and 4) exit traffic by port and volume.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/166-st...

Hide Tor's network signature

Part of the reason why Tor might be especially slow in Iran could
be that they're doing deep packet inspection (DPI) to throttle SSL
connections. Tor's strategy of looking like SSL might turn out to be a
bad move in this case. It's hard to tell whether the SSL throttling is
actually happening, of course, because we get plenty of mixed information
from our sources in Iran. But if it *is* happening, we should start
investigating traffic obfuscation approaches that a) don't look like SSL,
but b) don't look recognizably like any other protocol.

Some other Iran circumvention developers have come up with a patch to
obfuscate ssh traffic:
http://github.com/brl/obfuscated-openssh/tree/master
http://c-skills.blogspot.com/2008/12/sshv2-trickery.html

Sometime soon we should start looking at designs to super-encrypt the
Tor link traffic in this way.

Grow the Tor network and user base. Outreach

On July 1st, Andrew gave a detailed Tor talk at the National Cyber Forensics and Training Alliance. Andrew's blog about the event is at https://blog.torproject.org/blog/visit-ncfta.

On July 7th, Andrew was a panelist for the CIMA/NED discussion on Iran and the Role of New Media, http://cima.ned.org/events/new-media-in-iran.html. Andrew's blog about the event is at https://blog.torproject.org/blog/cimaned-panel-iran-and-new-media.

On July 15th, Andrew presented Tor at Webinno22, http://www.webinnovatorsgroup.com/2009/07/06/the-webinno22-demo-companie.... Further discussions about online privacy startups and business deals with various investors and their seed companies are continuing since this event.

June 2009 Progress Report

phobos — Sat, 11 Jul 2009 19:06:32 -0700

New releases

On June 20th we released Tor 0.2.1.16-rc.
On June 21st, we released Tor Browser Bundle 1.2.1.
On June 23rd, we released Tor Browser Bundle 1.2.2.
On June 24th, we released Tor 0.2.0.35-stable. We expect that this release is the last of the 0.2.0.x -stable series, soon to be replaced with the 0.2.1.x series.
On June 30th, we released Vidalia 0.1.14.

Censorship circumvention

Packaged rpms for Red Flag Linux version 6. Red Flag Linux is reported to be the new operating system for all Internet cafe's in China. So far, no one has seen this conversion actually happen, but now we're ready if it does.

Our email autoresponder, gettor , received a number of patches to deal with dkim issues, including finding a dkim bug that prevented yahoo email users from fetching Tor. This bug has been fixed. Additionally, we've whitelisted some domains where we
see we're having lots of use but dkim isn't always configured properly. We've had thousands of users from China using gettor.

Outreach/Advocacy

Andrew, Roger, and Wendy attended Computers, Freedom, and Privacy 2009 Conference (http://www.cfp2009.org). Andrew presented a “quicktake” talk on “Who uses Tor?”. Andrew and Roger, along with Paul Syverson, and a North African blogger, hosted a panel on “It Takes A Village To Be Anonymous”. Due to the sensitive situation surrounding the blogger, this panel was not recorded.

Andrew talked with the Committee to Protect Journalists (http://cpj.org) about online security and circumvention tools.

Jillian C. York blogged at KnightPulse about “Average citizens browse anonymously
”, http://www.knightpulse.org/blog/09/06/04/average-citizens-browse-anonymo...

Due to Iranian's usage of Tor during the recent election, the general press/media conducted a few interviews with Andrew:

Computer World, http://www.computerworld.com/action/article.do?command=viewArticleBasic&...
Cnet News, http://news.cnet.com/8301-13578_3-10267287-38.html
Deutche Welle, http://www.dw-world.de/dw/article/0,,4400882,00.html
Technology Review, http://www.technologyreview.com/web/22893/
Origo, in Hungary, http://www.origo.hu/techbazis/internet/20090618-a-kiberforradalmarok-feg...
O'Reilly, http://radar.oreilly.com/2009/06/tor-and-the-legality-of-runnin.html
Washington Times, http://www.washingtontimes.com/news/2009/jun/26/protesters-use-navy-tech...
Arte TV video interview, the 30-minute video interview can't be put online, but will be shown to their viewers in late June/early July 2009. http://www.arte.tv
EFF, http://www.eff.org/deeplinks/2009/06/help-protesters-iran-run-tor-relays...
A Houston Radio station did an on-air interview, but didn't put the interview online.
A Romanian newspaper did an interview, but didn't put the story online.
Public Rado International did a more in-depth interview. They expect it to be on PBS Radio and BBC Radio 4 in early July 2009.

A number of blogs and other media picked up these original interviews and spread the word even further:

Preconfigured privacy (circumvention) bundles for USB or LiveCD.

Tor Browser Bundle 1.2.1 and 1.2.2 released in June. Planning a migration of the base operating system for the Incognito LiveCD to switch from Gentoo to an Ubuntu variant. We can always use help in maintaining Incognito.

Scalability, load balancing, directory overhead, efficiency.

June was spent documenting, stabilizing, and streamlining the bandwidth authority scanner, which has been runningfor a while on the Directory Authority named ides.

It is good enough to start running on multiple authorities now to produce actual results for clients to use.

More reliable (e.g. split) download mechanism.

Our email autoresponder, gettor , received a number of patches to deal with dkim issues, including finding a dkim bug that prevented yahoo email users from fetching Tor. This bug
has been fixed. Additionally, we've whitelisted some domains where we see we're having lots of use but dkim isn't always configured properly. We've had thousands of users from China using gettor.

The Tor Check website (check.torproject.org) had a few bugs and we've fixed all but two. We sometimes still have false negatives (because the Tor client doesn't know to fetch the consensus at any specific time) and we also still sometimes barf python exceptions because mod_python has some weird exception from time to time. We also accepted a patch from Marcus Greip that extends the TorBulkExitList to allow arbitrary ports rather than just port 80.

Footprints from Tor Browser Bundle.

Reduced the scanning for plugins Portable Firefox can do on launch of the application. There is still an issue where Firefox displays other plugins to users, but they aren't actually valid plugins and won't run on command. Firefox acquires the names through queries to the Windows Registry.

Translations

16 Polish website updates
8 Italian website updates
3 German website updates

May 2009 Progress Report

phobos — Wed, 10 Jun 2009 11:41:55 -0700

New releases
On May 25, we released Tor 0.2.1.15-rc.
On May 17, we released Tor VM 0.0.2.
On May 25, we released Vidalia 0.1.13 containing

Remove an old warning on the relay settings page that running a bridge
relay requires Tor 0.2.0.8-alpha or newer.
Add a workaround for a bug that prevented Vidalia's tray icon from
getting added to the system notification area on Gnome when Vidalia was
run on system startup. Patch by Steve Tyree. (Ticket #247)
Fix a bug that prevented the control panel from displaying when
running on the Enlightenment window manager. Patch by Steve Tyree.
Rename the CMake variables used to store the location of Qt's lupdate
and lrelease executables. Recent versions of CMake decided to use the
same variable name, which was stomping on mine, resulting in the wrong
lupdate and lrelease executables being used.
Use the TorProcess subclass of QProcess for launching Tor when hashing
a control password so we can take advantage of its PATH+=:/usr/sbin
trick on Debian there too.
If a RouterDescriptor object is empty, don't try to display it in the
router descriptor details viewer. (Ticket #479)
Wait until Vidalia has registered for log events via the control port
before ignoring Tor's output on stdout. Previously we would start
ignoring Tor's stdout after successfully authenticating, but before
registering for log events which, in some cases, could lead to
messages not appearing in the message log.
Update many translations and remove others than are no longer
up-to-date enough to be useful.

On May 25th, we released Tor Browser Bundle 1.2.0 containing

Switch to launching Firefox directly from Vidalia to
allow multiple instances of Firefox
Update Firefox to 3.0.10
Update to Qt 4.5.1
Update Firefox prefs.js to stop scanning for plugins
Update libevent to 1.4.11
Include the Tor geoip database
Update Vidalia to 0.1.13
Update Tor to 0.2.1.15-rc

Design, develop, and implement enhancements that make Tor a better
tool for users in censored countries.

Matt added "fetch bridges" features to Vidalia 0.2.x. This provides a link to automatically request bridges from https://bridges.torproject.org for users.

Architecture and technical design docs for Tor enhancements
related to blocking-resistance.
Proposal 160 aims to let authorities modify the bandwidth they put in
the consensus for each relay. This step will allow us to adjust the
weights we advertise for clients, once the measurements from TorFlow
start giving us better weights.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/160-ba...

Proposal 161 describes how node bandwidth ratios are
computed and how they can be produced in parallel.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/161-co...

Proposal 162 describes "consensus flavors": the size of the networkstatus
consensus is critical, since every user fetches it every few hours. So
we need a way to add new fields -- and remove old fields -- in a way
that lets old clients continue to use the consensus. The current plan
is to build and distribute several different versions at once, so each
client can fetch the one with the format they expect.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/162-co...

Proposal 163 starts to consider the problem of clients using relays as
single-hop proxies. If many clients start doing this (say, to improve
their own performance), it puts additional risk on the relays, since now
an attacker can expect to discover both client origins and destinations
by attacking the relay. Our current strategy for forcing clients to use
more than one hop is quite fragile, and it looks like we will soon need
more robust strategies.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/163-de...

Proposal 164 suggests ways to make it easier for relay operators to
discover why they are not listed in the networkstatus consensus. We have
a handle of people each week ask us on IRC why their relay isn't listed,
and currently the only way to answer is to have a competent directory
authority operator go dig around in various files in his datadirectory.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/164-re...

Proposal 165 focuses on simplifying the steps required to add a new
directory authority. The current approach requires manual work from every
directory authority operator within a space of several hours. As the
number of authorities grows, this synchronization is becoming impractical
-- and that's causing us to leave the number of authorities small, which
makes us vulnerable to other attacks. Once this proposal is finalized
and deployed, we'll hopefully be able to add new authorities more
smoothly.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/165-si...

Grow the Tor network and user base. Outreach.
Jacob attended CONFidence in Krakow, Poland as a keynote speaker. http://2009.confidence.org.pl/

Andrew and Jacob attended the Soul of a New Machine conference in Berkeley, CA. http://hrc.berkeley.edu/events/newmachineconference/

Roger and Andrew attended the 7th Annual Chinese Internet Research Conference in Philadelphia, PA. http://www.global.asc.upenn.edu/index.php?page=167

Karsten attended SIGINT 09 in Cologne.

Mike gave a presentation on TorFlow at CodeCon.

Roger met with Nick, Paul Syverson and Aaron Johnson at Yale to work more on Paul's research question: if we trust some Tor relays differently than others, how should we select our paths to be safe, and how do we analyze how safe the paths are?

Roger did a talk for about 15 OSI people in Budapest, Hungary.

Preconfigured privacy (circumvention) bundles for USB or LiveCD
The two large changes were the ability to run multiple instances of Firefox at once, such that a user's personal firefox shouldn't share data with the firefox from our bundle. The other change is the ability to stop TBB firefox from scanning the system for potential plugins, like Windows Media, Java, etc.

Started work on a hardened branch of Incognito live CD to help protect users from possible bugs in the programs running.

Scalability, load balancing, directory overhead, efficiency.

We documented the metrics we collect to help us determine the best ways to scale the Tor network. http://blog.torproject.org/blog/performance-measurements-and-blockingres... A number of nodes are now collecting this information to assist our network-wide measurements.

Much progress on torctl and torflow tools being used to measure real and potential performance of nodes in the public tor network.

Mike wrote proposal 161 describing how node bandwidth ratios are
computed and how they can be produced in parallel. The proposal can be found at http://git.torproject.org/checkout/tor/master/doc/spec/proposals/161-com...

Karsten finished a first patch to dump statistics about local queues to disk every 15 minutes. A first impression of how these data could be evaluated can be found in http://freehaven.net/~karsten/volatile/bufferstats-2009-05-25.pdf. The goal is to see if our buffer allocation algorithms are sufficient or need tweaking.

More reliable (e.g. split) download mechanism.
Developed the ability to split Apple OS X bundles into 1.44MB chunks. The functionality is native to OS X versions 10.4 and newer. It will not work in versions 10.3.9 or earlier releases.

Translation work, ultimately a browser-based approach
11 Polish updates
4 German updates
Portugese torbutton updates
Danish torbutton updates
Romanian torbutton updates
11 Italian updates
3 Chinese updates

April 2009 Progress Report

phobos — Mon, 11 May 2009 19:27:48 -0700

New releases
On April 12, we released 0.2.1.14-rc. Read the details in the announcement.

Outreach
Roger attended an ITSG conference in Chicago.

Roger, Nick, Jacob, and Mike attended the CodeCon conference in San Francisco, http://www.codecon.org/2009/.

Andrew met with the Center for Democracy and Human Rights in Saudi Arabia to discuss using Tor for their mission, http://cdhr.info.

Roger and Andrew met with the Department of Justice CyberCrime Division to give an overview of how Tor works and how we could better work with law enforcement.

Wendy, Roger, and Andrew had a dinner with Internews Central Asia media development staff.

Andrew attended the CIMI/NED panel on World Press Freedom, http://cima.ned.org/860/world-press-freedom-day-2009.html.

Andrew attended Boston Barcamp4 and spoke about Free Network Services and Online Privacy, http://www.barcampboston.org/.

Roger and Andrew met with Human Rights in China to give an overview of Tor and possible applications for their mission.

Scalability
From the 0.2.1.14-rc changelog:
Clients replace entry guards that were chosen more than a few months ago. This change should significantly improve client performance, especially once more people upgrade, since relays that have been a guard for a long time are currently overloaded.

Continued work on TorFlow, a tool for scanning the public Tor network and detecting misconfigured, overloaded, and evil nodes.

Translations
Count and languages updated:
20 Japanese website
16 Portugese website
3 Polish website
3 Chinese website
7 French website
14 Italian website
31 Norwegian website
1 Danish website
1 Vietnamese torbutton
1 Turkish torbutton
1 Greek torbutton
1 Arabic torbutton
1 Ukranian torcheck
1 Netherland torcheck
1 Thai torcheck
1 Burmese torcheck
1 German website
2 Russian website
1 Hindi torcheck
1 Greek torcheck

March 2009 Progress Report

phobos — Mon, 13 Apr 2009 05:56:43 -0700

New releases, new hires, new funding

On March 9, we released Tor 0.2.1.13-alpha. It includes the following fixes and enhancements:

o Major bugfixes:
- Correctly update the list of which countries we exclude as exits, when the GeoIP file is loaded or reloaded. Diagnosed by lark. Bugfix on 0.2.1.6-alpha.

o Minor bugfixes (on 0.2.0.x and earlier):
- Automatically detect MacOSX versions earlier than 10.4.0, and
disable kqueue from inside Tor when running with these versions.
We previously did this from the startup script, but that was no
help to people who didn't use the startup script. Resolves bug 863.
- When we had picked an exit node for a connection, but marked it as
"optional", and it turned out we had no onion key for the exit,
stop wanting that exit and try again. This situation may not
be possible now, but will probably become feasible with proposal
158. Spotted by rovv. Fixes another case of bug 752.
- Clients no longer cache certificates for authorities they do not
recognize. Bugfix on 0.2.0.9-alpha.
- When we can't transmit a DNS request due to a network error, retry
it after a while, and eventually transmit a failing response to
the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
- If the controller claimed responsibility for a stream, but that
stream never finished making its connection, it would live
forever in circuit_wait state. Now we close it after SocksTimeout
seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
- Drop begin cells to a hidden service if they come from the middle
of a circuit. Patch from lark.
- When we erroneously receive two EXTEND cells for the same circuit
ID on the same connection, drop the second. Patch from lark.
- Fix a crash that occurs on exit nodes when a nameserver request
timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
been suppressing the bug since 0.1.2.10-alpha. Partial fix for
bug 929.
- Do not assume that a stack-allocated character array will be
64-bit aligned on platforms that demand that uint64_t access is
aligned. Possible fix for bug 604.
- Parse dates and IPv4 addresses in a locale- and libc-independent
manner, to avoid platform-dependent behavior on malformed input.
- Build correctly when configured to build outside the main source
path. Patch from Michael Gold.
- We were already rejecting relay begin cells with destination port
of 0. Now also reject extend cells with destination port or address
of 0. Suggested by lark.

o Minor bugfixes (on 0.2.1.x):
- Don't re-extend introduction circuits if we ran out of RELAY_EARLY
cells. Bugfix on 0.2.1.3-alpha. Fixes more of bug 878.
- If we're an exit node, scrub the IP address to which we are exiting
in the logs. Bugfix on 0.2.1.8-alpha.

o Minor features:
- On Linux, use the prctl call to re-enable core dumps when the user
is option is set.
- New controller event NEWCONSENSUS that lists the networkstatus
lines for every recommended relay. Now controllers like Torflow
can keep up-to-date on which relays they should be using.
- Update to the "February 26 2009" ip-to-country file.
On March 10, we released Tor Browser Bundle 1.1.10. It includes:
Update Tor to 0.2.1.13-alpha
Update Firefox to 3.0.7
Update Pidgin to 2.5.5

On March 31, we released Tor Browser Bundle 1.1.11. It includes:
Update Firefox to 3.0.8
Add Italian language bundles
Update Torbutton to 1.2.1
Update Vidalia to 0.1.12

On March 21, we released Torbutton 1.2.1, it includes:
bugfix: bug 773: Fixed Noscript conflict issue.
bugfix: bug 866: Fixed conflict with ZoTero
bugfix: bug 908: Make UserAgentSwitcher's 'default' button restore Torbutton's spoofed user agent if Tor is enabled.
bugfix: bug 909: Get Torbutton to "properly" react to users changing their Firefox cookie lifetime settings as opposed to using the Torbutton interface.
bugfix: bug 834: Fix session saving and startup issues
bugfix: bug 875: Removed docShell == null popup during toggle for some users
bugfix: bug 910: fixed a locale spoofing issue in navigator.appVersion
bugfix: bug 747: Attempt to fix 'fullscreen' resizing issues.
bugfix: Stop-gap timezone spoofing fix for Linux and Mac for FF3. Requires a one-line patch to Firefox for Windows to work.
bugfix: Clear SSL Session IDs on toggle. (See FF Bug 448747)
misc: bug 931: Added a socks v4 vs v5 version choice to custom prefs.
misc: bug 836: redesign startup preference window to make it more understandable
misc: Torbutton now presents itself as Windows FF3.0.7.

On March 16, we released TorVM 0.0.1 as a testing release for user feedback and testing. More about TorVM can be read at https://www.torproject.org/torvm/

Vidalia 0.1.12 16-Mar-2009
o Fix a bug in the hidden service settings configuration class that
could lead to compile errors in Visual Studio and on IRIX.
o Fix a build error that occurred on IRIX when using the MIPSPro
compiler. Patch from Matthew Saunier.
o Remove two duplicated strings in the Spanish translation of Qt's
internal strings (qt_es.po). The duplicated strings caused build
errors when building with Qt 4.5. (Ticket #469)
o Remove the code that altered PublishServerDescriptor when becoming a
bridge, since Tor handles that itself now, and ensure that BridgeRelay
is reset when going from bridge to just-a-client mode.
o Remove an unnecessary #include from helpbrowser.cpp.
o Add an application icon based on Tor's logo to the vidalia.desktop
file.

Vidalia 0.2.0 19-Mar-2009
o Add support for changing UI languages without having to restart
Vidalia.
o Add preliminary support for using the KDE Marble widget for the
network map. It's currently a compile-time option and is disabled by
default.
o Add support for displaying Tor's plaintext port warnings. Also gives
the user the option to disable future warnings.
o Add an interface for displaying the geographic distribution of
clients who have recently used a bridge operator's relay.
o Add tooltips to tree items in the help browser's table of contents. Some
of the help topic labels are a bit long.
o Switch to a simpler About dialog and move the license information to a
separate HTML-formatted display.
o Switch to a simpler drag-and-drop installer in the OS X bundles.
o Switch to an MSI-based installer on Windows.
o Clear the list of default CA certificates used by QSslSocket before adding
the only one we care about. Suggested by coderman.
o Support building with Visual Studio again.
o Add a Debian package structure from dererk.
o Updated Albanian, Czech, Finnish, Polish, Portuguese, Romanian,
Swedish, Turkish and many other translations.

The Vidalia 0.2.0 release was also posted to the blog,
https://blog.torproject.org/blog/technology-preview-marble-and-vidalia02...

Design, develop, and implement enhancements

The Torbutton 1.2.1 update fixes a number of bugs that protect users in censored countries. Continued work on TorVM for easier and safer usage of Tor. Continued development of the secure updater client for Tor.

Architecture and technical design docs for Tor enhancements
related to blocking-resistance.

Nick wrote up a blog entry describing our current plans for making
libevent (and ultimately) Tor work well on Windows:
https://blog.torproject.org/blog/some-notes-progress-iocp-and-libevent

Grow the Tor network and user base. Outreach.

Andrew attended the LibrePlanet 2009 conference, http://www.fsf.org/associate/meetings/2009/. Discussed Tor, free network services, and free software.

Karsten, Sebastian, and others helped organize and then attended Pet-Con 2009, http://www.pet-con.org/index.php/PET_Convention_2009.1.

Nick wrote a blog post about the secure updater for Tor, codenamed Thandy, for Google's Open Source blog: http://google-opensource.blogspot.com/2009/03/thandy-secure-update-for-t...

Finished analyzing directory archives from February 2006 to February
2009. This analysis gives a slightly better picture of the Tor network
than the analysis of the 2008 data. The analysis shows that there is a
clear trend reversal in the number of German relays in 2008, , but for other countries the number of relays has continued to increase.

http://freehaven.net/~karsten/metrics/dirarch-2009-03-31.pdf

On March 17, Roger attended a hearing at the US Sentencing Commission,
where Seth Schoen from EFF was testifying in opposition to a new "if
you use a proxy when committing a crime, it's a sophisticated crime so
you get more jail-time" clause they were considering. It turned out one
of the commissioners is an avid Tor user, so they were sympathetic to
his testimony.

On March 24-25, Roger and Andrew met with the Psiphon team in Toronto.
We taught them about Tor's perspective on blocking-resistance, and about
our bridges design. We also helped review their future design plans. We
still have concerns that their closed design and implementation will
ultimately mean they are less effective than they could be, but it's
good to have alternate circumvention approaches available.

Tor (in combination with EFF) got accepted to Google Summer of Code
2009. Google will be funding roughly 5 students to work on Tor-related
development projects over this coming summer:
https://blog.torproject.org/blog/eff-and-tor-google-summer-code-2009
Our current thoughts are to focus on porting Polipo to Windows; improving
usability and features for Torbutton; working harder to get WML support
into Pootle, so people can translate our website with a browser; and
further work on Thandy to make it scale better when 100000 users all
try to upgrade in the same day.

Hal Roberts released his Berkman Center report on the "landscape of
circumvention technologies" as of 2007, which recommends Tor and Psiphon:
https://blog.torproject.org/blog/berkman-2007-circumvention-landscape-an...

Roger and Nick participated in the Codecon program committee, and helped
to choose a variety of good development projects to showcase in April. Two
of these turned out to be libevent (including the new Windows work),
and Torflow:
http://www.codecon.org/2009/program.html

Roger had lunch on March 4 with Micah Sherr, a PhD student at Penn who
is working on a new path selection algorithm for Tor, that tries to
minimize path latency rather than maximize bandwidth. Roger poked some
holes in his design, and hopefully will help him over the next few months
to fix them. You can read more about Micah's design in Section 4.3 of the
"performance.pdf" document.

We worked with Global Voices to help them update their "guide to blogging
anonymously":
https://blog.torproject.org/blog/updated-guide-blogging-anonymously
In particular, we updated it to include recommendations for using Tor
Browser Bundle, since TBB didn't exist when the guide was first written.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.

On March 10, we released Tor Browser Bundle 1.1.10. It includes:
Update Tor to 0.2.1.13-alpha
Update Firefox to 3.0.7
Update Pidgin to 2.5.5

On March 31, we released Tor Browser Bundle 1.1.11. It includes:
Update Firefox to 3.0.8
Add Italian language bundles
Update Torbutton to 1.2.1
Update Vidalia to 0.1.12

Bridge relay and bridge authority work.

From the changelog item from Vidalia 0.1.12:
o Remove the code that altered PublishServerDescriptor when becoming a
bridge, since Tor handles that itself now, and ensure that BridgeRelay
is reset when going from bridge to just-a-client mode.

Scalability, load balancing, directory overhead, efficiency.

Roger and Steven wrote the Performance Roadmap as published at https://www.torproject.org/press/2009-03-12-performance-roadmap-press-re...

Footprints from Tor Browser Bundle.

March 17, updated research on traces left behind by the Tor Browser Bundle. The current document can be found at https://svn.torproject.org/svn/torbrowser/trunk/docs/traces.txt.

Translations
21 Polish website translations
20 French website translations
53 Italian website translations
25 German website translations
5 Chinese website translations
5 Updates from the translation portal for torbutton, in French, Italian, and Bokmål (Norwegian)

February 2009 Progress Report

phobos — Tue, 10 Mar 2009 08:24:22 -0700

New releases, new hires, new funding
On February 8, we released versions 0.2.0.34-stable and 0.2.1.12-alpha.

Tor 0.2.0.34 features several more security-related fixes. You should upgrade, especially if you run an exit relay (remote crash) or a directory authority (remote infinite loop), or you're on an older (pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have many known flaws, and nobody should be using them. You should upgrade. If you're using a Linux or BSD and its packages are obsolete, stop using those packages and upgrade anyway.

Enhancements
In Tor 0.2.1.12-alpha, if we're using bridges and our network goes away, be more willing to forgive our bridges and try again when we get an application request. Bugfix on 0.2.0.x.

Continued to develop research and coding items for improving Tor's performance using a number of techniques. We're focusing on six main reasons for slow performance: congestion control, tcp backoff, wrong window sizes at start, lack of priority for circuit control cells, and user load from peer to peer bulk data transfers.

We've implemented KDE Marble as an alternate visualization of the world into Vidalia. The first phase is to get a better 3-D globe for clients. The next phase is to enable “click to exit” so users can choose their country of preference for exit nodes. More on this coming in a future blog post.

Outreach
Andrew and Roger attended an Open Society Institute Forum on, “The Future of Freedom and Control in the Internet Age”, http://www.soros.org/initiatives/fellowship/events/freedom_20090210. Rebecca MacKinnon and Evgeny Morozov both mentioned Tor and its positive uses multiple times during the talk and subsequent Q&A.

Andrew attended Mobile Activism 4 Change barcamp on February 21. This generated some citizen media press about security, privacy, and anonymity in reference to the mobile activist world. You can read more at http://barcamp.org/MobileTechForSocialChangeNewYork.

Jacob attended the InfoActivism camp, http://www.informationactivism.org/, in Bangalore, India. He gave 20 presentations, trainings, and lectures on Tor.

Produced a guide to Tor and circumvention with the Center for Human Rights and Democracy in Saudi Arabia, http://cdhr.info.

Worked with Global Voices (http://globalvoicesonline.org/) to update their guide to anonymous blogging with Tor and Wordpress; http://advocacy.globalvoicesonline.org/projects/guide/. We recommend the Tor Browser Bundle by default, and provide clearer instructions and more pictures to assist users in getting configured quickly and securely.

There was a talk at BlackHat from Xinwen Fu. Our official response and thoughts on the topic are available at https://blog.torproject.org/blog/one-cell-enough

From Feb 6-9, Roger, Nick, Wendy, and Andrew attended ShmooconV, http://shmoocon.org/, in February. Discussed Tor present and futures with many of the attendees.

End of Feb, Steven and Roger went to Financial Crypto 2009. We talked more with economics and "economics of information security" professors and researchers to get a better intuition about how to balance usability and load on the network. Steven also did a lightning talk on the "TLS footprint" arms race question: should we wait to fix known flaws, to slow down the arms race, or should we fix everything asap to discourage the censors from even trying?

Feb 17, Roger did a guest lecture on Tor in Drexel's senior-level computer
security class.

In Feb we also met with the Freedom House (http://www.freedomhouse.org/), to help them understand how Tor works and to try to help with the trainings they're organizing.

Jillian C. York continued her blogging for Tor at KnightPulse with “From Tunisia to Japan: Anonymity Everywhere”, http://www.knightpulse.org/blog/09/02/25/tunisia-japan-anonymity-everywh...

Tor bundles for USB drives or LiveCDs
On February 18, we released Tor Browser Bundle 1.1.9 with an updated Tor version to 0.2.1.12-alpha, Vidalia updated to 0.1.11, and Firefox 3.0.6. Andrew has taken over building the bundle to reduce the time between tor releases and bundles which include it. This should make PETER from the blog happy.

Updated the Incognito LiveCD TODO list to provide some more direction and tasks for the near future, http://archives.seul.org/or/cvs/Feb-2009/msg00056.html

We continued development and enhancement of TorVM with software updates to libevent, openwrt, vidalia, openvpn, tor, and win pcap. Enhanced the self-extraction and build scripts for easier creation by less technical users.

Scalability, load balancing, directory overhead, and efficiency
We wrote up a summary of directory overhead work here:
https://blog.torproject.org/blog/overhead-directory-info%3A-past%2C-pres...

Csaba Kiraly has been doing research on how to reduce the overall load on the Tor network, while also reducing latency for clients: http://archives.seul.org/or/dev/Feb-2009/msg00000.html

Alternate acquisition methods
Updated our get-tor email auto-responder to include more languages, added in the English version of the tor browser bundle, tested gmail download and resuming interrupted downloads, and fleshed out the design for easier localization of the message text and commands.

Translation
We had a combined 113 commits across Polish, Chinese, Italian, German, Spanish, Russian, Argentinian, Brazilian Portuguese, and Romanian languages. 41 of these commits were through our translation portal.

January 2009 Progress Report

phobos — Sun, 22 Feb 2009 17:23:37 -0800

New releases, new hires, new funding

Tor 0.2.1.10-alpha (released January 6) fixes two major bugs in bridge
relays (one that would make the bridge relay not so useful if it had
DirPort set to 0, and one that could let an attacker learn a little bit
of information about the bridge's users), and a bug that would cause your
Tor relay to ignore a circuit create request it can't decrypt (rather
than reply with an error). It also fixes a wide variety of other bugs.
http://archives.seul.org/or/talk/Jan-2009/msg00078.html

Tor 0.2.1.11-alpha (released Jan 20) finishes fixing the "if your Tor is
off for a week it will take a long time to bootstrap again" bug. It also
fixes an important security-related bug reported by Ilja van Sprundel. You
should upgrade. (We'll send out more details about the bug once people
have had some time to upgrade.)
http://archives.seul.org/or/talk/Jan-2009/msg00171.html

Tor 0.2.0.33 (released Jan 21) fixes a variety of bugs that were making
relays less useful to users. It also finally fixes a bug where a relay or
client that's been off for many days would take a long time to bootstrap.
http://archives.seul.org/or/announce/Jan-2009/msg00000.html

Tor Browser Bundle 1.1.8 (released Jan 22) updates Tor to 0.2.1.11-alpha
(security update), updates OpenSSL to 0.9.8j (security update), updates
Firefox to 3.0.5, updates Pidgin to 2.5.4, and updates libevent to 1.4.9.
https://svn.torproject.org/svn/torbrowser/trunk/README

This month we also hired three new people: Martin Peck is working on
Tor VM, a new way of packaging Tor on Windows that will let people use
Youtube safely again; Mike Perry is working on Torbutton maintenance
and development and on Torflow, a set of scripts to do measurements on
the Tor network; and Andrew Lewman is our new executive director.

Enhancements
Major bugfixes in the Tor 0.2.1.10-alpha and 0.2.0.33 releases:
- If the cached networkstatus consensus is more than five days old,
discard it rather than trying to use it. In theory it could be useful
because it lists alternate directory mirrors, but in practice it just
means we spend many minutes trying directory mirrors that are long
gone from the network. Helps bug 887 a bit; bugfix on 0.2.0.x.

Tor 0.2.1.10-alpha contains cleanups that let Tor build on Google's
Android phone:
- Change our header file guard macros to be less likely to conflict
with system headers. Adam Langley noticed that we were conflicting
with log.h on Android.

Major bugfixes in the Tor 0.2.1.11-alpha and 0.2.0.33 releases:
- Discard router descriptors as we load them if they are more than
five days old. Otherwise if Tor is off for a long time and then
starts with cached descriptors, it will try to use the onion
keys in those obsolete descriptors when building circuits. Bugfix
on 0.2.0.x. Fixes bug 887.

Security bugfixes in the Tor 0.2.1.11-alpha and 0.2.0.33 releases:
- Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.

Circuit-building speedups in Tor 0.2.1.10-alpha:
- When a relay gets a create cell it can't decrypt (e.g. because it's
using the wrong onion key), we were dropping it and letting the
client time out. Now actually answer with a destroy cell. Fixes
bug 904. Bugfix on 0.0.2pre8.

Scalability fixes from the Tor 0.2.0.33 ChangeLog:
- Clip the MaxCircuitDirtiness config option to a minimum of 10 seconds,
and the CircuitBuildTimeout to a minimum of 30 seconds. Warn the user if
lower values are given in the configuration. These fixes prevent a user
from rebuilding circuits too often, which can be a denial-of-service
attack on the network.
- When a stream at an exit relay is in state "resolving" or
"connecting" and it receives an "end" relay cell, the exit relay
would silently ignore the end cell and not close the stream. If
the client never closes the circuit, then the exit relay never
closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
reported by "wood".
- When sending CREATED cells back for a given circuit, use a 64-bit
connection ID to find the right connection, rather than an addr:port
combination. Now that we can have multiple OR connections between
the same ORs, it is no longer possible to use addr:port to uniquely
identify a connection.

Bootstrapping speedups in Tor 0.2.1.11-alpha:
- When our circuit fails at the first hop (e.g. we get a destroy
cell back), avoid using that OR connection anymore, and also
tell all the one-hop directory requests waiting for it that they
should fail. Bugfix on 0.2.1.3-alpha.

Architecture
Proposal 158 ("Clients download consensus + microdescriptors") suggests a
new way forward for reducing directory overhead for clients, and replaced
part of proposal 141. Rather than modifying the circuit-building protocol
to fetch a server descriptor inline at each circuit extend, we instead put
all of the information that clients need either into the consensus itself,
or into a new set of data about each relay called a microdescriptor.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/158-microdes...

From the 0.2.0.33 ChangeLog:
- Never use OpenSSL compression: it wastes RAM and CPU trying to compress
cells, which are basically all encrypted, compressed, or both. It also
made us stand out from other applications on the wire.

Advocacy
Jillian York continued blogging for us about the good uses of Tor:
http://www.knightpulse.org/blog/tor

"Federico Heinz advocates anonymous browsing in Argentina", Jan 8
http://www.knightpulse.org/blog/09/01/08/federico-heinz-advocates-anonym...

"Human Rights Organizations in Argentina welcome anonymous browsing", Jan 25
http://www.knightpulse.org/blog/09/01/25/human-rights-organizations-arge...

"Watch how you get around", Jan 30
http://www.knightpulse.org/blog/09/01/30/watch-how-you-get-around

Pre-configured bundles
Tor Browser Bundle 1.1.8 (released Jan 22) updates Tor to 0.2.1.11-alpha
(security update), updates OpenSSL to 0.9.8j (security update), updates
Firefox to 3.0.5, updates Pidgin to 2.5.4, and updates libevent to 1.4.9.
https://svn.torproject.org/svn/torbrowser/trunk/README

We continued work on Vidalia features to support where we want Tor
Browser Bundle to go. In particular, we're changing it to be able to
launch Firefox natively, rather than use the "PortableFirefox" pile of
complex scripts. We hope this change will also let users run a normal
Firefox alongside TBB. More on that in February.

We also continued work on Tor VM, a new way of packaging Tor on
Windows that will (among other things) let people use Youtube safely
again. Hopefully we'll have some simple instructions up about that in
February too.

Bridges
Major bugfixes in the Tor 0.2.1.10-alpha and 0.2.0.33 releases:
- Bridge relays that had DirPort set to 0 would stop fetching
descriptors shortly after startup, and then briefly resume
after a new bandwidth test and/or after publishing a new bridge
descriptor. Bridge users that try to bootstrap from them would
get a recent networkstatus but would get descriptors from up to
18 hours earlier, meaning most of the descriptors were obsolete
already. Reported by Tas; bugfix on 0.2.0.13-alpha.
- Prevent bridge relays from serving their 'extrainfo' document
to anybody who asks, now that extrainfo docs include potentially
sensitive aggregated client geoip summaries. Bugfix on
0.2.0.13-alpha.

Bugfixes in the Tor 0.2.1.10-alpha release:
- When we made bridge authorities stop serving bridge descriptors over
unencrypted links, we also broke DirPort reachability testing for
bridges. So bridges with a non-zero DirPort were printing spurious
warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.

New feature in Tor 0.2.1.10-alpha:
- New controller event "clients_seen" to report a geoip-based summary
of which countries we've seen clients from recently. Now controllers
like Vidalia can show bridge operators that they're actually making
a difference.
Vidalia will add support for this feature in February.

Alternate download methods
Our "gettor" email auto-responder is up and working:
https://svn.torproject.org/svn/projects/gettor/README
https://www.torproject.org/finding-tor#Mail

Thandy itself is working smoothly at this point too -- it can contact
the central repository, check all the keys, look in the registry and
compare the currently installed version to the new choices, fetch the
right packages, check all the signatures, and launch the install.

As of December we only had a new MSI-based installer for Tor, but not for
Vidalia, Torbutton, or Polipo. Now we do, though it's still in testing:
https://data.peertech.org/torbld

Translations
Our translation server is up and online:
https://translation.torproject.org/
https://www.torproject.org/translation-portal

We continued enhancements to the Chinese and Russian Tor website
translations. Our Farsi translation from this summer is slowly becoming
obsolete; we should solve that at some point.

December 2008 Progress Report

phobos — Mon, 02 Feb 2009 11:28:39 -0800

Releases
Tor 0.2.1.8-alpha (released December 8) fixes some crash bugs in earlier alpha releases, builds better on unusual platforms like Solaris and old OS X, and fixes a variety of other issues.
http://archives.seul.org/or/talk/Dec-2008/msg00129.html

Tor Browser Bundle 1.1.6 (released December 2) and 1.1.7 (released December 12) update Tor to 0.2.1.8-alpha, include a new version of Firefox, and attempt to wrestle with the "AllowMultipleInstances=false" design that could allow us to run Tor Browser Bundle alongside a normal Firefox.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.9-alpha (released December 25) fixes many more bugs, some of them security-related.
http://archives.seul.org/or/talk/Jan-2009/msg00029.html

Bug fixes
Security fixes in the Tor 0.2.1.8-alpha release:
- When the client is choosing entry guards, now it selects at most one guard from a given relay family. Otherwise we could end up with all of our entry points into the network run by the same operator. Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
- The "ClientDNSRejectInternalAddresses" config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
- The "User" and "Group" config options did not clear the supplementary group entries for the Tor process. The "User" option is now more robust, and we now set the groups to the specified user's primary group. The "Group" option is now ignored. For more detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.

Performance scalability fixes from the Tor 0.2.1.9-alpha ChangeLog:
- Clip the MaxCircuitDirtiness config option to a minimum of 10 seconds. Warn the user if lower values are given in the configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
- Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the user if lower values are given in the configuration. Bugfix on 0.1.1.17-rc. Patch by Sebastian.

Relay stability fixes from the Tor 0.2.1.9-alpha ChangeLog:
- Fix a logic error that would automatically reject all but the first configured DNS server. Bugfix on 0.2.1.5-alpha. Possible fix for part of bug 813/868. Bug spotted by coderman.
- When we can't initialize DNS because the network is down, do not automatically stop Tor from starting. Instead, retry failed dns_init() every 10 minutes, and change the exit policy to reject *:* until one succeeds. Fixes bug 691.

Karsten discovered a bug where some directory authorities would take many minutes to send out a network status, because they were rate limiting too low. The short-term fix is to get those authorities to set
"MaxAdvertisedBandwidth 10 KB"
in their torrc, so they don't spend as much of their bandwidth relaying ordinary Tor traffic.
https://bugs.torproject.org/flyspray/index.php?do=details&id=847
We need to consider longer-term solutions too, where clients actually recover more gracefully from this situation.

Advocacy
We finally made our 3-year development roadmap public:
https://blog.torproject.org/blog/our-three-year-development-roadmap-publ...

Jillian York continued blogging for us about the good uses of Tor:
http://www.knightpulse.org/blog/tor

"Syria: Using Tor for Censorship Resistance", Dec 1
http://www.knightpulse.org/blog/08/12/01/syria-using-tor-censorship-resi...

"Australia Addresses Internet Circumvention", Dec 19
http://www.knightpulse.org/blog/08/12/19/australia-addresses-internet-ci...

Howcast produced a quick video for the masses on how to circumvent censorship. We were technical consultants for this video. It's tough to talk about Tor, when the first question you're trying to answer is "What is a proxy? And why do I care?" Howcast did a great job for a high-level overview of circumvention technologies in four minutes.
https://blog.torproject.org/blog/how-circumvent-internet-proxy-howcast

Wendy was a panelist at a conference organized by Paul Ohm and others at Colorado U at the beginning of December on law, wiretapping, and research-oriented data collection: "The Law and Ethics of Network Monitoring":
http://www.silicon-flatirons.org/events.php?id=544

Roger, Karsten, Sebastian, Steven, Jacob, Mike, Peter, Wendy, Frank, Christian, and others attended the 25C3 conference in Berlin, Dec 27-30.
Roger gave a talk there, similar to the DC08 talk but focusing entirely on 'present' and 'future': "Security and anonymity vulnerabilities in Tor: past, present, and future"
http://freehaven.net/~arma/slides-25c3.pdf

There was a workshop after Roger's talk on Germany and data retention. Sebastian Hahn was really great at representing Tor there, particularly because it was right after Roger's talk so he missed half of it, and because it was mostly in German. Roger tried to add the points that a) he really still does want to do Tor talks for German law enforcement (we got a few leads), and b) the major German Tor relay busts were in 2006-2007, not 2008, and maybe we're finally making progress.

Jacob was among the presenters at 25C3 on a talk about how they had managed to forge a root SSL certificate. In short, this meant that they could pretend to be any https site on the Internet, and no browser would complain. Nick wrote up a response explaining how it works and how it can affect Tor users:
"The MD5 certificate collision attack, and what it means for Tor"
http://blog.torproject.org/blog/md5-certificate-collision-attack%2C-and-...

New features
New feature from the Tor 0.2.1.8-alpha ChangeLog:
- New DirPortFrontPage option that takes an html file and publishes it as "/" on the DirPort. Now relay operators can provide a disclaimer without needing to set up a separate webserver. There's a sample disclaimer in contrib/tor-exit-notice.html.

We continued work on Thandy (our secure updater) this month.

Thandy itself is working smoothly at this point -- it can contact the central repository, check all the keys, look in the registry and compare the currently installed version to the new choices, fetch the right packages, check all the signatures, and launch the install.

We also now have a branch of Vidalia that has the GUI components for our updater in and working. It launches the updater to check for updates periodically, and there's a "check now" button. It does the update via Tor if Tor is up and running, and via direct connection otherwise.

We had hoped to be able to get away with patching our current .nsi Windows installer, but it turns out that "nsi silent (non-GUI) install" and "Vista" are not compatible concepts: Vista only likes MSI-based silent installs, due to that whole permissions thing that Vista gets so excited about.

So we now have a shiny new wxs-based msi installer for Tor on Windows:
https://svn.torproject.org/svn/tor/trunk/contrib/tor.wxs.in
with buildbot-style output here:
https://data.peertech.org/torbld

The new installer has been tested for install, upgrade, repair and removal. But that's just Tor, and our recommended download bundle contains four components: Tor, Vidalia (the GUI), Torbutton (our Firefox extension), and either Privoxy or Polipo (an http proxy configured to use Tor -- we're migrating from Privoxy to Polipo).

So, the next step is to work on MSI installer files for the other three, plus a meta-msi file for the bundle. We're aiming to have a first go of that at the beginning of January. That way we can give a simpler demo of "download this bundle, then it will automatically notice that it should upgrade Tor, and it will fetch the new package and upgrade."

In other news, Roger had a long chat with Justin Cappos in early December. Justin did his PhD thesis on security of package managers, and is now a post-doc at UW working on (among other things) auto-update frameworks. See the beginning of a thread here:
http://archives.seul.org/or/dev/Dec-2008/msg00010.html

Translations
We have our translation server up and online:
https://translation.torproject.org/
https://www.torproject.org/translation-portal

We continued enhancements to the Chinese and Russian Tor website translations. Our Farsi translation from this summer is slowly becoming obsolete; we should solve that at some point.