torbutton

Tor Browser Bundle 1.1.11 Released

phobos — Tue, 31 Mar 2009 12:19:52 -0700

An updated Tor Browser Bundle is released to address the Firefox 3.0.7 security issues. It includes:

Update Firefox to 3.0.8
Add Italian language bundles
Update Torbutton to 1.2.1
Update Vidalia to 0.1.12

This updated TBB can be downloaded from https://www.torproject.org/easy-download as the "zero install bundle".

October 2008 Progress Report

phobos — Mon, 01 Dec 2008 16:43:12 -0800

Design
We continued enhancements to the Chinese and Russian Tor website translations. We also have a second Chinese translator for the website now, so hopefully we will get more prompt translations there. Our Farsi translation from this summer is slowly becoming obsolete; we should solve that at some point.

We added a new "30 second summary" web page for Tor:
https://www.torproject.org/30seconds
and a new "easy download" page since the original is so complex:
https://www.torproject.org/easy-download

In the upcoming Vidalia 0.2.0 development release:
- Support changing UI languages without having to restart Vidalia.
- Updated Czech, Polish, Romanian and Turkish translations.

In the upcoming Vidalia 0.1.10 stable release:
- Add a prettier dialog for prompting people for their control port password that also includes a checkbox for whether the user wants Vidalia to remember the entered password, a Help button, and a Reset button (Windows only).
- Fix a crash bug that occurred when the user clicks 'Clear' in the message log toolbar followed by 'Save All'.
- Uncheck the Torbutton options by default in the Windows bundle installer if Firefox is not installed.
- Add an Windows bundle installer page that warns the user that they should install Firefox, if it looks like they haven't already done so.

It looks like Australia is soon to be joining the ranks of countries with a nationwide filtering regime:
http://arstechnica.com/news.ars/post/20081016-net-filters-required-for-a...

Proposals
We finished the first iteration of our auto-updater spec:
https://svn.torproject.org/svn/updater/trunk/specs/thandy-spec.txt
We detail our current auto-updater progress below.

Proposal 156 (Tracking blocked ports on the client side) moves us closer to having clients be able to automatically detect which ports are blocked by their local firewall, so they can bootstrap faster and avoid picking entry guards that aren't reachable for them. The the next steps here are to a) decide if this overall approach is the right approach, and b) revise the patch to be more memory-friendly.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/156-tracking...

Advocacy
Roger started a "Brainstorming about Tor, Germany, and data retention" thread on or-dev:
http://archives.seul.org/or/dev/Oct-2008/msg00001.html
which eventually turned into a blog post:
https://blog.torproject.org/blog/tor%2C-germany%2C-and-data-retention
as well as a (rejected) 25C3 submission. While I had originally been thinking of the issue in terms of what the ISP of a Tor relay might do, the discussion also came up about what responsibilities a Tor relay operator has with respect to the vague new data retention laws:
http://archives.seul.org/or/talk/Oct-2008/threads.html#00126
The ultimate result was a clarified perspective on logging inside Tor:
http://archives.seul.org/or/talk/Oct-2008/msg00274.html

We finally tracked down and solved the mysterious DoS attacks on some of the Tor directory authorities:
http://archives.seul.org/or/talk/Oct-2008/msg00056.html

We started chatting with Aaron about his "tor2web" proxy idea for letting non-Tor users access hidden service content:
http://tor.theinfo.org/
Somebody should follow up on that more to encourage him to keep at it.

Announced Joel Reardon's thesis on or-talk, and followed up with him to point him to some pieces of anonbib he needs to read more, to tell him about 25C3, and to remind him to publish his new measurement tools lest they become lost to time.

Roger and Karsten got the patches from proposal 155 into svn, and ultimately into the upcoming 0.2.1.7-alpha release. These were the bulk of the October progress for that NLnet project:
https://www.torproject.org/projects/hidserv.html.en#Oct08

Mike deleted the router-stability file for his directory authority (ides), which should provide temporary relief from bug 696 (which was causing most of the Stable flags to be assigned wrong, and in turn was causing instant messaging and related connections over Tor to be way more flaky than they should be):
https://bugs.torproject.org/flyspray/index.php?do=details&id=696
If his router-stability file gets corrupted again, we will have learned something.

Roger, Jacob, and Mike went to the Google Summer of Code Mentor Summit on Oct 24-26 in Mountain View, where we met with a few hundred other GSoC mentors and generally shared information about Tor and how to make good use of summer students working on free software tools.

We also went to dinner with Niels Provos while we were there, to talk about options for the "Google gives you a captcha if you're using Tor" problem. It looks like the right answer there will be for Torbutton to automate some workaround.

Andrew started working with Jillian York, so she can start blogging about the great uses of Tor. More news in November, e.g.
https://blog.torproject.org/blog/knight-pulse%2C-jillian%2C-and-tor

Matt Edman printed Vidalia T-shirts, and sent them out to the folks who have helped work on Vidalia lately. He is also working with a volunteer to clean up the Vidalia website, make new logos, clean up the installer graphics, etc.

Andrew wrote a blog post about anonymity in South Korea:
https://blog.torproject.org/blog/online-anonymity-debate-south-korea

Distribution
Work on the Tor VM project continues. We have a working prototype available now with a walk-through and screenshots:
http://peertech.org/files/demo/testinfo.html

We plan to release a more public alpha installer in November.

Scalability
From the Tor 0.2.1.7-alpha ChangeLog:
"The "ClientDNSRejectInternalAddresses" config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv."

Packaging
We changed our auto update design from code-name Glider to code-name Thandy, since there's a World of Warcraft cheat program named Glider and it might be a problem for WoW players that try to use Tor.

We've got the PKI and server-side for the auto updater in place. We wrote up a howto walking through how to set up the server-side for the updater, including how to assign roles and generate keys:
https://svn.torproject.org/svn/updater/trunk/doc/HOWTO

We've also decided that Python should work fine for the client-side too. Mike found some techniques to include only exactly the python libs we need, rather than the whole mess of python libs:
http://www.py2exe.org/index.cgi/BetterCompression
and Martin has been messing with saving some additional space by sharing the openssl lib between Tor and Thandy.

The next steps for November are:
- Roger is going to figure out what PKI we want for the first round of testing (what roles, which keys, how many, who, etc), and deploy a Thandy server so we can put some basic packages on it for testing.
- Nick is going to finish the client-side of Thandy, in terms of teaching it how to decide which packages and bundles are out of date, and teaching it to download new files and check all the right signatures.
- Martin is going to package Thandy plus all the right python libs in an easy Windows exe that hopefully isn't too big.
- Matt Edman is going to add a simple interface to Vidalia for client-side Thandy configuration: stuff like a GUI for telling the user that new updates have appeared and letting the user click "yes, please update me now", etc.
- Nick and Matt are going to brainstorm more about the interface between Vidalia and Thandy. For example, which program should keep state about the versions of each package that are installed, which program should be responsible for noticing if an install or upgrade attempt fails, etc.

All the steps but the last I think are going to be pretty straightforward. This last step has the most potential pitfalls in it, since we're trying to keep Thandy general and platform-independent yet *something* (either Thandy or Vidalia, or something in between) has to tackle all the crazy Windows-specific pieces.

It also looks like we should move the Tor packages and bundles from NSIS (Nullsoft installer) to MSI installer, as MSI can handle versioning and automatic installs (and uninstalls!) more gracefully. It's not yet clear yet if we're going to try to squeeze that installer shift into the November development timeframe.

Tor Browser Bundle
We've started to think about moving the Tor Browser Bundle from Firefox 2 to Firefox 3. This will mean we should measure new traces. We'll do it once Torbutton is known to be more stable on Firefox 3, which should happen in early 2009.

July 2008 Progress Report

phobos — Sun, 17 Aug 2008 20:11:31 -0700

Releases:

Torbutton 1.2.0rc5 (released July 6) provides improved addon compatibility, better preservation of Firefox preferences that we touch, fixing issues with Tor toggle breaking for some option combos, and an improved 'Restore Defaults' button. This version also features Firefox 3 cookie jar support, and support for storing cookie jars in memory.
http://archives.seul.org/or/talk/Jul-2008/msg00026.html

Vidalia 0.1.6 (released July 8) fixes a bug introduced in 0.1.3 that could cause excessive CPU usage or crashing on some platforms; continues to prepare Vidalia's strings for easier translation; adds a Romanian GUI and installer translation; and updated the Farsi, Finnish, French, German, and Swedish translations.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.6/CHANG...

Tor 0.2.0.29-rc (released July 8) fixes two big bugs with using bridges, fixes more hidden-service performance bugs, and fixes a bunch of smaller bugs.
http://archives.seul.org/or/talk/Jul-2008/msg00038.html

Torbutton 1.2.0rc6 (released July 12) features fixes for a nasty history loss bug, an exception during Tor toggle, javascript being disabled in some tabs, better pref handling, and more.
http://archives.seul.org/or/talk/Jul-2008/msg00049.html

Tor 0.2.0.30 (released July 15) is the first stable release of the 0.2.0.x branch. The previous stable branch (0.1.2.x) went stable in April of 2007. We are still waiting for Torbutton and Vidalia to stabilize before announcing the Windows and OS X packages on the or-announce announcements
list. We expect to do that in August.

Tor Browser Bundle 1.1.1 (released July 20) updates Vidalia to release 0.1.6, updates Pidgin Portable to 2.4.3, updates Pidgin OTR plugin to 3.2, updates Tor to 0.2.1.2-alpha, updates Torbutton to 1.2.0rc6, and sets TZ=UTC environment variable in RelativeLink (needed by Torbutton).
https://svn.torproject.org/svn/torbrowser/trunk/README

Torbutton 1.2.0 (released July 30) is finally a stable release for the new Torbutton tree that includes application-level privacy protections.
https://svn.torproject.org/svn/torbutton/trunk/src/CHANGELOG

From the Tor 0.2.0.29-rc ChangeLog:
"When a hidden service was trying to establish an introduction point, and Tor had built circuits preemptively for such purposes, we were ignoring all the preemptive circuits and launching a new one instead. Bugfix on 0.2.0.14-alpha."
"When a hidden service was trying to establish an introduction point, and Tor *did* manage to reuse one of the preemptively built circuits, it didn't correctly remember which one it used, so it asked for another one soon after, until there were no more preemptive circuits, at which point it launched one from scratch. Bugfix on 0.0.9.x."

The upcoming Tor 0.2.1.3-alpha and 0.2.1.4-alpha releases include more fixes for hidden service performance and robustness, have slightly improved bootstrap status event behavior, and start hunting down a horrible bug that looks like it could leak private information:
https://bugs.torproject.org/flyspray/index.php?do=details&id=779

Proposals:

Proposal 145 (Separate "suitable as a guard" from "suitable as a new guard") suggests one approach for separating the role of "is still useful as an entry guard" from "should be an option when choosing a new entry guard". This step will help us load balance over the network better.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/145-newguard...

Proposal 146 (Add new flag to reflect long-term stability) discusses how to ship the Tor client with a set of alternate sources for initial bootstrap directory information. We already have this feature in Tor 0.2.0.x, called the "fallback consensus", but we never enabled it because the Tor client would spend too long trying directory mirrors that were long since gone from the network. This proposal moves us closer to being able to distinguish the more long-term reliable mirrors.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/146-long-ter...

Proposal 147 (Eliminate the need for v2 directories in generating v3 directories) helps wean us off of needing the old deprecated v2 directory design. Currently we only use it to give advance warning to the v3 authorities about relays that haven't heard about yet, so they can fetch information about those relays before the time arrives to make an official vote about their state.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/147-prevotin...

Proposal 148 (Stream end reasons from the client side should be uniform) describes a simple fix for a potential anonymity flaw in Tor's core protocol for passing explanations from one end of a Tor circuit to the other when an application stream ends.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/148-uniform-...

Proposal 149 (Using data from NETINFO cells) starts talking about how to make use of the timestamp and IP address listed in Tor's new NETINFO cells. In theory we can use them to decide if our clock is skewed, and to decide if a traffic analysis man-in-the-middle attack is happening against us. In practice it appears more complex than we expected.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/149-using-ne...

Proposal 150 (Exclude Exit Nodes from a circuit) allows users to specify which relays should never be used as the last (exit) hop in a circuit. We took the proposal one step further and allowed users to also specify IP addresses and netmasks for which relays to avoid in the exit position.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/150-exclude-...

Proposal 151 (Improving Tor Path Selection) is a draft proposal to implement the results of Fallon Chen's Google Summer of Code project. Her plan is to measure the expected time it takes to establish a circuit, and then abandon circuits that take significantly longer than that to form. The assumption is that circuits that take a long time to set up will generally have unacceptably high latency as well.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/151-path-sel...

Proposal 154 (Automatic Software Update Protocol) starts the discussion of how to let Vidalia automatically manage updates for Tor, Polipo, Vidalia, etc. This is very important for keeping users up to date with respect to security and stability fixes. We will especially aim to do the updates over Tor, a) for privacy, and b) so users who are blocked from the Tor website will still be able to upgrade seamlessly.
https://svn.torproject.org/svn/tor/trunk/doc/spec/proposals/154-automati...

Research:

Karsten Loesing's report on 7 ways to improve the performance and robustness of Tor hidden services:
http://freehaven.net/~karsten/hidserv/discussion-2008-07-15.pdf

Four new research papers on Tor came out in July:
http://freehaven.net/anonbib/#loesing2008performance
http://freehaven.net/anonbib/#improved-clockskew
http://freehaven.net/anonbib/#mccoy-pet2008
http://freehaven.net/anonbib/#danezis-pet2008

We continued evaluating the TBB footprints here:
https://svn.torproject.org/svn/torbrowser/trunk/docs/traces.txt

In particular, we added a new "Registry modifications" section to that file, describing some new traces that appear to be left behind after operating Tor Browser Bundle, even from the USB key. One of the most worrying is the "user assist" registry key that gets set, and (incredible as it sounds) is obfuscated by rot-13 before being set.

Ease of Use:

The first Incognito (Gentoo-based Tor LiveCD) release of 2008 is also nearing completion, and we expect to see it released in August.

Finally, we contracted to start work on the Tor VM project. The idea is to run a Linux kernel and a Tor client inside a thin VM (like QEMU) on Windows, and then transparently intercept outgoing connections and redirect them into Tor. This approach will a) make proxy-avoiding side-channel and sidejacking attacks less devastating, and b) isolate the Tor client from the rest of the OS to provide a more robust security approach. Current design document is under development at
https://svn.torproject.org/svn/torvm/trunk/doc/design.html

Getting Tor:

We have established our "gettor" email auto-responder script that lets people mail gettor@torproject.org and retrieve a copy of Tor from their mailbox. We still need to ponder more usability issues, such as translation.
https://www.torproject.org/finding-tor

We have also automated the process of checking Tor website mirrors: there's a new update-mirrors.pl script in the website directory that generates a list of mirrors ordered by when they last synced with the main website.
https://www.torproject.org/mirrors

Translations:

We have our translation server up and online:
https://translation.torproject.org/

We revised our translation tutorial here:
https://www.torproject.org/translation-portal

Users continued to submit updated translations for many different languages.

We continued enhancements to the Chinese and Russian Tor website
translations. We added Vidalia, Torbutton, and website translations
into Farsi.

We also added the strings for Vidalia's installer; this required writing several scripts to convert from the "nsh" (nullscript installer language) format to the "po" (preferred by Pootle) format and back.

Stable Torbutton Release Approaches

mikeperry — Sun, 06 Jul 2008 18:45:08 -0700

For those of you just tuning in: Over the past year, I have been the maintainer of the Torbutton Firefox extension, adding a number of features and security enhancements to transform Torbutton from a simple proxy switcher into a secure way to fully isolate all browser state from one proxy state to another and defend against all known privacy and IP address leakage attacks.

The release candidate phase of the extension started about a month ago, but with the release of Firefox 3 and Torbutton 1.2.0rc series occurring at the same time, we've hit a number of unexpected rough spots and snags. However, with the 1.2.0rc5 release of Torbutton, I'm pleased to report that the majority of those now seem to be behind us (a few annoying Firefox bugs notwithstanding).

Thanks to contributions from arno, the Cookie Jar features now work with Firefox 3. They have even been improved to allow cookies to persist in memory-based jars across Tor toggle (as opposed to requiring Tor cookies to be written to disk to preserve them), which I personally already find very useful.

In addition, Torbutton is now much better about preserving users' custom Firefox preferences, including password and form fill preferences. Amusingly, the fact that we touch these preferences to protect users during Tor usage led to wild speculation on the addons.mozilla.org page that we were using them to steal passwords and send user details to Alexa. Of course, simply grepping the source code for 'Alexa' and related IP addresses proves this to be false, but that didn't stop at least three people (or at least three sock puppets) from running with the rumor that Torbutton is a password stealer. Ignorance sure is contagious.

At any rate, after over a year since development began, it looks like we're finally getting really close to declaring Torbutton 1.2.0 'stable', which should coincide nicely with the upcoming Tor 0.2.0 stable release and bundles. It's been a long road!

May 2008 Progress Report

phobos — Tue, 24 Jun 2008 20:39:17 -0700

Tor 0.2.0.26-rc (released May 13) fixes a major security vulnerability caused by a bug in Debian's OpenSSL packages. All users running any 0.2.0.x version should upgrade, whether they're running Debian or not.
http://archives.seul.org/or/talk/May-2008/msg00048.html

Vidalia 0.1.3 (released May 25) adds a hidden service configuration UI designed and implemented by Domenik Bork, as well as a few other bugfixes.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.3/CHANG...

The Tor Browser Bundle 1.0.2 (released May 3) and 1.0.3 (released May 16) include upgraded versions of Tor, Vidalia, Torbutton, and Firefox.

We added three new part-time developers in May. We hired Matt Edman as a part-time employee at the beginning of May, to work on Vidalia maintenance, bugfixes, and new features. We also are funding Karsten Loesing to work on making hidden service rendezvous and interaction faster, and Peter Palfrader to work on lowering the overhead of directory requests, especially during bootstrap, which should directly improve the experience for Tor users on modems or cell phones.

Google has agreed to give us some funding to work on auto-update for Windows. Our plan is for Vidalia to look at the majority-signed network status consensus to decide when to update and to what version (Tor already lists what versions are considered safe, in each network status document). We should actually do the update via Tor if possible, for additional privacy, and we need to make sure to check package signatures to ensure package validity. Last, we need to give the user an interface for these updates, including letting her opt to migrate from one major Tor version to the next.

We continued enhancements to the Chinese and Russian Tor website translations. Vidalia also added a Turkish translation.

From the Vidalia 0.1.3 ChangeLog:
"If we're running Tor >= 0.2.0.13-alpha, then check the descriptor annotations for each descriptor before deciding to do a geoip lookup on its IP address. If the annotations indicate it is a special purpose descriptor (e.g., bridges), then don't do the lookup at all."

"Remove the 'Run Tor as a Service' checkbox. Lots of people seem to be clicking it even though they don't really need to, and we end up leaving them in a broken state after a reboot."

"Only display the running relays in the big list of relays to the left of the network map. Listing a big pile of unavailable relays is not particularly useful, and just clutters up the list."

We worked toward a Torbutton 1.2.0rc1 release candidate, which will include support for Firefox 3 along with a huge pile of privacy-related bugfixes.

We spent much of the first half of May dealing with a surprise massive security vulnerability in a crypto library that comes with Debian:
http://archives.seul.org/or/announce/May-2008/msg00000.html

You can read a more detailed explanation of the effects of the flaw here:
https://blog.torproject.org/blog/debian-openssl-flaw%3A-what-does-it-mea...

Part of dealing with the flaw meant doing some quick design work so we could let new Tor users be safe without making it so old Tor users were cut off from the network:
https://www.torproject.org/svn/trunk/doc/spec/proposals/136-legacy-keys....

Sometime in late June or early July we will disable this workaround, meaning all the 0.2.0.x users who haven't upgraded yet will be cut off.

We are preparing for the Tor gathering at the Privacy Enhancing Technologies Symposium in Leuven in July. This is looking like it will be the largest physical gathering of Tor developers ever -- main developers attending include Roger Dingledine, Nick Mathewson, Jacob Appelbaum, Mike Perry, Matt Edman, Steven Murdoch, and Karsten Loesing; Tor researchers include Paul Syverson and Ian Goldberg; and we'll have 5 of our 7 Google Summer of Code students there as well.
https://blog.torproject.org/events/roger%2C-nick%2C-steven%2C-matt%2C-ka...
http://petsymposium.org/2008/program.php

The upcoming TBB release in June will include optional instant messaging support via Pidgin + Off-The-Record Messaging; replace the startup batch script with an actual application (named RelativeLink), so TBB now has a helpful Tor icon rather than an ugly batch file icon; and optionally support using WinRAR to produce a self-extracting split bundle.

We now have a more thorough set of TBB build instructions:
https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/INSTALL

We also documented the build and deploy process for a new TBB version:
https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/DEPLOYMENT

We finished integrating a UPnP library into Vidalia. This feature allows users who want to set up a Tor relay but don't want to muck with manual port forwarding on their router/firewall to just click a button and have Vidalia interact with their router/firewall automatically. This approach won't work in all cases, but it should work in at least some. The upcoming Vidalia 0.1.4 (scheduled for June) release has folded the UPnP library and GUI changes into the main Vidalia tree, along with a "test" button to try speaking UPnP at the local router and tell the user whether it worked; these features will be available by default in the 0.2.0.x stable release.

We spent May hunting for a better online translation option, since Launchpad (intended to be used for Vidalia translation) has an ugly interface and can't handle our file formats well, and Babelzilla (intended to be used for Torbutton translation) artificially limited the number of concurrent translators we could have.

In early June we hit upon Pootle, which is a translation server that we host, as opposed to a shared web service that other organizations host. We've set up a test server at http://translation.torproject.org/ and imported strings for Vidalia, Torbutton, and Torcheck. We hope to have a lot more to show here in June.

April 2008 Progress Report

phobos — Wed, 14 May 2008 09:53:24 -0700

Tor 0.2.0.24-rc (released Apr 22) adds dizum (run by Alex de Joode)
as the new sixth v3 directory authority, makes relays with dynamic IP
addresses and no DirPort notice more quickly when their IP address
changes, fixes a few rare crashes and memory leaks, and fixes a few
other miscellaneous bugs. Tor 0.2.0.25-rc (released Apr 23) makes Tor
work again on OS X and certain BSDs.
http://archives.seul.org/or/talk/May-2008/msg00014.html

Torbutton 1.1.18 (released Apr 17) fixes many usability and interoperability
items, in an attempt to make the new Torbutton not so obnoxious in its
zeal to protect the user. It also includes new translations for French,
Russian, Farsi, Italian, and Spanish.

We did a complete overhaul of the https://check.torproject.org/
page. Now it accepts a language choice,
e.g. https://check.torproject.org/?lang=fa-IR
Available languages are German, English, Spanish, Italian, Farsi,
Japanese, Polish, Portugese, Russian, and Chinese. The Tor Browser
Bundle automatically uses the appropriate language as its home page,
based on which language of the Browser Bundle was downloaded.

Started on a documentation page to explain to users what bridges are,
how they can decide whether they need one, and how to configure their
Tor client to use them:
https://www.torproject.org/bridges.html

We've also started working on a design proposal for making it easier
to set up a private or testing Tor network. With the advent of the v3
directory protocol, it currently takes up to 30 minutes before a test
network will produce a useful networkstatus consensus. Also, there are
a dozen different config options that need to be set correctly for
a Tor network running on a single IP address to not trigger various
security defenses. This approach should let more people set up their
own Tor networks, either for testing or because they can't reach the
main Tor network.
https://www.torproject.org/svn/trunk/doc/spec/proposals/135-private-tor-...

We have the beginnings of a grand plan for how to successfully scale
the Tor network to orders of magnitude more relays than we have
currently. Much more work and thinking remain.
https://www.torproject.org/svn/trunk/doc/spec/proposals/ideas/xxx-grand-...

We also did a retrospective on currently open but not finished design
proposals, so we don't have as many "open" proposals in the pipeline
but not getting attention:
http://archives.seul.org/or/dev/Apr-2008/msg00009.html

We added several more research papers that we'd like to see written to
the https://www.torproject.org/volunteer#Research page. In May we'll add
a few more and then start pointing academic professors at the new list.

The development version of Vidalia now has GUI boxes to configure an http
proxy that Vidalia should launch when it starts. (The Tor Browser Bundle
already uses these config options internally to launch Polipo when it
starts.) The next steps are to make sure that Polipo (our preferred new
http proxy) is stable enough on Windows, and then start shipping some
new standard bundles with Polipo rather than Privoxy.

We cleaned up the Torbutton install in the OS X bundles so it installs
Torbutton for the local user, rather than global. Hopefully this will
make OS X users happier.

We're making progress on integrating a UPnP library into Vidalia. This
feature will allow users who want to set up a Tor relay but don't want
to muck with manual port forwarding on their router/firewall to just
click a button and have Vidalia interact with their router/firewall
automatically. This approach won't work in all cases, but it should work
in at least some. We hope to land the first version of this in May.

Steven Murdoch and Robert Watson worked towards a final version of
their PETS 2008 paper called "Metrics for Security and Performance in
Low-Latency Anonymity Systems." The final version will be available in
May at:
http://www.cl.cam.ac.uk/~sjm217/papers/pets08metrics.pdf

So far there appear to be no free-software zip splitters that work
on Windows and produce self-contained exe files for automatically
reconstructing the file. Rather than using a closed-source shareware
application (as it seems a shame to put a trust gap in our build process
when we don't need to), the current plan is to write some instructions
for users to fetch the 7zip program, and then fetch a set of blocks,
and run a batch file to reconstruct them. We're in the process of trying
to learn how large the blocks can be -- preliminary guess is 2MB.

We have a first draft of a translation portal up here:
https://www.torproject.org/translation-portal

The Vidalia GUI now has (manual) translation instructions:
http://trac.vidalia-project.net/wiki/Translations

We've registered the Vidalia project on "LaunchPad", which is a
web-based translation site that is compatible with Vidalia's string
format:
https://translations.launchpad.net/vidalia/trunk/+pots/vidalia
We're currently working to try to upload our current translations into
the LaunchPad interface.

We've registered the Torbutton project on "BabelZilla", which is a
web-based translation site designed specifically for Firefox extensions.
We've uploaded the current translation strings:
http://www.babelzilla.org/index.php?option=com_wts&Itemid=88&extension=3...

Lastly, we've begun developer-oriented documentation for how to manage
and maintain these various translation web-interfaces:
https://www.torproject.org/svn/trunk/doc/translations.txt

March 2008 Progress Report

phobos — Fri, 11 Apr 2008 19:02:18 -0700

Tor 0.2.0.23-rc (released Mar 24) is the fourth release candidate for the 0.2.0 series. It makes bootstrapping faster if the first directory mirror you contact is down. The bundles also include the new Vidalia 0.1.2 release.
http://archives.seul.org/or/talk/Mar-2008/msg00204.html

Tor 0.2.0.22-rc (released Mar 18) is the third release candidate for the 0.2.0 series. It enables encrypted directory connections by default for non-relays, fixes some broken TLS behavior we added in 0.2.0.20-rc, and resolves many other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
http://archives.seul.org/or/talk/Mar-2008/msg00136.html

Tor 0.2.0.21-rc (released Mar 2) is the second release candidate for the 0.2.0 series. It makes Tor work well with Vidalia again, fixes a rare assert bug, and fixes a pair of more minor bugs. The bundles also include Vidalia 0.1.0 and Torbutton 1.1.16.
http://archives.seul.org/or/talk/Mar-2008/msg00025.html

Torbutton 1.1.16 (released Mar 3) and 1.1.17 (released Mar 15) fix many more potential privacy and identity leaks, mostly based on exploits found by Greg Fleischer, and try to start adding support for Firefox 3.
https://torbutton.torproject.org/dev/CHANGELOG

Vidalia 0.1.0 (released Mar 1), 0.1.1 (released Mar 17), and 0.1.2 (released Mar 24) changes the build process from make to cmake, starts doing encrypted geoip fetches rather than plaintext geoip fetches, checks if the user is running a dangerous or obsolete version of Tor and pops up a window warning them, waits to turn the Vidalia taskbar onion green until Tor reports that it has established a circuit, folds in the patches from Tor Browser Bundle to have Vidalia launch a browser and/or an http proxy, and fixes many miscellaneous bugs.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.2/CHANG...

From the Tor 0.2.0.23-rc ChangeLog:
“When a tunneled directory request is made to a directory server that's down, notice after 30 seconds rather than 120 seconds. Also, fail any begindir streams that are pending on it, so they can retry elsewhere. This was causing multi-minute delays on bootstrap.”

From the Tor 0.2.0.22-rc ChangeLog:
“Enable encrypted directory connections by default for non-relays, so censor tools that block Tor directory connections based on their plaintext patterns will no longer work. This means Tor works in certain censored countries by default again.”

From the Vidalia 0.1.1 ChangeLog:
“TunnelDirConns and PreferTunneledDirConns are now enabled by default as of Tor 0.2.0.22-rc. Don't check the 'My ISP blocks connections to the Tor network' box simply because TunnelDirConns is enabled. Checking the box still enables encrypted directory connections on older Tors.”

From the Vidlia 0.1.0 ChangeLog:
“Listen for the DANGEROUS_VERSION general status event and warn the user if their version of Tor is no longer recommended.”
“Listen for the CIRCUIT_ESTABLISHED client status event and only turn the yellow onion status icon green after Tor has successfully established a circuit.”
“Add a "How do I find a bridge?" link and corresponding help text to the 'Network' settings page.”
“Add a 'BrowserExecutable' configuration option to launch a Web browser when Tor has built a circuit, and exit Vidalia when the browser is closed.”
“Add 'ProxyExecutable' and 'ProxyExecutableArguments' configuration options to launch a proxy application with given parameters when Vidalia starts, and close it when Vidalia exits.”
“Rename the 'Relay' settings page to the 'Sharing' settings page.”

From the Tor 0.2.0.21-rc ChangeLog:
“We were sometimes miscounting the number of bytes read from the network, causing our rate limiting to not be followed exactly. Bugfix on 0.2.0.16-alpha. Reported by lodger.”

From the Vidalia 0.1.2 ChangeLog:
“Bridges are no longer required to have a DirPort set as of Tor 0.2.0.13-alpha, so stop forcing it on for bridges. At some point, we'll likely start forcing DirPort to be disabled for bridges, and on by default but optional for normal relays.”

Tor Browser Bundle 1.0.0 (released Mar 20) and 1.0.1 (released Mar 26) makes it work correctly with Polipo again, updates the versions of many of its components, and makes it easier to build the Bundle with custom included "jar" (plug-in) files as well as "xpi" (extension) files.
https://tor-svn.freehaven.net/svn/torbrowser/trunk/README

We moved the Tor Browser Bundle website into the main Tor website, so it can re-use our translation infrastructure. Currently its frontpage is available in English, German, Italian, Polish, and Russian.

February 2008 Progress Report

phobos — Tue, 11 Mar 2008 17:47:23 -0700

Tor 0.2.0.20-rc (released Feb 24) is the first release candidate for the 0.2.0 series. It makes more progress towards normalizing Tor's TLS handshake, makes hidden services work better again, helps relays bootstrap if they don't know their IP address, adds optional support for linking in openbsd's allocator or tcmalloc, allows really fast relays to scale past 15000 sockets, and fixes a bunch of minor bugs reported by Veracode.
http://archives.seul.org/or/talk/Feb-2008/msg00279.html

Tor 0.2.0.19-alpha (released Feb 9) makes more progress towards normalizing Tor's TLS handshake, makes path selection for relays more secure and IP address guessing more robust, and generally fixes a lot of bugs in preparation for calling the 0.2.0 branch stable.
http://archives.seul.org/or/talk/Feb-2008/msg00134.html

Torbutton 1.1.13 (released Feb 1), 1.1.14 (released Feb 24), and 1.1.15 (released Feb 26) fix many more potential privacy and identity leaks, mostly based on exploits found by Greg Fleischer. They also add support for automatic updates via the usual Firefox extension upgrade approach.
https://torbutton.torproject.org/dev/CHANGELOG

Work continued toward the upcoming Vidalia 0.1.0 release (which came out March 1): support for launching Firefox and Polipo as supporting applications; support for learning from Tor when the first circuit is ready so it can inform the user; and many other bugfixes including a few security fixes.
http://trac.vidalia-project.net/browser/vidalia/releases/vidalia-0.1.0/C...

The Tor 0.2.0.19-alpha release contained many security-related cleanups based on an anonymously submitted code review from a static analysis tool. The Tor 0.2.0.20-rc release contained even more security-related cleanups, based on an external security analysis and audit by Veracode. Hopefully cleanups at this stage will reduce the number of times we need to push out an urgent new stable "0.2.0" release for security reasons.

From the Tor 0.2.0.19-alpha ChangeLog:
“When connecting to a bridge without specifying its key, insert the connection into the identity-to-connection map as soon as a key is learned. This prevents the Tor user's log from showing a confusing complaint periodically.”
“When our consensus networkstatus has been expired for a while, stop being willing to build circuits using it. Now clients won't give themselves away by behaving uniquely if they start up with an old networkstatus view.”

From the Tor 0.2.0.20-rc ChangeLog:
“Choose which bridge to use proportional to its advertised bandwidth, rather than uniformly at random. This should speed up Tor for bridge users. Also do this for people who set StrictEntryNodes.”

From the Tor 0.2.0.19-alpha ChangeLog:
“If we're a relay, avoid picking ourselves as an introduction point, a rendezvous point, or as the final hop for internal circuits.”
“Directory caches now fetch certificates from all authorities listed in a networkstatus consensus, even when they do not recognize them. This bugfix is particularly important for bridge users, since the bridges are their only contact point for fetching new directory information.”

From the Tor 0.2.0.20-rc ChangeLog:
“Servers that don't know their own IP address should go to the authorities for their first directory fetch, even if their DirPort is off or if they don't know they're reachable yet. This will help them bootstrap better.”

From the Tor 0.2.0.20-rc ChangeLog:
“We were comparing the raw BridgePassword entry with a base64'ed version of it, when handling a "/tor/networkstatus-bridges" directory request. Now compare correctly. This bugfix should allow bridge communities (formerly known as bridge families) to work better. Noticed by Veracode.”

From the Tor 0.2.0.19-alpha ChangeLog:
“Do not include recognizeable strings in the commonname part of Tor's x509 certificates.”

From the Tor 0.2.0.20-rc ChangeLog:
“Enable the revised TLS handshake based on the one designed by Steven Murdoch in proposal 124, as revised in proposal 130. It includes version negotiation for OR connections as described in proposal 105. The new handshake is meant to be harder for censors to fingerprint, and it adds the ability to detect certain kinds of man-in-the-middle traffic analysis attacks. The version negotiation feature will allow us to improve Tor's link protocol more safely in the future.”

From the Tor 0.2.0.20-rc ChangeLog:
“Tune parameters for cell pool allocation to minimize amount of RAM overhead used.”
“Add OpenBSD malloc code from phk as an optional malloc replacement on Linux: some glibc libraries do very poorly with Tor's memory allocation patterns. Pass --enable-openbsd-malloc to get the replacement malloc code.”
“Stop imposing an arbitrary maximum on the number of file descriptors used for extremely high-throughput servers. Bug reported by Olaf Selke; patch from Sebastian Hahn.”

From the Tor 0.2.0.19-alpha ChangeLog:
“Patch from "Andrew S. Lists" to catch when we contact a directory mirror at IP address X and he says we look like we're coming from IP address X. This was causing some Tor relays to test their reachability by testing the wrong address, and never actually publish to the main list.”

We cleaned up the Tor Browser Bundle's webpage and instructions based on feedback from users who were visiting Iran and Burma. Also started preparations to make it easy for our translators to provide an alternate languages. As of March 10, we have English, German, Italian, Polish, and Russian translations. We are working to coordinate an Arabic translation too.
https://torbrowser.torproject.org/

The new Tor Browser Bundle 0.0.7 (released Feb 8) and 0.0.8 (released Feb 15) include security updates for Firefox (2.0.12), security updates for Torbutton (1.1.13), automate generation of internationalized bundles, allow optional extensions to be placed in build-scripts/extensions, build Polipo with regular expression support (activating the forbiddenFile option), and update Polipo configuration based on suggestions from Incognito's Polipo configuration:
https://tor-svn.freehaven.net/svn/torbrowser/branches/stable/README

January 2008 Progress Report

phobos — Mon, 18 Feb 2008 16:09:33 -0800

Tor 0.2.0.18-alpha (released Jan 25) adds a sixth v3 directory authority run by CCC, fixes a big memory leak in 0.2.0.17-alpha, and adds new config options that can warn or reject connections to ports generally associated with vulnerable-plaintext protocols.
http://archives.seul.org/or/talk/Jan-2008/msg00442.html

Tor 0.2.0.16-alpha and 0.2.0.17-alpha (released Jan 17) add a fifth v3 directory authority run by Karsten Loesing, and generally clean up a lot of features and minor bugs.
http://archives.seul.org/or/talk/Jan-2008/msg00254.html

Tor 0.1.2.19 (released Jan 17) fixes a huge memory leak on exit relays, makes the default exit policy a little bit more conservative so it's safer to run an exit relay on a home system, and fixes a variety of smaller issues.
http://archives.seul.org/or/announce/Jan-2008/msg00000.html

We continued work on the "BridgeDB" module: major progress on January was to improve robustness of the email subsystem so it is better at detecting forged mails that claim to be from gmail but are actually from elsewhere.

Work continued toward the upcoming Torbutton 1.1.13 release (which came out Feb 1). This new release has several significant security-related fixes:
https://torbutton.torproject.org/dev/CHANGELOG

Work continued toward the upcoming Vidalia 0.1.0 release: support for launching Firefox and Polipo as supporting applications; support for learning from Tor when the first circuit is ready so it can inform the user; and many other bugfixes including a few security fixes:
http://trac.vidalia-project.net/browser/vidalia/trunk/CHANGELOG

We added a "How do I find a bridge?" link and corresponding help text to Vidalia's 'Network' settings page.

From the Tor 0.2.0.16-alpha ChangeLog:
“Do not try to download missing certificates until we have tried to check our fallback consensus.” This change gets us closer to being able to bootstrap without ever needing to contact the central directory authorities.

New proposal "Version 2 Tor connection protocol" that specifies the details of our proposed new TLS handshake and how it interacts with current clients and servers:
https://www.torproject.org/svn/trunk/doc/spec/proposals/130-v2-conn-prot...

New proposal "Block Insecure Protocols by Default" in collaboration with researchers at University of Colorado to warn and/or refuse users when they try to use ports commonly associated with vulnerable-plaintext protocols:
https://www.torproject.org/svn/trunk/doc/spec/proposals/129-reject-plain...

Implemented in Tor 0.2.0.18-alpha:
“New config options WarnPlaintextPorts and RejectPlaintextPorts so Tor can warn and/or refuse connections to ports commonly used with vulnerable-plaintext protocols. Currently we warn on ports 23, 109, 110, and 143, but we don't reject any.”

Started work on a roadmap of all the future features and extensions we know we need. It's still mostly in outline form at this point:
https://www.torproject.org/svn/trunk/doc/design-paper/roadmap-future.pdf

From the Tor 0.2.0.18-alpha ChangeLog:
“If we've gone 12 hours since our last bandwidth check, and we estimate we have less than 50KB bandwidth capacity but we could handle more, do another bandwidth test.” Bridge relays that weren't getting any use were seeing their bandwidth estimate fall to 0 after the first few days of uptime.

From the Tor 0.2.0.16-alpha ChangeLog:
“Make bridges round reported GeoIP stats info up to the nearest multiple of 8, not down. Now we can distinguish between "0 people from this country" and "1 person from this country", without needing to collect precise statistics.”
“Bridge authorities are no longer willing to serve bridge descriptors over unencrypted connections.” This will discourage people from writing tools that don't bother using encrypted connections.

We continued to deploy the new design for the normalized TLS handshake. Thanks to some assistance from an OpenSSL development team member, we were able to get closer to completing a new version-2 style TLS handshake. In early February we have successfully made such a handshake: so we expect that February will be the month when this feature finally rolls out.

From the Tor 0.1.2.19 ChangeLog:
“Exit policies now reject connections that are addressed to a relay's public (external) IP address too, unless ExitPolicyRejectPrivate is turned off. We do this because too many relays are running nearby to services that trust them based on network address.” This change will allow more people to run relays comfortably, thus expanding the network.
“Stop thinking that 0.1.2.x directory servers can handle "begin_dir" requests. Should ease bugs 406 and 419 where 0.1.2.x relays are crashing or mis-answering these types of requests.”
“Fix a memory leak on exit relays; we were leaking a cached_resolve_t on every successful resolve. Reported by Mike Perry.”

From the Tor 0.2.0.16-alpha ChangeLog:
“Major performance improvement: Switch our old ring buffer implementation for one more like that used by free Unix kernels. The wasted space in a buffer with 1MB of data will now be more like 8KB than 1MB. The new implementation also avoids realloc();realloc(); patterns that can contribute to memory fragmentation.”

The Tor Browser Bundle now has its own webpage, complete with an installation guide and screenshots:
https://torbrowser.torproject.org/

The new 0.0.6 Tor Browser Bundle (released Jan 29) includes Polipo, includes a newer Tor release, and fixes a few configuration aspects to make it more secure:
https://tor-svn.freehaven.net/svn/torbrowser/branches/stable/README

A new version of the Incognito Privacy LiveCD was released on Jan 26. It includes new versions of many components, and also some bugfixes on the USB support:
http://anonymityanywhere.com/incognito/