alpha

Tor 0.2.1.6-alpha Released

phobos — Tue, 14 Oct 2008 17:25:11 -0700

Tor 0.2.1.6-alpha further improves performance and robustness of hidden
services, starts work on supporting per-country relay selection, and
fixes a variety of smaller issues.

The original announcement can be found at
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Changes in version 0.2.1.6-alpha - 2008-09-30

Major features:

Implement proposal 121: make it possible to build hidden services
that only certain clients are allowed to connect to. This is
enforced at several points, so that unauthorized clients are unable
to send INTRODUCE cells to the service, or even (depending on the
type of authentication) to learn introduction points. This feature
raises the bar for certain kinds of active attacks against hidden
services. Code by Karsten Loesing.
Relays now store and serve v2 hidden service descriptors by default,
i.e., the new default value for HidServDirectoryV2 is 1. This is
the last step in proposal 114, which aims to make hidden service
lookups more reliable.
Start work to allow node restrictions to include country codes. The
syntax to exclude nodes in a country with country code XX is
"ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
refinement to decide what config options should take priority if
you ask to both use a particular node and exclude it.
Allow ExitNodes list to include IP ranges and country codes, just
like the Exclude*Nodes lists. Patch from Robert Hogan.

Major bugfixes:

Fix a bug when parsing ports in tor_addr_port_parse() that caused
Tor to fail to start if you had it configured to use a bridge
relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
When extending a circuit to a hidden service directory to upload a
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
requests failed, because the router descriptor had not been
downloaded yet. In these cases, we now wait until the router
descriptor is downloaded, and then retry. Likewise, clients
now skip over a hidden service directory if they don't yet have
its router descriptor, rather than futilely requesting it and
putting mysterious complaints in the logs. Fixes bug 767. Bugfix
on 0.2.0.10-alpha.
When fetching v0 and v2 rendezvous service descriptors in parallel,
we were failing the whole hidden service request when the v0
descriptor fetch fails, even if the v2 fetch is still pending and
might succeed. Similarly, if the last v2 fetch fails, we were
failing the whole hidden service request even if a v0 fetch is
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
DNS replies need to have names matching their requests, but
these names should be in the questions section, not necessarily
in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.

Minor features:

Update to the "September 1 2008" ip-to-country file.
- Allow ports 465 and 587 in the default exit policy again. We had
rejected them in 0.1.0.15, because back in 2005 they were commonly
misconfigured and ended up as spam targets. We hear they are better
locked down these days.
Use a lockfile to make sure that two Tor processes are not
simultaneously running with the same datadir.
Serve the latest v3 networkstatus consensus via the control
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
Better logging about stability/reliability calculations on directory
servers.
Drop the requirement to have an open dir port for storing and
serving v2 hidden service descriptors.
Directory authorities now serve a /tor/dbg-stability.txt URL to
help debug WFU and MTBF calculations.
Implement most of Proposal 152: allow specialized servers to permit
single-hop circuits, and clients to use those servers to build
single-hop circuits when using a specialized controller. Patch
from Josh Albrecht. Resolves feature request 768.
Add a -p option to tor-resolve for specifying the SOCKS port: some
people find host:port too confusing.
Make TrackHostExit mappings expire a while after their last use, not
after their creation. Patch from Robert Hogan.
Provide circuit purposes along with circuit events to the controller.

Minor bugfixes:

Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
Reported by Tas.
Fixed some memory leaks -- some quite frequent, some almost
impossible to trigger -- based on results from Coverity.
When testing for libevent functions, set the LDFLAGS variable
correctly. Found by Riastradh.
Fix an assertion bug in parsing policy-related options; possible fix
for bug 811.
Catch and report a few more bootstrapping failure cases when Tor
fails to establish a TCP connection. Cleanup on 0.2.1.x.
Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
bootstrapping with tunneled directory connections. Bugfix on
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
When asked to connect to A.B.exit:80, if we don't know the IP for A
and we know that server B rejects most-but-not all connections to
port 80, we would previously reject the connection. Now, we assume
the user knows what they were asking for. Fixes bug 752. Bugfix
on 0.0.9rc5. Diagnosed by BarkerJr.
If we are not using BEGIN_DIR cells, don't attempt to contact hidden
service directories if they have no advertised dir port. Bugfix
on 0.2.0.10-alpha.
If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
we had met our limits precisely. Fixes bug 824. Patch from by rovv.
Bugfix on 0.2.0.x (??).
Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
Make DNS resolved controller events into "CLOSED", not
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
bug 807.
Fix a bug where an unreachable relay would establish enough
reachability testing circuits to do a bandwidth test -- if
we already have a connection to the middle hop of the testing
circuit, then it could establish the last hop by using the existing
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
circuits no longer use entry guards in 0.2.1.3-alpha.
If we have correct permissions on $datadir, we complain to stdout
and fail to start. But dangerous permissions on
$datadir/cached-status/ would cause us to open a log and complain
there. Now complain to stdout and fail to start in both cases. Fixes
bug 820, reported by seeess.
Remove the old v2 directory authority 'lefkada' from the default
list. It has been gone for many months.

Code simplifications and refactoring:

Revise the connection_new functions so that a more typesafe variant
exists. This will work better with Coverity, and let us find any
actual mistakes we're making here.
Refactor unit testing logic so that dmalloc can be used sensibly
with unit tests to check for memory leaks.
Move all hidden-service related fields from connection and circuit
structure to substructures: this way they won't eat so much memory.

September 2008 Progress Report

phobos — Tue, 14 Oct 2008 17:07:12 -0700

Releases
Vidalia 0.1.9 (released September 2) fixes a big pile of bugs and inconveniences in the earlier releases. This new release marks the first "stable" release of Vidalia, in that we have now branched into a stable (0.1.x) branch and a development (0.2.x) branch.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.9/CHANG...

Tor 0.2.0.31 (released September 3) addresses two potential anonymity issues, starts to fix a big bug we're seeing where in rare cases traffic from one Tor stream gets mixed into another stream, and fixes a variety of smaller issues.
http://archives.seul.org/or/announce/Sep-2008/msg00000.html

Tor 0.2.1.6-alpha (released September 30) further improves performance and robustness of hidden services, starts work on supporting per-country relay selection, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Circumvention Enhancements
From the Vidalia 0.1.9 ChangeLog:
"Correct the location of the simplified Chinese help files so they will actually load again."

From the Tor 0.2.1.6-alpha ChangeLog:
"Start work to allow node restrictions to include country codes. The syntax to exclude nodes in a country with country code XX is "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some refinement to decide what config options should take priority if you ask to both use a particular node and exclude it."
This feature should allow users in China to specify that they don't want to enter (and/or exit) in China, which in theory could provide stronger security for them.

From the Tor 0.2.1.6-alpha ChangeLog:
"Allow ports 465 and 587 in the default exit policy again. We had rejected them in 0.1.0.15, because back in 2005 they were commonly misconfigured and ended up as spam targets. We hear they are better locked down these days."
This feature lets people use GMail with Tor in more flexible ways. This approach is especially important for people trying to send email in certain configurations when their network wants to block or monitor them.

From the Tor 0.2.1.6-alpha ChangeLog:
"Provide circuit purposes along with circuit events to the controller."
This change will allow Vidalia to mark circuits in its graphical interface, so users don't get confused about why Tor is building strange circuits in the background when it's really just doing encrypted directory updates.

Matt and Andrew fixed a bug in the Vidalia bundle installer where it tried to detect if Firefox was installed, and unclick the "install Torbutton" option if not, but it didn't detect right. Now if Firefox is missing we put up a warning explanation about how you really ought to be using Tor with Firefox.

We also finally started working on a fix for the Vidalia bug where if Vidalia launches Tor and then crashes later, when you start Vidalia again it'll cryptically ask for your control password.
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#TorPasswordPro...
The first fix is to add a "reset" button to the cryptic message, that kills Tor for you and restarts it, and a "help" button that explains what's going on. These will be out in the next development Vidalia release, hopefully in October.

Camilo Viecco submitted a patch for our RPM spec (build) file to let us build Red Hat / SuSE packages for 64-bit architectures. Andrew included these patches in 0.2.1.6-alpha.

Advocacy
Steven Murdoch taught a lecture at the FIDIS/IFIP Brno Summer School in the Czech Republic.
http://www.buslab.org/SummerSchool2008/
The presentation was on anti-censorship in general especially on Tor. The students seemed to be interested so he encouraged them to look at Tor and see if there is anything they'd like to work on. We will see if anything comes from that.

We've also been discussing creating a Facebook application, for allowing relay operators to show off that they are running a Tor relay and hopefully encourage more to do so. We think this is a good enough idea to try building it, so Steven has started to do so. As well as adding bling to a user's profile, it would also allow us to map the network of node operators. This is one of the more promising research fields to resist Sybil attacks, see e.g.
"A Sybil-proof one-hop DHT, Chris Lesniewski-Laas"
http://pdos.csail.mit.edu/papers/sybil-dht-socialnets08.pdf

Steven had a related story regarding host-based security from his trainings in Kyrgyzstan and Poland. See also
http://www.f-secure.com/weblog/archives/00001494.html

Jacob was in a story by Declan about Internet Traceback plans:
"The Chinese Government, the NSA, Verisign and the ITU are getting together to trace users"
http://news.cnet.com/8301-13578_3-10040152-38.html

The current issue of Make Magazine has an article on how to use Tor:
http://www.make-digital.com/make/vol15/?pg=102

Helped Kasimir add new Tor controller features so Torstatus can switch to using the v3 directory system:
http://trunk.torstatus.kgprog.com/

Ease of Use
Steven is working on a new branch of Vidalia that can be used in Tor Browser Bundle, for launching Firefox directly without needing the extra installer scripts called "Firefox Portable". If we get this working, then we can hopefully make progress on running multiple Firefoxes at once (one used for Tor launched by TBB, and one used for non-Tor).
http://trac.vidalia-project.net/browser/vidalia/branches/alt-launcher

Jacob Appelbaum worked on a set of instructions for rebranding Firefox, if we decide that we need to call the browser that ships in the Tor Browser Bundle something other than "Firefox". The instructions aren't complete, for example because we need more replacement logos.
https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/branding/
It looks like the process of rebranding Firefox 3 is much more straightforward. We have "move to FF3" on our TBB roadmap.

Work by Martin and Kyle on the Tor VM project continues. We have a very early prototype available now:
http://peertech.org/files/demo/testinfo.html
and we hope to give it some more testing and better documentation in the coming months.

Scalability
Joel Reardon, Ian Goldberg's student at Waterloo, has finished the final version of his thesis "Improving Tor using a TCP-over-DTLS tunnel":
http://uwspace.uwaterloo.ca/handle/10012/4011
We funded this research (along with 4x matching funding from MITACS in Canada) in the hopes that it would move us close enough to being able to switch to a UDP design that we can put it on the Tor development roadmap at some point. Many large challenges remain, but this is also promising work in that it shows that we can expect very serious performance improvements if we go this route.

We've started hunting more thoroughly for solutions to Bug 676:
https://bugs.torproject.org/flyspray/index.php?do=details&id=696
The issue is that some of the v3 directory authorities are keeping bad statistics on uptimes and stability of relays, which means they are not assigning the Stable or Guard flag correctly to them. The result is that the networkstatus consensus mislabels them, and clients end up not choosing relays or circuits in an efficient manners. This bug not only results in bad performance for clients, but also results in overloading some relays, leading to worse performance.

From the Tor 0.2.1.6-alpha ChangeLog:
"Implement most of Proposal 152: allow specialized servers to permit single-hop circuits, and clients to use those servers to build single-hop circuits when using a specialized controller. Patch from Josh Albrecht. Resolves feature request 768."
"Fixed some memory leaks -- some quite frequent, some almost impossible to trigger -- based on results from Coverity."

Several security- and integrity-related bugfixes from Tor 0.2.0.31:
"Make sure that two circuits can never exist on the same connection with the same circuit ID, even if one is marked for close. This is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc."
"Relays now reject risky extend cells: if the extend cell includes a digest of all zeroes, or asks to extend back to the relay that sent the extend cell, tear down the circuit. Ideas suggested by rovv."
"If not enough of our entry guards are available so we add a new one, we might use the new one even if it overlapped with the current circuit's exit relay (or its family). Anonymity bugfix pointed out by rovv."