Arti 1.1.5 is released: Onion Services, RPC, and a security patch
Arti is our ongoing project to create a next-generation Tor client in Rust. Now we're announcing the latest release, Arti 1.1.5.
In the past months, our efforts have been divided between onion services and work on a new RPC API (a successor to C Tor's "control port") that will give applications a safe and powerful way to work with Arti without having to write their code in Rust or link Arti as a library (unless they want to).
For onion services this month, we have continued work on our protocol infrastructure to support the cryptographic handshakes and protocols used for onion services, and begun design work on a key management system for onion services.
Our RPC code is still in an "infrastructure-only" state: the backend has progressed significantly, and now includes an object-reference system we'll use to enforce security via a capability-style design, but as of yet it supports no useful functionality. (We expect to land initial functionality this month.) For information on the general shape of our design, see the work-in-progress specification document.
Finally, this release also fixes a security issue: there was a bug in our SOCKS code that could be exploited to cause a denial-of-service attack against an Arti client. We are classifying this as a low-severity issue, since exploiting it would require the attacker to have access to localhost. Thanks to Jakob Lell for reporting this issue; it is tracked as TROVE-2023-001.
There have been many smaller changes as well; for those, please see the CHANGELOG.
Thanks to everyone who has contributed to this release, including Alexander Færøy, Jakob Lell, Jim Newsome, Saksham Mittal, and Trinity Pointard.
Finally, our deep thanks to Zcash Community Grants for funding the development of Arti!