August 2008 Progress Report

Releases

Vidalia 0.1.7 (released August 2) fixes a bug that caused Vidalia to not recognize Tor's version correctly in Tor 0.2.0.x, adds an "nsh2po" tool that helps Pootle translate the Vidalia bundle installer strings, adds "TZ=UTC" to the BrowserExecutable's environment variables when launched via Vidalia, and updates the Czech, French, and German translations.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.7/CHAN…

Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Green, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMWare and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Tor 0.2.1.3-alpha (released August 3) implements most of the pieces to prevent infinite-length circuit attacks (see proposal 110); fixes a bug that might cause exit relays to corrupt streams they send back; allows address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and ExcludeExitNodes config options; and fixes a big pile of bugs.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor 0.2.1.4-alpha (released August 4) fixes a pair of crash bugs in 0.2.1.3-alpha.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to version 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

Vidalia 0.1.8 (released August 17) makes the bandwidth graph window look better for languages like Farsi, includes ssleay32.dll in the Windows packages so Vidalia won't crash when it finds an incompatible version of ssleay32.dll in the user's $PATH, makes "escape" and "return" shortcuts for the settings window, and fixes a variety of other bugs.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.8/CHAN…

Tor 0.2.0.30 (released July 15, announced August 21) switches to a more efficient directory distribution design, adds features to make connections to the Tor network harder to block, allows Tor to act as a DNS proxy, adds separate rate limiting for relayed traffic to make it easier for clients to become relays, fixes a variety of potential anonymity problems, and includes the usual huge pile of other features and bug fixes.
http://archives.seul.org/or/announce/Aug-2008/msg00000.html

Tor Browser Bundle 1.1.3 (released August 22) fixes a bug in the 0.1.2 release that messed up translations in the homepage, adds "small=1" to the homepage URL so it doesn't show the huge green onion by default, and updates Vidalia to 0.1.8.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.5-alpha (released August 31) moves us closer to handling IPv6 destinations, puts in a lot of the infrastructure for adding authorization to hidden services, lays the groundwork for having clients read their load balancing information out of the networkstatus consensus rather than the individual router descriptors, addresses two potential anonymity issues, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Sep-2008/msg00072.html

Blocking resistance
The Tor 0.2.1.3-alpha and 0.2.1.4-alpha releases include more fixes for hidden service performance and robustness, have slightly improved bootstrap status event behavior, and start hunting down a horrible bug that looks like it could leak private information:
https://bugs.torproject.org/flyspray/index.php?do=details&id=779

Now that the Tor 0.2.0.30 release has been declared stable, ordinary users will finally get bridge features, the new harder-to-block network protocol, and other features by default.

Core Development
We're working on a draft for a new "automatic software update" protocol, code-named Glider, that incorporates the previous proposals 153 and 154 but is easier to extend to other packages, and is easier to implement and maintain on the server side. We hope to have this new draft out as an actual proposal document, along with some early prototypes of the server side, in September.
https://svn.torproject.org/svn/updater/trunk/specs/glider-spec.txt
Part of the ongoing development question is how to write the client side of this auto update engine in a convenient and easy language like Python, yet have it still be extremely compact on the client side -- since Windows doesn't include Python by default, shipping a Python interpreter with the auto updater could add 10MB to the package size.

Roger sent the list of "research directions we should look at" to or-dev, so more people could look at it:
http://archives.seul.org/or/dev/Aug-2008/msg00031.html
We are working these items into a more comprehensive research and development roadmap; stay tuned.

Advocacy
We answered a lot of press organizations about Tor and the Olympics this month. Our main goal was to explain to technical people how bridges work, what they're for, and explain that in most countries right now Tor works just fine out of the box, so bridges are the backup plan for later down the arms race. The CCC (and others) succeeded in making some good press articles, e.g.
http://www.rsf.org/article.php3?id_article=27991
http://www.guardian.co.uk/technology/2008/aug/07/censorship.hacking
http://www.guardian.co.uk/commentisfree/2008/aug/05/china.censorship

Roger attended Black Hat and Defcon. His Defcon talk was:
"Attacks/Vulnerabilities on Tor: past, present, future"
Slides are at http://freehaven.net/~arma/slides-dc08.pdf
He had a packed room of 500+ people. Lucky Green summarized his take-away from the talk as "we would love to work with you if you find any problems with Tor, and we have a good track record of working well with the community." That sounds like what we were aiming for. We're still waiting for the video to come out so we can link to it from the documentation page.

We also talked a lot with the Mozilla people about privacy-impacting bugs in Firefox. We have a list now:
https://www.torproject.org/torbutton/design/#FirefoxBugs
and should start looking for good Firefox developers to fix them and funding to incent them to do so.

We put up our mid-August NLnet reports:
https://www.torproject.org/projects/hidserv#Aug08
https://www.torproject.org/projects/lowbandwidth#Aug08

Jacob spent a long week of hacking in Argentina, for DebConf 8 (the yearly Debian Conference). Lots of Tor advocacy. Another box of Tor stickers applied to many many laptops. Lots of people were interested in Tor and many many people installed Tor on both laptops and servers. This advocacy resulted in at least two new high bandwidth nodes that he helped the administrators configure. The first is in Japan. The second is our first major high bandwidth node in New Zealand.

Coverity (coverity.com) is now scanning Tor. It found a bunch of minor memory leaks, a few false positives, and some other miscellaneous bugs. Nick fixed almost all of the bugs in a quick afternoon, excepting some testing code that has some resource leaks. Jacob is going to work on getting other Tor related projects into Coverity.

Mike Perry has been working lately on publicity for moving more high-profile websites to use SSL correctly. Last year at Defcon he reported a bug in how many sites (including GMail) handle their cookies: he basically described an easy way for anybody in Starbucks to steal your GMail cookie and log into your gmail account, even if you are always very careful to only use "https" when logging in to your gmail account. The attack works because cookies *can* be set with an "only present this cookie on an SSL connection" flag when they're created, but no sites actually set this flag because they are concerned about usability. This attack is easy to perform as a Tor exit relay too. This year, Mike presented an actual tool that performs this attack on a local wireless network in an automated way. Some high-profile sites are slowly moving to use more secure login approaches.

Matt Edman finished running the "Vidalia logo design contest". The contest resulted in 76 entries. There were a lot of questionable submissions (Vidalia ninjas?!), but there were also a few great ones. He is tending towards this entry as his choice for the new Vidalia logo:
http://www.worth1000.com/view.asp?entry=479229

Usability
Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Green, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMWare and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Incognito now comes with much more thorough documentation about which software packages are included, and how they are configured:
http://www.browseanonymouslyanywhere.com/incognito/uploadfiles/docs.html

Incognito's next step is to work on a "hardened" option that uses a more secure kernel and other applications. The goal is to keep the same usability but be even less vulnerable to application-level and kernel-level attacks that could be used to gain access to the system and then try to unveil the user.

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to release 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor Browser Bundle 1.1.3 (released August 22) fixes a bug in the 0.1.2 release that messed up translations in the homepage, adds "small=1" to the homepage URL so it doesn't show the huge green onion by default, and updates Vidalia to 0.1.8.
https://svn.torproject.org/svn/torbrowser/trunk/README

We're working on a new branch of Vidalia that can be used in Tor Browser Bundle, for launching Firefox directly without needing the extra installer scripts called "Firefox Portable". If we get this working, then we can hopefully make progress on running multiple Firefoxes at once (one used for Tor launched by TBB, and one used for non-Tor).
http://trac.vidalia-project.net/browser/vidalia/branches/alt-launcher

The German CCC organization put together a version of the Tor Browser Bundle called the "Freedom Stick" for use in teaching the media about the Chinese firewall and the Olympics:
http://chinesewall.ccc.de/freedomstick-en.html

Scalability
From the Tor 0.2.1.5-alpha ChangeLog:
"More progress toward proposal 141: Network status consensus documents and votes now contain bandwidth information for each router and a summary of that router's exit policy. Eventually this will be used by clients so that they do not have to download every known descriptor before building circuits."

We're worked on getting "Tor Weather" back up and working:
https://weather.torproject.org/
Weather is a service to let relay operators get notified when their relay is unreachable for an extended period of time. It's still in its early experimental stages, but it's already proved useful to its early testers. It's also using SSL as its base URL now.

Jacob has also been working on a Tor network map, to visualize where our relays are. Using all of the known descriptors, it maps each node with some GeoIP code and plot it onto a map. You can interact with the data to see the IP address of each node, the node name and the city/country information if we could find it. Sadly, it *will* lock your browser up for one or two minutes, as there's a lot of data to parse:
http://freehaven.net/~ioerror/maps/v3-tormap.html

khled.8@hotmai.com

September 21, 2008

Permalink

You should include URLs to projects not listed on the main Tor site so we don't have to go searching for real information outside of a change log...

Can you provide an example? I can do this, I'm just wondering which outside projects we didn't link to in the post.

khled.8@hotmai.com

September 21, 2008

Permalink

Hello,

Just installed lastest TOR vidalia bundle 0.1.9. And now unable to change network preferences from TOR configuration back to regular. The window pane appears and won't allow the enable button to change back to normal.

Running Apple OS 10.4.11

thank you.

khled.8@hotmai.com

September 21, 2008

Permalink

I'm using Firefox.

I uninstalled Tor after using it for a day because there are some issues with fitting it in with my pattern of internet working.

But the message 'Tor Disabled' remains, in red, in the bar at the bottom of the screen.

It is more than just a message. If I click on it then it will change to 'Tor Enabled' in green and I'll start to get errors from Firefox because it can't find proxy.

Can anyone tell me how to get rid of this?

regards,

ab :)

I should have paid attention when I first downloaded Tor and a message said it could harm my computer! It did. There is no UNinstall. And I was told any software byprofessionals will ALWAYS have an UNinstall. Anyway I have several messages now that I have to click off every morning because of Tor. It is NOT good software. You CANNOT UNINSTALL IT PROPERLY!

There's better Captchas than that available out there - for free. I took me four attempts to make my last posting.

:)

There's excellent free Forum software, such as Yabb, out there. I think a Forum would be very desirable for this Tor thing. Might I suggest you look into it. Or maybe I should set one up for you and you provide a link to it?

regards,

ab :)

Tor doesn't have an official forum. Having a forum implies we're going to reply and provide support. We would also want to make sure the forum discussions and advice were relevant and providing accurate information. We don't have the resources to handle forum support at this time. The mail lists and irc channel are the best we can offer at this time.

I second the idea of a Forum.

I can appreciate the concerns of the Tor Personnel in relation to time and resources, however, the benefits of having a Forum might outweigh the 'costs' of organising and maintaining it.

Further, it will offer an opportunity for the folks interested in the core objectives of the Project to air some ideas and bounce them off each other; which could only speed up further development activities in the right direction.

Have a nice day guys!

phobos

March 04, 2009

In reply to by Anonymous (not verified)

Permalink

We see the benefits of a forum, we just lack the time to set one up and maintain it. We feel that writing code to improve Tor is a better use of our time and discussing the ideas in a forum. The best places to discuss code and ideas with us is on the mailing lists, irc channels, or face to face at one of the many conferences we attend.

Our goal is to have a forum of some sort online this year. Anyone want to help?

TORPROJECT NEEDS A FORUM for users having trouble installing TOR. Please consider allowing the forum to run on an SSL server and a normal web server.

Would we not run a forum over ssl and maintain zero logs?

@)%*#)@*^%() <-- Captcha

Is there any way to prevent Tor from using servers in a geographical area ?
For example, I may wish to prevent any servers from country A from being used to form circuits.

Many thank you's for any help.

Right now, Tor/Vidalia cannot do this. If you're using linux, try TorK.

Thanks.

I'm hoping someone can direct me to information on how to configure Tor relay with Panda Security 2008.

I'd like to give back to the Tor community by enabling my computer as a relay, but I can't figure out how to convince Panda Firewall to allow Tor/Vidalia/Pivoxy to receive incoming connections.

A previous comment said to open ports in router/firewall software. Panda Security doesn't provide this option (as far as I can see).

More specific assistance would be greatly appreciated.

Any suggestions on where to go to get help with this?

Much thanks!

Hi there,

The router software resides at the boundary of your computers network. Its the physical box that connects you to the Net. It will have an administration page to enable you to modify its operating parameters. You usually access this from a browser. You'll need the routers admin url to do this, then usually log in.

The panda firewall resides on your local machine.

Provided you can either:
A: Put your machine's IP address in the DMZ field for the router, or
B. Find the port forwarding settings for the router and route these ports to your machines MAC address or IP address, depending on the router. If you use the IP address for port forwading, you also need to ensure that IP address is set aside for your PC, so it always gets issued that IP address during DCHP solicitation.

This may sound a little complex at first, or forgive me if you are familiar with this already.

If you need more help, I can give you more detailed instructions, if you can tell me what router model you have.

In all cases, I hope this helps,

CAv.

In the interests of showing willingness to help I've put up a Forum at:

http://brassrazoo.org/forum

for TOR users.

It is only intended as a stop gap measure until someone does something better but if it is useful to anyone then please use it.

It was put up just five minutes ago, I've no more available time at the moment, so bear with it. There's nothing there. Only one forum, one welcome posting.

But it is a forum. It is yours to use if you wish.

regards,

ab :)

Can I use Tor on this Mac OS Power PC ?

i tried the vidalia 9 universal bundle and it said the program that created it could not be found

I had an idea of how to make TOR more anonymous. It basically means connecting to TWO relays.

Step 1. Connect to Relay#1 and Relay#2
Step 2. Relay#1(or #x, #x being anywhere in the circuit) connects to Relay#2
Step 3. Request Data normally.
Step 4. Instead of Relay#1 sending the data back to you, it is subverted to Relay#2.
Step 5. Relay#5 Sends the data to you.

This looks like 2 seperate 1-way connections rather than just a proxy.

Any suggestions?

Opps, Relay#2 sends data, not #5.

i love tor any new updates 4 tor browser bundles . Please update it

Tor is very slow. Please Help.

I'm running tor on linux but seems to be pretty slow. Do you have any ideas?
Thanks!

khled.8@hotmai.com

October 09, 2008

In reply to by Anonymous (not verified)

Permalink

Thanks! You've been really helpful!

Hi, My English is not perfect so maybe its already written somewhere on this site but i didn´t found it. Here are the Q
If Alice and Bob are connected through game, it will also hide the connection between them? Or it works only for internet browsers?

and second one

If Alice needs to create several connections to Bob, will it be with same nodes or each connection will be provided by different path?

Thanks

An answer to the first question is yes, tor works at a TCP layer. Any tcp applications, of which a webbrowser is one, will have the traffic anonymized in transit.

An answer to the second question is most likely over the same circuit.

my PC get bugged.. how to speed up? thanks

set a few entryguards with strict entrynodes:

StrictEntryNodes 1
EntryNodes [name], [fingerprint]

Everytime i try to start TOR i keep getting a message to enter my control password. I do not have a password and was never asked to set one up any ideas.

Hi there,
I've just downloaded TOR and everything with its installation is just fine but I have the following issue: for certain reasons I must use Opera browser as Firefox causes some troubles, and it will be like this until I reinstall my entire Windows. Could you, please, provide me with info about how to activate TOR in Opera? Are they compatible at all?
Thanks in advance

Users tell us the current version of Opera works with Tor and doesn't leak dns requests anymore. You'll need to configure Opera to talk to tor as a proxy server on "localhost:9050".

well what version is current? Opera have no own support for socks but instead point user to use sockscap so my own efort to get this thing to work is a bit hard.

I've been having problems using Firefox 3 with NOSCRIPT & TOR together. This is my config:

NOSCRIPT
TOR
HTTPSENDREFFER .... modified to 0 so no page knows where I came from.
All Java off etc
Cookies off..

Anyways, everytime I have noscript installed with TOR, whenever I try and load a page, it cannot connect with NOSCRIPT being installed. When I uninstall NOSCRIPT, TOR works fine, otherwise it doesn't work with it. Any suggestions?

Thanks

If you remove noscript and leave javascript disabled, does that work? I'm fairly sure you need to have the Firefox setting for javascript enabled for noscript to work correctly.

Hi Folks,

Is there a way to persuade Tor to get a 'New Identity' on an interval ?

I use this feature at times on sites that try to block Tor, and was hoping to make it an automated behaviour.

I am on Windows, with Vidalia 0.1.9.

Many thanks in advance.

I have repeatedly tried to install the latest stable OS X package (both the PPC and the Universal versions) but only get a cryptic try-again message right at the very end of the process. Can anyone direct me to where help and/or suggestions might be available? Thanks!

I was just turned on to Tor yesterday and heard there is a actual "Onion router" which is wireless. is this true? If so where do you get it? Since I am new to this Tor thing I dont get it.....

Is it just for browsing?
If I want to use Bit torrent does it still hide you?

Tor is software, there is no hardware router product from The Tor Project. There may be commercial routers which include Tor however. This will help you understand what tor is for, https://www.torproject.org/overview.html.en

I read that with Blossom you can specify a specific country you want Tor to connect to. But I saw the site was offline. Is there an alternative for Blossom?
Thanks in advance for your reply!

Hi. I'm pretty new to Tor and I really like the software and am using it with Firefox 'fitted with Torbutton'. My question is, is there a way to make Tor stay in one IP address longer? It seems to change IP address every say from between 10 to 30 seconds. I'd like it to stay in one IP longer than that. Perhaps this question had been asked before, if so would someone kindly point a link. Thank you in advance.

phobos

November 18, 2008

In reply to by Anonymous (not verified)

Permalink

Look at http://www.torproject.org/tor-manual.html.en and the setting for TrackHostExits

hi.whenever i connect to tor it says unable to start tor..check if the correct path of tor executable is set..the path is correct only...but it is not running..please help....