ssteele's blog

Tor at the Heart: The Tor Project

Throughout the month of December, we've highlighted a few of our fellow travelers on the road to Internet freedom in a series of blog posts titled "Tor at the Heart." We wanted to show some of the many other projects out there and their connection to us. Just like a heart, Tor helps to fortify these projects as they provide Internet freedom around the world.

This past year we saw very dangerous trends of Internet censorship growing around the world. Activists in Brazil, China, Greece, India, Indonesia, Iran, Russia, Saudi Arabia, Sudan, and Turkey all experienced serious censorship events. The entire African continent saw a spike of censorship events, especially in Uganda, Chad, Ethiopia, Zimbabwe, Congo and Burundi.

Technological tools like Tor are often the only way people within those countries can communicate to the outside world.

Tor is also important for those of us lucky enough to live in countries without major censorship events. Journalists use Tor to communicate more safely with whistleblowers and dissidents. Everyday people use Tor to keep their Internet activities concealed from advertisers, ISPs, and web sites. Tor is important for anyone who doesn't want their browsing habits linked to them.

2016 has been a very busy year at the Tor Project. We created our own UX team to improve our tools usability, we fixed zero-days in less than 12 hours, we have started to apply very strong sandboxing to Tor Browser, we kicked off the next generation of onion services project, and we have done many other important updates on our network and applications.

And 2017 is shaping up to be even more intense. We are working to deploy new features, including better mobile connectivity and better visualizations of our data so that others can easily explore and learn from them. We are working to improve the user interface on our website and various apps. And we’re working on better ways to safeguard our users, including sandboxing Tor at the application level and investigating quantum computing.

As we wind down our 2016 end-of-year fundraising campaign, won't you take a minute to contribute a financial donation? Giving is easy, and you'll get the warm glow of knowing that you've done your small part to help someone in an oppressive part of the world be able to get her story out to the rest of us. We'll even throw in a t-shirt and/or other swag, if you choose, so you can show the world how cool you are and that you care about digital freedom.

To donate:

https://torproject.org/donate/donate-blog31

Thanks for your help. Here's wishing you and yours a healthy, happy 2017!

Tor at the Heart: Firefox

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Firefox <3 Tor Browser

by Ethan Tseng and Richard Barnes

If you’ve used Tor, you’ve probably used Tor Browser, and if you’ve used Tor Browser you’ve used Firefox. By lines of code, Tor Browser is mostly Firefox -- there are some modifications and some additions, but around 95% of the code in Tor Browser comes from Firefox. The Firefox and Tor Browser teams have collaborated for a long time, but in 2016, we started to take it to the next level, bringing Firefox and Tor Browser closer together than ever before. With closer collaboration, we’re enabling the Tor Browser team to do their jobs more easily, adding more privacy options for Firefox users, and making both browsers more secure.

The Tor Browser team builds Tor Browser by taking Firefox ESR and applying some patches to it. These changes add valuable privacy features for Tor Browser users, but having these changes also means that every time the Tor Browser team wants to use a new version of Firefox, they have to update the patches to work with the new version. These updates take up a substantial fraction of the effort involved in producing Tor Browser.

In 2016, we started an effort to take the Tor Browser patches and “uplift” them to Firefox. When a patch gets uplifted, we take the change that Tor Browser needs and we add it to Firefox in such a way that it’s disabled by default, but can be enabled by changing a preference value. That saves the Tor Browser team work, since they can just change preferences instead of updating patches. And it gives the Firefox team a way to experiment with the advanced privacy features that Tor Browser team is building, to see if we can bring them to a much wider audience.

Our first major target in the uplift project was a feature called First Party Isolation, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a dedicated team to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the containers feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what’s in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.

First Party Isolation will be incorporated in Firefox 52, the basis for the next major version of Tor Browser. As a result, the Tor Browser team won’t have to update their First Party Isolation patches for this version. In Firefox, First Party Isolation is disabled by default (because of the compatibility risk), but Firefox users can opt in to using First Party Isolation by going to about:config and setting “privacy.firstparty.isolate” to “true”.

We’re excited to continue this collaboration in 2017. Work will start soon on uplifting a set of patches that prevent various forms of browser fingerprinting. We’ll also be looking at how we can work together on sandboxing, building on the work that Yawning Angel has done for Tor Browser and the Firefox sandboxing features that are scheduled to start shipping in early 2017.

Finally, we should recognize the value of the continued collaboration between Mozilla and the Tor Project with regard to security vulnerabilities. The importance of this collaboration was on display only a few weeks ago, when we were both simultaneously notified of a zero-day exploit targeted at Tor Browser using a vulnerability in Firefox. Working together, we were able to develop, test, and ship a fix to both browsers in under 24 hours.

The collaboration between the Firefox and Tor Browser teams is a great example of how Mozilla’s principles of openness and participation can help advance security and privacy in the Internet. We’re proud of all we’ve accomplished together with the Tor Project in 2016, and we’re looking forward to continuing to making the web more secure and more private.

Tor at the Heart: Notes from a Board Member

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Tor Saves Lives

by Cindy Cohn

I joined the Tor Board of Directors because Tor saves lives.

By allowing people to access knowledge, share information, organize and find communities of support in otherwise hostile environments, Tor represents one of the strongest examples of how technology can be marshaled to serve the causes of freedom, safety, liberty and human rights for people around the world. It’s easy enough to say: “speak truth to power” when the risks are low. To ensure that people can really do that in today’s digital world – where the stakes can be much, much higher – often requires some technical assistance. That’s where Tor comes in.

Before I started fighting for freedom online, I was a human rights lawyer. I spent time at the United Nations and helped organize a small NGO, called the Unrepresented Nations and Peoples Organization, which serves as a central hub for oppressed groups seeking a voice internationally. Its members range from the Ogoni in Nigeria to Tibetans to West Papuans. I saw first hand how hard it is to sneak information about human rights abuses out of repressive countries and how important it is to build networks of support inside and outside of those environments.

This experience is why, when I first learned about Tor, I immediately saw how it sits at the heart of ensuring that the world we’re building with digital technologies can be at least as much, if not more humane than the physical world. In addition to helping those facing government repression, Tor also serves as protection closer to home, and even inside the home for those seeking information and assistance to escape from domestic abuse. Tor of course has other uses, some good and some rotten, but that’s no different than most technologies. Even a hammer can be used to hit someone over the head. The difference is in what we do with it.

So when Shari Steele and I talked about how to usher Tor into its next phase, I offered to join with her to do it.

I have a core belief that those of us with access to power – be it personal, technical, legal or situational – have a duty to try to steer it toward empowering the people in the rest of the world to live better, safer and more free lives. That Tor exists demonstrates that many others share this core belief. The knowledge that there is a large posse of us building and supporting these tools, along with the courage shown by those who rely on Tor, keeps me energized.

There’s no doubt that a strong, well-run Tor can help more people. While the work of ensuring that the organization stays strong, stays on course, pays its bills and treats people well isn’t always the glamorous part, it’s necessary. For me, helping Tor do that well is how I help Tor save lives.

Please support the Tor Project!
Donate today!

Tor at the Heart: Qubes OS

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Qubes OS

by Michael Carbone and Andrew David Wong

Qubes OS is a security and privacy-oriented free and open source operating system that provides you with a safe platform for communications and information management. Its architecture is built to enable you to define different security environments (or "qubes") on your computer to manage the various parts of your digital life, including safely using Tor.


"If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better."
--- Edward Snowden


Qubes OS allows you to safely manage the different communications, data, and identities in your digital life in securely compartmentalized qubes. All of these qubes are integrated into a single desktop environment with unforgeable colored window borders so that you can easily identify applications and windows from different security environments.

Some features of Qubes OS include:

Safer anonymous browsing

Qubes incorporates Whonix to provide a safer way to use Tor Browser, by compartmentalizing the Tor Browser and Tor process in separate qubes. This means that if the Tor Browser is exploited, the attacker still cannot discover your real IP address, because the Tor Browser and its qube do not know your real IP address. Moreover, that compromise cannot spread from Tor Browser to the Tor process, since they are isolated in different qubes, so any other Tor-related activities you have in other qubes remain secure and private.

Enforce Tor use for non-Tor-aware applications

Once a qube is set to use the Tor network, all network traffic that leaves it is forced to go through Tor. This means that no matter which applications you use, they will not be able to leak your real IP address, even if they are not Tor-aware.

All software and OS updates through Tor

Qubes allows users to download all software and OS updates through Tor, which means that network attackers can't target you with malicious updates or selectively block you from receiving certain updates. In addition, downloading all updates through Tor preserves your privacy, since it prevents your ISP and package repositories from tracking which packages you install.

Robust and safe networking

In addition to easily running non-Tor-aware programs through the Tor network, you can -- at the same time -- have other qubes go through VPNs or be non-networked, for instance to enable easily accessible but offline storage of sensitive information like your password manager. Common attack vectors like network cards are isolated in their own hardware qube while their functionality is preserved through secure networking and firewalls.

Secure communications

Qubes is integrated with existing secure communications tools like Pretty Good Privacy (PGP) to provide security-in-depth and reduce user error. With Split-GPG functionality, a compromise of your email client does not enable an adversary to access your private PGP key.

Safely interact with untrusted media

You can open an untrusted attachment from your email client, and any potential malicious payload in the document is isolated to a separate disposable, non-networked qube. No information from that session can be sent to the attacker, since it is not connected to the internet, and after the document has been read, the entire domain is deleted. You can convert the PDF to a “trusted PDF” that is known not to be malicious, which you could then share with colleagues or save in an offline Documents qube for later reference. In the same way, a potentially malicious DOC file can be opened in a disposable qube that enables the user to edit the file, save it, and send it without providing an opportunity for potential computer compromise.

Windows integration

Many users still rely on Windows-based programs for their work. Qubes enables them to do so securely.

Physical security

Qubes also protects your computer against some physical attacks. If an adversary plugs a malicious USB device into your computer while you're not watching, it isn't game over. Qubes isolates the entire USB stack from the rest of the system. And if you want to dual-boot, or if your computer is seized at the border and then returned, you can tell whether a malicious bootloader was installed, so you know not to input your decryption password.

Smooth integration of qubes

Integrated file and clipboard copy and paste operations make it easy to work across various qubes without compromising security. The innovative Template system separates software installation from software use, allowing qubes to share a root filesystem without sacrificing security (and saving disk space).


There are many different ways to contribute to Qubes, including creating artwork, reporting bugs, editing documentation, making financial contributions and more. If your company would like to license Qubes, please contact the Qubes team.

Tor at the Heart: Whonix

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!


Whonix

Whonix is a privacy ecosystem that utilizes compartmentalization to provide a private, leak-resistant environment for many desktop computing activities. Whonix helps users use their favorite desktop applications anonymously. A web browser, IRC client, word processor, and more come pre-installed with safe defaults, and users can safely install custom applications and personalize their desktops with Whonix.

Whonix is designed to run inside a VM and to be paired with Tor. Whonix is composed of two or more virtual machines that run on top of an existing operating system. The primary purpose of this design is to isolate the critical Tor software from the risk-laden environments that often host user-applications, such as email clients and web browsers. Whonix consists of two parts: the first part solely runs Tor and acts as a gateway for a user's Internet traffic, called Whonix-Gateway. The other, called Whonix-Workstation, is for a user's work and is located on a completely isolated network. Even if the user's workstation is compromised with root privileges, it cannot easily reveal IP addresses or leak DNS requests or bypass Tor, because it has neither full knowledge nor control over where and how its traffic is routed. This is security by isolation, and it averts many threats posed by malware, misbehaving applications, and user error.

One of Whonix's core strengths is its flexibility. Whonix can run on Linux, MacOS, or Windows. It can torrify nearly any application's traffic running on nearly any operating system, and it doesn't depend on the application's cooperation. It can even isolate a server behind a Tor Hidden Service running on a separate OS. It can route traffic over VPNs, SSH tunnels, SOCKS proxies, and major anonymity networks, giving users flexibility in their system setups.

Whonix was originally built around compatibility-focused Virtualbox, then time-tested KVM was added as an option. Now Whonix is shipped-by-default with the advanced, security-focused virtualization platform QubesOS. Whonix even supports Qubes' DisposableVMs.

Whonix has a safe default configuration that includes a restrictive firewall, privacy-enhanced settings for Debian, AppArmor profiles, and pre-configured and stream isolated applications.

The Whonix team is currently focused on improving usability for new Whonix users. A Quick-Start Guide will be available shortly to allow users to install and try Whonix on most existing systems.

Whonix is based in Germany but has users and developers from around the world. Like many open-source projects, Whonix depends on the donations and contributions of supporters. It's easy to get involved!

Tor at the Heart: NetAidKit

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

by Menso Heus

The NetAidKit is a USB-powered router that connects to your wired or wireless network and helps you increase your privacy and beat online censorship for all your devices. Acting as a friendly man-in-the-middle, the NetAidKit is able to send all your network traffic over a VPN or Tor connection without needing to configure any of your devices. This also means that if you have specific hardware devices that are unable to run Tor, you can simple connect them to the NetAidKit to make all the traffic go over Tor anyway.

Free Press Unlimited and Radically Open Security developed the NetAidKit specifically for non-technical users, and the NetAidKit comes with an easy to use web interface that allows users to connect to Tor or upload OpenVPN configuration files and connect to VPN networks.

The NetAidKit transparently routes traffic over Tor. We believe this is a great (and free) way to circumvent censorship, but it obviously does not provide the same anonymity benefits that the Tor Browser Bundle provides. This is something we warn users about specifically every time they connect to Tor, recommending they also the Tor Browser Bundle if they wish to remain anonymous.

At the same time, by routing all traffic over Tor, NetAidKit provides a tool for users' e-mail, social media clients and other network applications to run over Tor as well, providing Tor's benefits to applications other than a browser.

The NetAidKit runs on OpenWRT and uses the OpenWRT tor client. Current challenges include getting the obfuscating protocols to work on the NetAidKit since it has a limited storage capacity. We hope that in 2017 we can improve Tor support further by collaborating with the Tor Project.

For more information and links to our Github repository, visit https://netaidkit.net/

Tor at the Heart: Flash Proxy

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom. Donate today!

Flash Proxy

Sometimes Tor bridge relays can be blocked despite the fact that their addresses are handed out only a few at a time. Flash proxies create many, generally ephemeral bridge IP addresses, with the goal of outpacing a censor's ability to block them. Rather than increasing the number of bridges at static addresses, flash proxies make existing bridges reachable by a larger and changing pool of addresses.

"Flash proxy" is a name that should make you think "quick" and "short-lived." Our implementation uses standard web technologies: JavaScript and WebSocket. (In the long-ago past we used Adobe Flash, but do not any longer.)

Flash Proxy is built into Tor Browser. In fact, any browser that runs JavaScript and has support for WebSockets is a potential proxy available to help censored Internet users.

How It Works

In addition to the Tor client and relay, we provide three new pieces. The Tor client contacts the flash proxy facilitator to advertise that it needs a connection. The facilitator is responsible for keeping track of clients and proxies, and assigning one to another. The flash proxy polls the facilitator for client registrations, then begins a connection to the client when it gets one. The transport plugins on the client and the relay broker the connection between WebSockets and plain TCP.

A sample session may go like this:

1. The client starts Tor and the client transport plugin program (flashproxy-client), and sends a registration to the facilitator using a secure rendezvous. The client transport plugin begins listening for a remote connection.
2. A flash proxy comes online and polls the facilitator.
3. The facilitator returns a client registration, informing the flash proxy where to connect.
4. The proxy makes an outgoing connection to the client, which is received by the client's transport plugin.
5. The proxy makes an outgoing connection to the transport plugin on the Tor relay. The proxy begins sending and receiving data between the client and relay.

From the user's perspective, only a few things change compared to using normal Tor. The user must run the client transport plugin program and use a slightly modified Tor configuration file.

Cupcake

Cupcake is an easy way to distribute Flash Proxy, with the goal of getting as many people to become bridges as possible.

Cupcake can be distributed in two ways:

  • As a Chrome or Firefox add-on (turning your computer into a less temporary proxy)
  • As a module/theme/app on popular web platforms (turning every visitor to your site into a temporary proxy)

Tor at the Heart: GlobaLeaks

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom. Donate today!

GlobaLeaks

GlobaLeaks is an open source whistleblowing framework that empowers anyone to easily set up and maintain a whistleblowing platform. GlobaLeaks focuses on portability and accessibility and can help many different types of users—media organizations, activist groups, corporations and public agencies—set up their own submission systems. It is a web application running as a Tor Hidden Service that whistleblowers and journalists can use to anonymously exchange information and documents. Started in 2011 by a group of Italians, the project is now developed by the Hermes Center for Transparency and Digital Human Rights.

One of the main goals of GlobaLeaks is to provide a configurable system to meet the needs of under-resourced groups and activists who are communicating in their native languages. By default the platform enforces a strict data deletion policy, encryption of file content on disk, and routing of all network requests through the Tor Network. But configurability allows implementing organizations to make choices about how they engage in the process. The tool makes it easy to choose what languages to use, how long data is stored on the system, and the questions a source must answer before they create a submission.

To date over 60 organizations in more than 20 languages have used GlobaLeaks to set up whistleblowing systems. Investigative journalists are using it to produce evidence in controversial stories, NGOs and public agencies are using it to better handle their communication with sources, and we have even seen businesses adopt the tool to handle internal corruption reporting.

At the end of 2015 Ecuador Transparente, a GlobaLeaks user, uncovered political manipulation by state organizations. MexicoLeaks has produced award winning journalism while fighting local corruption with the help of the software. You can even see how the Elephant Action League uses the software to combat wildlife crime in the documentary The Ivory Game.

NGOs also use GlobaLeaks to manage the communication process with sources. Organizations like Transparency International Italy and Amnesty International rely on the system to provide a communication channel off email and telephone networks. The PubLeaks project in the Netherlands uses it to provide a contact point for over 42 Dutch media groups.

A project that uses GlobaLeaks has even helped provide the justification for improving legal protection for whistleblowers. The Serbian parliament recently passed a legal framework for whistleblower protection. Pijstrka.rs was acknowledged by the prime minister of Serbia at an anti-corruption conference in Belgrade for its exemplary role in protecting Serbians reporting on corruption.

In all of these contexts, it is crucially important for sources to remain anonymous. Without the work of the Tor Project, the existence of the Tor Network and the larger Tor community, none of this work would be possible.

Going forward, the development of the project is focused on making it easier to install and maintain a node and improving the resilience of the platform to attacks. If you would like to get involved, you can help translate the project, hunt for bounty, author new code, or donate to the project.

Syndicate content Syndicate content