Mozilla Research Call: Tune up Tor for Integration and Scale

by gaba | May 8, 2019

What alternative protocol architectures and route selection protocols would offer acceptable gains in Tor performance? Would they preserve Tor properties? Is it possible to improve Tor performance without changing protocols? Is it truly possible to deploy Tor at scale? And what would the full integration of Tor and Firefox look like? Those are some of the questions that Mozilla is calling researchers to answer in the privacy & security part of their Mozilla Research Grants program:

“Mozilla has an interest in potentially integrating more of Tor into Firefox, for the purposes of providing a Super Private Browsing (SPB) mode for our users. Tor offers privacy and anonymity on the Web, features which are sorely needed in the modern era of mass surveillance, tracking and fingerprinting."

Integrating Tor into Firefox would bring real private browsing and a safer internet experience to an unprecedented number of people around the world. But Tor has never been deployed at this scale, and there are a lot of considerations to research before Mozilla gives this a try.

Our community and software benefits greatly from the research community, so we are eager and available to discuss any proposal or idea you are considering to submit to Mozilla’s program. Here are some tips around what we think good research needs to do in order to ensure it has the best chance of being adopted by Tor or any other large software project.

Tor has many lists of research ideas, which we are working to consolidate. With respect with this request for proposals, the most useful place to start is the performance section of our open research problems blog post. That section discusses congestion control, datagram Tor, and load balancing problems and ideas.

The exit censorship problem is also a major usability barrier to using Tor, and research into cryptographic rate limiting systems based on newer anonymous credentials would also be in-scope.

Since the 2018 research topics blog post, we posted additional material discussing the need for frameworks to accurately measure side channels in current Tor versus protocol proposals providing congestion signaling of various kinds. Importantly, such frameworks allow us to compare various ways of reducing congestion on the Tor network via datagram designs or explicit congestion notification in current Tor.

Finally, with Walking Onions, we could drastically lower Tor's consensus interval to provide faster load balancing feedback. What are the consequences of this change in terms of additional traffic to relays? How much benefit do we get for this? See the Load Balancing subsection of the Network Performance research topics for related load balancing ideas that could benefit from a faster consensus interval.

We will continue updating our wiki page on network performance research, and we are available to discuss any idea you may want to submit to Mozilla, as well as to help make sure that you can have a strong story about how your research plan will work together with Tor: Please email us at research@torproject.org.

The deadline to apply for the grant through Mozilla is May 31, 2019.

 

Comments

Please note that the comment area below has been archived.

May 09, 2019

Permalink

At first Mozilla should start to also protect their non-Tor users by default. Things like the studies system which allows Mozilla to remotely change your browser settings or install AddOns for an experiment are a big NO for privacy-savvy people. Soon they're also doing their own DNS resolving (with CloudFlare DoH) by default, which will lead to big headache for many admins when every application does DNS resolving themself and not letting the system do their job...

Mozilla should go back to their roots and be the privacy-browser for everyone. Only this way they can regain their market share. The organization of Mozilla should be replaced with different people, the current ones are only leading to more market share decrease.

At first Mozilla should start to also protect their non-Tor users by default. Things like the studies system which allows Mozilla to remotely change your browser settings or install AddOns for an experiment are a big NO for privacy-savvy people.

In some way I agree. Yet, I also see how collecting information and having capabilities to run studies help to advance Firefox. Of course, it would be great if studies, crash reporting, usage statistics and all other information sent to Mozilla could be made even more privacy friendly. I personally am willing to accept a bit less privacy to help Mozilla and Mozilla, nicely enough, asked if I'd be willing to share some information.

Soon they're also doing their own DNS resolving (with CloudFlare DoH) by default, which will lead to big headache for many admins when every application does DNS resolving themself and not letting the system do their job...

Being an sysadmin myself, I know this will break some of our company network setup which isn't too great. Still, there is a bigger picture to consider, this will render esni useful. This is a feature very important for privacy and censorship prevention. While I agree the operating system should do it, I don't see support for DNS over TLS (or any other secure DNS resolving) to be ready and deployed any time soon. Hence, it's great to see Mozilla and Cloudflare step up and try to improve the situation.

Before anyone complains about Cloudflare being involved. Let's not forget that they could have ignored broken DNS entirely. Yet, they decided to do something. Well done Cloudfare! Instead blaming them for having to monopoly when it comes to DNS over HTTPS and DNS over TLS, we should make sure there are alternatives.

Mozilla should go back to their roots and be the privacy-browser for everyone.

I'm not sure what you mean by their roots. Back in 1998 when Mozilla was founded, privacy on the Internet wasn't a concern. Also, I don't think Mozilla has ever been more aware of the importance of privacy. Just look at how Mozilla has been supporting Tor, improved tracking protection and implemented containers. It is my believe that the Internet used to be more private, whether or not you used Firefox, not because browser have degraded but rather because the internet changed. Marketing and thus tracking on the internet is a rather new phenomenon and so is mass surveillance and, thus, privacy concern are rather recent too.

Only this way they can regain their market share. The organization of Mozilla should be replaced with different people, the current ones are only leading to more market share decrease.

Would you mind explaining how replacing the people would make any difference? What would you expect them to do differently that would improve the situation? I'm not much of a sales person. So, I don't know what would have to change to get people to use Firefox.

I don't know if there is any plans of making containers available in Tor Browser. However, First Party Isolation used by Tor Browser uses the same technology.

A blog post from the Tor Project described it this way:

Our first major target in the uplift project was a feature called <a href="<a href="https://www.torproject.org/projects/torbrowser/design/#identifier-linkability">First" rel="nofollow">https://www.torproject.org/projects/torbrowser/design/#identifier-linka…</a> Party Isolation</a>, which provides a very strong anti-tracking protection (at the risk of breaking some websites). Mozilla formed a <a href="<a href="https://wiki.mozilla.org/Security/FirstPartyIsolation">dedicated" rel="nofollow">https://wiki.mozilla.org/Security/FirstPartyIsolation">dedicated</a> team</a> to take the First Party Isolation features in Tor Browser and implement them in Firefox, using the same technology we used to build the <a href="<a href="https://blog.mozilla.org/tanvi/2016/06/16/contextual-identities-on-the-web/">containers</a&gt" rel="nofollow">https://blog.mozilla.org/tanvi/2016/06/16/contextual-identities-on-the-…</a>; feature. The team also developed thorough test and QA processes to make sure that the isolation in Firefox is as strong as what’s in Tor Browser -- and even identified some ways to add even stronger protections. The Mozilla team worked closely with the Tor Browser team, including weekly calls and an in-person meeting in September.

> Let's not forget that they could have ignored broken DNS entirely

They did ignore the problem. Including encrypted DNS is great for firefox but what about all of the other applications installed on your system? The only way to fix this properly is to have a local DNS resolver listening on localhost that proxies DNS (dnscrypt-proxy is one such example, you can actually configure tor to proxy dns too which is a pretty cool feature - although latency might be an issue!). Of course once they turn on encrypted DNS by default your local resolver will be bypassed altogether anyway.

They did ignore the problem. Including encrypted DNS is great for firefox but what about all of the other applications installed on your system?

I don't think Mozilla can do more than that really. Having some sort of secure DNS integrated into Linux (multiple distros), Mac, Windows, Android and iOS isn't really something Mozilla can't just do. Even if Mozilla decided to get support in all these systems, that would take decades to be deployed everywhere (if they even can get everyone to support it). So, I'd argue they did not ignore the problem. Rather, they went for a solution that can be rolled out to all system in a reasonable time.

> Having some sort of secure DNS integrated into Linux (multiple distros), Mac, Windows, Android and iOS isn't really something Mozilla can't just do.

Microsoft, Google, and Apple certainly push pretty damn hard on standardizing bodies to roll out their proprietary solutions on all systems.

+1 for dnscrypt-proxy, Tor DNS, and dnscrypt-proxy over Tor!

> Of course once they turn on encrypted DNS by default your local resolver will be bypassed altogether anyway.

That's DNS over HTTPS (DoH), what Mozilla-Cloudflare are doing. DNScrypt is encrypted as well but not dependent on TLS, more third-party root Certificate Authorities (CA), PKI, running a web server, ... Yes, bypassed into the hands of monetized PKI hierarchy, centralizing control by hurdles and network effect.

Anyone seeking better understanding of the relationship of companies like Google, Facebook, and Amazon to ordinary citizens should read the eloquent book by Zuboff, Surveillance Capitalism.

AFAIK, Mozilla does not appear to be acting like those companies and that's a very good thing for us, given our reliance upon FF being maintained/developed by generally trustworthy people.

May 09, 2019

Permalink

I don't know if it qualifies for what you are doing, but...
HORNET: High-speed Onion Routing at the Network Layer

May 09, 2019

Permalink

Tor should integrate wireguard; people are getting upwards of 600 mbps compared to OpenVPN

May 09, 2019

Permalink

Mozilla suddenly interested helping TOR! What a delight! Open the dialogue! What if, maybe we modify TOR properties? For scale!
The wonderful job they’ve been doing with Firefox really gives a warm fuzzy. I’m sure timing is nothing related to them killing addons.

I just wanted to point out that suddenly isn't the right word here.

Mozilla has supported Tor for some time now:

This is just a collection of events in the relationship between Mozilla and the Tor project. I'm sure this enough proof for this being all but sudden. If not, the web has more proof.

That is an impressive list; thanks for taking the time to make it.

Clearly Mozilla is as close a friend as TP can expect to find in the big wide world, and it Tor really becomes integrated into FF that will make all web surfers much safer and also will (amazing thought!) make it hard for our worst enemies (e.g. FBI) to criminalize Tor.

Mozilla has been helping for a long time, by integrating privacy improvements developed by the Tor project. This is a far cry from other browsers, which are primarily interested in how much information they can gather and phone home on their users.

> What a delight! Open the dialogue! What if, maybe we modify TOR properties? For scale!

Well, yes, as a matter of fact we should indeed be delighted that TP will be working more closely with Mozilla.

We need to greatly increase the Tor user base because:

o ordinary citizens all over the world really need Tor right this minute,

o few of them knew this until recently but the tide appears to be turning,

o Tor faces existential political threats from those (governments, FBI, spooks generally) who wish to ensure that ordinary citizens remain voiceless, powerless, and friendless; with a sufficiently large user base, this threat would be greatly reduced.

But before regular Tor users can number in the billions rather than in the millions, the Tor network will have to grow, a lot, without breaking. That wouldn't happen by itself even if Tor Project were a wealthy monopolistic company; the fact that the Tor network is volunteer owned and operated is one of our greatest strengths but it also complicates the difficult problem of gracefully conquering any issues which arise with scaling.

Mozilla is not a super-rich monopolistic heartless predatory surveillance capitalism juggernaught like Google or Amazon, but it brings significant resources to the table and it's damned good they appreciate the neccessity of growing the Tor network and are willing to devote considerable effort to helping us all to do that right.

> Tor faces existential political threats from those (governments, FBI, spooks generally) who wish to ensure that ordinary citizens remain voiceless, powerless, and friendless; with a sufficiently large user base, this threat would be greatly reduced.

Speaking of political threats, I urge Tor Project to join with other groups such as EFF and ACLU to oppose this very bad idea:

cnn.com
Bitcoin-Bashing Democrat Calls for Blanket Ban on Cryptocurrencies
A California Democrat is urging his colleagues to pass a law that would ban cryptocurrencies in the United States. | Source: (i) Shutterstock (ii) Shutterstock; Edited by CCN
Samantha Chang
9 May 2019

> Bitcoin-bashing Democrat Congressman Brad Sherman is urging his colleagues to pass a law that would ban cryptocurrencies in the United States.

This is a very bad proposal from one of many members of Congress who often express very narrow and even bigoted views on complicated technical topics they do not understand and do not wish to understand, which tends to make for awful public policy positions. An intriguing aspect of Chang's article is that she claims Democrats are anti-crypto while Republicans are pro-crypto,

> ... Republicans — who are generally pro-business — are far more open to promoting entrepreneurial ventures. For example, Hester Peirce, one of five SEC commissioners, is so pro-bitcoin that she has been nicknamed “Crypto Mom” (an ironic moniker considering she has no children). Peirce is a Republican appointed by President Donald Trump. Trump has a number of top aides that are pro-crypto, including acting White House Chief of Staff Mick Mulvaney. Similarly, CFTC chairman Christopher Giancarlo has earned the title of “Crypto Dad” for his pro-bitcoin positions. Giancarlo is also a Republican. Unfortunately for crypto fans, he’s retiring soon. But his presumptive replacement, Heath Tarbert, will probably be open-minded about crypto given Trump’s hiring track record.

IMO it would be far more accurate to say that the Republican Party elite and the Democratic Party elite both tend to oppose crypto for ordinary citizens. Hillary Clinton (the Democratic Party centrist candidate in 2016) did, as did former candidate Al Gore, but so does former FBI Director James Comey, Mike Pompeo and a host of others who are either Republicans working in the Drump administration or Republicans opposed to Drumpism. It is true that the 2020 Democratic Party Presidential candidate being heavily promoted in Democratic-leaning mainstream press venues as the "front runner" [sic], Joe Biden, was one of the leading opponents of PGP and a promoter of NSA's Clipper Chip. But Biden is also a leading promoter of big business who consistently has taken pro-big-bank, pro-Wall-Street and anti-union positions, much like old school Republicans.

The truth is, both the Democratic and Republican elites tend to be anti-encryption, anti union, pro-big-business, pro-dragnet, often pro-war, as are most Drump administration figures. Ordinary citizens have few friends outside the Progressive wing of the Democratic Party and, sometimes, the Libertarian wing of the Republican Party. These are important factors to bear in mind when reaching out to reporters who write about Tor, seeking to improve the truthfulness of coverage of our embattled but growing global community.

For example, Tor is perfect for union organizers at companies like Amazon, Google, Lyft and Uber, all of which are working hard to prevent their "gig workers" from unionizing (and are likely hiring shady firms like NSO to attack the more effective union organizers with APT malware). But most Democratic Party MOCs are likely to be covertly hostile to such movements; Republican Party MOCs are likely to be openly hostile. But both those groups may be willing to listen to arguments that Tor can improve national security by improving government, corporate. and citizen cybersecurity.

May 09, 2019

Permalink

> “Mozilla has an interest in potentially integrating more of Tor into Firefox, for the purposes of providing a Super Private Browsing (SPB) mode for our users. Tor offers privacy and anonymity on the Web, features which are sorely needed in the modern era of mass surveillance, tracking and fingerprinting."

Fantastically fabulous news! :-)

This project could be of enormous benefit to the Tor community as well as FF users, both because it will help grow the userbase and because Mozilla is making the same point some posters in this blog have been urging Tor leadership to make to funders, techcos, and legislators (especially in the US Congress): Tor is an essential part of the *solution* to the cybersecurity mess, "Fake News" mess, etc, not a cause of these problems. And Tor is one of the few parts of the solution which is ready right now, and has even been "battle tested" for years in the real world.

Many thanks to Mozilla for taking this important step. I hope the project is a brilliant success!

This post should be enshrined in some Tor Bible...
Its about time people woke up and dropped the Tor = Bad nonsense.

I for one am tired tired tired of it.

Tor (and lets not forget i2p) are now becoming ESSENTIAL.

Those of us who struggle to debunk FUD often find ourselves troubled by the fact that our efforts to attenuate FUD often have the opposite effect, of amplyfing it. Here is a thoughtful article which offers no solutions but which I thought was rather eloquent:

wired.com
The Existential Crisis Plaguing Online Extremism Researchers
Paris Martineau
2 May 2019

Sigh... I remember when many of us thought the Internet would make the world a better place by bringing people closer together. Just the opposite happened, which is just what we did not need in an epoch when humans are confronting multiple seemingly intractable global problems, any one of which appears to have the capability of more or less wiping us all out.

> many of us thought the Internet would [bring] people closer together. Just the opposite happened

The Internet did not cause it, but it made it simpler for predisposing parties to accelerate. They are effects of optimized surveillance capitalism, addiction tuned content bubbles, deified malignant consumerism, inbreeding of lawmakers and robber barons, weakening of financial safety nets, and so on. People forget that the culture online was not overwhelmed by such forces in the 1990's before the height of the dot-com bubble, the Patriot Act, Newt Gingrich, the repeal of the Glass-Steagall Act, Citizens United v. FEC, mergers of multimedia conglomerates, and so on.

Recognize Tim Berners-Lee, Robert Cailliau, the Homebrew Computer Club, the Chaos Computer Club, Usenet, the free software movement, OSI, Bruce Perens, remix culture. Decades later, groups, inventions, and forces that were not involved or not prevalent in the early years of the Internet have amplified the polarization of societies. I see it as a matter of regularly revising the metrics governing all facets of life to reflect what is most important to everyone alive now and generations from now toward being universally net beneficial or minimally destructive when they are amplified as they always have been and inevitably will be. Things are always changing, and there is no reason to think that today's world cannot change too. Turn pessimism of division into motivation to learn new things, listen for uncorrupted feelings, and do your part for good, important causes.

Also that there is a whole sector of industry devoted to being paid in exchange for giving upvotes and downvotes, writing comment replies, and harassing or taking down content that their wealthy clients -- businesspeople, politicians, lawyers, doctors, police, etc. -- happen not to like. "Reputation management" is their euphemism for gaming these systems.

On a much higher level, it was learned this week that Israeli intelligence contractors had developed and sold spyware targeting WhatsApp that installs in the background even if you don't pick up the call and sold it to Saudi Arabia, UAE, Qatar, and Mexico who used it to silence journalists.

> especially in the US Congress

huffpost.com
Valerie Plame Left Washington A Spy. She Wants Back In As A Congresswoman.
Jennifer Bendery
9 May 2019

So what is her position on Tor? Is she for it or against it? If she is against it, we need to form a Tor Party which can field opposition candidates.

Snowden/Manning in 2020!

May 10, 2019

Permalink

Why not just use Librefox, Librefox with tor or just Tor Browser

Mozilla claims it supports users and freedom
Yet pulls the gab addon and screws the entire addon store
Leaks data and uses telemetry

Theirs a reason why Waterfox+palemoon+librefox exists
its because standard stock firefox cant be trusted

NoScript is essential to current Tor Browser. Does it work reliably and safely with these alternative browsers? If a similar cert issue arose, isn't it likely that the devs of the alternative browsers would need more time to find a workaround?

It seems to me that the alternative browsers might not offer any real security/privacy advantages to counterbalance the cost of switching from FF. Further, Mozilla has just made an invaluable gesture to the Tor community by offering to help us figure out how to scale the global Tor network without breaking it, which is probably our biggest problem right now (after fixing critical bugs and fending off political attacks from FBI &c).

In an ideal world, of course, TB would be built for security and privacy from the ground up, which would likely turn out to be more or less incompatible with things many users might not loathe to give up, such as watching YouTube videos. Trying to add security features after basic design decisions have been made is problematic, but at least Mozilla appears to be serious about trying to make FF safer.

If I recall correctly, back when "ich sun" managed to improperly issue him/her/itself a genuine "Google" cert, Mozilla played a stellar role in proving that something horrible which was intended to be "impossible" had actually happened in the real world, and in quickly booting the guilty CA from FF. This prompt action by Mozilla did much to blunt the impact of that very serious incident.

Metaphorically: Pantex had carelessly mailed a nuclear weapon to some kid in Nebraska. While the government sat on its hands, Mozilla defused the bomb and ensured that Pantex was shut down.

(As a matter of fact, if FBI wanted to rehabilitate its tarnished reputation among Tor users, raiding Pantex would be a smart move, given how many times they have come close to accidentally blowing up Texas with an American nuke. Doesn't anyone care about Texas?)

May 12, 2019

Permalink

Can the tor browser team try to integrate IPFS &| Dat filesharing any point in time?

We want access to decentralized websites from within the tor browser.

May 14, 2019

Permalink

As given on a website (techfragments dot com) under the post 'The 12 Best Firefox About:Config Performance Tweaks' I implemented as many tweaks as possible and as were available in latest Firefox build and in Tor, and I am experiencing increase in speed. But I have disabled NoScript. I thank Duckduckgo and Tor for making it possible for me to read the post.
I do not know how it is related to this specific post, but I wanted to let you know about these tweaks. I think Tor should always remain separate, but if Firefox merges into Tor, it will reach larger audience.

Thank you guys, lots of love to you!

Applying tweaks from a third-party site intended for Firefox and not Tor Browser very likely makes your browser fingerprint more identifiable. Disabling NoScript definitely makes your traffic stand out. smh. Please just use the security level (formerly slider).

Is anyone at Tails Project thinking about this? Tails is closely based upon Debian and I have been worried for some time about the role of hashing in signatures for software installed from the Debian repositories (e.g. via the onion mirrors). I am not a coder myself so I cannot verify this myself from reading the code, but I have the impression that debs themselves are not signed using GPG (which we very much hope is still secure despite being decades old); rather, I believe, a list of hashes of all the debs in the repos is signed using GPG. (Corrections welcomed if I have misunderstood how Debian authenticates debs!) MD-5 hashes would be unacceptably dangerous in this role because MD-5 has been subject to practical chosen prefix collision attacks for many years. Now it seems SHA-1 hashes have also fallen. Note that NSA created the SHA family and is generally acknowledged to know more about how to mount chosen prefix attacks than anyone else, which can only amplify our concern.

Can anyone at Tor Project or Tails Project explain which hashes are used by Debian to authenticate debs?

May 20, 2019

Permalink

It would be damn cool if TOR is integrated in all firefox installations and even maybe other mayor browsers.
Maybe it would make sense to use clients Bandwith as relays to, then TOR would not only depend on Relay servers.

Especially for the usage of P2P Services that use lots of bandwith this would be quite amazing to make censorship resistant distribution of files and Data possible.

May 22, 2019

Permalink

I believe Mozilla should start by integrating all Tor tech that does not need/rely on other software (e.g. Tor relays).

For example, it now has (at least basic) protection against Fingerprinting and Cryptomining. All this kinds of techs that can be integrated directly into Firefox should be the starting point. Even if they are Opt-In.

Then, once they're done, we could move on to depend on other software outside of the browser.

This also brings me to one question: is there a chart or something that might compare what's available in Latest Tor VS what's available in Latest Firefox?

(i know about the list at https://wiki.mozilla.org/Security/Tor_Uplift/Tracking - i just don't know if every feature in the list is present at TOR already and which ones are IN-Browser vs what's dependent on software other than the browser itself)

May 22, 2019

Permalink

Hurrah! An all too rare example of positive press for the Tor community comes from this article in ZDNet which describes (in positive terms!!) Mozilla's very good move:

zdnet.com
Mozilla offers research grant for a way to embed Tor inside Firefox
Mozilla working on a Tor-powered Super Private Browsing (SPB) mode for Firefox.
Catalin Cimpanu for Zero Day
9 May 2019

Thanks again to Mozilla and to everyone who works for good through this project!

May 23, 2019

Permalink

I would prefer work to be put into making TBB more secure.

Some russians rewrote the abandoned RequestPolicy addon, it's now called "Third-party Request Blocker" and awesome a/f, optionally blocks JS as well and it can automatically redirect requests to CloudFlare encumbered websites to archive.org.
There is even more, this tool is written by good people.

Add it to TBB and integrate with the security slider.
Same as Disconnect.me, it never ever broke a website for me, why isn't it part of TBB already?