[tor-reports] SponsorF November 2014 report

Roger Dingledine arma at mit.edu
Tue Dec 9 10:13:22 UTC 2014


Here is the November report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to harmony for managing Tor Weekly News!)

------------------------------------------------------------------------

1) Tor: performance, scalability, reachability, anonymity, security.

After much back-and-forth, work by Andrea Shepard to make Tor's cell
scheduling mechanism more efficient was finally merged. Although
performance is not yet affected, these changes could form the basis of
other improvements to managing congestion caused by "mismanaged
socket output" in the Tor network, as discussed by Jansen et al. in
"Never Been KIST".
https://trac.torproject.org/projects/tor/ticket/9262
http://freehaven.net/anonbib/#jansen14-kist

We've added a new directory authority run by Riseup:
https://trac.torproject.org/projects/tor/ticket/13296

Damian Johnson sketched out a roadmap for further development of Stem,
the Tor controller library in Python, welcoming "more general ideas
on directions to take Stem, the tor-prompt, and this whole space".
https://lists.torproject.org/pipermail/tor-dev/2014-November/007831.html
https://stem.torproject.org/

Gareth Owen started a discussion of suspicious relay behaviors that
automated Tor network tests could scan for, in addition to those that
are already monitored.
https://lists.torproject.org/pipermail/tor-dev/2014-November/007870.html

Roger Dingledine and Sambuddho Chakravarty responded on the Tor blog to
inaccurate reports of a new attack against Tor, based on a recent study
co-authored by Sambuddho. "It's great to see more research on traffic
correlation attacks, especially on attacks that don't need to see the
whole flow on each side. But it's also important to realize that traffic
correlation attacks are not a new area."
https://blog.torproject.org/blog/traffic-correlation-using-netflows
https://blog.torproject.org/blog/traffic-correlation-using-netflows#comment-78918
Andrew Lewman ended up posting a much simpler summary for journalists:
https://blog.torproject.org/blog/quick-summary-recent-traffic-correlation-using-netflows

------------------------------------------------------------------------

2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

Roger gave a presentation at the final SponsorF PI meeting:
http://freehaven.net/~arma/slides-nov14.pdf

Arturo Filastò reported on OONI's ongoing study of Tor bridge reachability
in different countries, and the recent hackfest on the same topic.
https://blog.torproject.org/blog/ooni-bridge-reachability-study-and-hackfest

Israel Leiva wrote about his Google Summer of Code project to revamp
and revive the "GetTor" email autoresponder, which now sends dropbox
and other cloud URLs rather than sending the packages themselves:
https://blog.torproject.org/blog/say-hi-new-gettor

------------------------------------------------------------------------

3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support
in TBB.

Mike Perry announced the first alpha release in the Tor Browser 4.5
series. This version goes some way to restoring one of the features most
missed by users following the removal of the now-defunct Vidalia
interface from Tor Browser -- the ability to quickly visualize the
Tor circuit that the current page is using. Clicking on the green
Torbutton icon in the Tor Browser window now brings up a small diagram
showing the IP addresses of all relays in a circuit, and the states in
which they are located; this may help users evaluate the suitability of
the circuits their Tor has selected, and also to quickly identify a
malicious exit relay if they notice unusual behavior in downloaded pages
and files.
Another key user-facing innovation in this release is the "security
slider". Users can now choose from four security settings in Torbutton's
"Preferences" window -- "low" (default), "medium-low", "medium-high",
and "high" -- that allow them to customize their Tor Browser based on
their own security and usability needs, while still working to prevent
"partitioning" attacks, which try to identify users based on their
unusual browser configuration.
https://blog.torproject.org/blog/tor-browser-45-alpha-1-released
https://www.torproject.org/projects/torbrowser.html#downloads-alpha

Nathan Freitas announced the release of Orbot 14.1.3, which includes
improved handling of background processes; it builds on the earlier
14.1.0, which brought with it support for Android 5.0 Lollipop, as well
as stability fixes. Orweb was brought up to version 0.7, also
introducing support for the new Android release.
https://lists.mayfirst.org/pipermail/guardian-dev/2014-November/004068.html

Nathan Freitas announced version 14.1.4 of Orbot, the Tor client for
Android, which brings with it further improvements to background service
operation, as well as theme and layout tweaks.
https://lists.mayfirst.org/pipermail/guardian-dev/2014-November/004080.html

------------------------------------------------------------------------

4) Metrics: provide safe but useful statistics, along with the underlying
data, about the Tor network and its users and usage.

Karsten Loesing offered an update on developments in the world of
Onionoo, including new mirrors and search improvements:
https://lists.torproject.org/pipermail/onionoo-announce/2014/000002.html

Karsten Loesing spruced up the documentation on the Tor Metrics portal,
including a handy glossary of frequently-used Tor-specific terms:
https://lists.torproject.org/pipermail/tor-dev/2014-November/007834.html
https://metrics.torproject.org/
https://metrics.torproject.org/about.html

There is now a "Tor network tools team" which encompasses Atlas, Depictor,
DocTor, ExitMap, Globe, Metrics, Navigator, Onionoo, Stem, and a Sybil
attack detector. They reported on their November:
https://lists.torproject.org/pipermail/tor-reports/2014-December/000722.html

------------------------------------------------------------------------

5) Outreach: teach a broad range of communities about how Tor works,
why it's important, and why this broad range of user communities is
needed for best safety.

Some law enforcement groups arrested some people doing bad things on
the Internet, and tried to smear Tor and scare Tor users in the process:
https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous
http://www.dailydot.com/politics/oops-we-counted-wrong-silk-road-dark-net-tor/

Mozilla, makers of the Firefox browser upon which Tor Browser is based,
announced a series of projects to "accelerate pragmatic and user-focused
advances in privacy technology for the Web, giving users more control,
awareness and protection in their Web experiences".  The Tor Project is
one of Mozilla's two partners in this Polaris Privacy Initiative, and the
collaboration will involve looking at the Firefox codebase to see if its
relationship to Tor Browser and the Tor development process can be made
more efficient, giving Tor engineers more time to focus on other important
issues. Mozilla also stated their intention to run several high-capacity
Tor middle relays, contributing to a faster and more stable Tor network.
https://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/
https://blog.torproject.org/blog/partnering-mozilla

Nick gave a lecture for 6.858 at MIT:
https://www.youtube.com/watch?v=rIf_VZQr-dw

------------------------------------------------------------------------

6) Research: Assist the academic community in analyzing/improving Tor.

Roger and many others attended ACM WPES / CCS in Phoenix:
https://www.cylab.cmu.edu/news_events/events/wpes2014/program
http://www.sigsac.org/ccs/CCS2014/pro_agenda.html
The highlight this year was a series of papers on website fingerprinting
attacks. Some of the papers showed that practical, realistic website
fingerprinting attacks were much harder than had been shown in previous
papers. We're working with the authors on a guest blog post to explain
further details.

Roger also worked with Vern Paxson's group at Berkeley to help steer them
in the right direction for further research on censorship-resistance
and pluggable transports. Among other topics, they want to do a more
thorough economic and game-theory analysis of the censorship arms race.

Roger, alas, declined his Usenix Security 2015 PC invitation. It was a
great experience in 2014 but it soaked up a whole month.


