Opened 4 years ago

Closed 4 years ago

#19690 closed task (fixed)

Tonga (Bridge Authority) Permanent Shutdown Notice

Reported by: shamrock Owned by: isis
Priority: Very High Milestone: Tor: 0.2.8.x-final
Component: Core Tor/DirAuth Version: Tor:
Severity: Critical Keywords: TorCoreTeam201608
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Dear friends,

Given recent events, it is no longer appropriate for me to materially contribute to the Tor Project either financially, as I have so generously throughout the years, nor by providing computing resources. This decision does not come lightly; I probably ran one of the first five nodes in the system and my involvement with Tor predates it being called "Tor" by many years.

Nonetheless, I feel that I have no reasonable choice left within the bounds of ethics, but to announce the discontinuation of all Tor-related services hosted on every system under my control.

Most notably, this includes the Tor node "Tonga", the "Bridge Authority", which I recognize is rather pivotal to the network

Tonga will be permanently shut down and all associated crytographic keys destroyed on 2016-08-31. This should give the Tor developers ample time to stand up a substitute. I will terminate the chron job we set up so many years ago at that time that copies over the descriptors.

In addition to Tonga, I will shut down a number of fast Tor relays, but the directory authorities should detect that shutdown quickly and no separate notice is needed here.

I wish the Tor Project nothing but the best moving forward through those difficult times,


Child Tickets

Change History (19)

comment:1 Changed 4 years ago by yawning

Component: - Select a componentCore Tor/DirAuth
Milestone: Tor: 0.2.8.x-final
Severity: NormalCritical
Version: Tor:

Thanks for letting us know and for running the bridge auth. Triaging so this goes to the right place.

comment:2 Changed 4 years ago by isis

Owner: set to isis
Status: newassigned

Thanks for the heads up, Lucky! And thank you so much for every way you've contributed over the years.

comment:3 Changed 4 years ago by cypherpunks

Thank for the longstanding help for Tor!

Which recent events gave the reason for quitting all?

comment:4 Changed 4 years ago by isis

Keywords: TorCoreTeam201608 added

Adding to my august tickets.

comment:5 Changed 4 years ago by shamrock

To fully test the upcoming Tonga Bridge Authority key destruction procedure, I am shutting down an old IPv6-test bridge that I once set up based on a request received on #tor-dev when IPv6-capable bridges were a novelty and a test bridge was needed. This should have no discernible impact on the network. The sole purpose of this bridge (not Bridge Authority) shutdown test is to perform a full walkthrough of the key and key backups destruction procedure. Mentioning this here just to keep you all appraised.

comment:6 Changed 4 years ago by shamrock

Moving Tonga decommissioning date to 2016-09-02 per request by Karsten to enable the new Bridge Authority Bitfroest to catch up on the dataset.

comment:7 Changed 4 years ago by shamrock

If you haven't already, please take Tonga off the notification list that sends out an email to the operator if a directory authority is down. This doesn't have to wait until 2016-09-02, since in the off chance that Tonga between now and then were to suffer a catastrophic failure requiring manual operator intervention to restore, I would not engage in that manual effort given how little time remains.

comment:9 Changed 4 years ago by karsten

Thank you, shamrock, for postponing the Tonga shutdown by two days! Here's a graph showing how bridges are transitioning from Tonga to Bifroest. That graph doesn't show recent numbers from Bifroest, because we're not done setting up scripts to copy descriptors to CollecTor. But we can assume that >1k bridges have switched over by now. Those extra two days will for sure help with getting more bridges from Tonga to Bifroest before Tonga disappears. Thanks!

comment:10 Changed 4 years ago by karsten

And here's an updated graph.

comment:11 Changed 4 years ago by karsten

New day, new graph. Looks like transition has slowed down.

comment:12 Changed 4 years ago by karsten

New graph shows that transition has stopped. Guess we'll lose 1.3k bridges in two days from now.

comment:13 in reply to:  12 ; Changed 4 years ago by bugzilla

Replying to karsten:

New graph shows that transition has stopped. Guess we'll lose 1.3k bridges in two days from now.

Windoze bridges?

Who is guilty of it?

comment:14 in reply to:  13 ; Changed 4 years ago by karsten

Replying to bugzilla:

Replying to karsten:

New graph shows that transition has stopped. Guess we'll lose 1.3k bridges in two days from now.

Windoze bridges?

Not Windows bridges, but Linux bridges for the most part:

 421 Tor on Linux
 151 Tor on Linux
 124 Tor on Linux
 106 Tor on Windows 8
  94 Tor on Windows 7
  79 Tor on Linux
  59 Tor on Linux
  44 Tor on Linux
  40 Tor on Linux
  22 Tor on Windows 7

comment:15 in reply to:  14 Changed 4 years ago by bugzilla

Replying to karsten:
Hmm, mandatory auto-update mechanism (take or die) from Tor consensus is required.

421 Tor on Linux

Maybe, Tor should warn/info when the repository is different from the recommended.

124 Tor on Linux

Suspiciously. But people that check manually for a new version can be aware since Aug 24 only...

44 Tor on Linux

What's the reason to allow alphas to be bridges? Separate "alpha bridges" category for clients who like experiments is preferable.

94 Tor on Windows 7

There are no reasons not to update on Windows except that Expert Bundle lacks auto-updater. But it has version now, so your data shows that all Windows bridges, except those 0.2.4.x highly outdated, are maintained by up-to-date rebuilding from source. Is it plausible?

comment:16 Changed 4 years ago by karsten

I don't see anything in the suggestions above that would help move hundreds of bridges from Tonga to Bifroest in the next 24 hours. But that's okay, we already have plenty of bridges on Bifroest, and we have the bridges that come bundled with Tor Browser. Here's a new graph.

comment:17 Changed 4 years ago by shamrock

As previously announced Tonga will be decommissioned today, probably within the hour. You may wish to disable Tonga's ssh key on and enable any IP-based ssh restrictions. This also is the kickoff for major scheduled maintenance on the underlying server hardware. Consequently, I will not receive email sent to the domain or be able to read IRC. If someone needs to get in touch with me, find me on other IM channels. I expect any non-Tor related services running on the same physical server, such as my email, to be back up by no later than Monday. Hopefully much sooner if all goes well.

comment:18 Changed 4 years ago by karsten

Here's another graph, which will be the last graph in this series, unless there's a good reason to post another one.

See this Metrics graph for the total number of bridges, which includes both bridge authorities for the time when both made their descriptors available to CollecTor. The first dip is when Bifroest didn't report descriptors, the second is when Tonga went away.

Is there anything else to be done here? If not, how about we close this ticket?

comment:19 Changed 4 years ago by isis

Resolution: fixed
Status: assignedclosed

This task was completed in late August. At the same time, code related to temporarily having multiple directory authorities was merged into BridgeDB, see #20088.

Note: See TracTickets for help on using tickets.