Opened 12 months ago

Closed 9 months ago

#19690 closed task (fixed)

Tonga (Bridge Authority) Permanent Shutdown Notice

Reported by: shamrock Owned by: isis
Priority: Very High Milestone: Tor: 0.2.8.x-final
Component: Core Tor/DirAuth Version: Tor: 0.2.8.5-rc
Severity: Critical Keywords: TorCoreTeam201608
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Dear friends,

Given recent events, it is no longer appropriate for me to materially contribute to the Tor Project either financially, as I have so generously throughout the years, nor by providing computing resources. This decision does not come lightly; I probably ran one of the first five nodes in the system and my involvement with Tor predates it being called "Tor" by many years.

Nonetheless, I feel that I have no reasonable choice left within the bounds of ethics, but to announce the discontinuation of all Tor-related services hosted on every system under my control.

Most notably, this includes the Tor node "Tonga", the "Bridge Authority", which I recognize is rather pivotal to the network

Tonga will be permanently shut down and all associated crytographic keys destroyed on 2016-08-31. This should give the Tor developers ample time to stand up a substitute. I will terminate the chron job we set up so many years ago at that time that copies over the descriptors.

In addition to Tonga, I will shut down a number of fast Tor relays, but the directory authorities should detect that shutdown quickly and no separate notice is needed here.

I wish the Tor Project nothing but the best moving forward through those difficult times,

--Lucky

Child Tickets

Change History (19)

comment:1 Changed 12 months ago by yawning

  • Component changed from - Select a component to Core Tor/DirAuth
  • Milestone set to Tor: 0.2.8.x-final
  • Severity changed from Normal to Critical
  • Version set to Tor: 0.2.8.5-rc

Thanks for letting us know and for running the bridge auth. Triaging so this goes to the right place.

comment:2 Changed 12 months ago by isis

  • Owner set to isis
  • Status changed from new to assigned

Thanks for the heads up, Lucky! And thank you so much for every way you've contributed over the years.

comment:3 Changed 12 months ago by cypherpunks

Thank for the longstanding help for Tor!

Which recent events gave the reason for quitting all?

comment:4 Changed 11 months ago by isis

  • Keywords TorCoreTeam201608 added

Adding to my august tickets.

comment:5 Changed 10 months ago by shamrock

To fully test the upcoming Tonga Bridge Authority key destruction procedure, I am shutting down an old IPv6-test bridge that I once set up based on a request received on #tor-dev when IPv6-capable bridges were a novelty and a test bridge was needed. This should have no discernible impact on the network. The sole purpose of this bridge (not Bridge Authority) shutdown test is to perform a full walkthrough of the key and key backups destruction procedure. Mentioning this here just to keep you all appraised.

comment:6 Changed 10 months ago by shamrock

Moving Tonga decommissioning date to 2016-09-02 per request by Karsten to enable the new Bridge Authority Bitfroest to catch up on the dataset.

comment:7 Changed 10 months ago by shamrock

If you haven't already, please take Tonga off the notification list that sends out an email to the operator if a directory authority is down. This doesn't have to wait until 2016-09-02, since in the off chance that Tonga between now and then were to suffer a catastrophic failure requiring manual operator intervention to restore, I would not engage in that manual effort given how little time remains.

comment:9 Changed 10 months ago by karsten

Thank you, shamrock, for postponing the Tonga shutdown by two days! Here's a graph showing how bridges are transitioning from Tonga to Bifroest. That graph doesn't show recent numbers from Bifroest, because we're not done setting up scripts to copy descriptors to CollecTor. But we can assume that >1k bridges have switched over by now. Those extra two days will for sure help with getting more bridges from Tonga to Bifroest before Tonga disappears. Thanks!

comment:10 Changed 10 months ago by karsten

And here's an updated graph.

comment:11 Changed 10 months ago by karsten

New day, new graph. Looks like transition has slowed down.

comment:12 follow-up: Changed 10 months ago by karsten

New graph shows that transition has stopped. Guess we'll lose 1.3k bridges in two days from now.

comment:13 in reply to: ↑ 12 ; follow-up: Changed 10 months ago by bugzilla

Replying to karsten:

New graph shows that transition has stopped. Guess we'll lose 1.3k bridges in two days from now.

Windoze bridges?

@shamrock:
Who is guilty of it?

comment:14 in reply to: ↑ 13 ; follow-up: Changed 10 months ago by karsten

Replying to bugzilla:

Replying to karsten:

New graph shows that transition has stopped. Guess we'll lose 1.3k bridges in two days from now.

Windoze bridges?

Not Windows bridges, but Linux bridges for the most part:

 421 Tor 0.2.7.6 on Linux
 151 Tor 0.2.5.12 on Linux
 124 Tor 0.2.8.6 on Linux
 106 Tor 0.2.4.23 on Windows 8
  94 Tor 0.2.4.23 on Windows 7
  79 Tor 0.2.4.27 on Linux
  59 Tor 0.2.6.10 on Linux
  44 Tor 0.2.8.2-alpha on Linux
  40 Tor 0.2.5.10 on Linux
  22 Tor 0.2.4.22 on Windows 7

comment:15 in reply to: ↑ 14 Changed 10 months ago by bugzilla

Replying to karsten:
Hmm, mandatory auto-update mechanism (take or die) from Tor consensus is required.

421 Tor 0.2.7.6 on Linux

Maybe, Tor should warn/info when the repository is different from the recommended.

124 Tor 0.2.8.6 on Linux

Suspiciously. But people that check manually for a new version can be aware since Aug 24 only...

44 Tor 0.2.8.2-alpha on Linux

What's the reason to allow alphas to be bridges? Separate "alpha bridges" category for clients who like experiments is preferable.

94 Tor 0.2.4.23 on Windows 7

There are no reasons not to update on Windows except that Expert Bundle lacks auto-updater. But it has 0.2.8.6 version now, so your data shows that all Windows bridges, except those 0.2.4.x highly outdated, are maintained by up-to-date rebuilding from source. Is it plausible?

comment:16 Changed 10 months ago by karsten

I don't see anything in the suggestions above that would help move hundreds of bridges from Tonga to Bifroest in the next 24 hours. But that's okay, we already have plenty of bridges on Bifroest, and we have the bridges that come bundled with Tor Browser. Here's a new graph.

comment:17 Changed 10 months ago by shamrock

As previously announced Tonga will be decommissioned today, probably within the hour. You may wish to disable Tonga's ssh key on bridges.torproject.org and enable any IP-based ssh restrictions. This also is the kickoff for major scheduled maintenance on the underlying server hardware. Consequently, I will not receive email sent to the cypherpunks.to domain or be able to read IRC. If someone needs to get in touch with me, find me on other IM channels. I expect any non-Tor related services running on the same physical server, such as my email, to be back up by no later than Monday. Hopefully much sooner if all goes well.

comment:18 Changed 10 months ago by karsten

Here's another graph, which will be the last graph in this series, unless there's a good reason to post another one.

See this Metrics graph for the total number of bridges, which includes both bridge authorities for the time when both made their descriptors available to CollecTor. The first dip is when Bifroest didn't report descriptors, the second is when Tonga went away.

Is there anything else to be done here? If not, how about we close this ticket?

comment:19 Changed 9 months ago by isis

  • Resolution set to fixed
  • Status changed from assigned to closed

This task was completed in late August. At the same time, code related to temporarily having multiple directory authorities was merged into BridgeDB, see #20088.

Note: See TracTickets for help on using tickets.