Version 37 (modified by mparte, 7 years ago)

ironed out some confusions in "simple ways to contribute" section

Eleventh issue of Tor Weekly News. Covering what's happening from September 4th, 2013 to September 10th, 2013. To be released on September 11th, 2013.


Subject: Tor Weekly News — September 11th, 2013

Tor Weekly News                                     September 11th, 2013

Welcome to the eleventh issue of Tor Weekly News, the weekly newsletter that
covers what is happening in the XXX Tor community.

Tor is out

On 5th September, Roger Dingledine announced a new release candidate for the
Tor 0.2.4 series [XXX]. It comes with a feature that is very handy in the
current situation [XXX]: prioritizing the faster and safer "NTor"
circuit-level handshakes over the "TAP" handshakes used by 0.2.3 clients.

“Relays now process the new "NTor" circuit-level handshake requests with higher 
priority than the old "TAP" circuit-level handshake requests. We still process 
some TAP requests to not totally starve 0.2.3 clients when NTor becomes popular. 
A new consensus parameter "NumNTorsPerTAP" lets us tune the balance later if we 
need to. Implements ticket 9574 [XXX].”
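
A simplified model of the scheduling idea in the changelog entry above, added
here as an illustration (it is not Tor's source code): NTor requests go first,
but a waiting TAP request gets one turn after a fixed number of NTor picks, so
TAP clients are slowed rather than starved. All names, the backlog sizes and
the ratio values are constructed for the example.

```c
#include <stdio.h>

/* Hypothetical names throughout: a simplified model, not Tor's source. */
enum handshake { HS_NONE = -1, HS_TAP = 0, HS_NTOR = 1 };

struct onion_queues {
    int pending[2];      /* queued requests, indexed by enum handshake */
    int ntors_since_tap; /* NTor picks made while TAP was also waiting */
    int ntors_per_tap;   /* stands in for the NumNTorsPerTAP parameter */
};

/* Pick the queue to serve next: NTor first, but after ntors_per_tap
 * consecutive NTor picks a waiting TAP request gets one turn. */
static enum handshake next_handshake(struct onion_queues *q)
{
    if (!q->pending[HS_NTOR])
        return q->pending[HS_TAP] ? HS_TAP : HS_NONE;
    if (!q->pending[HS_TAP])
        return HS_NTOR;
    if (q->ntors_since_tap < q->ntors_per_tap) {
        q->ntors_since_tap++;
        return HS_NTOR;
    }
    q->ntors_since_tap = 0;
    return HS_TAP;
}

/* Serve at most `budget` handshakes from the given backlog and return
 * how many of them were TAP. */
int tap_served(int ntor_queued, int tap_queued, int ntors_per_tap, int budget)
{
    struct onion_queues q = { { tap_queued, ntor_queued }, 0, ntors_per_tap };
    int taps = 0;
    while (budget-- > 0) {
        enum handshake h = next_handshake(&q);
        if (h == HS_NONE)
            break;
        q.pending[h]--;
        taps += (h == HS_TAP);
    }
    return taps;
}

int main(void)
{
    /* Constructed overload: both queues far exceed a budget of 110. */
    printf("ratio 10:  %d TAP served\n", tap_served(1000, 1000, 10, 110));
    printf("ratio 100: %d TAP served\n", tap_served(1000, 1000, 100, 110));
    return 0;
}
```

Raising the ratio shifts capacity toward NTor without ever dropping the TAP
share to zero while TAP requests are waiting.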

Roger asks relay operators to consider upgrading to version due to the huge
circuit overload we see nowadays [XXX]. Upgrading to the development branch is
surprisingly easy using this guide [XXX].



Toward a better performance measurement tool

“I just finished […] sketching out the requirements and a software design
for a new Torperf implementation”, announced Karsten Loesing [XXX] on
the tor-dev mailing list.

The report begins with: “Four years ago, we presented a simple tool to
measure performance of the Tor network.  This tool, called Torperf,
requests static files of three different sizes over the Tor network and
logs timestamps of various request substeps. These data turned out to be
quite useful to observe user-perceived network performance over 
time [XXX]. However, static file downloads are not the typical use case
of a user browsing the web using Tor, so absolute numbers are not very
meaningful. Also, Torperf consists of a bunch of shell scripts which
makes it neither very user-friendly to set up and run, nor extensible to
cover new use cases.”

The specification lays out the various requirements for the new tool, and
details several experiments like visiting high-profile websites with an
automated graphical web browser, downloading static files, crafting a
canonical web page, measuring hidden service performance, and checking
on upload capacity.

Karsten added: “neither the requirements nor the software design
are set in stone, and the implementation, well, does not exist yet.
Plenty of options for giving feedback and helping out, and most parts
don't even require specific experience with hacking on Tor. Just in case
somebody's looking for an introductory Tor project to hack on.”

Saytha already wrote that this was enough material to get the
implementation started [XXX]. There is enough work on the project for
anyone interested. Feel free to join him!


Monthly status reports for XXX month 2013

The wave of regular monthly reports from Tor project members for the
month of XXX has begun. XXX released his report first [XXX], followed
by reports from name 2 [XXX], name 3 [XXX], and name 4 [XXX].


MOAR reports:
Sukhbir Singh
Matt Pagan
Ximin Luo
Pearl Crescent
Andrew Lewman
Mike Perry
Kelley Misata
Nick Mathewson
Jason Tsai
Damian Johnson

Miscellaneous news

Thanks to Frenn vun der Enn [XXX] for setting up a new mirror [XXX] of the
Tor project website.


With the Google Summer of Code ending in two weeks, the students have
sent their next-to-last reports: Kostas Jakeliunas for the
Searchable metrics archive [XXX], Johannes Fürmann for EvilGenius [XXX],
Hareesan for the Steganography Browser Extension [XXX], and Cristian-Matei
Toader for Tor capabilities [XXX].


Damian Johnson announced [XXX] he had completed the rewrite of DocTor in
Python [XXX], “a service that pulls hourly consensus information and
checks it for a host of issues (directory authority outages, expiring
certificates, etc). In the case of a problem it notifies
tor-consensus-health@ [XXX], and we in turn give the authority operator 
a heads up.”


On Tuesday, September 3rd, an IRC meeting was held to discuss progress on the
sponsor F [XXX] project. See Karsten Loesing’s notes for the output [XXX].



XXX: Reported vulnerabilities [XXX].

 [XXX] vulnerability report source

Help Desk Roundup

We had a number of emails this week asking about the recent stories in 
the New York Times, the Guardian, and Pro Publica regarding NSA's cryptographic 
capabilities. Some users asked whether there was a backdoor in Tor. Others asked 
if Tor's crypto was broken. 

There is absolutely no backdoor in Tor. We have been vocal in the past about how
tremendously irresponsible it would be to backdoor our users[xxx]. We also have
an FAQ entry explaining some ways we would fight back if anyone tried[xxx].

We do not have any more facts about NSA's cryptanalysis capabilities than have
been published in newspapers. However, it is the belief of many Tor developers
that even considering these new developments, Tor's encryption is effective.
Tor uses TLS for link encryption. If the TLS is good, an outside attacker can't 
even get to Tor's crypto. If the TLS is bad, good thing we have Tor's crypto. 

Breaking SSL/TLS could involve something besides cracking cryptographic
primitives. For example, an attack could be accomplished by finding some
vulnerability in the way the HTTPS protocol is implemented, or by compromising
the computers of Certificate Authorities to get their private keys. Or by legally
coercing Certificate Authorities to hand over their private keys and shut up
about it. I'm sure there are other ways it could be done as well. The math that
makes encryption hard to break still stands. Tor's code is completely open source
and has many eyes inspecting it. The encryption that Tor uses is summarized on the
FAQ page[xxx] and detailed in the Tor specification[xxx].


Simple Ways to Contribute This Week 

Each week, some simple tasks will be listed here for people who want to
begin hacking on the Tor Project.

If you're hacking on Tor and want a ticket featured here, add "easy" to
the keywords field on Trac.

Highlighted this week:

* Let users know which IP is making a new control port connection [XXX]
  Why? Let users know which IP/application is making a new control port
  connection so they have info to go on to rule out an attack.
  Practice: C, Network Service Primitives

* Change 'your' to 'this' on page [XXX]
  Why? A small percentage of users will misinterpret "your browser" to
  mean their existing browser with dire consequences.
  Practice: Git, Patch, Diff

* Add tests to Stem to try and detect new versions of Tor [XXX]
  Why? Reduce workload for keeping Stem up to date with changes in Tor & 
  making sure programs that rely on Stem are kept closely up to date with
  Practice: Python, Tor Control Protocol, Testing

Upcoming events

Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV
          | Berlin, Germany
Oct 09-10 | Andrew speaking at Secure Poland 2013
          | Warszawa, Poland

This issue of Tor Weekly News has been assembled by XXX, XXX, and

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [XXX], write down your
name and subscribe to the team mailing list [XXX] if you want to
get involved!


Possible items: