Session: Tor research

Leader: Steven Murdoch

Past/present research from participants

Website fingerprinting: Traffic analysis attacks Emulating browser fingerprinting of Tor Browser

Hidden services Entry guard security

All the things (Paul)

User profiling on the Web

How to work better with academia to get results

General redirect: We need to update the research proposal/qualification process

How to get research into Tor

Tor lacks standardized way to

Figure out what you need to work on Get stuff incorporated into dev roadmap

Requirements and process are unclear (and potentially arbitrary) Currently: Ask Nick, convince Roger

Not clear path Not scalable Things can die/drop Too ad hoc Can miss out on benefits of researchers' valuable efforts

Hurdle to dev team qualifying

No time No funding for this sort of thing Just who volunteers to take it on/has time

Shari is working on getting more people into dev team

Especially for big-scope project (like Kisst)

Would a written process be helpful?

Paul: Maybe a webpage or text file that says:

Do you have some reasearch that you think is relevant? Here's how to determine if it's relevant Here's what you'll need to be able to answer before you come to us

Defined contact channels

Can't ALWAYS be Roger Contact page doesn't route helpfully

Scorecarding criteria for what's a good project

Resources available? Funding available? Aligned? Conceptual, in production, in use? Can you provide maintenance support? (probably nobody will ever say yes) Can you go in on joint funding w/ Tor

Proposal Qualification Models

Heilmeyer criteria Research safety board (safety in the course of the research, not in the course of when it's implemented, is better) TAILS: Please contact us before you do your research. Cass has a list of potential qualification criteria (from grants perspective) will attach to wiki page in a couple of weeks.

Will vetting process lower the barrier to code adoption?

How is maintenance funded?

Predicated on funding diversification: Foundations tend to be less deliverable-fixated

Who should vet new projects?

Someone who's very tightly integrated in tor team, knows what we're building and why Must work closely with PM, know what's going on internally, too Ideally, a funded, dedicated gatekeeper George? (Has done it, might be good candidate for future position)

Open research projects

Assigning the Guard Flag Changing use of network How Tor Circuit should be used Fingerprinting

Gatekeeping function might be helpful for Tor

Won't harm academics: won't necessarily kill research projects, will only say whether Tor will support with resources Beats no response at all (proposal goes into the void)

What steps will be required for anything released in Tor?

Documentation Testing ???

Easy case: EndTor

Simple, contained, obsoleted old code, not 10MM lines of code, solved a problem

Hard case: How to do statistics (heavyweight scheme proposal)

Hard to maintain, hard to qualify, hard to integrate, not clear answer to recognized problem

Whole conversation a little ironic, because Tor is well-documented, so anyone can experiment if they really want to.

But how to get completed (or in progress) research into the "official" Tor development roadmap is still an open question

Last modified 10 months ago Last modified on Mar 27, 2017, 4:41:05 PM