Sponsor 19

Censorship, denial-of-service, research.

Title: Addressing Denial of Service Attacks on Free and Open Communication on the Internet

Safe communication on the internet requires many components to come together at once: (1) a robust and highly scaled communications infrastructure that protects communications metadata (i.e. Tor); (2) mechanisms to get around blocking or censorship of connections between users and this privacy network; (3) suitable packages designed for the computing environments of real users, with an emphasis on usability and user experience; and (4) awareness of the changing landscape of threats, and adaptive user education about these threats.

With these components in mind, we will focus on six areas of work. Note that each of these areas is itself an open-ended research field, so while we want to make substantial progress on each of them, there will always be more follow-up work to do on each of them.


August 2018 through May 2019.


Tor Task 1: defend the Tor network itself Tor is a free-software anonymizing overlay network that helps people around the world use the internet in safety. Tor’s 8000 volunteer relays carry over 100Gbit/s of traffic for several million users each day. This deployed network and diverse user base provides a great foundation, but we must make it stronger. We will:

(a) foster diversity and sustainability in relay locations and relay operators,

(b) react as needed to denial of service attacks on the Tor network itself, and

(c) proactively identify and resolve DoS vulnerabilities, making use of existing research collabo-rations to achieve a stronger network and improve robustness to unknown DoS vectors.

Tor Task 2: design and deploy better pluggable transports that work in actively censored regimes Currently, domain fronting systems like meek work in most or all denied countries, but domain fronting scales poorly both in terms of bandwidth and monetary cost. The most promising of the next generation of PTs is Snowflake, which builds on Flash Proxy to use in-browser webrtc to make “Google Hangout” style connections to volunteer web browsers, who then bridge the connections on to the Tor network. We will:

(a) research and design the missing parts of Snowflake, and build a prototype,

(b) make Tor Browser releases that integrate this prototype,

(c) confirm that it does indeed work in denied countries,

(d) get some pluggable transports, including Snowflake, working on Android too, since an increas-ing percentage of the world is moving from desktop to mobile, and

(e) start research and development on something to follow Snowflake so we’re prepared if attackers become willing to block or degrade the webrtc protocol.

Tor Task 3: build capacity and strengthen the research community Just about every major security conference these days has a paper analyzing, attacking, or improv-ing Tor. While ten years ago the field of anonymous communications was mostly theoretical, with researchers speculating that a given design should or shouldn’t work, Tor now provides an actual deployed testbed. Tor has become the gold standard for anonymous communications research, which in turn triggered an explosion of academic pluggable transport designs. We will:

(a) collaborate with members of the PETS research community to continue operation of the Tor Research Safety Board (a group of researchers who study Tor, and who want to minimize privacy risks while fostering a better understanding of the Tor network and its users), with the output being a growing set of real-world case studies on how to safely and ethically conduct experiments on the live Tor network and users.

Tor Task 4: consider more use cases than just web browsing Smartphone users want privacy and censorship circumvention for more than just web browsing. Millions of people use chat and social media applications, create and share media files like images and video, and more. In fact, if Tor’s performance penalties are most visible for latency-sensitive applications like web browsing, we would be wise to explore secure messaging and other asyn-chronous applications. We will:

(a) make sure the prototypes and tools from Task two work with Youtube and/or other popular services, and

(b) do a needs assessment for what other applications are popular among users behind censorship, and how well we can serve them, considering both safety and usability. The first challenge is to understand what would actually be useful to build. Options to consider include designing a video sharing service that integrates characteristics of SecureDrop or Globaleaks, or adding an “upload resume” or “parallel upload” helper to Tor Browser so users can upload chunks at a time and not have to start over when the network fails.

Tor Task 5: understand Tor’s client performance on limited and/or intermittent connections, and network performance while under attack Several factors contribute to making Tor connections less efficient than a direct connection to the final destination, and while a big part of that difference can be explained by how much capacity is available at the Tor relays (see Task one), some of these performance factors are particularly acute on bad network connections. At the same time, we need to better understand how load on the network itself, including adversarially-induced or targeted load, can impact all parts of the system. We will:

(a) consider and analyze the end-to-end performance and congestion of Tor clients behind bad network connections (high-latency, low-bandwidth, some packet loss, etc), (b) design ways to get around these limitations, for example with the “resume” feature mentioned above, or by having clients stripe their connections and/or circuits over multiple Snowflakes for better performance and better robustness, and (c) study the behavior of Tor clients and Tor relays under various denial of service attacks, and design countermeasures to tolerate the attacks and/or gracefully degrade service.

Tor Task 6: build a network measurement feedback loop so we know what’s working and what should work This feedback loop will be critical to letting us adapt Tor Browser and our other apps in response to changes on the internet. We will:

(a) ramp up our OONI-style censorship measurement tests in denied areas, so we can confirm that various protocols like webrtc do work right now, and so we can get rapid and robust notifications when that changes,

(b) figure out how to conduct more comprehensive tests too: not just “does webrtc work?” but “does Tor Browser using Snowflake work?”, and

(c) maintain and grow our Tor Metrics data sets, which provide historical and ongoing Tor network data and performance statistics for the broader research community.

Open Tickets

Ticket Summary Component Status Owner
#3781 Write a spec for GetTor Applications/GetTor needs_review kaner
#5211 Discuss other ways for the bridge authority to run bridge reachability tests Core Tor/Tor assigned
#7144 Implement Bridge Guards and other anti-enumeration defenses Core Tor/Tor needs_revision
#9316 BridgeDB should export statistics Obfuscation/BridgeDB assigned dgoulet
#9332 Implement whitelisting of (email_address, gpg_key_id) pairs for encrypted, automated email bridge distribution Obfuscation/BridgeDB assigned
#10802 Getting bridges only for port 80,443 Obfuscation/BridgeDB assigned
#10831 Captchas are not accessible for blind users Obfuscation/BridgeDB assigned
#11330 Create a Hash Ring For Each Allowed Domain in the Email Distributor Obfuscation/BridgeDB assigned
#11966 "Bootstrapped 20%: Asking for networkstatus consensus" is a lie for bridge users Core Tor/Tor needs_revision
#12030 Create a DatabaseManager for interacting with BridgeDB's database backends Obfuscation/BridgeDB assigned
#12089 BridgedDB can be forced to email arbitrary email addresses Obfuscation/BridgeDB assigned
#12505 Refactor BridgeDB's hashrings Obfuscation/BridgeDB assigned
#12506 Separate BridgeDB databases from distributors Obfuscation/BridgeDB assigned
#12507 Automate BridgeDB documentation builds Obfuscation/BridgeDB assigned
#12537 Perhaps BridgeDB should supply decoys Obfuscation/BridgeDB assigned
#12627 canonicalFromSMTP is not what we think it should be Obfuscation/BridgeDB assigned
#12802 BridgeDB needs Nagios checks for the Email Distributor Obfuscation/BridgeDB assigned dgoulet
#12807 Implement an anonymous credential system for BridgeDB's Social Distributor Obfuscation/BridgeDB assigned
#12957 Translation instruction about accesskey should be improved. Obfuscation/BridgeDB assigned
#13727 BridgeDB should not distribute Tor Browser's default bridges Obfuscation/BridgeDB assigned
#14453 Implement statistics gathering for number of Bridges-per-Transport in BridgeDB Obfuscation/BridgeDB assigned
#15404 BridgeDB's email localisation isn't working Obfuscation/BridgeDB assigned
#15457 Separate bridgedb.txrecaptcha into another package Obfuscation/BridgeDB assigned
#15967 Separate BridgeDB's CAPTCHA into another service Obfuscation/BridgeDB assigned
#16670 BridgeDB should be capable of verifying Ed25519 signatures Obfuscation/BridgeDB assigned
#17548 shows outdated keys Obfuscation/BridgeDB assigned
#17626 BridgeDB's email distributor doesn't work if the "get help" text is quoted Obfuscation/BridgeDB assigned
#18076 Bridges email inconsistent + not receiving emails Obfuscation/BridgeDB assigned
#19001 Tor Browser with Snowflake Obfuscation/Snowflake new
#19332 Add a BridgeDB module Metrics/CollecTor new metrics-team
#19774 could use a favicon Obfuscation/BridgeDB assigned antonela
#19839 BridgeDB website: In firefox page shows titles in English and text in the language preferred by the user Obfuscation/BridgeDB needs_information traumschule
#19997 BridgeDB's get-tor-exits script doesn't account for IPv6 Obfuscation/BridgeDB assigned
#20813 Start producing snowflakes Obfuscation/Snowflake new
#21314 snowflake-client needs to stop using my network when I'm not giving it requests Obfuscation/Snowflake new
#21814 Reduce binary size for client-only tor Core Tor/Tor new
#22755 Use stem to create test descriptors Obfuscation/BridgeDB assigned
#23043 leekspin's except/error code handling in is strange Obfuscation/BridgeDB assigned
#23251 Parsing a networkstatus-bridges with flags only causes BridgeDB to hang Obfuscation/BridgeDB assigned
#23333 Leekspin bug hunting Obfuscation/BridgeDB assigned
#23521 detect if clock skew is probably really time zone misconfiguration Core Tor/Tor new
#23565 document signs of client clock skew to ease troubleshooting Community/Tor Support assigned catalyst
#23839 Testing Framework for Censorship Circumvention Applications/Tor Browser new tbb-team
#23888 Creating a Snowflake WebExtension addon Obfuscation/Snowflake new
#24367 Changing pluggable transports (during start-up) in Tor Browser is broken Core Tor/Tor new
#24607 CAPTCHAs on BridgeDB seem to be getting more difficult Obfuscation/BridgeDB assigned
#25061 Relays consider it a bootstrapping failure if they can't extend for somebody else's circuit Core Tor/Tor assigned catalyst
#25430 Turkey cant access Obfuscation/BridgeDB assigned
#25483 Windows reproducible build of snowflake Obfuscation/Snowflake assigned sukhbir
#25528 When ClientTransportPlugin is missing, tor connects directly to bridge addresses, even if they have a transport name Core Tor/Tor new
#25593 Broker needs better resilience against DoS Obfuscation/Snowflake new
#25595 Test suite for Snowflake on various NAT topologies Obfuscation/Snowflake new
#25601 Multiplex - one snowflake proxy should be able to support multiple clients Obfuscation/Snowflake new
#25681 Defend against flooding of the broker by low bandwidth snowflakes Obfuscation/Snowflake new
#25713 "DisableNetwork is set" log message in Tor Browser scares/confuses users Core Tor/Tor new
#25899 Only run retry_dns() and check_dns_honesty() on exits Core Tor/Tor needs_revision dgoulet
#26154 Remove apt-get update from BridgeDB's .travis.yml to avoid SHA1 signature error Obfuscation/BridgeDB assigned dgoulet
#26348 Guard against large reads Obfuscation/Snowflake new
#26542 Distribute IPv6 bridges though Obfuscation/BridgeDB assigned
#26543 Provide a language switcher menu on BridgeDB Obfuscation/BridgeDB assigned
#26673 Record download times of smaller file sizes from partial completion times Metrics/Onionperf assigned metrics-team
#26920 Deploy Marionette as a Pluggable Transport Applications/Tor Browser new tbb-team
#26923 Intent to create Pluggable Transport: HTTPS proxy Obfuscation/Pluggable transport new
#27104 report intermediate status when building application circuits Core Tor/Tor assigned catalyst
#27308 report bootstrap phase when we actually start, not just unblock something Core Tor/Tor assigned catalyst
#27691 reset bootstrap progress when enough things change Core Tor/Tor new
#27984 bridgedb verifyHostname doesn't check subjectAltName extension Obfuscation/BridgeDB assigned
#28015 Brainstorm improved ux for orgs that want to give bridges to their people Applications/Tor Browser new tbb-team
#28018 Improve accuracy and usefulness of information reported to controllers about bootstrap status Core Tor/Tor assigned catalyst
#28091 Port GetTor to python3 Applications/GetTor needs_revision traumschule
#28232 Revive GetTor Applications/GetTor assigned
#28234 Update GetTor documentation Applications/GetTor merge_ready traumschule
#28281 outline of high-level bootstrap tracker abstractions Core Tor/Tor assigned catalyst
#28391 Make BridgeDB website mirrorable Obfuscation/BridgeDB assigned
#28496 Consider dropping yahoo from the bridgedb email domains Obfuscation/BridgeDB assigned dgoulet
#28526 Document how NGOs can run private obfs4 bridges, and get some doing it Community/Tor Support assigned ggus
#28529 Confirm that the strange onionoo flood is resolved Metrics/Analysis new metrics-team
#28531 Publish a snapshot of what PTs are needed for successful Tor use in each country Community/Outreach new alison
#28533 bridgesdb: replace the message to mail support with a link to the documentation Obfuscation/BridgeDB assigned
#28555 Assess methodology for modern privcount Tor user counts Metrics/Analysis new metrics-team
#28556 Detect other installed circumvention tools and offer them as transports Applications/Tor Browser new tbb-team
#28655 If a bridge supports obfs4, don't give out its other flavors Obfuscation/BridgeDB assigned dgoulet
#28672 Android reproducible build of Snowflake Obfuscation/Snowflake new
#28679 Bridge connections on startup Core Tor/Tor new
#28848 Document Snowflake broker implementation Obfuscation/Snowflake needs_review ahf
#28849 Handle dormant mode in process library and for PT's Core Tor/Tor new
#28925 distinguish PT vs proxy for real in bootstrap tracker Core Tor/Tor assigned catalyst
#28928 update control-spec.txt for new bootstrap phases Core Tor/Tor needs_review catalyst
#28930 consider reordering PT/proxy phases Core Tor/Tor assigned ahf
#28940 Add support for LOG to goptlib Obfuscation/Pluggable transport merge_ready dcf
#28942 Evaluate pion WebRTC Obfuscation/Snowflake new
#29024 Add pluggable-transport support to Chutney Core Tor/Chutney new
#29096 Run Moat using ptadapter Obfuscation/BridgeDB assigned
#29111 Optional heartbeat message from PT's Obfuscation/Pluggable transport new
#29114 Extended ORPort and TransportControlPort spec (#196) is "Finished" but not "Closed" Core Tor/Tor new
#29205 Look into using Firefox for the WebRTC implementation Obfuscation/Snowflake new
#29206 New design for client -- proxy protocol for Snowflake Obfuscation/Snowflake assigned
#29207 New design for broker -- proxy protocol for snowflakes Obfuscation/Snowflake new
#29229 Does anybody notice if the bridge auth goes away? Obfuscation/BridgeDB assigned dgoulet
#29249 Assessment of moat for bridges Obfuscation/BridgeDB new sysrqb
#29258 What is the IPv6 story with Snowflake Obfuscation/Snowflake new
#29259 Ensure high test coverage for Snowflake Obfuscation/Snowflake new
#29260 Should Snowflake proxies have a way to identify themselves to the broker Obfuscation/Snowflake new
#29262 Look into the network layer of WebRTC Obfuscation/Snowflake new
#29267 CI for pluggable transports Obfuscation new
#29269 Evaluation of bridge statistics Obfuscation/BridgeDB accepted nickm
#29272 Assess Marionette for interation with Tor Obfuscation/Pluggable transport new
#29273 Document BridgeDB infrastructure Obfuscation/BridgeDB assigned dgoulet
#29274 Get developers using new PT alphas Obfuscation/Pluggable transport new
#29275 Get default bridges checked for reachability by OONI Obfuscation/Pluggable transport new
#29277 Look into getting default Tor bridges scanned by external reachability tests Obfuscation/Pluggable transport assigned cohosh
#29278 Assess HTTP proxy Obfuscation/Pluggable transport new
#29279 Reach out to NGOs about obfs4 Obfuscation/Obfsproxy assigned cohosh
#29280 Use Chutney for CI Core Tor/Tor new
#29282 Assess leekspin Core Tor/Leekspin new
#29283 Make PTs go dormant Obfuscation/Pluggable transport new
#29285 Improve the PT spec and how PTs interface with Tor Obfuscation/Pluggable transport new
#29286 Maintain obfs4 proxy Obfuscation/Obfsproxy new
#29287 Have backup PT in pipeline Obfuscation/Pluggable transport new
#29288 Look into Salmon Obfuscation/Pluggable transport new
#29293 New Design for client -- broker protocol for Snowflake Obfuscation/Snowflake new
#29296 Look into alternatives for distributing bridge info to clients Obfuscation/Pluggable transport new
#29297 Add any necessary metrics to verify if obfs4 is working or not Obfuscation/Obfsproxy new
#29481 Cleanup bridgedb.conf Obfuscation/BridgeDB new sysrqb
#29483 Use systemd init script for BridgeDB Obfuscation/BridgeDB assigned dgoulet
#29484 Update the requirements.txt and freeze them on release Obfuscation/BridgeDB assigned dgoulet
#29489 Set up automated local testing environment for Snowflake Obfuscation/Snowflake assigned cohosh
#29490 Chutney fails (sometimes?) when tor is built with --enable-coverage Core Tor/Tor new
#29491 Chutney fails when Tor is built with --enable-nss Core Tor/Tor new

Closed Tickets

Ticket Summary Component Status Owner
#12806 Create Debian package for BridgeDB Obfuscation/BridgeDB closed
#15522 Write Protobufs for any BridgeDB data which must be sent over a network or IPC channel Obfuscation/BridgeDB closed
#16671 Design a new Bridge Distributor for Tor Browser Obfuscation/BridgeDB closed
#22775 Implement Hyphae Obfuscation/BridgeDB closed
#22776 Implement the remaining cryptographic protocols for Hyphae Obfuscation/BridgeDB closed
#22777 Implement a backend HTTP server for Hyphae's credentials Obfuscation/BridgeDB closed
#25502 Report intermediate PT bootstrapping status Core Tor/Tor closed ahf
#27827 Reproducibility issue of the snowflake osx64 build Obfuscation/Snowflake closed tbb-team
#28179 Handle output from PT processes with the event loop Core Tor/Tor closed ahf
#28180 Signal mechanism from PT processes to Tor Core Tor/Tor closed dgoulet
#28181 spec: Add to pt-spec.txt control messages going back to main process (tor) Core Tor/Tor closed dgoulet
#28182 spec: Add to control-spec.txt some pluggable transport events Core Tor/Tor closed dgoulet
#28936 Use Travis CI for goptlib.git repositories on Github Obfuscation/Pluggable transport closed dcf
#29284 Deploy Marionette as a PT Obfuscation/Pluggable transport closed asn
#29426 proxy-go instances not available Obfuscation/Snowflake closed

Last modified 3 months ago Last modified on Dec 4, 2018, 10:25:42 PM