Sponsor 19

Project Title: Addressing Denial of Service Attacks on Free and Open Communication on the Internet

Project Period: August 15, 2018 - May 31, 2020

Project Goals/Activities

Safe communication on the internet requires many components to come together at once: (1) a robust and highly scaled communications infrastructure that protects communications metadata (i.e. Tor); (2) mechanisms to get around blocking or censorship of connections between users and this privacy network; (3) suitable packages designed for the computing environments of real users, with an emphasis on usability and user experience; and (4) awareness of the changing landscape of threats, and adaptive user education about these threats.

With these components in mind, we will focus on six areas of work. Note that each of these areas is itself an open-ended research field, so while we want to make substantial progress on each of them, there will always be more follow-up work to do on each of them.

Tor Task 1: defend the Tor network itself Tor is a free-software anonymizing overlay network that helps people around the world use the internet in safety. Tor’s 8000 volunteer relays carry over 100Gbit/s of traffic for several million users each day. This deployed network and diverse user base provides a great foundation, but we must make it stronger. We will:

(a) foster diversity and sustainability in relay locations and relay operators,

(b) react as needed to denial of service attacks on the Tor network itself, and

(c) proactively identify and resolve DoS vulnerabilities, making use of existing research collabo-rations to achieve a stronger network and improve robustness to unknown DoS vectors.

Tor Task 2: design and deploy better pluggable transports that work in actively censored regimes Currently, domain fronting systems like meek work in most or all denied countries, but domain fronting scales poorly both in terms of bandwidth and monetary cost. The most promising of the next generation of PTs is Snowflake, which builds on Flash Proxy to use in-browser webrtc to make “Google Hangout” style connections to volunteer web browsers, who then bridge the connections on to the Tor network. We will:

(a) research and design the missing parts of Snowflake, and build a prototype,

(b) make Tor Browser releases that integrate this prototype,

(c) confirm that it does indeed work in denied countries,

(d) get some pluggable transports, including Snowflake, working on Android too, since an increas-ing percentage of the world is moving from desktop to mobile, and

(e) start research and development on something to follow Snowflake so we’re prepared if attackers become willing to block or degrade the webrtc protocol.

Tor Task 3: build capacity and strengthen the research community Just about every major security conference these days has a paper analyzing, attacking, or improv-ing Tor. While ten years ago the field of anonymous communications was mostly theoretical, with researchers speculating that a given design should or shouldn’t work, Tor now provides an actual deployed testbed. Tor has become the gold standard for anonymous communications research, which in turn triggered an explosion of academic pluggable transport designs. We will:

(a) collaborate with members of the PETS research community to continue operation of the Tor Research Safety Board (a group of researchers who study Tor, and who want to minimize privacy risks while fostering a better understanding of the Tor network and its users), with the output being a growing set of real-world case studies on how to safely and ethically conduct experiments on the live Tor network and users.

Tor Task 4: consider more use cases than just web browsing Smartphone users want privacy and censorship circumvention for more than just web browsing. Millions of people use chat and social media applications, create and share media files like images and video, and more. In fact, if Tor’s performance penalties are most visible for latency-sensitive applications like web browsing, we would be wise to explore secure messaging and other asyn-chronous applications. We will:

(a) make sure the prototypes and tools from Task two work with Youtube and/or other popular services, and

(b) do a needs assessment for what other applications are popular among users behind censorship, and how well we can serve them, considering both safety and usability. The first challenge is to understand what would actually be useful to build. Options to consider include designing a video sharing service that integrates characteristics of SecureDrop or Globaleaks, or adding an “upload resume” or “parallel upload” helper to Tor Browser so users can upload chunks at a time and not have to start over when the network fails.

Tor Task 5: understand Tor’s client performance on limited and/or intermittent connections, and network performance while under attack Several factors contribute to making Tor connections less efficient than a direct connection to the final destination, and while a big part of that difference can be explained by how much capacity is available at the Tor relays (see Task one), some of these performance factors are particularly acute on bad network connections. At the same time, we need to better understand how load on the network itself, including adversarially-induced or targeted load, can impact all parts of the system. We will:

(a) consider and analyze the end-to-end performance and congestion of Tor clients behind bad network connections (high-latency, low-bandwidth, some packet loss, etc), (b) design ways to get around these limitations, for example with the “resume” feature mentioned above, or by having clients stripe their connections and/or circuits over multiple Snowflakes for better performance and better robustness, and (c) study the behavior of Tor clients and Tor relays under various denial of service attacks, and design countermeasures to tolerate the attacks and/or gracefully degrade service.

Tor Task 6: build a network measurement feedback loop so we know what’s working and what should work This feedback loop will be critical to letting us adapt Tor Browser and our other apps in response to changes on the internet. We will:

(a) ramp up our OONI-style censorship measurement tests in denied areas, so we can confirm that various protocols like webrtc do work right now, and so we can get rapid and robust notifications when that changes,

(b) figure out how to conduct more comprehensive tests too: not just “does webrtc work?” but “does Tor Browser using Snowflake work?”, and

(c) maintain and grow our Tor Metrics data sets, which provide historical and ongoing Tor network data and performance statistics for the broader research community.

Project Tracking

Open Tickets

Ticket Summary Component Status Owner
#1593 Implement test (-t switch) functionality Applications/GetTor needs_review kaner
#3781 Write a spec for GetTor Applications/GetTor assigned
#3980 gettor should deliver checksums of our packages Applications/GetTor assigned
#5211 Discuss other ways for the bridge authority to run bridge reachability tests Core Tor/Tor assigned
#7144 Implement Bridge Guards and other anti-enumeration defenses Core Tor/Tor new
#7349 Obfsbridges should be able to "disable" their ORPort Core Tor/Tor new
#9316 BridgeDB should export statistics Obfuscation/BridgeDB assigned dgoulet
#9332 Implement whitelisting of (email_address, gpg_key_id) pairs for encrypted, automated email bridge distribution Obfuscation/BridgeDB assigned
#10692 GetTor needs official two-factor-enabled dropbox and google accounts Applications/GetTor reopened
#10802 Getting bridges only for port 80,443 Obfuscation/BridgeDB assigned
#10831 Captchas are not accessible for blind users Obfuscation/BridgeDB assigned
#11330 Create a Hash Ring For Each Allowed Domain in the Email Distributor Obfuscation/BridgeDB assigned
#11966 "Bootstrapped 20%: Asking for networkstatus consensus" is a lie for bridge users Core Tor/Tor needs_revision
#12030 Create a DatabaseManager for interacting with BridgeDB's database backends Obfuscation/BridgeDB assigned
#12089 BridgedDB can be forced to email arbitrary email addresses Obfuscation/BridgeDB assigned
#12505 Refactor BridgeDB's hashrings Obfuscation/BridgeDB assigned
#12506 Separate BridgeDB databases from distributors Obfuscation/BridgeDB assigned
#12507 Automate BridgeDB documentation builds Obfuscation/BridgeDB assigned
#12537 Perhaps BridgeDB should supply decoys Obfuscation/BridgeDB assigned
#12627 canonicalFromSMTP is not what we think it should be Obfuscation/BridgeDB assigned
#12802 BridgeDB needs Nagios checks for the Email Distributor Obfuscation/BridgeDB assigned dgoulet
#12807 Implement an anonymous credential system for BridgeDB's Social Distributor Obfuscation/BridgeDB assigned
#12957 Translation instruction about accesskey should be improved. Obfuscation/BridgeDB assigned
#13727 BridgeDB should not distribute Tor Browser's default bridges Obfuscation/BridgeDB assigned
#14453 Implement statistics gathering for number of Bridges-per-Transport in BridgeDB Obfuscation/BridgeDB assigned
#14744 Automate upload of latest Tor Browser to cloud services Applications/GetTor assigned
#15404 BridgeDB's email localisation isn't working Obfuscation/BridgeDB assigned
#15457 Separate bridgedb.txrecaptcha into another package Obfuscation/BridgeDB assigned
#15967 Separate BridgeDB's CAPTCHA into another service Obfuscation/BridgeDB assigned
#16564 Add a line to bridge descriptors specifying they're bridges? Core Tor/Tor assigned
#16670 BridgeDB should be capable of verifying Ed25519 signatures Obfuscation/BridgeDB assigned
#17214 Check integrity of uploaded files periodically Applications/GetTor assigned
#17425 Improve GetTor Signature Section Applications/GetTor assigned
#17548 shows outdated keys Obfuscation/BridgeDB assigned
#17626 BridgeDB's email distributor doesn't work if the "get help" text is quoted Obfuscation/BridgeDB assigned
#19001 Tor Browser with Snowflake Obfuscation/Snowflake new
#19332 Add a BridgeDB module Metrics/CollecTor new metrics-team
#19693 Portuguese (pt_PT) translation to GetTor Applications/GetTor assigned emmapeel
#19774 could use a favicon Obfuscation/BridgeDB assigned antonela
#19839 BridgeDB website: In firefox page shows titles in English and text in the language preferred by the user Obfuscation/BridgeDB needs_information traumschule
#19997 BridgeDB's get-tor-exits script doesn't account for IPv6 Obfuscation/BridgeDB assigned
#20116 Get @get_tor twitter account verified Applications/GetTor new
#20770 Support Tor Browser Alpha Applications/GetTor assigned
#20813 Start producing snowflakes Obfuscation/Snowflake new
#21314 snowflake-client needs to stop using my network when I'm not giving it requests Obfuscation/Snowflake new
#21315 publish some realtime stats from the broker? Obfuscation/Snowflake new
#21814 Reduce binary size for client-only tor Core Tor/Tor new
#22664 Check for existing bundles in dropbox and handle them accordingly Applications/GetTor assigned
#22755 Use stem to create test descriptors Obfuscation/BridgeDB assigned
#23251 Parsing a networkstatus-bridges with flags only causes BridgeDB to hang Obfuscation/BridgeDB assigned
#23521 detect if clock skew is probably really time zone misconfiguration Core Tor/Tor new
#23565 document signs of client clock skew to ease troubleshooting Community/Tor Support assigned catalyst
#23839 Testing Framework for Censorship Circumvention Applications/Tor Browser new tbb-team
#23888 Creating a Snowflake WebExtension addon Obfuscation/Snowflake new
#24367 Changing pluggable transports (during start-up) in Tor Browser is broken Core Tor/Tor assigned
#24607 CAPTCHAs on BridgeDB seem to be getting more difficult Obfuscation/BridgeDB assigned
#25061 Relays consider it a bootstrapping failure if they can't extend for somebody else's circuit Core Tor/Tor assigned catalyst
#25429 Need something better than client's `checkForStaleness` Obfuscation/Snowflake assigned cohosh
#25483 Windows reproducible build of snowflake Obfuscation/Snowflake assigned sukhbir
#25528 When ClientTransportPlugin is missing, tor connects directly to bridge addresses, even if they have a transport name Core Tor/Tor new
#25593 Broker needs better resilience against DoS Obfuscation/Snowflake new
#25595 Test suite for Snowflake on various NAT topologies Obfuscation/Snowflake new
#25601 Multiplex - one snowflake proxy should be able to support multiple clients Obfuscation/Snowflake new
#25681 Defend against flooding of the broker by low bandwidth snowflakes Obfuscation/Snowflake new
#25713 "DisableNetwork is set" log message in Tor Browser scares/confuses users Core Tor/Tor new
#25899 Only run retry_dns() and check_dns_honesty() on exits Core Tor/Tor needs_revision dgoulet
#26348 Guard against large reads Obfuscation/Snowflake new
#26425 Add functionality to set SNI for client connections Core Tor/Tor needs_information
#26542 Distribute IPv6 bridges though Obfuscation/BridgeDB assigned
#26543 Provide a language switcher menu on BridgeDB Obfuscation/BridgeDB assigned
#26673 Record download times of smaller file sizes from partial completion times Metrics/Onionperf assigned metrics-team
#26920 Deploy Marionette as a Pluggable Transport Applications/Tor Browser new tbb-team
#26923 Intent to create Pluggable Transport: HTTPS proxy Obfuscation/Pluggable transport new
#27104 report intermediate status when building application circuits Core Tor/Tor assigned catalyst
#27308 report bootstrap phase when we actually start, not just unblock something Core Tor/Tor assigned catalyst
#27330 @get_tor on twitter not responding Applications/GetTor assigned
#27691 reset bootstrap progress when enough things change Core Tor/Tor new
#27984 bridgedb verifyHostname doesn't check subjectAltName extension Obfuscation/BridgeDB assigned
#28015 Brainstorm improved ux for orgs that want to give bridges to their people Applications/Tor Browser new tbb-team
#28018 Improve accuracy and usefulness of information reported to controllers about bootstrap status Core Tor/Tor assigned catalyst
#28091 Port GetTor to python3 Applications/GetTor needs_revision traumschule
#28152 Gettor code refactor with Python Twisted Applications/GetTor needs_review hiro
#28231 Provide more Gettor distribution methods Applications/GetTor assigned
#28232 Revive GetTor Applications/GetTor assigned
#28233 Translate GetTor messages Applications/GetTor assigned
#28234 Update GetTor documentation Applications/GetTor merge_ready traumschule
#28284 Arabic version for Gettor Applications/GetTor assigned
#28339 Log handling in gettor Applications/GetTor needs_review
#28391 Make BridgeDB website mirrorable Obfuscation/BridgeDB assigned
#28496 Consider dropping yahoo from the bridgedb email domains Obfuscation/BridgeDB assigned dgoulet
#28526 Document how NGOs can run private obfs4 bridges, and get some doing it Community/Tor Support assigned ggus
#28529 Confirm that the strange onionoo flood is resolved Metrics/Analysis new metrics-team
#28531 Publish a snapshot of what PTs are needed for successful Tor use in each country Community/Outreach new alison
#28533 bridgesdb: replace the message to mail support with a link to the documentation Obfuscation/BridgeDB assigned phw
#28555 Assess methodology for modern privcount Tor user counts Metrics/Analysis new metrics-team
#28556 Detect other installed circumvention tools and offer them as transports Applications/Tor Browser new tbb-team
#28655 If a bridge supports obfs4, don't give out its other flavors Obfuscation/BridgeDB needs_review phw
#28672 Android reproducible build of Snowflake Obfuscation/Snowflake new
#28679 Bridge connections on startup Core Tor/Tor new
#28803 Integrate building pluggable transports for Android into tor-browser-build Applications/Tor Browser needs_revision tbb-team
#28849 Handle dormant mode in process library and for PT's Core Tor/Tor new
#28930 consider reordering PT/proxy phases Core Tor/Tor assigned ahf
#28942 Evaluate pion WebRTC Obfuscation/Snowflake new
#29024 Add pluggable-transport support to Chutney Core Tor/Chutney new
#29096 Run Moat using ptadapter Obfuscation/BridgeDB assigned
#29111 Optional heartbeat message from PT's Obfuscation/Pluggable transport new
#29112 PTs should pass user count events back to Tor Core Tor/Tor new
#29114 Extended ORPort and TransportControlPort spec (#196) is "Finished" but not "Closed" Core Tor/Tor new
#29136 PT_LOG and PT_STATUS event fields unspecifed Core Tor/Tor needs_revision atagar
#29184 Avoid giving out bridges that suffer from #28912 Obfuscation/BridgeDB new sysrqb
#29205 Look into using Firefox for the WebRTC implementation Obfuscation/Snowflake new
#29206 New design for client -- proxy protocol for Snowflake Obfuscation/Snowflake assigned cohosh
#29207 New design for broker -- proxy protocol for snowflakes Obfuscation/Snowflake new
#29245 Tor 0.4 eventually hits "Delaying directory fetches: No running bridges" after some period of inactivity with bridges Core Tor/Tor new
#29249 Assessment of moat for bridges Obfuscation/BridgeDB new sysrqb
#29258 What is the IPv6 story with Snowflake Obfuscation/Snowflake new
#29259 Ensure high test coverage for Snowflake Obfuscation/Snowflake new
#29260 Should Snowflake proxies have a way to identify themselves to the broker Obfuscation/Snowflake assigned cohosh
#29262 Look into the network layer of WebRTC Obfuscation/Snowflake new
#29267 CI for pluggable transports Obfuscation new
#29269 Evaluation of bridge statistics Obfuscation/BridgeDB accepted nickm
#29272 Assess Marionette for interation with Tor Obfuscation/Pluggable transport new
#29274 Get developers using new PT alphas Obfuscation/Pluggable transport new
#29275 Get default bridges checked for reachability by OONI Obfuscation/Pluggable transport new
#29277 Look into getting default Tor bridges scanned by external reachability tests Obfuscation/Pluggable transport assigned phw
#29278 Assess HTTP proxy Obfuscation/Pluggable transport new
#29279 Reach out to NGOs to test obfs4 reachability Obfuscation/Obfsproxy assigned cohosh
#29280 Use Chutney in Tor's CI Core Tor/Tor needs_revision
#29282 Assess leekspin Core Tor/Leekspin new
#29283 Make PTs go dormant Obfuscation/Pluggable transport new
#29285 Improve the PT spec and how PTs interface with Tor Obfuscation/Pluggable transport new
#29286 Maintain obfs4 proxy Obfuscation/Obfsproxy new
#29287 Have backup PT in pipeline Obfuscation/Pluggable transport new
#29288 Look into Salmon Obfuscation/Pluggable transport new
#29293 New Design for client -- broker protocol for Snowflake Obfuscation/Snowflake new
#29296 Look into alternatives for distributing bridge info to clients Obfuscation/Pluggable transport new
#29484 Update the requirements.txt and freeze them on release Obfuscation/BridgeDB assigned dgoulet
#29490 Chutney fails (sometimes?) when tor is built with --enable-coverage Core Tor/Tor new
#29491 Chutney fails when Tor is built with --enable-nss Core Tor/Tor new
#29686 filenames conflict on case-insensitive filesystems Obfuscation/BridgeDB new sysrqb
#29689 Make Tor's consistent with chutney's Core Tor/Tor assigned teor
#29690 Add a comment to chutney's, reminding us to copy changes to tor's Core Tor/Chutney assigned
#29729 Work out which networks to run in Chutney's CI Core Tor/Chutney needs_review teor
#29734 Broker should receive country stats information from Proxy and Client Obfuscation/Snowflake needs_revision cohosh
#29736 Use WebSocket protocol to communicate between snowflake proxies and broker Obfuscation/Snowflake assigned ahf
#29741 Work out how to fail chutney travis jobs when the tor repository is out of date or missing Core Tor/Chutney new
#29863 Add disk space monitoring for snowflake infrastructure Obfuscation/Snowflake needs_review
#29875 Going from obfs4 to snowflake using the Tor Network Settings from the Torbutton doesn't work Core Tor/Tor assigned
#29876 get_proxy_type() may be wrong when unused PT configured Core Tor/Tor new
#29956 Test pluggable transport transitions while Tor is running, using Chutney Core Tor/Chutney new
#29976 rework bootstrap reporting to use pubsub Core Tor/Tor assigned catalyst
#30008 Remove unused FIFO copy paste code from snowflake client Obfuscation/Snowflake new
#30048 Write a bwfile creation and validation test for chutney Core Tor/Chutney new
#30049 Work out how to test mixed-version chutney networks in Tor's CI Core Tor/Tor new
#30060 Work out how (and where) to test chutney's coverage of tor Core Tor/Tor new
#30066 Write a script that tests chutney's major features on the specified network and tor version Core Tor/Chutney assigned
#30070 Add a chutney feature that prints the tor version Core Tor/Chutney new
#30071 --data fails on python 3 Core Tor/Chutney new
#30152 Monitor anti-censorship infrastructure Obfuscation new
#30153 Add a command to chutney and that prints the default option values Core Tor/Chutney new
#30154 Use the built-in unittest module for chutney's unit tests Core Tor/Chutney new
#30155 If we are still using the shell to launch tests, have a separate script for each test Core Tor/Chutney new
#30183 Consider using --offline by default, to improve stability Core Tor/Chutney new
#30208 Add missing features to Chutney's CI and test script Core Tor/Chutney new
#30212 Add extra chutney networks to Tor's CI Core Tor/Tor new
#30224 Add the tor versions for bridge-distribution-request Core Tor/Tor needs_review teor
#30247 Understand GetTor usage Applications/GetTor assigned

Closed Tickets

Ticket Summary Component Status Owner
#8542 More options on how to get the bundles Applications/GetTor closed
#12806 Create Debian package for BridgeDB Obfuscation/BridgeDB closed
#15522 Write Protobufs for any BridgeDB data which must be sent over a network or IPC channel Obfuscation/BridgeDB closed
#16671 Design a new Bridge Distributor for Tor Browser Obfuscation/BridgeDB closed
#18076 Bridges email inconsistent + not receiving emails Obfuscation/BridgeDB closed
#20473 Fix Chutney Nodes that don't bootstrap Core Tor/Chutney closed teor
#21305 Client gets into an unrecoverable connect / close loop Obfuscation/Snowflake closed cohosh
#22132 Chutney should avoid waiting for set times: wait for conditions instead Core Tor/Chutney closed nickm
#22775 Implement Hyphae Obfuscation/BridgeDB closed
#22776 Implement the remaining cryptographic protocols for Hyphae Obfuscation/BridgeDB closed
#22777 Implement a backend HTTP server for Hyphae's credentials Obfuscation/BridgeDB closed
#25430 Turkey cant access Obfuscation/BridgeDB closed
#25502 Report intermediate PT bootstrapping status Core Tor/Tor closed ahf
#26154 Remove apt-get update from BridgeDB's .travis.yml to avoid SHA1 signature error Obfuscation/BridgeDB closed phw
#27827 Reproducibility issue of the snowflake osx64 build Obfuscation/Snowflake closed tbb-team
#27912 Add travis CI for the Chutney repository Core Tor/Chutney closed teor
#27947 Chutney's owning controller process code compares strings with ints Core Tor/Chutney closed teor
#28179 Handle output from PT processes with the event loop Core Tor/Tor closed ahf
#28180 Signal mechanism from PT processes to Tor Core Tor/Tor closed dgoulet
#28181 spec: Add to pt-spec.txt control messages going back to main process (tor) Core Tor/Tor closed dgoulet
#28182 spec: Add to control-spec.txt some pluggable transport events Core Tor/Tor closed dgoulet
#28281 outline of high-level bootstrap tracker abstractions Core Tor/Tor closed catalyst
#28848 Document Snowflake broker implementation Obfuscation/Snowflake closed ahf
#28925 distinguish PT vs proxy for real in bootstrap tracker Core Tor/Tor closed catalyst
#28928 update control-spec.txt for new bootstrap phases Core Tor/Tor closed catalyst
#28936 Use Travis CI for goptlib.git repositories on Github Obfuscation/Pluggable transport closed dcf
#28940 Add support for LOG to goptlib Obfuscation/Pluggable transport closed dcf
#29229 Does anybody notice if the bridge auth goes away? Obfuscation/BridgeDB closed dgoulet
#29273 Document BridgeDB infrastructure Obfuscation/BridgeDB closed dgoulet
#29284 Deploy Marionette as a PT Obfuscation/Pluggable transport closed asn
#29297 Write reachability tests to verify if obfs4 is working or not Obfuscation/Obfsproxy closed cohosh
#29426 proxy-go instances not available Obfuscation/Snowflake closed
#29481 Cleanup bridgedb.conf and bridgedb.crontab Obfuscation/BridgeDB closed sysrqb
#29483 Use systemd init script for BridgeDB Obfuscation/BridgeDB closed dgoulet
#29489 Set up automated local testing environment for Snowflake Obfuscation/Snowflake closed cohosh
#29562 APPCRASH of tor.exe on Windows when PT bootstrap is cancelled Core Tor/Tor closed ahf
#29618 Chutney doesn't use python3 if a "python2" binary exists, and fails if it uses python3 anyway. Core Tor/Chutney closed nickm
#29748 Let tolerate some number of failures Core Tor/Chutney closed nickm
#29761 Track chutney CI failures, and tweak the allow failures settings Core Tor/Chutney closed teor
#29762 Update the README for new features Core Tor/Chutney closed teor
#29874 torrc no longer accepts space in executable paths Core Tor/Tor closed ahf
#30006 Monitor "aliveness" of default bridges in Tor Browser Applications/Quality Assurance and Testing closed phw
#30058 Chutney bootstrap-network script uses the wrong network flavour Core Tor/Chutney closed teor
#30059 Update chutney's README Core Tor/Chutney closed teor
#30063 Add unit tests to chutney, and run them in Travis Core Tor/Chutney closed teor
#30064 Chutney often fails because Tor hasn't bootstrapped yet Core Tor/Chutney closed teor
#30065 Add shellcheck tests to chutney Core Tor/Chutney closed teor
#30125 Port server's log sanitization to client, broker, and proxy-go Obfuscation/Snowflake closed cohosh

Last modified 12 days ago Last modified on Apr 10, 2019, 9:11:55 PM