Sponsor 19

Project Title: Addressing Denial of Service Attacks on Free and Open Communication on the Internet

Project Period: August 15, 2018 - May 31, 2019

Project Goals/Activities

Safe communication on the internet requires many components to come together at once: (1) a robust and highly scaled communications infrastructure that protects communications metadata (i.e. Tor); (2) mechanisms to get around blocking or censorship of connections between users and this privacy network; (3) suitable packages designed for the computing environments of real users, with an emphasis on usability and user experience; and (4) awareness of the changing landscape of threats, and adaptive user education about these threats.

With these components in mind, we will focus on six areas of work. Note that each of these areas is itself an open-ended research field, so while we want to make substantial progress on each of them, there will always be more follow-up work to do on each of them.

Tor Task 1: defend the Tor network itself Tor is a free-software anonymizing overlay network that helps people around the world use the internet in safety. Tor’s 8000 volunteer relays carry over 100Gbit/s of traffic for several million users each day. This deployed network and diverse user base provides a great foundation, but we must make it stronger. We will:

(a) foster diversity and sustainability in relay locations and relay operators,

(b) react as needed to denial of service attacks on the Tor network itself, and

(c) proactively identify and resolve DoS vulnerabilities, making use of existing research collabo-rations to achieve a stronger network and improve robustness to unknown DoS vectors.

Tor Task 2: design and deploy better pluggable transports that work in actively censored regimes Currently, domain fronting systems like meek work in most or all denied countries, but domain fronting scales poorly both in terms of bandwidth and monetary cost. The most promising of the next generation of PTs is Snowflake, which builds on Flash Proxy to use in-browser webrtc to make “Google Hangout” style connections to volunteer web browsers, who then bridge the connections on to the Tor network. We will:

(a) research and design the missing parts of Snowflake, and build a prototype,

(b) make Tor Browser releases that integrate this prototype,

(c) confirm that it does indeed work in denied countries,

(d) get some pluggable transports, including Snowflake, working on Android too, since an increas-ing percentage of the world is moving from desktop to mobile, and

(e) start research and development on something to follow Snowflake so we’re prepared if attackers become willing to block or degrade the webrtc protocol.

Tor Task 3: build capacity and strengthen the research community Just about every major security conference these days has a paper analyzing, attacking, or improv-ing Tor. While ten years ago the field of anonymous communications was mostly theoretical, with researchers speculating that a given design should or shouldn’t work, Tor now provides an actual deployed testbed. Tor has become the gold standard for anonymous communications research, which in turn triggered an explosion of academic pluggable transport designs. We will:

(a) collaborate with members of the PETS research community to continue operation of the Tor Research Safety Board (a group of researchers who study Tor, and who want to minimize privacy risks while fostering a better understanding of the Tor network and its users), with the output being a growing set of real-world case studies on how to safely and ethically conduct experiments on the live Tor network and users.

Tor Task 4: consider more use cases than just web browsing Smartphone users want privacy and censorship circumvention for more than just web browsing. Millions of people use chat and social media applications, create and share media files like images and video, and more. In fact, if Tor’s performance penalties are most visible for latency-sensitive applications like web browsing, we would be wise to explore secure messaging and other asyn-chronous applications. We will:

(a) make sure the prototypes and tools from Task two work with Youtube and/or other popular services, and

(b) do a needs assessment for what other applications are popular among users behind censorship, and how well we can serve them, considering both safety and usability. The first challenge is to understand what would actually be useful to build. Options to consider include designing a video sharing service that integrates characteristics of SecureDrop or Globaleaks, or adding an “upload resume” or “parallel upload” helper to Tor Browser so users can upload chunks at a time and not have to start over when the network fails.

Tor Task 5: understand Tor’s client performance on limited and/or intermittent connections, and network performance while under attack Several factors contribute to making Tor connections less efficient than a direct connection to the final destination, and while a big part of that difference can be explained by how much capacity is available at the Tor relays (see Task one), some of these performance factors are particularly acute on bad network connections. At the same time, we need to better understand how load on the network itself, including adversarially-induced or targeted load, can impact all parts of the system. We will:

(a) consider and analyze the end-to-end performance and congestion of Tor clients behind bad network connections (high-latency, low-bandwidth, some packet loss, etc), (b) design ways to get around these limitations, for example with the “resume” feature mentioned above, or by having clients stripe their connections and/or circuits over multiple Snowflakes for better performance and better robustness, and (c) study the behavior of Tor clients and Tor relays under various denial of service attacks, and design countermeasures to tolerate the attacks and/or gracefully degrade service.

Tor Task 6: build a network measurement feedback loop so we know what’s working and what should work This feedback loop will be critical to letting us adapt Tor Browser and our other apps in response to changes on the internet. We will:

(a) ramp up our OONI-style censorship measurement tests in denied areas, so we can confirm that various protocols like webrtc do work right now, and so we can get rapid and robust notifications when that changes,

(b) figure out how to conduct more comprehensive tests too: not just “does webrtc work?” but “does Tor Browser using Snowflake work?”, and

(c) maintain and grow our Tor Metrics data sets, which provide historical and ongoing Tor network data and performance statistics for the broader research community.

Project Tracking

Open Tickets

Ticket Summary Component Status Owner
#25899 Only run retry_dns() and check_dns_honesty() on exits Core Tor/Tor new
#29136 PT_LOG and PT_STATUS event fields unspecifed Core Tor/Tor needs_revision atagar

Closed Tickets

Ticket Summary Component Status Owner
#1593 Implement test (-t switch) functionality Applications/GetTor closed kaner
#8542 More options on how to get the bundles Applications/GetTor closed
#12806 Create Debian package for BridgeDB Circumvention/BridgeDB closed
#14744 Automate upload of latest Tor Browser to cloud services Applications/GetTor closed
#15522 Write Protobufs for any BridgeDB data which must be sent over a network or IPC channel Circumvention/BridgeDB closed
#16671 Design a new Bridge Distributor for Tor Browser Circumvention/BridgeDB closed
#18076 Bridges email inconsistent + not receiving emails Circumvention/BridgeDB closed
#20473 Fix Chutney Nodes that don't bootstrap Core Tor/Chutney closed teor
#21305 Client gets into an unrecoverable connect / close loop Circumvention/Snowflake closed cohosh
#22132 Chutney should avoid waiting for set times: wait for conditions instead Core Tor/Chutney closed nickm
#22775 Implement Hyphae Circumvention/BridgeDB closed
#22776 Implement the remaining cryptographic protocols for Hyphae Circumvention/BridgeDB closed
#22777 Implement a backend HTTP server for Hyphae's credentials Circumvention/BridgeDB closed
#24367 Changing pluggable transports (during start-up) in Tor Browser is broken Core Tor/Tor closed nickm
#25430 Turkey cant access Circumvention/BridgeDB closed
#25502 Report intermediate PT bootstrapping status Core Tor/Tor closed ahf
#26154 Remove apt-get update from BridgeDB's .travis.yml to avoid SHA1 signature error Circumvention/BridgeDB closed phw
#26348 Guard against large reads Circumvention/Snowflake closed cohosh
#27827 Reproducibility issue of the snowflake osx64 build Circumvention/Snowflake closed tbb-team
#27912 Add travis CI for the Chutney repository Core Tor/Chutney closed teor
#27947 Chutney's owning controller process code compares strings with ints Core Tor/Chutney closed teor
#28018 Improve accuracy and usefulness of information reported to controllers about bootstrap status Core Tor/Tor closed catalyst
#28091 Port GetTor to python3 Applications/GetTor closed traumschule
#28152 Gettor code refactor with Python Twisted Applications/GetTor closed hiro
#28179 Handle output from PT processes with the event loop Core Tor/Tor closed ahf
#28180 Signal mechanism from PT processes to Tor Core Tor/Tor closed dgoulet
#28181 spec: Add to pt-spec.txt control messages going back to main process (tor) Core Tor/Tor closed dgoulet
#28182 spec: Add to control-spec.txt some pluggable transport events Core Tor/Tor closed dgoulet
#28234 Update GetTor documentation Applications/GetTor closed traumschule
#28281 outline of high-level bootstrap tracker abstractions Core Tor/Tor closed catalyst
#28655 If a bridge supports obfs4, don't give out its other flavors Circumvention/BridgeDB closed phw
#28848 Document Snowflake broker implementation Circumvention/Snowflake closed ahf
#28925 distinguish PT vs proxy for real in bootstrap tracker Core Tor/Tor closed catalyst
#28928 update control-spec.txt for new bootstrap phases Core Tor/Tor closed catalyst
#28936 Use Travis CI for goptlib.git repositories on Github Circumvention/Pluggable transport closed dcf
#28940 Add support for LOG to goptlib Circumvention/Pluggable transport closed dcf
#29024 Add pluggable-transport support to Chutney Core Tor/Chutney closed nickm
#29229 Does anybody notice if the bridge auth goes away? Circumvention/BridgeDB closed dgoulet
#29263 prop289: add bidirectional data transfers to chutney Core Tor/Chutney closed nickm
#29273 Document BridgeDB infrastructure Circumvention/BridgeDB closed dgoulet
#29278 Assess HTTP proxy Circumvention/Pluggable transport closed phw
#29280 Use Chutney in Tor's CI Core Tor/Tor closed teor
#29284 Deploy Marionette as a PT Circumvention/Pluggable transport closed asn
#29297 Write reachability tests to verify if obfs4 is working or not Archived/Obfsproxy closed cohosh
#29426 proxy-go instances not available Circumvention/Snowflake closed
#29481 Cleanup bridgedb.conf and bridgedb.crontab Circumvention/BridgeDB closed sysrqb
#29483 Use systemd init script for BridgeDB Circumvention/BridgeDB closed dgoulet
#29489 Set up automated local testing environment for Snowflake Circumvention/Snowflake closed cohosh
#29562 APPCRASH of tor.exe on Windows when PT bootstrap is cancelled Core Tor/Tor closed ahf
#29618 Chutney doesn't use python3 if a "python2" binary exists, and fails if it uses python3 anyway. Core Tor/Chutney closed nickm
#29670 Could not create SOCKS args string Core Tor/Tor closed nickm
#29729 Work out which networks to run in Chutney's CI Core Tor/Chutney closed teor
#29748 Let tolerate some number of failures Core Tor/Chutney closed nickm
#29761 Track chutney CI failures, and tweak the allow failures settings Core Tor/Chutney closed teor
#29762 Update the README for new features Core Tor/Chutney closed teor
#29874 torrc no longer accepts space in executable paths Core Tor/Tor closed ahf
#29875 Going from obfs4 to snowflake using the Tor Network Settings from the Torbutton doesn't work Core Tor/Tor closed nickm
#29876 get_proxy_type() may be wrong when unused PT configured Core Tor/Tor closed
#29976 rework bootstrap reporting to use pubsub Core Tor/Tor closed catalyst
#30006 Monitor "aliveness" of default bridges in Tor Browser Applications/Quality Assurance and Testing closed phw
#30008 Remove unused FIFO copy paste code from snowflake client Circumvention/Snowflake closed
#30058 Chutney bootstrap-network script uses the wrong network flavour Core Tor/Chutney closed teor
#30059 Update chutney's README Core Tor/Chutney closed teor
#30063 Add unit tests to chutney, and run them in Travis Core Tor/Chutney closed teor
#30064 Chutney often fails because Tor hasn't bootstrapped yet Core Tor/Chutney closed teor
#30065 Add shellcheck tests to chutney Core Tor/Chutney closed teor
#30066 Write a script that tests chutney's major features on the specified network and tor version Core Tor/Chutney closed
#30125 Port server's log sanitization to client, broker, and proxy-go Circumvention/Snowflake closed cohosh
#30224 Add the tor versions for bridge-distribution-request Core Tor/Tor closed teor
#30258 Snowflake proxy stops working during browsing session Circumvention/Snowflake closed cohosh
#30279 Test IPv6-only v3 onion services in Chutney's CI, once homebrew tor stable supports them Core Tor/Chutney closed teor
#30331 obfs4_bridgeline.txt file should contain complete bridge line Circumvention/Pluggable transport closed
#30455 Improve documentation for chutney warnings in "make test-network-all" Core Tor/Tor closed teor
#30459 Let chutney tell Tor whether a network is supported Core Tor/Chutney closed nickm
#30472 Implement a mechanism for PT reachability testing Circumvention/Pluggable transport closed phw
#30820 Show the correct macOS tor versions in chutney's CI Core Tor/Chutney closed teor

Last modified 5 months ago Last modified on Jun 4, 2020, 2:35:50 PM