Just a gentle reminder that the PT meeting is today in a few hours:
Friday - Oct 11 at
CEST: 18:00
BST (Summer GMT): 17:00
UTC: 16:00
EST: 12:00
MNT: 10:00
PST: 9:00
@ #tor-dev on irc.oftc.net
asn is going to moderate the session. (I have a very slow connection but
I'll try to join)
See you all there,
Vmon
The Boisterous Otter project requires us to offer assistance to users
through instant messaging.
Current plan: use an XMPP server allowing anonymous connections from a
web interface on one side, and have the support team use an authorized
account for each language.
The full report is viewable on the wiki at
https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Boisterous….
(Thanks to Lunar & Erinn for assisting with this)
--
-Phoul
Dear Team,
For completeness' sake I am attaching to this email the report I wrote last
week in order to summarize what the project APAF is about, and what there is in
common between it and the Otter/Cute proposal.
Eventually, feel free to add it to the trac page.
After reading ["Cute" design and challenges], though, I think the report lacks
an exhaustive description of APAF's threat model.
In APAF's documentation, the only document vaguely resembling a threat model is
embarrassingly poor in terms of content[0]. If still possible, I would like to
remedy this by writing a more detailed one during this week-end, maybe really
pentesting the application with your help this time.
Does this sound visible to you?
["Cute" design and challenges]
<https://trac.torproject.org/projects/tor/attachment/wiki/org/sponsors/Otter…>
[0]
<http://apaf.readthedocs.org/en/latest/threat_model.html>
--
mi.
It'll be in #tor-dev.
If you want to be in the `to` field for future emails, announcements,
and so on (rather than just reading them on `tor-dev` or
`tor-assistants`), you should add your name, IRC nick, and email to
the [Buoyant wiki
page](https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Buoy….
-Tom
On 8 October 2013 16:20, Tom Lowenthal <me(a)tomlowenthal.com> wrote:
> People of Earth, heed my call!
>
> Based on feedback that Boisterous Otters has too much to do, and on
> the fact that current Boisterous meetings are using their full time on
> only half the topics, we're splitting Boisterous into two components.
>
> The first component is going to stick with the name Boisterous, and
> deals with the first two activities: the helpdesk, and l10n. If you're
> already working on these things, nothing is changing for you, and you
> may be able to stop reading this right here.
>
> The second component is picking up the name **Buoyant**, and will deal
> with the remaining activities:
> * written materials on general communications security
> * short multi-language training videos
> * outreach to Iranians and the Iranian diaspora
> * social-media, radio, and television outreach.
> * training, and train-the-trainer work
>
> If that sounds like your cup of tea, kettle of fish, or flagon of ale,
> then you should come help us get started by filling in this [Doodle][]
> **by Wednesday afternoon** so that I can plan a meeting at the end of
> this week or the beginning of next. Please fill out the Doodle if
> you're definitely coming, and plan to be part of the core effort. If
> you just want to show up to spectate or lend a hand, there's no RSVP
> needed.
>
> I plan to look at the Doodle around 1700-1900h Pacific tomorrow, and
> I'll use whatever it says then to try and pick the best time. I'll
> send the time out to tor-dev, bcc-ing everyone who's expressed an
> interest or answered the poll. That's 24 hours to give me your
> availability, but only about 16 hours between when I send out the time
> and the first possible meeting slot, so check your mail tomorrow
> evening Pacific.
>
> If you have any specific suggestions about venue, format, or other
> running *of the meeting*, and you plan to be there, please reply
> publicly or privately before I send out the scheduling meeting. If you
> have specific plans about how to git'er done, you can either email me,
> or bcc me on a tor-dev-bound email with an appropriately-ottery
> subject line. Do note, however, that other folks may not be able to
> read your suggestions if you send them less than 12 hours before the
> meeting. I'll try to read them anyway, but that's only out of the
> kindness of my heart.
>
> Questions on a postcard please,
> -Tom
>
> [Doodle]: http://doodle.com/pm5cfunbcwuyrwh6
Hey Nick,
I pushed the recent HS proposals to my torspec git repo.
You can find them on branch 'hs_experimentation' at
https://git.torproject.org/user/asn/torspec.git .
My next step would be to write the anti-enumeration crypto part of
xxx-hs-id-keys-and-onion-leaking.txt (as I started doing with
c8b7e40).
Feel free to work on them. Maybe send me an IRC message before you
start touching them so that we don't change the same areas of the
spec.
Hello cute pals. We didn't have a meeting today due to scheduling. If
you think you want to work on making point-click-publish hidden
services a reality, and hidden services better in general, then this
is what you should do:
1. [Note down when you're free next week.][1]
2. Add your name, IRC nick and email to the [Cute wiki page][2].
3. Read [Sina's proposal][3].
I'm planning to read [this Doodle][1] and send out updates on Friday
morning (Pacific). If you haven't filled it out by then, I won't be
able to account for your preferences. Please fill out the doodle only
if you think that I need to consider your availability before
scheduling the meeting. If you just want to spectate, no RSVP is
needed, you can just lurk in #tor-dev. Please make sure that you only
fill out times that you can actually make it.
Future emails about Cute Otters will be sent `to` the email addresses
listed on the [Cute wiki page][2], `cc`'ing `tor-dev` and
`tor-assistants`. If you want to get messages "to" you, you should add
yourself to the team listing on the [Cute wiki page][2].
Sina has produced an [outline of the publishing system][3] we're
planning to build. You should read it, help him improve it, and come
to the meeting next week prepared.
That's all for now,
-Tom
[1]: http://doodle.com/wqr9phdck23mac7u
[2]: https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Cute
[3]: https://lists.torproject.org/pipermail/tor-dev/2013-October/005558.html
Please read your other mail or the [wiki][2] for a status update. In
addition, I would like you to do the following two things:
1. [Tell me about your availability][1] to meet next week.
2. Add your name, preferred email, and IRC nick to the appropriate
section of the [Attentive Otter wiki page][2].
For maximum effectiveness, you should do this before about 1530h Friday, since
that's when I'll send out the meeting invite. If you haven't filled
the Doodle out, I won't account for your availability. If you haven't
added your details, you'll need to read `tor-dev` or `tor-assistants`
to find out when the meeting is.
[1]: http://doodle.com/g7xq4e2x8pgf7vda
[2]: https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
This outline was a collaborative effort between me and Sukhbir Singh.
Code and package URLs:
Packages: http://instantbird.com/download-all.html
Nightlies: http://nightly.instantbird.im/
Instantbird Code: http://hg.instantbird.org
Thunderbird Code: https://github.com/mozilla/releases-comm-central
FAQ: http://instantbird.com/faq.html
Instantbird Overview:
+ Cross-platform (Windows, OS X, Linux).
+ Based on XUL+XPCOM (specifically Thunderbird).
+ Many existing Thunderbird addons should be easy to port.
+ Periodically syncs its codebase with Thunderbird:
- https://bugzilla.mozilla.org/show_bug.cgi?id=920801
+ Thunderbird can be used as combined secure Chat+Email communications
software.
+ One piece of software for all secure communications is a usability win
+ Leveraging the work done on TorBirdy, we can distribute Instantbird
and Tor (and related components) in a single package, or as a combined
addon.
+ Use Tor Launcher as the controller (sukhe recently added Thunderbird
support)
+ Will allow seamless zero-configuration Tor usage for normal case,
and will share Tor Browser's future Pluggable Transport support
with no additional effort.
+ See the TorBirdy manual for more information:
https://trac.torproject.org/projects/tor/wiki/torbirdy#TorBirdywithTorandTo…
+ Good protocol support:
Currently Instantbird supports by default: AIM, Bonjour, Facebook Chat,
Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MSN, MySpaceIM, Netsoul,
Odnoklassniki, QQ, Simple, Twitter, VKontakte, XMPP, Yahoo and Yahoo JAPAN.
+ Supports "portable version".
+ Instantbird is available in 14 languages; Thunderbird is available in ~65
+ Clean and easy to use interface.
+ We are amassing a fair amount of in-house expertise with Mozilla/XPCOM,
which we can use for code review, UI design, etc.
+ Can also leverage our existing relationship with Mozilla to share workload
Security Properties:
* Currently based on libpurple, but Mozilla is working to replace libpurple
with pure JS implementations (due to both licensing and code
quality/security issues with libpurple). Instantbird nightlies have
this code but it must be enabled via about:config. Seems to work.
+ http://clokep.blogspot.com/2013/10/yahoo-protocol-google-summer-of-code.html
+ http://lxr.instantbird.org/instantbird/source/chat/protocols/
+ http://lxr.instantbird.org/instantbird/source/chat/protocols/xmpp/
- No OTR support yet
+ OTR support tickets:
https://bugzilla.instantbird.org/show_bug.cgi?id=877
https://bugzilla.mozilla.org/show_bug.cgi?id=779052
+ For a stopgap/prototype: We can use the js-ctypes wrapper of libotr
along with the message observer API
+ Example observer API use w/ rot13:
http://hg.instantbird.org/addons/file/tip/rot13
+ JS-Ctypes wrapper for native libotr:
http://gitorious.org/fireotr/fireotr/blobs/master/chrome/content/otr_wrappe…
+ The ctypes wrapper can be converted to an XPCOM wrapper later.
+ According to sshagarwal #maildev on irc.mozilla.org, Mozilla is
also working towards implementing all of the primitives needed for OTR (and OTR
itself) in NSS. These are listed in this comment:
https://bugzilla.mozilla.org/show_bug.cgi?id=779052#c17
+ We could also rely on the ctypes wrapper until native support is
available, and possibly skip an XPCOM libotr wrapper entirely.
+ Solid proxy support. JS XMPP implementation allows you to omit DNS SRV
and since everything goes through nsIChannels, proxy support is easy
to verify and audit.
+ Messaging window is jailed to type=content (unlike cryptocat) and is
additionally XSS filtered immediately prior to display:
https://mxr.mozilla.org/comm-beta/source/chat/modules/imContentSink.jsm
Summary of Goals Met:
Release a secure, portable chat program that sends all traffic over Tor:
+ Yes.
Can be used with a wide variety of chat networks:
+ Yes, even without libpurple
Uses off-the-record encryption of conversations by default:
- Not yet, but support is coming, and it's not too hard to deploy a stopgap
French, Spanish, and Arabic support:
* Partly yes. Full support for French and Spanish, but Instantbird
has no translations for Farsi or Arabic (however Thunderbird does support
these locales and can also be used as a chat client).
--
Mike Perry
We had a meeting as scheduled at 1100h Pacific. We broadly agreed that:
* we don't want to use Pidgin/libpurple
* we have a mild preference for Instantbird.
We have some open questions about Instantbird:
1. What sort of attack surface does Instantbird present, compared to
-- say -- a browser.
2. What's the timeline for Instantbird implementing OTR, and how are
they going about it.
Our current plan is to go for a more thorough investigation of
Instantbird, and work out what we'd need to do to take Instantbird and
produce Tor Messenger, and what roadblocks stand in our way. We were
unable to find a lead for this project during the meeting. Afterwards,
Arlo volunteered to put together such a plan, and possibly even
execute it.
Arlo has committed to putting that plan together by the end of the
weekend. If we allow Monday morning to read and digest Arlo's work, we
should reconvene some time on Monday afternoon, Tuesday, or Wednesday
next week. [Let me know when you're free.][1]
I've decided to send out updates to both tor-dev and tor-assistants,
as well as to the individual addresses of folks who are interested.
I'm committed to using the string "Otter" and "Attentive" in the
subject line. If you want to get those emails, please [edit the wiki
page][2] to add that info. I've only put my info there for now, so
please edit it if you want to get personal attention in future emails.
What you should do now:
1. Please [tell me about your availability][1] to meet next week.
2. Please add your name, preferred email, and IRC nick to the
appropriate section of the [Attentive Otter wiki page][2].
[1]: http://doodle.com/g7xq4e2x8pgf7vda
[2]: https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
On 9 October 2013 09:04, Tom Lowenthal <me(a)tomlowenthal.com> wrote:
> Hello hello,
>
> This is your roughly 60-minute reminder that we'll be comparing
> proposals for the IM browser bundle on #tor-dev in about an hour. For
> your reference, and to brush up on the research that everyone
> valiantly did, the analyses are:
>
> * [Purple](https://lists.torproject.org/pipermail/tor-dev/2013-October/005544.html)
> * [xmpp-client](https://lists.torproject.org/pipermail/tor-dev/2013-October/005546.html)
> * [Instantbird](https://lists.torproject.org/pipermail/tor-dev/2013-October/005555.html)
>
> That's all for now.
> -Tom