tor-dev June 2016

tor-dev@lists.torproject.org

64 participants
53 discussions

Improving PT documentation on website
by George Kadianakis 06 Jun '16

06 Jun '16

Hello Nima, I see you said this on IRC yesterday while referring to the pluggable transport docs: "I'm gonna be working on some of these documentations this month. do you have any suggestions on how we can improve them?" I agree that this is extremely high priority right now and I'm very glad to see you working on it. I feel that this is far more important than designing new protocols at this point. The way I see it, our main issues with PTs at this point is documentation and UX. I imagine you are talking about https://www.torproject.org/docs/pluggable-transports.html.en and maybe also the wiki page: https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports Some thoughts: - With regards to the pluggable-transports.html.en page: -- we should cleanup the PT list in the website. only include deployed PTs. maybe even remove list entirely and move it to wiki. if that page is only for users, they don't need to know info about each PT. -- add some sort of intuitive diagram similar to: https://www.torproject.org/images/obfsproxy_diagram.png -- link to the new video as well -- IMO we need a PT logo to give PTs a visual identity. When I wrote those pages, I used the moustached-onion logo. Do we have a better one? - We also need up-to-date instructions on how to setup obfsbridges. -- Maybe we need https://www.torproject.org/projects/obfsproxy.html.en but for obfs4 -- Here are the instructions that need to be updated: https://www.torproject.org/projects/obfsproxy-debian-instructions.html.en#i… https://www.torproject.org/projects/obfsproxy-instructions.html.en#instruct… -- (but obfs5 is coming soon as well... PT deployment startegy not very good.) - The wiki page is also quite bloated by now, and it's unclear what the audience is. -- The wiki page should also have links to user/bridge instructions, since that's where most people end up looking. -- It might be worth cleaning it up, or splitting it in multiple pages. especially so since we link it from the main PT page. I'm not very good with UX and web design stuff, but the above list would be the things I would start addressing first... Let me know what you think!

1 0

[GSoC 2016] Exitmap Improvements Project - Status Report #1
by Mridul Malpotra 05 Jun '16

05 Jun '16

Hey everyone! Here a few points from my initial 2 weeks at working on Exitmap improvements project. 1. Gone through the Exitmap code base and understood the working. Primarily identified the Tor Browser actions that can be replaced for better automation. 2. Currently there is a simple HTTP header that is being used for a simple GET request. As suggested in the proposal, using Selenium seems like the right choice. I have read about the RC and WebDriver and have decided to go forward with the latter as it allows for programmable actions as supported by the Firefox browser and also has Python support, allowing for better integration with the existing scanner. 2a. Studied the basics of the Selenium Webdriver and learnt simple browser automation techniques on Firefox - interaction with the webpage and other pool of actions. 2b. Ported basic actions to Tor Browser. Facing some issues with integration which I hope to rectify in a day or two and push. Next two weeks will involve: 1. Integrating randomized actions on Tor Browser with Exitmap. Creating a pool of possible ways to interact with the web service to make it difficult for the malicious Exit node to suspect scanner activity. 2. Add test cases to added interactions and observe changes in scanner output from the initial simple usage of urllib2 actions and assert the changes. I apologize for the delay in submitting my first report. Cheers! Mridul (mtyamantau) ============================= PGP keyID: 0xb716e33ab6d0a653

3 2

Getting error while making a build
by AKASH DAS 04 Jun '16

04 Jun '16

I am getting the following error while running make fetch :- Can't exec "hg": No such file or directory at rbm/lib/RBM.pm line 406. Error: Error cloning https://hg.mozilla.org/releases/mozilla-esr45/ make: *** [fetch] Error 1 any help would be appreciable.

2 1

[GSoC16] Expand Nyx - Status Report 1
by Sambuddha Basu 04 Jun '16

04 Jun '16

Hi everyone, This is the first status report for the 'Expand Nyx' project for GSoC 2016. I have been working on the following things: * Load events dynamically from Tor for event selection. For selecting the events, the users can `check` any event. The dialog box remembers previously selected events and includes Tor runlevels and Nyx runlevels along with the Tor events. * The event descriptions have been added to Stem. The event descriptions will be leveraged into Nyx in the future patches. * Added unit tests for the event selection dialog box[1] Next up, I will be working on adding the event descriptions along with the event selection dialog box. Hope everyone has a fun weekend! Sambuddha [1]: https://gitweb.torproject.org/nyx.git/commit/?id=a976f7699c9ed63ca65c16da71…

1 0

Jacob Appelbaum's departure?
by Jacek Wielemborek 03 Jun '16

03 Jun '16

Hello, I heard on Hacker News that Tor Project announced that Jacob Appelbaum "Appelbaum stepped down from his position at The Tor Project". Why is that? HN users are theorizing about FBI's involvement: https://news.ycombinator.com/item?id=11831629 Does anybody know anything specific? Cheers, d33tah

2 1

adding smartcard support to Tor
by Razvan Dragomirescu 03 Jun '16

03 Jun '16

Hello, I am not sure if this has been discussed before or how hard it would be to implement, but I'm looking for a way to integrate a smartcard with Tor - essentially, I want to be able to host hidden service keys on the card. I'm trying to bind the hidden service to a hardware component (the smartcard) so that it can be securely hosted in a hostile environment as well as impossible to clone/move without physical access to the smartcard. I have Tor running on the USBArmory by InversePath ( http://inversepath.com/usbarmory.html ) and have a microSD form factor card made by Swissbit ( www.swissbit.com/products/security-products/overwiev/security-products-over… ) up and running on it. I am a JavaCard developer myself and I have developed embedded Linux firmwares before but I have never touched the Tor source. Is there anyone that is willing to take on a side project doing this? Would it be just a matter of configuring OpenSSL to use the card (I haven't tried that yet)? Thank you, Razvan -- Razvan Dragomirescu Chief Technology Officer Cayenne Graphics SRL

8 34

[GSOC 16] Ahmia status update #1
by Ismael R 03 Jun '16

03 Jun '16

Hi everyone, I'm working on ahmia.fi, the hidden service search engine and you're reading status update #1. During the last two weeks i've been working on several things: 1/ Settle on a new structure for ahmia source code. The official repository [1] contains all the code related to ahmia. Some of this code is deprecated (solr is not used anymore), documentation needed to be updated, so it needed a bit of cleanup anyway. A structure with two repositories was chosen: - ahmia-site [2] is going to contain the django website, configuration to use it in production (apache, nginx, uwsgi) and documentation on how to get the project running. - ahmia-crawler [3] is going to contain scrapy bots, configuration + documentation (elasticsearch, polipo) I tried to keep all past commits when creating these repositories. 2/ Update documentation See [2] and [3]. 3/ Start to refactor the django project The django project is going to be composed by two apps: - search is going to be the search engine frontend + future API endpoints - trends is going to be the statistics visualization frontend + future API endpoints Some logic is also going to move from the website source code to the indexer part of the search engine (ex: removal of fake/banned domains). You can see this work on the ahmia-site repository [2]. Note: The trends app is not yet done so it isn't visible online. 4/ Implement continuous integration with travis.CI Tests are going to be automatically run on travis.CI. I also consider to display test code coverage with coveralls.io but I fear about people focusing on improving the coverage percentage at all cost, which is not very good. This work is going to be pushed during the week-end. 5/ Start to write a proposal with details on how to improve search I have yet to write a much more readable document, but here are a couple ideas: - Regroup all data related to domains, stats, content into elasticsearch so when can use it for search or insights - What about a pagerank-like algorithm to estimate a webpage popularity instead of tor2web popularity ? - Improve search with human language thanks to elasticsearch [4] - Use static boosting with popularity (or pagerank) field [5] We have a meeting planned tuesday with all ahmia's contributors. I hope to have a clean proposal by then to discuss it with them. During the next two weeks, I plan to continue working on the same things. I want to finish 1/ to 4/ as quickly as possible to start working on search quality. See you in two weeks :) Ismael [1] https://github.com/ahmia/search [2] https://github.com/iriahi/ahmia-site [3] https://github.com/iriahi/ahmia-crawler [4] https://www.elastic.co/guide/en/elasticsearch/guide/current/languages.html [5] https://marcobonzanini.com/2015/06/22/tuning-relevance-in-elasticsearch-wit…

1 0

[GSOC16] Fingerprint Central - Status report n°1
by Pierre Laperdrix 03 Jun '16

03 Jun '16

Hi everyone, Here is my first status report for my GSOC project. 1 - Here is the link to the GitHub repo of the project: https://github.com/plaperdr/fp-central I have chosen the name "Fingerprint Central" for the project. I may change it in the future but I'm pretty satisfied with it for the moment. If someone has a great suggestion to replace it, don't hesitate to send it to me! I have also included on the main page a checklist for anyone to follow the progression of development. 2 - I took the time to build strong foundations for my project to support both current and future features. * To support addition and removal of fingerprinting tests, I have added a system that need two components: - a definition file where one gives all the information related to the test - the source code needed to execute the test With this system, I can manage tests dynamically and I can give information to the users on what is currently being run in the test suite. * To support different types of fingerprints and browsers, I plan to integrate a system to tag fingerprints. Instead of storing fingerprints in specific databases, I found that a tag system is a flexible way to deal with any changes and when statistics will be implemented, it will be easier to get numbers on relevant categories thanks to tags. Everything is explained in greater details in the "fingerprint" folder of the repo in the Readme files. I'd love to have feedback on it to know if I'm going in the right direction and if my project seems well structured. 3 - Everything that I'm planning to use is present in the Debian repositories except for the PyMongo support of Flask. This means that it may possible to use the Tor infrastructure to host the website. I'll see when I get closer to a first stable version what could be possible on that front. What's next? My focus for the next two weeks is mainly to add new tests (both standard and specific to the Tor browser) and to add support of MongoDB. I hope to have a page that collects fingerprints, stores them in Mongo and calculate statistics on them. That's it for me this week! Have a great week-end everyone, Pierre

1 0

[GSoC 2016] Orfox - Report 1
by Amogh Pradeep 03 Jun '16

03 Jun '16

Hey guys, This is my first status report for GSoC 2016. I’ve attended the tor browser meeting on IRC and done some organizational work there. We plan to now track Orfox specific tickets on trac [0] using the keyword “tbb-mobile”. We still have bugs on the TGP bug tracker [1] but plan to move slowly from there to trac. Currently, on the tor projects trac, we have mobile fingerprinting tickets. I’ve also had success in rebasing from orfox-tor-browser-38.5.0esr-5.5-2 to orfox-tor-browser-38.8.0esr-5.5-1 [2]. Between the time of writing the GSoC proposal and the start of the program, we rebased from orfox-tb_GECKO380esr_2015050513_RELBRANCH to orfox-tor-browser-38.5.0esr-5.5-2. And now we’ve successfully moved to 38.8.0. Here’s a temporary build if someone wants to check it out [3]. But the official one should be on FDroid pretty soon. Next up, ESR 45. Rebasing to 45 might be harder, but I will see how it goes. After which I plan on starting with the code audit. Thats it for now, just regular maintenance stuff, nothing fancy to report! Hope you guys have a nice weekend. Best, Amogh Pradeep amoghbl1(a)gmail.com [0] https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb… [1] https://dev.guardianproject.info/projects/orfox-private-browser/issues/ [2] https://github.com/amoghbl1/tor-browser/ [3] https://web.iiit.ac.in/~amoghbl1/Orfox-38.8.0.apk

1 0

[GSoC] CONIKS for Tor Messenger - 1st status report
by Huy Vu Quoc 02 Jun '16

02 Jun '16

Hi everyone, This is the first status report on the CONIKS for Tor Messenger project. This is what I have done so far: * Discussing with Arlo and Marcela about the account verification module. The proposal is described below. * Implementing the Merkle prefix tree module. The source code is under review and is available on github repo [1] * Submitting 2 patches for ctype-otr addon (pull #74 and #75 [2]) For now, I'm working on implementing the STR module as a part of Merkle tree module. This module would be moved into its own repo as a library, separated from the key server module, after others commented on the code. Next I plan to continue implementing the key server module (including the registration and key change operation). It also requires a prototype implementation of the account verification module. Besides, we also established the collaboration with engineers and PhD students from EPFL on developing the CONIKS server module. The source code of the CONIKS server module would be committed to its own repo [3], while other Tor Messenger specific modules would be committed to the repo of the project [4]. --- The account verification protocol is proposed as follows (credit to Arlo) - the user connects to an account - the client sends the registration request to a registration bot on the server - the client also signs the registered public key and sends it to the registration bot - the bot verifies the signature and registers the sending account with the public key The client sends the signed public key to the registration bot by using one of following methods: - send a direct message to the Twitter account of the bot (in case the account is a Twitter account) - send a private chat to the Jabber account of the bot (in case the account is a Jabber account) Best, Huy [1] https://github.com/coniks-sys/libconiks-server-go/pull/1 [2] https://github.com/arlolra/ctypes-otr/pulls [3] https://github.com/coniks-sys/libconiks-server-go/ [4] https://github.com/c633/tor-messenger-coniks

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-dev June 2016