May 2008 Progress Report

by phobos | June 25, 2008

Tor 0.2.0.26-rc (released May 13) fixes a major security vulnerability caused by a bug in Debian's OpenSSL packages. All users running any 0.2.0.x version should upgrade, whether they're running Debian or not.
http://archives.seul.org/or/talk/May-2008/msg00048.html

Vidalia 0.1.3 (released May 25) adds a hidden service configuration UI designed and implemented by Domenik Bork, as well as a few other bugfixes.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.3/CHAN…

The Tor Browser Bundle 1.0.2 (released May 3) and 1.0.3 (released May 16) include upgraded versions of Tor, Vidalia, Torbutton, and Firefox.

We added three new part-time developers in May. We hired Matt Edman as a part-time employee at the beginning of May, to work on Vidalia maintenance, bugfixes, and new features. We also are funding Karsten Loesing to work on making hidden service rendezvous and interaction faster, and Peter Palfrader to work on lowering the overhead of directory requests, especially during bootstrap, which should directly improve the experience for Tor users on modems or cell phones.

Google has agreed to give us some funding to work on auto-update for Windows. Our plan is for Vidalia to look at the majority-signed network status consensus to decide when to update and to what version (Tor already lists what versions are considered safe, in each network status document). We should actually do the update via Tor if possible, for additional privacy, and we need to make sure to check package signatures to ensure package validity. Last, we need to give the user an interface for these updates, including letting her opt to migrate from one major Tor version to the next.

We continued enhancements to the Chinese and Russian Tor website translations. Vidalia also added a Turkish translation.

From the Vidalia 0.1.3 ChangeLog:
"If we're running Tor >= 0.2.0.13-alpha, then check the descriptor annotations for each descriptor before deciding to do a geoip lookup on its IP address. If the annotations indicate it is a special purpose descriptor (e.g., bridges), then don't do the lookup at all."

"Remove the 'Run Tor as a Service' checkbox. Lots of people seem to be clicking it even though they don't really need to, and we end up leaving them in a broken state after a reboot."

"Only display the running relays in the big list of relays to the left of the network map. Listing a big pile of unavailable relays is not particularly useful, and just clutters up the list."

We worked toward a Torbutton 1.2.0rc1 release candidate, which will include support for Firefox 3 along with a huge pile of privacy-related bugfixes.

We spent much of the first half of May dealing with a surprise massive security vulnerability in a crypto library that comes with Debian:
http://archives.seul.org/or/announce/May-2008/msg00000.html

You can read a more detailed explanation of the effects of the flaw here:
https://ocewjwkdco.tudasnich.de/blog/debian-openssl-flaw%3A-what-does-it-me…

Part of dealing with the flaw meant doing some quick design work so we could let new Tor users be safe without making it so old Tor users were cut off from the network:
https://sedvblmbog.tudasnich.de/svn/trunk/doc/spec/proposals/136-legacy-keys…

Sometime in late June or early July we will disable this workaround, meaning all the 0.2.0.x users who haven't upgraded yet will be cut off.

We are preparing for the Tor gathering at the Privacy Enhancing Technologies Symposium in Leuven in July. This is looking like it will be the largest physical gathering of Tor developers ever -- main developers attending include Roger Dingledine, Nick Mathewson, Jacob Appelbaum, Mike Perry, Matt Edman, Steven Murdoch, and Karsten Loesing; Tor researchers include Paul Syverson and Ian Goldberg; and we'll have 5 of our 7 Google Summer of Code students there as well.
https://ocewjwkdco.tudasnich.de/events/roger%2C-nick%2C-steven%2C-matt%2C-k…
http://petsymposium.org/2008/program.php

The upcoming TBB release in June will include optional instant messaging support via Pidgin + Off-The-Record Messaging; replace the startup batch script with an actual application (named RelativeLink), so TBB now has a helpful Tor icon rather than an ugly batch file icon; and optionally support using WinRAR to produce a self-extracting split bundle.

We now have a more thorough set of TBB build instructions:
https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/INSTALL

We also documented the build and deploy process for a new TBB version:
https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/DEPLOYMENT

We finished integrating a UPnP library into Vidalia. This feature allows users who want to set up a Tor relay but don't want to muck with manual port forwarding on their router/firewall to just click a button and have Vidalia interact with their router/firewall automatically. This approach won't work in all cases, but it should work in at least some. The upcoming Vidalia 0.1.4 (scheduled for June) release has folded the UPnP library and GUI changes into the main Vidalia tree, along with a "test" button to try speaking UPnP at the local router and tell the user whether it worked; these features will be available by default in the 0.2.0.x stable release.

We spent May hunting for a better online translation option, since Launchpad (intended to be used for Vidalia translation) has an ugly interface and can't handle our file formats well, and Babelzilla (intended to be used for Torbutton translation) artificially limited the number of concurrent translators we could have.

In early June we hit upon Pootle, which is a translation server that we host, as opposed to a shared web service that other organizations host. We've set up a test server at http://translation.torproject.org/ and imported strings for Vidalia, Torbutton, and Torcheck. We hope to have a lot more to show here in June.

Comments

Please note that the comment area below has been archived.

June 25, 2008

Permalink

How do I make sure tor is encrypted from my computer to the internet?

June 25, 2008

Permalink

I sure hope some Tor developers will be attending DefCon this year, considering panels like this one:

de-Tor-iorate Anonymity

Nathan Evans
Ph.D Student, University of Denver
Christian Grothoff

Feel safe and comfortable browsing the Internet with impunity because you are using Tor? Feel safe no more! We present an attack on the Tor network that means that the bad guys could find out where you are going on the Internet while using Tor. This presentation goes over the design decisions that have made this attack possible, as well as show results from a Tor network that reveals the paths that data travels when using Tor. This method can make using the Tor network no more secure than using a simple open web proxy. We go over the attack in detail, as well as possible solutions for future versions of Tor.

Nathan Evans is a Ph.D student and the University of Denver working in the areas of security, privacy, anonymity, and performance in P2P networks. While he seems to be running around trying to break all the networks his intentions are to improve the current state of affairs wrt security. Previous work includes Routing in the Dark: Pitch Black (presented at Defcon 15) and work on evaluating various P2P systems published in the German magazine IX.

Christian Grothoff is an assistant professor of computer science at the University of Denver. He earned his PhD in computer science from UCLA in expressive type systems for object-oriented languages. His research interests include compilers, programming languages, software engineering, networking and security. He also is the primary author and maintainer of GNUnet, GNU's peer-to-peer framework.

Tor seems to be for people well versed in computer lore. We poor, downtrodden, much-despised ignorami don't seem to be catered for anywhere. Should I just go away and play Freecell instead?

I got Tor running to my delight, despite having change the nice simple SeaMonkey to Firefox. But now I can't google, links don't work, you know the tune. I'm not an idiot, just an intelligent person who doesn't know much about computers. Evidently I've missed out something elementary. I tried to read the advice but to my horror, I couldn't understand half of that either.

I shall be sorry but not upset if you think Tor is a step too far for me.

September 15, 2008

In reply to phobos

Permalink

Since my old Torpark wasn't working, I thought I would install the newest Tor (Vidalia), and it doesn't work. Once I enable the Tor Button, links can be clicked, but nothing happens. I downloaded the bundle and installed it without changes. I've gone through setup/preferences a few times to check and uncheck things, but so far it's all no good. I downloaded the Win32 bundle for XP (0.2.0.31).

July 06, 2008

Permalink

Since upgrading to the latest Vidalia (0.0.16) with tor (0.1.2.19) on MAC OS 10.4.11 and Firefox 2.0.0.15, the tor button stopped working well as it was before. Clicking it does most of the time not work to change the status. Now that China blocks tor it does not make it easier to figure out why. Any clue?
From Beijing / China

July 28, 2008

Permalink

Hi there.

Can anyone please tell me how it can be that I have to wait up to 4!! minutes for quite a few webpages to be loaded completely? And more often I have to wait at least 1-2 minutes.
And I don´t talk abouet pages that are covered with pictures, videos, flash, etc., since I have this stuff blocked by a firefox plugin.
This is far away from "surfing the web"!
My firefox version is 2.0.0.16., I use Tor 0.1.2.19 with Vidala 0.0.16 and Qt 4.3.2, which all came in a Vidalia-bundle.
And, I have a 12meg conection.

Thank you in advance.

Cheers

Mouse

.. for Google/Scroogle: http://wiki.noreply.org/noreply/TheOnionRouter/FireFoxTorPerf

Probably the most helpful tips are the torrc options that page mentions. Of those:

* CircuitBuildTimeout 5
* KeepalivePeriod 60
* NumEntryGuards 8

seem to help the most. Things sometimes can still get slow even then, but those options make the "New Identity" button kick you out a much faster circuit for future connections.

August 18, 2008

Permalink

Hi
I have downloaded the latest version of TOR from your website. However, every time I launch, it keeps asking for a "password". I went into Advance setting to disable this feature, but it still keeps asking for this password. Nothing I do is working. I've even tried downloading the unstable versions of TOR and I get the same password request.

Is this a Bug? I never had this issue with your older version.

I am running Windows XP.

tx

December 03, 2008

Permalink

Help! Using brand-new Mac but want to be sure before I download Firefox that the Torbutton will work, or is there a similar option for Safari users? Any tips or advice appreciated as this is all new to me. Thanks!

December 04, 2008

Permalink

I've installed the Vidalia bundle on my Intel Mac using OS 10.5.5 with Firefox 3.0.4 and the Tor Button just does not want to show up in Firefox .... does it not work on FF 3.0.4???

Thanks!

January 15, 2009

Permalink

Hello I downloaded Vidalia bundle and it did not work so I downloaded Torbutton extension incombined it work however one without the other did not, shouldnt it have work seprate too? whats going on? also "view network" does not give me full control

BTW am using firefox 2.0.0.17. Windows XP My pc does not run on SP1 or SP2 could this be the problem? if your wondering I crash three times when I downloaded the SP 1,2 get back to me soon hurry!

vidalia-bundle includes torbutton already. View network is just for viewing the network so you can see where your traffic is traveling through which circuits. I don't know what control you were hoping to have from View Network.

The patch level of Winxp shouldn't matter to the vidalia-bundle.

August 12, 2009

Permalink

I'm using Internet Explorer 8.
TOR is installed and working. I'm wondering can my firewall see my dns results.
Can my company filtering system
see if i searched for "red shoes" at google.com?

I read that the dns or the keywords in searches and web sites are resolved on the tor network, not on the local machine, which the firewall would see. Is this accurate?

I'm not sure if IE8 leaks DNS when setup with a socks proxy. The only real way to find out is to use wireshark to watch for dns traffic exiting the network interface. Another way to find out is to see if Tor's log complain about only receiving an IP address, not a hostname.

If IE 8 is working correctly, then your local network should only see ssl traffic.

August 26, 2009

Permalink

oTwo question:
1. How does TOR hide datastreams from your ISP when it all has to be routed through them unencrypted, where it can be analyzed by packet sniffers

2. How does TOR ensure that a secret government computer is not used as a relay (or worse) an exit relay pointing straight at you?

1) the datastreams are wrapped in ssl between your client and all relays, so anyone watching just sees ssl traffic. I suggest reading https://sedvblmbog.tudasnich.de/overview.html.en#thesolution

2) We don't and can't. We encourage people to use secure protocols through Tor. The risk of an exit relay going evil isn't much different than someone sitting in your favorite coffee shop recording all your traffic over the free wifi. This explains it in more detail, https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdrop…