The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2023-11-10T00:05:28Zhttps://gitlab.torproject.org/tpo/web/support/-/issues/211Add question "Why are v3 onion addresses so long?"2023-11-10T00:05:28ZGusAdd question "Why are v3 onion addresses so long?"
```
Since v3 onion services contain full public keys, they are secure against enumeration attacks. Also, the length makes the keys secure against collision attacks.
The v2 protocol has the following issues that v3 keys solve:
An adver...
```
Since v3 onion services contain full public keys, they are secure against enumeration attacks. Also, the length makes the keys secure against collision attacks.
The v2 protocol has the following issues that v3 keys solve:
An adversary who runs a relay on the Tor network can slowly learn a list of all the v2 onion services, via the v2 HSDir system.
An adversary who can factor 1024-bit RSA keys can impersonate a v2 onion service.
An adversary who can generate around 2^40 RSA keys can expect to generate two that correspond to the same onion address (a collision attack).
(There are other attacks against the v2 protocol as well that aren’t related to the keys.)
We'd like to keep using shorter addresses, but we can’t build a secure protocol that way.
```https://gitlab.torproject.org/tpo/network-health/team/-/issues/67Update status-site wiki pages related to recent network-experiments changes2022-02-28T14:17:59ZGeorg KoppenUpdate status-site wiki pages related to recent network-experiments changesI should
1. fix errors in the current doc I found while testing my patches
2. add content related specifically to our network experiment changes
3. add content about the emerging review/merge policy (see: https://gitlab.torproject.org/tp...I should
1. fix errors in the current doc I found while testing my patches
2. add content related specifically to our network experiment changes
3. add content about the emerging review/merge policy (see: https://gitlab.torproject.org/tpo/tpa/status-site/-/merge_requests/8#note_2739184)Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/40016Write a spec for unsanitised bridge descriptor formats2022-03-01T17:35:40ZIsis LovecruftWrite a spec for unsanitised bridge descriptor formatsThe only places this is documented is [in BridgeDB's docs](https://pythonhosted.org/bridgedb/descriptors.html) and a bit [in Stem's docs](https://stem.torproject.org/api/descriptor/networkstatus.html#stem.descriptor.networkstatus.Bridg...The only places this is documented is [in BridgeDB's docs](https://pythonhosted.org/bridgedb/descriptors.html) and a bit [in Stem's docs](https://stem.torproject.org/api/descriptor/networkstatus.html#stem.descriptor.networkstatus.BridgeNetworkStatusDocument).https://gitlab.torproject.org/tpo/web/support/-/issues/209Suggest troubleshooting tips for Tor Browser for Android2021-12-06T17:48:30ZMoseSuggest troubleshooting tips for Tor Browser for AndroidI'd like to suggest some simple and easy tips for Android users to debug crashes and other Tor Browser issues without too much fuss. Often when an app crashes, the only information the user is given is a message like "Tor Browser has sto...I'd like to suggest some simple and easy tips for Android users to debug crashes and other Tor Browser issues without too much fuss. Often when an app crashes, the only information the user is given is a message like "Tor Browser has stopped." These tips are intended to help users provide more detailed bug reports. This is in reference to https://blog.torproject.org/comment/291677#comment-291677
Another commenter suggested adding a section about Android to the support page ["How do I view Tor Browser message log?"](http://rzuwtpc4wb3xdzrj3yeajsvm3fkq4vbeubm2tdxaqruzzzgs5dwemlad.onion/tbb/tbb-21/index.html). Additionally, the [feedback template](http://rzuwtpc4wb3xdzrj3yeajsvm3fkq4vbeubm2tdxaqruzzzgs5dwemlad.onion/misc/bug-or-feedback/index.html) should probably link to that page to make it easier to find. However this information may fit better under [Tor Mobile](http://rzuwtpc4wb3xdzrj3yeajsvm3fkq4vbeubm2tdxaqruzzzgs5dwemlad.onion/tormobile/). If we had this information on a support page somewhere, developers could easily point users to it when they report a crash or ask for help (see for example this [comment](https://blog.torproject.org/comment/291586#comment-291586)).
### Tips
#### Scoop
There is an app available on f-droid known as [Scoop](https://f-droid.org/en/packages/taco.scoop/) which monitors the Android syslog and displays a notification when it detects an app crash. It also captures a stack trace of the app that crashed, which users can copy and include with a bug report. I've had success using it with a number of apps including Tor Browser.
Scoop's UI is easy to use, however initial setup does require use of a terminal app or adb, as described in the [instructions](https://web.archive.org/web/20210427172207/https://github.com/TacoTheDank/Scoop/wiki). It does not require root.
#### Logcat
The Lineage OS project has a [tutorial](https://web.archive.org/web/20210604125212/https://wiki.lineageos.org/how-to/logcat) on using logcat. This method requires root and either adb or a terminal. There are GUI apps for viewing logcat as well (however these also require root).
#### Other ideas (more research and testing needed)
##### Browser console
- Is there a way to open the browser console in Fenix?
- Probably accessible via remote debugging (see below) regardless
##### Mozilla developer tools (remote debugging)
- Tor Browser for Android has an option in the settings UI to enable USB debugging, although I haven't tried it.
- You must enable USB debugging on the device in Android developer settings menu as well as Fenix/TB4A settings. Does not require root. Does not require adb or android tools on desktop, only Firefox or Tor Browser on desktop.
- ```about:debugging``` cannot be opened in Tor Browser for Android, and there is no UI option for WiFi debugging.
- Probably limited to high-level issues, e.g. sites not displaying properly. Unsure of its usefulness in diagnosing crashes.
- Might be too involved for the average user just wanting to report a bug.
- See https://discourse.mozilla.org/t/is-android-debugging-still-working/51681/2https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/14Update all docs2023-11-13T16:21:44ZjugaUpdate all docsonbasca: 1.0jugajugahttps://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/6Add docstrings2023-03-17T11:19:27ZjugaAdd docstringsonbasca: 1.0https://gitlab.torproject.org/tpo/network-health/team/-/issues/57Set up a template for and write instructions about how to "register" network ...2022-02-28T14:17:56ZGeorg KoppenSet up a template for and write instructions about how to "register" network experimentsExperiments on the Tor network are getting popular and we start collecting them on our status page as one way of informing users/operators about them. We should write a template for that and general instructions on what to do to get this...Experiments on the Tor network are getting popular and we start collecting them on our status page as one way of informing users/operators about them. We should write a template for that and general instructions on what to do to get this going smoothly.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/network-health/team/-/issues/54Clarify our policy on secrecy vs. transparency2024-03-05T15:25:44ZGeorg KoppenClarify our policy on secrecy vs. transparencyWe have a bunch of areas in bad-relay land where we opted for (partial) secrecy compared to our default transparency (e.g. when listing [the rejected fingerprints](https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-fi...We have a bunch of areas in bad-relay land where we opted for (partial) secrecy compared to our default transparency (e.g. when listing [the rejected fingerprints](https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Rejected-fingerprints-found-in-attacks) per month in our wiki or when developing scanners or parts of them in private repo).
We'd benefit from written down the general policy on secrecy vs. transparency that explains how we drew and draw the line in different network-health areas (such as those two above).https://gitlab.torproject.org/tpo/network-health/team/-/issues/53Rewrite non-malicious bad relay criteria to take non-exit nodes into account2023-06-14T16:57:20ZGeorg KoppenRewrite non-malicious bad relay criteria to take non-exit nodes into accountRight now we [focus](https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-rejecting-bad-relays#misconfigured-exit-relays) our non-malicious bad relay criteria on exit relays.
However,
```
Any other criteria that wo...Right now we [focus](https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Criteria-for-rejecting-bad-relays#misconfigured-exit-relays) our non-malicious bad relay criteria on exit relays.
However,
```
Any other criteria that would give a safe but not fully functional experience for Tor users
```
clearly applies to non-exit nodes, too. Thus, we should rewrite the respective section taking both relay types into account.Georg KoppenGeorg Koppenhttps://gitlab.torproject.org/tpo/web/support/-/issues/207Answer the Tor + VPN question better2023-11-08T02:30:16ZemmapeelAnswer the Tor + VPN question betterAt https://support.torproject.org/faq/faq-5/ we have a link to https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN which should be replaced as trac is not longer updated.At https://support.torproject.org/faq/faq-5/ we have a link to https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN which should be replaced as trac is not longer updated.https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/8Create and document our commit workflow2023-04-11T18:29:51ZCecylia BocovichCreate and document our commit workflowAt the moment, each project has been maintained slightly differently, but with the branch changes we're taking the opportunity to document and consolidate our workflows on each of these projects. They don't all need to be handled the sam...At the moment, each project has been maintained slightly differently, but with the branch changes we're taking the opportunity to document and consolidate our workflows on each of these projects. They don't all need to be handled the same, but we should definitely document the different workflows and point out projects that have exceptions. This workflow should include the following:
- which repositories to push to and where our mirrors are pointing
- do we introduce merge commits or do we rebase branches before merging?
- do we use the gitlab interface or merge things locally?
- how many reviews do we need and who maintains/has access to which repository?
- we had some discussion over on #7 about signing commits
- which projects have releases and what is the release workflow?
This is generally a good idea, and something we should work into our workflow. Let's use this ticket to document a proposal for different workflows. Again, some repositories for our team are maintained by people outside TPI so the focus should be on documentation and best practices, not necessarily in making everything the same.meskiomeskio@torproject.orgmeskiomeskio@torproject.orghttps://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/7Set up gitolite <--> gitlab mirrors2022-03-01T17:19:09ZCecylia BocovichSet up gitolite <--> gitlab mirrorsSince our branch name change in #6, we'll have to update our mirrors and we might as well be consistent this time.
I'm proposing a one way mirror from Gitlab to git.tpo because it means we can use the gitlab merge feature. This would ma...Since our branch name change in #6, we'll have to update our mirrors and we might as well be consistent this time.
I'm proposing a one way mirror from Gitlab to git.tpo because it means we can use the gitlab merge feature. This would make git.tpo mostly read only except for the repositories that have not yet been migrated to gitlab.
However, I'm open to feedback. My only strong preference is that we're consistent.https://gitlab.torproject.org/tpo/web/support/-/issues/203add explanation about disabled Master Password, on support portal or ideally ...2023-11-13T13:44:30Zemmapeeladd explanation about disabled Master Password, on support portal or ideally in tor browser itselfA user entered today on the irc asking how could they add a master password to the Tor Browser. It seems a common doubt for new users.
Proposal:
- Maybe it will be good to have an official explanation on our Support portal about why the...A user entered today on the irc asking how could they add a master password to the Tor Browser. It seems a common doubt for new users.
Proposal:
- Maybe it will be good to have an official explanation on our Support portal about why there is no master password in Tor Browser?
From the Tor Browser Design Draft (https://2019.www.torproject.org/projects/torbrowser/design/):
We disable the password saving functionality in the browser as part of our Disk Avoidance requirement. However, since users may decide to re-enable disk history records and password saving, we also set the signon.autofillForms preference to false to prevent saved values from immediately populating fields upon page load. Since JavaScript can read these values as soon as they appear, setting this preference prevents automatic linkability from stored passwords.
(we should write a more simple answer)https://gitlab.torproject.org/tpo/ux/research/-/issues/40Add a persona who uses a public computer2023-08-08T18:55:10ZcypherpunksAdd a persona who uses a public computerFrom the blog:
https://blog.torproject.org/comment/291342#comment-291342
https://blog.torproject.org/comment/291422#comment-291422
> [The commenter] then said, "this could be a problem in a public computer, when many persons want to use...From the blog:
https://blog.torproject.org/comment/291342#comment-291342
https://blog.torproject.org/comment/291422#comment-291422
> [The commenter] then said, "this could be a problem in a public computer, when many persons want to use same account." It sounds like a kiosk or an Internet café. That is an interesting new persona to study, Community Team!! (to Gus, et al.) Usually though, public computers are configured for a guest account and/or to automatically log out after a period of time and delete the guest account's files.
It could be any shared device. A neighbor's laptop, phone, etc. If the device is public, then it isn't managed by a neighbor but by an administrator.
I guess this issue should be moved to tpo/ux/research. I wrote it in tpo/web/community because cypherpunks such as myself are not allowed to post in ux/research.https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40286Add Burmese as supported language in Windows installer2022-12-22T10:52:50ZMatthew FinkelAdd Burmese as supported language in Windows installerThis should be added in tbb-windows-installer, but I'm not sure a patch will be accepted right now.This should be added in tbb-windows-installer, but I'm not sure a patch will be accepted right now.https://gitlab.torproject.org/tpo/web/support/-/issues/181Add to FAQ section "Is it worth upgrading my Tor Relay"2023-11-13T05:22:53ZBurnleydevAdd to FAQ section "Is it worth upgrading my Tor Relay"Saw this question **"Is it worth upgrading my Tor Relay"** on reddit.com/r/Tor. It's worth adding it to the FAQ section to help others.Saw this question **"Is it worth upgrading my Tor Relay"** on reddit.com/r/Tor. It's worth adding it to the FAQ section to help others.https://gitlab.torproject.org/tpo/web/community/-/issues/193Past GSOC projects don't appear, but there is an empty section for them.2023-04-22T07:32:26ZemmapeelPast GSOC projects don't appear, but there is an empty section for them.at the bottom of https://community.torproject.org/gsoc/ there is a section only consisting of:
Past Projects
Here are some successful projects which have been implemented in the past by Google Summer of Code and Outreachy participants
...at the bottom of https://community.torproject.org/gsoc/ there is a section only consisting of:
Past Projects
Here are some successful projects which have been implemented in the past by Google Summer of Code and Outreachy participants
But the past projects are not there anymore.https://gitlab.torproject.org/tpo/web/community/-/issues/188[content][types of relays] Mentions to unexisting section are confusing2022-01-20T19:12:23Zemmapeel[content][types of relays] Mentions to unexisting section are confusingIn the page https://community.torproject.org/relay/types-of-relays/ , in the Exit relay section, we mention the 'legal considerations section' twice.
One is linked to https://community.torproject.org/relay/community-resources , but the ...In the page https://community.torproject.org/relay/types-of-relays/ , in the Exit relay section, we mention the 'legal considerations section' twice.
One is linked to https://community.torproject.org/relay/community-resources , but the other is unlinked, and there are no sections called 'legal considerations'.
> Exit relays have the greatest legal exposure and liability of all the relays. For example, if a user downloads copyrighted material while using your exit relay, you, the operator may receive a DMCA notice. Any abuse complaints about the exit will go directly to you (via your hoster, depending on the WHOIS records). Generally, most complaints can be handled pretty easily through template letters, which we'll discuss further in the **legal considerations section**.
> Because of the legal exposure that comes with running an exit relay, you should not run a Tor exit relay from your home. Ideal exit relay operators are affiliated with some institution, like a university, a library, a hackerspace or a privacy related organization. An institution can not only provide greater bandwidth for the exit, but is better positioned to handle abuse complaints or the rare law enforcement inquiry.
> If you are considering running an exit relay, please read the **section on legal considerations** for exit relay operators.
We should rephrase, mention the current name of the section, and also add a link where there is none.https://gitlab.torproject.org/tpo/core/tor/-/issues/40340Man tor - Option `ClientTransportPlugin` should move from `GENERAL OPTIONS` t...2023-04-03T16:38:12ZcypherpunksMan tor - Option `ClientTransportPlugin` should move from `GENERAL OPTIONS` to `CLIENT OPTIONS`For tor-0.4.6.0-alpha-dev.
ChangeLog :
```
o Documentation (man tor):
- Move option `ClientTransportPlugin` from `GENERAL OPTIONS` to `CLIENT OPTIONS`. Closes issue #40XXX
```
Output of `git diff HEAD` :
```
diff --git a/doc/...For tor-0.4.6.0-alpha-dev.
ChangeLog :
```
o Documentation (man tor):
- Move option `ClientTransportPlugin` from `GENERAL OPTIONS` to `CLIENT OPTIONS`. Closes issue #40XXX
```
Output of `git diff HEAD` :
```
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt
index f5dd1ec..308bf2d 100644
--- a/doc/man/tor.1.txt
+++ b/doc/man/tor.1.txt
@@ -334,20 +334,6 @@ forward slash (/) in the configuration file and on the command line.
as a float value. This is an advanced option; you generally shouldn't have
to mess with it. (Default: -1)
-[[ClientTransportPlugin]] **ClientTransportPlugin** __transport__ socks4|socks5 __IP__:__PORT__::
-**ClientTransportPlugin** __transport__ exec __path-to-binary__ [options]::
- In its first form, when set along with a corresponding Bridge line, the Tor
- client forwards its traffic to a SOCKS-speaking proxy on "IP:PORT".
- (IPv4 addresses should written as-is; IPv6 addresses should be wrapped in
- square brackets.) It's the
- duty of that proxy to properly forward the traffic to the bridge. +
- +
- In its second form, when set along with a corresponding Bridge line, the Tor
- client launches the pluggable transport proxy executable in
- __path-to-binary__ using __options__ as its command-line options, and
- forwards its traffic to it. It's the duty of that proxy to properly forward
- the traffic to the bridge. (Default: none)
-
[[ConnLimit]] **ConnLimit** __NUM__::
The minimum number of file descriptors that must be available to the Tor
process before it will start. Tor will ask the OS for as many file
@@ -1178,6 +1164,21 @@ The following options are useful only for clients (that is, if
controller request). If true, multicast DNS hostnames for machines on the
local network (of the form *.local) are also rejected. (Default: 1)
+[[ClientTransportPlugin1]] **ClientTransportPlugin** __transport__ socks4|socks5 __IP__:__PORT__ +
+
+[[ClientTransportPlugin2]] **ClientTransportPlugin** __transport__ exec __path-to-binary__ [options]::
+ In its first form, when set along with a corresponding Bridge line, the Tor
+ client forwards its traffic to a SOCKS-speaking proxy on "IP:PORT".
+ (IPv4 addresses should written as-is; IPv6 addresses should be wrapped in
+ square brackets.) It's the
+ duty of that proxy to properly forward the traffic to the bridge. +
+ +
+ In its second form, when set along with a corresponding Bridge line, the Tor
+ client launches the pluggable transport proxy executable in
+ __path-to-binary__ using __options__ as its command-line options, and
+ forwards its traffic to it. It's the duty of that proxy to properly forward
+ the traffic to the bridge. (Default: none)
+
[[ClientUseIPv4]] **ClientUseIPv4** **0**|**1**::
If this option is set to 0, Tor will avoid connecting to directory servers
and entry nodes over IPv4. Note that clients with an IPv4
```Tor: 0.4.8.x-freezeAlexander Færøyahf@torproject.orgAlexander Færøyahf@torproject.orghttps://gitlab.torproject.org/tpo/community/relays/-/issues/16Review and incorporate Torservers.net abuse templates to the relay documentation2022-03-16T20:23:36ZGusReview and incorporate Torservers.net abuse templates to the relay documentationBrabo let us know that:
The torservers.net wiki which hosts https://www.torservers.net/wiki/abuse/templates which https://community.torproject.org/relay/community-resources/tor-abuse-templates/ links to will go defunct at some point in ...Brabo let us know that:
The torservers.net wiki which hosts https://www.torservers.net/wiki/abuse/templates which https://community.torproject.org/relay/community-resources/tor-abuse-templates/ links to will go defunct at some point in the future. It may be good to see which templates are useful to add to the tor project template set.