The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-03-17T19:41:28Z

https://gitlab.torproject.org/tpo/core/torspec/-/issues/84
make (retroactive) proposal for DoS subsystem
2022-03-17T19:41:28Z
Roger Dingledine

In legacy/trac#24902, dgoulet speaks of a ddos-design.txt document.
But there is no actual proposal for the overall DoS subsystem.
If we have the document around, and we just never published it, this is a great chance to notice, clean it up a bit, and call it proposal three-hundred-and-something. (And then maybe turn some of it into one of the spec files if that makes sense, but, one step at a time here. :)
Motivated by this month's tor-dev thread where all we have to show for the DoS subsystem design is a trac ticket number and a changelog entry.

https://gitlab.torproject.org/tpo/web/support/-/issues/295
Please document Tor Browser environment variables
2023-11-07T07:49:10Z
Matt Pagan

It's not uncommon for users to want Tor Browser to use their already running system Tor. Doing this requires familiarity with the TOR_SKIP_LAUNCH environment variable. Rather than only documenting one or some of the env variables, they should all be documented in one place. Users should be able to visit a single document, FAQ entry, or wiki page where they can read the functionality of
TOR_SKIP_LAUNCH
TOR_FORCE_NET_CONFIG
TOR_CONFIGURE_ONLY
TOR_CONTROL_HOST
TOR_CONTROL_PORT
TOR_CONTROL_PASSWD
TOR_CONTROL_COOKIE_AUTH_FILE
TOR_SOCKS_HOST
TOR_SOCKS_PORT
TOR_TRANSPROXY
and how to set each. (Did I miss any?)

https://gitlab.torproject.org/tpo/network-health/team/-/issues/201
Create bandwidth authority specification
2023-12-11T09:56:45Z
Georg Koppen

We have:
* https://research.torproject.org/techreports/torflow-2009-08-07.pdf
* https://gitlab.torproject.org/tpo/network-health/torflow/-/blob/main/NetworkScanners/BwAuthority/README.spec.txt
* https://gitlab.torproject.org/tpo/network-health/torflow/-/blob/main/NetworkScanners/BwAuthority/README.BwAuthorities
* https://gitlab.torproject.org/tpo/network-health/torflow/-/blob/main/README
* https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/bandwidth-file-spec.txt
We should create a single "bandwidth authority spec" including data from those documents and the current implementations.

juga

https://gitlab.torproject.org/tpo/network-health/team/-/issues/199
Clarify the bandwidth authority spec to include client and server/service paths
2022-03-11T18:19:35Z
teor

It's unclear whether the "average stream capacity regardless of path" includes the path from the client to the entry, and the exit to the internet server. Pragmatically, in the current design, it has to include client and internet server. (Or, in the case of onion services, client and service.)
I don't know if this affects our design at all, but it should be clarified in the spec.

https://gitlab.torproject.org/tpo/web/support/-/issues/292
Add a page/FAQ about bad Tor Browsers
2022-06-02T20:38:03Z
Pier Angelo Vendrame

We are reviewing Tor Browser docs, and we would like to have this page about [fake Tor Browser](https://gitlab.torproject.org/tpo/applications/tor-browser/-/wikis/Bad_TorBrowsers) moved to support pages.
We think that users are not likely finding it in the TB Wiki.
I think it would be worth telling also that Chrome extensions that route traffic through Tor are not as good as Tor Browser because they do not help in decreasing fingerprinting.

Gus

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/109
Decide what labels to use for this project
2022-03-16T07:03:55Z
juga

onbasca: 1.0

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/107
Move all or part of the documentation about Tor and the bandwidth scanner
2023-12-11T09:51:28Z
juga

I've been writing documentation in https://onbasca.readthedocs.io/ that I didn't know where else could go.
Some of it might be useful only for me but some might be useful for other people and should be in Tor project domain.

juga

https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/68
document how to test the bridgedb service from the outside
2023-01-24T18:56:41Z
anarcat

as TPA, we sometimes have to look into this service and try to figure out "hey, did we break anything here?"
in our [service list](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/service) for bridgedb, there's a link to the [bridgedb survival guide](https://gitlab.torproject.org/tpo/anti-censorship/team/-/wikis/Survival-Guides/BridgeDB-Survival-Guide) as the documentation portal. because that page doesn't follow the [service template](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/template), it doesn't have a "monitoring and testing" which should document:
```
<!-- describe how this service is monitored and how it can be tested -->
<!-- after major changes like IP address changes or upgrades. describe -->
<!-- CI, test suites, linting, how security issues and upgrades are -->
<!-- tracked -->
```
typically, I try to test the service with this command:
```
mail -s test -r anarcat@example.com -- bridges@bridges-test.torproject.org < /dev/null
```
... if i want to relay to my local DKIM-signing. if i just want to send mail directly, i have also tried:
```
swaks -t bridges@bridges-test.torproject.org -s bridges.torproject.org -f anarcat@torproject.org
```
so it would be great to have that documented somewhere.

meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/web/community/-/issues/260
dead link in fedora bridge setup guide
2022-06-03T17:58:29Z
trinity-1686a

someone on IRC reported [the link here](https://gitlab.torproject.org/tpo/web/community/-/blob/main/content/relay/setup/bridge/fedora/contents.lr#L12) points to [nothing](https://community.torproject.org/relay/setup/bridge/fedora/updates).
A correct target could be [`/relay/setup/guard/fedora/updates/`](https://community.torproject.org/relay/setup/guard/fedora/updates/)

https://gitlab.torproject.org/tpo/web/community/-/issues/259
What happens to bad relays - outdated
2023-05-11T18:39:05Z
cypherpunks

The page https://community.torproject.org/relay/community-resources/bad-relays/ lists three things that can happen with bad relays: BadExit, Invalid and Reject. As of now, relay cannot be made Invalid (since proposal 272), but can (or not yet? should be clarified) become MiddleOnly.

https://gitlab.torproject.org/tpo/web/manual/-/issues/115
New link needed about Entry guards in Managing Identities
2022-07-09T04:29:33Z
emmapeel

In https://tb-manual.torproject.org/managing-identities/ we say:
```
For more information about Guards, consult the [FAQ](https://www.torproject.org/docs/faq#EntryGuards) and Support Portal.
```
But https://www.torproject.org/docs/faq#EntryGuards leads me to support.torproject.org homepage.
We should replace that link, maybe we already have the Entry Guard FAQ somewhere in support.tpo.

championquizzer championquizzer@torproject.org

https://gitlab.torproject.org/tpo/web/support/-/issues/290
Update instructions to reflect the use of new signing subkey
2023-06-14T20:07:31Z
cypherpunks

In the "Verifying the signature" section on https://support.torproject.org/tbb/how-to-verify-signature/, subkey `EB774491D9FF06E2` is still shown in the example output to validate the signature, whereas `E53D989A9E2D47BF` is the actual subkey used to do the actual signing by now.
I do understand that the commands are not to be taken literally, but aim to describe the general approach, however, gpg signing is a sensitive topic, and confusing enough as it is for new users, updating the instructions might help to prevent some unnecessary doubt.

https://gitlab.torproject.org/tpo/web/community/-/issues/257
[relays] Change 'centos-rhel' link
2023-01-18T18:27:20Z
Gus

GeKo noted that this URL doesn't mention OpenSuse and so people can't end up missing the OpenSuse instructions: https://community.torproject.org/relay/setup/guard/centos-rhel/updates/
We should change this URL to guard/rpm/updates or guard/centos-rhel-opensuse/updates.

Gus

https://gitlab.torproject.org/tpo/web/community/-/issues/256
[Relays] Create an OpenSuse relay page
2023-01-18T18:32:14Z
Gus

We already have instructions for running a bridge in OpenSuse. We should create a page for running a relay: https://community.torproject.org/relay/setup/guard/
https://community.torproject.org/relay/setup/bridge/opensuse/

https://gitlab.torproject.org/tpo/web/support/-/issues/288
Add Onion-Location to the glossary
2023-11-06T21:18:57Z
emmapeel

There for sure are more updates needed, but I think at least this term, spelled maybe as 'Onion Location', has a place in the Glossary.
My idea is to have a brief introduction with links to deeper docs.
Anyone wants to volunteer a definition?

https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/30
Build a comprehensible Onion Service checklist/documentation
2024-03-21T11:55:56Z
Silvio Rhatto

# Tasks
* [x] Create a wiki page for a public Onion Service checklist/documentation.
Done as [Service-Checklist][].
* [x] Move part (if not all) of this documentation to the [Onion Service
"portal"][], to the [upcoming Developer Portal][], to separate page, or to
the [ecosystem docs web checklist][]. Moved to the latter.
* [ ] Write a comprehensible and public Onion Service checklist/documentation.
* [ ] Split or tag items as "must have", "nice to have", "could have" or something
in the line of the [MoSCoW method][].
[Service-Checklist]: https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/Service-Checklist
[upcoming Developer Portal]: https://gitlab.torproject.org/groups/tpo/-/milestones/23
[Onion Service "portal"]: https://community.torproject.org/onion-services
[ecosystem docs web checklist]: https://gitlab.torproject.org/tpo/onion-services/portal/-/blob/main/docs/apps/web/checklist.md
[MoSCoW method]: https://en.wikipedia.org/wiki/MoSCoW_method
# Contents
Documentation might include topics like:
* [ ] Setting up:
* [ ] Example with [Apache](https://httpd.apache.org) (and remark about UNIX sockets not being supported).
* [ ] Example with [NGINX](https://www.nginx.com/) (TCP and UNIX sockets).
* [ ] Example with [lighttpd](https://www.lighttpd.net) (and note about UNIX sockets support).
* [ ] Example with [Caddy](https://caddyserver.com/) (does it support UNIX sockets?).
* [ ] Best practices:
* [ ] The slightly outdated but very good [Riseup documentation about Hosting Onion Services](https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices).
* [ ] Relay security checklist (if exists), since the Onion Service checklist could be built atop of more general checklists about running a Tor node (but with the warning that no relay should run along the Onion Service instance).
* [ ] See existing and legacy docs like the [legacy OperationalSecurity page](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/OperationalSecurity).
* [ ] Making sure the system clock is synchronized.
* [ ] Setup the Onion Location header (for sites accessible also from outside the Tor network).
* [ ] Encrypted backup of .onion keys.
* [ ] Consider **NOT** to use single mode/non-anonymous Onion Services
(`HiddenServiceSingleHopMode` and `HiddenServiceNonAnonymousMode`) if
distinct sites are hosted in the same provider/virtual machine and if relating
each other is a concern. Like, suppose many distinct sites have their onions at
the same place. Using single mode would mean it's easy to determine that these
sites have their .onions hosted in the same location. By default
`HiddenServiceSingleHopMode` and `HiddenServiceNonAnonymousMode` are not set,
but depending on the tooling used to deploy this might not be the case.
* [Where to put the onion service webserver socket](https://gitlab.torproject.org/tpo/web/community/-/issues/180).
* [ ] Optional/Advanced:
* [ ] Load balancing:
* [ ] Introduction (reusing part of the existing [Onionspray](https://tpo.pages.torproject.net/onion-services/onionspray/) documentation about load balancing: [introduction](https://tpo.pages.torproject.net/onion-services/onionspray/guides/balance/) and [topologies](https://tpo.pages.torproject.net/onion-services/onionspray/guides/balance/topologies/)).
* [ ] Setting up [Onionbalance](https://gitlab.torproject.org/tpo/onion-services/onionbalance):
* [ ] Consider that using Onionbalance is also a measure for protecting the
main Onion Service keys, as compromised backends would not expose the
main keys. Check upcoming [security analysis](https://gitlab.torproject.org/tpo/onion-services/onionbalance/-/issues/25) for details.
* [ ] Configure [Vanguards](https://github.com/mikeperry-tor/vanguards) on each backend.
* [ ] Vanity address generation (using [mkp224o](https://github.com/cathugger/mkp224o) or other compatible tools)?
* [ ] Setup HTTPS with valid x509 certificates (and automatic HTTP -> HTTPS
connection upgrade, like with automatic HTTP-to-HTTPS redirection and/or
the HSTS header).
* [ ] Setup Onion Names (HTTPS Everywhere patch, or [whatever is on its place](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40458#note_2777495)).
* [ ] Onion v3 auth (currently unsupported by Onionbalance, [see tpo/core/onionbalance#5](https://gitlab.torproject.org/tpo/core/onionbalance/-/issues/5)).
* [ ] [Alt-Svc Header](https://blog.cloudflare.com/cloudflare-onion-service/) (as an alternative or complement to the `Onion-Location` header).
* [ ] Performance:
* [ ] Assets: consider to provide image, video and other assets optimally
compressed to alleviate bandwidth consumption in the Onion Service. While
this is a general recommendation for any site, this can be of special
importance for Onion Services. It might be worth checking browser support for
storage-efficient formats (see tpo/applications/tor-browser#41664 for a
discussion example).
* [ ] Risk analysis:
* [ ] De-anonymization:
* [ ] [This great analysis from Vanguards](https://github.com/mikeperry-tor/vanguards/blob/master/README_SECURITY.md).
* [ ] Detecting/correlating online/offline patterns.
* [ ] Server fingerprinting.
* [ ] Metrics:
* [ ] Using the MetricsPort (and/or a web panel):
* [ ] Locally (as usually recommended).
* [ ] Or through an [authenticated
.onion](https://community.torproject.org/onion-services/advanced/client-auth/)
to enable remote monitoring? Which plugin could be used by Prometheus to fetch
data from such a service? [Example Prometheus
configuration](https://github.com/prometheus/blackbox_exporter/issues/264).

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/84
Document number of threads configuration depending on the machine available bandwidth
2022-03-03T11:41:08Z
juga

For instance, how many threads can we have when the machine available bandwidth is 100Mbps or 1Gbps.
Based on what we talked in https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsNetworkTeam/Notes/SBWSRoadmap#Questions

onbasca: 1.1

https://gitlab.torproject.org/tpo/web/community/-/issues/255
[slides] text overflows out of the slide
2022-05-06T01:39:43Z
emmapeel

The text on the presentation overflows very easily, and does not let you read the last phrase.
See for example:
![overflow.cleaned](/uploads/3aef8e2a1cbad8da0706b153efc3accb/overflow.cleaned.png)

https://gitlab.torproject.org/tpo/web/support/-/issues/287
[Censorship] Point to the 'snowflake' tag (on Tor forum) in the entry 'What is Snowflake'
2022-04-25T17:49:28Z
championquizzer championquizzer@torproject.org

Since we have some quality posts on the forum now, we are experimenting sorting articles on the forum with specific [tags](https://meta.discourse.org/t/a-comprehensive-guide-to-discourse-tags/121041). We have now created one for '[snowflake](https://forum.torproject.net/tag/snowflake)' and I believe we can point users to that from the Support FAQ

Gus

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40102
Several devices on the same network ?
2022-03-01T15:55:27Z
cypherpunks

Hi !
I got in touch with you once with that question :
- Is it possible to install Snowflake on all the devices connected to the same local network ? (Ex : On a family, on 2 PCs)
Your answer :
- Mmm, it's not recommended.
My request :
- To know if your answer is still relevant
- Whatever, can you write in the Wiki/website FAQ, etc. ?
Thank you ! Tons of love. :) ♥