The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-10-25T16:05:33Z

Proposed "Best Practices" for running Tor public network services
https://gitlab.torproject.org/tpo/core/tor/-/issues/28084
2023-10-25T16:05:33Z
George
Proposed Best Practices for Tor Public Services
including directory authorities and bandwidth scanners
In an effort to work towards standardized and current "best practices" for Tor public network infrastructure, this document serves as a starting point. Configuring and maintaining high-uptime internet public services is not a skill anyone is born with, but comes from experience and instruction. Input and updates are vital.
* Single-Purpose Servers
The most important rule for all Tor public services is that the servers should be configured and maintained for a single purpose. These are critical servers for the network and millions of users, and extraneous functions can not only deprecate the operation, but also provide a large footprint of possible vulnerabilities.
* Bare Metal over Virtualized
When there's a choice between a "bare metal" versus a virtual solution such as VPS or a cloud instance, opt for the former. Actual server hardware provides lower-level access to the system than any virtualized system. Virtualized systems are sharing various resources, such as processors, entropy sources and so on.
* Multiple IPs
Multiple IPs are useful to separate remote access via SSHD(8) from the publicly listening services.
* Operating System and Application Options
Stable versions of both the operating system and applications should be chosen over snapshot or current branches, as the former should require less attention and provide more stability. Tor public network services are not playgrounds to tinker with new software versions. The best operating system to use is the one the administrator is most comfortable with.
* Full-Disk Encryption (FDE)
FDE is an important aspect of security in the event an adversary takes physical control of the server. For a remote server, some type of console access may be required for the FDE password.
* System Partitioning
Separate partition for the relevant service; in some cases this would be the ${TOR_DATA_DIR}. There are two benefits. First, distinct mount(8) options can be enforced to enhance security, such as removing the ability to execute binaries (-o noexec). Second, in the event that the partition reaches full capacity, the server should remain accessible as it's separate from the main operating system's partitions. A minimum partition size should be pre-determined.
directory authority:
bandwidth scanner:
bridge directory authority: current partition utilization is 228Mb
* Time Synchronization
Reasonably accurate time is critical. All operating systems contain some sort of time-syncing daemon, such as NTPD. Accurate time should not be scheduled with tools like rdate, which perform periodic hard resets of time. Accurate time allows for easier correlation in troubleshooting any issues between remote servers. Setting time to UTC makes this task simpler between systems on different time zones.
* SSHD(8) and SSH(1)
SSHD should be configured with strong security knobs including the most current asymmetric encryption (ED25519 currently), public/private keypair authentication, with a password-secured private key. SSHD keypairs should periodically be replaced. Consider using tested two-factor authentication, such as YubiKey. By default, ssh(1) should notify you if host keys change. Turn off any non-essential sshd(8) knobs, such as "AllowAgentForwarding" and "X11Forwarding".
* SSHD(8) Host Keys
The SSHD(8) host keys are another critical authenticity measure. A list of host keys should be maintained, and in the event host keys change, other relevant parties should be notified immediately. Print out a hard copy of any relevant servers' host keys.
* .Onion SSHD
Running a separate tor instance with SSHD as a hidden or .onion service provides a quiet entryway into the server more difficult to locate for most adversaries.
* Ports/Packages over Source
Third-party packages/ports should be installed from the operating systems' packages/ports system which eases future upgrades. Installing from source means upgrades may leave residual files, and is more difficult to script.
* Minimize Ports/Packages
Post-install packages/ports should be kept to a bare minimum. In most cases, the base operating system utilities should be preferred over third-party packages.
* torrc Configuration
The specific torrc file should be provided, and configuration changes, if necessary, need to be communicated clearly. Only the minimum options should be included in the torrc.
* User Configuration
Separate users should be employed when possible to provide least-privilege. A regular, non-privileged user with sudo-type access should be the main remote management login. Any local scripts run via cron(8) should be run as separate, non-privileged users without a login shell (eg, /sbin/nologin). The root user's crontab(1) should not be used for Tor-related server functions if possible.
* Data Backups
Regular backups are vital, particularly for the ${TOR_DATA_DIR} which includes the server's fingerprint and keys. Backups should be stored remotely in a secure location.
* Backup Hardware
A cold, offline hardware backup server is strongly recommended. While the backup server might not have all the current data, it should be fully capable of quickly syncing once connected.
* DNS
DNS can be a tool to mitigate certain security problems. PTR records should be set to assist in determining the authenticity of a remote server. In the case that SSL/TLS is used, CAA records should also be configured. DNSSEC should be employed for better verification of DNS queries. Servers might consider running a local DNS caching server if lookups are a required part of the system's requirements.
* IPv6
IPv6 should be configured for the server. IPv6 is slowly being integrated into the Tor infrastructure, and maintaining functional IPv6 means developers can test code without server administrators playing catch-up.
* daily(8)
Daily operating system reports should be configured whether part of the base system, scripted or added as a third-party package. A regular check on system operation and health, including RAID disk status and packet throughput is important for maintaining server uptime.
* Remote Monitoring
Remote monitoring is vital for knowing when services are unavailable. Systems which require a listening agent, such as Nagios, should not be used, as they increase possible vulnerability footprints. There are lighter monitoring systems, such as Sysmon (xxxxx) which don't require any local configuration on the monitored device. With Sysmon, for instance, particular IP/port combinations can be checked at set intervals for responsiveness, with an alert delivered by email.
* Know Your Upstream Provider(s)
Relations with the provider and upstream are critical, most obviously in instances where cold backup hardware needs to be swapped out with failing current hardware. Additionally, in the event of dealing with hardware seizure, DDOS attacks, etc., coordination with the provider can be the critical ingredient.
* Backup Administrators and Mentoring
In most cases a single administrator is responsible for each network service. Carefully selected secondary administrators should be mentored in an effort to extend knowledge of building and maintaining high-uptime Tor services. Such a person should be considered well-trusted, and it's also an opportunity to diversify Tor's administrators to more women and other less-represented groups.

[Tor Browser 13 release] Update Tor Browser user manual
https://gitlab.torproject.org/tpo/web/manual/-/issues/150
2023-10-19T23:06:08Z
Gus
Main ticket to manage all modifications for the Tor Browser 13 release.
Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
ebanam ebanam@torproject.org

Clarify the section about using privileged ports
https://gitlab.torproject.org/tpo/web/community/-/issues/326
2023-10-16T16:36:05Z
harpia
<!--
* Use this issue template for suggesting new docs or updates to existing docs.
-->
### Problem to solve
In step number 5, we have instructions for using privileged ports
> If you decide to use a fixed obfs4 port smaller than 1024...
And it continues with
> To work around systemd hardening...
which is still talking about privileged ports. But visually, these paragraphs don't seem to be related. See how it renders:
![Screenshot_2023-10-14_at_21-16-06_Tor_Project_Debian___Ubuntu](/uploads/bd8165250bc43d9c9ee4f98b651c0f36/Screenshot_2023-10-14_at_21-16-06_Tor_Project_Debian___Ubuntu.png)
I'm not using a privileged port, but because of the structure of this document, for a while I thought I had to configure systemd!
### Further details
Link to the page: https://community.torproject.org/relay/setup/bridge/debian-ubuntu/
Link to the source: https://gitlab.torproject.org/tpo/web/community/-/blob/main/content/relay/setup/bridge/debian-ubuntu/contents.lr
I'm running Firefox 118.0.2 (64-bit) on Linux
### Proposal
<!-- Further specifics for how can we solve the problem. -->
I couldn't edit the page myself, as I don't recognize the syntax of these files. It looks a bit like Markdown, but it's different.
Gus

Update README with instructions for Arch linux
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40886
2023-10-03T15:38:27Z
Dan Ballard
I'm using Arch linux now, so there's a lot of packages to install to run RBM, I think I've collected them all
Dan Ballard

Add doc from tor-browser-spec/processes/ReleaseProcess to gitlab issue templates
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40898
2023-10-03T15:38:12Z
boklm
With tor-browser-spec#40049 we're going to remove
`tor-browser-spec/processes/ReleaseProcess`. Before doing that we should
add anything from that file not yet in the issue templates.
boklm

The README doesn't include some dependencies needed for building incrementals
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40880
2023-10-03T15:38:11Z
Pier Angelo Vendrame
It seems we're missing at least `libxml-libxml-perl`, but possibly also `libxml-writer-perl` and `libparallel-forkmanager-perl`.
```
$ make mullvadbrowser-incrementals-release
git submodule update --init
./rbm/rbm build release --step update_responses_config --target release --target create_unsigned_incrementals --target mullvadbrowser
tools/update-responses/download_missing_versions release
Can't locate XML/LibXML.pm in @INC (you may need to install the XML::LibXML module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.32.1 /usr/local/share/perl/5.32.1 /usr/lib/x86_64-linux-gnu/perl5/5.32 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.32 /usr/share/perl/5.32 /usr/local/lib/site_perl) at tools/update-responses/download_missing_versions line 20.
BEGIN failed--compilation aborted at tools/update-responses/download_missing_versions line 20.
make: *** [Makefile:501: mullvadbrowser-incrementals-release] Error 2
```
/cc @boklm
Dan Ballard

Consider adding a readme to the fonts directory
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40615
2023-10-03T15:38:05Z
Pier Angelo Vendrame
We could add a readme.txt to the font directory, in which we explain to users that they aren't supposed to add fonts on their own, sum up the risk, and link some FAQ page.
Sponsor 131 - Phase 2 - Privacy Browser

add some content from https://wiki.localizationlab.org/index.php/Tor to our l10n wiki
https://gitlab.torproject.org/tpo/community/l10n/-/issues/40034
2023-09-27T15:24:29Z
emmapeel
I see some content hosted there could/should be maintained by us. We could maintain:
https://wiki.localizationlab.org/index.php/Tor#Style_Guide
(there is some more material to add to each language)
Also maybe the priorities list. Or an explanation of each of the translation resources.
emmapeel

Onion Services PoW feature release strategy
https://gitlab.torproject.org/tpo/community/team/-/issues/93
2023-09-25T16:04:26Z
Silvio Rhatto
Release strategy on the [PoW](tpo/core/tor#40634) protection:
* [x] Draft [Q&A][] for ext. inquiries (cc @rhatto).
* [x] Write the docs (handled on tpo/web/community#312).
* [x] Write a [call for ~testers~ operators](https://pad.riseup.net/p/powcallfortesters) for a forum post (how/where to test, submitting feedback etc) (audience: Onion Service operators). Consider using the [Conjure one](https://forum.torproject.net/t/call-for-testers-help-the-tor-project-to-test-conjure-on-tor-browser-alpha/7815) as a template.
* [x] Write a blog post to be released along with the stable; involve Comms team (cc @pavel).
* [x] Final fact check with the larger team.
* [x] Publish the [blog post][].
* [x] Publish the [forum post][].
* [x] Publish an additional ~forum post~ [wiki page][] with the full [Q&A][].
Feedback collection ([moved to another ticket](tpo/community/team#95)):
* [~] Report back ~"For Network Health Team" (via forum post comments and issues).
* [~] Update the [Support Portal](https://support.torproject.org/) with the questions most asked by users (instead of just including everything from the Q&A, which would increase the number of strings to translate).
[Q&A]: https://pad.riseup.net/p/powqna
[blog post]: https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/
[forum post]: https://forum.torproject.org/t/proof-of-work-pow-defense-for-onion-service-is-released/8887
[wiki page]: https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ
Silvio Rhatto
2023-08-23

Ensure deployment instructions and install example include the steps for a non root user
https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/142
2023-09-21T10:34:49Z
juga
After meskio has explained to me how things are deployed, we should facilitate the deployment for a non root user at https://gitlab.torproject.org/tpo/tpa/team/-/issues/41046.
juga

Update license and copyright
https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/51
2023-09-21T10:34:49Z
Georg Koppen
We should think about which license we actually want for onbasca (in particular as it borrows ideas/code from sbws) and update the copyright notice, too. It should include at least TPI in addition to @juga.
onbasca: 1.0
juga

Add links to all specs available on collector page
https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40090
2023-09-19T09:32:05Z
Georg Koppen
While trying to review collector#40016 I was hunting down references for all the specs involved. It turns out they are all over the place and it's hard to keep track of them.
On collector.html we link to some of those specs, which is good. However, we should collect the links to all the missing specs and add them there, too, so we have at least one canonical place where all specs are just one click away.
Oh, and while we are at it we should replace those old gitweb links.
Georg Koppen

doc/ missing in build directory for out-of-tree builds
https://gitlab.torproject.org/tpo/core/tor/-/issues/26591
2023-09-15T11:42:09Z
Trac
**autoconf** allows building tor outside the source directory using `--srcdir=DIR`.
In that case, _doc/_ is not copied or symlinked from source to build directory, causing pages to be unnecessarily regenerated using **rst2man**.
Would it be possible to adjust the _configure_ stage to account for this?
Specifically, this would allow complete out-of-tree builds at least on OpenBSD, where the following quirk is required after _configure_ and before _build_ stage to enable separation without **py-docutils** as additional build dependency:
```
pre-build:
	ln -sf ${WRKSRC}/doc/ ${WRKBUILD}/
```
**Trac**:
**Username**: kn

Localize materials into Arabic, Chinese, Farsi & Swahili
https://gitlab.torproject.org/tpo/community/l10n/-/issues/40094
2023-09-06T15:45:21Z
Gaba gaba@torproject.org
In the context of [sponsor 134](https://gitlab.torproject.org/groups/tpo/-/milestones/45#tab-issues) localize the following materials:
- [ ] [the Tor Project’s main website](https://hosted.weblate.org/projects/tor/tpo-web/) (torproject.org)
- [x] Arabic: <img src="https://hosted.weblate.org/widgets/tor/ar/tpo-web/svg-badge.svg" alt="Translation status" />
- [x] Chinese: <img src="https://hosted.weblate.org/widgets/tor/zh_Hans/tpo-web/svg-badge.svg" alt="Translation status" />
- [ ] Persian: <img src="https://hosted.weblate.org/widgets/tor/fa/tpo-web/svg-badge.svg" alt="Translation status" />
- [x] Swahili: <img src="https://hosted.weblate.org/widgets/tor/sw/tpo-web/svg-badge.svg" alt="Translation status" />
- [x] censorship circumvention portals (gettor and bridges.torproject.org) - bridges is not available for translation yet
- [x] Arabic: <img src="https://hosted.weblate.org/widgets/tor/ar/gettor-website/svg-badge.svg" alt="Translation status" />
- [x] Chinese: <img src="https://hosted.weblate.org/widgets/tor/zh_Hans/gettor-website/svg-badge.svg" alt="Translation status" />
- [x] Persian: <img src="https://hosted.weblate.org/widgets/tor/fa/gettor-website/svg-badge.svg" alt="Translation status" />
- [x] Swahili: <img src="https://hosted.weblate.org/widgets/tor/sw/gettor-website/svg-badge.svg" alt="Translation status" />
- [x] the [Tor Browser manual](https://hosted.weblate.org/projects/tor/tor-browser-user-manual/)
- [x] Arabic: <img src="https://hosted.weblate.org/widgets/tor/ar/tor-browser-user-manual/svg-badge.svg" alt="Translation status" />
- [x] Chinese: <img src="https://hosted.weblate.org/widgets/tor/zh_Hans/tor-browser-user-manual/svg-badge.svg" alt="Translation status" />
- [x] Persian: <img src="https://hosted.weblate.org/widgets/tor/fa/tor-browser-user-manual/svg-badge.svg" alt="Translation status" />
- [x] Swahili: <img src="https://hosted.weblate.org/widgets/tor/sw/tor-browser-user-manual/svg-badge.svg" alt="Translation status" />
- [x] our [support portal](https://hosted.weblate.org/projects/tor/support-portal/)
- [x] Arabic: <img src="https://hosted.weblate.org/widgets/tor/ar/support-portal/svg-badge.svg" alt="Translation status" />
- [x] Chinese: <img src="https://hosted.weblate.org/widgets/tor/zh_Hans/support-portal/svg-badge.svg" alt="Translation status" />
- [x] Persian: <img src="https://hosted.weblate.org/widgets/tor/fa/support-portal/svg-badge.svg" alt="Translation status" />
- [x] Swahili: <img src="https://hosted.weblate.org/widgets/tor/sw/support-portal/svg-badge.svg" alt="Translation status" />
_Farsi translations will be done by Localization Lab, paid by Tor._
_Chinese, Arabic and Swahili will be done by Localization Lab, paid by IRI._
Sponsor 134: Localizing Tor tools and documentation into Arabic, Chinese, and Swahili
emmapeel
2023-08-11

New cross-browser fingerprinting method
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32922
2023-09-01T01:40:59Z
Trac
This isn't really an enhancement, but is everyone here aware of this new cross-browser fingerprinting method? Have there been any tests of the current Tor Browser's resistance to this?
----------------------------
http://uniquemachine.org/
#
https://arstechnica.com/information-technology/2017/02/now-sites-can-fingerprint-you-online-even-when-you-use-multiple-browsers/
http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf
----------------------------
If already discussed elsewhere, redirect to relevant ticket.
I tested the uniquemachine.org webpage on the Tor Browser on a computer running Windows 10 and it got stuck on 'fingerprinting GPU' and the display of graphics - probably due to WebGL disabled but I can't be sure.
In terms of defenses to this:
- Disabling JavaScript is the obvious. WebGL is already disabled by default in the Tor Browser, so all ok there?
- Disabling the microphone is another measure. I can't see that Windows 10 has the option to disable speakers aside from turning the volume down to 0 for all apps, or for just for the Tor Browser.
- Is running the Tor Browser in a virtual machine kind of overkill to be completely sure of preventing this (and other) cross-browser fingerprinting?
**Trac**:
**Username**: thelamper

Donor FAQ bugs/suggestions RE: bank transfer
https://gitlab.torproject.org/tpo/web/donate-static/-/issues/98
2023-08-24T04:26:31Z
mattlav
From [this ticket](https://rt.torproject.org/Ticket/Display.html?id=270570):
===========================================
Dear torproject team,
I want to donate using eu bank transfer. I looked at your FAQ and found
some "bugs" that make this harder. Therefore I want to suggest some
improvements to the faq, to make donating easier. I hope this way you
might get more donations to make tor even better.
TLDR: Proposals:
1) Fix the link "EU Bank Transfer" in
https://donate.torproject.org/donor-faq section 3 so that it points the
user to the IBAN directly
2) Add clearer wording that the listed IBAN is the one to use for donations.
3) Besides the IBAN tell the donors which reference to use in the bank
transfer (or make clear that the reference does not matter if none is
needed)
Details: Motivation/My experience with the faq site:
I visited your donation site https://donate.torproject.org because I wanted to donate with eu bank transfer. I found your faq and the section "3. How else can I donate to the Tor Project?". But clicking on "EU Bank Transfer" only brings me to the top of the page. (The link is https://donate.torproject.org/donor-faq/#eu-bank-transfer, the anchor seems to be broken).
So it is quite hard to find the correct way to donate. After reading the whole faq I found section "15. Is my donation tax-deductible?" which mentions the Renewable Freedom Foundation and an IBAN. But the wording is not really clear: It talks about tax-deductible donations, but does not say "this is the IBAN to use for donations to us". Additionally it confused me that there is no Reference given that should be used, like "donation torproject", which I would expect here to be needed so the Renewable Freedom Foundation can find out to whom I want to donate.
===========================================
Assigning this to @smith for now; as mentioned in the ticket, these suggestions are probably wise to implement now, and also to keep in mind as we establish Open Collective as our fiscal sponsor in Europe.
al smith

User documentation related to the upcoming Onion Services PoW protection
https://gitlab.torproject.org/tpo/web/community/-/issues/312
2023-08-16T12:23:06Z
Silvio Rhatto
Create user documentation related to the upcoming Onion Services PoW protection (tpo/core/tor!702):
* [x] Sync with Network and Applications Team to coordinate this documentation with C Tor and Tor Browser releases implementing this feature.
* [x] Check the torspec, man page and the [onion-pow-example](https://gitlab.torproject.org/beth/onion-pow-example).
* [x] Test the feature. Moved to tpo/onion-services/onion-support#229.
* [x] Write/update the documentation:
* [x] Client side: what the users should know, need to do and possible issues (like PoW on low-end mobile devices) (this may go to a different ticket, possibly related to the Tor Browser manual). Being handled at tpo/community/team#93.
* [x] Handle tpo/core/torspec!153 and tpo/core/torspec!155.
* [x] Server side: steps to implement the PoW defense by Onion Service Operators at the [Onion service DoS guidelines][] page (tpo/web/community!313).
[Onion service DoS guidelines]: https://community.torproject.org/onion-services/advanced/dos/
References:
* [Tor Browser build with PoW support](https://gitlab.torproject.org/beth/tor-browser-build/-/tree/torbrowser-with-pow?ref_type=heads)
* [onion-pow-example](https://gitlab.torproject.org/beth/onion-pow-example)
/cc @gus
Silvio Rhatto
2023-08-16

[Onion Services] Featured onions - EFF, Certbot, SSD
https://gitlab.torproject.org/tpo/web/community/-/issues/316
2023-08-10T17:28:54Z
Gus
A little bit late to the party, but hey, let's add these new onions to the #featured-onions list:
```
Today, we’re announcing .onion addresses for eff.org and two of its affiliated projects: Certbot, an EFF-developed tool for automatically obtaining and renewing TLS certificates for websites, and Surveillance Self-Defense, which provides resources and guidance for individuals and organizations to protect themselves from surveillance and other security threats.
```
https://www.eff.org/deeplinks/2023/04/eff-now-has-tor-onions
```
eff.org
iykpqm7jiradoeezzkhj7c4b33g4hbgfwelht2evxxeicbpjy44c7ead.onion
certbot.eff.org
5yl6j7al5iwjn3kltayvumj5d25agnq4t6rznkvphossoqyzb3batwid.onion
ssd.eff.org
y7yea4pmqqtznb33qiugvysyn2bob5v62e4pvoadoibrwkq3tsddjeyd.onion
```

webtunnel bridge doesn't need to set "PublishServerDescriptor 1" in torrc
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/23
2023-08-09T09:25:06Z
Roger Dingledine
The WebTunnel README suggests to set
```
PublishServerDescriptor 1
```
That's the default value, i.e. I don't think that line is needed for anything or changes anything.
Does something break without it? If not we could simplify the instructions a little bit.
meskio meskio@torproject.org

webtunnel README doesn't have a "build the server" step
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/24
2023-08-09T08:23:27Z
Roger Dingledine
The WebTunnel README says to cp the server file to your bridge server, but doesn't say how to get or build the server file.
Shel suggested (in person) that you could get the server file from gitlab's CI, e.g. from https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/jobs/310087/artifacts/browse/build/amd64-linux/
But the more expected model is that people should either install a webtunnel package from their operating system, or build it themselves.
At the bottom of https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/blob/main/release/build.sh is the command line instruction for building webtunnel server-side:
```
go build -ldflags="-s -w" -o "build/$GOARCH-$GOOS/server" gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/main/server
```
So we should think about integrating that line into the README for people who aren't installing via docker or operating system package.
meskio meskio@torproject.org