The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-08-23T19:53:08Z

Exits should block reentry into the tor network
https://gitlab.torproject.org/tpo/core/tor/-/issues/2667
2023-08-23T19:53:08Z
Mike Perry

With proposal 110, we blocked the ability of Tor clients to use the Tor protocol for an unbounded amplification attack to destroy the Tor network. However, we still have not completely prevented this attack. It is still possible to tunnel tor over tor by using exits to connect back to other tor nodes. This property can still be used to execute the unbounded amplification attack on the Tor network, or just on the tor directory authorities.
One fix for this would be to add code to exit nodes to implicitly add all of the IP + ORport combinations of all other relays to their exit policy reject lines, or otherwise block this connection at some other level.
David Goulet dgoulet@torproject.org

[Onion services] Add one more featured .onion site
https://gitlab.torproject.org/tpo/web/community/-/issues/176
2021-03-25T15:07:32Z
Gus

We used to have 3 featured .onion sites [here](https://community.torproject.org/onion-services/), but one was removed and the space is not empty.
I believe we have some good candidates to add there.
Gus

Usability Testing - Tor Onboarding - Costa Rica
https://gitlab.torproject.org/tpo/ux/research/-/issues/29
2021-05-05T15:47:39Z
Nah

# Usability Testing Plan
This research is funded by the Internews - Feedback Collection Funding Pool 2021.
## Purpose of test and research questions
Understand the main problems someone would have while trying to install, configure and use Tor Browser. Additionally, understand their first reaction toward TB compared to their experience with other browsers.
## Participants
9 participants from Costa Rica
### Recruitment criteria
The Funding Pool goal is to collect feedback from local communities. And so, this research is focused at a specific feminist community. Almost all participants are organizers of said community, but there are also other participants from similar organizations.
## Protocol
### Method
This is an exploratory, unmoderated test, and will be run remotely.
### Test environment, equipment and logistics
We will be testing the Tor Browser. But as this is a remote study, people will use their own setup/computer (desktop/laptop).
## Task(s)
1. Search for Tor Browser and install it in your computer.
2. Run TB for the first time.
3. Visit different news and video sites that you normally use.
### Scenario
A friend recommended you to use Tor to access the Internet.
### Success criteria for each task:
| ID | Task |
| ------ | ------ |
| 1.1 | Be able to find Tor Browser. |
| 1.2 | Be able to install it correctly. |
| 2.1 | Be able to configure TB correctly. |
| 2.2 | (Open) Understand why it is necessary to configure it. |
| 3.1 | (Open) Understand if they see any problems accessing sites they normally use. |
| 3.2 | (Open) Understand how different this experience is from their normal use of the internet (other browsers). |
| 3.3 | (Open) Understand at first glance if they would use TB in their day to day, and why. |
## Session Outline and timing
### 1. Introduction to the session (5')
The goal of this research is to test the design of Tor. That is: we are not evaluating the participants, but how the browser is built. So we appreciate total honesty throughout the process.
The time it takes to finish the exercises depends on your internet connection, since the browser has to be downloaded, but we hope it will not take more than 25 min.
Thank you very much for your time and space. :)
### 2. Introductory Context (3')
1. Which browsers do you have installed on your computer (laptop/desktop)?
   - Chrome or Chromium
   - Firefox
   - Safari
   - Opera
   - Vivaldi
   - Brave
   - Internet Explorer
   - Tor Browser
2. Which ones do you use day to day?
   - Chrome or Chromium
   - Firefox
   - Safari
   - Opera
   - Vivaldi
   - Brave
   - Internet Explorer
   - Tor Browser
3. Have you used Tor Browser before?
   - Yes
   - No
### 3. Tasks (20')
**Installation**
Scenario: An acquaintance recommended that you use Tor to browse the internet.
Activity: Search for the browser and install it on your computer.
1. Did you have any problem searching for the browser?
   - Yes (which?)
   - No
2. Did you have any problem installing Tor Browser?
   - Yes (which?)
   - No

**First use**
Activity: Run the browser for the first time.
0. If you already have Tor Browser installed, skip to the next section.
1. Did you have any problem configuring the browser?
   - Yes (which?)
   - No
2. Is it clear why it is necessary to configure the browser? Why?
   - Yes
   - No

**Using the browser**
Activity: Visit different news and video sites that you know.
1. Did you have any problem viewing the sites?
2. How different is Tor from the browser you normally use?
3. Would you use Tor day to day? Why?
   - Yes
   - No

**End**
Thank you very much for your time and honesty!
josernitos hola@josernitos.com
2021-05-31

Connect Prop#324 using ProtoVer and Prop#332 ntor handshake
https://gitlab.torproject.org/tpo/core/tor/-/issues/40444
2022-02-22T21:01:38Z
Mike Perry

We need to write code that enables the congestion control code only if FlowCtrl=2 ProtoVer is present, and the circuit handshake from [Prop 332](https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/332-ntor-v3-with-extra-data.md) agrees that the consensus says that congestion control is enabled.
Here's a checklist of properties to make sure we hit:
* [x] Congestion control is off by default (cc_alg=0 by default)
* [x] Onion Service Descriptor can list equivalent of FlowCtrl=2 Protover
* [x] Client does not attempt negotiation unless Exit or Onion Service lists FlowCtrl=2 and consensus says cc_alg != 0
* [x] If exit sees cc_alg=0, but it got a negotiation attempt, it replies with a nack, and both endpoints MUST free their congestion control object (to use the old fixed sendme code).
* [x] Negotiate the 'sendme_inc' value to agree using Prop#332 (formerly called cc_circwindow_inc).
* [x] Send 'cc_xon_rate' for future drop cell enforcement of XON/XOFF ratelimits
* [x] One-sided (non-negotiated) bounds limits on consensus parameters wrt each other (See Prop#324 Section 6.5)
See https://gitlab.torproject.org/tpo/core/tor/-/issues/40377 for previous discussions about negotiation.
Cc: @nickm @dgoulet
Tor: 0.4.7.x-freeze
Mike Perry
2021-09-15

Add a security.txt file to torproject.org
https://gitlab.torproject.org/tpo/web/tpo/-/issues/132
2023-02-17T20:00:09Z
teor

security.txt files give people the information they need to contact Tor when they find a security issue.
It's an IETF draft, and Google has done it, so maybe we should too:
https://securitytxt.org/
We can use the existing information at:
https://www.torproject.org/about/contact#security
And we might want to:
* add a PGP key file
* add a signature
* maybe add a policy or acknowledgements when we decide how they work

Add December 2020 newsletter
https://gitlab.torproject.org/tpo/web/newsletter/-/issues/12
2020-12-22T13:28:40Z
Gus

Gus

Creating a community wiki hub/repository
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/66
2021-03-26T19:42:27Z
Barkin Simsek

Hi,
I have a proposal for improving the current wiki chaos:
I think we are missing a lot by not having a central and public wiki like the one in Trac. There were very many non-technical wiki pages about various meetings, opinions, projects built by the community, etc. that helped to develop and engage the Tor community. I was even browsing the Trac wikis in my free time to find interesting pages, and I was learning a lot.
Now, wiki pages are scattered across different repositories, and one cannot easily browse these pages. I'm not proposing to put all wiki pages back into a single repository on GitLab, but creating a dedicated official "community repository/project" for hosting wiki pages created by the community. Ideally, this dedicated repository should be editable by anyone with a GitLab account (like the Trac's public wiki pages). For example, if I hate Cloudflare blocking Tor and let people know about this, I should be able to create a wiki page about my arguments in the dedicated repository. Yes, I could do the same thing in my personal repository, but you know, who cares about my personal repositories and reads wiki pages in them. So, this repo would serve as a "community wiki hub" and provide some sort of visibility & organization.
The dedicated repository can also be useful for indexing wiki pages in other repositories. People can create wiki pages in the dedicated repository that point people to other wiki pages in other repos. Next time when someone asks "where is the X wiki page on GitLab?", the dedicated repo can be the first place to check to find the right pointer.
Finally, wiki.torproject.org would point to this dedicated repo. Currently, it points to the Trac wiki.
Gaba gaba@torproject.org

[Tor Browser Homepage] Parentheses missing in definition
https://gitlab.torproject.org/tpo/web/support/-/issues/173
2021-04-05T19:56:37Z
kulsoom.zahra kulsoomzahra24@gmail.com

![WhatsApp_Image_2021-04-02_at_7.04.38_PM](/uploads/9b4bac612f120fc2d00de9c731c281a2/WhatsApp_Image_2021-04-02_at_7.04.38_PM.jpeg)
> a 501(c)3 US nonprofit
Parentheses around 3 are missing on the [homepage](https://www.torproject.org/) but are present on [Google Play Store](https://play.google.com/store/apps/details?id=org.torproject.torbrowser) definition. We should add them on the homepage too.
kulsoom.zahra kulsoomzahra24@gmail.com

[Verify sig] Replace 'program'
https://gitlab.torproject.org/tpo/web/support/-/issues/179
2021-04-06T13:32:04Z
kulsoom.zahra kulsoomzahra24@gmail.com

The [how can I verify TB's signature](https://support.torproject.org/tbb/#how-to-verify-signature) says
![WhatsApp_Image_2021-04-05_at_6.16.38_PM](/uploads/291ba6c8b273e6845545c985ca16e951/WhatsApp_Image_2021-04-05_at_6.16.38_PM.jpeg)
I think we can replace 'program' with Browser, because we are explicitly answering how to verify Tor Browser download.
kulsoom.zahra kulsoomzahra24@gmail.com

After Dec 31, remove mask and add stickers pack
https://gitlab.torproject.org/tpo/web/donate-static/-/issues/22
2021-01-12T22:05:52Z
Gus

Instead of $50, sticker pack will be $25.
Gus

Add a Dogecoin Wallet Address to the Donate Page
https://gitlab.torproject.org/tpo/web/donate-static/-/issues/23
2021-06-28T20:08:15Z
Susan

Hey @gus,
Can you add the following wallet address for Dogecoin to the crypto currency donate page?
`DJwRnafcjDbzqWM5vsCphuyQuTc2QB3a8F`
Thanks,
Sue
Gus

Review and improve donation user journeys
https://gitlab.torproject.org/tpo/web/donate-static/-/issues/24
2023-12-05T22:00:25Z
donuts

Grants, Fundraising & UX are reviewing the current donor user journeys with an aim to redesign our donation forms/processes in 2021. This ticket is to track documentation produced from this effort and suggested UX improvements to donate.tpo.org.
This project will consider:
- Current user flows and pain points, including potential improvements to both the UX and stability (i.e. frequency of bugs) of our forms
- Behind-the-scenes touch-points and integrations, including potential efficiency savings from reducing the amount of manual admin (i.e. cost to serve)
- Testing our content and messaging with prospective and existing donors
- Conducting user or A/B testing in a privacy-preserving manner
- Any other opportunities to ethically optimize conversions in-keeping with the spirit of design at Tor (i.e. no dark-patterns)

Redesign donate.torproject.org
donuts
2021-05-21

Produce wireframes and tech spec for new donate templates
https://gitlab.torproject.org/tpo/web/donate-static/-/issues/26
2023-12-05T22:00:26Z
donuts

Wireframe the new donate experience based on the flows outlined in https://gitlab.torproject.org/tpo/web/donate-static/-/issues/24, and include annotations outlining technical/back-end functionality where appropriate.
**Todo list:**
- [x] Prepare wireframes for internal review on **Wednesday 19th May**
- [x] Apply feedback and send to Openflows for external review on **Friday 21st May**

Redesign donate.torproject.org
donuts
2021-05-20

Set up a Gitlab instance
https://gitlab.torproject.org/tpo/tpa/team/-/issues/29400
2020-07-01T15:12:03Z
Linus Nordberg linus@torproject.org

We are going to evaluate Gitlab as a replacement for trac, gitweb.tpo, git-rw.tpo, github.com.
This ticket tracks the progress of the setup of a Gitlab service.
cf https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#gitlabservice
1. [x] #33922 hardware requirements and planning
2. [x] #29402 VM creation
3. [x] #29401 LDAP group
4. [x] #32730 migration from dip
5. [x] #30857 migration from trac, phase I: tickets
Postponed post-launch:
* https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/49 monitoring
* https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/36 Phase II: git migration policies.
* other issues with gitlab are in https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues

new gnt-fsn node (fsn-node-07)
https://gitlab.torproject.org/tpo/tpa/team/-/issues/34304
2020-07-02T13:54:27Z
anarcat

need to create one last ganeti node to replace kvm5 (legacy/trac#33084)
Hiro

document puppet more and alternatives to monorepo
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40024
2020-07-07T19:26:46Z
anarcat

I particularly want to go through and summarize:
* [x] #29387, #29663, #30770 - [alternative deployment options](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#proposed-solution)
* [x] #31226 - [validation hooks](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#validating-puppet-code)
* [x] [LDAP integration](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#ldap-integration) and [lookups](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#ldap-lookups)
* [x] [lookup mechanisms](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#getting-information-from-other-nodes) (Hiera's `lookup()`, Puppet's `puppetdb_query()`, puppetdbquery's `query_nodes()`, LDAP and exported resources (!!))
* [x] external data sources ([Nagios](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#nagios-integration), [let's encrypt certs](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#lets-encrypt-tls-certificates), [auto-ca certs](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#internal-auto-ca-tls-certificates), hopefully didn't miss anything)
* [x] [disaster recovery](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#disaster-recovery) (hope really really hard that backups work)
* [x] [add a glossary](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#glossary)
* [x] [install procedures](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#installation)
* [x] [design overview](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#design)
* [x] [git-subrepo review](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/howto/puppet/#subrepo)
I particularly did some research on the first item in the list and
need to braindump this.
Update: the list above contains direct links to the sections that have
been added or improved.
anarcat

RT spams TPA with bounces
https://gitlab.torproject.org/tpo/tpa/team/-/issues/33314
2022-09-06T17:04:26Z
anarcat

Since I fixed the root aliases everywhere, we seem to be getting spam mail bounced back to the tpa alias, from the root@rude email account.
It seems that this mail was previously being delivered locally to the `nobody` mailbox, which is now a whopping 630MB:
```
root@rude:/var/mail# ls -al /var/mail/*
-rw-rw---- 1 amavis mail 5688 May 4 2016 /var/mail/amavis
-rw-rw---- 1 nobody mail 660486247 Feb 12 21:46 /var/mail/nobody
-rw-rw---- 1 rtmailarchive mail 28174 Sep 1 2016 /var/mail/rtmailarchive
```
Since legacy/trac#32283 was deployed, that has stopped growing but instead we're all getting spammed with that junk, which isn't much of an improvement. But at least those problems will have to get fixed.
The first problem is messages in the form:
> From: rt@rt.torproject.org
> Subject: Failed attempt to create a ticket by email, from <email>
>
> <email> attempted to create a ticket via email in the queue help-es; you
> might need to grant 'Everyone' the CreateTicket right.
We got 23 such emails since the alias was fixed, and this will probably just keep going forever.
I reported this as a bug in the upstream forum, in:
https://forum.bestpractical.com/t/rt-4-4-too-noisy-with-denied-users/34749
I also filed this as a bug in Debian:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951272
and filed a patch in:
https://github.com/bestpractical/rt/pull/291
That latter patch is directly applied on rude right now, with:
```
wget -O ~anarcat/PR-291-no-err-on-deny.patch https://patch-diff.githubusercontent.com/raw/bestpractical/rt/pull/291.patch
cd /usr/share/request-tracker4
patch -p1 < ~anarcat/PR-291-no-err-on-deny.patch
service apache2 restart
```
just skip the `t/` chunk.
I'll wait and see what feedback I get from upstream and Debian before deciding what to do with this in the long term. Options include:
1. blocking users at the MTA level - requires TPA operation which we'd like to avoid, we want to train RT admins to be autonomous
2. patch the bug in Debian and follow that process to get rude updated in the long term
3. hotfix the Debian package in our archive
We also need to decide what to do about that 600M mail archive... I'll probably just delete it once I'm happy with our solution.
anarcat

rude should be upgraded to buster(Debian 10)
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40016
2021-02-04T15:29:37Z
weasel (Peter Palfrader)

anarcat

backport invoke and fabric to debian buster and update invoke in debian testing
https://gitlab.torproject.org/tpo/tpa/team/-/issues/34424
2020-09-14T16:21:43Z
anarcat

We rely on newer features of Fabric in our configuration that are not present in Debian buster. Upload a backport to the official Debian backports.
anarcat

Disable email outage notifications to anti-censorship-alerts@
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40026
2020-09-28T20:25:37Z
Philipp Winter phw@torproject.org

Our Nagios setup is sending email alerts to the anti-censorship-alerts@ list. Can we please disable that? In particular, we are getting email alerts for gettor-01 and polyanthum.
anarcat