Commit d84a97fb authored by Roger Dingledine

finish poking at the changelog

parent 47122d1d
+28 −21
Changes in version 0.2.4.8-alpha - 2013-01-14
  Tor 0.2.4.8-alpha introduces directory guards to reduce user enumeration
  risks, adds a new stronger and faster circuit handshake, and offers
  stronger and faster link encryption when both sides support it.
  o Major features:
    - Preliminary support for directory guards (proposal 207): when
      possible, clients now use their entry guards for non-anonymous
      directory requests. This can help prevent client enumeration. Note
      that this behavior only works when we have a usable consensus
      directory: and when options about what to download are more or
      less standard. Resolves ticket 6526.
    - Tor servers and clients now support a better CREATE/EXTEND cell
      directory, and when options about what to download are more or less
      standard. In the future we should re-bootstrap from our guards,
      rather than re-bootstrapping from the preconfigured list of
      directory sources that ships with Tor. Resolves ticket 6526.
    - Tor relays and clients now support a better CREATE/EXTEND cell
      format, allowing the sender to specify multiple address, identity,
      and handshake types. Implements Robert Ransom's proposal 200;
      closes ticket 7199.
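Review bot: The new sentence in the directory guards entry, "In the future we should re-bootstrap from our guards, rather than re-bootstrapping from the preconfigured list of directory sources that ships with Tor", reads as a developer to-do inside a user-facing entry and leaves the present behavior implicit. Suggest phrasing it as a current limitation, stating plainly that without a usable consensus clients still bootstrap from the preconfigured directory sources, so readers can see where the enumeration protection does not yet apply.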
@@ -16,7 +21,7 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
    - Tor now supports a new circuit extension handshake designed by Ian
      Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original
      circuit extension handshake, later called "TAP", was a bit slow
      (especially on the server side), had a fragile security proof, and
      (especially on the relay side), had a fragile security proof, and
      used weaker keys than we'd now prefer. The new circuit handshake
      uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman
      function, making it significantly more secure than the older
@@ -35,30 +40,31 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
      Implements proposal 216; closes ticket 7202.
  o Major features (better link encryption):
    - Servers can now enable the ECDHE TLS ciphersuites when available
      and appropriate. These ciphersuites let us negotiate forward-
      secure TLS secret keys more safely and more efficiently than with
      our previous use of Diffie-Hellman modulo a 1024-bit prime.
      By default, public servers prefer the (faster) P224 group, and
      bridges prefer the (more common) P256 group; you can override this
      with the TLSECGroup option.
    - Relays can now enable the ECDHE TLS ciphersuites when available
      and appropriate. These ciphersuites let us negotiate forward-secure
      TLS secret keys more safely and more efficiently than with our
      previous use of Diffie-Hellman modulo a 1024-bit prime. By default,
      public relays prefer the (faster) P224 group, and bridges prefer
      the (more common) P256 group; you can override this with the
      TLSECGroup option.
      Enabling these ciphers was a little tricky, since for a long time,
      clients had been claiming to support them without actually doing
      so, in order to foil fingerprinting. But with the client-side
      implementation of proposal 198 in 0.2.3.17-beta, clients can now
      match the ciphers from recent Firefox versions *and* list the
      ciphers they actually mean, so servers can believe such clients
      ciphers they actually mean, so relays can believe such clients
      when they advertise ECDHE support in their TLS ClientHello messages.
      This feature requires clients running 0.2.3.17-beta or later,
      and requires both sides to be running OpenSSL 1.0.0 or later
      with ECC support. OpenSSL 1.0.1, with the compile-time option
      "enable-ec_nistp_64_gcc_128", is highly recommended. Implements
      the server side of proposal 198; closes ticket 7200.
      "enable-ec_nistp_64_gcc_128", is highly recommended.
      Implements the relay side of proposal 198; closes ticket 7200.
  o Major bugfixes:
    - Avoid crashing when, as a node without IPv6-exit support, a
    - Avoid crashing when, as a relay without IPv6-exit support, a
      client insists on getting an IPv6 address or nothing. Fixes bug
      7814; bugfix on 0.2.4.7-alpha.
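Review bot: In the ECDHE entry, the requirements text ("requires clients running 0.2.3.17-beta or later, and requires both sides to be running OpenSSL 1.0.0 or later with ECC support") does not say what a connection negotiates when those requirements are not met. One sentence on the fallback would tell relay operators what an older peer gets. Separately, in the first Major bugfixes entry, "as a relay without IPv6-exit support, a client insists" attaches "as a relay" to the client; moving the clause, as in "when a client insists on getting an IPv6 address or nothing and we are a relay without IPv6-exit support", removes the ambiguity.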
@@ -68,13 +74,14 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
      upon the number of hop-RTTs that a particular circuit type
      undergoes. Additionally, launch intro circuits in parallel
      if they timeout, and take the first one to reply as valid.
    - Work correctly on unix systems where EAGAIN and EWOULDBLOCK are
      separate error codes--or at least, don't break for that reason.
    - Work correctly on Unix systems where EAGAIN and EWOULDBLOCK are
      separate error codes; or at least, don't break for that reason.
      Fixes bug 7935. Reported by "oftc_must_be_destroyed".
    - Update to the January 2 2013 Maxmind GeoLite Country database.
  o Minor features (testing):
    - Add benchmarks for DH (1024-bit multiplicative group) and ECDH
      (P-256) diffie-hellman handshakes to src/or/bench.
      (P-256) Diffie-Hellman handshakes to src/or/bench.
    - Add benchmark functions to test onion handshake performance.
  o Minor features (path bias detection):
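Review bot: The EAGAIN/EWOULDBLOCK entry now joins its halves with a semicolon ("separate error codes; or at least, don't break for that reason"), which leaves a fragment after it; a comma or parentheses would read better. The same entry ends with "Fixes bug 7935" but gives no "bugfix on" version, unlike the bug 7814 entry earlier in this file. In the context line above it, "if they timeout" should be "if they time out".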
@@ -103,7 +110,7 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
      makes us more resilient to ambient circuit failure without any
      detection capability loss.
  o Minor bugfixes:
  o Minor bugfixes (log messages):
    - Rate-limit the "No circuits are opened. Relaxed timeout for a
      circuit with channel state open..." message to once per hour to
      keep it from filling the notice logs. Mitigates bug 7799 but does
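Review bot: The renamed heading "Minor bugfixes (log messages)" only holds if every entry under it concerns log output, and this hunk shows just the rate-limit entry. Check the entries below the visible context and move any unrelated fixes under a plain "Minor bugfixes" heading.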

changes/geoip-jan2013

deleted 100644 → 0
+0 −3
  o Minor features:
    - Update to the January 2 2013 Maxmind GeoLite Country database.