October 1, 2012 - August 31, 2013
- December 31, 2012
- March 31, 2013
- June 30, 2013
- August 31, 2013
- Design, testing, and deployment of pluggable transports.
  - Implement additional pluggable transports that disguise Tor Bridge connections as other common forms of Internet traffic. To accomplish this, Tor will research, develop, test and deploy additional pluggable transports. Tor will also explore other obfuscation strategies in addition to, or in place of, the above. (Q4 2012 - Q3 2013) (George)
  - Integrate obfuscated Bridges into the Bridge database. This will facilitate Tor users’ access to obfuscated Bridges. To accomplish this, Tor will:
    1. Automate Obfsproxy bridge reporting to bridge database. (Q1 2013 - Q3 2013) (George/Phillip)
    1. Obfsproxy bridges will publish transports in extra-info descriptor. (George/Phillip)
    1. Bridge database will learn to read obfs extra-info descriptor. (Aaron?)
    1. Design distribution strategies that are appropriate for Obfsproxy bridges, and implement at least one such strategy.
  - Implement a method for collecting metrics on growth and trends of Obfsproxy usage. This will consist of adding an out-of-band channel for Obfsproxy to inform Tor about metadata for each incoming connection and will consist of the following components:
    1. Determine a safe level of granularity for the reporting of usage statistics in order to preserve users’ anonymity. (Karsten)
    1. Implement methods for gathering and sharing these data in the Obfsproxy codebase, and make additional, metrics-related changes to the Tor descriptor format. (Karsten)
- Global Help Desk. Tor Project will improve its current support system by implementing a new, free and open source help desk platform. Tor’s new help desk will achieve the following:
  - Create user question and answer forums (likely structured on the Stack Exchange Network concept), that allow for user anonymity and pseudonymity. (TBD)
  - Multi-language translation (prioritizing Arabic, Farsi, Mandarin Chinese, Vietnamese, Burmese, Russian, and Spanish) of the most popular threads from the user question and answer forum and of existing help and tutorial materials. (Runa)
  - Continue supporting the use of a ticketing system for email requests. (Runa)
  - Add support via live chat, Voice over IP (VoIP) and telephone. (Runa/Andrew)
  - User support videos will also be created, maintained and improved, though the diversity of subjects addressed—and of languages into which these videos are to be translated or dubbed (subject to the priorities listed above)—will depend on the availability of remaining help desk funds. (Runa/Karen/Support)
- Tor Browser Improvements. Tor Project will replace its current Tor Browser architecture with one that is more efficient to maintain and better protects its users by being more adaptable to their evolving threat environment. Specifically, these improvements will consist of:
  - General Usability. Tor Project will replace Tor Button with a custom build of Mozilla Firefox that offers the same defenses, but in a simpler and more stable manner. In addition, the Tor Project will address a set of existing high priority, usability-related Tor Browser issue tickets. The precise set of prioritized tickets will be identified through the initiative’s ongoing effort, with at least five bugs flagged during the first quarter (Q4 of 2012), and an additional five to 15 bugs identified throughout the project. (Mike and other browser hackers)
  - Secure Update System. The Tor Project’s secure update mechanism (codenamed Thandy) is in fact relevant to most of the Tor distribution formats—and, for that matter, to various use-cases outside of secure updating (see below)—but is included here because the present agreement specifically addresses a full implementation of Thandy only within the Windows and OSX Tor Browser bundles, as they are most directly relevant to end-user security. That said, the server- and client-side work required to take Thandy from design prototype to full deployment will likely make other implementations (focused on Windows-based Bridge and Relay operators, for example) relatively trivial.
    1. Repackage Tor Browser with an open-source, peer-reviewed beta secure update mechanism. This will make it easier for Windows and OS X users to stay current with both Tor- and Firefox-related security updates.
    1. Research and deploy safe update key management practices.
    1. Implement a production secure update system repository.
    1. Automate a component-oriented build system that better supports the system’s update methodology.
    1. Implement a production secure update client in Tor Browser. This technology will also support a much-needed “micro-installer” distribution model, in which the lightweight update client, with a basic user interface, can be used to bootstrap the download of larger Tor components, as required by users.
  - In-depth digital forensics of TBB. This will help identify, document, and—where possible—remove traces that Tor Browser might leave on Windows, Linux or OS X computers from which it is run, either directly or from a flash memory device (TBD):
    1. Analyze Tor Browser data leaks on Windows 7.
    1. Analyze Tor Browser data leaks on Apple OS X.
    1. Analyze Tor Browser data leaks on a standard Debian Linux computer.
    1. Write a report of data leaks on all OSes analyzed, and propose mitigation steps.