GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Commit 4b312f3d authored by Pili Guerra's avatar Pili Guerra
Browse files

Add project ideas

parent 1a9bffd6
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 1
---
languages:
python
javascript
---
mentors:
GeKo
arma
---
difficulty: medium
---
title: Cloudflare CAPTCHA Monitoring
---
subtitle:
This project should implement a mechanism to track the rate that Cloudflare fronted webpages return CAPTCHAs to Tor users over time.
---
body:
# Problem
A large number of Tor users report getting hit by infinite CAPTCHA loops when visiting webpages fronted by Cloudflare. This makes them feel punished for using Tor to protect their privacy and prevents them from legitimately accessing websites.
# Proposal
For this project we would like to track in practice how often Cloudflare fronted webpages return CAPTCHAs to Tor clients.
Our proposed approach consists of:
1. Setting up a very simple static webpage to be fronted by Cloudflare
2. Write a web client to periodically fetch this static webpage via Tor and record how often a CAPTCHA is returned
3. Record and graph CAPTCHA vs real page rates
4. Using the pre-existing architecture, run a second client that does not fetch this webpage via Tor. This will allow us to contrast and compare how Cloudflare responds to Tor Browser vs other browsers.
5. Track and publish these details publicly
There are two interesting metrics to track over time:
- the fraction of exit relays that are getting hit with CAPTCHAs, and
- the chance that a Tor client, choosing an exit relay in the normal weighted faction, will get hit by a CAPTCHA.
Then there are other interesting patterns to look for:
- Are certain IP addresses punished consistently and others never punished?
- Is whether you get a CAPTCHA much more probabilistic and transient?
- Does that pattern change over time?
# Resources
There is pre-existing research by the Berkeley ICSI group which includes these sorts of checks:
- https://www.freehaven.net/anonbib/#differential-ndss2016
- https://www.freehaven.net/anonbib/#exit-blocking2017
For the original ticket and discussion, please see ticket [#33010](http://bugs.torproject.org/33010)
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 2
---
languages:
python
ansible
---
org: Tor
---
mentors:
cohosh
hiro
---
difficulty:
---
title: Implement new distribution methods for GetTor
---
subtitle:
This project should implement a feature to distribute Tor Browser downloads through Telegram or Facebook messenger.
---
body:
# Problem
Tor Browser ships with a few different anti-censorship tools to allow people free and open access to Internet content. However, some places censor Tor Browser downloads, making it difficult for users to install it in the first place.
# Proposal
[GetTor](https://gettor.torproject.org/) is a system for distributing Tor Browser using alternative methods such as email or Twitter to send users authenticated links to Tor Browser binaries.
We are looking to expand the ways in which GetTor distributes Tor Browser binaries to make it easier for people to download and install Tor Browser. This project would consist in implementing a feature in GetTor to distribute Tor Browser downloads through Telegram and/or Facebook messenger.
# Resources
- GetTor repo on github: https://github.com/torproject/gettor
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 3
---
languages:
Python
Docker
PythonQt5
---
mentors:
hiro
asn
---
difficulty: medium
---
title: Onion Tool Box
---
subtitle:
Myonion is a developer tool box, providing a command line interface and a GUI to configure and deploy existing services via .onion. The idea behind myonion is to make onion services accessible to developers that might be interested to innovate in the privacy space, building applications that are designed for privacy and security.
---
body:
# Problem
It is not necessarily difficult to use onion services, but it might be tricky to configure a web service to be offered via .onion so that it doesn’t leak sensitive information.
There are detailed [guides](https://riseup.net/en/security/network-security/tor/onionservices-best-practices) available for users that would like to offer a web application via .onion and some tools have been developed to help service operators: discover known misconfiguration or [vulnerabilities](https://onionscan.org/) or deploy an [onion site](https://github.com/alecmuffett/eotk).
Involving a wider developer community can help creating a better image of Tor and onion services, replacing the “dark net” narrative with the secure and private web one.
Onion services can also be relevant to all those people interested in the “zero-trust” strategy. The concept behind zero-trust is to adopt strategies and tools to help prevent data breaches by eliminating the concept of trust from an organization’s network architecture, with the principle of never trust, always verify.
Ultimately myonion is about creating a better experience for onion services developers and operators and therefore fostering a more legitimate onion service ecosystem.
# Proposal
Myonion is a developer tool box, providing a command line interface and a GUI to configure and deploy existing services via .onion. A minimal prototype for myonion already [exists](https://github.com/hiromipaw/myonion).
Someone that may want to run an onion service can use the myonion wrapper app to start a .onion from their computer and sharea static website or a web application.
Myonion can also be used to deploy the resulting configured app to a defined set of cloud providers.
Myonion provides a way to build and deploy onion ready applications, allowing developers to build and test web applications and easily share them with others, bundling the code and configuration in a lightweight, portable Docker container application that runs the same everywhere.
The experience for developers will be similar to using other industry solutions, like the [Docker desktop app](https://www.docker.com/products/docker-desktop).
Developers using myonion are provided with pre-defined and customizable application templates, with corresponding configuration and a test set, eliminating error-prone manual setup and known onion service configuration mistakes.
The resulting application is therefore deployable via a set of endpoint management tools to known providers. Providing a way to deploy onion services at scale.
# Resources
- Myonion repo on github: https://github.com/hiromipaw/myonion
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 4
---
languages: React
---
org: OONI
---
mentors:
Federico Ceratto
Arturo Filastò
---
difficulty: Medium
---
title: OONI Explorer Advanced Search
---
subtitle:
OONI Explorer is an open data resource on internet censorship around the world. This project is about enriching the OONI Explorer search functionality with the ability to visualize an analysis of metadata pertaining to filtered measurements.
---
body:
# Background
OONI Explorer is an open data resource on internet censorship around the world. This project is about enriching the OONI Explorer search functionality with the ability to visualize an analysis of metadata pertaining to filtered measurements.
# Proposal
This project is about enriching the OONI Explorer search functionality with the ability to visualize an analysis of metadata pertaining to filtered measurements.
This would involve adding the ability to filter on multiple axis: country, ASN, time range, anomaly, confirmed, failure, domain or input, citizenlab category code.
The results would then be presented in an aggregate form, such as showing:
- The total measurement count
- The anomaly vs total ratio
- Confirmed vs total
- Failure vs total
These results could then be presented as a table or some other charts, such as a heatmat.
Some other more detailed, drill-down views could also be implemented.
A potential applicant should also have some prior design experience
# Resources
- OONI Explorer repo on github: https://github.com/ooni/explorer
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 5
---
languages: Golang
---
org: OONI
---
mentors:
Simone Basso
Arturo Filastò
---
difficulty: low-high
---
title: OONI Probe network experiments
---
subtitle:
OONI Probe is a free software project that aims to uncover internet censorship around the world. As part of this project you would be working on researching and developing new OONI Probe network experiments.
---
body:
# Background
The Open Observatory of Network Interference (OONI) is a free software project which aims to empower decentralized efforts in increasing transparency of internet censorship around the world.
We develop free and open source software, called OONI Probe, that users can run to measure:
- Blocking of websites;
- Blocking of instant messaging apps (WhatsApp, Facebook Messenger and Telegram);
- Blocking of censorship circumvention tools (such as Tor);
- Presence of systems (middleboxes) in your network that might be responsible for censorship and/or surveillance;
- Speed and performance of your network.
By running OONI Probe, users can collect data that can potentially serve as evidence of internet censorship since it shows how, when, where, and by whom it is implemented.
# Proposal
*Prerequisites:* Knowledge of network programming
As part of this project you would be working on researching and developing new OONI Probe network experiments. These experiments would be integrated inside of probe-engine and could eventually make their way into the OONI Probe desktop client.
The GSoC project is only about researching and implementing a working test in probe-engine, not the UI and client integration of the test.
# Resources
- OONI Probe repo on github: https://github.com/ooni/probe-engine
- [Ideas for new experiments](https://github.com/ooni/probe-engine/issues?q=is%3Aopen+is%3Aissue+label%3A%22new+experiment%22)
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 6
---
languages:
Golang
Java
Android
---
org: OONI
---
mentors:
Simone Basso
Arturo Filastò
---
difficulty: Medium
---
title: Privacy aware geo lookup
---
subtitle:
The idea for this project is to research a way to do a GPS based location lookup which resolves the location of the user to a granularity which is useful for qualifying measurements, but that doesn’t compromise users safety and privacy.
---
body:
# Problem
When looking at OONI Probe measurements we often face a challenge in properly understanding what country (or more granular location) they are telling us things about.
Often times the location information (since it's based on geoip) is inaccurate, because the underlying GeoIP database we used was old.
On the other hand we also have a responsibility to protect user privacy to the extent that it's possible and therefore we don't collect IPs or store location information that is more granular than country level.
# Proposal
*Prerequisites:* familiarity with Android development and aptitude for research
The idea for this project is to research a way to do a GPS based location lookup which resolves the location of the user to a granularity which is useful for qualifying measurements, but that doesn’t compromise users safety and privacy.
# Resources
- OONI Probe engine repo on github: https://github.com/ooni/probe-engine
For the original ticket and discussion, please see ticket [249](https://github.com/ooni/probe-engine/issues/249)
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 7
---
languages:
javascript
CSS
HTML
Python
---
mentors:
hiro
---
difficulty: medium
---
title: Privacy Friendly Web
---
subtitle:
The scope of this project is creating a open-source community-driven browsable list of patterns and release a css/js framework that web developers can extend and use in their work.
---
body:
# Problem
Security concerned web users take conscious steps to limit the amount of data they share with the websites visited and third party services.
There are a number of security enhancing tools available. Some come in the form of browser extensions and javascript blockers, others are full fledged web browsers designed with providing extra security to their users.
One of these is the Tor Browser. The Tor Browser was designed to provide privacy while surfing the web and defend users against both network and local forensic adversaries. There are two main categories of requirements that have been considered: Security Requirements, and Privacy Requirements.
Security Requirements are the minimum properties in order for a browser to be able to support Tor and similar privacy proxies safely. Privacy requirements are primarily concerned with reducing linkability: the ability for a user's activity on one site to be linked with their activity on another site without their knowledge or explicit consent.
# Proposal
Websites can work seamlessly with the Tor Browser and other privacy enhancing browsers and tools if they adopt a series of respectful and ethical patterns.
The Tor Browser is in fact, based on Mozilla's Extended Support Release (ESR) Firefox branch. We have a series of patches against this browser to enhance privacy and security. Browser behavior is additionally augmented through the Torbutton extension, and we also change a number of Firefox preferences from their defaults.
The Tor Project has developed over the years a set of web development guidelines that allow websites to work with security enhanced browsers without causing any or minimal functionality destruption to their users. These guidelines have been shaped in an internal styleguide that has been adopted across all torproject.org websites.
We are now formalizing these web development patterns and some security concerns that need to be considered when developing websites for users surfing the web with security enhanced browsers and tools. The scope of this project is creating a open-source community-driven browsable list of patterns and release a css/js framework that web developers can extend and use in their work.
# Resources
- Tor Project [styleguide](https://styleguide.torproject.org/)
- Styleguide repo on github: https://github.com/torproject/styleguide
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 8
---
languages:
---
org: Tor
---
mentors:
cohosh
ahf
---
difficulty:
---
title: Implementing Salmon as a bridge distribution mechanism
---
subtitle:
This project entails implementing Salmon, a bridge distribution mechanism that partitions and distributes bridges using reputation to give well-behaved users access to "better" bridges and add a penalty when their bridges get censored.
---
body:
# Problem
Bridges are Tor relays that are not publicly listed and therefore allow access to the Tor network in places where access to the public Tor relays, and therefore access to the Tor network, is blocked. Many users rely on bridges, or anti-censorship proxies, to connect to the Tor network. However, when censors learn this information, the bridges quickly become blocked and can no longer be used. We need a way of distributing bridge information to users so that they are able to connect without these bridges being discovered by the censors.
# Proposal
Our goal is to distribute bridges to users in censored regions when they need them, while also limiting the amount of bridge information that is leaked to censors. This project entails implementing Salmon, a bridge distribution mechanism that partitions and distributes bridges using reputation to give well-behaved users access to "better" bridges and add a penalty when their bridges get censored.
# Resources
- Original Paper: [Salmon: Robust Proxy Distribution for
Censorship Circumvention](https://petsymposium.org/2016/files/papers/Salmon__Robust_Proxy_Distribution_for_Censorship_Circumvention.pdf)
- Salmon Project on github: https://github.com/SalmonProject
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 9
---
languages:
Android
---
org: Tor
---
mentors:
cohosh
---
difficulty:
---
title: Snowflake proxy on Android
---
subtitle:
This project entails implementing a Snowflake proxy app that will run on Android and relay a user's Tor traffic to the Tor network in the background.
---
body:
# Background
[Snowflake](https://snowflake.torproject.org/) is a circumvention system in which volunteers can run proxies to help users connect to the Tor network. Users make WebRTC connections to the proxies, who then relay this data to a Snowflake bridge and then on to the Tor network. The advantage of using WebRTC is that Snowflake proxies can frequently change IP address or operate behind a NAT. At the moment, we have implemented the Snowflake proxy code as a web extension or a web badge, but we have not yet implemented a proxy that will run smoothly on Android.
# Proposal
This project entails implementing a Snowflake proxy app that will run on Android and relay a user's Tor traffic to the Tor network in the background. There is an implementation component as well as an exploration and testing component while we figure out how to achieve good performance from a background application without using too much of the volunteer proxy's data or resources.
# Resources
- [Snowflake](https://snowflake.torproject.org/)
- Snowflake repo: https://gitweb.torproject.org/pluggable-transports/snowflake.git/
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 12
---
languages:
C
Python
Golang
Rust
---
mentors:
asn
dgoulet
---
difficulty: medium/hard
---
title: tor-keygen
---
subtitle:
The scope of this project is to write an application that generates cryptographic keys for Tor relays, dirauths and onion services.
---
body:
# Problem
# Proposal
Prerequisites: Understanding of Tor protocol and tor codebase
# Resources
- https://trac.torproject.org/projects/tor/ticket/18098
- https://trac.torproject.org/projects/tor/ticket/14389
- https://github.com/torproject/tor/blob/e34d963c4453ceac7ff378ce0044d10461980c8e/src/app/main/main.c#L1282
- Original tor-keygen repo on github: https://github.com/haxxpop/torkeygen
\ No newline at end of file
_model: project
---
_template: layout.html
---
html: two-columns-page.html
---
active: True
---
section: GSoC
---
section_id: gsoc
---
color: primary
---
key: 10
---
languages:
C
---
mentors:
teor
ahf (to be confirmed)
---
difficulty: Medium
---
title: Improve Tor Relay IPv6 Support
---
subtitle:
Tor helps people stay safe on the internet, by keeping their internet use secure and anonymous. More Tor clients are running on IPv6-only or dual-stack networks. But only 20% of Tor’s available relay bandwidth supports IPv6. We want to automate relay IPv6 address discovery and reachability checks, so that it is easier for relay operators to run IPv6 relays.
---
body:
The Tor Project will be improving tor relay IPv6 support in 2020.
Students may choose to focus on:
* designing and implementing tor relay IPv6 features,
* tor relay IPv6 testing, or
* diagnosing and fixing bugs in tor's IPv6 code.
## Prerequisites