|
@@ -1,13 +1,18 @@
|
|
|
Changes in version 0.2.4.8-alpha - 2013-01-14
|
|
|
+ Tor 0.2.4.8-alpha introduces directory guards to reduce user enumeration
|
|
|
+ risks, adds a new stronger and faster circuit handshake, and offers
|
|
|
+ stronger and faster link encryption when both sides support it.
|
|
|
|
|
|
o Major features:
|
|
|
- Preliminary support for directory guards (proposal 207): when
|
|
|
possible, clients now use their entry guards for non-anonymous
|
|
|
directory requests. This can help prevent client enumeration. Note
|
|
|
that this behavior only works when we have a usable consensus
|
|
|
- directory: and when options about what to download are more or
|
|
|
- less standard. Resolves ticket 6526.
|
|
|
- - Tor servers and clients now support a better CREATE/EXTEND cell
|
|
|
+ directory, and when options about what to download are more or less
|
|
|
+ standard. In the future we should re-bootstrap from our guards,
|
|
|
+ rather than re-bootstrapping from the preconfigured list of
|
|
|
+ directory sources that ships with Tor. Resolves ticket 6526.
|
|
|
+ - Tor relays and clients now support a better CREATE/EXTEND cell
|
|
|
format, allowing the sender to specify multiple address, identity,
|
|
|
and handshake types. Implements Robert Ransom's proposal 200;
|
|
|
closes ticket 7199.
|
|
@@ -16,7 +21,7 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
|
|
|
- Tor now supports a new circuit extension handshake designed by Ian
|
|
|
Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original
|
|
|
circuit extension handshake, later called "TAP", was a bit slow
|
|
|
- (especially on the server side), had a fragile security proof, and
|
|
|
+ (especially on the relay side), had a fragile security proof, and
|
|
|
used weaker keys than we'd now prefer. The new circuit handshake
|
|
|
uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman
|
|
|
function, making it significantly more secure than the older
|
|
@@ -35,30 +40,31 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
|
|
|
Implements proposal 216; closes ticket 7202.
|
|
|
|
|
|
o Major features (better link encryption):
|
|
|
- - Servers can now enable the ECDHE TLS ciphersuites when available
|
|
|
- and appropriate. These ciphersuites let us negotiate forward-
|
|
|
- secure TLS secret keys more safely and more efficiently than with
|
|
|
- our previous use of Diffie-Hellman modulo a 1024-bit prime.
|
|
|
- By default, public servers prefer the (faster) P224 group, and
|
|
|
- bridges prefer the (more common) P256 group; you can override this
|
|
|
- with the TLSECGroup option.
|
|
|
+ - Relays can now enable the ECDHE TLS ciphersuites when available
|
|
|
+ and appropriate. These ciphersuites let us negotiate forward-secure
|
|
|
+ TLS secret keys more safely and more efficiently than with our
|
|
|
+ previous use of Diffie-Hellman modulo a 1024-bit prime. By default,
|
|
|
+ public relays prefer the (faster) P224 group, and bridges prefer
|
|
|
+ the (more common) P256 group; you can override this with the
|
|
|
+ TLSECGroup option.
|
|
|
|
|
|
Enabling these ciphers was a little tricky, since for a long time,
|
|
|
clients had been claiming to support them without actually doing
|
|
|
so, in order to foil fingerprinting. But with the client-side
|
|
|
implementation of proposal 198 in 0.2.3.17-beta, clients can now
|
|
|
match the ciphers from recent Firefox versions *and* list the
|
|
|
- ciphers they actually mean, so servers can believe such clients
|
|
|
+ ciphers they actually mean, so relays can believe such clients
|
|
|
when they advertise ECDHE support in their TLS ClientHello messages.
|
|
|
|
|
|
This feature requires clients running 0.2.3.17-beta or later,
|
|
|
and requires both sides to be running OpenSSL 1.0.0 or later
|
|
|
with ECC support. OpenSSL 1.0.1, with the compile-time option
|
|
|
- "enable-ec_nistp_64_gcc_128", is highly recommended. Implements
|
|
|
- the server side of proposal 198; closes ticket 7200.
|
|
|
+ "enable-ec_nistp_64_gcc_128", is highly recommended.
|
|
|
+
|
|
|
+ Implements the relay side of proposal 198; closes ticket 7200.
|
|
|
|
|
|
o Major bugfixes:
|
|
|
- - Avoid crashing when, as a node without IPv6-exit support, a
|
|
|
+ - Avoid crashing when, as a relay without IPv6-exit support, a
|
|
|
client insists on getting an IPv6 address or nothing. Fixes bug
|
|
|
7814; bugfix on 0.2.4.7-alpha.
|
|
|
|
|
@@ -68,13 +74,14 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
|
|
|
upon the number of hop-RTTs that a particular circuit type
|
|
|
undergoes. Additionally, launch intro circuits in parallel
|
|
|
if they timeout, and take the first one to reply as valid.
|
|
|
- - Work correctly on unix systems where EAGAIN and EWOULDBLOCK are
|
|
|
- separate error codes--or at least, don't break for that reason.
|
|
|
+ - Work correctly on Unix systems where EAGAIN and EWOULDBLOCK are
|
|
|
+ separate error codes; or at least, don't break for that reason.
|
|
|
Fixes bug 7935. Reported by "oftc_must_be_destroyed".
|
|
|
+ - Update to the January 2 2013 Maxmind GeoLite Country database.
|
|
|
|
|
|
o Minor features (testing):
|
|
|
- Add benchmarks for DH (1024-bit multiplicative group) and ECDH
|
|
|
- (P-256) diffie-hellman handshakes to src/or/bench.
|
|
|
+ (P-256) Diffie-Hellman handshakes to src/or/bench.
|
|
|
- Add benchmark functions to test onion handshake performance.
|
|
|
|
|
|
o Minor features (path bias detection):
|
|
@@ -100,14 +107,14 @@ Changes in version 0.2.4.8-alpha - 2013-01-14
|
|
|
point, to avoid roundoff error and other issues.
|
|
|
- Only record path bias information for circuits that have completed
|
|
|
*two* hops. Assuming end-to-end tagging is the attack vector, this
|
|
|
- makes us more resilient to ambient circuit failure without any
|
|
|
+ makes us more resilient to ambient circuit failure without any
|
|
|
detection capability loss.
|
|
|
|
|
|
- o Minor bugfixes:
|
|
|
+ o Minor bugfixes (log messages):
|
|
|
- Rate-limit the "No circuits are opened. Relaxed timeout for a
|
|
|
circuit with channel state open..." message to once per hour to
|
|
|
keep it from filling the notice logs. Mitigates bug 7799 but does
|
|
|
- not fix the underlying cause. Bugfix on 0.2.4.7-alpha.
|
|
|
+ not fix the underlying cause. Bugfix on 0.2.4.7-alpha.
|
|
|
- Avoid spurious warnings when configuring multiple client ports of
|
|
|
which only some are nonlocal. Previously, we had claimed that some
|
|
|
were nonlocal when in fact they weren't. Fixes bug 7836; bugfix on
|