[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Tor is out

This is the fifth development snapshot for the 0.1.2.x series. It enables
write limiting by default, makes NT services more convenient and more
correct, includes better detection for misbehaving DNS on servers,
and a bunch of other features and bugfixes. It also ships with the new
Vidalia 0.0.10 release.


Changes in version - 2007-01-06
  o Major features:
    - Enable write limiting as well as read limiting. Now we sacrifice
      capacity if we're pushing out lots of directory traffic, rather
      than overrunning the user's intended bandwidth limits.
    - Include TLS overhead when counting bandwidth usage; previously, we
      would count only the bytes sent over TLS, but not the bytes used
      to send them.
    - Support running the Tor service with a torrc not in the same
      directory as tor.exe and default to using the torrc located in
      the %appdata%\Tor\ of the user who installed the service. Patch
      from Matt Edman.
    - Servers now check for the case when common DNS requests are going to
      wildcarded addresses (i.e. all getting the same answer), and change
      their exit policy to reject *:* if it's happening.
    - Implement BEGIN_DIR cells, so we can connect to the directory
      server via TLS to do encrypted directory requests rather than
      plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
      config options if you like. This still needs more debugging before
      people other than developers should try it.

  o Minor features (config and docs):
    - Start using the state file to store bandwidth accounting data:
      the bw_accounting file is now obsolete. We'll keep generating it
      for a while for people who are still using
    - Try to batch changes to the state file so that we do as few
      disk writes as possible while still storing important things in
      a timely fashion.
    - The state file and the bw_accounting file get saved less often when
      the AvoidDiskWrites config option is set.
    - Make PIDFile work on Windows (untested).
    - Add internal descriptions for a bunch of configuration options:
      accessible via controller interface and in comments in saved
      options files.
    - Reject *:563 (NNTPS) in the default exit policy. We already reject
      NNTP by default, so this seems like a sensible addition.
    - Clients now reject hostnames with invalid characters. This should
      avoid some inadvertent info leaks. Add an option
      AllowNonRFC953Hostnames to disable this behavior, in case somebody
      is running a private network with hosts called @, !, and #.
    - Add a maintainer script to tell us which options are missing
      documentation: "make check-docs".
    - Add a new address-spec.txt document to describe our special-case
      addresses: .exit, .onion, and .noconnnect.

  o Minor features (DNS):
    - Ongoing work on eventdns infrastructure: now it has dns server
      and ipv6 support. One day Tor will make use of it.
    - Add client-side caching for reverse DNS lookups.
    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
    - When we change nameservers or IP addresses, reset and re-launch
      our tests for DNS hijacking.

  o Minor features (directory):
    - Authorities now specify server versions in networkstatus. This adds
      about 2% to the side of compressed networkstatus docs, and allows
      clients to tell which servers support BEGIN_DIR and which don't.
      The implementation is forward-compatible with a proposed future
      protocol version scheme not tied to Tor versions.
    - DirServer configuration lines now have an orport= option so
      clients can open encrypted tunnels to the authorities without
      having downloaded their descriptors yet. Enabled for moria1,
      moria2, tor26, and lefkada now in the default configuration.
    - Directory servers are more willing to send a 503 "busy" if they
      are near their write limit, especially for v1 directory requests.
      Now they can use their limited bandwidth for actual Tor traffic.
    - Clients track responses with status 503 from dirservers. After a
      dirserver has given us a 503, we try not to use it until an hour has
      gone by, or until we have no dirservers that haven't given us a 503.
    - When we get a 503 from a directory, and we're not a server, we don't
      count the failure against the total number of failures allowed
      for the thing we're trying to download.
    - Report X-Your-Address-Is correctly from tunneled directory
      connections; don't report X-Your-Address-Is when it's an internal
      address; and never believe reported remote addresses when they're
    - Protect against an unlikely DoS attack on directory servers.
    - Add a BadDirectory flag to network status docs so that authorities
      can (eventually) tell clients about caches they believe to be

  o Minor features (controller):
    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
    - Reimplement GETINFO so that info/names stays in sync with the
      actual keys.
    - Implement "GETINFO fingerprint".
    - Implement "SETEVENTS GUARD" so controllers can get updates on
      entry guard status as it changes.

  o Minor features (clean up obsolete pieces):
    - Remove some options that have been deprecated since at least
      0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
      SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
      to set log options.
    - We no longer look for identity and onion keys in "identity.key" and
      "onion.key" -- these were replaced by secret_id_key and
      secret_onion_key in 0.0.8pre1.
    - We no longer require unrecognized directory entries to be
      preceded by "opt".

  o Major bugfixes (security):
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.
    - When generating bandwidth history, round down to the nearest
      1k. When storing accounting data, round up to the nearest 1k.
    - When we're running as a server, remember when we last rotated onion
      keys, so that we will rotate keys once they're a week old even if
      we never stay up for a week ourselves.

  o Major bugfixes (other):
    - Fix a longstanding bug in eventdns that prevented the count of
      timed-out resolves from ever being reset. This bug caused us to
      give up on a nameserver the third time it timed out, and try it
      10 seconds later... and to give up on it every time it timed out
      after that.
    - Take out the '5 second' timeout from the connection retry
      schedule. Now the first connect attempt will wait a full 10
      seconds before switching to a new circuit. Perhaps this will help
      a lot. Based on observations from Mike Perry.
    - Fix a bug on the Windows implementation of tor_mmap_file() that
      would prevent the cached-routers file from ever loading. Reported
      by John Kimble.

  o Minor bugfixes:
    - Fix an assert failure when a directory authority sets
      AuthDirRejectUnlisted and then receives a descriptor from an
      unlisted router. Reported by seeess.
    - Avoid a double-free when parsing malformed DirServer lines.
    - Fix a bug when a BSD-style PF socket is first used. Patch from
      Fabian Keil.
    - Fix a bug in that prevented clients from asking
      to resolve an address at a given exit node even when they ask for
      it by name.
    - Servers no longer ever list themselves in their "family" line,
      even if configured to do so. This makes it easier to configure
      family lists conveniently.
    - When running as a server, don't fall back to when no
      nameservers are configured in /etc/resolv.conf; instead, make the
      user fix resolv.conf or specify nameservers explicitly. (Resolves
      bug 363.)
    - Stop accepting certain malformed ports in configured exit policies.
    - Don't re-write the fingerprint file every restart, unless it has
    - Stop warning when a single nameserver fails: only warn when _all_ of
      our nameservers have failed. Also, when we only have one nameserver,
      raise the threshold for deciding that the nameserver is dead.
    - Directory authorities now only decide that routers are reachable
      if their identity keys are as expected.
    - When the user uses bad syntax in the Log config line, stop
      suggesting other bad syntax as a replacement.
    - Correctly detect ipv6 DNS capability on OpenBSD.

  o Minor bugfixes (controller):
    - Report the circuit number correctly in STREAM CLOSED events. Bug
      reported by Mike Perry.
    - Do not report bizarre values for results of accounting GETINFOs
      when the last second's write or read exceeds the allotted bandwidth.
    - Report "unrecognized key" rather than an empty string when the
      controller tries to fetch a networkstatus that doesn't exist.

Attachment: signature.asc
Description: Digital signature