Tor and EFF are once again taking part in Google's Summer of
Code (GSOC). See
The Tor Project is in Google Summer of Code 2008! post or
Work on Tor this summer, get paid by Google.
The volunteer projects page has some great ideas. And the
deadline is rapidly approaching (March 31, 2008 at 5pm Pacific Time).
I've always been fascinated by client-side attacks that use the
web-browser as a launching pad. Although the networking aspect of
anonymity is interesting (and critically important!),
the application level attacks seem more
practical from a high-level point of view. There is an extremely
low barrier entry for an adversary to configure a Tor exit node
and start injecting malicious traffic.
Currently, Torbutton is the preferred Firefox plugin for
enabling and disabling the use of Tor from within the browser.
There has been a large amount of work going into improving the
anonymity profile for Firefox users. Ideally, an adversary
should not be able to unmask a user by profiling browser
attributes or forcing plugins to make direct network connections.
To this end, I've set up a Torbutton testing page that lists
several possible attacks. Many of these are fixed in the latest
development version of Torbutton. Unfortunately, some require
changes in the Firefox browser to achieve the more complete
anonymity that many users desire.
Note: this is primarily a resource for developers or researchers.
So, if you are a student who enjoys Firefox, JavaScript and
plugin hacking, the "Testing integration of Tor with web
browsers for our end users" topic
many be a good project to look at. There is
still a large amount of research to be done, especially focused on
the soon to be released Firefox 3 web-browser.