The Tor Project is switching to Rust, dropping C

Original link: https://itsfoss.com/news/tor-rust-rewrite-progress/

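The Tor Project is actively rewriting its core software in Rust (named "Arti") to address the security vulnerabilities inherent in the original C codebase, in particular buffer overflows and memory corruption. The latest release, Arti 1.8.0, focuses on strengthening user privacy and improving functionality. A key update is the rework of the circuit timeout mechanism, moving from a single predictable timer to randomized, usage-based timers. This change is intended to thwart traffic monitoring and reduce the risk of user fingerprinting. In addition, Arti 1.8.0 introduces an experimental tool that lets onion service operators seamlessly migrate authorization keys from the older C-based Tor to Arti's secure keystore. The release also includes various improvements to routing, protocol implementation and configuration options, marking significant progress in the Rust rewrite of the Tor network.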

Hacker News: The Tor Project is switching to Rust, dropping C (itsfoss.com), 30 points, posted by giuliomagnifico 24 minutes ago, 2 comments

epolanski, 5 minutes ago: If Rust solves their problems and they like Rust, this seems reasonable. This is exactly why we have different languages and tools, because they suit different projects, teams and problems differently. But once you get stuck in the boring "tool X is better" argument, you lose the nuance of choosing the right tool for the job.

jjgreen, 1 minute ago: A complete rewrite is always a bad idea... [mumbled agreement] ...except in Rust! [cheers]

Original article

The Tor Project has been busy with the rustification of their offering for quite some time now.

If you have used Tor Browser, you know what it does. Anonymous browsing through encrypted relay chains. The network itself has been running since the early 2000s. All of it is built on C.

But that C codebase is an issue. It is known to have buffer overflows, use-after-free bugs, and memory corruption vulnerabilities. That is why they introduced Arti, a Rust rewrite of Tor that tackles these flaws by leveraging the memory safety of the programming language.

A new release of Arti just dropped last week, so let's check it out!

[Image: "arti" written in light green, surrounded by four circles. Source: The Tor Project]

We begin with the main highlight of this release, the rollout of the circuit timeout rework that was laid out in proposal 368. Tor currently uses something called Circuit Dirty Timeout (CDT). It is a single timer that controls when your connection circuits become unavailable and when they close down.

Unfortunately, it is predictable. Someone monitoring traffic can spot these patterns and potentially track your activity. Arti 1.8.0 fixes this by implementing usage-based timeouts with separate timers. One handles when circuits accept new connections. Another closes idle circuits at random times instead of fixed intervals.

This should reduce the risk of fingerprinting from predictable timeout behavior.

Next up is the new experimental arti hsc ctor-migrate command that lets onion service operators migrate their restricted discovery keys from the C-based Tor to Arti's keystore.

These keys handle client authorization for onion services. The command transfers them over without requiring operators to do the manual legwork. The release also delivers improvements for routing architecture, protocol implementation, directory cache support, and OR port listener configuration.

You can go through the changelog to learn more about the Arti 1.8.0 release.

Via: Sam Bent
