Arti is our ongoing project to create a next-generation Tor client in
Rust. Now we’re announcing the latest release, Arti 1.1.5.
In the past months,
our efforts have been divided between onion services
and work on a new RPC API
(a successor to C Tor’s “control port”)
that will give applications a safe and powerful way
to work with Arti
without having to write their code in Rust
or link Arti as a library (unless they want to).
For onion services this month,
we have continued work on our protocol infrastructure
to support the cryptographic handshakes and protocols
used for onion services,
and begun design work on a key management system
for onion services.
Our RPC code is still in an “infrastructure-only” state:
the backend has progressed significantly,
and now includes an object-reference system
we’ll use to enforce security
via a capability-style design,
but as of yet it supports no useful functionality.
(We expect to land initial functionality this month.)
For information on the general shape of our design,
see the work-in-progress specification document.
Finally, this release also fixes a security issue:
there was a bug in our SOCKS code
that could be exploited to cause a denial-of-service attack
against an Arti client.
We are classifying this as a low-severity issue,
since exploiting it would require the attacker to have
access to localhost.
Thanks to Jakob Lell for reporting this issue;
it is tracked as TROVE-2023-001.
There have been many smaller changes as well;
for those, please see the CHANGELOG.
For more information on using Arti, see our top-level README, and the
documentation for the arti binary.
Thanks to everyone who has contributed to this release, including
Alexander Færøy, Jakob Lell, Jim Newsome, Saksham Mittal, and Trinity
Pointard.
Finally, our deep thanks to Zcash Community Grants for funding the
development of Arti!