[TWN team] Recent changes to the wiki pages

Wed Jun 17 14:20:06 UTC 2015

===========================================================================
=== https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews/2015/24 ===
===========================================================================

version 10
Author: harmony
Date:   2015-06-17T13:35:16+00:00

   --

--- version 9
+++ version 10
@@ -17,6 +17,11 @@
 
  1. Tor 0.2.6.9 is out
  2. Tor Browser 4.5.2 and 5.0a2 are out
+ 3. The future of GetTor and uncensorable software distribution
+ 4. Great progress on Orfox browser
+ 5. A persistent Tor state for Tails?
+ 6. Miscellaneous news
+ 7. Upcoming events
 
 Tor 0.2.6.9 is out
 ------------------
@@ -127,6 +132,43 @@
  [XXX]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-June/004446.html
  [XXX]: https://dev.guardianproject.info/projects/orfox-private-browser/news
 
+A persistent Tor state for Tails?
+---------------------------------
+
+The Tails team is discussing the possibility of making Tor’s state persist
+across sessions in the anonymous live operating system. As the team writes
+on the relevant blueprint page [XXX], such a change would have several
+benefits: not only would Tor’s bootstrap process be faster and more efficient,
+but it would enable Tails to take advantage of the “entry guards” concept [XXX],
+without which Tails users are more likely to select a malicious entry node
+at some point over the course of their activity. Moreover, the fact that
+Tails selects a new entry node on every boot, while Tor Browser does not,
+allows an adversary to determine whether a user who remains on one network
+(their home or place of work, for example) is using Tails or not. This would
+also be solved by a persistent Tor state.
+
+However, this change does of course have some drawbacks. For one thing,
+although entry guards in Tails would help defend against end-to-end
+correlation attacks, they enable a certain kind of fingerprinting: if a user
+makes a connection to an entry guard from their home, and an adversary later
+observes a connection to the same guard from an event or meeting-place that the
+user is suspected of attending, the adversary can draw a conclusion about the
+user’s geographical movement. This violates one of Tails’ threat model principles,
+which the team calls “AdvGoalTracking”. There are ways that Tails could request
+location information from the user in order to maintain different entry guards
+for different locations, but too many requests for information might bamboozle
+Tails users into accidentally worsening their own security, especially if they do
+not understand the threat model behind the requests, or it does not apply to them.
+
+What is needed, then, is a balance between “defaults that suit the vast majority
+of use-cases […] for Tails’ target audience” and helping “users with different
+needs to avoid becoming less safe ‘thanks’ to this new feature”. The discussion
+continues on the tails-dev mailing list [XXX].
+
+ [XXX]: https://tails.boum.org/blueprint/persistent_Tor_state/
+ [XXX]: https://www.torproject.org/docs/faq#EntryGuards
+ [XXX]: https://mailman.boum.org/pipermail/tails-dev/2015-June/009095.html
+
 Miscellaneous news
 ------------------
 

version 9
Author: harmony
Date:   2015-06-17T12:55:59+00:00

   --

--- version 8
+++ version 9
@@ -111,6 +111,22 @@
  [XXX]: https://tails.boum.org/blueprint/bootstrapping/extension/
  [XXX]: https://github.com/glamrock/satori
 
+Great progress on Orfox browser
+-------------------------------
+
+Nathan Freitas, of mobile device security specialists the Guardian Project,
+reported [XXX] on the status of Orfox, the Android-compatible Tor Browser build.
+“The goal is to get as close to the ‘real Tor Browser’ while taking into
+account the new, unique issues we face on Android”, he wrote. Amogh Pradeep,
+former Google Summer of Code student and now intern at the Guardian Project,
+has made significant progress getting the software to build, and you can
+follow his regular updates on the Orfox development blog [XXX]. “We expect to
+have an alpha out this week”, wrote Nathan, “but feel free to jump in on testing
+of the posted builds, and file bugs or feature requests as you find them”.
+
+ [XXX]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-June/004446.html
+ [XXX]: https://dev.guardianproject.info/projects/orfox-private-browser/news
+
 Miscellaneous news
 ------------------
 

version 8
Author: harmony
Date:   2015-06-17T12:45:28+00:00

   --

--- version 7
+++ version 8
@@ -81,9 +81,35 @@
 instant messaging and Twitter).
 
 However, it might also be time for a more radical change in the way
-GetTor works. ...
+GetTor works. An official distributor application or browser add-on,
+available through channels like the OS X or Google Chrome app stores,
+could automate Tor Browser downloads, as well as the vital but unintuitive
+process of verifying the signature to ensure the software has not
+been tampered with. Israel offered two suggestions for the inner
+workings of such a distributor: one involving a fixed (but potentially
+blockable) backend API with which the distributor communicates, and one
+in which a more complex distributor is capable of helping the user download
+the required software from several different sources.
+
+Some related projects are already underway: the Tails team is discussing
+the possibility of its own browser add-on for ISO download and
+verification [XXX], while Griffin Boyce pointed [XXX] to his own Satori
+project, a distributor application that offers torrent files and
+content-delivery network (CDN) links. The discussion over the possible
+GetTor distributor’s relationship with these projects is still to be had.
+
+“I would really love to hear your comments about this idea, my work at
+Summer of Privacy might change depending on this discussion”, writes
+Israel. It’s clear that forcing users to depend on “single points of
+failure” for their software is bad news all round, so if you have worthwhile
+ideas to add to this discussion, feel free to take them to the tor-dev
+mailing list thread.
 
  [XXX]: https://www.torproject.org/projects/gettor
+ [XXX]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-June/008949.html
+ [XXX]: https://tails.boum.org/blueprint/bootstrapping/extension/
+ [XXX]: https://github.com/glamrock/satori
 
 Miscellaneous news
 ------------------



-- 
Your friendly TWN monitoring script

      In case of malfunction, please reach out for lunar at torproject.org
          or for the worst cases, tell weasel at torproject.org to kill me.
