[TWN team] Recent changes to the wiki pages
Lunar
lunar at torproject.org
Wed Jun 17 14:20:06 UTC 2015
===========================================================================
=== https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews/2015/24 ===
===========================================================================
version 10
Author: harmony
Date: 2015-06-17T13:35:16+00:00
--
--- version 9
+++ version 10
@@ -17,6 +17,11 @@
1. Tor 0.2.6.9 is out
2. Tor Browser 4.5.2 and 5.0a2 are out
+ 3. The future of GetTor and uncensorable software distribution
+ 4. Great progress on Orfox browser
+ 5. A persistent Tor state for Tails?
+ 6. Miscellaneous news
+ 7. Upcoming events
Tor 0.2.6.9 is out
------------------
@@ -127,6 +132,43 @@
[XXX]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-June/004446.html
[XXX]: https://dev.guardianproject.info/projects/orfox-private-browser/news
+A persistent Tor state for Tails?
+---------------------------------
+
+The Tails team is discussing the possibility of making Tor’s state persist
+across sessions in the anonymous live operating system. As the team writes
+on the relevant blueprint page [XXX], such a change would have several
+benefits: not only would Tor’s bootstrap process be faster and more efficient,
+but it would enable Tails to take advantage of the “entry guards” concept [XXX],
+without which Tails users are more likely to select a malicious entry node
+at some point over the course of their activity. Moreover, the fact that
+Tails selects a new entry node on every boot, while Tor Browser does not,
+allows an adversary to determine whether a user who remains on one network
+(their home or place of work, for example) is using Tails or not. This would
+also be solved by a persistent Tor state.
+
+However, this change does of course have some drawbacks. For one thing,
+although entry guards in Tails would help defend against end-to-end
+correlation attacks, they enable a certain kind of fingerprinting: if a user
+makes a connection to an entry guard from their home, and an adversary later
+observes a connection to the same guard from an event or meeting-place that the
+user is suspected of attending, the adversary can draw a conclusion about the
+user’s geographical movement. This violates one of Tails’ threat model principles,
+which the team calls “AdvGoalTracking”. There are ways that Tails could request
+location information from the user in order to maintain different entry guards
+for different locations, but too many requests for information might bamboozle
+Tails users into accidentally worsening their own security, especially if they do
+not understand the threat model behind the requests, or it does not apply to them.
+
+What is needed, then, is a balance between “defaults that suit the vast majority
+of use-cases […] for Tails’ target audience” and helping “users with different
+needs to avoid becoming less safe ‘thanks’ to this new feature”. The discussion
+continues on the tails-dev mailing list [XXX].
+
+ [XXX]: https://tails.boum.org/blueprint/persistent_Tor_state/
+ [XXX]: https://www.torproject.org/docs/faq#EntryGuards
+ [XXX]: https://mailman.boum.org/pipermail/tails-dev/2015-June/009095.html
+
Miscellaneous news
------------------
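Review bot: "AdvGoalTracking" in the second added paragraph is introduced as one of Tails' "threat model principles", but the name reads as an adversary goal rather than a principle, and none of the three [XXX] markers is attached to it. Suggest rewording so the change is described as helping an adversary with what the team calls "AdvGoalTracking", and putting a marker at the term (reusing the blueprint link if that is where it is defined) so readers can look it up. The same paragraph could also state outright that the adversary has to see the user's guard connection at both locations, since the movement inference depends on that.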
version 9
Author: harmony
Date: 2015-06-17T12:55:59+00:00
--
--- version 8
+++ version 9
@@ -111,6 +111,22 @@
[XXX]: https://tails.boum.org/blueprint/bootstrapping/extension/
[XXX]: https://github.com/glamrock/satori
+Great progress on Orfox browser
+-------------------------------
+
+Nathan Freitas, of mobile device security specialists the Guardian Project,
+reported [XXX] on the status of Orfox, the Android-compatible Tor Browser build.
+“The goal is to get as close to the ‘real Tor Browser’ while taking into
+account the new, unique issues we face on Android”, he wrote. Amogh Pradeep,
+former Google Summer of Code student and now intern at the Guardian Project,
+has made significant progress getting the software to build, and you can
+follow his regular updates on the Orfox development blog [XXX]. “We expect to
+have an alpha out this week”, wrote Nathan, “but feel free to jump in on testing
+of the posted builds, and file bugs or feature requests as you find them”.
+
+ [XXX]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-June/004446.html
+ [XXX]: https://dev.guardianproject.info/projects/orfox-private-browser/news
+
Miscellaneous news
------------------
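Review bot: "feel free to jump in on testing of the posted builds", at the end of the added paragraph, invites readers to install pre-alpha builds of an anonymity browser without saying where those builds are posted; neither [XXX] marker is attached to that phrase. Suggest a few words after the quote pointing at the location, or a note that it is given in the linked message if that is the case. Also, "this week" inside the quote is relative to the date of Nathan's message rather than to this issue, so giving that date in the lead-in sentence would stop it reading as a promise tied to publication day.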
version 8
Author: harmony
Date: 2015-06-17T12:45:28+00:00
--
--- version 7
+++ version 8
@@ -81,9 +81,35 @@
instant messaging and Twitter).
However, it might also be time for a more radical change in the way
-GetTor works. ...
+GetTor works. An official distributor application or browser add-on,
+available through channels like the OS X or Google Chrome app stores,
+could automate Tor Browser downloads, as well as the vital but unintuitive
+process of verifying the signature to ensure the software has not
+been tampered with. Israel offered two suggestions for the inner
+workings of such a distributor: one involving a fixed (but potentially
+blockable) backend API with which the distributor communicates, and one
+in which a more complex distributor is capable of helping the user download
+the required software from several different sources.
+
+Some related projects are already underway: the Tails team is discussing
+the possibility of its own browser add-on for ISO download and
+verification [XXX], while Griffin Boyce pointed [XXX] to his own Satori
+project, a distributor application that offers torrent files and
+content-delivery network (CDN) links. The discussion over the possible
+GetTor distributor’s relationship with these projects is still to be had.
+
+“I would really love to hear your comments about this idea, my work at
+Summer of Privacy might change depending on this discussion”, writes
+Israel. It’s clear that forcing users to depend on “single points of
+failure” for their software is bad news all round, so if you have worthwhile
+ideas to add to this discussion, feel free to take them to the tor-dev
+mailing list thread.
[XXX]: https://www.torproject.org/projects/gettor
+ [XXX]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-June/008949.html
+ [XXX]: https://tails.boum.org/blueprint/bootstrapping/extension/
+ [XXX]: https://github.com/glamrock/satori
Miscellaneous news
------------------
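Review bot: the link list gains four entries, but the added text carries only two [XXX] markers, both in the "Some related projects" paragraph; "Summer of Privacy" and "the tor-dev mailing list thread" in the last added paragraph have none. If the TorSoP and tor-dev URLs are cited only from the unchanged text above this hunk, add a marker at the closing call to action as well, since that is the point where readers are told where to take their ideas. Separately, "verifying the signature" in the first added paragraph could say in a few words what the signature is checked against, given that the sentence itself calls the step unintuitive.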
--
Your friendly TWN monitoring script
In case of malfunction, please reach out for lunar at torproject.org
or for the worst cases, tell weasel at torproject.org to kill me.