[TWN team] Recent changes to the wiki pages

Lunar lunar at torproject.org
Fri May 22 00:20:05 UTC 2015


===========================================================================
=== https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews/2015/20 ===
===========================================================================

version 2
Author: harmony
Date:   2015-05-21T23:46:33+00:00

   write

--- version 1
+++ version 2
@@ -6,80 +6,274 @@
 
 {{{
 ========================================================================
-Tor Weekly News                                           May 20th, 2015
+Tor Weekly News                                           May 22nd, 2015
 ========================================================================
 
 Welcome to the twentieth issue in 2015 of Tor Weekly News, the weekly
-newsletter that covers what’s happening in the XXX Tor community.
-
-Feature XXX
------------
-
-Feature 1 with cited source [XXX]
-
- [XXX]:
-
-Monthly status reports for XXX month 2015
------------------------------------------
-
-The wave of regular monthly reports from Tor project members for the
-month of XXX has begun. XXX released his report first [XXX], followed
-by reports from name 2 [XXX], name 3 [XXX], and name 4 [XXX].
-
- [XXX]:
- [XXX]:
- [XXX]:
- [XXX]:
+newsletter that covers what’s happening in the aleatoric [XXX] Tor
+community.
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008821.html
+
+Contents
+--------
+
+ 1. Tor 0.2.6.8 is out
+ 2. Tor Browser 4.5.1 and 5.0a1 are out
+ 3. Fixing the Tor network’s bandwidth measurement system
+ 4. Stopping onion service DoS attacks by limiting connections
+ 5. What is the value of anonymous communication?
+ 6. Miscellaneous news
+ 7. This week in Tor history
+ 8. Upcoming events
+
+Tor 0.2.6.8 is out
+------------------
+
+Nick Mathewson announced [XXX] a new release in the current stable
+branch of the core Tor software. Tor 0.2.6.8 stops directory authorities
+from giving the HSDir flag to relays without a DirPort configured, which
+was causing accessibility problems [XXX] for some hidden services. It
+also fixes a bug [XXX] that could have allowed a Tor client to crash an
+onion service in a very small number of cases where the service was
+making use of Tor’s “client authorization” feature.
+
+If you are running one of the Tor network’s nine directory authorities,
+you should upgrade as soon as possible. If you aren’t one of those
+people, no urgent action is required.
+
+ [XXX]: https://blog.torproject.org/blog/tor-0268-released
+ [XXX]: https://bugs.torproject.org/15850
+ [XXX]: https://bugs.torproject.org/15823
+
+Tor Browser 4.5.1 and 5.0a1 are out
+-----------------------------------
+
+Mike Perry announced new releases by the Tor Browser team in both the
+stable and alpha series. Tor Browser 4.5.1 [XXX] relaxes the
+“first-party isolation” system slightly, in order to solve some
+usability issues affecting websites that host their content on several
+subdomains. In addition, NoScript’s ClearClick anti-clickjacking feature
+is disabled, as it had been causing frequent false positives, especially
+on pages serving captchas.
+
+In addition to those fixes, Tor Browser 5.0a1 [XXX] includes several new
+privacy-preserving features. The automatic window-resizing feature from
+4.5a4 is reintroduced here, and JavaScript’s ability to take precise
+timings of some activities has been limited, in order to defend against
+browser fingerprinting attacks.
+
+See Mike’s announcements for full changelogs, download instructions, and
+advice on reporting any issues you experience. Both releases include
+important security updates to Firefox, so please upgrade as soon as you
+can!
+
+ [XXX]: https://blog.torproject.org/blog/tor-browser-451-released
+ [XXX]: https://blog.torproject.org/blog/tor-browser-50a1-released
+
+Fixing the Tor network’s bandwidth measurement system
+-----------------------------------------------------
+
+When setting up a Tor relay, operators are asked to state the amount
+of traffic their relay can handle, the so-called “advertised bandwidth”.
+In the earliest versions of the Tor network, the directory
+authorities [XXX] used this advertised value directly when creating the
+consensus [XXX], which made it very easy for malicious operators
+to lie about the capacity of their relays in order to gain visibility of
+a large amount of Tor traffic; this in turn would have enabled attacks
+on client anonymity [XXX].
+
+In 2009, therefore, Mike Perry introduced the “bandwidth authority” (or
+“bwauth”) scripts as part of his TorFlow suite of tools [XXX]. Computers
+that are configured to run as bwauths regularly scan the relays that
+make up the Tor network to see if the bandwidth they advertise
+corresponds to their real capacity. If not, the consensus will adjust
+the advertised bandwidth up or down to reflect the measurements taken by
+the bwauths; this adjusted value is the “consensus weight”.
+
+At least, that’s how it should work. For some time, the bwauth scripts
+have been unmaintained, leading to problems for their operators, and
+more recently they appear to have  broken in a way that is hard to
+diagnose. As nusenu pointed out [XXX], a significant number of Tor
+relays are now unmeasured, which means that the Tor network’s available
+bandwidth is not being used in the most efficient way.
+
+In the short term, work is underway to patch up the bwauth scripts so
+that they can once again scan all the relays in the network: Tom Ritter
+announced [XXX] that new bwauths have been brought online to provide the
+necessary measurements, and the scripts are being investigated to see if
+differences between consensuses are causing scanners to miss some
+relays.
+
+A more permanent fix, however, might involve a total rewrite of the
+bwauth scripts if, as Roger Dingledine suggested [XXX], the design
+itself is flawed. Tor Project contributor Aaron Gibson will hopefully be
+addressing this issue as part of an upcoming fellowship with OTF, and a
+number of other research groups are also working towards a more robust
+design for the bandwidth measurement system.
+
+Be sure to sign up to the tor-relays mailing list [XXX] for further
+information. Thanks to all relay operators for their patience while the
+problem-solving continues!
+
+ [XXX]: https://metrics.torproject.org/about.html#directory-authority
+ [XXX]: https://metrics.torproject.org/about.html#consensus
+ [XXX]: http://freehaven.net/anonbib/#bauer:wpes2007
+ [XXX]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007003.html
+ [XXX]: https://blog.torproject.org/blog/torflow-node-capacity-integrity-and-reliability-measurements-hotpets
+ [XXX]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007003.html
+ [XXX]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007006.html
+ [XXX]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
+
+Stopping onion service DoS attacks by limiting connections
+----------------------------------------------------------
+
+George Kadianakis published an experimental workaround [XXX] for onion
+services affected by a newly-discovered denial-of-service attack [XXX].
+“In this attack”, as George explained, “the adversary forces a hidden
+service to create thousands of connections to its underlying application
+(e.g. the webserver), which overwhelms both Tor and the underlying
+application”.
+
+Onion service operators who want to test the fix will need to recompile
+their Tor from a special git branch, then configure the new settings in
+their torrc file to set an upper limit on the number of TCP connections
+a client can make. “Let us know if this works for you, by sending an
+email to this list, or commenting on the trac ticket. If it works for
+people, we might incorporate it in a Tor release soon”, wrote George.
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008838.html
+ [XXX]: https://bugs.torproject.org/16052
+
+What is the value of anonymous communication?
+---------------------------------------------
+
+Researchers at Drexel University in Philadelphia are investigating the
+ways in which Tor users “write blog posts, edit Wikipedia articles,
+contribute to open source projects on GitHub, post on discussion forums,
+comment on news articles, Tweet, write reviews, and many other things”
+as part of their online activity, and whether or not they are inhibited
+by obstacles such as captchas, IP blacklists, or other blocking
+mechanisms, as Kate Krauss explained on the Tor blog [XXX].
+
+According to Professor Rachael Greenstadt, one of the co-authors: “By
+understanding the contributions that Tor users make, we can help make a
+case for the value of anonymity online”.
+
+One of the biggest threats to Tor’s success, as Roger Dingledine wrote
+last year [XXX], is the “siloing” of the Internet caused by the “growing
+number of websites [that] treat users from anonymity services
+differently”, so it’s more important than ever to demonstrate the many
+contributions to online projects made by Tor users.If you are a Tor user
+and don’t mind sharing your experiences of using Tor to communicate
+anonymously online, please see Kate’s post for more information on how
+to participate in the study.
+
+ [XXX]: https://blog.torproject.org/blog/study-what-value-anonymous-communication
+ [XXX]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users
 
 Miscellaneous news
 ------------------
 
-Item 1 with cited source [XXX].
-
-Item 2 with cited source [XXX].
-
-Item 3 with cited source [XXX].
-
- [XXX]:
- [XXX]:
- [XXX]:
-
-Tor help desk roundup
----------------------
-
-Summary of some questions sent to the Tor help desk. 
-
-News from Tor StackExchange
----------------------------
-
-Text with cited source [XXX].
-
- [XXX]:
-
-Easy development tasks to get involved with
--------------------------------------------
-
-Text with cited source [XXX].
-
- [XXX]: 
+Damian Johnson put out a new release [XXX] of Stem [XXX], the Tor
+controller library in Python. Stem 1.4 brings another increase in the
+speed of document parsing (now that descriptors are not validated by
+default), and includes support for Tor’s new “ephemeral onion
+service” and descriptor handling features [XXX]. See Damian’s
+announcement for the full changelog.
+
+ [XXX]: https://blog.torproject.org/blog/stem-release-14
+ [XXX]: https://stem.torproject.org/
+ [XXX]: https://stem.torproject.org/tutorials/over_the_river.html#ephemeral-hidden-services
+
+Alec Muffett, the lead engineer behind Facebook’s onion service,
+contributed some notes on his experiences [XXX] to a thread about
+serving the same site as both an onion service and a regular website.
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-talk/2015-May/037840.html
+
+Jesse Victors, one of the students participating in the first-ever Tor
+Summer of Code [XXX], explained in greater detail [XXX] his proposal for
+“OnioNS”, a method of creating human-memorable yet secure addresses for
+onion services.
+
+ [XXX]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008826.html
+
+Colin C. sent out the Tor Help Desk report for April [XXX].
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-reports/2015-May/000827.html
+
+Thanks to Matt Hoover [XXX] and spriver [XXX] for running mirrors of the
+Tor Project website and software archive!
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-mirrors/2015-May/000882.html
+ [XXX]: https://lists.torproject.org/pipermail/tor-mirrors/2015-May/000888.html
+
+Micah Lee discovered a bug [XXX] that is causing OnionShare, the onion
+service-based file-sharing application, to crash the entire Tor process
+when run using Tails [XXX].
+
+ [XXX]: https://bugs.torproject.org/16106
+ [XXX]: https://mailman.boum.org/pipermail/tails-dev/2015-May/008840.html
+
+Martin Florian discussed [XXX] the problems caused by onion services that
+change their IP address during operation, such as those hosted on mobile
+devices. “Some logic needs to be included for forgetting about
+rendevouz points that have failed once…Am I on the right track? Is this
+a good idea? And how do I forget about RPs?”
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008841.html
 
 This week in Tor history
 ------------------------
 
-Text with cited source [XXX].
-
- [XXX]: 
+A year ago this week [XXX], Anders Andersson wondered [XXX] about the
+problems that Tor would face if the .onion top-level domain (TLD) were
+to be sold by ICANN for public registration, in the same way as the
+large number of new “generic” TLDs. This question had already been the
+subject of a submission [XXX] to the Internet Engineering Task Force
+co-authored by the Tor Project’s Jacob Appelbaum, arguing that the
+.onion suffix should be one of several TLDs set aside for special use by
+peer-to-peer software.
+
+This week, Jacob and Facebook’s Alec Muffett submitted another
+Internet-draft [XXX] to the IETF, specifically requesting the
+registration of .onion as a special-use TLD now that it is in wide use.
+If it is approved, the .onion suffix will be reserved for use by Tor,
+ensuring that no conflicts arise later which might break the onion
+service naming system or enable attacks on users.
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-news/2014-May/000046.html
+ [XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032974.html
+ [XXX]: https://tools.ietf.org/id/draft-grothoff-iesg-special-use-p2p-names-02.txt
+ [XXX]: https://www.ietf.org/id/draft-appelbaum-dnsop-onion-tld-01.txt
 
 Upcoming events
 ---------------
 
-Jul XX-XX | Event XXX brief description
-          | Event City, Event Country
-          | Event website URL
-          |
-Jul XX-XX | Event XXX brief description
-          | Event City, Event Country
-          | Event website URL
+  May 25 18:00 UTC | Tor Browser meeting
+                   | #tor-dev, irc.oftc.net
+                   |
+  May 25 18:00 UTC | OONI development meeting
+                   | #ooni, irc.oftc.net
+                   |
+  May 26 18:00 UTC | little-t tor patch workshop
+                   | #tor-dev, irc.oftc.net
+                   |
+  May 27 02:00 UTC | Pluggable transports/bridges meeting
+                   | #tor-dev, irc.oftc.net
+                   |
+  May 27 13:30 UTC | little-t tor development meeting
+                   | #tor-dev, irc.oftc.net
+                   |
+  Jun 03 19:00 UTC | Tails contributors meeting
+                   | #tails-dev, irc.oftc.net
+                   | https://mailman.boum.org/pipermail/tails-project/2015-May/000206.html
+                   |
+  Jun 30 - Jul 02  | Many Tor people @ 15th Privacy Enhancing Technologies Symposium
+                   | Philadelphia, USA
+                   | https://petsymposium.org/2015/
 
 
 This issue of Tor Weekly News has been assembled by XXX, XXX, and
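Review bot: In the reference list under "Fixing the Tor network's bandwidth measurement system", the links do not line up with the in-text citations. TorFlow is the fourth [XXX] in the prose but its blog URL is the fifth entry, and the tor-relays 2015-May/007003.html URL appears twice (fourth and sixth entries), so either the nusenu or the Tom Ritter citation probably points at the wrong message. Suggest reordering the list to follow citation order and confirming which post each of those two should link to before the [XXX] markers are numbered. Smaller points in the same hunk: "have  broken" has a double space, "Tor users.If you are" is missing a space after the full stop, and the closing credit line still reads "assembled by XXX, XXX, and" with no names filled in.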



-- 
Your friendly TWN monitoring script

      In case of malfunction, please reach out for lunar at torproject.org
          or for the worst cases, tell weasel at torproject.org to kill me.


More information about the news-team mailing list