[tor-talk] Tor Weekly News — July 30th, 2014

Lunar lunar at torproject.org
Wed Jul 30 14:11:58 UTC 2014


========================================================================
Tor Weekly News                                          July 30th, 2014
========================================================================

Welcome to the thirtieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.3 is out
------------------------

A new pointfix release for the 3.6 series of the Tor Browser is out [1].
Most components have been updated and a couple of small issues fixed.
Details are available in the release announcement.

The release fixes import security updates [2] from Firefox. Be sure to
upgrade [3]! Users of the experimental meek [4] bundles have not been
forgotten [5].

   [1]: https://blog.torproject.org/blog/tor-browser-363-released
   [2]: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.7
   [3]: https://www.torproject.org/download/download-easy.html
   [4]: https://trac.torproject.org/projects/tor/wiki/doc/meek
   [5]: https://people.torproject.org/~dcf/pt-bundle/3.6.3-meek-1/

New Tor stable and alpha releases
---------------------------------

Two new releases of Tor are out. The new 0.2.5.6-alpha release [6]
“brings us a big step closer to slowing down the risk from guard
rotation, and fixes a variety of other issues to get us closer to a
release candidate”.

Once directory authorities have upgraded, they will “assign the Guard
flag to the fastest 25% of the network”. Some experiments showed that
“for the current network, this results in about 1100 guards, down from
2500.”

The complementary change to moving the number of entry guards down to
one [7] is the introduction of two new consensus parameters.
NumEntryGuards and NumDirectoryGuards will respectively set the number
of entry guards and directory guards that clients will use. The default
for NumEntryGuards is currently three, but this will allow a reversible
switch to one in a near future.

Several important fixes have been backported to the stable branch in the
0.2.4.23 release [8]. Source packages are available at the regular
location [9]. Binary packages have already landed in Debian [10,11] and
the rest should follow shortly.

   [6]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034180.html
   [7]: https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/236-single-guard-node.txt
   [8]: https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html
   [9]: https://www.torproject.org/dist/
  [10]: https://tracker.debian.org/news/560607
  [11]: https://tracker.debian.org/news/560611

Security issue in Tails 1.1 and earlier
---------------------------------------

Several vulnerabilities have been discovered in I2P which is shipped in
Tails 1.1 and earlier [12]. I2P [13] is an anonymous overlay network
with many similarities to Tor. There was quite some confusion around the
disclosure process of this vulnerability. Readers are encouraged to read
what the Tails team has written about it [14].

Starting I2P in Tails normally requires a click on the relevant menu
entry. Once started, the security issues can lead to the deanonymization
of a Tails user who visits a malicious web page. As a matter of
precaution, the Tails team recommends removing the “i2p” package each
time Tails is started.

I2P has fixed the issue in version 0.9.14 [15]. It is likely to be
included in the next Tails release, but the team is also discussing [16]
implementing more in-depth protections that would be required in order
to keep I2P in Tails.

  [12]: https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/
  [13]: https://geti2p.net/
  [14]: https://tails.boum.org/news/On_0days_exploits_and_disclosure/
  [15]: https://geti2p.net/en/blog/post/2014/07/26/0.9.14-Release
  [16]: https://mailman.boum.org/pipermail/tails-dev/2014-July/006459.html

Reporting bad relays
--------------------

“Bad” relays are malicious, misconfigured, or otherwise broken Tor
relays. As anyone is free to volunteer bandwidth and processing power to
spin up a new relay, users can encounter such bad relays once in a
while. Getting them out of everyone’s circuits is thus important.

Damian Johnson and Philipp Winter have been working on improving and
documenting [17] the process of reporting bad relays. “While we do
regularly scan the network for bad relays, we are also dependent on the
wider community to help us spot relays which don’t act as they should”
wrote [18] Philipp.

When observing unusual behaviors, one way to learn about the current
exit relay before reporting it is to use the Check [19] service. This
method can be inaccurate and tends to be a little bit cumbersome. The
good news is that Arthur Edelstein is busy integrating [20] more
feedback on Tor circuits being used directly into the Tor Browser.

  [17]: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays
  [18]: https://blog.torproject.org/blog/how-report-bad-relays
  [19]: https://check.torproject.org/
  [20]: https://trac.torproject.org/projects/tor/ticket/8641#comment:12

Miscellaneous news
------------------

The Tor Project, Inc. has completed its standard financial audit for the
year 2013 [21]. IRS Form 990 [22], Massachusetts Form PC [23], and the
Financial Statements [24] are now available for anyone to review.
Andrew Lewman explained: “we publish all of our related tax documents
because we believe in transparency. All US non-profit organizations are
required by law to make their tax filings available to the public on
request by US citizens. We want to make them available for all.”

  [21]: https://blog.torproject.org/blog/transparency-openness-and-our-2013-financials
  [22]: https://www.torproject.org/about/findoc/2013-TorProject-Form990.pdf
  [23]: https://www.torproject.org/about/findoc/2013-TorProject-FormPC.pdf
  [24]: https://www.torproject.org/about/findoc/2013-TorProject-FinancialStatements.pdf

CJ announced [25] the release of orWall [26] (previously named
Torrific), a new Android application that “will force applications
selected through Orbot while preventing unchecked applications to have
network access”.

  [25]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034006.html
  [26]: https://orwall.org/

The Thali project [27] aims to use hidden services to host web content.
As part of the effort, they have written a cross-platform Java
library [28]. “The code handles running the binary, configuring it,
managing it, starting a hidden service, etc.” wrote [29] Yaron Goland.

  [27]: http://www.thaliproject.org/mediawiki/index.php?title=Main_Page
  [28]: https://github.com/thaliproject/Tor_Onion_Proxy_Library
  [29]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034046.html

Gareth Owen released [30] a Java-based Tor research framework [31]. The
goal is to enable researchers to try things out without having to deal
with the full tor source. “At present, it is a fully functional client
with a number of examples for hidden services and SOCKS. You can build
arbitrary circuits, build streams, send junk cells, etc.” wrote Gareth.

  [30]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007232.html
  [31]: https://github.com/drgowen/tor-research-framework

Version 0.2.3 of BridgeDB [32] has been deployed. Among other
changes [33], owners of riseup.net email accounts can now request
bridges through email [34].

  [32]: https://bridges.torproject.org/
  [33]: https://gitweb.torproject.org/bridgedb.git/blob/2a6d5463:/CHANGELOG
  [34]: https://bugs.torproject.org/11139#comment:15

The first candidate for Orbot 14.0.5 has been released. “This update
includes improved management of the background processes, the ability to
easily change the local SOCKS port (to avoid conflicts on some Samsung
Galaxy and Note devices), and the fancy new notification dialog, showing
your current exit IPs and country” wrote [35] Nathan Freitas.

  [35]: https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/003667.html

While working on guard nodes, George Kadianakis realized that “the data
structures and methods of the guard nodes code are not very robust”.
Nick Mathewson and George have been busy trying to come up with better
abstractions [36]. More brains working on the problem would be welcome!

  [36]: https://bugs.torproject.org/12595

Mike Perry posted [37] “a summary of the primitives that Marc Juarez
aims to implement for his Google Summer of Code project on prototyping
defenses for Website Traffic Fingerprinting and follow-on research”. Be
sure to have a look if you want to help prevent website fingerprint
attacks.

  [37]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007246.html

A new draft proposal “for making all relays also be directory servers
(by default)” has been submitted [38] by Matthew Finkel. Among the
motivations, Matthew wrote: “In a network where every router is a
directory server, the profiling and partitioning attack vector is
reduced to the guard (for clients who use them), which is already in a
privileged position for this. In addition, with the increased set size,
relay descriptors and documents are more readily available and it
diversifies the providers.” This change might make the transition to a
single guard safer. Feedback welcome!

  [38]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007247.html

Noah Rahman reported [39] on the progress of the Stegotorus Google
Summer of Code project.

  [39]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007248.html

Tor help desk roundup
---------------------

A number of Iranian Tor users have reported that Tor no longer works out
of the box in Iran, and the Tor Metrics portal shows a corresponding
drop in the number of directly-connecting users there [40]. Collin
Anderson investigated the situation and reported that the
Telecommunication Company of Iran had begun blocking the Tor network by
blacklisting connections to Tor’s directory authorities [41]. Tor users
can circumvent this block by getting bridges from BridgeDB [42] and
entering the bridge addresses they receive into their Tor Browser.

  [40]: https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2014-04-30&end=2014-07-28&country=ir&events=on#userstats-relay-country
  [41]: https://bugs.torproject.org/12727
  [42]: https://bridges.torproject.org/

Upcoming events
---------------

 Aug. 1 16:00 UTC  | Pluggable transports online meeting
                   | #tor-dev, irc.oftc.net
                   |
 Aug. 3 19:00 UTC  | Tails contributors meeting
                   | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                   | https://mailman.boum.org/pipermail/tails-project/2014-July/000000.html
                   |
 August 18         | Roger @ FOCI ’14
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/foci14
                   |
 August 20-22      | Roger @ USENIX Security Symposium ’14
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/usenixsecurity14


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
harmony, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [43], write down your
name and subscribe to the team mailing list [44] if you want to
get involved!

  [43]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [44]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140730/ac1e1623/attachment.sig>


More information about the tor-talk mailing list