[tor-talk] Tor Weekly News — April 8th, 2015
Harmony
harmony01 at riseup.net
Wed Apr 8 20:51:24 UTC 2015
========================================================================
Tor Weekly News April 8th, 2015
========================================================================
Welcome to the fourteenth issue in 2015 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the Tor community.
Tor 0.2.5.12 and 0.2.6.7 are out
--------------------------------
Roger Dingledine announced [1] new releases in both the stable and alpha
series of the core Tor software. Tor 0.2.5.12 and 0.2.6.7 both contain
fixes for two security bugs that could be used to crash either onion
services or clients trying to visit onion services. The releases also
make it harder for attackers to overwhelm onion services by launching
lots of introductions. For full details, please see the release
announcement.
The bugs fixed in these releases are not thought to affect the anonymity
of Tor clients or onion services. However, they could be annoying if
exploited, so onion service operators should upgrade as soon as
possible, while Tor Browser users will be updated with the upcoming Tor
Browser stable release.
[1]: https://blog.torproject.org/blog/tor-02512-and-0267-are-released
Tor Summer of Privacy — apply now!
----------------------------------
Some of Tor’s most active contributors and projects got their start
thanks to Google’s Summer of Code [2], in which the Tor Project has
successfully participated for a number of years. This year, Google have
decided to focus on encouraging newer, smaller projects, so rather than
miss out on the benefits of this kind of intense coding program, Tor is
launching its own Summer of Privacy, as Kate Krauss announced on the Tor
blog [3].
The format is the same as before: students have the opportunity to work
on new or existing open-source privacy projects, with financial
assistance from the Tor Project and expert guidance from some of the
world’s most innovative privacy and security engineers.
If that appeals to you (or someone you know), then see Kate’s
announcement and the official TSoP page [4] for more information on the
program and how to apply. Applications close on the 17th of this month,
so don’t leave it too late!
[2]: https://developers.google.com/open-source/soc/?csw=1
[3]: https://blog.torproject.org/blog/tor-summer-privacy-apply-now-0
[4]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
Should onion services disclose how popular they are?
----------------------------------------------------
Even on the non-private web, it is not possible by default to determine
how popular a certain website is. Search engines and third-party
tracking toolbars might be able to estimate the number of visitors a
website gets, but otherwise the information is only available to the
site’s operators or to groups who are able to measure DNS requests (as
well as anyone in a position to eavesdrop on those two).
On the tor-dev mailing list, George Kadianakis posted a detailed
exploration [5] of this issue considered from the perspective of Tor
onion services. If improvements and additions to the onion service
design would as a side effect give an observer an idea of how popular a
certain service is, should this be considered a security risk?
Some of the arguments put forward for the inclusion of
popularity-leaking features are that they enable the collection of
useful statistics; that they allow further optimization of the onion
service design; and that concealing onion service popularity might not
be necessary or even possible.
On the other hand, disclosing popularity might help an adversary decide
where to aim its attacks; it may not actually offer significant
performance or research benefits; and it may surprise onion service
users and operators who assume that onionspace popularity is no easier
to discover than on the non-private web.
“I still am not 100% decided here, but I lean heavily towards the
‘popularity is private information and we should not reveal it if we can
help it’ camp, or maybe in the ‘there needs to be very concrete positive
outcomes before even considering leaking popularity’”, writes George.
“Hence, my arguments will be obviously biased towards the negatives of
leaking popularity. I invite someone from the opposite camp to
articulate better arguments for why popularity-hiding is something worth
sacrificing.”
Please see George’s analysis for in-depth explanations of all these
points and more, and feel free to contribute with your own thoughts.
[5]: https://lists.torproject.org/pipermail/tor-dev/2015-April/008597.html
More monthly status reports for March 2015
------------------------------------------
The wave of regular monthly reports from Tor project members for the
month of March continued, with reports from Georg Koppen [6] (for work
on Tor Browser), David Goulet [7] and George Kadianakis [8] (working on
onion services), Griffin Boyce [9] (with news on secure software
distribution, onion service setup, and Tails), Sherief Alaa [10] (with
updates about support and Arabic localization), Leiah Jansen [11]
(working on communication and graphic design), Sebastian Hahn [12]
(improving testability and fixing website issues), and Sukhbir
Singh [13] (for work on TorBirdy and Tor Messenger).
Mike Perry reported on behalf of the Tor Browser team [14], while George
Kadianakis did so for SponsorR work [15], Israel Leiva for the GetTor
project [16], and Colin C. for the Tor help desk [17].
[6]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000789.html
[7]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000790.html
[8]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000794.html
[9]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000791.html
[10]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000792.html
[11]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000795.html
[12]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000799.html
[13]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000801.html
[14]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000793.html
[15]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000796.html
[16]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000797.html
[17]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000798.html
Miscellaneous news
------------------
Nathan Freitas announced [18] version 15 beta 1 of Orbot, which is
“functionality complete”. “The main area for testing is using the Apps
VPN mode while switching networks and/or in bad coverage, as well as
using it in combination with Meek or Obfs4, for example. Also, the
implementation is a bit different between Android 4.x and 5.x, so please
report any difference you might see there.”
[18]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-April/004298.html
Nathan also shared [19] Amogh Pradeep’s analysis of the network calls
made in the latest version of the Firefox for Android source code, “to
get our Orfox effort started again”.
[19]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-April/004300.html
This week in Tor history
------------------------
A year ago this week, Nathan Freitas reported [20] that the number of
Orbot users in Turkey had quadrupled in the previous month, after an
order by the Turkish government to block access to several popular
social media websites led to a surge in Tor connections [21]. This
week, the same thing happened (albeit more briefly) [22], leading to
another increase in Tor use within Turkey [23].
The best time to prepare for these censorship events is before they
happen — and that includes letting people around you know what they
should do to ensure their freedom of expression remains uninterrupted.
Show them the Tor animation [24] and Tor brochures [25], help them
install Tor Browser [26] and Orbot [27], and teach them how to configure
their social media applications to connect over Tor [28]. If you make a
habit of browsing over Tor, you may not even have to take any notice
when things get blocked!
[20]: https://lists.torproject.org/pipermail/tor-talk/2014-April/032574.html
[21]: https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-relay-country&start=2014-01-08&end=2014-04-08&country=tr&events=off
[22]: https://twitter.com/guardianproject/status/585114389826502656
[23]: https://metrics.torproject.org/userstats-bridge-country.html?graph=userstats-bridge-country&start=2015-03-15&end=2015-04-08&country=tr
[24]: https://blog.torproject.org/blog/releasing-tor-animation
[25]: https://blog.torproject.org/blog/spread-word-about-tor
[26]: https://www.torproject.org/projects/torbrowser.html
[27]: https://guardianproject.info/apps/orbot/
[28]: https://guardianproject.info/2012/05/02/orbot-your-twitter/
Upcoming events
---------------
Apr 09 15:00 UTC | SponsorO support and documentation meeting
                 | #tor-project, irc.oftc.net
                 |
Apr 13 18:00 UTC | Tor Browser online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2015-March/000248.html
                 |
Apr 13 18:00 UTC | OONI development meeting
                 | #ooni, irc.oftc.net
                 |
Apr 14 18:00 UTC | little-t tor patch workshop
                 | #tor-dev, irc.oftc.net
                 |
Apr 16 - 18      | Roger @ 2015 German-American Frontiers of Engineering Symposium
                 | Potsdam, Germany
                 | http://www.naefrontiers.org/Symposia/GAFOE/21649/44840.aspx
                 |
Apr 24           | Roger @ CTIC Privacy Conference
                 | University of Pennsylvania Law School
                 | https://www.law.upenn.edu/newsevents/calendar.php#event_id/48977/view/event
This issue of Tor Weekly News has been assembled by Harmony, nicoo, and
Roger Dingledine.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [29], write down your
name and subscribe to the team mailing list [30] if you want to
get involved!
[29]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[30]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team