========================================================================
Tor Weekly News                                      November 13th, 2013
========================================================================

Welcome to the twentieth issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the Tor community.

First beta release of Tor Browser Bundle 3.0
--------------------------------------------

The Tor Browser Bundle [1] is the Tor Project’s flagship product: an easy
and straightforward way to browse the web with anonymity and privacy.

With previous Tor Browser Bundles, users had to interact with two
different applications, Vidalia and the browser itself. Vidalia was
responsible for handling and configuring the tor daemon, and the browser
had no knowledge of the connection status and other details. The result
was confusing error messages, and mismatched user expectations.

With the 3.0 series of Tor Browser Bundle, the browser is directly
responsible for configuring and handling the tor daemon. Users only see
one single application. It’s clearer that only the browser will go
through the Tor network. Starting and stopping the browser will take care
of starting and stopping tor - no extra steps are required.

Mike Perry, Kathleen Brade, Mark Smith, Georg Koppen, among others, are
working hard to perfect many other usability and technical improvements
that are part of Tor Browser Bundle 3.0 which has now reached the “beta”
stage.

The new 3.0beta1 release [2] is based on Firefox 17.0.10esr for security
updates [3], and contains several other small improvements and
corrections.

Current users of the 3.0 alpha series should update. Others should give
it a try [4]!

   [1] https://www.torproject.org/projects/torbrowser.html
   [2] https://blog.torproject.org/blog/tor-browser-bundle-30beta1-released
   [3] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox17.0.10
   [4] https://archive.torproject.org/tor-package-archive/torbrowser/3.0b1/

A critique of website traffic fingerprinting attacks
----------------------------------------------------

For a new blog post [5], Mike Perry took the time to reflect on
fingerprinting attacks on website traffic. These are attacks “where the
adversary attempts to recognize the encrypted traffic patterns of
specific web pages without using any other information. In the case of
Tor, this attack would take place between the user and the Guard node, or
at the Guard node itself.”

In the post, Mike lays down three distinct types of adversary that could
mount fingerprinting attacks: partial blocking of Tor, identification of
visitors of a set of targeted pages, and identification of all web pages
visited by a user.

In theory, such attacks could pose devastating threats to Tor users. But
in practice, “false positives matter” together with other factors that
affect the classification accuracy. Mike gives a comprehensive
introduction to these issues before reviewing five research papers
published between 2011 and 2013. Each of them is summarized together with
its shortcomings.

Mike concludes that “defense work has not been as conclusively studied as
these papers have claimed, and that defenses are actually easier than is
presently assumed by the current body of literature.” He encourages
researchers to re-evaluate existing defenses “such as HTTPOS [6], SPDY
and pipeline randomization, Guard node adaptive padding [7], and Traffic
Morphing [8]”, and to think about “the development of additional
defenses”. Mike ends his post by mentioning that some new defenses can
also be dual purpose and help with end-to-end correlation attacks.

   [5] https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks
   [6] http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf
   [7] https://bugs.torproject.org/7028
   [8] http://freehaven.net/anonbib/cache/morphing09.pdf

The “bananaphone” pluggable transport
-------------------------------------

Pluggable transports [9] are how Tor traffic between a client and a
bridge can be transformed in order to hide it from Deep Packet Inspection
filters.

Improving upon the initial work of Leif Ryge [10], David Stainton has
been working on the new “bananaphone” pluggable transport for
obfsproxy [11]. This transport implements “reverse hash encoding”,
described by Leif Ryge as “a steganographic encoding scheme which
transforms a stream of binary data into a stream of tokens (e.g.,
something resembling natural language text) such that the stream can be
decoded by concatenating the hashes of the tokens.”

As a concrete example, using Project Gutenberg’s Don Quixote [12] as the
corpus, one can encode “my little poney” into “lock whisper: yellow
tremendous, again suddenly breathing. master’s faces; fees, beheld
convinced there calm” and back again!

While it’s probably not going to be the most compact pluggable transport,
“bananaphone” looks like a promising project.

   [9] https://www.torproject.org/docs/pluggable-transports.html
  [10] https://github.com/leif/bananaphone
  [11] https://github.com/david415/obfsproxy/tree/david-bananaphone
  [12] http://www.gutenberg.org/cache/epub/29468/pg29468.txt

Miscellaneous news
------------------

Christian Grothoff, Matthias Wachs and Hellekin Wolf are working on
getting special-use domain names for P2P networks reserved [13] according
to RFC 6761 [14]: “the goal is to reserve .onion, .exit, .i2p, .gnu and
.zkey (so that they don’t become ordinary commercial TLDs at some
point)”.

  [13] https://lists.torproject.org/pipermail/tor-talk/2013-November/031001.html
  [14] https://tools.ietf.org/html/rfc6761

The Tails team has released their report on Tails activity during the
month of October [15]. Things are happening on many fronts, have a look!

  [15] https://lists.torproject.org/pipermail/tor-reports/2013-November/000383.html

Andrea Shepard has been working on new scheduler code for Tor. Its goal
is to remove the limitation that “we can only see one channel at a time
when making scheduling decisions.” Balancing between circuits without
opening new attack vectors is tricky; Andrea is asking for comments on
potential heuristics [16].

  [16] https://lists.torproject.org/pipermail/tor-dev/2013-November/005761.html

Justin Findlay has recreated some of the website diagrams [17] in the
versatile SVG format.

  [17] https://lists.torproject.org/pipermail/tor-dev/2013-November/005762.html

Roger asked the community [18] to create a “Tor, king of anonymity”
graphic for his presentations. Griffin Boyce made a “queen of anonymity”
picture [19], Lazlo Westerhof crowned the onion [20] and Matt Pagan did
the full Tor logo [21].

  [18] https://lists.torproject.org/pipermail/tor-talk/2013-November/031001.html
  [19] http://i.imgur.com/PmuFz4n.jpg
  [20] http://i.imgur.com/vYZSu6Q.png
  [21] http://i.imgur.com/2yIMmcQ.png

David Fifield released the new Pluggable Transports Tor Browser
Bundle [22] version 2.4.17-rc-1-pt2 based on Tor Browser Bundle
2.4.17-rc-1. The only change from the previous release of the pluggable
transport bundle is a workaround [23] that makes transports resume
working on Mac OS X Mavericks.

  [22] https://blog.torproject.org/blog/pluggable-transports-bundles-2417-rc-1-pt2-firefox-17010esr
  [23] https://bugs.torproject.org/10030#comment:20

Tor help desk round-up
----------------------

Recently users have been writing the help desk asking for assistance
verifying the signature on their Tor Browser Bundle package.
These users said they found the instructions on the official Tor Project
page [24] confusing. One person reported being unsure of how to open a
terminal on their computer. Another person did not know how to save the
package signature onto the Desktop. Yet another person reported they were
able to verify the signature only after discovering that their GnuPG
program was named gpg2.exe rather than gpg.exe. A ticket on improving the
signature verification page has been opened [25].

One user mentioned wanting to use the Tor Browser Bundle as their default
browser but being unable to do so because their online bank required
Java. Java is disabled in the Tor Browser Bundle because it can bypass
the browser proxy settings and leak the client’s real IP address over the
network.

  [24] https://torproject.org/docs/verifying-signatures.html
  [25] https://bugs.torproject.org/10073

Upcoming events
---------------

Nov 18    | Damian Johnson and Lee Colleton @ TA3M-Seattle #3
          | Seattle, Washington, USA
          | https://wiki.openitp.org/events:techno-activism_3rd_mondays:seattle
          |
Nov 20    | Tor’s New Offices - Open House
          | Cambridge, Massachusetts
          | https://blog.torproject.org/events/tors-new-cambridge-offices-open-house
          |
Dec 27-30 | Tor @ 30th Chaos Communication Congress
          | Hamburg, Germany
          | https://events.ccc.de/congress/2013/

This issue of Tor Weekly News has been assembled by Lunar, dope457,
David Stainton, sqrt2, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [26], write down your
name and subscribe to the team mailing list [27] if you want to
get involved!

  [26] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [27] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
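
The “reverse hash encoding” quoted in the bananaphone item above, sketched as an added example; it is not code from bananaphone or obfsproxy. SHA-256, two bits per token, uniform random word choice and the small constructed corpus are all assumptions made for illustration.

```python
import hashlib
import random

BITS = 2  # assumption: bits carried per token; must divide 8

# Constructed sample corpus (the newsletter's example uses Don Quixote instead).
CORPUS = (
    "the quick brown fox jumps over a lazy dog while seven bright lanterns "
    "glow along every quiet harbour and old sailors whisper long stories of "
    "distant islands where silver rivers meet green valleys under open skies "
    "before morning bells call sleepy towns back from gentle dreams"
)

def token_value(token, bits=BITS):
    """The value a token stands for: the low `bits` bits of its SHA-256."""
    return hashlib.sha256(token.encode("utf-8")).digest()[-1] & ((1 << bits) - 1)

def build_model(corpus, bits=BITS):
    """Group corpus words by hash value; every value needs at least one word."""
    model = {}
    for word in sorted(set(corpus.split())):
        model.setdefault(token_value(word, bits), []).append(word)
    missing = sorted(set(range(1 << bits)) - set(model))
    if missing:
        raise ValueError(f"corpus has no token hashing to {missing}")
    return model

def encode(data, model, bits=BITS, rng=random):
    """Emit, for each `bits`-wide chunk of data, a random word with that hash."""
    mask = (1 << bits) - 1
    return " ".join(
        rng.choice(model[(byte >> shift) & mask])
        for byte in data
        for shift in range(8 - bits, -1, -bits)
    )

def decode(text, bits=BITS):
    """Concatenate the truncated hashes of the tokens back into bytes."""
    out, acc, nbits = bytearray(), 0, 0
    for token in text.split():
        acc, nbits = (acc << bits) | token_value(token, bits), nbits + bits
        if nbits == 8:
            out.append(acc)
            acc, nbits = 0, 0
    return bytes(out)

if __name__ == "__main__":
    cover = encode(b"my little poney", build_model(CORPUS))
    print(cover)
    print(decode(cover))
```

At two bits per token every payload byte costs four words of cover text, which is the compactness trade-off the item mentions. The decoder needs only the hash function and the bit width, not the corpus.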