[tor-talk] Tor Weekly News â November 5th, 2014

[Harmony <harmony01@xxxxxxxxxx>]

========================================================================
Tor Weekly News                                       November 5th, 2014
========================================================================

Welcome to the forty-fourth issue in 2014 of Tor Weekly News, the weekly
newsletter that covers whatâs happening in the Tor community.

Tor 0.2.6.1-alpha is out
------------------------

Following last weekâs stabilization of Tor 0.2.5.x, Nick Mathewson
announced [1] the first alpha release in the Tor 0.2.6.x series.
Quoting the changelog, this version âincludes numerous code cleanups and
new tests, and fixes a large number of annoying bugs. Out-of-memory
conditions are handled better than in 0.2.5, pluggable transports have
improved proxy support, and clients now use optimistic data for
contacting hidden services.â Support for some very old compilers that do
not understand the C99 programming standard, systems without threading
support, and the Windows CE operating system has also been dropped.

âThis is the first alpha release in a new series, so expect there to be
bugs.â If you want to test it out, you can find the source code in the
distribution directory [2].

  [1]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035390.html
  [2]: https://dist.torproject.org/

Tor Browser 4.0.1 is out
------------------------

Mike Perry announced [3] a bugfix release by the Tor Browser team.  This
version disables DirectShow [4], which was causing the Windows build of
Tor Browser to crash when visiting many websites [5]. This is not a
security release, but Windows users who have experienced this issue
should upgrade.

Please see Mikeâs post for the changelog, and download your copy from
the project page [6].

  [3]: https://blog.torproject.org/blog/tor-browser-401-released
  [4]: https://en.wikipedia.org/wiki/DirectShow
  [5]: https://bugs.torproject.org/13443
  [6]: https://www.torproject.org/projects/torbrowser.html

Facebook, hidden services, and HTTPS certificates
-------------------------------------------------

Facebook, one of the worldâs most popular websites, surprised the
Internet by becoming the most prominent group so far to set up a Tor
hidden service [7]. Rather than connecting through an exit relay,
Facebook users can now interact with the social network without their
traffic leaving the Tor network at all until it reaches its destination.

Soon after the service was announced, some in the Tor community
expressed concern over the implications of its unusually memorable
.onion address [8]. Had Facebook somehow mustered the computing power to
brute-force hidden service keys at will? Alec Muffett, one of the lead
engineers behind the project, clarified [9] that in fact âwe just did
the same thing as everyone else: generated a bunch of keys with a fixed
lead prefix (âfacebookâ) and then went fishing looking for good onesâ,
getting âtremendous luckyâ in the process. Those concerned by how easy
this seems, added Nick Mathewson [10], âmight want to jump in on
reviewing and improving proposal 224 [11], which includes a brand-new,
even less usable, but far more secure, name formatâ.

âWhy would you want to use Facebook over Tor?â remains a
frequently-asked (and -misunderstood) question, so Roger Dingledine took
to the Tor blog [12] to address this and related issues. âThe key point
here is that anonymity isnât just about hiding from your destination.
Thereâs no reason to let your ISP know when or whether youâre visiting
Facebook. Thereâs no reason for Facebookâs upstream ISP, or some agency
that surveils the Internet, to learn when and whether you use Facebook.
And if you do choose to tell Facebook something about you, thereâs still
no reason to let them automatically discover what city youâre in today
while you do it.â Not only that, but Facebook is now taking advantage of
the special security properties that hidden services provide, including
strong authentication (letting users be confident that they are talking
to the right server, and not to an impostor) and end-to-end encryption
of their data.

This last point generated some confusion, since Facebook have also
acquired an HTTPS certificate for their hidden service, which might seem
like an unnecessary belt-and-suspenders approach to security. This has
been the subject of âfeisty discussionsâ in the Internet security
community, with many points for and against: on the one hand, users have
been taught that âhttps is necessary and http is scary, so it makes
sense that users want to see the string âhttpsâ in front ofâ URLs, while
on the other, âby encouraging people to pay Digicert weâre reinforcing
the certificate authority business model when maybe we should be
continuing to demonstrate an alternative.â

Please see Rogerâs post for a fuller discussion of all these points and
more, and feel free to contribute your own thoughts on the tor-talk
mailing list [13]. If you experience problems with the service, please
contact Facebook support rather than the Tor help desk; as Alec wrote in
the announcement, âwe expect the service to be of an evolutionary and
slightly flaky natureâ, as it is an âexperimentâ â hopefully an
experiment that will, as Roger suggested, âhelp to continue opening
peopleâs minds about why they might want to offer a hidden service, and
help other people think of further novel uses for hidden services.â

  [7]: https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
  [8]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035403.html
  [9]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035413.html
 [10]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035416.html
 [11]: https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/224-rend-spec-ng.txt
 [12]: https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs
 [13]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Monthly status reports for October 2014
---------------------------------------

The wave of regular monthly reports from Tor project members for the
month of October has begun. Juha Nurmi released his report first [14],
followed by reports from Georg Koppen [15], Sherief Alaa [16], Pearl
Crescent [17], Lunar [18], Harmony [19], Sukhbir Singh [20], Colin
C. [21], Leiah Jansen [22], Nick Mathewson [23], Arlo Breault [24], Noel
Torres [25], and George Kadianakis [26].

Lunar reported on behalf of the help desk [27], Arturo Filastà for the
OONI team [28], and Mike Perry for the Tor Browser team [29].

 [14]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000677.html
 [15]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000678.html
 [16]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000679.html
 [17]: https://lists.torproject.org/pipermail/tor-reports/2014-October/000680.html
 [18]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000682.html
 [19]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000683.html
 [20]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000684.html
 [21]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000685.html
 [22]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000687.html
 [23]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000688.html
 [24]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000689.html
 [25]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000690.html
 [26]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000691.html
 [27]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000681.html
 [28]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000686.html
 [29]: https://lists.torproject.org/pipermail/tor-reports/2014-November/000692.html

Miscellaneous news
------------------

Mike Perry updated [30] the Tor Browser design document [31] to cover
Tor Browser version 4.0 â âFeedback welcome! Patches are even more
welcomer!â

 [30]: https://lists.torproject.org/pipermail/tbb-dev/2014-October/000148.html
 [31]: https://www.torproject.org/projects/torbrowser/design/

Israel Leiva sent out an update [32] on the progress of the GetTor
redevelopment project.

 [32]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007700.html

David Fifield distributed [33] a graph [34] of âthe number of
simultaneous relay users for every country, one country per rowâ.

 [33]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007697.html
 [34]: https://people.torproject.org/~dcf/graphs/relays-all.pdf

David also sent out a summary [35] of the costs incurred by the meek
pluggable transport, which have increased significantly following its
incorporation into the latest stable Tor Browser and the consequent
âexplosionâ in use.

 [35]: https://lists.torproject.org/pipermail/tor-dev/2014-November/007716.html

Esfandiar Mohammadi announced [36] the MATor project [37] and
accompanying paper. MATor is a tool that âassesses the influence of
Torâs path selection on a userâs anonymityâ; âsince MATor is an ongoing
project, we would appreciate your opinion about the approach in
general.â

 [36]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007692.html
 [37]: http://www.infsec.cs.uni-saarland.de/projects/anonymity-guarantees/mator.html

Tor help desk roundup
---------------------

The help desk has been asked if Tor Browser acts as a relay by default.
Tor Browserâs Tor by default acts only as a client, and not as a bridge
relay, exit relay, or relay. Additionally, this is unlikely to change in
the future [38]. 

 [38]: https://www.torproject.org/docs/faq#EverybodyARelay

Upcoming events
---------------

  Nov 03 - 07      | Roger @ WPES and CCS
                   | Phoenix, Arizona, USA
                   | https://www.cylab.cmu.edu/news_events/events/wpes2014/
                   | http://www.sigsac.org/ccs/CCS2014/
                   |
  Nov 05 16:00 UTC | Pluggable transports meeting
                   | #tor-dev, irc.oftc.net
                   |
  Nov 06 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tor-dev/2014-November/007714.html
                   |
  Nov 07 17:00 CET | OONI development meeting
                   | #ooni, irc.oftc.net
                   |
  Nov 10 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
                   |
  Nov 11 17:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
Karsten Loesing, and Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [39], write down your
name and subscribe to the team mailing list [40] if you want to
get involved!

 [39]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [40]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk