========================================================================
Tor Weekly News October 23th, 2013
========================================================================
Welcome to the seventeenth issue of Tor Weekly News, the weekly
newsletter that covers what is happening in the guarding Tor community.
Torâs anonymity and guards parameters
-------------------------------------
In a lengthly blog postÂ[1], Roger Dingledine looked back on three
research papers published in the past year. Some of them have been
covered and most of the time misunderstood by the press. A good recap of
the research problems, what the findings mean and possible solutions
hopefully will help everyone understand better.
Introduced in 2005Â[2], entry guards were added to recognise that âsome
circuits are going to be compromised, but itâs better to increase your
probability of having no compromised circuits at the expense of also
increasing the proportion of your circuits that will be compromised if
any of them are.â Roger âoriginally picked âone or two monthsâ for guard
rotationâ but the initial parameters called for more in-depth
researchÂ[3].
That call was heard by âthe Tor research communityÂ[4], and itâs great
that Tor gets such attention. We get this attention because we put so
much effort into making it easyÂ[5] for researchers to analyze Tor.â In
his writing Roger highlights the finding of three papers. Two of them
published at WPES 2012 and Oakland 2013, and another upcoming at
CCS 2013.
These research efforts highlighted several issues in the way Tor handles
entry guards. Roger details five complementary fixes: using fewer
guards, keeping the same guards for longer, better handling of brief
unreachability of a guard, making the network bigger, and smarter
assignment of the guard flag to relays. Some will require further
research to identify the best solution. There are also other aspects
regarding systems which donât currently record guards such as Tails, how
pluggable transports could prevent attackers from recognising Tor users,
or enhancing measurements from the bandwidth authoritiesâ
The whole blog post is insightful and is a must read for everyone who
wishes to better understand some of Torâs risk mitigation strategies. It
is also full of little and big things where you could make a difference!
[1]Âhttps://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
[2]Âhttps://blog.torproject.org/blog/top-changes-tor-2004-design-paper-part-2
[3]Âhttps://blog.torproject.org/blog/research-problem-better-guard-rotation-parameters
[4]Âhttp://freehaven.net/anonbib/
[5]Âhttps://research.torproject.org/
Hidden Service research
-----------------------
George Kadianakis posted a list of items that need work in the Hidden
Service areaÂ[6]. Despite not being exhaustive, the list contains many
items that might help with upgrading the Hidden Service design, be it
around security, performance, guard issues or âpetnameâ systems.
Help and comments are welcome!
[6]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-October/005637.html
Usability issues in existing OTR clients
----------------------------------------
The consensus after the first round of discussions and research done in
the prospect of providing a new secure instant-messaging Tor bundleÂ[7]
is to use Mozilla Instantbird at its core. Arlo Breault sent out a draft
planÂ[8] on how to do so.
Instantbird currently lacks a core feature to turn it into the Tor
Messenger: support for the OTRÂ[9] protocol for encrypted chat. Now is
thus a good time to gather usability issues in existing OTR clients.
Mike Perry kicked off the discussionÂ[10] by pointing out several
deficiencies regarding problems with multiple clients, key management
issues, and other sub-optimal behaviour.
Ian GoldbergÂâ original author of the pervasive OTR plugin for PidginÂâ
pointed outÂ[11] that at least one of the behaviour singled out by Mike
was âdone on purpose. The thing itâs trying to prevent is that Alice and
Bob are chatting, and Bob ends OTR just before Alice hits Enter on her
message. If Aliceâs client went to âNot privateâ instead of âFinishedâ,
Aliceâs message would be sent in the clear, which is undesirable.
Switching to âFinishedâ makes Alice have to actively acknowledge that
the conversation is no longer secure.â
This tradeoff is a good example of how designing usable and secure user
interfaces can be hard. Usability, in itself, is an often overlooked
security feature. Now is a good time to contribute your ideas!
[7]Âhttps://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
[8]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-October/005616.html
[9]Âhttps://otr.cypherpunks.ca/
[10]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-October/005636.html
[11]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-October/005640.html
Tor Help Desk Roundup
---------------------
The Tor Help Desk continues to be bombarded with help requests from
users behind university proxies who cannot use ORPort bridges or the
Pluggable Transports Browser to circumvent their networkâs firewall.
Although the cases are not all the same, bridges on port 443 or port 80
do not always suffice to circumvent such proxies.
Ubuntu 13.10 (Saucy Salamander) was released this week. One user
reported their Tor Browser Bundle behaving unusually after updating
their Ubuntu operating system. This issue was resolved by switching to
the Tor Browser Bundle 3. Another user asked when Tor APT repositories
would have packages for Saucy Salamander. Since then, packages for the
latest version of Ubuntu have been made available from the usual
deb.torproject.org.
Miscellaneous news
------------------
Tails has issued a call for testingÂ[12] of its upcoming 0.21 release.
The new version contains two security fixes regarding access to the Tor
control port and persistent settingsÂ[13] among other improvements and
package updatesÂ[14]. âTest wildly!â as the Tails team wrote.
[12]Âhttps://tails.boum.org/news/test_0.21-rc1/
[13]Âhttps://git-tails.immerda.ch/tails/plain/wiki/src/doc/first_steps/persistence/upgrade.mdwn?h=bugfix/safer-persistence
[14]Âhttps://git-tails.immerda.ch/tails/plain/debian/changelog?id=0.21-rc1
Andrew Lewman was invited to speak at SECURE Poland 2013Â[15] and sent a
report on his tripÂ[16] to Warsaw.
[15]Âhttp://www.secure.edu.pl/
[16]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-October/000364.html
Tails developers are looking for Mac and PC hardware with UEFIÂ[17]. If
you have some spare hardware, please consider a donation!
[17]Âhttps://tails.boum.org/news/Mac_and_PC_UEFI_hardware_needed/
Ximin Luo has been the first to create a ticket with 5 digitsÂ[18] on
Tor tracker. At the current rate, ticket #20000 should happen by the end
of 2015â Or will the projectâs continued growth make this happen sooner?
[18]Âhttps://bugs.torproject.org/10000
Roger Dingledine reportedÂ[19] on his activities for September and
October. Arturo Filastà also reportedÂ[20] on his September.
[19]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-October/000365.html
[20]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-October/000366.html
Runa Sandvik continues her work on the new, more comprehensible Tor User
ManualÂ[21]. The first draft is already outÂ[22]. Please review and
contribute.
[21]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-October/005649.html
[22]Âhttps://bugs.torproject.org/5811
Aaron published a branch with his work on a Tor exit scanner based on
OONIÂ[23].
[23]Âhttps://github.com/TheTorProject/ooni-probe/tree/feature/tor_test_template
Upcoming events
---------------
Oct 25 | Matt @ EPIC and Public Citizenâs CryptoParty
| Washington, DC, USA
| https://epic.org/events/cryptoparty/
|
Nov 04 | Workshop on Privacy in the Electronic Society
| Berlin, Germany
| http://wpes2013.di.unimi.it/
|
Nov 04-05 | 20th ACM Conference on Computer and Communications Security
| Berlin, Germany
| http://www.sigsac.org/ccs/CCS2013/
This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
dope457, George Kadianakis, Philipp Winter and velope.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project pageÂ[24], write down your name
and subscribe to the team mailing listÂ[25] if you want to get involved!
[24]Âhttps://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[25]Âhttps://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk