
[tor-talk] Tor Weekly News — October 1st, 2014



========================================================================
Tor Weekly News                                        October 1st, 2014
========================================================================

Welcome to the thirty-ninth issue in 2014 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the Tor community.

Tor 0.2.4.24 and 0.2.5.8-rc are out
-----------------------------------

Roger Dingledine announced [1] new releases in both the stable and the
alpha branches of the core Tor software. Clients accessing hidden
services should experience faster and more robust connections as they
will now send the correct rendezvous point address. “They used to send
the wrong address, which would still work some of the time because they
also sent the identity digest of the rendezvous point, and if the hidden
service happened to try connecting to the rendezvous point from a relay
that already had a connection open to it, the relay would reuse that
connection”. This fix also prevents the endianness [2] of the client’s
system from being leaked to the hidden service.

The only other changes in these releases are an update of the geoip
databases and the location of the gabelmoo directory authority [3]. As
usual, you can download the source code from the Tor distribution
directory [4].

  [1]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034937.html
  [2]: https://en.wikipedia.org/wiki/Endianness
  [3]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034898.html
  [4]: https://www.torproject.org/dist/

Tor Browser 3.6.6 and 4.0-alpha-3 are out
-----------------------------------------

Mike Perry announced two new releases by the Tor Browser team. Tor
Browser 3.6.6 [5] includes a workaround for the bug [6] that has
sometimes been preventing the browser window from opening after an
apparently successful connection to the Tor network; it also stops
intermediate SSL certificates from being written to disk. In addition to
these fixes, Tor Browser 4.0-alpha-3 [7] resolves a number of issues to
do with the upcoming Tor Browser updater, including the mistaken upgrade
of non-English Tor Browsers to the English-language version. As this bug
is only fixed in the new release, users upgrading from 4.0-alpha-2 will
still experience this issue during the process. Furthermore, “meek
transport users will need to restart their browser a second time after
upgrade if they use the in-browser updater. We are still trying to get
to the bottom of this issue [8]”, wrote Mike.

Both releases also include important Firefox security updates, so all
users should upgrade as soon as possible. See Mike’s announcements for
full details, and get your copy from the project page [9] or the
distribution directory [10].

  [5]: https://blog.torproject.org/blog/tor-browser-366-released
  [6]: https://bugs.torproject.org/10804
  [7]: https://blog.torproject.org/blog/tor-browser-40-alpha-3-released
  [8]: https://bugs.torproject.org/13247
  [9]: https://www.torproject.org/projects/torbrowser.html
 [10]: https://www.torproject.org/dist/torbrowser/

Tails 1.1.2 is out
------------------

The second point release in the Tails 1.1.x series was put out [11] by
the Tails team, “mainly to fix a serious flaw in the Network Security
Services (NSS) library used by Firefox and other products that allows
attackers to create forged RSA certificates. Before this release, users
on a compromised network could be directed to sites using a fraudulent
certificate and mistake them for legitimate sites.”

Other packages affected by recently-disclosed security flaws and updated
in this version include APT, bash, and GnuPG, so all Tails users should
make sure to upgrade as soon as possible. If you have a running copy of
Tails, you can make use of the incremental upgrades system; otherwise,
head to the download page [12] for more information.

 [11]: https://tails.boum.org/news/version_1.1.2/
 [12]: https://tails.boum.org/download/index

obfs4 is ready for general deployment: bridge operators needed!
---------------------------------------------------------------

Pluggable transports [13], the circumvention techniques which allow
users to access the Tor network from censored areas by disguising the
fact that the Tor protocol is being used, are about to take another step
forward with the release of obfs4, and Yawning Angel sent out [14] a
brief discussion of this new protocol.

obfs4 offers a number of developments over the obfs3 and ScrambleSuit
protocols, until now the most sophisticated pluggable transports in use
on the Tor network. Like ScrambleSuit, obfs4 improves on obfs3 to
“provide resilience against active attackers and to disguise flow
signatures” [15], while a safer and more efficient key-exchange process
than ScrambleSuit’s should make it impossible for attackers to launch
man-in-the-middle attacks based on the client/bridge shared secret.

Like its predecessors in the obfsproxy series, obfs4 is a bridge-based
transport, meaning that volunteers are needed to operate relays running
an implementation of the new protocol before users can take advantage of
it. The current implementation, obfs4proxy, is now available to download
either as source code [16] or as a package from Debian’s unstable
repositories [17]. Those who want to try browsing over the new protocol
can download Yawning’s experimental Tor Browsers [18], and if you’re
willing to run an obfs4 bridge, please see Yawning’s message for all the
relevant details — “questions, comments, and bridges appreciated”!

 [13]: https://www.torproject.org/docs/pluggable-transports
 [14]: https://lists.torproject.org/pipermail/tor-relays/2014-September/005372.html
 [15]: https://gitweb.torproject.org/pluggable-transports/obfs4.git/blob/refs/heads/master:/doc/obfs4-spec.txt
 [16]: https://gitweb.torproject.org/pluggable-transports/obfs4.git
 [17]: https://packages.debian.org/sid/obfs4proxy
 [18]: https://people.torproject.org/~yawning/volatile/tor-browser-obfs4-20140926/

Miscellaneous news
------------------

Anthony G. Basile announced [19] the release of version 20140925 of
tor-ramdisk, the micro Linux distribution whose only purpose is to host
a Tor server in an environment that maximizes security and privacy. This
release includes updates to Tor, BusyBox, OpenSSL, and the Linux kernel.

 [19]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034950.html

As part of the current push to better understand hidden services and
their use on the Tor network, Roger Dingledine asked [20] relay
operators who are “comfortable compiling Tor from git” and who “want to
help investigate what fraction of Tor network load comes from hidden
service use” to check out the new hs-stats git branch. This version
“will collect per-thirty-minute statistics about number of circuits and
number of cells your relay sees that have to do with exiting, with
hidden services, with circuits where you're not the final hop, and a
fourth none-of-the-above category”, which can then be posted to the
appropriate ticket on the bug tracker [21] or sent to Roger directly.

 [20]: https://lists.torproject.org/pipermail/tor-relays/2014-September/005352.html
 [21]: https://bugs.torproject.org/13192

Yawning Angel sent [22] a “friendly reminder” to ScrambleSuit bridge
operators, asking them to upgrade to tor-0.2.5.x if they haven’t
already: “If you are running a ScrambleSuit bridge with tor-0.2.4.x, it
is useless. Users that happen to be served your ScrambleSuit bridge will
not be able to connect, because the password is missing”.

 [22]: https://lists.torproject.org/pipermail/tor-relays/2014-September/005344.html

Mike Perry asked [23] relay operators, particularly those running exit
relays, to contribute information about the “hardware, CPU cores, and
uplink” of their servers, and how much these cost per month, in order to
“put together some estimates on bounds of the current value and cost of
the capacity of the Tor network as it is, and use that to generate some
rough guestimates on what it would cost to grow it”.

 [23]: https://lists.torproject.org/pipermail/tor-relays/2014-September/005335.html

In response to the possible integration of Tor as a “private browsing
mode” by a major browser vendor, Andrew Lewman kicked off [24] a
discussion of ways in which the Tor network might be scaled up to
accommodate “hundreds of millions” of extra users.

 [24]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007533.html

Tor help desk roundup
---------------------

In Firefox, it is possible to drag a URL from the Navigation Toolbar to
the Desktop in order to create a shortcut to a website, and the help
desk has been asked why this functionality is disabled in Tor Browser. A
Desktop shortcut to a URL, when clicked, would be opened by the
operating system’s default browser, not by Tor Browser. Permitting this
behavior would open the door to confusion as to whether or not a user
was visiting a link over Tor, and would violate the “Proxy Obedience”
requirement of the Tor Browser design [25].

 [25]: https://www.torproject.org/projects/torbrowser/design/#proxy-obedience

News from Tor StackExchange
---------------------------

Tor StackExchange has started its site self-evaluation for September
2014 [26]. Ten questions were selected [27] and you’re asked to review
them. Are they good or is there room for improvement? Please have a look
at the questions and rate them.

 [26]: https://meta.tor.stackexchange.com/q/221/88
 [27]: http://tor.stackexchange.com/review/site-eval

Jens Kubieziel noted that users mix up the terms Tor, Tor Browser and
torbrowser-launcher [28], so he explained each of them to users of the
Q&A page.

 [28]: https://tor.stackexchange.com/q/4192/88

Upcoming events
---------------

 Oct 01 13:30 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
                  |
 Oct 03 17:00 CET | OONI development meeting
                  | #ooni, irc.oftc.net
                  |
 Oct 03 21:00 CET | Tails contributors meeting
                  | #tails-dev, irc.indymedia.org/h7gf2ha3hefoj5ls.onion
                  | https://mailman.boum.org/pipermail/tails-project/2014-September/000037.html
                  |
 Oct 06 18:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
                  |
 Oct 06 08:30 PDT | Roger @ ICSI “1984+30” panel
                  | UC Berkeley, California, USA
                  | http://www.icsi.berkeley.edu/icsi/events/2014/10/1984-plus-30
                  |
 Oct 23 10:10 CET | Andrew @ Broadband World Forum
                  | Amsterdam, Netherlands
                  | http://broadbandworldforum.com/agenda/day-3/#81301


This issue of Tor Weekly News has been assembled by harmony, qbi, Lunar,
Matt Pagan, dope457, and Yawning Angel.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [29], write down your
name and subscribe to the team mailing list [30] if you want to
get involved!

 [29]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [30]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team