
[tor-talk] Tor Weekly News - April 2nd, 2014



========================================================================
Tor Weekly News                                          April 2nd, 2014
========================================================================

Welcome to the thirteenth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Project website redesign takes two steps forward
----------------------------------------------------

Andrew Lewman put out two calls for help with the ongoing Tor Project
website redesign: one for the sponsor page [1], and another for the
download area [2]. Both were immediately met with proposals and design
suggestions from the www-team mailing list: Olssy produced two
mock-ups [3] of the sponsorship page as possible models for further
work, while William Papper and Lance Tuller have been working on a
repository [4] for the download page, with comments from other list
members on topics such as the use of Javascript and possible layout
decisions.

If you’d like to give the website redesign further momentum, please see
the dedicated project page on the wiki [5] for open tickets and advice
on how to contribute, then come to the www-team mailing list [6] and
join in!

   [1]: https://lists.torproject.org/pipermail/www-team/2014-March/000238.html
   [2]: https://lists.torproject.org/pipermail/www-team/2014-March/000249.html
   [3]: http://tor.harrytuttle.net/
   [4]: https://github.com/wpapper/tor-download-web
   [5]: https://trac.torproject.org/projects/tor/wiki/Website
   [6]: https://lists.torproject.org/cgi-bin/mailman/listinfo/www-team

QR codes for bridge addresses
-----------------------------

Since most pocket computers (sometimes called “phones”) and laptops
began incorporating cameras, QR codes [7] have become a ubiquitous way
to enter short sequences of data into our devices. URLs are the
canonical example, but the process also works for Bitcoin addresses or
OpenPGP fingerprints [8].

Bridges are the standard tool for circumventing filters that prevent
access to the Tor network. Users currently enter bridge addresses in Tor
by copy/pasting from the BridgeDB web page [9] or auto-responder email.
But manually giving IP addresses and fingerprints to Orbot on
keyboard-less devices is an error-prone process.

QR codes might be a solution to this problem. They could also enable
peer-to-peer exchange among friends, or circumvention strategies
involving IPv6 addresses and paper. According to Isis Lovecruft, adding
QR codes to the BridgeDB web interface would be easy [10]. Would any
reader feel like hacking Orbot [11] or the Tor Launcher [12] Firefox
extension (see relevant documentation [13] and API [14])?

   [7]: https://en.wikipedia.org/wiki/QR_code
   [8]: http://web.monkeysphere.info/monkeysign/
   [9]: https://bridges.torproject.org/
  [10]: https://bugs.torproject.org/11345
  [11]: https://bugs.torproject.org/5096
  [12]: https://gitweb.torproject.org/tor-launcher.git
  [13]: https://developer.mozilla.org/en-US/docs/WebRTC/taking_webcam_photos
  [14]: https://developer.mozilla.org/en-US/docs/Web/API/Navigator.getUserMedia

Client identification in hidden service applications
----------------------------------------------------

Applications behind hidden services currently cannot easily
differentiate between client connections. Tor will make a different
local TCP connection for each connection it receives, but the software
is unable to tell if they are coming from the same circuit. Harry
SeventyOne felt [15] the latter would be useful to enable applications
for diagnostic log analysis, identifying traffic trends, rate-limiting
or temporarily blocking operations coming from the same client.

Harry sent a very rough patch to the Tor development mailing list which
enables circuit distinction by using a different source IP address from
the IPv4 localhost pool (127.0.0.0/8) for each circuit. Nick Mathewson
liked the idea [16] and gave several comments about the preliminary
patch. Hopefully this work will make the life of hidden service
operators easier in the future.

  [15]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006576.html
  [16]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006610.html
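
How an application behind a hidden service could use per-circuit
loopback source addresses for rate-limiting, as an added example (not
code from Harry's patch or from Tor). It assumes each circuit arrives
from its own address in 127.0.0.0/8 and that an unpatched Tor connects
from 127.0.0.1; the class name, limits and sample events are made up.

```python
import ipaddress
import time
from collections import defaultdict, deque

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
SHARED = ipaddress.ip_address("127.0.0.1")  # assumption: unpatched Tor uses this for all circuits


class CircuitRateLimiter:
    """Sliding-window limiter keyed on the loopback source address of each connection."""

    def __init__(self, max_conns=3, window=10.0, clock=time.monotonic):
        self.max_conns = max_conns
        self.window = window
        self.clock = clock
        self.seen = defaultdict(deque)  # source address -> times of accepted connections

    def check(self, peer_ip):
        """Return 'accept', 'throttle', 'reject' or 'unkeyed' for one new connection."""
        addr = ipaddress.ip_address(peer_ip)
        if addr not in LOOPBACK:
            return "reject"    # the backend should only ever hear from the local tor
        if addr == SHARED:
            return "unkeyed"   # circuits are indistinguishable; a per-key limit would hit everyone
        now = self.clock()
        stamps = self.seen[addr]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()   # forget connections that fell out of the window
        if len(stamps) >= self.max_conns:
            return "throttle"
        stamps.append(now)
        return "accept"


def replay(events, **kwargs):
    """Run constructed (time, peer_ip) events through a limiter and return the decisions."""
    t = [0.0]
    limiter = CircuitRateLimiter(clock=lambda: t[0], **kwargs)
    out = []
    for when, ip in events:
        t[0] = when
        out.append(limiter.check(ip))
    return out


# Constructed sample: two circuits, one unpatched-style connection, one non-loopback peer.
SAMPLE = [(0, "127.0.0.2"), (1, "127.0.0.2"), (2, "127.0.0.3"), (3, "127.0.0.2"),
          (4, "127.0.0.2"), (5, "127.0.0.1"), (6, "192.0.2.7"), (12, "127.0.0.2")]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The key identifies a circuit, not a person: a client that builds a new
circuit gets a new address, so this bounds per-circuit load only.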

Monthly status reports for March 2014
-------------------------------------

The wave of regular monthly reports from Tor project members for the
month of March has begun. Georg Koppen released his report first [17],
followed by reports from Pearl Crescent [18], Damian Johnson [19],
Sherief Alaa [20], Nick Mathewson [21], Matt Pagan [22], Lunar [23], and
Karsten Loesing [24].

Lunar also reported help desk statistics [25].

  [17]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000487.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000488.html
  [19]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000489.html
  [20]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000490.html
  [21]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000491.html
  [22]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000492.html
  [23]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000494.html
  [24]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000495.html
  [25]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000493.html

Miscellaneous news
------------------

An extensive guide to hacking on Tor Browser was posted [26] to the Tor
Project’s wiki by Mike Perry. Among other things, it covers the
browser’s build instructions, design principles and testing procedures,
as well as a summary of how browser team members organize and
communicate. If you’d like to get involved in Tor Browser development,
please take a look!

  [26]: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking

Nicholas Hopper followed up [27,28] on George Kadianakis’ research on
switching to a single guard. He used Aaron Johnson’s TorPS simulator to
find out the “typical” bandwidth for a client. The conclusions match
George’s: a single guard and a bandwidth cutoff of 2 Mbit/s would
improve over the current situation. George subsequently sent an initial
draft proposal [29] to start the formal process.

  [27]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006563.html
  [28]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006575.html
  [29]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006570.html

BridgeDB version 1.6 was deployed on March 26th [30]. Thanks to Isis
Lovecruft, users should now be able to solve the CAPTCHA again [31]. A
custom solution is now used instead of Google’s reCAPTCHA services which
will give more flexibility in the future.

  [30]: https://gitweb.torproject.org/bridgedb.git/commit/f266f32
  [31]: https://bugs.torproject.org/10809

John Brooks presented [32] Torsion, “a ready-to-use hidden service
instant messaging client”. “I’m looking for people to try it out,
validate my ideas and implementation, and help plan the future”, wrote
John. You can consult the design documentation and build instructions on
Github [33]; please share your comments with the community!

  [32]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032476.html
  [33]: https://github.com/special/torsion

Martin Weinelt shared [34] a plugin [35] that generates graphs in the
Munin network monitoring tool [36] from data provided by Tor, using
Stem [37]. “At the moment it supports a connection graph, getting its
data from orconn-status. More graphs are possible, but not yet
implemented. Ideas are welcome,” wrote Martin.

  [34]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004168.html
  [35]: https://github.com/mweinelt/munin-tor
  [36]: http://munin-monitoring.org/
  [37]: https://stem.torproject.org/

Amid the ongoing censorship of internet services in Turkey, there were
reports that the Tor Project’s website was unavailable over connections
supplied by some Turkish ISPs [38]. Feel free to try one of the
mirrors [39]!

  [38]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032487.html
  [39]: https://www.torproject.org/getinvolved/mirrors.html

Karsten Loesing published [40] a draft of a guide [41] to running a blog
over a Tor hidden service using the Jekyll static site generator [42].
“The intended audience are bloggers who can handle a terminal window but
who don’t know the typical pitfalls of securely setting up a web server
over a hidden service”, he wrote. However, the guide is in its first
stages, and “may contain severe problems harming your privacy!” Feedback
on its content, wording, and layout would be greatly appreciated.

  [40]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006602.html
  [41]: http://csxeeumg5ynu2rk7.onion/
  [42]: http://jekyllrb.com/

Yawning Angel called [43] for help with testing obfsclient 0.0.2 [44], a
C++ implementation of the obfs3 and ScrambleSuit pluggable transports:
“This is mostly a bug fix release that addresses issues found in
testing/actual use […] Questions, comments, feedback appreciated as
always.”

  [43]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006592.html
  [44]: https://github.com/Yawning/obfsclient/archive/v0.0.2.tar.gz

Michael Rogers has been “working on a messaging app that uses Tor hidden
services to provide unlinkability (from the point of view of a network
observer) between users and their contacts”. But as “users know who
their contacts are”, the mutual anonymity provided by hidden services is
not a requirement. Michael asked [45] how hidden services performance
could be improved for this use case.

  [45]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006572.html

On the Tor Blog, Sukhbir Singh posted [46] a round-up of the various
methods by which users can download and run the Tor Browser, covering
download mirrors, GetTor, bridge address distribution, and pluggable
transports usage. If you’re having trouble acquiring or using a copy of
the Tor Browser, please look here for links and guidance.

  [46]: https://blog.torproject.org/blog/ways-get-tor-browser-bundle

Mike Perry discovered [47] “that the Linux kernel appears to have a leak
in how it applies transproxy rules to the TCP CLOSE_WAIT shutdown
condition under certain circumstances”. Be sure to look at Mike’s email
if you use Tor’s TransProxy feature. velope later improved [48] the
original mitigating firewall rule.

  [47]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
  [48]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html

As part of the ongoing project to rewrite the Tor Weather service,
Sreenatha Bhatlapenumarthi and Karsten Loesing collaborated [49] to
produce a Python script that enables it to determine whether or not
relay operators have fulfilled the requirements [50] for a free Tor
T-shirt.

  [49]: https://bugs.torproject.org/9889
  [50]: https://www.torproject.org/getinvolved/tshirt

Lukas Erlacher announced the availability of OnionPy [51], “a Python
wrapper for OnionOO with support for transparently caching OnionOO
replies in memcached”. It should be useful to the on-going rewrite of
the Tor Weather service [52].

  [51]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006603.html
  [52]: https://weather.torproject.org/

The deadline for submissions to the Tails logo contest passed on March
31st; you can review all of the proposed designs, from the minimalist to
the psychedelic, on the Tails website [53].

  [53]: https://tails.boum.org/blueprint/logo/

Tor help desk roundup
---------------------

The help desk often gets confusing reports that after being directed to
download the latest Tor Browser version by a flashing TorBrowserButton,
users still sometimes see a message that their Tor Browser is out of
date. This happens when the new Tor Browser version was installed over
the previous one. Fortunately the underlying bug [54] will be fixed in
the next Tor Browser release. We recommend extracting each Tor Browser
update to an empty directory rather than overwriting the old one, to
prevent similar unexpected behaviors. The longer-term solution for
issues like this is an auto-updating Tor Browser [55].

  [54]: https://bugs.torproject.org/11242
  [55]: https://bugs.torproject.org/4234

News from Tor StackExchange
---------------------------

saurav wanted to know the total bandwidth of all guard nodes in the
current network [56]. gacar pointed to the bandwidth.csv file [57] and
explained the format of the file.

  [56]: https://tor.stackexchange.com/q/1824/88
  [57]: https://metrics.torproject.org/stats/bandwidth.csv

Tor’s StackExchange site is doing a self-evaluation [58]. If you have an
account, please log in and evaluate the questions as well as their
answers. It helps to improve the answers and the site in general.

Furthermore, if you happen to visit the site, check the list of
unanswered questions [59]. If you know an answer, please share your
knowledge with the people.

  [58]: https://tor.stackexchange.com/review/site-eval
  [59]: https://tor.stackexchange.com/unanswered

Upcoming events
---------------

April 1-4        | Civil Rights Defenders’ Days
                 | Stockholm, Sweden
                 | http://defendersdays.civilrightsdefenders.org/
                 |
Apr  2 19:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006616.html
                 |
Apr  4 17:00 UTC | Pluggable transports online meeting
                 | #tor-dev, irc.oftc.net
                 |
Apr  4 18:00 UTC | Tor Browser online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-March/000026.html
                 |
Apr  9 20:00 UTC | Tails contributors meeting
                 | #tails-dev, irc.oftc.net
                 | https://mailman.boum.org/pipermail/tails-dev/2014-March/005267.html
                 |
Apr 10 10:00 EDT | Andrew speaking at F.ounders NYC
                 | New York City, New York, USA
                 | http://f.ounders.com/


This issue of Tor Weekly News has been assembled by Lunar, harmony,
David Fifield, Matt Pagan, qbi and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [60], write down your
name and subscribe to the team mailing list [61] if you want to
get involved!

  [60]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [61]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
