[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â April 9th, 2014

Tor Weekly News                                          April 9th, 2014

Welcome to the fourteenth issue of Tor Weekly News in 2014, the weekly
newsletter that covers whatâs happening in the Tor community.

The Heartbleed Bug and Tor

OpenSSL bug CVE-2014-0160 [1], also known as the Heartbleed bug [2],
âallows anyone on the Internet to read the memory of systems protected
by the vulnerable versions of the OpenSSL softwareâ, potentially
enabling the compromise of information including âuser names and
passwords, instant messages, emails, and business critical documents and
communicationâ. Tor is one of the very many networking programs that use
OpenSSL to communicate over the Internet, so within a few hours of the
bugâs disclosure Roger Dingledine posted [3] a security advisory
describing how it affects different areas of the Tor ecosystem.

âThe short version is: upgrade your opensslâ [4]. Tor Browser users
should upgrade as soon as possible to the new 3.5.4 release [5], which
includes OpenSSL 1.0.1g, fixing the vulnerability. âThe browser itself
does not use OpenSSLâhowever, this release is still considered an
important security update, because it is theoretically possible to
extract sensitive information from the Tor client sub-processâ, wrote
Mike Perry.

Those using a system Tor should upgrade their OpenSSL version and
manually restart their Tor process. For relay operators, âbest practice
would be to update your OpenSSL package, discard all the files in keys/
in your DataDirectory, and restart your Tor to generate new keysâ, and
for hidden service administrators, âto move to a new hidden-service
address at your convenienceâ. Clients, relays, and services using an
older version of OpenSSL, including Tails, are not affected by this bug.

For mobile devices, Nathan Freitas called [6] for immediate testing of
Orbot 13.0.6-beta-3, which not only upgrades OpenSSL but also contains a
fix for the transproxy leak described by Mike Perry two weeks ago [7],
in addition to smaller fixes and improvements from 13.0.6-beta-1 [8] and
subsequently. You can obtain a copy of the .apk file directly from the
Guardian Projectâs distribution page [9].

Ultimately, âif you need strong anonymity or privacy on the Internet,
you might want to stay away from the Internet entirely for the next few
days while things settle.â Be sure to read Rogerâs post in full for a
more detailed explanation if you are unsure what this bug might mean for

  [1]: https://www.openssl.org/news/vulnerabilities.html#2014-0160
  [2]: http://heartbleed.com/
  [3]: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
  [4]: https://lists.torproject.org/pipermail/tor-talk/2014-April/032602.html
  [5]: https://blog.torproject.org/blog/tor-browser-354-released
  [6]: https://lists.mayfirst.org/pipermail/guardian-dev/2014-April/003383.html
  [7]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
  [8]: https://lists.mayfirst.org/pipermail/guardian-dev/2014-April/003375.html
  [9]: https://guardianproject.info/releases/

A hall of Tor mirrors

Users the world over are increasingly aware of Torâs leading reputation
as a well-researched and -developed censorship circumvention tool â and,
regrettably, so are censorship authorities. Events such as last monthâs
(short-lived) disruption of access to the main Tor Project website from
some Turkish internet connections [10] have reaffirmed the need for
multiple distribution channels that users can turn to during a
censorship event in order to acquire a copy of the Tor Browser, secure
their browsing, and beat the censors. One of the simplest ways of
ensuring this is to make a copy of the entire website and put it
somewhere else.

Recent days have seen the establishment of a large number of new Tor
website mirrors, for which thanks must go to Max Jakob Maass [11], Ahmad
Zoughbi [12], Darren Meyer [13], Piratenpartei Bayern [14], Bernd
Fix [15], Florian Walther [16], the Electronic Frontier Foundation (on a
subdomain formerly housing the Tor Projectâs official site) [17], the
Freedom of the Press Foundation [18], Caleb Xu [19], George
Kargiotakis [20], and Tobias Markus [21], as well as to all the mirror
operators of longer standing [22].

If youâd like to participate in the effort to render blocking of the Tor
website even more futile, please see the instructions for running a
mirror [23], and then come to the tor-mirrors mailing list [24] to
notify the community!

 [10]: https://www.eff.org/deeplinks/2014/03/when-tor-block-not-tor-block
 [11]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000497.html
 [12]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000499.html
 [13]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000500.html
 [14]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000501.html
 [15]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000505.html
 [16]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000506.html
 [17]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000507.html
 [18]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000508.html
 [19]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000509.html
 [20]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000510.html
 [21]: https://lists.torproject.org/pipermail/tor-mirrors/2014-April/000512.html
 [22]: https://www.torproject.org/getinvolved/mirrors
 [23]: https://www.torproject.org/docs/running-a-mirror
 [24]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-mirrors

Mission Impossible: Hardening Android for Security and Privacy

On the Tor Blog, Mike Perry posted [25] another large and comprehensive
hacking guide, this time describing âthe installation and configuration
of a prototype of a secure, full-featured, Android telecommunications
device with full Tor support, individual application firewalling, true
cell network baseband isolation, and optional ZRTP encrypted voice and
video support.â The walkthrough covers hardware selection and setup,
recommended software, Google-free backups, and disabling the built-in
microphone of a Nexus 7 tablet (with a screwdriver).

As it stands, following this guide may require a certain level of
patience, but as Mike wrote, âit is our hope that this work can be
replicated and eventually fully automated, given a good UI, and rolled
into a single ROM or ROM addon package for ease of use. Ultimately,
there is no reason why this system could not become a full fledged off
the shelf product, given proper hardware support and good UI for the
more technical bits.â

Mike has already added to and improved parts of the guide following
contributions from users in the comments beneath the post. If you would
like to work (or already are working) at the cutting-edge of research
into mobile device security and usability, take a look at Mikeâs
suggestions for future work at the bottom of the guide, and please
share your ideas with the community.

 [25]: https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

More monthly status reports for March 2014

The wave of regular monthly reports from Tor project members for the
month of March continued, with submissions from Arlo Breault [26], Colin
Childs [27], George Kadianakis [28], Michael Schloh von Bennewitz [29],
Philipp Winter [30], and Kevin Dyer [31].

Arturo Filastà reported on behalf of the OONI team [32], while Mike
Perry did likewise for the Tor Browser team [33].

 [26]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000497.html
 [27]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000499.html
 [28]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000500.html
 [29]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000501.html
 [30]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000502.html
 [31]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000503.html
 [32]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000496.html
 [33]: https://lists.torproject.org/pipermail/tor-reports/2014-April/000498.html

Miscellaneous news

David Goulet announced [34] the seventh release candidate for Torsocks
2.0.0 [35], the updated version of the wrapper for safely using network
applications with Tor. âNothing major, fixes and some code refactoring
went inâ, said David. Please review, test, and report any issues you

 [34]: https://lists.torproject.org/pipermail/tor-dev/2014-April/006649.html
 [35]: https://gitweb.torproject.org/torsocks.git

Nathan Freitas posted [36] a brief analysis of the role played by Orbot
in the recent Turkish internet service disruption: âit might be good to
think about Turkeyâs Twitter block as a âcensorship-liteâ event, not
unlike the UK or Indonesia, and then figure out how we can encourage
more adoption.â

 [36]: https://lists.torproject.org/pipermail/tor-talk/2014-April/032574.html

Jann Horn drew attention [37] to a potential issue caused by some Tor
relays sending out globally-sequential IP IDs. Roger Dingledine
linked [38] to an academic paper connected with the same question, while
Daniel Bilik suggested [39] one method of preventing this from happening
on FreeBSD. Exactly how significant this issue is (or is not) for the
Tor network is very much an open question; further research into which
operating systems it affects, and how it might be related to known
attacks against anonymity, would be very welcome.

 [37]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004199.html
 [38]: https://lists.torproject.org/pipermail/tor-relays/2014-April/004206.html
 [39]: https://lists.torproject.org/pipermail/tor-relays/2014-April/004207.html

As part of their current campaign [40] to fund usable encryption tools
(including Tor) for journalists, the Freedom of the Press Foundation
published [41] a blog post on the âlittle-knownâ Tails operating system,
featuring quotes from three of the journalists most prominently
associated with the recent Snowden disclosures (Laura Poitras, Glenn
Greenwald, and Barton Gellman) attesting to the important role Tails has
played in their ability to carry out their work. If youâre impressed by
what you read, please donate to the campaign â or become a Tails
contributor [42]!

 [40]: https://pressfreedomfoundation.org/bundle/encryption-tools-journalists#donate
 [41]: https://pressfreedomfoundation.org/blog/2014/04/help-support-little-known-privacy-tool-has-been-critical-journalists-reporting-nsa
 [42]: https://tails.boum.org/contribute/index

Two Tor-affiliated projects â the Open Observatory of Network
Interference and Tails â have each submitted a proposal to this yearâs
Knight News Challenge [43]. The OONI proposal [44] involves further
developing the ooni-probe software suite and deploying it in countries
around the world, as well as working on analysis and visualization of
the data gathered, in collaboration with the Chokepoint Project [45];
while Tailsâ submission [46] proposes to âimprove Tails to limit the
impact of security flaws, isolate critical applications, and provide
same-day security updatesâ. Voting is limited to the Knight Foundationâs
trustees, but feel free to read each submission and leave your comments
for the developers.

 [43]: https://www.newschallenge.org
 [44]: https://www.newschallenge.org/challenge/2014/submissions/global-internet-monitoring-project
 [45]: https://chokepointproject.net/
 [46]: https://www.newschallenge.org/challenge/2014/submissions/improve-tails-to-limit-the-impact-of-security-flaws-isolate-critical-applications-and-provide-same-day-security-updates

Robert posted [47] a short proposal for âa prototype of a
next-generation Tor control interface, aiming to combine the strengths
of both the present control protocol and the state-of-the-art
librariesâ. The idea was originally destined for this yearâs GSoC
season, but in the end Robert opted instead to âget some feedback and
let the idea evolve.â

 [47]: https://lists.torproject.org/pipermail/tor-dev/2014-April/006627.html

After the end of the Tails logo contest [48] last week, sajolida
announced [49] that the winner will be declared by April 9th, after a
week of voting by the most active Tails contributors.

 [48]: https://tails.boum.org/blueprint/logo/
 [49]: https://mailman.boum.org/pipermail/tails-dev/2014-April/005390.html

Following last weekâs progress on the Tor website redesign campaign,
William Papper presented [50] a functioning beta version [51] of the new
download page that he and a team of contributors have been building.
Have a look, and let the www-team list [52] know what works and what

 [50]: https://lists.torproject.org/pipermail/www-team/2014-April/000301.html
 [51]: http://wpapper.github.io/tor-download-web/
 [52]: https://lists.torproject.org/cgi-bin/mailman/listinfo/www-team

Michael Schloh von Bennewitz began work on a guide [53] to configuring a
virtual machine for building the Tor Browser Bundle, and another [54] to
building with Gitian.

 [53]: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/VMSetup
 [54]: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/BuildingWithGitian

Tor help desk roundup

Tor Browser users often try to set a proxy when they donât need to.
Many users think they can circumvent website bans or get additional
security by doing this. Discussion on clarifying the tor-launcher
interface is taking place on the bug tracker [55].

 [55]: https://bugs.torproject.org/11405

News from Tor StackExchange

Torâs StackExchange did its second site self-evaluation [56]. Users were
asked to review ten questions and their respective answers. This should
help to improve the site's overall quality.

The question âWhy does GnuPG show the signature of Erinn Clark as not
trusted?â [57] got the best rating. When a user verified the downloaded
copy of Tor Browser Bundle, GnuPG showed Erinnâs signature as
not-trusted. Jens Kubieziel explained the trust model of GnuPG in his
answer, and gapz referred to the handbook [58].

The following questions need better answers: âHow to validate
certificates?â [59]; âWhy does Atlas sometimes show a different IP
address from https://check.torproject.org?â; [60]; âSite login does not
persistâ [61]; and âMy Atlas page is blankâ [62].

If you know good answers to these questions, please help the users of
Tor StackExchange.

 [56]: https://meta.tor.stackexchange.com/q/196/88
 [57]: https://tor.stackexchange.com/q/1573/88
 [58]: http://gnupg.org/gph/en/manual/x334.html
 [59]: https://tor.stackexchange.com/q/1584/88
 [60]: https://tor.stackexchange.com/q/1439/88
 [61]: https://tor.stackexchange.com/q/1536/88
 [62]: https://tor.stackexchange.com/q/1587/88

Upcoming events

Apr  9 19:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006616.html
Apr  9 20:00 UTC | Tails contributors meeting
                 | #tails-dev, irc.oftc.net
                 | https://mailman.boum.org/pipermail/tails-dev/2014-March/005267.html
Apr 10 10:00 EDT | Andrew speaking at F.ounders NYC
                 | New York City, New York, USA
                 | http://f.ounders.com/
Apr 11 11:00 EDT | Roger speaking at George Mason University
                 | Washington, DC, USA
                 | http://today.gmu.edu/64330/
Apr 11 17:00 UTC | Pluggable transports online meeting
                 | #tor-dev, irc.oftc.net
Apr 11 18:00 UTC | Tor Browser online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-March/000026.html
Apr 11 20:30 CDT | Kelley at Women in Cyber Security Conference
                 | Nashville, Tennessee, USA
                 | http://www.csc.tntech.edu/wicys/

This issue of Tor Weekly News has been assembled by harmony, Matt Pagan,
qbi, Lunar, Roger Dingledine, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [63], write down your
name and subscribe to the team mailing list [64] if you want to
get involved!

 [63]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [64]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to