[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â April 16th, 2014

Tor Weekly News                                         April 16th, 2014

Welcome to the fifteenth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

New beta version of Tor Browser 3.6

The second beta version of the next major Tor Browser releaseÂ[1] is
out. Version 3.6 main highlight is the seamless integration of pluggable
transportsÂ[2] in the browser.

The update is important to users already using version 3.6-beta1 as it
contains an updated OpenSSL to address potential client-side vectors for
CVE-2014-0160Â[3] (also known as âHeartbleedâ).

The new beta also features âa Turkish language bundle, experimental
Javascript hardening options, fixes for pluggable transport issues, and
a fix for improper update notification while extracting the bundle over
an already existing copy.â

Jump to the release announcement to know more. Enjoy the updateÂ[4] and
report any bug you may find.


Key rotation at every level

The âHeartbleedâ issue forces system administrators to consider private
keys of network-facing applications affected by the bug as compromised.
As Tor has no shortage of private keys in its designÂ[5], a serious
number of new keys has to be generated.

Roger Dingledine promptedÂ[6] relay operators to get new identity keys,
âespecially from the big relays, and weâll be happier tolerating a
couple of bumpy days while the network recoversâ. Switching to a new
relay identity key means that the relay is seen as newÂ[7] to the
authorities again: they will lose their Guard status and bandwidth
measurement. It seems that a number of operators followed the advice, as
the network lost around 1 Gbit/s of advertised capacity between April
7th and April 10thÂ[8].

For a brighter future if such massive RSA1024 relay key migration is
ever again in order, Nick Mathewson wrote proposal 230Â[9]. The proposal
describes a mechanism for relays to advertise their old identity to
directory authorities and clients.

Directory authorities can currently tie a relayâs nickname to its
identity key with the Named flag. That feature proved to be less helpful
than it seemed, and can subject its users to impersonation attacks. As
relays switch to new identity keys, those who keep the same name will
lose their Named flag for the next six months. So now seemsÂ[10] a good
time to âthrow out the Named and Unnamed flags entirelyâ. Sebastian Hahn
acted on the idea and started a draft proposalÂ[11].

How should potentially compromised relays which have not switched to a
new key be handled? On April 8th, grarpamp observedÂ[12] that more than
3000 relays had been restarted â hopefully to use the fixed version of
OpenSSL. It is unknown how many of those relays have switched to a new
key since. Andrea Shepard has been working on a surveyÂ[13] to identify
them. What is known though are relays that are unfortunately still
vulnerable. Sina Rabbani has set up a visible list for guards and
exitsÂ[14]. To protect Tor users, directory authority operators have
started to reject descriptors for vulnerable relaysÂ[15].

The identity keys for directory authorities are kept offline. But they
are used to certify medium-term signing keys. Roger Dingledineâs
analysisÂ[16] reports âtwo (moria1 and urras) of the directory
authorities were unaffected by the openssl bug, and seven were

At the time of writing, five of the seven affected authorities had new
signing keys. In the meantime, Nick and Andrea have been busy writing
code to prevent the old keys from being accepted by Tor clientsÂ[17].

Changing the relay identity keys of the directory authorities has not
been done so far âbecause current clients expect them to be at their
current IP:port:fingerprint and would scream in their logs and refuse to
connect if the relay identity key changesâ. The specification of the
missing piece of code to allow a smoother transition has been written by
Nick Mathewson in proposalÂ231Â[18].

Finally, hidden service operators are also generating new keysÂ[19].
Unfortunately, this forces every user of the service to update the
address in their bookmarks or configuration.

As Roger summarized it: âfun timesâ.


More monthly status reports for March 2014

The wave of regular monthly reports from Tor project members for the
month of March continued, with submissions from Andrew LewmanÂ[20],
Roger DingledineÂ[21], and Kelley MisataÂ[22].

Roger also sent out the report for SponsorFÂ[23], and the Tails team
reported on its progressÂ[24].


Miscellaneous news

CVE-2014-0160 prompted Anthony Basile to release version 20140409Â[25]
of Tor-ramdisk. OpenSSL has been updated and so has the kernel.
Upgrading is strongly recommended.


David Fifield released new browser bundles configured to use the
meekÂ[26] transport automatically. These bundles âuse a web browser
extension to make the HTTPS requests, so that the TLS layer looks like
FirefoxâÂâ because it is FirefoxÂ[27]. Meek is a promising censorship
circumvention solution, so please try them!


The Tails developers announcedÂ[28] that Tchouâs proposal is the winner
of the recent Tails logo contest: âin the coming days we will keep on
fine-tuning it and integrating it in time for Tails 1.0. So donât
hesitate to comment on it.â


Andrew Lewman reported on his week in StockholmÂ[29] for the Civil
Rights DefenderâsÂ[30] Defenderâs Days where he trained activists and
âlearned more about the situation in Moldova, Transnistria, Burma,
Vietnam, and Bahrainâ.


Andrew also updated the instructions for mirror operatorsÂ[31] wishing
to have their sites listed on the Tor Project website. Thanks to Andreas
ReichÂ[32], Sebastian M. BobreckiÂ[33], and Jeremy L. GaddisÂ[34] for
running new mirrors!


Arlo Breault announcedÂ[35] the release of BulbÂ[36], a Tor relay web
status dashboard. âThereâs not much to it yet, but I thought Iâd
shareÂ[â] Contributions welcome!â


Alan Shreve requestedÂ[37] feedback on âShroudâ, a proposal for âa new
system to provide public hidden servicesÂ[â] whose network location
cannot be determined (like Tor hidden services) but are accessible by
any client on the internetâ.


Tor help desk roundup

Users often ask for steps they can take to maximize their anonymity
while using Tor. Tips for staying anonymous when using Tor are visible
on the download pageÂ[38].


News from Tor StackExchange

Jack Gundo uses Windows 7 with the built-in firewall and wants to block
all traffic except Tor trafficÂ[39]. Guest suggested that on a
closed-source system one can never be sure that all traffic really is
blocked, so the original poster might be better off using a router which
does the job. Another possible solution is PeerBlock, which also allows
you to block all traffic from a machine.


Broot uses obfs3 to route OpenVPN traffic and canât get obfsproxy
runningÂ[40] because the latest version only implements SOCKS4. Yawning
Angel answered that version 0.2.7 of obfsproxy uses SOCKS5 and works
with OpenVPN. However there is a bug that needs to be worked


Upcoming events

Apr 16 19:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006616.html
Apr 18 18:00 UTC | Tor Browser online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-March/000026.html

This issue of Tor Weekly News has been assembled by Lunar, harmony,
Matt Pagan, qbi, Roger Dingledine, Karsten Loesing and the Tails team.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project pageÂ[42], write down your
name and subscribe to the team mailing listÂ[43] if you want to
get involved!


Attachment: signature.asc
Description: Digital signature

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to