[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â April 8th, 2015

Tor Weekly News                                          April 8th, 2015

Welcome to the fourteenth issue in 2015 of Tor Weekly News, the weekly
newsletter that covers whatâs happening in the Tor community.

Tor and are out

Roger Dingledine announced [1] new releases in both the stable and alpha
series of the core Tor software. Tor and both contain
fixes for two security bugs that could be used either to crash onion
services, or clients trying to visit onion services. The releases also
make it harder for attackers to overwhelm onion services by launching
lots of introductions. For full details, please see the release

The bugs fixed in these releases are not thought to affect the anonymity
of Tor clients or onion services. However, they could be annoying if
exploited, so onion service operators should upgrade as soon as
possible, while Tor Browser users will be updated with the upcoming Tor
Browser stable release.

  [1]: https://blog.torproject.org/blog/tor-02512-and-0267-are-released

Tor Summer of Privacy â apply now!

Some of Torâs most active contributors and projects got their start
thanks to Googleâs Summer of Code [2], in which the Tor Project has
successfully participated for a number of years. This year, Google have
decided to focus on encouraging newer, smaller projects, so rather than
miss out on the benefits of this kind of intense coding program, Tor is
launching its own Summer of Privacy, as Kate Krauss announced on the Tor
blog [3].

The format is the same as before: students have the opportunity to work
on new or existing open-source privacy projects, with financial
assistance from the Tor Project and expert guidance from some of the
worldâs most innovative privacy and security engineers.

If that appeals to you (or someone you know), then see Kateâs
announcement and the official TSoP page [4] for more information on the
program and how to apply. Applications close on the 17th of this month,
so donât leave it too late!

  [2]: https://developers.google.com/open-source/soc/?csw=1
  [3]: https://blog.torproject.org/blog/tor-summer-privacy-apply-now-0
  [4]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP

Should onion services disclose how popular they are?

Even on the non-private web, it is not possible by default to determine
how popular a certain website is. Search engines and third-party
tracking toolbars might be able to estimate the number of visitors a
website gets, but otherwise the information is only available to the
siteâs operators or to groups who are able to measure DNS requests (as
well as anyone in a position to eavesdrop on those two).

On the tor-dev mailing list, George Kadianakis posted a detailed
exploration [5] of this issue considered from the perspective of Tor
onion services. If improvements and additions to the onion service
design would as a side effect give an observer an idea of how popular a
certain service is, should this be considered a security risk?

Some of the arguments put forward for the inclusion of
popularity-leaking features are that they enable the collection of
useful statistics; that they allow further optimization of the onion
service design; and that concealing onion service popularity might not
be necessary or even possible.

On the other hand, disclosing popularity might help an adversary decide
where to aim its attacks; it may not actually offer significant
performance or research benefits; and it may surprise onion service
users and operators who assume that onionspace popularity is no easier
to discover than on the non-private web.

âI still am not 100% decided here, but I lean heavily towards the
âpopularity is private information and we should not reveal it if we can
help itâ camp, or maybe in the âthere needs to be very concrete positive
outcomes before even considering leaking popularityââ, writes George.
âHence, my arguments will be obviously biased towards the negatives of
leaking popularity. I invite someone from the opposite camp to
articulate better arguments for why popularity-hiding is something worth

Please see Georgeâs analysis for in-depth explanations of all these
points and more, and feel free to contribute with your own thoughts.

  [5]: https://lists.torproject.org/pipermail/tor-dev/2015-April/008597.html

More monthly status reports for March 2015

The wave of regular monthly reports from Tor project members for the
month of March continued, with reports from Georg Koppen [6] (for work
on Tor Browser), David Goulet [7] and George Kadianakis [8] (working on
onion services), Griffin Boyce [9] (with news on secure software
distribution, onion service setup, and Tails), Sherief Alaa [10] (with
updates about support and Arabic localization), Leiah Jansen [11]
(working on communication and graphic design), Sebastian Hahn [12]
(improving testability and fixing website issues), and Sukhbir
Singh [13] (for work on TorBirdy and Tor Messenger).

Mike Perry reported on behalf of the Tor Browser team [14], while George
Kadianakis did so for SponsorR work [15], Israel Leiva for the GetTor
project [16], and Colin C. for the Tor help desk [17].

  [6]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000789.html
  [7]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000790.html
  [8]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000794.html
  [9]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000791.html
 [10]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000792.html
 [11]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000795.html
 [12]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000799.html
 [13]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000801.html
 [14]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000793.html
 [15]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000796.html
 [16]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000797.html
 [17]: https://lists.torproject.org/pipermail/tor-reports/2015-April/000798.html

Miscellaneous news

Nathan Freitas announced [18] version 15 beta 1 of Orbot, which is
âfunctionality completeâ. âThe main area for testing is using the Apps
VPN mode while switching networks and/or in bad coverage, as well as
using it in combination with Meek or Obfs4, for example. Also, the
implementation is bit different between Android 4.x and 5.x, so please
report any difference you might see there.â

 [18]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-April/004298.html

Nathan also shared [19] Amogh Pradeepâs analysis of the network calls
made in the latest version of the Firefox for Android source code, âto
get our Orfox effort started againâ.

 [19]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-April/004300.html

This week in Tor history

A year ago this week, Nathan Freitas reported [20] that the number of
Orbot users in Turkey had quadrupled in the previous month, after an
order by the Turkish government to block access to several popular
social media websites led to a surge in Tor connections [21]. This
week, the same thing happened (albeit more briefly) [22], leading to
another increase in Tor use within Turkey [23].

The best time to prepare for these censorship events is before they
happen â and that includes letting people around you know what they
should do to ensure their freedom of expression remains uninterrupted.
Show them the Tor animation [24] and Tor brochures [25], help them
install Tor Browser [26] and Orbot [27], and teach them how to configure
their social media applications to connect over Tor [28]. If you make a
habit of browsing over Tor, you may not even have to take any notice
when things get blocked!

 [20]: https://lists.torproject.org/pipermail/tor-talk/2014-April/032574.html
 [21]: https://metrics.torproject.org/userstats-relay-country.html?graph=userstats-relay-country&start=2014-01-08&end=2014-04-08&country=tr&events=off
 [22]: https://twitter.com/guardianproject/status/585114389826502656
 [23]: https://metrics.torproject.org/userstats-bridge-country.html?graph=userstats-bridge-country&start=2015-03-15&end=2015-04-08&country=tr
 [24]: https://blog.torproject.org/blog/releasing-tor-animation
 [25]: https://blog.torproject.org/blog/spread-word-about-tor
 [26]: https://www.torproject.org/projects/torbrowser.html
 [27]: https://guardianproject.info/apps/orbot/
 [28]: https://guardianproject.info/2012/05/02/orbot-your-twitter/

Upcoming events
  Apr 09 15:00 UTC | SponsorO support and documentation meeting
                   | #tor-project, irc.oftc.net
  Apr 13 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tbb-dev/2015-March/000248.html
  Apr 13 18:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
  Apr 14 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  Apr 16 - 18      | Roger @ 2015 German-American Frontiers of Engineering Symposium
                   | Potsdam, Germany
                   | http://www.naefrontiers.org/Symposia/GAFOE/21649/44840.aspx
  Apr 24           | Roger @ CTIC Privacy Conference
                   | University of Pennsylvania Law School
                   | https://www.law.upenn.edu/newsevents/calendar.php#event_id/48977/view/event

This issue of Tor Weekly News has been assembled by Harmony, nicoo, and
Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [29], write down your
name and subscribe to the team mailing list [30] if you want to
get involved!

 [29]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [30]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to