========================================================================
Tor Weekly News                                      February 12th, 2014
========================================================================

Welcome to the sixth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tails 0.22.1 is out
-------------------

The Tails team cut its 36th release on February 4th. Their Debian-based
live operating system continues to provide anonymity by ensuring that
all outgoing connections are routed through Tor, and privacy by ensuring
that no traces are left without the user’s knowledge.

Tails 0.22.1 [1] contains security fixes [2] to Firefox, NSS, and
Pidgin. It also brings an updated Linux kernel and several fixes for
regressions and small issues.

While advertised as a minor version, the new incremental upgrades are a
major usability improvement. Previously, upgrading Tails basically meant
installing Tails again by downloading the image and putting it on a DVD
or a USB stick. Users who store persistent data in their Tails instance
then had to use this new medium to upgrade the stick with their data. A
tedious process, to say the least. Now, with incremental upgrades, Tails
users with USB sticks will be prompted to perform a few clicks, wait,
and reboot to get their system up-to-date.

One usability change might surprise long time Tails users: the browser
now has to be manually opened when Tor has successfully reached the
network.

As always, be sure to upgrade [3]! Users of Tails 0.22 on USB sticks can
do so easily by running the “Tails Upgrader” application in the “Tails”
menu.

   [1]: https://tails.boum.org/news/version_0.22.1/
   [2]: https://tails.boum.org/security/Numerous_security_holes_in_0.22/
   [3]: https://tails.boum.org/doc/first_steps/upgrade/

Tor Browser Bundle 3.5.2 is released
------------------------------------

The Tor Browser team delivers a new Tor Browser Bundle [4].
Version 3.5.2 brings Tor users important security fixes from Firefox [5]
and contains fixes to the “new identity” feature, window size rounding,
and the welcome screen with right-to-left language, among others.

The curious can take a peek at the changelog [6] for more details. Every
Tor user is encouraged to upgrade as soon as possible. Jump to the
download page [7]!

   [4]: https://blog.torproject.org/blog/tor-browser-352-released
   [5]: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.3
   [6]: https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/a1bab4013e:/Bundle-Data/Docs/ChangeLog.txt
   [7]: https://www.torproject.org/download/download-easy.html

Call to bridge operators to deploy ScrambleSuit
-----------------------------------------------

In the beginning there was Tor. When censors started filtering every
known relay address, bridges [8] were invented as a way to access the
Tor network through unlisted relays. Deep packet inspection systems then
started to filter Tor based on its traffic signature, so pluggable
transports [9] and obfuscation protocols were designed in order to
prevent bridge detection.

Currently, obfuscation is achieved through “obfs2” and “obfs3”. obfs2 is
flawed; it’s detectable by deep packet inspection and is being phased
out. obfs3 is unfortunately still vulnerable to active probing attacks.
As obfs3 bridges are open to anyone, an attacker who uses a traffic
classifier and finds an unclassified connection can figure out if it’s
Tor simply by trying to connect through the same destination.

ScrambleSuit [10] comes to the rescue. On top of making the traffic
harder to recognize by timing or volume characteristics, ScrambleSuit
requires a shared secret between the bridge and the client. A censor
looking at the connection won’t have this secret, and will therefore be
unable to connect to the bridge and confirm that it’s Tor.

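
The difference between an open bridge and one that requires a shared
secret, as an added illustration (not obfsproxy or ScrambleSuit code, and
not the real ScrambleSuit handshake): the bridge answers only a first
flight carrying a MAC keyed with the secret, and stays silent otherwise.
The names Bridge, client_hello and EPOCH_SECONDS, the message layout and
the replay check are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

EPOCH_SECONDS = 3600  # assumed width of the time window bound into the MAC


def _tag(secret, nonce, epoch):
    return hmac.new(secret, nonce + str(epoch).encode(), hashlib.sha256).digest()


def client_hello(secret, now):
    """First flight from a client that holds the secret: nonce || MAC."""
    nonce = os.urandom(16)
    return nonce + _tag(secret, nonce, int(now // EPOCH_SECONDS))


class Bridge:
    """secret=None models an open bridge that answers anyone who connects."""

    def __init__(self, secret=None):
        self.secret = secret
        self.seen_nonces = set()

    def respond(self, first_flight, now):
        """Return reply bytes, or None when the bridge stays silent."""
        if self.secret is None:
            return b"handshake-reply"
        if len(first_flight) != 48:
            return None
        nonce, tag = first_flight[:16], first_flight[16:]
        current = int(now // EPOCH_SECONDS)
        for epoch in (current - 1, current, current + 1):  # tolerate clock skew
            if hmac.compare_digest(tag, _tag(self.secret, nonce, epoch)):
                if nonce in self.seen_nonces:
                    return None  # a recorded first flight replayed by a prober
                self.seen_nonces.add(nonce)
                return b"handshake-reply"
        return None  # no proof of the secret: nothing to confirm the protocol


def demo(now=1392163200.0):  # constructed timestamp
    secret = os.urandom(20)  # constructed secret, shared out of band
    protected, probe = Bridge(secret), os.urandom(48)
    hello = client_hello(secret, now)
    return {
        "open bridge answers probe": Bridge().respond(probe, now) is not None,
        "protected answers probe": protected.respond(probe, now) is not None,
        "protected answers client": protected.respond(hello, now) is not None,
        "protected answers replay": protected.respond(hello, now) is not None,
    }
```
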
obfsproxy 0.2.6 was released last week [11] and adds ScrambleSuit to the
set of available pluggable transports. Bridge operators are now
called [12] to update their software and configuration. At least Tor
0.2.5.1-alpha is required. The latest version of obfsproxy can be
installed from source [13], pip [14] and Debian unstable [15].

There must be a critical mass of bridges before ScrambleSuit is made
available to the Tor users who need it, so please help!

   [8]: https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/125-bridges.txt
   [9]: https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/pt-spec.txt
  [10]: http://www.cs.kau.se/philwint/scramblesuit/
  [11]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/commit/a3b43d475c4172
  [12]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html
  [13]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git
  [14]: https://pypi.python.org/pypi/obfsproxy
  [15]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003894.html

More status reports for January 2014
------------------------------------

The wave of regular monthly reports from Tor project members for the
month of January continued. Kevin P Dyer [16], Nick Mathewson [17],
Georg Koppen [18], Karsten Loesing [19], Jacob Appelbaum [20], Arturo
Filastò [21], Isis Lovecruft [22] and Nicolas Vigier [23] all released
their reports this week.

Roger Dingledine has also sent the report [24] to SponsorF.

  [16]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000446.html
  [17]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000447.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000448.html
  [19]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000449.html
  [20]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000450.html
  [21]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000451.html
  [22]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000452.html
  [23]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000453.html
  [24]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000454.html

Miscellaneous news
------------------

Most Tor developers will gather next week in Reykjavík, Iceland for the
2014 winter meeting [25]. Expect a drop in activity on the usual
communication channels while everyone is busy with face-to-face
conversations. See upcoming events below for activities open to the
larger Tor community.

  [25]: https://trac.torproject.org/projects/tor/wiki/org/meetings/2014WinterDevMeeting

David Fifield is looking for testers [26] for experimental 3.5.2 browser
bundles with tor-fw-helper. “tor-fw-helper is a tool that uses UPnP or
NAT-PMP to forward a port automatically”, something that
flashproxy [27] requires. David is “interested in finding out how likely
it is to work”.

  [26]: https://lists.torproject.org/pipermail/tor-qa/2014-February/000324.html
  [27]: https://crypto.stanford.edu/flashproxy/

David Goulet gave us an update on the development of Torsocks 2.x [28].
He hopes to perform a “full on release” after the Tor developers
meeting.

  [28]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006172.html

“The Trying Trusted Tor Traceroutes project is coming closer to the next
data review (03/2014)” wrote [29] Sebastian Urbach.
If you are a relay operator, please help find out how Tor performs
against network-level attackers. The team now has a scoreboard [30] with
feedback for the participants.

  [29]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003865.html
  [30]: http://datarepo.cs.illinois.edu/relay_scoreboard.html

One relay started to act funny regarding its advertised bandwidth. Roger
Dingledine quickly reported his worries [31] to the tor-talk mailing
list. A couple of hours later Hyoung-Kee Choi explained [32] that one of
the students from his research group had made a mistake while
experimenting on the Tor bandwidth scanner. Directory authorities are
now restricting its usage in the consensus.

  [31]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032094.html
  [32]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032096.html

On February 11th, the Tor Project participated in “The Day We Fight
Back” [33], a global day of mobilization against NSA mass surveillance.

  [33]: https://thedaywefightback.org/

Tor help desk roundup
---------------------

Tor supporters are often curious about the legal risks involved in
running a Tor relay. The Tor Project is not aware of any country where
running Tor is a punishable offense. Running a bridge relay or a
non-exit relay is the best way to grow the Tor network without being
exposed to additional legal scrutiny. The decision to run an exit relay
should be made only after carefully reviewing the best practices [34].
Unlike non-exit and bridge operators, exit relay operators need to be
prepared to respond to abuse complaints.

Users continue to express interest in a 64-bit Tor Browser Bundle for
Windows. Work to provide this new variant is ongoing [35].

  [34]: https://blog.torproject.org/running-exit-node
  [35]: https://bugs.torproject.org/10026

News from Tor StackExchange
---------------------------

strugee is running a Fast, Running and Valid relay and wonders when the
relay will get the V2Dir flag [36].
weasel answered that relays should “get the V2Dir flag simply by
publishing a DirPort”, but that Tor will not always publish a DirPort:
the full list can be found in the source code [37].

  [36]: https://tor.stackexchange.com/q/1485/88
  [37]: https://gitweb.torproject.org/tor.git/blob/tor-0.2.4.20:/src/or/router.c#l1018

Ivar noted that the site How’s my SSL [38] thinks that the SSL
configuration of the Tor Browser is bad and wondered how the situation
could be improved [39]. Jens Kubieziel explained some settings for
about:config and pointed to a more detailed blog post [40]. Sam Whited
also pointed out some settings for Firefox and noted that Firefox 27
improved the rating to “probably good” [41] which will help the Tor
Browser in the future.

  [38]: https://www.howsmyssl.com/
  [39]: https://tor.stackexchange.com/q/1455/88
  [40]: http://kubieziel.de/blog/archives/1564-Using-SSL-securely-in-your-browser.html
  [41]: https://blog.samwhited.com/2014/01/fixing-tls-in-firefox/

fred set up a relay on a Windows machine where µTorrent is used
alongside Tor. When Tor is enabled many trackers become unreachable, but
come back as soon as the relay is disabled. An explanation for this
behaviour [42] has yet to be found; don’t hesitate to chime in.

  [42]: https://tor.stackexchange.com/q/1243/88

Upcoming events
---------------

Feb 18 20:00 | Crypto Party at Múltikúlti
             | Reykjavík, Iceland
             | http://www.multi-kulti.org/
             |
Feb 19 18:30 | Talk: “Tor: Lessons Learned over the past 12 months”
             | Reykjavík University M101, Iceland
             | http://en.ru.is
             |
Feb 20 9:00  | Digital Safety for Journalists, […] day hands-on workshop
             | Grand Hotel, Reykjavík, Iceland
             |
Feb 21 9:30  | Tor public hack day
             | Grand Hotel, Reykjavík, Iceland


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
Paul Feitzinger, qbi, Roger Dingledine and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [43], write down your name
and subscribe to the team mailing list [44] if you want to get involved!

  [43]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [44]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team