========================================================================
Tor Weekly News                                      January 29th, 2014
========================================================================

Welcome to the fourth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Browser Bundle 3.5.1 is released
------------------------------------

An update to the Tor Browser Bundle has been released [1] on January
27th. The new release contains Tor 0.2.4.20, which fixes a bug [2] that
created useless extra circuits. It also fixes a denial of service
condition in OpenSSL and removes “addons.mozilla.org” from the NoScript
whitelist. Arabic bundles are back after a short hiatus. Support for
screen readers is also enabled again and has been confirmed working [3].

HTTPS Everywhere has been updated to version 3.4.5. It contains a new
rule to secure connections to Stack Exchange and its Tor corner [4].

Look at the blog post for a more detailed changelog. And now, head over
to the download page [5] and upgrade!

  [1] https://blog.torproject.org/blog/tor-browser-351-released
  [2] https://bugs.torproject.org/10456
  [3] https://lists.torproject.org/pipermail/tor-talk/2014-January/031575.html
  [4] https://tor.stackexchange.com/
  [5] https://www.torproject.org/download/download-easy.html

New Tor denial of service attacks and defenses
----------------------------------------------

Rob Jansen, Florian Tschorsch, Aaron Johnson, and Björn Scheuermann have
been working on a new paper [6] entitled “The Sniper Attack: Anonymously
Deanonymizing and Disabling the Tor Network”. As research papers are
sometimes hard to fully understand, Rob Jansen has published a new blog
post [7] giving an overview of the attacks, the defenses, what has been
modified in Tor so far, and what open questions remain.

“We found a new vulnerability in the design of Tor’s flow control
algorithm that can be exploited to remotely crash Tor relays. The attack
is an extremely low resource attack in which an adversary’s bandwidth
may be traded for a target relay’s memory (RAM) at an amplification rate
of one to two orders of magnitude” explains Rob.

The authors have been working with Tor developers on integrating
defenses before publishing: “Due to our devastating findings, we also
designed three defenses that mitigate our attacks, one of which provably
renders the attack ineffective. Defenses have been implemented and
deployed into the Tor software to ensure that the Tor network is no
longer vulnerable as of Tor version 0.2.4.18-rc and later.”

Be sure to read the blog post and the paper in full if you want to know
more.

  [6] https://www-users.cs.umn.edu/~jansen/publications/sniper-ndss2014.pdf
  [7] https://blog.torproject.org/blog/new-tor-denial-service-attacks-and-defenses

Good times at Real World Crypto 2014
------------------------------------

On the second week of January, a bunch of Tor developers attended the
Real World Crypto (RWC) workshop [8] in New York City. The workshop
featured a nice blend of industry and academic crypto talks and a
fruitful hallway track. Many researchers involved with Tor and privacy
technologies were also present.

As far as talks were concerned, Tom Shrimpton presented the
Format-Transforming Encryption (FTE) traffic obfuscation tool [9], which
is currently being developed to work as a Tor pluggable transport [10].
The Tor developers present also worked with Kevin Dyer, one of the paper
authors and developers of FTE, towards including FTE in the Pluggable
Transport Tor bundles.

On the censorship circumvention front, I2P developers showed interest in
using pluggable transports. Work has been done to identify various
problems with the current PT spec that need to be fixed so that other
projects can use pluggable transports more smoothly [11].

Furthermore, there were talks with the developers of UProxy [12] (a
censorship circumvention tool made by Google), which helped them
understand how pluggable transports work and what they would need to do
if they wanted to use them in UProxy. They seemed interested and
motivated to work on this.

The Tor developers also worked on the “Next Generation Hidden Services”
project [13], and sketched out some ways to move forward even though
there are some open research questions [14] with the current design.

Nick Mathewson commented on IRC: “I think the hallway track to main
conference utility ratio was higher than usual, since the conference
actually sticks practitioners and cryptographers in the same room pretty
reliably.” Let’s hope for next year!

  [8] https://realworldcrypto.wordpress.com/
  [9] https://fteproxy.org/
 [10] https://bugs.torproject.org/10362
 [11] https://bugs.torproject.org/10629
 [12] https://uproxy.org/
 [13] https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt
 [14] https://lists.torproject.org/pipermail/tor-dev/2014-January/006099.html

The media and some terminology
------------------------------

BusinessWeek published “The inside story of Tor, the best Internet
anonymity tool the government ever built” [15]. Better than what one can
usually read about Tor in the press, the piece — courtesy of Dune
Lawrence — still sparked a discussion on the tor-talk mailing list about
terminology [16].

Katya Titov quoted a misleading part of the article: “In addition to
facilitating anonymous communication online, Tor is an access point to
the ‘dark Web’, vast reaches of the Internet that are intentionally kept
hidden and don’t show up in Google or other search engines, […].”

As references to the “dark web”, the “deep web”, or the “dark deep shady
Knockturn Alley of the Internet” have been popping up more and more in
the media over the past months, Katya wanted to come up with proper
definitions of commonly misunderstood terms to reduce misinformation and
FUD [17]. She summarized the result of the discussion in a new
“HowBigIsTheDarkWeb” wiki page [18]. Be sure to point your fellow
journalists to it!

 [15] http://www.businessweek.com/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency
 [16] https://lists.torproject.org/pipermail/tor-talk/2014-January/031863.html
 [17] http://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt
 [18] https://trac.torproject.org/projects/tor/wiki/doc/HowBigIsTheDarkWeb

Miscellaneous news
------------------

To follow up on last week’s Tor Weekly News coverage, Philipp Winter
wrote a blog post to explain “what the ‘Spoiled Onions’ paper means for
Tor users” [19].

 [19] https://blog.torproject.org/blog/what-spoiled-onions-paper-means-tor-users

Thanks to Sukhbir Singh, users with @outlook.com email addresses can now
request bridges and bundles via email [20].

 [20] https://bugs.torproject.org/6591#comment:4

Karsten Loesing dug up some statistics [21] about the Tor Weather
service. There are currently 1846 different email addresses subscribed
for 2349 Tor relays.

 [21] https://bugs.torproject.org/10699#comment:3

Tor developers will be present at the Mozilla booth during FOSDEM’14
[22]. Drop by if you have questions or want to get involved in Tor!

 [22] https://twitter.com/torproject/status/427922491948818432

Tor help desk roundup
---------------------

Users repeatedly contact the Tor help desk about unreachable hidden
services. If that happens, please first make sure the system clock is
accurate and try to visit the hidden service for the Tor Project’s
website [23]. If it works, it means that Tor is working as it should and
there’s nothing more the Tor Project can do. Hidden services are solely
the responsibility of their operators, and they are the only ones who
can do something when a hidden service goes offline.

 [23] http://idnxcnkne4qt76tg.onion/

News from Tor StackExchange
---------------------------

Alex Ryan has been experiencing crashes of his relay running on a
Raspberry Pi [24] due to circuit creation storms. He found out that the
problem disappeared after upgrading to the new 0.2.4 series of Tor.
There are currently no official Raspbian packages, so users will have to
build the package manually from source.

 [24] https://tor.stackexchange.com/q/1302/88

User cypherpunks wanted to know how to report security issues to the Tor
Project [25]. Until a proper process is decided [26], the best way at
the moment is to contact Nick Mathewson, Andrea Shepard, or Roger
Dingledine privately using their GnuPG keys.

 [25] https://tor.stackexchange.com/q/1339/88
 [26] https://bugs.torproject.org/9186

How many hidden services can be served from a single Tor instance? [27]
Syrian Watermelon wants to know if there is a hard limit and how memory
usage scales. The question is still open and has attracted some interest
from other users.

 [27] https://tor.stackexchange.com/q/1337/88

Upcoming events
---------------

Feb 1-2 | Tor @ FOSDEM                        | Brussels, Belgium      | https://fosdem.org/2014/
Feb 8   | Aaron @ New Media Inspiration 2014  | Prague, Czech Republic | http://www.tuesday.cz/akce/new-media-inspiration-2014/
Feb 8   | Colin @ Winnipeg CryptoParty        | Winnipeg, Canada       | http://wiki.skullspace.ca/CryptoParty

This issue of Tor Weekly News has been assembled by Lunar, George
Kadianakis, qbi, Karsten Loesing and dope457.

Want to continue reading TWN? Please help us create this newsletter. We
still need more volunteers to watch the Tor community and report
important news. Please see the project page [28], write down your name
and subscribe to the team mailing list [29] if you want to get involved!

 [28] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [29] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
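The help desk roundup above boils down to two checks before blaming Tor for an unreachable hidden service: is the local clock right, and does a known-good onion site load? The script below is an added example, not part of Tor Weekly News or any Tor Project tool. It assumes a local Tor client listening for SOCKS on 127.0.0.1:9050 (overridable via TOR_SOCKS), curl, and GNU date (for "date -d"); the 300-second skew tolerance is an assumed value, not a Tor constant. The known-good onion address is the Tor Project hidden service from reference [23].

```shell
#!/bin/sh
# Added example (not part of Tor Weekly News): the two first-line checks the
# help desk suggests for "unreachable hidden service" reports, as a script.
# Assumptions: a local Tor SOCKS port on 127.0.0.1:9050, curl available,
# and GNU date (for "date -d"). Run the network checks with: sh tor-hs-check.sh run

TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"
KNOWN_ONION="http://idnxcnkne4qt76tg.onion/"    # Tor Project's hidden service (reference [23])
REFERENCE_SITE="https://www.torproject.org/"    # clearnet site whose Date: header serves as a reference clock
MAX_SKEW_SECS=300                               # tolerance in seconds; assumed value, not a Tor constant

# clock_within_tolerance LOCAL_EPOCH REF_EPOCH TOLERANCE
# Succeeds (exit 0) when |LOCAL - REF| <= TOLERANCE seconds.
clock_within_tolerance() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( -diff ))
    fi
    [ "$diff" -le "$3" ]
}

# reference_epoch: seconds since the epoch taken from the HTTPS Date: header
# of REFERENCE_SITE (good enough to spot a clock that is off by minutes or more).
reference_epoch() {
    hdr=$(curl -sI --max-time 15 "$REFERENCE_SITE" | tr -d '\r' \
          | awk -F': ' 'tolower($1)=="date"{print $2; exit}')
    [ -n "$hdr" ] || return 1
    date -u -d "$hdr" +%s
}

# onion_reachable URL: fetch the page through Tor's SOCKS port, letting Tor
# resolve the .onion name (--socks5-hostname) instead of the local resolver.
onion_reachable() {
    curl -sS --max-time 60 --socks5-hostname "$TOR_SOCKS" -o /dev/null "$1"
}

# check_clock: compare the local clock with the web reference and report.
check_clock() {
    ref=$(reference_epoch) || { echo "clock: could not obtain a reference time"; return 2; }
    now=$(date -u +%s)
    if clock_within_tolerance "$now" "$ref" "$MAX_SKEW_SECS"; then
        echo "clock: OK (skew within ${MAX_SKEW_SECS}s)"
    else
        echo "clock: skew of $(( now - ref ))s; fix the system time before debugging Tor"
        return 1
    fi
}

# check_onion: if the known-good onion loads, the local Tor client works and
# an unreachable third-party service is its operator's problem, not Tor's.
check_onion() {
    if onion_reachable "$KNOWN_ONION"; then
        echo "onion: $KNOWN_ONION reachable; the local Tor client works"
    else
        echo "onion: $KNOWN_ONION unreachable; check the local Tor client (listening on $TOR_SOCKS?)"
        return 1
    fi
}

# Network checks only run when explicitly asked for, so the file can be
# sourced for its functions without touching the network.
case "${1:-}" in
    run) check_clock; check_onion ;;
esac
```

Run it as `sh tor-hs-check.sh run`; a clock complaint means the system time should be corrected first, and a failed onion check points at the local Tor client rather than at the hidden service the user was trying to reach.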
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk