
[tor-talk] Tor Weekly News – January 14th, 2015

Tor Weekly News                                       January 14th, 2015

Welcome to the second issue in 2015 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the Tor community.

What to do if meek gets blocked

Regular readers of Tor Weekly News will be familiar with meek [1], the
pluggable transport developed by David Fifield. Where most existing
transports work by connecting clients to “bridge” relays that are
difficult for the adversary to discover (or identify as relays), meek
makes all of a client’s Tor traffic appear as though it is destined for
a domain that is “too big to block” – in other words, web platforms so
popular that a censor cannot prevent access to them without disrupting
lots of unrelated Internet activity in its sphere of control – when in
fact the traffic is sent to meek servers running on those platforms,
which in turn relay it into the regular Tor network. Google, Amazon, and
Microsoft are some of the services whose domain names currently work as
disguises for meek.

Unfortunately, that doesn’t mean meek is unblockable. As David wrote [2]
to the tor-talk mailing list, “that’s the wrong way to think about the
problem”. “It is designed to be difficult and expensive to block […] but
suppose a censor makes that call, and blocks Google/Amazon/whatever.
What then?”

Two easy solutions are selecting a different backend (meek-amazon
instead of meek-google, for example) or using a different DNS server:
“The most common way to block a domain name is by DNS poisoning; i.e.,
the IP address behind the name is accessible, but the local DNS server
gives you a false address. Try a public DNS server such as But
if that works, be aware that it’s probably only a temporary fix, as
censors have historically figured out the alternate-DNS trick pretty

“What you really want to do”, David suggested, “if the easy things don’t
work, is choose a different front domain.” Please see David’s message
for a fuller explanation of the difference between the backend and the
“front domain”, and a guide to configuring new domains – as well as one
to setting up your own meek web app, if all else fails.

  [1]: https://trac.torproject.org/projects/tor/wiki/doc/meek
  [2]: https://lists.torproject.org/pipermail/tor-talk/2015-January/036410.html

Miscellaneous news

sycamoreone announced [3] orc, a Go library that implements parts of
Tor’s control protocol. “I do have some ideas for a higher-level
interface, but no fixed plan yet. The next step will probably be to add
net/http-like handlerFuncs to handle (asynchronous) replies from the
onion router.”

  [3]: https://lists.torproject.org/pipermail/tor-talk/2015-January/036425.html

taxakis linked [4] to “Post-Quantum Secure Onion Routing” [5] by
Satrajit Ghosh and Aniket Kate, a new paper proposing a successor to the
currently-used ntor handshake protocol that would be “resilient against
quantum attacks, but also at the same time allow OR nodes to use the
current DH public keys, and consequently require no modification to the
current Tor public key infrastructure.” Nick Mathewson wondered [6]
whether “anybody around here has the cryptographic background to comment
on the PQ part of their scheme?”, and compared it to Yawning Angel’s
experimental “basket” protocol [7].

  [4]: https://lists.torproject.org/pipermail/tor-talk/2015-January/036420.html
  [5]: http://eprint.iacr.org/2015/008
  [6]: https://lists.torproject.org/pipermail/tor-talk/2015-January/036429.html
  [7]: https://lists.torproject.org/pipermail/tor-dev/2014-December/007977.html

Nick also sent out a draft of proposal 240 [8], describing “a simple way
for directory authorities to perform signing key revocation”.

  [8]: https://lists.torproject.org/pipermail/tor-dev/2015-January/008115.html

Daniel Forster asked [9] for advice on proposed research into splitting
traffic over multiple entry guards in combination with traffic padding:
“Is the approach heading in a not so great direction w.r.t. the Tor
Project’s ‘only one entry node’ decision?”

  [9]: https://lists.torproject.org/pipermail/tor-dev/2015-January/008099.html

Karsten Loesing submitted his status report for December [10], and
George Kadianakis sent out the report for SponsorR [11].

 [10]: https://lists.torproject.org/pipermail/tor-reports/2015-January/000744.html
 [11]: https://lists.torproject.org/pipermail/tor-reports/2015-January/000745.html

“After CCC I have a list of people that I have given raspberry pi’s with
ooniprobe, and I would like to start coordinating with them via a
mailing list”, wrote Arturo Filastò [12], and the result is the
ooni-operators mailing list [13]. If you regularly run ooniprobe, or
want to start, be sure to sign up!

 [12]: https://bugs.torproject.org/14140
 [13]: https://lists.torproject.org/cgi-bin/mailman/listinfo/ooni-operators

Aleksejs Popovs shared with the ooni-dev mailing list [14] the results
of an OONI investigation into Latvian internet censorship, conducted
using ooniprobe.

 [14]: https://lists.torproject.org/pipermail/ooni-dev/2015-January/000220.html

Dan O’Huiginn started a conversation [15] about how to ensure users are
informed of the possible consequences of running OONI tests.

 [15]: https://lists.torproject.org/pipermail/ooni-dev/2015-January/000208.html

Thanks to John Knoll [16] and Monsieur Tino [17] for running mirrors of
the Tor Project’s website and software archive!

 [16]: https://lists.torproject.org/pipermail/tor-mirrors/2015-January/000828.html
 [17]: https://lists.torproject.org/pipermail/tor-mirrors/2015-January/000835.html

“How do we prevent a website mirror admin from tampering with the served
files?”, wondered Frédéric Cornu [18]. Christian Krbusek clarified [19]
that “in fact, you can’t prevent that, but you are also mirroring the
signature files. So anybody downloading from any mirror – even the
original host – should verify the downloads”. Andrew Lewman added [20]
that “the binaries are signed by well-known keys of tor packagers and
developers. The mirror update script randomly selects a binary and
verifies it each time it runs. If the binaries don’t match, the mirror
is removed from the public list.”

 [18]: https://lists.torproject.org/pipermail/tor-mirrors/2015-January/000844.html
 [19]: https://lists.torproject.org/pipermail/tor-mirrors/2015-January/000845.html
 [20]: https://lists.torproject.org/pipermail/tor-mirrors/2015-January/000848.html

Upcoming events

  Jan 14 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Jan 14 16:00 UTC | Pluggable transports meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tor-dev/2015-January/008143.html
  Jan 16 19:30 UTC | Tails/Jessie progress meeting
                   | #tails-dev, irc.oftc.net
                   | https://mailman.boum.org/pipermail/tails-dev/2014-December/007696.html
  Jan 19 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
  Jan 19 18:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
  Jan 20 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  Jan 22 17:30 JST | Jacob @ Free Software Initiative of Japan
                   | Tokyo, Japan
                   | http://www.fsij.org/monthly-meetings/2015/Jan.html

This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [21], write down your
name and subscribe to the team mailing list [22] if you want to
get involved!

 [21]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [22]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team