[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â July 3rd, 2013

Tor Weekly News                                           July 3rd, 2013

Welcome to the very first issue of Tor Weekly News, the weekly
newsletter meant to cover what is happening in the vibrant Tor

Deterministic, independently reproduced builds of Tor Browser Bundle

Mike Perry, Linus Nordberg and Georg Koppen each independently built
identical binaries of the Tor Browser Bundle 3.0 alpha 2 releaseÂ[1],
now available for download at the Tor Package ArchiveÂ[2].

The build systemÂ[3], first adopted for the release of 3.0 alpha 1, uses
GitianÂ[4] to enable anyone to produce byte-identical Tor Browser Bundle
binary packages from source. This represents a major improvement in the
security of the Tor software build and distribution processes against
targeted attacks.  The motivations and technical details of this work
will appear in future Tor Project blog posts.


Minor progress on datagram-based transport

As Steven Murdoch explained in 2011, in the current implementation of
Tor, âwhen a packet gets dropped or corrupted on a link between two Tor
nodes, [â], all circuits passing through this pair of nodes will be
stalled, not only the circuit corresponding to the packet which was
dropped.âÂ[5] This is because traffic from multiple circuits heading
into an OR node are multiplexed by default into a single TCP connection.
However, when the reliability and congestion control requirements of TCP
streams are enforced (by the operating system) on this multiplexed
connection, a situation is created in which one poor quality circuit can
disproportionately slow down the others.

This shortcoming could be worked around by migrating Tor from TCP to a
datagram-based transport protocol. Nick Mathewson opened #9165Â[6] to
track progress on the matter.

Late last year, Steven Murdoch began an experimental Tor branch using
uTPÂ[7], a protocol âwhich provides reliable, ordered delivery while
maintaining minimum extra delayâ, and is already used by uTorrent for
peer-to-peer connectionsÂ[8]. Nick Mathewson finally got to review his
work and wrote several comments on #9166Â[9]. The code isnât close to
production-quality right now; it is just good enough for performance



Yawning Angel sent out a request for commentsÂ[10] on the very first
release of âobfsproxysshâÂ[11], a pluggable transport that uses the ssh
wire protocol to hide Tor traffic. Its behavior would appear to
potential eavesdroppers to be âidentical to a user sshing to a host,
authenticating with a RSA public/private key pair and opening a
direct-tcp channel to the ORPort of the bridge.â

The announcement contains several open issues and questions. Feel free
to have a look and voice your comments!


Crowdfunding for Tor exit relays and bridges

Moritz Bartl announcedÂ[12] that he has started a crowdfunding campaign
for Tor exit relays and bridges.

The donations will be distributed equally among all Torservers.net
partner organizations (Zwiebelfreunde e.V., DFRI, Nos Oignons, Swiss
Privacy Foundation, FrÃnn vun der Ãnn and NoiseTor).

For a faster and better network, chip in and spread the word!


Tails 0.19 is out, new stable Tor Browser Bundles

On Wednesday, June 26, two of the most popular Tor projects both made
new releases: the Tor Browser Bundle, and Tails, The Amnesiac Incognito
Live System. Users are encouraged to upgrade as soon as possible.

The stable Tor Browser Bundle was updated to version 2.3.25-10Â[13], and
includes fixes from upstream Firefox 17.0.7esr. Tails 0.19Â[14] includes
the new stable Tor Browser, along with an updated 3.9.5 kernel and minor
security improvements to wireless, GNOME and GnuPG defaults.


Jenkins + Stem catching their first regression

Quoting Damian Johnsonâs June status reportÂ[20]: âOur automated
Jenkins test runs caught their first instance of tor regression. This
concerned LOADCONFâs behavior after merging a branch for ticket #6752â.
A new ticketÂ[15] was opened after Damian properly identified the issue.


First round of reports from GSoC projects

Johannes FÃrmann reportedÂ[16] on his project, a virtual network
environment intended to simulate censorship for OONI (dubbed âEvil
Geniusâ, after Descartes). Hareesan reportedÂ[17] on the steganography
browser addon. Cristian-Matei Toader is workingÂ[18] on adding
capabilities-based sandboxing to Tor on Linux, using the kernelâs
seccomp syscall filtering mechanism. Chang Lan implementedÂ[19] a HTTP
proxy-based transport using CONNECT as the first step in his efforts to
implement a general Tor-over-HTTP pluggable transport.


Monthly status reports for June 2013

The wave of regular monthly reports from Tor project members for the
month of June has begun. Damian Johnsonâs was the firstÂ[20], followed
soon after by reports from Philipp WinterÂ[21], Colin C.Â[22], Nick
MathewsonÂ[23], LunarÂ[24], Moritz BartlÂ[25], Jason TsaiÂ[26], Andrew
LewmanÂ[27], Sherief AlaaÂ[28], Kelley MisataÂ[29], Matt PaganÂ[30], and
Andrea ShepardÂ[31].


Tor on StackExchange

The proposed StackExchange Q&A page for TorÂ[32] has left the âinitial
definitionâ stage and has entered the âcommitmentâ stage on Area 51.
During this stageÂ[33], interested users are asked to digitally âsignâ
the proposal with their name to help ensure the site will have an active
community during its critical early days.


Forensic analysis of the Tor Browser Bundle

On Friday, June 28, Runa Sandvik published Tor Tech Report 2013-06-001,
titled âForensic Analysis of the Tor Browser Bundle on OS X, Linux, and
WindowsâÂ[34], as part of a deliverable project for two Tor sponsors.
The report is a detailed write-up of the forensic experiments Sandvik
has been documenting on her blogÂ[35], the goal of which was âto
identify traces left behind by the Tor Browser Bundle after extracting,
using, and deleting the bundleâ.

In short, each platform indeed retains forensic traces of the existence
of the Tor Browser Bundle. Many âare related to default operating system
settings, some of which the bundle might not be able to remove. We
therefore propose the creation of a documentÂ[36] which lists steps our
users can take to mitigate these traces on the different operating

Of course, Tor Browser Bundle users wishing to take immediate action to
prevent the creation of forensic traces are not out of luck: âthe
easiest way to avoid leaving traces on a computer system is to use The
Amnesiac Incognito Live System (Tails)Â[37].â


Miscellaneous development news

David Goulet is making good progressÂ[38] on his rewrite of torsocks
[39] and should have a beta ready in a couple of weeks. He awaits your
code reviews, comments and contributions.

Leo Unglaub ran into some trouble with a dependency just as he was about
to publish the work-in-progress code for his Vidalia replacementÂ[40].

Nick Mathewson did some analysis on possible methods for reducing the
volume of fetched directory informationÂ[41], by running some scripts
over the last month of consensus directories.


A vulnerability affecting microdescriptors in Tor?

On Friday, June 28 an anonymous individual contacted Tor developers over
TwitterÂ[41] claiming to have found a vulnerability in the way
microdescriptors are validated by Tor clients which would allow
âdetermination of the source and end-point of a given [victimâs] tor
connection with little more than a couple relays and some rogue
directory authorities [both controlled by the adversary].âÂ[42]

Detailed testing by Nick MathewsonÂ[42,43] could not reproduce the
behavior in the Tor client that was claimed to enable such an attack.
After a lengthy Twitter debate with Mathewson, the reporter disappeared,
no bugs have been filed, and it appears the vulnerability was nothing of
the sort.  Without being able to verify the existence of the claimed vulnerability, Mathewson
concluded that the reporterâs described attack was equivalent âat worstâ
to the ârequest filteringâ attackâ which has defensesâÂ[45].

The issue was also mentioned (and likewise dismissed) on the security
mailing list, Full DisclosureÂ[46].

For anyone interested in reporting vulnerabilities in Tor software,
please avoid following that example. Until a process gets
documentedÂ[47], the best way to report the discovery of a vulnerability
is to get in touch with one of the Tor core developers using encrypted


Upcoming events

Jul  6-11 | Lunar @ LSM 2013
          | Brussels, Belgium
          | https://2013.rmll.info/
Jul 10-12 | Tor at Privacy Enhancing Technology Symposium
          | Bloomington, Indiana, USA
          | http://petsymposium.org/2013/
Jul 22-26 | Tor annual dev. meeting
          | MÃnchen, Germany
          | https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting
Jul 31-05 | Tor at OHM
          | Geestmerambacht, Netherlands
          | https://ohm2013.org/

This issue of Tor Weekly News has been assembled by Lunar, dope457,
moskvax, Mike Perry, Nick Mathewson, mttp, and luttigdev.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteer writers who watch the Tor community
and report about what is going on. Please see the project pageÂ[48]
and write down your name if you want to get involved!


Attachment: signature.asc
Description: Digital signature

tor-talk mailing list