[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â June 18th, 2014



========================================================================
Tor Weekly News                                          June 18th, 2014
========================================================================

Welcome to the fiftieth issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the Tor community.

Tails 1.0.1 is out
------------------

The Tails developers announcedÂ[1] the first point release in the Tails
1.0 series, following their decisionÂ[2] to postpone the release of
Tails 1.1 (which will be based on Wheezy, the latest stable version of
Debian).

This release contains no major new features, but does fix numerous
security issuesÂ[3] present in 1.0, so all Tails users should upgrade as
soon as possible.

  [1]:Âhttps://tails.boum.org/news/version_1.0.1/
  [2]:Âhttps://mailman.boum.org/pipermail/tails-dev/2014-May/005917.html
  [3]:Âhttps://tails.boum.org/security/Numerous_security_holes_in_1.0/index

Collecting statistics from Tor exits in a privacy-sensitive manner
------------------------------------------------------------------

Optimizing the Tor network to better support the most common use-cases
could make a real difference to its perceived usability. Unfortunately,
Tor is an anonymity network. Understanding what the most common
use-cases are, in a way that does not endanger its users, is far from
being a trivial problem.

There have been some cases of inconsiderate spying on Tor network users
in the pastÂ[4]. This is one of the motivations for the Tor Project to
provide and research properly anonymized statistics through the
MetricsÂ[5] and CollecTorÂ[6] portals.

Tariq Elahi, George Danezis, and Ian Goldberg are working on new
solutions to tackle the problem of collecting statistics from Tor exits
in a privacy-sensitive manner. Tariq announcedÂ[7] the PrivEx system,
which âpreserves the security and privacy properties of anonymous
communication networks, even in the face of adversaries that can
compromise data collection nodes or coerce operators to reveal
cryptographic secrets and keysâ.

The introduction of the detailed tech report [8] gives a general
description of the solution: âPrivEx collects aggregated statistics to
provide insights about user behaviour trends by recording aggregate
usage of the anonymity network. To further reduce the risk of
inadvertent disclosures, it collects only information about destinations
that appear in a list of known censored websites. The aggregate
statistics are themselves collected and collated in a privacy-friendly
manner using secure multiparty computation primitives, enhanced and
tuned to resist a variety of compulsion attacks and compromises.
Finally, the granularity of the statistics is reducedÂ[â] to foil
correlation attacks.â

PrivExâs threat model is described in section 3, and matches the current
mode of operation of the Tor network, relying on a set of mostly honest
collectors while being able to cope with a limited number of malicious
nodes. Two variants are described: one âis secure in the
honest-but-curious setting but can be disrupted by a misbehaving actorâ
while âthe other is secure in the covert adversary setting in that
misbehaving servers can be identifiedâ, but is more computationally
expensive.

Tariq mentions that implementations of the two variants of PrivEx
described in the tech report have been created and should soon be
released to the community. The researchers expect to âstart by rolling
out our own PrivEx-enabled exits in the Tor network and begin collecting
destination visit statisticsâ around the âJune-August timeframeâ.
Section 6 contains an analysis of the overhead in both CPU and bandwidth
of the two PrivEx variants, and the requirements seem reasonable.

Given how much privacy matters to the Tor community and to all network
users, the researchers wants âa measure of confidence that collecting
data with PrivEx is inherently good and is being done in a responsible
and intelligent mannerâ. They are therefore asking the âcommunity at
largeâ to review the design of the proposal, and its implementation once
released.

If no fundamental flaws are discovered in the process, the Tor community
might finally be able to enjoy better network statistics in the
not-too-distant future.

  [4]:Âhttp://www.ifca.ai/pub/fc11/wecsr11/soghoian.pdf
  [5]:Âhttps://metrics.torproject.org/
  [6]:Âhttps://collector.torproject.org/
  [7]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-June/006999.html
  [8]:Âhttp://cacr.uwaterloo.ca/techreports/2014/cacr2014-08.pdf

Upcoming developments in pluggable transports
---------------------------------------------

In a new blog post [9], George Kadianakis reported on some recent
pluggable transports developments. Some â like the release of Tor
Browser 3.6 [10], the deprecation of obfs2 [11], the new meek
transport [12], or the recently-written âChildâs Garden Of Pluggable
Transportsâ guide [13] should already be known to regular readers of Tor
Weekly News.

It was previously impossible to use pluggable transports at the same
time as an HTTP or SOCKS proxyÂ[14]. The release of Tor Browser
3.6.2 [15] is the first to include work by Yawning Angel which solves
this deficiency.

However, ScrambleSuit, released last winter, has not yet been included
in Tor Browser. The pluggable transport team is considering skipping its
deployment in favor of a new protocol, dubbed âobfs4â [16], which is
âlike ScrambleSuit (with regards to features and threat model), but itâs
faster and autofixes some of the open issuesâ.

George also mentions that enabling pluggable transports to work over
IPv6 is on the teamâs radar. As advanced deep packet inspection (DPI) on
IPv6 is less common, it should buy some more time for users on censored
networks.

  [9]: https://blog.torproject.org/blog/recent-and-upcoming-developments-pluggable-transports
 [10]: https://blog.torproject.org/blog/tor-browser-36-released
 [11]: https://trac.torproject.org/projects/tor/ticket/10314
 [12]:Âhttps://trac.torproject.org/projects/tor/wiki/doc/meek
 [13]: https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
 [14]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/232-pluggable-transports-through-proxy.txt
 [15]: https://blog.torproject.org/blog/tor-browser-362-released
 [16]: https://github.com/Yawning/obfs4

Miscellaneous news
------------------

David Fifield updatedÂ[17] the experimental Tor Browser builds that
include the meek pluggable transportÂ[18]. The new packages are based on
Tor Browser version 3.6.2.

 [17]:Âhttps://lists.torproject.org/pipermail/tor-talk/2014-June/033229.html
 [18]:Âhttps://people.torproject.org/~dcf/pt-bundle/3.6.2-meek-1/

meejah announcedÂ[19] a new release of txtorcon â a Twisted-based
asynchronous Tor control protocol implementation. Version 0.10.0 adds
support for Twistedâs endpoint strings. meejah explains: âthis means
that ANY Twisted program that uses endpoints can accept âonion:â strings
to bring up a hidden services easilyÂ[â]. Typically, no code changes to
the application should be neededÂ[â].â

 [19]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-June/007006.html

The Tails team reportedÂ[20] progress on code, documentation,
infrastructure, discussions, funding, and outreach matters for May. The
report also mentions Tailsâ position regarding the discontinuation of
TrueCrypt.

 [20]:Âhttps://tails.boum.org/news/report_2014_05/

Following up on his earlier promiseÂ[21], Karsten Loesing shut downÂ[22]
the Tor Metrics portalâs relay-search service, and in doing so reduced
the size of the metrics database from 95 gigabytes to a mere 3. âIf the
metrics website shows you funny numbers in the next couple of days,
please let me knowâ, wrote Karsten.

 [21]:Âhttps://lists.torproject.org/pipermail/tor-dev/2013-December/005948.html
 [22]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-June/007007.html

Andrew Lewman reportedÂ[23] on his activities for May. Sebastian G.
subsequently opened two discussions on the tor-talk mailing listÂ[24]:
one regarding the challenges of integrating Tor into millions of
productsÂ[25] and another on how US legislation is preventing the Tor
Project, Inc. from receiving donations from certain countriesÂ[26].

 [23]:Âhttps://lists.torproject.org/pipermail/tor-reports/2014-June/000563.html
 [24]:Âhttps://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
 [25]:Âhttps://lists.torproject.org/pipermail/tor-talk/2014-June/033254.html
 [26]:Âhttps://lists.torproject.org/pipermail/tor-talk/2014-June/033255.html

Several GSoC students reported on the progress of their projects: Kostas
Jakeliunas on the BridgeDB Twitter distributorÂ[27], Juha Nurmi for
ahmia.fiÂ[28], and Zack Mullaly on the HTTPS Everywhere secure ruleset
update mechanismÂ[29].

 [27]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-June/006988.html
 [28]:Âhttps://lists.torproject.org/pipermail/tor-reports/2014-June/000562.html
 [29]:Âhttps://lists.eff.org/pipermail/https-everywhere/2014-June/002128.html

Lukas Erlacher has released OnionPy 0.1.5Â[30]. âIf you are planning to
make something in python that uses the tor network status, accessing
OnionooÂ[31] using OnionPy might be exactly what you needâ, Lukas wrote.

 [30]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-June/007018.html
 [31]:Âhttps://onionoo.torproject.org/

The Tails developers suggestedÂ[32] that Tails translation teams using
git, rather than the online Transifex platform, should begin signing
their email pull requests with OpenPGP keys, to ensure that the process
is not open to exploitation.

 [32]:Âhttps://mailman.boum.org/pipermail/tails-l10n/2014-June/001293.html

Drupal.org, the main website for the development community around the
free and open-source web platform Drupal, subscribes to a blacklist that
includes Tor exit nodes, making it difficult for Tor users to interact
with the site. AohRveTPV explained the problemÂ[33], and asked for
âideas on how to actually achieve better Drupal.org support for Tor
usersâ.

 [33]:Âhttps://lists.torproject.org/pipermail/tor-talk/2014-June/033250.html

Chris Double describedÂ[34] a detailed but experimental method for using
Tor with Firefox OS, the mobile operating system from Mozilla. âThis is
just a proof of concept. Donât depend on thisÂ[â] Ideally Tor would be
integrated with Firefox OS so that you can start and stop it as a
service and maybe whitelist or blacklist sites that should and shouldnât
use Tor. I hope to do some of this over time or hope someone else gets
excited enough to work on it too.â

 [34]:Âhttp://bluishcoder.co.nz/2014/06/12/using-tor-with-firefox-os.html

Tor help desk roundup
---------------------

The help desk has received some complaints regarding the default window
size of the Tor Browser. To prevent window size fingerprinting, the
browser window size has been set to a multiple of 100 pixels according
to the detected screen resolution. Taskbars in the user workspace making
selecting an appropriate window size slightly more complicated though;
more details are available on the bugâs ticketÂ[35].

 [35]:Âhttps://bugs.torproject.org/9268

News from Tor StackExchange
---------------------------

bk201 found some random-looking domain names in the logs of some network
software. These connection attempts disappeared when Tor was
closedÂ[36], so bk201 wants to know what they are. Lunar explained that
they are requests for non-existent domain names. Tor wants to find out
if some DNS servers send fake answers. This feature was added in
2007Â[37].

 [36]:Âhttps://tor.stackexchange.com/q/3324/88
 [37]:Âhttps://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes#l6663

user1747 often visits web sites which provide their services both within
the visible web and as a hidden service (DuckDuckGo might serve as an
example). Does the Tor Browser Bundle (TBB) automatically switch to a
hidden service in this caseÂ[38]? mirimir explained that there is no
connection between DNS and the names of hidden services, so TBB doesnât
know about this hidden service and canât connect automatically. user2949
pointed to a pluginÂ[39], similar to HTTPS Everywhere, that forwards a
request to a hidden service if it is available.

 [38]:Âhttps://tor.stackexchange.com/q/3262/88
 [39]:Âhttps://github.com/chris-barry/darkweb-everywhere

Upcoming events
---------------

June 18 19:00 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
                  |
June 20 15:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
                  |
June 20 16:00 UTC | Pluggable transports online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html
                  |
June 30 â Jul 4   | Torâs Summer Dev Meeting
                  | Paris, France
                  | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting


This issue of Tor Weekly News has been assembled by harmony, Lunar, the
Tails developers, Matt Pagan, Karsten Loesing, and qbi.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project pageÂ[40], write down your
name and subscribe to the team mailing listÂ[41] if you want to
get involved!

 [40]:Âhttps://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [41]:Âhttps://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

Attachment: signature.asc
Description: Digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk