========================================================================
Tor Weekly News                                          June 25th, 2014
========================================================================

Welcome to the twenty-fifth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the community around Tor,
the “fine-meshed net” [1].

   [1]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033358.html

Tor 0.2.5.5-alpha is out
------------------------

Tor 0.2.5.5-alpha was released [2], fixing “a wide variety of remaining
issues in the Tor 0.2.5.x release series, including a couple of DoS
issues, some performance regressions, a large number of bugs affecting
the Linux seccomp2 sandbox code, and various other bugfixes”, in Nick
Mathewson’s words. Among the major security improvements is an
adjustment to the way Tor decides when to close TLS connections, which
“should improve Tor’s resistance against some kinds of traffic analysis,
and lower some overhead from needlessly closed connections”.

You can download the source tarball [3], or install the package by
following the instructions for your system [4]. This release is also
now available in the Debian [5] and Tor Project [6] repositories.

   [2]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033347.html
   [3]: https://www.torproject.org/dist/
   [4]: https://www.torproject.org/docs/installguide
   [5]: http://packages.qa.debian.org/t/tor/news/20140619T120436Z.html
   [6]: https://www.torproject.org/docs/debian.html.en#development

Debian Wheezy’s tor version to be updated
-----------------------------------------

Following a suggestion by Peter Palfrader [7], Debian developers are
preparing to update the version of tor found in the Debian stable
repositories from 0.2.3.25 to 0.2.4.22. Among the chief motives for
doing so is that “about a quarter of the Tor network (just considering
the relays, not any clients), is on 0.2.3.25, presumably because they
run Debian stable. If they all upgraded to the 0.2.4.x tree, the network
as a whole would become a lot more secure as 0.2.4.x allows clients to
use stronger crypto for connections built through these nodes.”

Other benefits, including the various measures taken to defend against
OpenSSL vulnerabilities discovered earlier this year, make this an
attractive proposal. The update [8] will be shipped in the forthcoming
point release (7.6) of Debian Wheezy, on July 12th.

   [7]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751977
   [8]: https://lists.debian.org/debian-changes/2014/06/msg00072.html

Miscellaneous news
------------------

Building on the May release of experimental Tor Browsers hardened with
AddressSanitizer (ASan) [9], Georg Koppen announced [10] a new set of
experimental Linux builds that include both AddressSanitizer and
Undefined Behaviour Sanitizer (UBSan), asking for testing and feedback.
See Georg’s message for download and build instructions, as well as a
couple of known issues.

   [9]: https://lists.torproject.org/pipermail/tor-qa/2014-May/000414.html
  [10]: https://lists.torproject.org/pipermail/tor-qa/2014-June/000428.html

Nick Mathewson reminded [11] Tor users, relay operators, and especially
hidden service administrators that tor’s 0.2.2 series is no longer
supported, and many features will soon stop working entirely; if you are
affected, then please upgrade!

  [11]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033376.html

Several of Tor’s Google Summer of Code students submitted their regular
progress reports: Daniel Martí on the implementation of consensus
diffs [12], Mikhail Belous on the multicore tor daemon [13], Juha Nurmi
on the ahmia.fi project [14], Zack Mullaly on the HTTPS Everywhere
secure ruleset update mechanism [15], Amogh Pradeep on the Orbot+Orfox
project [16], Sreenatha Bhatlapenumarthi on the Tor Weather
rewrite [17], Marc Juarez on the link-padding pluggable transport
development [18], Israel Leiva on the GetTor revamp [19], Quinn Jarrell
on the pluggable transport combiner [20], Kostas Jakeliunas on the
BridgeDB Twitter Distributor [21], and Noah Rahman on Stegotorus
security enhancement [22].

  [12]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007030.html
  [13]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007034.html
  [14]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000564.html
  [15]: https://lists.eff.org/pipermail/https-everywhere/2014-June/002147.html
  [16]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007036.html
  [17]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007037.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000567.html
  [19]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007039.html
  [20]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007040.html
  [21]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007041.html
  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007043.html

Researchers from the Internet Geographies project at the Oxford Internet
Institute produced a cartogram [23] of Tor users by country, using
archived data freely available from the Tor Project’s own Metrics
portal [24], along with an analysis of the resulting image. “As ever
more governments seek to control and censor online activities, users
face a choice to either perform their connected activities in ways that
adhere to official policies, or to use anonymity to bring about a freer
and more open Internet”, they conclude.

  [23]: http://geography.oii.ox.ac.uk/?page=tor
  [24]: https://metrics.torproject.org

Andrew Lewman reported [25] that users with email addresses at Yahoo and
AOL have been removed from the tor-relays mailing list [26], as these
addresses have been bouncing list emails.

  [25]: https://lists.torproject.org/pipermail/tor-relays/2014-June/004752.html
  [26]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Thanks to the FoDT.it webteam [27] and Maxanoo [28] for running mirrors
of the Tor Project’s website!

  [27]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000617.html
  [28]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000619.html

fr33tux shared [29] the slides [30] for a French-language presentation
on Tor, delivered at Université de technologie Belfort-Montbéliard. The
source code (in the LaTeX markup language) is also available [31]: “feel
free to borrow whatever you want from it!”

  [29]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033337.html
  [30]: http://fr33tux.org/data/prez.pdf
  [31]: http://git.fr33tux.org/conference_tor_utbm.git

Thanks to Ximin Luo, the server component of Flashproxy [32] is now
available in Debian [33] in the “pt-websocket” package.

  [32]: https://crypto.stanford.edu/flashproxy/
  [33]: https://packages.debian.org/sid/pt-websocket

A couple of weeks ago, Roger Dingledine wondered “how many relays are
firewalling certain outbound ports (and thus messing with connectivity
inside the Tor network)”. ra has just published the results [34] of a
three-week-long test of the interconnectivity between 6730 relays.
Contacting the operators of problematic relays is probably the next step
for those who wish to keep the network at its best.

  [34]: https://bugs.torproject.org/12131#comment:11

George Kadianakis slipped on his storyteller costume to guide us [35]
through layers of the Tor core, motivated by the quest for knowledge.
That accursed riddle, “Why does Roger have so many guards?”, now has an
answer. Be prepared for a “beautiful stalagmite” and the “truly amazing”
nature of Tor!

  [35]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007042.html

Tor help desk roundup
---------------------

If the Tor Browser stalls while “loading the network status”, please
double-check that the system clock is accurate; the same goes for the
timezone and daylight saving time settings. Tor needs an accurate clock
in order to prevent several classes of attacks on its protocol. It won’t
work properly when the local time does not match the one used by other
network participants.

Easy development tasks to get involved with
-------------------------------------------

When the tor daemon is configured to open a SOCKS port on a public
address, it warns about this possible configuration problem twice: once
when it reads the configuration file, and a second time when it opens
the listener. One warning should be enough. We had a friendly volunteer
two years ago who sketched out possible fixes and even wrote a patch,
but then concluded that his patch had a problem and went away. If you’re
up to some digging into tor’s configuration file handling, and want to
clean up a two-year-old patch potentially to be included in tor 0.2.6,
please find the details in the ticket [36]. It’s tagged as easy, so how
hard can it be?

  [36]: https://bugs.torproject.org/4019

Upcoming events
---------------

June 25 19:00 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
                  |
June 27 15:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
                  |
June 30 – July 4  | Tor’s Summer Dev Meeting
                  | Paris, France
                  | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting
                  |
July 5-11         | Lunar @ Libre Software Meeting 2014
                  | Montpellier, France
                  | https://2014.rmll.info/?lang=en

This issue of Tor Weekly News has been assembled by harmony, Lunar,
Matt Pagan, Karsten Loesing, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [37], write down your
name and subscribe to the team mailing list [38] if you want to
get involved!

  [37]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [38]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team