
[tor-talk] Tor Weekly News - June 17th, 2015

Tor Weekly News                                          June 17th, 2015

Welcome to the twenty-fourth issue in 2015 of Tor Weekly News, the
weekly newsletter that covers what's happening in the Tor community.


 1. Tor is out
 2. Tor Browser 4.5.2 and 5.0a2 are out
 3. The future of GetTor and uncensorable software distribution
 4. Great progress on Orfox browser
 5. A persistent Tor state for Tails?
 6. Miscellaneous news
 7. Upcoming events

Tor is out

Nick Mathewson announced [1] a new release in Tor's current stable
series. Version stops relays without the Stable flag from
serving as onion service directories, and raises the uptime requirement
for the Stable flag itself, which means that any Sybil attacks launched
against the network will not become effective for at least a week. This
change only affects the Tor network's nine directory authorities, most
of whom have already upgraded.

The other significant fix in this release concerns port-based isolation
of client requests, which now functions properly; if you make use of
this feature in your standalone Tor client, then please upgrade as soon
as possible. For other users, writes Nick, this "is not a high-urgency

  [1]: https://blog.torproject.org/blog/tor-0269-released

Tor Browser 4.5.2 and 5.0a2 are out

The Tor Browser team put out new stable and alpha releases of the
privacy-preserving browser. As well as updates to key software
components, versions 4.5.2 [2] and 5.0a2 [3] both contain fixes for the
"Logjam" attack on TLS security [4] - as Nick Mathewson wrote [5] at the
time of this vulnerability's disclosure, the connections between Tor
clients and relays were unlikely to have been affected by this attack,
but the bug is now fixed in the browser component of Tor Browser as

These new releases also fix a possible crash in Linux, and stop the
Add-ons page from breaking if Torbutton is disabled. The new alpha
further improves meekâs compatibility with the automatic update process
on Windows machines.

All users should upgrade their Tor Browser as soon as possible. Your
browser might already have prompted you to do this - if not, you can
always upgrade by downloading a fresh copy from the Tor website [6].

  [2]: https://blog.torproject.org/blog/tor-browser-452-released
  [3]: https://blog.torproject.org/blog/tor-browser-50a2-released
  [4]: https://weakdh.org/
  [5]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008868.html
  [6]: https://www.torproject.org/projects/torbrowser.html

The future of GetTor and uncensorable software distribution

The GetTor service [7] offers users who are unable to reach the Tor
website an alternative method of downloading Tor Browser: any email sent
to gettor@xxxxxxxxxxxxxx will receive an automated reply containing
links to file-hosting services (such as Dropbox) for the latest Tor
Browser package and its signature.

Israel Leiva, lead developer on the revamped GetTor project since last
year's Google Summer of Code, is back for the first-ever Tor Summer of
Privacy [8] to continue expanding the feature set of this tool. As
Israel wrote to the tor-dev mailing list [9], current plans for the
summer include the addition of other file-hosting services, Tor Browser
localizations, and other distribution methods (including instant
messaging and Twitter).

However, it might also be time for a more radical change in the way
GetTor works. An official distributor application or browser add-on,
available through channels like the OS X or Google Chrome app stores,
could automate Tor Browser downloads, as well as the vital but
unintuitive process of verifying the signature to ensure the software
has not been tampered with. Israel offered two suggestions for the inner
workings of such a distributor: one involving a fixed (but potentially
blockable) backend API with which the distributor communicates, and one
in which a more complex distributor is capable of helping the user
download the required software from several different sources.

Some related projects are already underway: the Tails team is discussing
the possibility of its own browser add-on for ISO download and
verification [10], while Griffin Boyce pointed [11] to his own Satori
project, a distributor application that offers torrent files and
content-delivery network (CDN) links. The discussion over the possible
GetTor distributor's relationship with these projects is still to be

"I would really love to hear your comments about this idea, my work at
Summer of Privacy might change depending on this discussion", writes
Israel. It's clear that forcing users to depend on "single points of
failure" for their software is bad news all round, so if you have
worthwhile ideas to add to this discussion, feel free to take them to
the tor-dev mailing list thread.

  [7]: https://www.torproject.org/projects/gettor
  [8]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
  [9]: https://lists.torproject.org/pipermail/tor-dev/2015-June/008949.html
 [10]: https://tails.boum.org/blueprint/bootstrapping/extension/
 [11]: https://github.com/glamrock/satori

Great progress on Orfox browser

Nathan Freitas, of mobile device security specialists the Guardian
Project, reported [12] on the status of Orfox, the Android-compatible
Tor Browser build. "The goal is to get as close to the 'real Tor
Browser' while taking into account the new, unique issues we face on
Android", he wrote. Amogh Pradeep, former Google Summer of Code student
and now intern at the Guardian Project, has made significant progress
getting the software to build, and you can follow his regular updates on
the Orfox development blog [13]. "We expect to have an alpha out this
week", wrote Nathan, "but feel free to jump in on testing of the posted
builds, and file bugs or feature requests as you find them".

 [12]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-June/004446.html
 [13]: https://dev.guardianproject.info/projects/orfox-private-browser/news

A persistent Tor state for Tails?

The Tails team is discussing the possibility of making Tor's state
persist across sessions in the anonymous live operating system. As the
team writes on the relevant blueprint page [14], such a change would
have several benefits: not only would Tor's bootstrap process be faster
and more efficient, but it would enable Tails to take advantage of the
"entry guards" concept [15], without which Tails users are more likely
to select a malicious entry node at some point over the course of their
activity. Moreover, the fact that Tails selects a new entry node on
every boot, while Tor Browser does not, allows an adversary to determine
whether a user who remains on one network (their home or place of work,
for example) is using Tails or not. This would also be solved by a
persistent Tor state.

However, this change does of course have some drawbacks. For one thing,
although entry guards in Tails would help defend against end-to-end
correlation attacks, they enable a certain kind of fingerprinting: if a
user makes a connection to an entry guard from their home, and an
adversary later observes a connection to the same guard from an event or
meeting-place that the user is suspected of attending, the adversary can
draw a conclusion about the user's geographical movement. This violates
one of Tails' threat model principles, which the team calls
"AdvGoalTracking". There are ways that Tails could request location
information from the user in order to maintain different entry guards
for different locations, but too many requests for information might
bamboozle Tails users into accidentally worsening their own security,
especially if they do not understand the threat model behind the
requests, or it does not apply to them.

What is needed, then, is a balance between "defaults that suit the vast
majority of use-cases [...] for Tails' target audience" and helping "users
with different needs to avoid becoming less safe 'thanks' to this new
feature". The discussion continues on the tails-dev mailing list [16].
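
The trade-off described above can be put into numbers with a toy model
(an added example, not code from Tails or Tor). It compares a fresh
guard on every boot, one persistent guard, and one guard per location.
Assumptions: uniform guard selection, a single guard with no rotation,
5% adversary-run guards; every name and parameter here is hypothetical.

```python
import random

POLICIES = ("fresh", "persistent", "per_location")

def simulate(policy, boots=50, locations=3, guards=1000, bad_fraction=0.05,
             users=3000, seed=2015):
    """Toy model. Returns (exposed, linkable):
    exposed  = share of users who ever used an adversary-run guard
    linkable = share of away-from-home sessions that reuse the guard
               most recently used from home (location 0)."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    rng = random.Random(seed)
    bad = int(guards * bad_fraction)      # guards 0..bad-1 are adversary-run
    exposed = away = reused = 0
    for _ in range(users):
        kept = {}                         # guard state persisted across boots
        home_guard = None
        hit = False
        for _ in range(boots):
            loc = rng.randrange(locations)
            if policy == "fresh":         # no persistence: new guard each boot
                guard = rng.randrange(guards)
            else:
                # one state for everywhere, or one state per location
                key = loc if policy == "per_location" else "all"
                if key not in kept:
                    kept[key] = rng.randrange(guards)
                guard = kept[key]
            hit = hit or guard < bad
            if loc == 0:
                home_guard = guard
            elif home_guard is not None:
                away += 1
                reused += guard == home_guard   # observer can link to home
        exposed += hit
    return exposed / users, reused / away

if __name__ == "__main__":
    for policy in POLICIES:
        exposed, linkable = simulate(policy)
        print(f"{policy:13s} exposed={exposed:.3f} linkable={linkable:.3f}")
```

In this model a fresh guard per boot almost always reaches an
adversary-run guard eventually, a single persistent guard makes every
away session linkable to home, and per-location guards sit in between.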

 [14]: https://tails.boum.org/blueprint/persistent_Tor_state/
 [15]: https://www.torproject.org/docs/faq#EntryGuards
 [16]: https://mailman.boum.org/pipermail/tails-dev/2015-June/009095.html

Miscellaneous news

Nick Mathewson recommended [17] that all relay operators upgrade their
copies of OpenSSL to fix several issues that could enable remote
denial-of-service attacks. As Nick makes clear, this is an "upgrade when
you can"-level announcement, rather than a "run in circles freaking
out". Nick also requests that people still using OpenSSL's 0.9.8 series
upgrade to one of the more recent versions, as 0.9.8 contains several
security flaws and will not be supported by Tor or later.

 [17]: https://lists.torproject.org/pipermail/tor-relays/2015-June/007179.html

Sherief Alaa reported on his activities in May [18].

 [18]: https://lists.torproject.org/pipermail/tor-reports/2015-June/000854.html

Upcoming events

  Jun 22 18:00 UTC | Tor Browser meeting
                   | #tor-dev, irc.oftc.net
  Jun 22 18:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
  Jun 23 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  Jun 24 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Jun 24 02:00 UTC | Pluggable transports/bridges meeting
                   | #tor-dev, irc.oftc.net
  Jun 30 - Jul 02  | Many Tor people @ 15th Privacy Enhancing Technologies Symposium
                   | Philadelphia, USA
                   | https://petsymposium.org/2015/
  Jul 03 19:00 UTC | Tails contributors meeting
                   | #tails-dev, irc.oftc.net
                   | https://mailman.boum.org/pipermail/tails-project/2015-June/000242.html

This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [19], write down your
name and subscribe to the team mailing list [20] if you want to
get involved!

 [19]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [20]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team