[tor-talk] Tor Weekly News – March 5th, 2014



========================================================================
Tor Weekly News                                          March 5th, 2014
========================================================================

Welcome to the ninth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor 0.2.4.21 is out
-------------------

Roger Dingledine announced the release of Tor 0.2.4.21 [1], whose major
new feature is the forced inclusion of at least one NTor-capable relay
in any given three-hop circuit as a defence against adversaries who
might be able to break 1024-bit encryption; this feature was first seen
in the latest alpha release (0.2.5.2-alpha) three weeks ago [2], but is
here incorporated into the current stable series.

You can find full details of this release’s other features and bugfixes
in Roger’s announcement.

   [1]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032242.html
   [2]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032150.html

Tor in Google Summer of Code 2014
---------------------------------

As has been the case over the past several years, Tor will once again be
participating [3] in Google’s annual Summer of Code program – aspiring
software developers have the chance to work on a Tor-related project
with financial assistance from Google and expert guidance from a core
Tor Project member. Several prospective students have already contacted
the community with questions about the program, and Damian Johnson took
to the Tor Blog to give a brief summary of what students can expect from
the Summer of Code [4], and what the Tor Project expects from its
students.

In particular, Damian encouraged potential applicants to discuss their
ideas with the community on the tor-dev mailing list or IRC channel
before submitting an application: “Communication is essential to success
in the summer of code, and we’re unlikely to accept students we haven’t
heard from before reading their application.”

If you are hoping to contribute to Tor as part of the Summer of Code
program, please have a look through Damian’s advice and then, as he
says, “come to the list or IRC channel and talk to us!”

   [3]: https://www.google-melange.com/gsoc/org2/google/gsoc2014/tor
   [4]: https://blog.torproject.org/blog/tor-google-summer-code-2014

Two ways to help with Tails development
---------------------------------------

One of the most interesting upcoming additions to the Tails operating
system is the ability to thwart attempts at tracking the movements of
network-enabled devices by spoofing the MAC address on each boot. As
part of the testing process for this new feature, the Tails developers
have released [5] an experimental disk image which turns it on by
default, alongside a step-by-step guide to trying it out and reporting
any issues encountered. However, as the developers state, “this is a
test image. Do not use it for anything other than testing this feature.”
If you are willing to take note of this caveat, please feel free to
download the test image and let the community know what you find.

Turning to the longer-term development of the project, the team also
published a detailed set of guidelines for anyone who wants to help
improve Tails itself by contributing to the development of Debian [6],
the operating system on which Tails is based. They include advice on the
relationship between the two distributions, tasks in need of attention,
and channels for discussing issues with the Tails community; if you are
keen on the idea of helping two free-software projects at one stroke,
please have a look!

   [5]: https://tails.boum.org/news/spoof-mac/
   [6]: https://tails.boum.org/contribute/how/debian/

Monthly status reports for February 2014
----------------------------------------

The wave of regular monthly reports from Tor project members for the
month of February has begun. Georg Koppen released his report first [7],
followed by reports from Sherief Alaa [8], Pearl Crescent [9], Nick
Mathewson [10], Colin C. [11], Lunar [12], Kelley Misata [13], Damian
Johnson [14], George Kadianakis [15], Philipp Winter [16], and Karsten
Loesing [17].

Lunar also reported on behalf of the help desk [18], while Mike Perry
did the same on behalf of the Tor Browser team [19], and Arturo Filastò
for the OONI team [20].

   [7]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000464.html
   [8]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000465.html
   [9]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000466.html
  [10]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000467.html
  [11]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000468.html
  [12]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000471.html
  [13]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000472.html
  [14]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000474.html
  [15]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000475.html
  [16]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000476.html
  [17]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000478.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000469.html
  [19]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000473.html
  [20]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000477.html

Miscellaneous news
------------------

Members of the Prosecco research team released a new attack on the TLS
protocol [21] – dubbed “Triple Handshake” – allowing impersonation of a
given client when client authentication is in use together with session
resumption and renegotiation. Nick Mathewson published a detailed
analysis of why Tor is not affected [22], and also outlined future
changes to make Tor resistant to even more potential TLS issues.

  [21]: https://secure-resumption.com/
  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006372.html

Mike Perry announced [23] the start of a weekly Tor Browser developer’s
meeting, to be held on #tor-dev on irc.oftc.net. These meetings are
tentatively scheduled for 19:00 UTC on Wednesdays. Details on the format
and flow of the meetings can be found on the tor-dev and tbb-dev [24]
mailing lists.

  [23]: https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.html
  [24]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev

Roger Dingledine and Nick Mathewson were among the signatories of an
open letter [25] published by the EFF which offers ten principles for
technology companies to follow in protecting users from illegal
surveillance.

  [25]: https://www.eff.org/deeplinks/2014/02/open-letter-to-tech-companies

Nick Mathewson also detailed [26] a change in the way that the core Tor
development team will use the bugtracker’s “milestone” feature to
separate tickets marked for resolution in a given Tor version from those
that can be deferred to a later release.

  [26]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006341.html

Nick then sent out the latest in his irregular series of Tor proposal
status updates [27], containing summaries of each open proposal,
guidance for reviewers, and notes for further work. If you'd like to
help Tor’s development by working on one of these proposals, start here!

  [27]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006342.html

On the subject of proposals, two new ones were sent to the tor-dev list
for review: proposal 228 [28], which offers a way for relays to prove
ownership of their onion keys as well as their identity key, and
proposal 229 [29] based on Yawning Angel’s unnumbered submission from
last week, which concerns improvements to the SOCKS5 protocol for
communication between clients, Tor, and pluggable transports.

  [28]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006304.html
  [29]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006340.html

Nicholas Merrill wrote [30] to the Liberationtech list to announce that
xmpp.net now lists XMPP servers that are reachable over hidden
services [31], and that xmpp.net’s server scanner works with these as
well.

  [30]: https://mailman.stanford.edu/pipermail/liberationtech/2014-February/013041.html
  [31]: https://xmpp.net/reports.php#onions

Patrick Schleizer announced [32] the release of version 8 of
Whonix [33] – an operating system focused on anonymity, privacy and
security based on the Tor anonymity network, Debian and security by
isolation. The curious should take a look at the long changelog.

  [32]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032227.html
  [33]: https://www.whonix.org/

Kelley Misata wrote up an account [34] of her talk “Journalists –
Staying Safe in a Digital World”, which she delivered at the
Computer-Assisted Reporting Conference in Baltimore.

  [34]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000470.html

Having co-authored a paper in 2012 on usability issues connected with
the Tor Browser Bundle [35], Greg Norcie drew attention [36] to a
follow-up study named “Why Johnny Can’t Blow the Whistle” [37], which
focuses on verifying the conclusions of the earlier tests while
exploring a number of other possible usability improvements. The study
was, however, carried out before the release of Tor Browser version 3,
which improved the bundle’s usability based on earlier suggestions.

  [35]: http://petsymposium.org/2012/papers/hotpets12-1-usability.pdf
  [36]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032205.html
  [37]: http://www.norcie.com/papers/torUSEC.pdf

Mac OS X users will be thrilled to learn that the next Tor Browser
Bundle will be shipped as a DMG (disk image) [38] instead of the
previous unusual .ZIP archive [39].

  [38]: https://people.torproject.org/~mikeperry/images/TBBDMG.png
  [39]: https://bugs.torproject.org/4261

David Rajchenbach-Teller from Mozilla reached out [40] to the Tor
Browser developers about their overhaul of the Firefox Session Restore
mechanism. This is another milestone in the growing collaboration
between the Tor Project and Mozilla.

  [40]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032204.html

On the “anonymity is hard” front, David Fifield reported [41] a
fingerprinting issue on the Tor Browser. Fallback charsets can be used
to learn the user locale as they vary from one to another. The next
release of the Tor Browser will use “windows-1252” for all locales, as
this matches the impersonated “User-Agent” string (Firefox – English
version – on Windows) that it already sends in its HTTP headers.

  [41]: https://bugs.torproject.org/10703

Yawning Angel called for help [42] in testing and reviewing
obfsclient-0.0.1rc2, the second obfsclient release candidate this week:
“assuming nothing is broken, this will most likely become v0.0.1, though
I may end up disabling Session Ticket handshakes.”

  [42]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006358.html

David Fifield published [43] a guide to patching meek, an HTTP pluggable
transport, so that it can be used to send traffic via Lantern [44], a
censorship circumvention system which “acts as an HTTP proxy and proxies
your traffic through trusted friends.”

  [43]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006356.html
  [44]: https://www.getlantern.org/

Fortasse started a discussion [45] on tor-talk about using HTTPS
Everywhere to redirect Tor Browser users to .onion addresses when
available. Several people commented regarding the procedure, its
security, or how it could turn the Tor Project or the EFF into some kind
of registrar.

  [45]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032220.html

anonym has been busy [46] adapting the configuration interface from the
Tor Browser – called “Tor Launcher” – to Tails’ needs. Preliminary
results can already be seen in the images built from the experimental
branch [47].

  [46]: https://mailman.boum.org/pipermail/tails-dev/2014-February/005023.html
  [47]: http://nightly.tails.boum.org/build_Tails_ISO_experimental/

Ramo wrote [48] to announce their Nagios plugin project [49] to the
relay operator community. Lunar pointed out a complementary probe named
“check_tor.py” [50].

  [48]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004007.html
  [49]: https://github.com/goodvikings/tor_nagios/
  [50]: http://anonscm.debian.org/gitweb/?p=users/lunar/check_tor.git;a=blob;f=README;hb=HEAD

Virgil Griffith sent a draft proposal [51] for changes to improve the
latency of hidden services when using the “Tor2web” mode. Roger
Dingledine commented [52] that one of the proposed changes actually
opened a new research question regarding the actual latency benefits.

  [51]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006344.html
  [52]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006347.html

David Goulet released the fourth candidate of his Torsocks rewrite [53].
This new version comes after “a big code review from Nick and help from
a lot of people contributing and testing”. But more reviews and testing
are now welcome!

  [53]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006371.html

Tor help desk roundup
---------------------

Often users email the help desk when the Tor Browser’s Tor client fails
somehow. There are many ways for the Tor Browser to fail in such a way
that the Tor log is inaccessible. Since antivirus programs, firewalls,
system clock skew, proxied internet connections, and internet censorship
have all been known to cause Tor failures, it is not always easy to
determine the source of the problem. Thankfully, the Tor Browser team is
working on making the logs easier to access in case of failures
(#10059 [54], #10603 [55]).

  [54]: https://trac.torproject.org/projects/tor/ticket/10059
  [55]: https://trac.torproject.org/projects/tor/ticket/10603

News from Tor StackExchange
---------------------------

Janice needs to be able to connect from an IP address in a specific city
and wanted to know if Tor can be used to do so [56]. Several users
suggested that this is not possible with Tor. For city-level IP
addresses, it might be better to use other services like a proxy or a
tunnel, provided one does not require anonymity.

  [56]: https://tor.stackexchange.com/q/1485/88

The Tor Browser Bundle sets the default font to Times New Roman 16pt and
allows pages to use their own fonts. User joeb likes to change the
settings and wondered how this increases the possibility to fingerprint
a user [57]. gacar suggested that this will facilitate fingerprinting
attacks. Several important sites use font probing to fingerprint their
users [58], and changing the default fonts is likely to make a user
stand out from the common anonymity set.

  [57]: https://tor.stackexchange.com/q/1619/88
  [58]: https://www.cosic.esat.kuleuven.be/fpdetective/#results

Kristopher Ives wondered [59] if Tor uses some kind of compression.
Several users searched the source code archives for “gzip” [60] and
found code which deals with directory information. Jens Kubieziel argued
that Tor operates on encrypted data and compressing encrypted data
usually results in an increase in size, so it makes no sense to compress
this data.

  [59]: https://tor.stackexchange.com/q/1598/88
  [60]: https://gitweb.torproject.org/tor.git?a=search&h=HEAD&st=grep&s=gzip

StackExchange uses bounties to award higher reputations to answers. By
using this one can attract attention and get better answers or an answer
at all. The question about using DNSSEC and DNScrypt over Tor [61] is
probably the first to receive a bounty: an answer to this question would
be rewarded with 50 points. However, they have not been earned yet, so
if you know an answer, please enlighten the rest of the community.

  [61]: https://tor.stackexchange.com/q/1503/88

Upcoming events
---------------

Mar 03-07        | Tor @ Financial Cryptography and Data Security 2014
                 | Barbados
                 | http://fc14.ifca.ai/
                 |
Mar 05 18:00 UTC | Tor Weather development meeting
                 | #tor-dev, irc.oftc.net
                 | https://trac.torproject.org/projects/tor/wiki/doc/weather-in-2014
                 |
Mar 05 19:00 UTC | Tor Browser development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.html
                 |
Mar 05 20:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006366.html
                 |
Mar 05 21:00 UTC | Tails contributors meeting
                 | #tails-dev, irc.oftc.net
                 | https://mailman.boum.org/pipermail/tails-dev/2014-February/004934.html
                 |
Mar 07-11        | Karen and Kelley @ SXSW 2014
                 | Austin, Texas, USA
                 | http://schedule.sxsw.com/2014/events/event_IAP19728
                 |
Mar 07 17:00 UTC | Tor Instant Messaging Bundle development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006369.html
                 |
Mar 22-23        | Tor @ LibrePlanet 2014
                 | Cambridge, Massachusetts, USA
                 | http://libreplanet.org/2014/


This issue of Tor Weekly News has been assembled by harmony, Lunar, qbi,
Matt Pagan, Karsten Loesing, Mike Perry, dope457, and Philipp Winter.


Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [62], write down your
name and subscribe to the team mailing list [63] if you want to
get involved!

  [62]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [63]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
