[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â March 5th, 2014

Tor Weekly News                                          March 5th, 2014

Welcome to the ninth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor is out

Roger Dingledine announced the release of TorÂ[1], whose major
new feature is the forced inclusion of at least one NTor-capable relay
in any given three-hop circuit as a defence against adversaries who
might be able to break 1024-bit encryption; this feature was first seen
in the latest alpha release ( three weeks agoÂ[2], but is
here incorporated into the current stable series.

You can find full details of this releaseâs other features and bugfixes
in Rogerâs announcement.


Tor in Google Summer of Code 2014

As has been the case over the past several years, Tor will once again be
participatingÂ[3] in Googleâs annual Summer of Code program â aspiring
software developers have the chance to work on a Tor-related project
with financial assistance from Google and expert guidance from a core
Tor Project member. Several prospective students have already contacted
the community with questions about the program, and Damian Johnson took
to the Tor Blog to give a brief summary of what students can expect from
the Summer of CodeÂ[4], and what the Tor Project expects from its

In particular, Damian encouraged potential applicants to discuss their
ideas with the community on the tor-dev mailing list or IRC channel
before submitting an application: âCommunication is essential to success
in the summer of code, and weâre unlikely to accept students we havenât
heard from before reading their application.â

If you are hoping to contribute to Tor as part of the Summer of Code
program, please have a look through Damianâs advice and then, as he
says, âcome to the list or IRC channel and talk to us!â


Two ways to help with Tails development

One of the most interesting upcoming additions to the Tails operating
system is the ability to thwart attempts at tracking the movements of
network-enabled devices by spoofing the MAC address on each boot. As
part of the testing process for this new feature, the Tails developers
have releasedÂ[5] an experimental disk image which turns it on by
default, alongside a step-by-step guide to trying it out and reporting
any issues encountered. However, as the developers state, âthis is a
test image. Do not use it for anything other than testing this feature.â
If you are willing to take note of this caveat, please feel free to
download the test image and let the community know what you find.

Turning to the longer-term development of the project, the team also
published a detailed set of guidelines for anyone who wants to help
improve Tails itself by contributing to the development of DebianÂ[6],
the operating system on which Tails is based. They include advice on the
relationship between the two distributions, tasks in need of attention,
and channels for discussing issues with the Tails community; if you are
keen on the idea of helping two free-software projects at one stroke,
please have a look!


Monthly status reports for February 2014

The wave of regular monthly reports from Tor project members for the
month of February has begun. Georg Koppen released his report firstÂ[7],
followed by reports from Sherief AlaaÂ[8], Pearl CrescentÂ[9], Nick
MathewsonÂ[10], Colin C.Â[11], LunarÂ[12], Kelley MisataÂ[13], Damian
JohnsonÂ[14], George KadianakisÂ[15], Philipp WinterÂ[16], and Karsten

Lunar also reported on behalf of the help deskÂ[18], while Mike Perry
did the same on behalf of the Tor Browser teamÂ[19], and Arturo FilastÃ
for the OONI teamÂ[20].


Miscellaneous news

Members of the Prosecco research team released a new attack on the TLS
protocolÂ[21]Ââ dubbed âTriple HandshakeâÂâ allowing impersonation of a
given client when client authentication is in use together with session
resumption and renegotiation. Nick Mathewson published a detailed
analysis of why Tor is not affectedÂ[22], and also outlines future
changes to make Tor resistant to even more potential TLS issues.


Mike Perry announcedÂ[23] the start of a weekly Tor Browser developerâs
meeting, to be held on #tor-dev on irc.oftc.net. These meetings are
tentatively scheduled for 19:00 UTC on Wednesdays. Details on the format
and flow of the meetings can be found on the tor-dev and tbb-devÂ[24]
mailing lists.


Roger Dingledine and Nick Mathewson were among the signatories of an
open letterÂ[25] published by the EFF which offers ten principles for
technology companies to follow in protecting users from illegal


Nick Mathewson also detailedÂ[26] a change in the way that the core Tor
development team will use the bugtrackerâs âmilestoneâ feature to
separate tickets marked for resolution in a given Tor version from those
that can be deferred to a later release.


Nick then sent out the latest in his irregular series of Tor proposal
status updatesÂ[27], containing summaries of each open proposal,
guidance for reviewers, and notes for further work. If you'd like to
help Torâs development by working on one of these proposals, start here!


On the subject of proposals, two new ones were sent to the tor-dev list
for review: proposal 228Â[28], which offers a way for relays to prove
ownership of their onion keys as well as their identity key, and
proposal 229Â[29] based on Yawning Angelâs unnumbered submission from
last week, which concerns improvements to the SOCKS5 protocol for
communication between clients, Tor, and pluggable transports.


Nicholas Merrill wroteÂ[30] to the Liberationtech list to announce that
xmpp.net now lists XMPP servers that are reachable over hidden
servicesÂ[31], and that xmpp.netâs server scanner works with these as


Patrick Schleizer announcedÂ[32] the release of version 8 of
WhonixÂ[33]Ââ  an operating system focused on anonymity, privacy and
security based on the Tor anonymity network, Debian and security by
isolation. The curious should take a look at the long changelog.


Kelley Misata wrote up an accountÂ[34] of her talk âJournalists â
Staying Safe in a Digital Worldâ, which she delivered at the
Computer-Assisted Reporting Conference in Baltimore.


Having co-authored a paper in 2012 on usability issues connected with
the Tor Browser BundleÂ[35], Greg Norcie drew attentionÂ[36] to a
follow-up study named âWhy Johnny Canât Blow the WhistleâÂ[37], which
focuses on verifying the conclusions of the earlier tests while
exploring a number of other possible usability improvements. The study
was, however, carried out before the release of Tor Browser version 3,
which improved the bundleâs usability based on earlier suggestions.


Mac OS X users will be thrilled to learn that the next Tor Browser
Bundle will be shipped as a DMG (disk image)Â[38] instead of the
previous unusual .ZIP archiveÂ[39].


David Rajchenbach-Teller from Mozilla reached outÂ[40] to the Tor
Browser developers about their overhaul of the Firefox Session Restore
mechanism. This is another milestone in the growing collaboration
between the Tor Project and Mozilla.


On the âanonymity is hardâ front, David Fifield reportedÂ[41] a
fingerprinting issue on the Tor Browser. Fallback charsets can be used
to learn the user locale as they vary from one to another. The next
release of the Tor Browser will use âwindows-1252â for all locales, as
this matches the impersonated âUser-Agentâ string (FirefoxÂâÂEnglish
versionÂâ on Windows) that it already sends in its HTTP headers.


Yawning Angel called for helpÂ[42] in testing and reviewing
obfsclient-0.0.1rc2, the second obfsclient release candidate this week:
âassuming nothing is broken, this will most likely become v0.0.1, though
I may end up disabling Session Ticket handshakes.â


David Fifield publishedÂ[43] a guide to patching meek, an HTTP pluggable
transport, so that it can be used to send traffic via LanternÂ[44], a
censorship circumvention system which âacts as an HTTP proxy and proxies
your traffic through trusted friends.â


Fortasse started a discussionÂ[45] on tor-talk about using HTTPS
Everywhere to redirect Tor Browser users to .onion addresses when
available. Several people commented regarding the procedure, its
security, or how it could turn the Tor Project or the EFF into some kind
of registrar.


anonym has been busyÂ[46] adapting the configuration interface from the
Tor BrowserÂâ called âTor LauncherâÂâ to Tailsâ needs. Preliminary
results can already be seen in the images built from the experimental


Ramo wroteÂ[48] to announce their Nagios plugin projectÂ[49] to the
relay operator community. Lunar pointed out a complementary probe named


Virgil Griffith sent a draft proposalÂ[51] for changes to improve the
latency of hidden services when using the âTor2webâ mode. Roger
Dingledine commentedÂ[52] that one of the proposed changes actually
opened a new research question regarding the actual latency benefits.


David Goulet released the fourth candidate of his Torsocks rewriteÂ[53].
This new version comes after âa big code review from Nick and help from
a lot of people contributing and testingâ. But more reviews and testing
are now welcome!


Tor help desk roundup

Often users email the help desk when the Tor Browserâs Tor client fails
somehow. There are many ways for the Tor Browser to fail in such a way
that the Tor log is inaccessible. Since antivirus programs, firewalls,
system clock skew, proxied internet connections, and internet censorship
have all been known to cause Tor failures, it is not always easy to
determine the source of the problem. Thankfully, the Tor Browser team is
working on making the logs easier to access in case of failures
(#10059Â[54], #10603Â[55]).


News from Tor StackExchange

Janice needs to be able to connect from an IP address in a specific city
and wanted to know if Tor can be used to do soÂ[56]. Several users
suggested that this is not possible with Tor. For city-level IP
addresses, it might better to use other services like a proxy or a
tunnel, provided one does not require anonymity.


The Tor Browser Bundle sets the default font to Times New Roman 16pt and
allows pages to use their own fonts. User joeb likes to change the
settings and wondered how this increases the possibility to fingerprint
a userÂ[57]. gacar suggested that this will facilitate fingerprinting
attacks. Several important sites use font probing to fingerprint their
usersÂ[58], and changing the default fonts is likely to make a user
stand out from the common anonymity set.


Kristopher Ives wonderedÂ[59] if Tor uses some kind of compression.
Several users searched the source code archives for âgzipâÂ[60] and
found code which deals with directory information. Jens Kubieziel argued
that Tor operates on encrypted data and compressing encrypted data
usually results in a increase in size, so it makes no sense to compress
this data.


Stackexchange uses bounties to award higher reputations to answers. By
using this one can attract attention and get better answers or an answer
at all. The question about using DNSSEC and DNScrypt over TorÂ[61] is
probably the first to receive a bounty: an answer to this question would
be rewarded with 50 points. However, they have not been earned yet, so
if you know an answer, please enlighten the rest of the community.


Upcoming events

Mar 03-07        | Tor @ Financial Cryptography and Data Security 2014
                 | Barbados
                 | http://fc14.ifca.ai/
Mar 05 18:00 UTC | Tor Weather development meeting
                 | #tor-dev, irc.oftc.net
                 | https://trac.torproject.org/projects/tor/wiki/doc/weather-in-2014
Mar 05 19:00 UTC | Tor Browser development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.html
Mar 05 20:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006366.html
Mar 05 21:00 UTC | Tails contributors meeting
                 | #tails-dev, irc.oftc.net
                 | https://mailman.boum.org/pipermail/tails-dev/2014-February/004934.html
Mar 07-11        | Karen and Kelley @ SXSW 2014
                 | Austin, Texas, USA
                 | http://schedule.sxsw.com/2014/events/event_IAP19728
Mar 07 17:00 UTC | Tor Instant Messaging Bundle development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006369.html
Mar 22-23        | Tor @ LibrePlanet 2014
                 | Cambridge, Massachusetts, USA
                 | http://libreplanet.org/2014/

This issue of Tor Weekly News has been assembled by harmony, Lunar, qbi,
Matt Pagan, Karsten Loesing, Mike Perry, dope457, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project pageÂ[62], write down your
name and subscribe to the team mailing listÂ[63] if you want to
get involved!


Attachment: signature.asc
Description: Digital signature

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to