[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â March 25th, 2015

Tor Weekly News                                         March 25th, 2015

Welcome to the twelfth issue in 2015 of Tor Weekly News, the weekly
newsletter that covers whatâs happening in the Tor community.

Tor,, and are out

Nick Mathewson announced three new releases by the core Tor team.
Versions and [1] are updates to the stable release
series, featuring backports from later releases and an updated list of
Tor directory authorities.

Tor [2], meanwhile, is the second release candidate in the
upcoming Tor 0.2.6 series. It fixes a couple of possible crashes, and
makes it easier to run Tor inside the Shadow network simulator. To find
out more about all the new features that are expected in this release
series, take a look at Nickâs guide [3] on the Tor blog.

Please see the release announcements for details of all changes, and
download the source code from the distribution directory [4].

  [1]: https://blog.torproject.org/blog/tor-02426-and-02511-are-released
  [2]: https://blog.torproject.org/blog/tor-0265-rc-released
  [3]: https://blog.torproject.org/blog/coming-tor-026
  [4]: https://dist.torproject.org/

Tor Browser 4.0.5 is out

Following the disclosure of two potentially serious security flaws in
Firefox, the Tor Browser team announced [5] a pointfix release of the
privacy-preserving browser. Tor Browser 4.0.5 is based on Firefox 31.5.3
ESR, fixing flaws in the handling of SVG files [6] and Javascript bounds
checking [7] that could have allowed an adversary to run malicious code
on a target machine.

This is an important security update, and all users of the stable Tor
Browser should upgrade as soon as possible. Users of the alpha Tor
Browser release channel will need to wait another week for an updated
version; in the meantime, as Georg Koppen explained, they âare strongly
recommended to use Tor Browser 4.0.5â. Download your copy of the new Tor
Browser from the project page [8].

  [5]: https://blog.torproject.org/blog/tor-browser-405-released
  [6]: https://www.mozilla.org/en-US/security/advisories/mfsa2015-28/
  [7]: https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
  [8]: https://www.torproject.org/projects/torbrowser.html

Tails 1.3.1 is out

The Tails 1.3.1 emergency release was put out on March 23 [9], following
the Firefox security announcement. As well as Tor Browser 4.0.5, this
release includes updates to key software, fixing numerous security
issues [10]. All Tails users must upgrade as soon as possible; see the
announcement for download instructions.

This release is also the first to be signed by the Tails teamâs new
OpenPGP signing key. For full details of the new key, see the teamâs
announcement [11].

  [9]: https://tails.boum.org/news/version_1.3.1/
 [10]: https://tails.boum.org/security/Numerous_security_holes_in_1.3/
 [11]: https://tails.boum.org/news/signing_key_transition/

Who runs most of the Tor network?

The Tor network is a diverse and mostly decentralized system, and it
would not exist without the efforts of thousands of volunteer relay
operators around the world. Some focus on the task of maintaining a
single relay, while others set up âfamiliesâ of nodes that handle a
larger share of Tor traffic.

In an effort to identify the largest (publicly-declared) groupings of
relays on the Tor network today, Nusenu posted [12] a list of entries
found in the MyFamily field [13] of Tor relay configuration files,
grouped by total âconsensus weightâ [14]. This list also includes other
relevant data such as the number of Autonomous Systems, /16 IP address
blocks, and country codes in which these relays are located; as Nusenu
says, âmore is betterâ for these statistics, at least as far as
diversity is concerned. If the concentration of relays in one location
is too high, there is a greater risk that a single adversary will be
able to see a large proportion of Tor traffic.

Nusenu also posted shorter lists of the largest relay families sorted by
contact information [15], and in the course of all this research was
able to notify some relay operators of problems with their
configuration. The future of the MyFamily setting is still being
discussed [16]; in the meantime, thanks to Nusenu for this impressive

 [12]: https://lists.torproject.org/pipermail/tor-talk/2015-March/037305.html
 [13]: https://www.torproject.org/docs/faq.html.en#MultipleRelays
 [14]: https://metrics.torproject.org/about.html#consensus-weight
 [15]: https://lists.torproject.org/pipermail/tor-relays/2015-March/006657.html
 [16]: https://bugs.torproject.org/6676

Miscellaneous news

Nathan Freitas announced [17] Orbot version 15-alpha-5, bringing support
for the meek and obfs4 pluggable transports, QR code bridge
distribution, and other new features closer to a stable release.

 [17]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-March/004283.html

George Kadianakis invited feedback on proposal 243 [18], which would
require Tor relays to earn the âStableâ flag before they are allowed to
act as onion service directories, making it harder for malicious relay
operators to launch denial-of-service attacks on onion services.

 [18]: https://lists.torproject.org/pipermail/tor-dev/2015-March/008532.html

Nick Mathewson asked for comments [19] on a list of possible future
improvements to Torâs controller protocol: âThis is a brainstorming
exercise, not a declaration of intent. The goal right now is to generate
a lot of ideas and thoughts now, and to make decisions about what to
build later.â

 [19]: https://lists.torproject.org/pipermail/tor-dev/2015-March/008502.html

David Fifield wondered [20] why many of the graphs of Tor user numbers
on the Metrics portal [21] appear to show weekly cycles.

 [20]: https://lists.torproject.org/pipermail/tor-dev/2015-March/008473.html
 [21]: https://metrics.torproject.org

Jens Kubieziel posted a list of ideas [22] for the further development
of the Torservers organization, following recent discussions.

 [22]: https://lists.torproject.org/pipermail/tor-relays/2015-March/006670.html

Mashael AlSabah and Ian Goldberg published âPerformance and Security
Improvements for Tor: A Surveyâ [23], a detailed introduction to the
current state of research into performance and security on the Tor
network. If you want to get up to speed on the most important technical
questions facing the Tor development community, start here!

 [23]: https://eprint.iacr.org/2015/235

Aaron Johnson announced [24] that this yearâs Workshop on Hot Topics in
Privacy Enhancing Technologies (HotPETS) [25] is accepting two-page talk
proposals, rather than full-length papers, in the hope that âthis will
make it even easier for more of the Tor community to participate,
especially people who donât write research papers for a livingâ. If you
can offer ânew ideas, spirited debates, or controversial perspectives on
privacy (and lack thereof)â, see the Workshopâs website for submission

 [24]: https://lists.torproject.org/pipermail/tor-talk/2015-March/037294.html
 [25]: https://www.petsymposium.org/2015/hotpets.php

Upcoming events

  Mar 30 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
  Mar 30 18:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
  Mar 31 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  Apr 03 20:00 UTC | Tails contributors meeting
                   | #tails-dev, irc.oftc.net
                   | https://mailman.boum.org/pipermail/tails-project/2015-March/000159.html

This issue of Tor Weekly News has been assembled by Harmony, the Tails
team, nicoo, and other contributors.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [26], write down your
name and subscribe to the team mailing list [27] if you want to
get involved!

 [26]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [27]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to