========================================================================
Tor Weekly News                                           May 21st, 2014
========================================================================

Welcome to the twentieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor 0.2.4.22 is out
-------------------

A new version of the Tor stable branch was released [1] on May 16th:
“Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5
alpha release series. These include blocking all authority signing keys
that may have been affected by the OpenSSL ‘heartbleed’ bug, choosing a
far more secure set of TLS ciphersuites by default, closing a couple of
memory leaks that could be used to run a target relay out of RAM, and
several others.”

For more details, look at the full changelog [2]. The source is
available at the usual location [3]. Packages should be coming shortly,
if not already available [4].

   [1]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032956.html
   [2]: https://gitweb.torproject.org/tor.git/blob_plain/2ee56e4c2:/ChangeLog
   [3]: https://www.torproject.org/dist/
   [4]: http://packages.qa.debian.org/t/tor/news/20140517T102023Z.html

Digital Restrictions Management and Firefox
-------------------------------------------

Mozilla’s decision to support playing media with digital
restrictions [5] in Firefox by implementing the W3C EME specification
has raised a fair amount of controversy. Paul Crable wanted to know [6]
what it meant for the Tor Browser.

Mike Perry answered [7] that “simply removing the DRM will be trivial,
and it will be high on our list of tasks”. But he also explained his
worries regarding a “per-device unique identifier” that Firefox would
provide as part of the implementation: “it is likely that this
identifier will soon be abused by all sorts of entities, […] quickly
moving on to the advertising industry (why not play a short
device-linked DRM video with your banner ad? You get a persistent,
device-specific tracking identifier as part of the deal!). I think it is
also quite likely that many arbitrary sites will actually deny access to
users who do not provide them with such a device-id, if only due to ease
of increased revenue generation from a fully identified userbase.”

Mike has raised the issue [8] on Mozilla’s dev-privacy mailing-list
where Henri Sivonen replied that device-identifying information will be
hashed together with a “per-origin browser-generated secret” that
“persists until the user asks the salt to be forgotten”. So it does not
look as gloomy as it initially appeared. As always, the devil is in the
details.

   [5]: https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/
   [6]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032947.html
   [7]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032985.html
   [8]: https://groups.google.com/forum/#!topic/mozilla.dev.privacy/3jA9zt1pXVo

Miscellaneous news
------------------

David Goulet reported [9] on the status of the development of
Torsocks 2.0, the library for safely using applications with Tor.

   [9]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006872.html

Karsten Loesing posted [10] on the Tor Blog to commemorate the tenth
anniversary of the first archived Tor directory, and discussed the
different ways in which the public archive of directory data is being
used for research and development.

  [10]: https://blog.torproject.org/blog/10-years-collecting-tor-directory-data

Karsten also notified [11] the community of a change in the compression
algorithm used for the tarballs of archived metrics data, which has
reduced their total size from 212 gigabytes to 33 – an 85% gain!

  [11]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006884.html

Knock [12] is a variant of port-knocking that might be useful in the
future for pluggable transports. “As Knock uses two fields in the TCP
header in order to hide information and we explicitly want to be
compatible with machines sitting in typical home networks”, writes [13]
Julian Kirsch, “we thus created a program which tests if Knock would
work in your environment.” Please give it a try [14] to help the team
figure out if Knock could be deployed in the wild.

  [12]: https://gnunet.org/knock
  [13]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006873.html
  [14]: https://gnunet.org/knock_nat_tester

Thanks to Jesse Victors [15], Andrea [16], Nicholas Merrill [17], and
Martin A. [18] for running mirrors of the Tor Project website!

  [15]: https://lists.torproject.org/pipermail/tor-mirrors/2014-May/000581.html
  [16]: https://lists.torproject.org/pipermail/tor-mirrors/2014-May/000589.html
  [17]: https://lists.torproject.org/pipermail/tor-mirrors/2014-May/000592.html
  [18]: https://lists.torproject.org/pipermail/tor-mirrors/2014-May/000594.html

Michael Schloh von Bennewitz has been busy analyzing a disk leak [19]
in Tor Browser: when one copies a significant chunk of text to the
clipboard, a temporary file is created with its content. Michael found a
possible fix and is welcoming reviews [20].

  [19]: https://bugs.torproject.org/9701
  [20]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006875.html

Nicolas Vigier has been investigating [21] some extra connections made
by the Tor Browser on startup to the local resolver and the default port
or the SOCKS proxy.

  [21]: https://lists.torproject.org/pipermail/tbb-dev/2014-May/000050.html

Shawn Nock proved to us once more that talking to ISPs is key to running
Tor relays on high-speed links. Shawn’s exit node was abruptly shut down
by its provider [22] on May 15th. After a well-crafted plea explaining
why Tor is important, the provider restored the service [23] on the very
same day!

  [22]: https://lists.torproject.org/pipermail/tor-relays/2014-May/004553.html
  [23]: https://lists.torproject.org/pipermail/tor-relays/2014-May/004555.html

However, dope457 reported that their provider is now giving them trouble
for being the operator of a non-exit relay [24], due to a large amount
of traffic on the DNS port (53), which is being used as the ORPort by a
recently-established Tor relay [25], as pointed out [26] by Roman
Mamedov.

  [24]: https://lists.torproject.org/pipermail/tor-relays/2014-May/004562.html
  [25]: https://atlas.torproject.org/#details/44EFAF942314F756FC7EA50292D5B383E568A9BD
  [26]: https://lists.torproject.org/pipermail/tor-relays/2014-May/004563.html

Now that ICANN is “selling” top-level domain names, Anders Andersson
raised concerns [27] about the .onion extension used by Tor.
Fortunately, RFC6761 [28] defines a process regarding special-use domain
names. Last November, Christian Grothoff, Matthias Wachs, Hellekin O.
Wolf, and Jacob Appelbaum submitted a request to reserve several TLDs
used in peer-to-peer systems [29]. Hellekin sent an update [30] about
the procedure: “the current status quo from the IETF so far is that this
issue is not a priority”.

  [27]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032974.html
  [28]: https://tools.ietf.org/html/rfc6761
  [29]: https://tools.ietf.org/html/draft-grothoff-iesg-special-use-p2p-names-02
  [30]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032983.html

Tor help desk roundup
---------------------

Local antivirus or firewall applications can prevent Tor from connecting
unless they are disabled. Firewall tools that have caused usability
issues in the past include Webroot SecureAnywhere AV, Kaspersky Internet
Security 2012, Sophos Antivirus for Mac, and Microsoft Security
Essentials.

News from Tor StackExchange
---------------------------

The Tor StackExchange site [31] now provides more than 1000 answers to
user-supplied questions. However, there are still ~130 questions [32]
which need a good answer, so if you happen to know one then please visit
the site and help out.

The majority of the questions are about the Tor Browser Bundle [33], but
hidden services also attract a large amount of attention [34]. When it
comes to operating systems, there are 42 Windows-related
questions [35], while questions about Tails [36] and Whonix [37] number
nearly 50. All your questions about Tor and related software are
welcome.

  [31]: https://tor.stackexchange.com/
  [32]: https://tor.stackexchange.com/unanswered
  [33]: https://tor.stackexchange.com/questions/tagged/tor-browser-bundle
  [34]: https://tor.stackexchange.com/questions/tagged/hidden-services
  [35]: https://tor.stackexchange.com/questions/tagged/windows
  [36]: https://tor.stackexchange.com/questions/tagged/tails
  [37]: https://tor.stackexchange.com/questions/tagged/whonix

Blue_Pyro uses Orweb on a mobile phone and wants to save images from
websites [38]. Abel of Guardian recommended two options: first, a user
can use Firefox mobile with privacy enhanced options [39], or one can
try Orfox [40], a development version of a Firefox-based browser.

  [38]: https://tor.stackexchange.com/q/1753/88
  [39]: https://guardianproject.info/apps/firefoxprivacy/
  [40]: https://guardianproject.info/builds/Orfox/latest/

Easy development tasks to get involved with
-------------------------------------------

Stem [41] is a Python controller library for Tor. It comes with
tutorials and generally has pretty good test coverage. The newly-added
example scripts, however, don’t yet have unit tests. Damian Johnson
suggested ways to add unit tests for example scripts [42]; if you want
to help out, learn how to get started [43], start writing unit tests for
the example scripts, and then comment on the ticket.

  [41]: https://stem.torproject.org/
  [42]: https://trac.torproject.org/projects/tor/ticket/11335
  [43]: https://gitweb.torproject.org/stem.git

The traffic obfuscator obfsproxy [44] should validate command-line
arguments appropriately [45]. Right now, it’s printing an error and
continuing, but it should really abort. This sounds like a trivial
change, but maybe there’s more to fix in the nearby code. If you like
Python and want to give it a try, there’s more information for you on
the ticket.

  [44]: https://www.torproject.org/projects/obfsproxy.html
  [45]: https://trac.torproject.org/projects/tor/ticket/9823

Upcoming events
---------------

  May 21 19:00 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
                   |
  May 23 15:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
                   |
  May 23 16:00 UTC | Pluggable transports online meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html
                   |
  May 27-28        | Tor @ Stockholm Internet Forum
                   | Stockholm, Sweden
                   | http://www.stockholminternetforum.se/


This issue of Tor Weekly News has been assembled by Lunar, harmony,
Matt Pagan, Karsten Loesing, qbi, and Georg Koppen.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [46], write down your
name and subscribe to the team mailing list [47] if you want to
get involved!

  [46]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [47]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team