[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â May 21st, 2014

Tor Weekly News                                           May 21st, 2014

Welcome to the twentieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor is out

A new version of the Tor stable branch was releasedÂ[1] on May 16th:
âTor backports numerous high-priority fixes from the Tor 0.2.5
alpha release series. These include blocking all authority signing keys
that may have been affected by the OpenSSL âheartbleedâ bug, choosing a
far more secure set of TLS ciphersuites by default, closing a couple of
memory leaks that could be used to run a target relay out of RAM, and
several others.â

For more details, look at the full changelogÂ[2]. The source is
available at the usual locationÂ[3]. Packages should be coming shortly,
if not already availableÂ[4].


Digital Restrictions Management and Firefox

Mozillaâs decision to support playing media with digital
restrictionsÂ[5] in Firefox by implementing the W3C EME specification
has raised a fair amount of controversy. Paul CrableÂwanted to knowÂ[6]
what it meant for the Tor Browser.

Mike Perry answeredÂ[7] that âsimply removing the DRM will be trivial,
and it will be high on our list of tasksâ.

But he also explained his worries regarding a âper-device unique
identifierâ that Firefox would provide as part of the implementation:
âit is likely that this identifier will soon be abused by all sorts of
entities,Â[â] quickly moving on to the advertising industry (why not
play a short device-linked DRM video with your banner ad? You get a
persistent, device-specific tracking identifier as part of the deal!). I
think it is also quite likely that many arbitrary sites will actually
deny access to users who do not provide them with such a device-id, if
only due to ease of increased revenue generation from a fully identified

Mike has raised the issueÂ[8] on Mozillaâs dev-privacy mailing-list
where Henri Sivonen replied that device-identifying information
will be hashed together with a âper-origin browser-generated secretâ
that âpersists until the user asks the salt to be forgottenâ.
So it does not look as gloom as it initially appeared. As always,
the devil is in the details.

   [8]: https://groups.google.com/forum/#!topic/mozilla.dev.privacy/3jA9zt1pXVo

Miscellaneous news

David Goulet reportedÂ[9] on the status of the development of Torsocks
2.0, the library for safely using applications with Tor.


Karsten Loesing postedÂ[10] on the Tor Blog to commemorate the tenth
anniversary of the first archived Tor directory, and discussed the
different ways in which the public archive of directory data is being
used for research and development.


Karsten also notifiedÂ[11] the community of a change in the compression
algorithm used for the tarballs of archived metrics data, which has
reduced their total size from 212 gigabytes to 33 â an 85% gain!


KnockÂ[12] is a variant of port-knocking that might be useful in the
future for pluggable transports. âAs Knock uses two fields in the TCP
header in order to hide information and we explicitly want to be
compatible with machines sitting in typical home networksâ, writesÂ[13]
Julian Kirsch, âwe thus created a program which tests if Knock would
work in your environment.â Please give it a tryÂ[14] to help the team
figure out if Knock could be deployed in the wild.


Thanks to Jesse VictorsÂ[15], AndreaÂ[16], Nicholas MerrillÂ[17], and
Martin A.Â[18] for running mirrors of the Tor Project website!


Michael Schloh von Bennewitz has been busy analyzing a disk leakÂ[19] in
Tor Browser: when one copies a significant chunk of text to the
clipboard, a temporary file is created with its content. Michael found a
possible fix and is welcoming reviewsÂ[20].


Nicolas Vigier has been investigatingÂ[21] some extra connections made
by the Tor Browser on startup to the local resolver and the default port
or the SOCKS proxy.


Shawn Nock proved us once more that talking to ISP is key to run Tor
relays on high-speed links. Shawnâs exit node was abruptly shut down by
its providerÂ[22] on May 15th. After a well-crafted plea explaining why
Tor is important, the provider restored the serviceÂ[23] on the very
same day!


However, dope457 reported that their provider is now giving them trouble
for being the operator of a non-exit relayÂ[24], due to a large amount
of traffic on the DNS port (53), which is being used as the ORPort by a
recently-established Tor relayÂ[25], as pointedÂout [26] by Roman


Now that ICANN is âsellingâ top-level domain names, Anders Andersson
raised concernsÂ[27] about the .onion extension used by Tor.
Fortunately, RFC6761Â[28] defines a process regarding special-use domain
names. Last November, Christian Grothoff, Matthias Wachs, Hellekin O.
Wolf, and Jacob Appelbaum submitted a request to reserve several TLDs
used in peer-to-peer systemsÂ[29]. Hellekin sent an updateÂ[30] about
the procedure: âthe current status quo from the IETF so far is that this
issue is not a priorityâ.


Tor help desk roundup

Local antivirus or firewall applications can prevent Tor from connecting
unless they are disabled. Firewall tools that have caused usability
issues in the past include Webroot SecureAnywhere AV, Kaspersky Internet
Security 2012, Sophos Antivirus for Mac, and Microsoft Security

News from Tor StackExchange

The Tor StackExchange siteÂ[31] now provides more than 1000 answers to
user-supplied questions. However, there are still ~130 questionsÂ[32]
which need a good answer, so if you happen to know one then please visit
the site and help out.

The majority of the questions are about the Tor Browser BundleÂ[33], but
hidden services also attract a large amount of attentionÂ[34]. When it
comes to operating systems, there are 42 Windows-related questionsÂ[35],
while questions about TailsÂ[36] and WhonixÂ[37] number nearly 50. All
your questions about Tor and related software are welcome.


Blue_Pyro uses Orweb on a mobile phone and wants to save images from
websitesÂ[38]. Abel of Guardian recommended two options: first, a user
can use Firefox mobile with privacy enhanced optionsÂ[39], or one can
try OrfoxÂ[40], a development version of a Firefox-based browser.


Easy development tasks to get involved with

StemÂ[41] is a Python controller library for Tor. It comes with
tutorials and generally has pretty good test coverage. The newly-added
example scripts, however, donât yet have unit tests. Damian Johnson
suggested ways to add unit tests for example scriptsÂ[42]; if you
want to help out, learn how to get startedÂ[43], start writing unit
tests for the example scripts, and then comment on the ticket.

  [41]: https://stem.torproject.org/

The traffic obfuscator obfsproxyÂ[44] should validate command-line
arguments appropriatelyÂ[45]. Right now, itâs printing an error and
continuing, but it should really abort. This sounds like a trivial
change, but maybe thereâs more to fix in the nearby code. If you like
Python and want to give it a try, thereâs more information for you on
the ticket.

  [44]: https://www.torproject.org/projects/obfsproxy.html

Upcoming events

May 21 19:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
May 23 15:00 UTC | Tor Browser online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
May 23 16:00 UTC | Pluggable transports online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html
May 27-28        | Tor @ Stockholm Internet Forum
                 | Stockholm, Sweden
                 | http://www.stockholminternetforum.se/

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt
Pagan, Karsten Loesing, qbi, and Georg Koppen.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project pageÂ[46], write down your
name and subscribe to the team mailing listÂ[47] if you want to
get involved!


Attachment: signature.asc
Description: Digital signature

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to