
[tor-talk] Tor Weekly News — May 22nd, 2015

Tor Weekly News                                           May 22nd, 2015

Welcome to the twentieth issue in 2015 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the aleatoric [1] Tor

  [1]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008821.html


 1. Tor is out
 2. Tor Browser 4.5.1 and 5.0a1 are out
 3. Fixing the Tor network’s bandwidth measurement system
 4. Stopping onion service DoS attacks by limiting connections
 5. What is the value of anonymous communication?
 6. Miscellaneous news
 7. This week in Tor history
 8. Upcoming events

Tor is out

Nick Mathewson announced [2] a new release in the current stable branch
of the core Tor software. Tor stops directory authorities from
giving the HSDir flag to relays without a DirPort configured, which was
causing accessibility problems [3] for some hidden services. It also
fixes a bug [4] that could have allowed a Tor client to crash an onion
service in a very small number of cases where the service was making use
of Tor’s “client authorization” feature.

If you are running one of the Tor network’s nine directory authorities,
you should upgrade as soon as possible. If you aren’t one of those
people, no urgent action is required.

  [2]: https://blog.torproject.org/blog/tor-0268-released
  [3]: https://bugs.torproject.org/15850
  [4]: https://bugs.torproject.org/15823

Tor Browser 4.5.1 and 5.0a1 are out

Mike Perry announced new releases by the Tor Browser team in both the
stable and alpha series. Tor Browser 4.5.1 [5] relaxes the “first-party
isolation” system slightly, in order to solve some usability issues
affecting websites that host their content on several subdomains. In
addition, NoScript’s ClearClick anti-clickjacking feature is disabled,
as it had been causing frequent false positives, especially on pages
serving captchas.

In addition to those fixes, Tor Browser 5.0a1 [6] includes several new
privacy-preserving features. The automatic window-resizing feature from
4.5a4 is reintroduced here, and JavaScript’s ability to take precise
timings of some activities has been limited, in order to defend against
browser fingerprinting attacks.

See Mike’s announcements for full changelogs, download instructions, and
advice on reporting any issues you experience. Both releases include
important security updates to Firefox, so please upgrade as soon as you

  [5]: https://blog.torproject.org/blog/tor-browser-451-released
  [6]: https://blog.torproject.org/blog/tor-browser-50a1-released

Fixing the Tor network’s bandwidth measurement system

When a Tor relay is first set up, it performs a test to estimate its own
ability to handle Tor traffic, and then reports this figure to the
directory authorities [7] — the so-called “advertised bandwidth”. In
the earliest versions of the Tor network, the directory authorities used
this advertised value directly when creating the consensus [8], even
though the amount of bandwidth available to relays is sometimes greater
or lesser than the reported figure. This led to poor balancing of the
traffic load across the Tor network, and to the overwhelming impression
that Tor is just “slow”.

In 2009, therefore, Mike Perry introduced the “bandwidth authority” (or
“bwauth”) scripts as part of his TorFlow suite of tools [9]. Computers
that are configured to run as bwauths regularly scan the relays that
make up the Tor network to see if the bandwidth they advertise
corresponds to their real capacity. If not, the consensus will adjust
the advertised bandwidth up or down to reflect the measurements taken by
the bwauths; this adjusted value is the “consensus weight”, and clients
using the consensus weight to select their Tor circuits experience much
less of the lag that plagued the Tor network in its infancy [10].

At least, that’s how it should work. For some time, the bwauth scripts
have been unmaintained, leading to problems for their operators, and
more recently they appear to have broken in a way that is hard to
diagnose. As nusenu pointed out [11], a significant number of Tor relays
are now unmeasured, which means that some Tor relay operators are
contributing bandwidth which the network is not using in the most
efficient way.

In the short term, work is underway to patch up the bwauth scripts so
that they can once again scan all the relays in the network: Tom Ritter
announced [12] that new bwauths have been brought online to provide the
necessary measurements, and the scripts are being investigated to see if
differences between consensuses are causing scanners to miss some

A more permanent fix, however, might involve a total rewrite of the
bwauth scripts if, as Roger Dingledine suggested [13], the design itself
is flawed. Tor Project contributor Aaron Gibson will hopefully be
addressing this issue as part of an upcoming fellowship with OTF, and a
number of other research groups are also working towards a more robust
design for the bandwidth measurement system.

Be sure to sign up to the tor-relays mailing list [14] for further
information. Thanks to all relay operators for their patience while the
problem-solving continues!

  [7]: https://metrics.torproject.org/about.html#directory-authority
  [8]: https://metrics.torproject.org/about.html#consensus
  [9]: https://blog.torproject.org/blog/torflow-node-capacity-integrity-and-reliability-measurements-hotpets
 [10]: https://www.youtube.com/watch?v=f4BUZrbFbis
 [11]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007003.html
 [12]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007042.html
 [13]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007006.html
 [14]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
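The consensus-weight mechanism described above, as an added example that is not Tor or TorFlow code: it parses a constructed consensus fragment, reports the unmeasured share nusenu raised, and simulates a client choosing relays in proportion to consensus weight. The relay names and the fragment are constructed; the clipping of unmeasured relays to 20 KB/s (the default of the maxunmeasuredbw consensus parameter) is Tor’s real behaviour and is not stated on the page.

```python
"""Added example (not Tor or TorFlow code): how consensus weights are read
and why unmeasured relays go largely unused, per the section above.
Each relay in a consensus has an 'r' line (nickname first) and a 'w' line
with 'Bandwidth=N' (the consensus weight, KB/s). When no bwauth measured
the relay the line carries 'Unmeasured=1' and the directory authorities
clip its weight to the maxunmeasuredbw consensus parameter (default 20).
"""
import random
from collections import Counter

# Constructed fragment; real 'r' lines carry more fields, trimmed here.
SAMPLE_CONSENSUS = """\
r alpha   AAAA 2015-05-22 10:00:00 192.0.2.1 9001 0
w Bandwidth=12000
r bravo   BBBB 2015-05-22 10:00:00 192.0.2.2 9001 0
w Bandwidth=20 Unmeasured=1
r charlie CCCC 2015-05-22 10:00:00 192.0.2.3 443 0
w Bandwidth=8000
r delta   DDDD 2015-05-22 10:00:00 192.0.2.4 9001 0
w Bandwidth=20 Unmeasured=1
"""

def parse_weights(consensus):
    """Return [(nickname, weight_kb, measured)] in consensus order."""
    relays, nick = [], None
    for line in consensus.splitlines():
        fields = line.split()
        if fields[:1] == ["r"]:
            nick = fields[1]
        elif fields[:1] == ["w"] and nick is not None:
            kv = dict(f.split("=", 1) for f in fields[1:])
            relays.append((nick, int(kv["Bandwidth"]), "Unmeasured" not in kv))
            nick = None
    return relays

def unmeasured_share(relays):
    """(fraction of relays unmeasured, fraction of total weight they hold)."""
    total = sum(w for _, w, _ in relays)
    unm = [w for _, w, m in relays if not m]
    return len(unm) / len(relays), sum(unm) / total

def selection_counts(relays, picks, seed=7):
    """Simulate a client choosing relays in proportion to consensus weight."""
    rng = random.Random(seed)
    names = [n for n, _, _ in relays]
    weights = [w for _, w, _ in relays]
    return Counter(rng.choices(names, weights=weights, k=picks))
```

With this fragment half the relays are unmeasured yet hold about 0.2% of the total weight, so clients almost never pick them whatever their real capacity.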

Stopping onion service DoS attacks by limiting connections

George Kadianakis published an experimental workaround [15] for onion
services affected by a newly-discovered denial-of-service attack [16].
“In this attack”, as George explained, “the adversary forces a hidden
service to create thousands of connections to its underlying application
(e.g. the webserver), which overwhelms both Tor and the underlying

Onion service operators who want to test the fix will need to recompile
their Tor from a special git branch, then configure the new settings in
their torrc file to set an upper limit on the number of TCP connections
a client can make. “Let us know if this works for you, by sending an
email to this list, or commenting on the trac ticket. If it works for
people, we might incorporate it in a Tor release soon”, wrote George.

 [15]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008838.html
 [16]: https://bugs.torproject.org/16052
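A torrc fragment for the connection limit described above, added here as an example rather than taken from George’s branch: the page does not name the settings, so this uses the HiddenServiceMaxStreams and HiddenServiceMaxStreamsCloseCircuit options of later Tor releases and assumes they correspond to the experimental ones; the directory and port values are placeholders.

```conf
# Added example, not the experimental branch from the thread.
# Assumes the later released options HiddenServiceMaxStreams and
# HiddenServiceMaxStreamsCloseCircuit match the settings described above.
HiddenServiceDir /var/lib/tor/example_onion/
HiddenServicePort 80 127.0.0.1:8080

# Default (0): no limit, so a single client circuit can open thousands of
# streams, each becoming a TCP connection to the backend on 127.0.0.1:8080.
#HiddenServiceMaxStreams 0

# Hardened: cap streams per rendezvous circuit (i.e. per client), and close
# the whole circuit when a client exceeds the cap instead of refusing only
# the extra streams.
HiddenServiceMaxStreams 50
HiddenServiceMaxStreamsCloseCircuit 1
```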

What is the value of anonymous communication?

Researchers at Drexel University in Philadelphia are investigating the
ways in which Tor users “write blog posts, edit Wikipedia articles,
contribute to open source projects on GitHub, post on discussion forums,
comment on news articles, Tweet, write reviews, and many other things”
as part of their online activity, and whether or not they are inhibited
by obstacles such as captchas, IP blacklists, or other blocking
mechanisms, as Kate Krauss explained on the Tor blog [17].

According to Professor Rachael Greenstadt, one of the co-authors: “By
understanding the contributions that Tor users make, we can help make a
case for the value of anonymity online”.

One of the biggest threats to Tor’s success, as Roger Dingledine wrote
last year [18], is the “siloing” of the Internet caused by the “growing
number of websites [that] treat users from anonymity services
differently”, so it’s more important than ever to demonstrate the many
contributions to online projects made by Tor users. If you are a Tor
user and don’t mind sharing your experiences of using Tor to communicate
anonymously online, please see Kate’s post for more information on how
to participate in the study.

 [17]: https://blog.torproject.org/blog/study-what-value-anonymous-communication
 [18]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users

Miscellaneous news

Damian Johnson put out a new release [19] of Stem [20], the Tor
controller library in Python. Stem 1.4 brings another increase in the
speed of document parsing (now that descriptors are not validated by
default), and includes support for Tor’s new “ephemeral onion service”
and descriptor handling features [21]. See Damian’s announcement for the
full changelog.

 [19]: https://blog.torproject.org/blog/stem-release-14
 [20]: https://stem.torproject.org/
 [21]: https://stem.torproject.org/tutorials/over_the_river.html#ephemeral-hidden-services

Alec Muffett, the lead engineer behind Facebook’s onion service,
contributed some notes on his experiences [22] to a thread about serving
the same site as both an onion service and a regular website.

 [22]: https://lists.torproject.org/pipermail/tor-talk/2015-May/037840.html

Jesse Victors, one of the students participating in the first-ever Tor
Summer of Privacy [23], explained in greater detail [24] his proposal
for “OnioNS”, a method of creating human-memorable yet secure addresses
for onion services.

 [23]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
 [24]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008826.html

Colin C. sent out the Tor Help Desk report for April [25].

 [25]: https://lists.torproject.org/pipermail/tor-reports/2015-May/000827.html

Thanks to Matt Hoover [26] and spriver [27] for running mirrors of the
Tor Project website and software archive!

 [26]: https://lists.torproject.org/pipermail/tor-mirrors/2015-May/000882.html
 [27]: https://lists.torproject.org/pipermail/tor-mirrors/2015-May/000888.html

Micah Lee discovered a bug [28] that is causing OnionShare, the onion
service-based file-sharing application, to crash the entire Tor process
when run using Tails [29].

 [28]: https://bugs.torproject.org/16106
 [29]: https://mailman.boum.org/pipermail/tails-dev/2015-May/008840.html

Martin Florian discussed [30] the problems caused by onion services that
change their IP address during operation, such as those hosted on mobile
devices. “Some logic needs to be included for forgetting about rendezvous
points that have failed once—Am I on the right track? Is this a good
idea? And how do I forget about RPs?”

 [30]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008841.html

This week in Tor history

A year ago this week [31], Anders Andersson wondered [32] about the
problems that Tor would face if the .onion top-level domain (TLD) were
to be sold by ICANN for public registration, in the same way as the
large number of new “generic” TLDs. This question had already been the
subject of a submission [33] to the Internet Engineering Task Force
co-authored by the Tor Project’s Jacob Appelbaum, arguing that the
.onion suffix should be one of several TLDs set aside for special use by
peer-to-peer software.

This week, Jacob and Facebook’s Alec Muffett submitted another
Internet-draft [34] to the IETF, specifically requesting the
registration of .onion as a special-use TLD now that it is in wide use.
If it is approved, the .onion suffix will be reserved for use by Tor,
ensuring that no conflicts arise later which might break the onion
service naming system or enable attacks on users.

 [31]: https://lists.torproject.org/pipermail/tor-news/2014-May/000046.html
 [32]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032974.html
 [33]: https://tools.ietf.org/id/draft-grothoff-iesg-special-use-p2p-names-02.txt
 [34]: https://www.ietf.org/id/draft-appelbaum-dnsop-onion-tld-01.txt

Upcoming events

  May 22 16:00 UTC | SponsorO Tor Messenger/Tor Mail meeting
                   | #tor-project, irc.oftc.net
  May 25 18:00 UTC | Tor Browser meeting
                   | #tor-dev, irc.oftc.net
  May 25 18:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
  May 26 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  May 27 02:00 UTC | Pluggable transports/bridges meeting
                   | #tor-dev, irc.oftc.net
  May 27 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Jun 03 19:00 UTC | Tails contributors meeting
                   | #tails-dev, irc.oftc.net
                   | https://mailman.boum.org/pipermail/tails-project/2015-May/000206.html
  Jun 30 - Jul 02  | Many Tor people @ 15th Privacy Enhancing Technologies Symposium
                   | Philadelphia, USA
                   | https://petsymposium.org/2015/

This issue of Tor Weekly News has been assembled by Harmony, Karsten
Loesing, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [35], write down your
name and subscribe to the team mailing list [36] if you want to
get involved!

 [35]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [36]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team