[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â October 22nd, 2014

Tor Weekly News                                       October 22nd, 2014

Welcome to the forty-second issue in 2014 of Tor Weekly News, the weekly
newsletter that covers whatâs happening in the Tor community.

Tor is out

Nick Mathewson announced [1] what is hopefully the final release
candidate in the Tor 0.2.5 series. It contains two enhancements in
response to the recent POODLE attack on OpenSSL [2], âeven though POODLE
does not affect Torâ, as well as a number of other miscellaneous

Upgrading is especially important for relay operators, as a remote crash
is possible [3] when older Tor versions are used with a version of
OpenSSL released last week that was built with the âno-ssl3â flag.

As ever, you can download the source code from the distribution
directory [4] and packages should follow shortly.

  [1]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035302.html
  [2]: https://blog.torproject.org/blog/new-sslv3-attack-found-disable-sslv3-torbrowser
  [3]: https://blog.torproject.org/blog/advisory-remote-dos-when-using-tor-recent-openssl-versions-built-no-ssl3-option
  [4]: https://www.torproject.org/dist/

Tor Browser 4.0 is out

Mike Perry announced [5] a major release by the Tor Browser team.
Version 4.0 of the secure and anonymous web browser brings several
exciting new features to the stable series, including the meek [6]
censorship-circumvention tool, the secure updater, and a simplified
Javascript enabling/disabling process in NoScript, all based on a
customized Firefox ESR31. SSLv3 is also disabled, in response to the
recent POODLE attack.

This release contains important security fixes, and all users should
upgrade as soon as possible. Please note that the new directory
structure means users cannot simply extract the new Tor Browser over
their existing 3.6.6 directory, and must instead delete the old version
entirely. The secure updater still requires manual activation in the
âAbout Tor Browserâ menu option, as its security will depend âon the
specific CA that issued the www.torproject.org HTTPS certificate
(Digicert)â until site-specific certificate pinning [7] and signed
update files [8] are implemented. Furthermore, âwe still need to improve
meekâs performance to match other transportsâ, wrote Mike, âso adjust
your expectations accordinglyâ.

See Mikeâs post for further details and a full changelog, and get your
copy of Tor Browser 4.0 from the distribution directory [9] or the
download page [10].

  [5]: https://blog.torproject.org/blog/tor-browser-40-released
  [6]: https://trac.torproject.org/projects/tor/wiki/doc/meek
  [7]: https://bugs.torproject.org/11955
  [8]: https://bugs.torproject.org/13379
  [9]: https://www.torproject.org/dist/torbrowser/4.0/
 [10]: https://www.torproject.org/download/download-easy

Tails 1.2 is out

The Tails team put out version 1.2 [11] of the anonymizing live
operating system. This release replaces the Iceweasel browser with âmost
ofâ the regular Tor Browser, and confines several important applications
with AppArmor.

I2P will now, like Tor, be started upon network connection if activated
with the âi2pâ boot parameter, and must be used with the new dedicated
I2P Browser. This is also the last Tails release to ship with the
now-unmaintained TrueCrypt tool, but the Tails team has already
documented the method for opening TrueCrypt volumes with
cryptsetup [12]. See the teamâs announcement for a full list of changes
in the new version.

This is an important security release and all users should upgrade as
soon as possible. If you have a running Tails, you should be able to use
the incremental updater; if your Tails drive was manually created, or
you are a new user, head to the download page [13] for more information.

 [11]: https://tails.boum.org/news/version_1.2/
 [12]: https://tails.boum.org/doc/encryption_and_privacy/truecrypt/index#cryptsetup
 [13]: https://tails.boum.org/download/

Miscellaneous news

tagnaq warned [14] users of TorBirdy [15], the torifying extension for
the Thunderbird mail client, that a change in Thunderbird 31âs handling
of the âreply_header_authorwroteâ header means that the word âwroteâ,
translated into the userâs system language, may be inserted before
quoted text when replying to emails, leaking the system language to
recipients of replies if not removed. Jacob Appelbaum responded [16]
that a new release of TorBirdy addressing this and other issues was

 [14]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035285.html
 [15]: https://trac.torproject.org/projects/tor/wiki/torbirdy
 [16]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035305.html

Arturo Filastà announced [17] the release of ooniprobe 1.1.2, containing
âtwo new report entry keys, test_start_time and test_runtimeâ, and a fix
for a bug that âled to ooniresources not working properlyâ.

 [17]: https://lists.torproject.org/pipermail/ooni-dev/2014-October/000177.html

evilaliv3 announced [18] version 3.1.20 of tor2web, an HTTP proxy that
enables access to hidden services without a Tor client, for users who do
not require strong anonymity. As well as âsome networking bugfixing and
optimizationsâ, this release adds a âreplaceâ mode for remotely-fetched
blocklists in addition to âmergeâ, and a feature that allows different
hostnames to be mapped to specific hidden services.

 [18]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007641.html

Karsten Loesing gave users of Onionoo a âone-month heads-upâ [19] that
on or after November 15th, a change to the protocol will let the search
parameter âaccept base64-encoded fingerprints in addition to hex-encoded
fingerprints, nicknames, and IP addresses.â These searches will also
return relays whose base64-encoded fingerprints are a partial match for
the search string. âIf youâre fine with that, feel free to ignore this
message and do nothingâ, but if not, âyouâll have to filter out those
relays locallyâ.

 [19]: https://lists.torproject.org/pipermail/onionoo-announce/2014/000001.html

Following updates to the Tor Projectâs website, Sebastian Hahn drew
attention [20] to a change in the steps necessary to run a website
mirror [21]. âPlease ask if you run into any trouble, and thanks for
providing a mirror!â

 [20]: https://lists.torproject.org/pipermail/tor-mirrors/2014-October/000727.html
 [21]: https://www.torproject.org/docs/running-a-mirror

Inspired by âthe Directory Authorities, the crappy experiment leading up
to Black Hat, and the promise that one can recreate the Tor network in
the event of some catastropheâ, Tom Ritter sent out a detailed
report [22] of issues he encountered while setting up his own Tor
network using âfull-featured independent tor daemonsâ, rather than a
network simulator like Shadow or Chutney [23].

 [22]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007613.html
 [23]: https://www.torproject.org/docs/faq#PrivateTorNetwork

Cthulhu asked for assistance in overhauling the GoodBadISP page [24],
which is the starting point for many relay operators around the world.
If you have some time to spare, or know some ISPs not yet on the list,
it would be greatly appreciated if they could be added to the page. This
new effort to reach out to hosting providers could be of great value
after years of what Roger Dingledine has described [25] as a âslash and
burnâ agriculture model of operating Tor nodes.

 [24]: https://bugs.torproject.org/13421
 [25]: https://lists.torproject.org/pipermail/tor-relays/2014-October/005495.html

Vladimir Martyanov started a discussion [26] on the question of whether
Tor developers should ensure that tor can still be built using compilers
that do not support the C99 programming language standard, such as older
versions of Microsoft Visual Studio.

 [26]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007619.html

Upcoming events

  Oct 22 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Oct 22 16:00 UTC | Pluggable transport online meeting
                   | #tor-dev, irc.oftc.net
  Oct 24 17:00 CET | OONI development meeting
                   | #ooni, irc.oftc.net
  Oct 27 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
  Oct 28 17:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  Nov 03 19:00 UTC | Tails contributors meeting
                   | #tails-dev (irc.indymedia.org/h7gf2ha3hefoj5ls.onion)
                   | https://mailman.boum.org/pipermail/tails-project/2014-October/000045.html

This issue of Tor Weekly News has been assembled by Lunar, Cthulhu,
Roger Dingledine, Karsten Loesing, and Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [27], write down your
name and subscribe to the team mailing list [28] if you want to
get involved!

 [27]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [28]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to