[tor-talk] Tor Weekly News — September 17th, 2014
========================================================================
Tor Weekly News September 17th, 2014
========================================================================
Welcome to the thirty-seventh issue in 2014 of Tor Weekly News, the
weekly newsletter that covers what's happening in the community around
Tor, the anonymity network that makes full use of its library card.
tor 0.2.5.7-rc is out
---------------------
Nick Mathewson announced [1] the first release candidate in tor's
0.2.5.x series. This version “fixes several regressions from earlier in
the 0.2.5.x release series, and some long-standing bugs related to
ORPort reachability testing and failure to send CREATE cells”; relay
operators running it will also receive a warning if they try to
configure a hidden service on the same process as their relay, as the
public nature of much information about Tor relays can help identify
services running on the same machine [2]. As ever, you can read the full
list of improvements and fixes in Nick's announcement, and download the
source code from the Tor Project's distribution directory [3].
[1]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034740.html
[2]: https://bugs.torproject.org/12908#comment:5
[3]: https://www.torproject.org/dist/
Tor protects library patrons' right to privacy
----------------------------------------------
April Glaser and Alison Macrina published [4] an article for BoingBoing
on efforts by Massachusetts librarians to guarantee their patrons' right
to access information without fear of surveillance or censorship.
Macrina and her colleagues, in partnership with the ACLU of
Massachusetts, have been giving workshops on the use of
privacy-preserving technologies to other librarians, and spreading the
word about the risk that pervasive surveillance poses to freedom of
thought and intellectual inquiry.
As the authors remark, “it's no secret that libraries are among our most
democratic institutions. Libraries provide access to information and
protect patrons' right to explore new ideas, no matter how controversial
or subversive […] and protecting unfettered access to information is
important whether that research is done using physical books or online
search engines. But now it has become common knowledge that governments
and corporations are tracking our digital lives, and that surveillance
means our right to freely research information is in jeopardy”.
Tor and Tails are a natural fit for any response to this problem, and
BoingBoing reports that not only have “multiple Massachusetts
libraries […] installed the Tor browser on all of their public PCs”
following the workshops, some have even “set up Tor middle relays on
their libraries' networks”.
It would be a shame, however, if these exciting developments were
restricted to the state of Massachusetts. If you are a library user
concerned about this issue, share the article with your local
librarians. If you work in a library, contact the authors of the
article at the addresses they provide to find out how you can offer
privacy workshops and tools to your own community!
[4]: http://boingboing.net/2014/09/13/radical-librarianship-how-nin.html
Hidden service enumeration and how to prevent it
------------------------------------------------
When a Tor user wants to connect to a hidden service, their client makes
a request over the Tor network to a relay acting as a “hidden service
directory”, or HSDir. In return, the client receives a hidden service
“descriptor” containing the information necessary for a connection to be
made, including the set of Introduction Points that the hidden service
is currently using [5].
Hidden services would ideally not be discoverable unless the address is
public or has been shared directly, but one of the weaknesses of the
current protocol is that hidden service directories know which services
they are serving descriptors for; this same shortcoming was an element
of the “RELAY_EARLY” traffic confirmation attack discovered in July [6].
Although the full set of descriptors is not published to all directories
at once (at any given time, six directories are responsible for a
service's descriptor [7]), the list is rotated frequently, so it would
not be hard for an adversary to run a relay stable enough to gain the
HSDir flag, and harvest hidden service addresses as they are uploaded to
it in turn.
Fabio Pietrosanti informed the tor-talk mailing list [8] of an
experiment designed to detect this enumeration of hidden services: he
set up thirty new hidden services, keeping their addresses secret, with
each service running a script to report any attempts at access from
outside. As the existence of these services was not disclosed to anyone,
any requests to the service could only come from a client that had
obtained the address from a directory which had previously held the
descriptor, possibly “a malicious Tor relay acting as a TorHS directory,
with Tor's code modified to dump from the RAM memory the TorHS list,
then harvest them with an http client/script/crawler”. After
approximately a month, according to Fabio's message, a client did indeed
try to access one of the “honeypot” services.
Regular readers of Tor Weekly News will know [9] that the hidden service
protocol is being fully redesigned, and this “next-generation” proposal
already suggests defenses against this kind of attack [10], but (as
ever) more eyes are needed. If you're interested, see George Kadianakis'
introduction to the issues facing hidden services [11]; those familiar
with cryptography in C are welcome to review the discussion of this
particular issue on the bug tracker [12].
[5]: https://www.torproject.org/docs/hidden-services
[6]: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
[7]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/rend-spec.txt#l496
[8]: https://lists.torproject.org/pipermail/tor-talk/2014-September/034751.html
[9]: https://lists.torproject.org/pipermail/tor-news/2013-December/000023.html
[10]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt#l571
[11]: https://blog.torproject.org/blog/hidden-services-need-some-love
[12]: https://bugs.torproject.org/8106
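To make the “six directories, rotated frequently” point concrete, here is an added Python example (not code from the newsletter or from tor itself) that follows the v2 descriptor-ID computation in rend-spec: the permanent ID decoded from the address, the per-service shifted time period, two replicas, and the three HSDirs that follow each descriptor ID on the fingerprint ring. The onion address and the HSDir fingerprints are constructed sample data, not real relays.

```python
import base64
import hashlib
import struct

PERIOD = 86400            # seconds per time period (one day)
REPLICAS = 2              # two descriptor IDs per service per period
HSDIRS_PER_REPLICA = 3    # three HSDirs per descriptor ID: six in total


def permanent_id(onion_address: str) -> bytes:
    """Decode a v2 'xxxxxxxxxxxxxxxx.onion' label to its 10-byte permanent ID."""
    label = onion_address.split(".")[0].upper()
    pid = base64.b32decode(label)
    if len(pid) != 10:
        raise ValueError("a v2 onion address encodes exactly 80 bits")
    return pid


def time_period(now: int, pid: bytes) -> int:
    """Day counter whose boundary is shifted by the first permanent-ID byte,
    so different services change HSDirs at different times of day."""
    return (now + pid[0] * PERIOD // 256) // PERIOD


def descriptor_id(pid: bytes, period: int, replica: int, cookie: bytes = b"") -> bytes:
    """descriptor-id = H(permanent-id | H(time-period | descriptor-cookie | replica))."""
    secret = hashlib.sha1(struct.pack(">I", period) + cookie + bytes([replica])).digest()
    return hashlib.sha1(pid + secret).digest()


def responsible_hsdirs(desc_id: bytes, fingerprints: list) -> list:
    """The relays responsible for a descriptor ID are the three HSDirs whose
    identity fingerprints come next in the sorted ring, wrapping around."""
    ring = sorted(fingerprints)
    start = next((i for i, fp in enumerate(ring) if fp >= desc_id), 0)
    return [ring[(start + k) % len(ring)] for k in range(HSDIRS_PER_REPLICA)]


def all_responsible(onion_address: str, now: int, fingerprints: list) -> set:
    """Union over both replicas: at most six relays hold this service's
    descriptor during one time period, and the set changes every period."""
    pid = permanent_id(onion_address)
    period = time_period(now, pid)
    found = set()
    for replica in range(REPLICAS):
        found.update(responsible_hsdirs(descriptor_id(pid, period, replica), fingerprints))
    return found


if __name__ == "__main__":
    # Constructed sample data: an address whose permanent ID is bytes 0..9,
    # and eight fake 20-byte HSDir fingerprints spread around the ring.
    sample_onion = base64.b32encode(bytes(range(10))).decode().lower() + ".onion"
    sample_hsdirs = [bytes([32 * n]) * 20 for n in range(8)]
    for t in (0, PERIOD - 1, PERIOD):
        print(t, sorted(fp.hex()[:8] for fp in all_responsible(sample_onion, t, sample_hsdirs)))
```

Run against a real consensus, the fingerprint list would be the identity digests of relays carrying the HSDir flag; the output shows the responsible set jumping at the service's own day boundary rather than at midnight.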
Miscellaneous news
------------------
Nathan Freitas announced [13] version 14.0.8.1 of Orbot, the Tor client
for Android. The highlights of this release are an upgrade to tor
0.2.5.7-rc (see above), which solves an issue with the “airplane mode”
feature, as well as a number of improvements to do with transparent
proxying. Find the full changelog and download links in Nathan's
message.
[13]: https://lists.mayfirst.org/pipermail/guardian-dev/2014-September/003773.html
Juha Nurmi described [14] the current state of ahmia.fi, the search
engine for hidden services, following a successful Google Summer of Code
project. The post includes notes on the design, content statistics, and
plans for future work.
[14]: https://blog.torproject.org/blog/ahmia-search-after-gsoc-development
David Fifield called for a volunteer operating a “big fast bridge” [15]
to take over the running of the meek [16] pluggable transport: “I want
to do this both to diffuse trust, so that I don't run all the
infrastructure, and because my bridge is not especially fast and I'm not
especially adept at performance tuning”.
[15]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007482.html
[16]: https://trac.torproject.org/projects/tor/wiki/doc/meek
David also wondered why the number of FTE users appeared to dip in late
August [17], and explored possible reasons behind the correlation in
usage statistics for meek and Flashproxy, whose backends both run on the
same bridge [18]. Karsten Loesing suggested [19] that the latter was
because “we're counting consensuses downloaded from a bridge via any
supported transport, and then we're attributing those downloads to
specific transports based on what fraction of IPs connected per
transport”.
[17]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007481.html
[18]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007480.html
[19]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007483.html
Tim reported [20] on progress made towards a “fuzzer” [21] for Tor,
based on the Tor research framework previously announced by Gareth
Owen [22], including a draft design for the process and a list of
patches against Tor made during development.
[20]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007471.html
[21]: https://en.wikipedia.org/wiki/Fuzz_testing
[22]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007232.html
Matt Pagan submitted his status report [23] for August, while Roger
Dingledine sent out the report for SponsorF [24].
[23]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000650.html
[24]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000649.html
Karsten Loesing posted [25] the minutes of last week's Globe/Atlas
developer IRC meeting.
[25]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007469.html
Upcoming events
---------------
Sep 17 13:30 UTC | little-t tor development meeting
| #tor-dev, irc.oftc.net
|
Sep 17 16:00 UTC | Pluggable transport online meeting
| #tor-dev, irc.oftc.net
|
Sep 19 17:00 CET | OONI development meeting
| #ooni, irc.oftc.net
| https://lists.torproject.org/pipermail/tor-dev/2014-September/007455.html
|
Sep 22 18:00 UTC | Tor Browser online meeting
| #tor-dev, irc.oftc.net
|
Oct 06 08:30 PDT | Roger @ ISCI “1984+30” panel
| UC Berkeley, California, USA
| https://blog.torproject.org/events/www.icsi.berkeley.edu/icsi/events/2014/10/1984-plus-30
This issue of Tor Weekly News has been assembled by harmony, Lunar,
Roger Dingledine, George Kadianakis, and special.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [26], write down your
name and subscribe to the team mailing list [27] if you want to
get involved!
[26]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[27]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk