
[tor-talk] Tor Weekly News — August 14th, 2013



========================================================================
Tor Weekly News                                        August 14th, 2013
========================================================================

Welcome to the seventh issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the fast-paced Tor community.

New Tor Browser Bundle releases
-------------------------------

Mozilla released Firefox version 17.0.8esr [1] on August 6th, fixing
several release-critical bugs. Three days later, the stable, beta and
alpha versions of the Tor Browser Bundle were updated, along with Tails
(see below).

The stable 2.3.25-11 and beta 2.4.15-beta-2 bundles also update HTTPS
Everywhere, PDF.js, NoScript and libpng to their latest versions. Both
bundles had a localization issue, which was fixed in the subsequently
released 2.3.25-12 and 2.4.16-beta-1 [2].

Before updating your browser to the latest version, please pause and
admire the enhanced download page [3]. Kudos to J.M. Todaro for the
design and patches [4] and to Andrew for the final integration.

The pluggable transports bundles have also been updated, to
2.4.15-beta-2-pt1 [5]. As before, they contain flash proxy and obfsproxy
configured to run by default, and using flash proxy still requires a few
extra steps [6].

On the more experimental side, the new 3.0 series has seen the release
of alpha3 [7]. On top of the updates above, several other small
improvements were made: to the new launcher and build system, to
fingerprinting defenses, and against a possible anonymity threat to
Windows users from cloud anti-virus solutions [8]. This is another
opportunity to play with the new build system, which should produce
byte-for-byte identical results. Please give it a try [9] and report any
discrepancies with Mike Perry’s builds.

   [1] https://www.mozilla.org/en-US/firefox/17.0.8/releasenotes/
   [2] https://blog.torproject.org/blog/new-tor-02416-rc-packages-and-updated-stable-tor-browser-bundles
   [3] https://www.torproject.org/projects/torbrowser.html.en#downloads
   [4] https://trac.torproject.org/projects/tor/ticket/2109#comment:7
   [5] https://blog.torproject.org/blog/pluggable-transports-bundles-2415-beta-2-pt1-firefox-1708esr
   [6] https://trac.torproject.org/projects/tor/wiki/FlashProxyHowto
   [7] https://blog.torproject.org/blog/tor-browser-bundle-30alpha3-released
   [8] https://bugs.torproject.org/9195
   [9] https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/README

Tails 0.20 has been released
----------------------------

The 32nd release of Tails is out [10]. It fixes several security issues,
and all users are advised to upgrade [11].

Among other small bugfixes, minor improvements and translation updates,
this release tightens security in two places: Pidgin now supports only
the IRC and XMPP protocols, and access to the ptrace(2) system call is
restricted for unprivileged users, so that a compromised process cannot
simply attach to and read the memory of other processes running as the
same user.

Download [12], burn, and upgrade [13]!

  [10] https://tails.boum.org/news/version_0.20/
  [11] https://tails.boum.org/security/Numerous_security_holes_in_0.19/
  [12] https://tails.boum.org/download/
  [13] https://tails.boum.org/doc/first_steps/usb_upgrade/

New release candidate for the 0.2.4 tor branch
----------------------------------------------

Roger Dingledine announced the release of tor 0.2.4.16-rc [14], the
latest incarnation of the 0.2.4 series. This release includes several
major and minor bugfixes.

The most important one is probably the fix for a crash that can be
triggered remotely via badly formatted INTRODUCE1 cells. Roger advises:
“Anybody running a hidden service on the experimental 0.2.4.x branch
should upgrade”.

Erinn Clark has updated the beta version of the Tor Browser Bundle [2]
so that a wider audience of testers can try it.

  [14] https://lists.torproject.org/pipermail/tor-talk/2013-August/029344.html

About Tor Browser usability
---------------------------

Last week’s events [15] sparked a good amount of discussion on Tor
Browser usability. Several discussions on tor-talk and elsewhere
revolved around the idea that “JavaScript should be disabled by
default”. scarp wrote a good summary [16] of why it is not so simple: “I
understand that JavaScript was enabled globally in the Tor Browser
Bundle for usability reasons as well as to prevent browser
fingerprinting. […] If the torproject were to disable it by default,
that would not ensure that users are protected in the future by similar
methods. Sites can be written in a way that if you do not allow
JavaScript they simply won’t work at all. If I was writing an exploit
I’d do this to frustrate users so hopefully they enable JavaScript and
accept my exploit.” Roger Dingledine also improved [17] the relevant
entry in the Tor FAQ [18].

One possible way to satisfy these conflicting requirements would be to
add a “security slider” [19] that lets users easily trade web
compatibility against security. The slider would have three or four
positions, each deactivating more browser features than the last. Note
that the “most secure” position should probably disable the loading of
images as well. Different positions also partition the Tor Browser
anonymity set, but this is probably a trade-off that can be afforded
given the current size of the Tor Browser user base.

scarp also pinpointed another big usability problem, related to
updating: “This exploit wasn’t new. […] Users running the latest Tor
Browser Bundle didn’t have any issues as their browsers had been
patched. It is inappropriate for a web browser to not be automatically
updated.” Nick Mathewson revisited [20] the plan discussed at the summer
dev meeting [21] to simply build upon Firefox’s own update mechanism.
The next step is a proper review. Hopefully, given that it is “mature
and widespread” and has been “proven to update Firefox”, we will not
“run screaming for the hills” when looking at its disadvantages.

On a more general level, an unexpected comment came from Brendan Eich
(Mozilla’s chief technology officer) on Twitter [22]: “Maybe we should
just adopt, support, and bundle Tor in Firefox...” David Dahl
subsequently opened a bug report in Mozilla’s tracker to discuss a way
forward [23]. Mike Perry commented in a thread [24] on the
liberationtech mailing list: “In short, I am excited by this news, and I
look forward to improving our communication and cooperation with Mozilla
on this front.”

  [15] https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-august-7th-2013
  [16] https://lists.torproject.org/pipermail/tor-talk/2013-August/029266.html
  [17] https://lists.torproject.org/pipermail/tor-talk/2013-August/029364.html
  [18] https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled
  [19] https://bugs.torproject.org/9387
  [20] https://lists.torproject.org/pipermail/tor-dev/2013-August/005228.html
  [21] https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting/BundleUpdatePlan
  [22] https://twitter.com/BrendanEich/status/364265592112414720
  [23] https://bugzilla.mozilla.org/show_bug.cgi?id=901614
  [24] https://mailman.stanford.edu/pipermail/liberationtech/2013-August/010650.html

Tails 2013 summit
-----------------

The Tails team has sent a report on their 2013 development summit [25],
for which “a bunch of people spent a dozen days together in July”.

Read the report in full for all the details. Some highlights: task
tracking has been moved to Redmine [26], tasks fit for new contributors
have been better identified [27], progress has been made on moving Tails
to the current Debian stable release [28], and the roadmap has been
updated [29].

Communication channels are going to change a little bit “to ease
involvement of new contributors, to make more workload sharing possible,
and to be able to provide better user support”. As a start, a new user
support mailing list has been created [30]. Subscribe if you have
questions or want to help fellow Tails users.

A lot of discussion revolved around “the growth of the project: given
the growing number of users and our super-short release cycle, it is a
challenge to keep the project sustainable and maintainable in the
mid/long term.” Given the project’s current exposure, the report
rightfully concludes: “Tails is living decisive times, so we expect the
next year to be pretty interesting. You can perhaps make the difference,
so do not hesitate joining the dance [31]!”

  [25] https://tails.boum.org/news/summit_2013/
  [26] https://labs.riseup.net/code/projects/tails
  [27] https://labs.riseup.net/code/projects/tails/issues?query_id=112
  [28] https://labs.riseup.net/code/issues/6015
  [29] https://labs.riseup.net/code/projects/tails/roadmap
  [30] https://tails.boum.org/support/tails-support/
  [31] https://tails.boum.org/contribute/

Three new proposals
-------------------

On Monday, Nick Mathewson robbed everyone of his “I’m a little teapot”
performance [32] by releasing the following three new proposals:

Proposal 219 [33] was written a year ago by Ondrej Mikle and is
currently at draft stage. Its goal is to make Tor support any DNS query
type, and also full DNSSEC resolution. The latter is important as it
provides “protection against DNS cache-poisoning attacks”, but is made
tricky by the fact that a routine hostname resolution with DNSSEC “can
require dozens of round trips across a circuit”.
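To see what proposal 219 would extend, here is the name resolution
interface Tor already exposed through its SOCKS port at the time: the
non-standard RESOLVE (0xF0) and RESOLVE_PTR (0xF1) commands described in
torspec’s socks-extensions.txt, which only cover hostname-to-address and
address-to-hostname lookups, with no way to ask for other record types or
for DNSSEC data. The Go program below is an added example for this
issue, not code from the proposal or from tor itself; the reply bytes it
parses are constructed for the example, not captured from a running tor.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// SOCKS5 command codes. CONNECT is standard; RESOLVE and RESOLVE_PTR are
// Tor's extension commands from torspec's socks-extensions.txt.
const (
	CmdConnect    byte = 0x01
	CmdResolve    byte = 0xF0
	CmdResolvePTR byte = 0xF1
)

// BuildResolveRequest encodes a RESOLVE request for a hostname:
// VER=5 CMD=0xF0 RSV=0 ATYP=3 LEN NAME PORT. Tor ignores the port.
func BuildResolveRequest(name string) ([]byte, error) {
	if len(name) == 0 || len(name) > 255 {
		return nil, errors.New("hostname must be 1..255 bytes")
	}
	req := []byte{0x05, CmdResolve, 0x00, 0x03, byte(len(name))}
	req = append(req, name...)
	return append(req, 0x00, 0x00), nil
}

// BuildResolvePTRRequest encodes a RESOLVE_PTR request for an IPv4 (ATYP=1)
// or IPv6 (ATYP=4) address.
func BuildResolvePTRRequest(ip net.IP) ([]byte, error) {
	req := []byte{0x05, CmdResolvePTR, 0x00}
	switch {
	case ip.To4() != nil:
		req = append(req, 0x01)
		req = append(req, ip.To4()...)
	case ip.To16() != nil:
		req = append(req, 0x04)
		req = append(req, ip.To16()...)
	default:
		return nil, errors.New("not an IP address")
	}
	return append(req, 0x00, 0x00), nil
}

// ParseResolveReply decodes the SOCKS5 reply Tor sends back. For RESOLVE the
// answer is an address (ATYP 1 or 4); for RESOLVE_PTR it is a hostname
// (ATYP 3). A non-zero REP byte means the lookup failed and is returned as
// an error, and every length is checked before the bytes are touched.
func ParseResolveReply(reply []byte) (ip net.IP, host string, err error) {
	if len(reply) < 4 || reply[0] != 0x05 {
		return nil, "", errors.New("short or non-SOCKS5 reply")
	}
	if reply[1] != 0x00 {
		return nil, "", fmt.Errorf("SOCKS reply code 0x%02x", reply[1])
	}
	body := reply[4:]
	switch reply[3] {
	case 0x01: // IPv4 address followed by a 2-byte port
		if len(body) < 4+2 {
			return nil, "", errors.New("truncated IPv4 reply")
		}
		return append(net.IP(nil), body[:4]...), "", nil
	case 0x04: // IPv6 address followed by a 2-byte port
		if len(body) < 16+2 {
			return nil, "", errors.New("truncated IPv6 reply")
		}
		return append(net.IP(nil), body[:16]...), "", nil
	case 0x03: // length-prefixed hostname followed by a 2-byte port
		if len(body) < 1 || len(body) < 1+int(body[0])+2 {
			return nil, "", errors.New("truncated hostname reply")
		}
		return nil, string(body[1 : 1+int(body[0])]), nil
	}
	return nil, "", fmt.Errorf("unknown ATYP 0x%02x", reply[3])
}

func main() {
	req, _ := BuildResolveRequest("torproject.org")
	fmt.Printf("RESOLVE request: % x\n", req)
	// Constructed sample reply (not captured from a real tor): REP=0,
	// ATYP=1, address 192.0.2.10, port 0.
	ip, _, err := ParseResolveReply([]byte{0x05, 0x00, 0x00, 0x01, 192, 0, 2, 10, 0, 0})
	fmt.Println("resolved:", ip, err)
}
```

The request goes over a plain TCP connection to the SOCKS port after the
usual SOCKS5 method negotiation; the point of interest for proposal 219
is that the reply format has room for exactly one address or one name,
which is why arbitrary record types and DNSSEC material need a new cell
and SOCKS format rather than a tweak to this one.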

In another draft proposal [34], Nick Mathewson describes a plan for a
smooth transition from the current 1024-bit RSA keys used for router
identity and TLS links to Ed25519-SHA-512 [35] keys. Several small
details still have to be ironed out. This proposal does not address
hidden service keys; they will have to be handled in another proposal
once an agreement has been reached on the best crypto scheme [36].
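The core of such a transition is cross-certification: the old RSA
identity key signs the new Ed25519 key, so clients that only know a
relay’s RSA fingerprint can learn its Ed25519 key with proof, and the
Ed25519 key signs the RSA key, so that once clients trust the new key the
old one is just another attribute it certifies. The Go program below is
an added illustration of that idea, not proposal 220’s certificate
format: the statement layout, the domain-separation prefix, and the
choice of SHA-256 with PKCS#1 v1.5 on the RSA side are assumptions made
for this example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// crossCertPrefix is an assumed domain separator so that these signatures
// cannot be confused with other statements signed by the same keys.
const crossCertPrefix = "example-relay-identity-crosscert-v1\x00"

// Identity pairs a relay's legacy RSA-1024 identity key with a new Ed25519
// master key (assumed structure for this example).
type Identity struct {
	RSA *rsa.PrivateKey
	Ed  ed25519.PrivateKey
}

// CrossCert carries both directions of the binding.
type CrossCert struct {
	EdPub     ed25519.PublicKey
	RSAPubDER []byte // PKIX DER encoding of the RSA public key
	RSAOverEd []byte // RSA PKCS#1 v1.5 signature over SHA-256(prefix || EdPub)
	EdOverRSA []byte // Ed25519 signature over prefix || SHA-256(RSAPubDER)
}

// NewIdentity generates both keys; 1024-bit RSA matches what relays used.
func NewIdentity() (*Identity, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{RSA: rsaKey, Ed: edKey}, nil
}

// EdPublic returns the Ed25519 master public key.
func (id *Identity) EdPublic() ed25519.PublicKey {
	return id.Ed.Public().(ed25519.PublicKey)
}

// CrossCertify has each identity key vouch for the other.
func (id *Identity) CrossCertify() (*CrossCert, error) {
	edPub := id.EdPublic()
	rsaDER, err := x509.MarshalPKIXPublicKey(&id.RSA.PublicKey)
	if err != nil {
		return nil, err
	}
	// Old key vouches for new: a client pinning the RSA fingerprint can
	// learn the Ed25519 key from this signature alone.
	edMsg := sha256.Sum256(append([]byte(crossCertPrefix), edPub...))
	rsaSig, err := rsa.SignPKCS1v15(rand.Reader, id.RSA, crypto.SHA256, edMsg[:])
	if err != nil {
		return nil, err
	}
	// New key vouches for old: once the Ed25519 key is trusted, the RSA
	// key is just an attribute it certifies.
	rsaDigest := sha256.Sum256(rsaDER)
	edSig := ed25519.Sign(id.Ed, append([]byte(crossCertPrefix), rsaDigest[:]...))
	return &CrossCert{EdPub: edPub, RSAPubDER: rsaDER, RSAOverEd: rsaSig, EdOverRSA: edSig}, nil
}

// VerifyCrossCert accepts the pair only if both signatures check out.
func VerifyCrossCert(c *CrossCert) error {
	if len(c.EdPub) != ed25519.PublicKeySize {
		return errors.New("bad Ed25519 public key size")
	}
	pub, err := x509.ParsePKIXPublicKey(c.RSAPubDER)
	if err != nil {
		return err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return errors.New("legacy key is not RSA")
	}
	edMsg := sha256.Sum256(append([]byte(crossCertPrefix), c.EdPub...))
	if err := rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, edMsg[:], c.RSAOverEd); err != nil {
		return fmt.Errorf("RSA->Ed25519 binding: %w", err)
	}
	rsaDigest := sha256.Sum256(c.RSAPubDER)
	if !ed25519.Verify(c.EdPub, append([]byte(crossCertPrefix), rsaDigest[:]...), c.EdOverRSA) {
		return errors.New("Ed25519->RSA binding: bad signature")
	}
	return nil
}

func main() {
	id, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	cert, err := id.CrossCertify()
	if err != nil {
		panic(err)
	}
	fmt.Println("cross-cert verifies:", VerifyCrossCert(cert) == nil)
}
```

During the transition a client that knows only one of the two keys checks
the matching direction and then caches the other; an attacker who wants to
substitute their own Ed25519 key for a relay’s must forge the RSA-side
signature, which is exactly the problem the legacy key strength bounds.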

Now that the ntor onionskin handshake [37] has been implemented in
0.2.4, we could get better forward secrecy by having clients stop
sending CREATE_FAST cells. Nick Mathewson has issued proposal 221 [38]
to detail the reasons for and implications of such a change.

All these proposals are now up for discussion on the tor-dev mailing
list.
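The reason CREATE_FAST offers no forward secrecy is visible in how its
keys are made: the client sends 20 random bytes X, the relay answers with
20 random bytes Y, and both sides run KDF-TOR over X|Y, so anyone who can
later read the TLS link (say, after recovering a relay’s link key)
recomputes the same circuit keys. The added Go example below implements
that derivation as tor-spec describes it and contrasts it with a plain
X25519 exchange standing in for ntor. The DH half is a deliberate
simplification made for this example and not ntor’s actual construction:
ntor’s real KDF and relay authentication are omitted, and hashing the raw
shared secret with SHA-256 is an assumption, not what tor does.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
)

// KDFTor expands K0 the way tor-spec's KDF-TOR does:
// K = H(K0|[00]) | H(K0|[01]) | H(K0|[02]) | ... with H = SHA-1.
func KDFTor(k0 []byte, n int) []byte {
	var k []byte
	for i := byte(0); len(k) < n; i++ {
		h := sha1.Sum(append(append([]byte{}, k0...), i))
		k = append(k, h[:]...)
	}
	return k[:n]
}

// CircuitKeys is the 92-byte split tor-spec defines: KH (handshake check),
// Df/Db (running digest seeds) and Kf/Kb (16-byte AES keys).
type CircuitKeys struct{ KH, Df, Db, Kf, Kb []byte }

func SplitKeys(k []byte) CircuitKeys {
	return CircuitKeys{KH: k[0:20], Df: k[20:40], Db: k[40:60], Kf: k[60:76], Kb: k[76:92]}
}

// CreateFastKeys is the whole CREATE_FAST handshake: K0 = X | Y, where X is
// the 20 bytes the client sent and Y the 20 bytes the relay answered. The
// client, the relay, and anyone who can read the link compute the same thing.
func CreateFastKeys(x, y []byte) CircuitKeys {
	return SplitKeys(KDFTor(append(append([]byte{}, x...), y...), 92))
}

// NewCreateFast runs the exchange with fresh random X and Y and returns the
// wire bytes (what an observer sees) together with the relay's keys; the
// KH the relay puts in CREATED_FAST is relay.KH.
func NewCreateFast() (x, y []byte, relay CircuitKeys, err error) {
	x, y = make([]byte, 20), make([]byte, 20)
	if _, err = rand.Read(x); err != nil {
		return
	}
	if _, err = rand.Read(y); err != nil {
		return
	}
	relay = CreateFastKeys(x, y)
	return
}

// NewX25519 generates a fresh ephemeral X25519 key pair.
func NewX25519() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// DHKeys stands in for what ntor's Curve25519 exchange gives the first hop:
// the shared secret depends on a private scalar that never leaves each side.
// Assumption for this example: SHA-256 of the raw shared secret, instead of
// ntor's real KDF and authentication; do not copy this as "ntor".
func DHKeys(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	return sum[:], nil
}

func main() {
	x, y, relay, err := NewCreateFast()
	if err != nil {
		panic(err)
	}
	eve := CreateFastKeys(x, y) // recovered from the wire bytes alone
	fmt.Println("CREATE_FAST: eavesdropper has Kf:", bytes.Equal(eve.Kf, relay.Kf))

	c, _ := NewX25519()
	r, _ := NewX25519()
	kc, _ := DHKeys(c, r.PublicKey())
	kr, _ := DHKeys(r, c.PublicKey())
	fmt.Println("DH: client and relay agree:", bytes.Equal(kc, kr))
}
```

CREATE_FAST was acceptable while the first hop’s TLS link was the only
thing protecting it and ntor did not exist; with ntor available at every
hop, proposal 221 trades one extra public-key operation per circuit for
keys that cannot be recovered from a later compromise of the link key.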

  [32] https://twitter.com/nickm_tor/status/365527533627777025
  [33] https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/219-expanded-dns.txt
  [34] https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/220-ecc-id-keys.txt
  [35] http://ed25519.cr.yp.to/
  [36] https://bugs.torproject.org/8106
  [37] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/216-ntor-handshake.txt
  [38] https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/221-stop-using-create-fast.txt

Miscellaneous news
------------------

Jens Kubieziel researched how to obtain a GnuPG build for Windows in a
secure way [39], something users who would like to properly verify the
Tor Browser Bundle signatures on Windows systems need.

  [39] https://lists.torproject.org/pipermail/tor-talk/2013-August/029256.html

George Kadianakis wrote on “how to deploy your very own pluggable
transport” [40], explaining what to do before, during and after coding a
new pluggable transport. Given that they were designed to be
“pluggable”, “it should be easy to write new [ones]”. So be sure to read
this advice and start experimenting!

  [40] https://lists.torproject.org/pipermail/tor-dev/2013-August/005231.html

A new round of GSoC reports arrived on the tor-dev mailing list:
Johannes Fürmann about EvilGenius [41], Cristian-Matei Toader about Tor
capabilities [42], Hareesan about the Steganography Browser
Extension [43], and Kostas Jakeliunas about the searchable metrics
archive [44]. All of them seem to be making good progress. Let’s wish
them success for the last six weeks!

  [41] https://lists.torproject.org/pipermail/tor-dev/2013-August/005237.html
  [42] https://lists.torproject.org/pipermail/tor-dev/2013-August/005238.html
  [43] https://lists.torproject.org/pipermail/tor-dev/2013-August/005243.html
  [44] https://lists.torproject.org/pipermail/tor-dev/2013-August/005244.html

More reports came from the July 2013 wave: the Tor Help Desk by Runa
Sandvik [45], and Moritz Bartl [46].

  [45] https://lists.torproject.org/pipermail/tor-reports/2013-August/000310.html
  [46] https://lists.torproject.org/pipermail/tor-reports/2013-August/000311.html

Andrew Lewman gave a talk during the US National Network to End Domestic
Violence’s (NNEDV) annual technology summit. His presentation [47]
covered “a quick overview of Tor, why I’m here talking about domestic
violence and intimate partner abuse, and what we’re doing to help.” Be
sure to read his report [48] in full.

  [47] https://svn.torproject.org/svn/projects/presentations/2013-07-30-NNEDV-Presentation.pdf
  [48] https://blog.torproject.org/blog/nnedv-tech-summit-2013-report

Thanks to Paul Templeton from CoffsWiFi [49], and nsane [50] for running
new Tor website mirrors.

  [49] https://lists.torproject.org/pipermail/tor-commits/2013-August/060352.html
  [50] https://lists.torproject.org/pipermail/tor-commits/2013-August/060583.html

Several people are trying to assemble localization teams for Tails:
Miriam Matar for Arabic [51], irregulator for Greek [52], and hemlockii
for Turkish [53]. Tails policy regarding website translations [54]
specifies that “a team of translators, not just one person, is
necessary”, so please join if you can help!

  [51] https://mailman.boum.org/pipermail/tails-l10n/2013-August/000637.html
  [52] https://mailman.boum.org/pipermail/tails-l10n/2013-August/000646.html
  [53] https://mailman.boum.org/pipermail/tails-l10n/2013-August/000652.html
  [54] https://tails.boum.org/contribute/how/translate/

Help Desk Roundup
-----------------

Below is a summary of some frequent questions received at the Tor help
desk this past week:

Users are frequently confused by the message they receive from GetTor.
Currently the Tor Browser Bundle is too large to send over GetTor, so
users instead receive three mirrors with a link to a page with all
available translations of the Tor Browser Bundle. Many users email the
help desk unsure of what this page means or which package they need.

A number of users asked whether or not they needed to disable JavaScript
in the Tor Browser Bundle. While the vulnerability in Firefox does not
affect the latest Tor Browser Bundle, disabling JavaScript globally will
reduce one’s risk of being affected by future JavaScript exploits. Users
were asked to choose for themselves between greater protection inside
the browser or a browsing experience with more functionality enabled.

Upcoming event
--------------

Aug 14    | Roger at 22nd USENIX Security Symposium
          | Washington, DC, USA
          | https://www.usenix.org/conference/usenixsecurity13



This issue of Tor Weekly News has been assembled by Lunar, malaparte,
mttp, Phoul, Tails developers, David Fifield, Nick Mathewson, and
Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [55], write down your
name and subscribe to the team mailing list [56] if you want to
get involved!

  [55] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [56] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
