[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-talk] Tor Weekly News â August 30th, 2015
========================================================================
Tor Weekly News August 30th, 2015
========================================================================
Welcome to the thirty-third issue in 2015 of Tor Weekly News, the weekly
newsletter that covers whatâs happening in the Tor community.
Contents
--------
1. Hash visualizations to protect against onion phishing
2. Tor-enabled Debian mirrors
3. Miscellaneous news
4. Upcoming events
Hash visualizations to protect against onion phishing
-----------------------------------------------------
Unlike URLs on the non-private web, the .onion addresses used by Tor
hidden services are not handed out by any central authority â instead,
they are derived by the hidden services themselves based on their
cryptographic key information. This means that they are typically quite
hard for humans to remember, unless the hidden service operator â
whether by chance or by making repeated attempts â hits upon a memorable
string, as in the case of Facebookâs hidden service [1].
âThe problemâ, writes George Kadianakis, is that due to these
user-unfriendly strings, âmany people donât verify the whole onion
address, they just trust the onion link or verify the first few
characters. This is bad since an attacker can create a hidden service
with a similar onion address very easilyâ, then trick users into
visiting that address instead for a variety of malicious purposes. This
species of attack that has already been seen in the wild [2]. After
discussions with other researchers in this area, George drew up a
proposal [3] to incorporate visual information into the verification
process: âSo when TBB connects to a hidden service, it uses the onion
address to generate a randomart or key poem and makes them available for
the user to examine.â
As with all new development proposals, however, there are many
unanswered questions. What kind of visualization would work best? Should
there also be an auditory component, like a randomly-generated tune? How
should the feature be made available to users without confusing those
who have no idea what it is or why itâs needed? In short, âSome real UX
research needs to be done here, before we decide something terrible.â
If you have clear and constructive feedback to offer on this unusual but
important proposal, please send it to the tor-dev mailing list.
[1]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035413.html
[2]: https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html
[3]: https://lists.torproject.org/pipermail/tor-dev/2015-August/009302.html
Tor-enabled Debian mirrors
--------------------------
Richard Hartmann, Peter Palfrader, and Jonathan McDowell have set up the
first official onion service mirrors [4] of the Debian operating
systemâs software package infrastructure. This means that it is now
possible to update your Debian system without the update information or
downloaded packages leaving the Tor network at all, preventing a network
adversary from discovering information about your system. A follow-up
post by Richard [5] includes guidance on using apt-transport-tor [6]
with the new mirrors.
These services are only the first in what should hopefully become a
fully Tor-enabled system mirroring âthe complete package lifecycle,
package information, and the websiteâ. âThis service is not redundant,
it uses a key which is stored on the local drive, the .onion will
change, and things are expected to breakâ, wrote Richard, but if you are
interested in trying out the new infrastructure, see the write-ups for
further information.
[4]: http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/
[5]: http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/
[6]: https://retout.co.uk/blog/2014/07/21/apt-transport-tor
Miscellaneous news
------------------
David Fifield announced [7] that his 17-minute PETS talk on the theory
and practice of âdomain frontingâ, which is the basis for Torâs
innovative and successful meek pluggable transport [8], is now available
to view online.
[7]: https://lists.torproject.org/pipermail/tor-dev/2015-August/009365.html
[8]: https://trac.torproject.org/projects/tor/wiki/doc/meek
Arturo Filastà announced [9] that registration for ADINA15 [10], the
upcoming OONI hackathon at the Italian Parliament in Rome, is now open.
If youâre interested in hacking on internet censorship data in this
rarified location, with the possibility of âinteresting prizesâ for the
winning teams, see Arturoâs mail for the full details.
[9]: https://lists.torproject.org/pipermail/tor-talk/2015-August/038822.html
[10]: https://ooni.torproject.org/event/adina15/
Arturo also sent out the OONI teamâs July status report [11], while Tor
Summer of Privacy progress updates were submitted by Israel Leiva [12],
Cristobal Leiva [13], and Jesse Victors [14].
[11]: https://lists.torproject.org/pipermail/tor-reports/2015-August/000900.html
[12]: https://lists.torproject.org/pipermail/tor-reports/2015-August/000897.html
[13]: https://lists.torproject.org/pipermail/tor-reports/2015-August/000898.html
[14]: https://lists.torproject.org/pipermail/tor-dev/2015-August/009324.html
Fabio Pietrosanti issued an open call [15] for developers interested in
working on GlobaLeaks [16], the open-source anonymous whistleblowing
software. âAre you interested in making the world a better place by
putting your development skills to use in a globally used free software
project? Do you feel passionate about using web technologies for
developing highly usable web applications?â If so, please see Fabioâs
message for more information.
[15]: https://lists.torproject.org/pipermail/tor-talk/2015-August/038835.html
[16]: https://globaleaks.org/
News from Tor StackExchange
---------------------------
saurav created a network using the Shadow simulator [17] and started
with 40 guard and 40 exit nodes. After a simulation was performed,
another 40/40 nodes were added. saurav then noticed that the more
recent nodes had a higher probability of being selected. Can you explain
why this is the case? The users of Torâs Q&A page will be happy to know.
[17]: https://tor.stackexchange.com/q/3756/88
Upcoming events
---------------
Aug 31 17:00 UTC | OONI development meeting
| #ooni, irc.oftc.net
|
Aug 31 18:00 UTC | Tor Browser meeting
| #tor-dev, irc.oftc.net
|
Sep 01 18:00 UTC | little-t tor patch workshop
| #tor-dev, irc.oftc.net
|
Sep 02 02:00 UTC | Pluggable transports/bridges meeting
| #tor-dev, irc.oftc.net
|
Sep 02 13:30 UTC | little-t tor development meeting
| #tor-dev, irc.oftc.net
|
Sep 02 14:00 UTC | Measurement team meeting
| #tor-project, irc.oftc.net
|
Sep 03 19:00 UTC | Tails contributors meeting
| #tails-dev, irc.oftc.net
| https://mailman.boum.org/pipermail/tails-project/2015-August/000296.html
|
Sep 27 - Oct 03 | Tor summer dev meeting 2015
| Berlin, Germany
| https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMeeting
|
Oct 01 - Oct 03 | ADINA15: A Dive Into Network Anomalies
| Rome, Italy
| https://ooni.torproject.org/event/adina15/
This issue of Tor Weekly News has been assembled by qbi, Lunar,
nicoo, and Harmony.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [18], write down your
name and subscribe to the team mailing list [19] if you want to
get involved!
[18]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[19]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk