
[tor-talk] Tor Weekly News — February 4th, 2014



========================================================================
Tor Weekly News                                       February 4th, 2014
========================================================================

Welcome to the fifth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

News from the browser team front
--------------------------------

Mike Perry has a detailed report [1] about what the growing Tor
Browser team has been up to. Among the good news, new fingerprinting
defenses are getting close to being merged for “screen resolution, default
character sets, site permissions, and local service enumeration”. Some
other changes that will reduce the attack surface include “disabling
addon update requests for addons that should not update, a potential fix
for a disk leak in the browser’s video cache, […], and a potential fix
to prevent the Flash plugin from being loaded into the browser at all
until the user actually requests to use it.”

Most censored users currently have to use a separate browser bundle
dubbed “pluggable transports bundle”. This has proven quite inconvenient
for both users and those trying to support them. Mike
reports progress on “unifying the pluggable transport bundles with the
official bundles, so that both censored and uncensored users can use the
same bundles. […] The progress is sufficient that we are very likely to
be able to deploy a 3.6-beta1 release in February to test these unified
bundles.”

Another important topic is how the privacy fixes in the Tor Browser
can benefit a wider userbase. The team has “continued the merge
process with Mozilla, and have worked to ensure that every patch of
ours is on their radar […]. Two patches, one for an API we require to
manage the Tor subprocess, and another to give us a filter to remove
potentially dangerous drag-and-drop events to the desktop have already
been merged. Next steps will include filing more bugs, continual
contact with their development team, and touching up patches as
needed.”

There are even more things to smile about in the report. Read it in full
for the whole picture.

   [1]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000438.html

Key revocation in next generation hidden services
-------------------------------------------------

It looks like every public-key infrastructure [2] struggles with how to
handle key revocation. Hidden services are no different. The current
design makes no provision for preventing a stolen key from being reused
by an attacker.

With the on-going effort to create a new protocol for hidden
services [3], now seems to be a good time for George Kadianakis to raise
this issue [4]. In the past there was little control for the hidden
services operators over their secret key. The new design enables offline
management operations which include key revocation.

As George puts it, currently well-known solutions “are always messy and
don’t work really well (look at SSL’s OCSP [5] and CRLs [6]).” So how
can “the legitimate Hidden Service inform a client that its keys got
compromised”?

In his email, George describes two solutions, one relying on the
directory authorities, the other on hidden service directories. Both
have drawbacks, so perhaps further research is necessary.

In the same thread, Nick Hopper suggested [7] a scheme that uses
multiple hidden service directories to cross-certify their revocation
lists. This gives more confidence to the user, since the adversary now
has to compromise multiple hidden service directories.

Please join the discussion if you have ideas to share!

   [2]: https://en.wikipedia.org/wiki/Public-key_infrastructure
   [3]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt
   [4]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006146.html
   [5]: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
   [6]: https://en.wikipedia.org/wiki/Certificate_revocation_list
   [7]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006149.html

Help needed to remove DNS leaks from Mumble
-------------------------------------------

Mumble [8] is “low-latency, high quality voice chat software primarily
intended for use while gaming”.

It’s proven to be a reliable solution for voice chat among multiple
parties over Tor. Matt and Colin have written documentation on how
to set up both the client and the server side [9] for Tor users.

But the client is currently safely usable only on Linux systems with
torsocks and on Tails. On other operating systems, the Mumble client
will unfortunately leak the address of the server to the local DNS
resolver [10].

The changes that need to be made to the Mumble code are less trivial
than one would think. Matt describes the issue in more detail in his
call for help [11]. Have a look if you are up to some C++/Qt hacking.

   [8]: http://mumble.sourceforge.net/
   [9]: https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Mumble
  [10]: https://github.com/mumble-voip/mumble/issues/1033
  [11]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006158.html
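The DNS leak described above is the general pattern of an application resolving the server name itself before handing the connection to a SOCKS proxy. The following Python is an added example, not code from Tor Weekly News or from the Mumble project: it shows the leaking pattern next to the leak-free SOCKS5 CONNECT request (address type 0x03, domain name, so the proxy does the resolution), plus a small decoder that, given a captured SOCKS5 request, reports whether the destination was sent as a name or as an already-resolved IP. The hostname and the port are constructed sample values; 64738 is Mumble's default port.

```python
"""Added example (not from Tor Weekly News or the Mumble project): why
resolving a hostname locally before using a SOCKS proxy leaks the server
name to the local DNS resolver, and how to build a SOCKS5 CONNECT request
that lets the proxy (Tor) resolve the name instead."""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def connect_request_leaky(host: str, port: int) -> bytes:
    """The leaking pattern: the application resolves the name itself.

    socket.gethostbyname() sends a DNS query through the OS resolver, so the
    server name reaches the local network before any byte goes through Tor.
    Shown for contrast only; nothing else in this example calls it.
    """
    ip = socket.gethostbyname(host)  # <-- the DNS leak happens here
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(ip) + struct.pack("!H", port))


def connect_request(host: str, port: int) -> bytes:
    """Leak-free variant: send the hostname with ATYP 0x03 (domain name) so
    the SOCKS5 proxy resolves it; no local DNS query is made."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are limited to 1..255 bytes")
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def describe_request(req: bytes) -> dict:
    """Audit helper: decode a SOCKS5 CONNECT request (e.g. one captured from
    a proxy log) and report whether the destination was sent as a name
    (proxy resolves) or as an IP (resolved locally: the leak signature)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        dest, tail = socket.inet_ntoa(req[4:8]), 8
    elif atyp == ATYP_IPV6:
        dest, tail = socket.inet_ntop(socket.AF_INET6, req[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dest, tail = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(req) != tail + 2:
        raise ValueError("truncated or trailing bytes in request")
    port = struct.unpack("!H", req[tail:tail + 2])[0]
    return {"atyp": atyp, "dest": dest, "port": port,
            "resolved_locally": atyp != ATYP_DOMAIN}


if __name__ == "__main__":
    # Constructed sample values: a made-up server name, Mumble's default port.
    req = connect_request("voice.example.onion", 64738)
    print(req.hex())
    print(describe_request(req))
```

The decoder is the check a reviewer would run over a torsocks or proxy trace: any CONNECT with `resolved_locally` set to True for a destination that was configured by name means the application did its own lookup, which is exactly the behaviour torsocks prevents on Linux and that the Mumble client still shows elsewhere.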

Monthly status reports for January 2014
---------------------------------------

The wave of regular monthly reports from Tor project members for the
month of January has begun. Damian Johnson [12] released his report
first, followed by reports from Philipp Winter [13], Sherief
Alaa [14], the Tor Browser team from Mike Perry [15], Colin C. [16], the
help desk [17], Matt [18], Lunar [19], George Kadianakis [20], and Pearl
Crescent [21].

  [12]: https://lists.torproject.org/pipermail/tor-reports/2014-January/000435.html
  [13]: https://lists.torproject.org/pipermail/tor-reports/2014-January/000436.html
  [14]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000437.html
  [15]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000438.html
  [16]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000439.html
  [17]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000440.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000441.html
  [19]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000442.html
  [20]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000443.html
  [21]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000445.html

Miscellaneous news
------------------

Nick Mathewson came up [22] with a Python script [23] to convert the new
MaxMind GeoIP2 binary database to the format used by Tor for its
geolocation database.

  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006157.html
  [23]: https://github.com/nmathewson/mmdb-convert

Thanks to John Ricketts from Quintex Alliance Consulting [24] for
providing another mirror for the Tor Project’s website and software.

  [24]: https://lists.torproject.org/pipermail/tor-mirrors/2014-February/000464.html

Abhiram Chintangal and Oliver Baumann are reporting [25] progress on
their rewrite [26] of the Tor Weather service.

  [25]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006142.html
  [26]: https://github.com/baumanno/tor-weather-rewrite

Andreas Jonsson gave an update [27] on how Mozilla is moving to a
multi-process model for Firefox [28] and how this should positively
affect the possibility of sandboxing the Tor Browser in the future.

  [27]: https://lists.torproject.org/pipermail/tor-talk/2014-January/031959.html
  [28]: https://bugzilla.mozilla.org/show_bug.cgi?id=925570

As planned [29], to help “developers to analyze the directory protocol
and for researchers to understand what information is available to
clients to make path selection decisions”, Karsten Loesing has made [30]
microdescriptor archives available on the metrics website.

  [29]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006061.html
  [30]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006141.html

Christian has deployed [31] a test platform [32] for the JavaScript-less
version of Globe, a tool to retrieve information about the Tor network
and its relays.

  [31]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032012.html
  [32]: https://globe-node.herokuapp.com/

In an answer to Shadowman’s questions about pluggable transports, George
Kadianakis wrote a detailed reply on how Tor manages pluggable
transports [33], both on the server side and on the client side.

  [33]: https://lists.torproject.org/pipermail/tor-talk/2014-January/031984.html

Arthur D. Edelstein has advertised a GreaseMonkey script [34] to enable
Tor Browser to access YouTube videos without having JavaScript enabled.
Please be aware of the security risks that GreaseMonkey might
introduce [35] before using such a solution.

  [34]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032010.html
  [35]: https://lists.torproject.org/pipermail/tor-talk/2014-January/031623.html

Andrew Lewman reports on his trip to Washington DC [36] where he met
Spitfire Strategies to learn about “Tor’s brand, media presence, and
ideas for the future”. For a short excerpt: “It’s interesting to get
critiques on all our past media appearances; what was good and what
could be better. Overall, the team there are doing a great job.”

  [36]: https://lists.torproject.org/pipermail/tor-reports/2014-January/000434.html

Lunar accounted [37] for Tor’s presence at FOSDEM, one of the largest
free software events in Europe. The project had a small booth [38] shared
with Mozilla and there was even a relay operator meetup [39].

  [37]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000444.html
  [38]: https://twitter.com/anthraxx42/status/429600652399247361
  [39]: https://twitter.com/FrennVunDerEnn/status/429636610603233280

Yan Zhu has released [40] the first version of HTTPS Everywhere for
Firefox Mobile. Good news for users of the upcoming Orfox [41].

  [40]: https://lists.eff.org/pipermail/https-everywhere/2014-February/001964.html
  [41]: https://github.com/guardianproject/Orfox

Tor help desk roundup
---------------------

Users often want to know if Tor can make them appear to be coming from a
particular country. Although doing so can reduce one’s anonymity, it is
documented on our FAQ page [42].

Orbot users have noticed that installing Orbot to their SD storage can
cause Orbot to stop functioning correctly. Installing Orbot to the
internal storage has resolved issues for a few users.

  [42]: https://www.torproject.org/docs/faq#ChooseEntryExit

News from Tor StackExchange
---------------------------

Rhin is looking for hidden service hosting services. Jens pointed them
to ahmia.fi [43], but it looks like there are no gratis hidden
service hosters currently available.

  [43]: https://tor.stackexchange.com/q/1402/88

Vijay kudal wanted to know how to change the current circuit within
shell scripts [44]. Jens Kubieziel gave an answer using expect and
hexdump [45].

  [44]: https://tor.stackexchange.com/q/1438/1041
  [45]: https://tor.stackexchange.com/a/1453/88
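Changing the current circuit from a script comes down to a short control-port exchange: authenticate (the `hexdump` in the answer above turns the cookie file into the hex string that `AUTHENTICATE` expects) and then send `SIGNAL NEWNYM`. The Python below is an added example written for this newsletter, not the code from the StackExchange answer; it keeps the message builders and the reply parser apart from the socket code so they can be checked without a running Tor. The cookie path, control host and port in the `__main__` block are placeholders for the reader's own setup.

```python
"""Added example (not the StackExchange answer's code): the Tor control-port
exchange behind "change the current circuit": cookie authentication followed
by SIGNAL NEWNYM."""
import socket

COOKIE_LEN = 32  # Tor's control_auth_cookie is exactly 32 bytes


def authenticate_command(cookie: bytes) -> bytes:
    """Build the AUTHENTICATE line; the cookie goes on the wire hex-encoded
    (the same transformation the hexdump-based shell answer performs)."""
    if len(cookie) != COOKIE_LEN:
        raise ValueError(f"cookie must be {COOKIE_LEN} bytes, got {len(cookie)}")
    return b"AUTHENTICATE " + cookie.hex().encode("ascii") + b"\r\n"


def newnym_command() -> bytes:
    """Ask Tor to use fresh circuits for new connections."""
    return b"SIGNAL NEWNYM\r\n"


def parse_reply(line: bytes) -> tuple:
    """Parse one control-port reply line, e.g. b"250 OK\r\n" or
    b"515 Authentication failed...", into (status code, text)."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    # Replies are "NNN<sep>text" where <sep> is ' ' (final), '-' or '+'.
    if len(text) < 4 or not text[:3].isdigit() or text[3] not in " -+":
        raise ValueError(f"malformed control reply: {text!r}")
    return int(text[:3]), text[4:]


def reply_ok(line: bytes) -> bool:
    return parse_reply(line)[0] == 250


def new_circuit(cookie_path: str, host: str = "127.0.0.1", port: int = 9051) -> None:
    """Authenticate with the cookie file and request new circuits.

    Raises RuntimeError with Tor's own message if either step is refused,
    so a script does not silently continue on the old circuit."""
    with open(cookie_path, "rb") as f:
        cookie = f.read()
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("rb")
        for cmd in (authenticate_command(cookie), newnym_command()):
            sock.sendall(cmd)
            reply = reader.readline()
            if not reply_ok(reply):
                code, text = parse_reply(reply)
                raise RuntimeError(f"{cmd.split()[0].decode()} refused ({code}): {text}")
        sock.sendall(b"QUIT\r\n")


if __name__ == "__main__":
    # Placeholder path: use the CookieAuthFile configured in your torrc.
    new_circuit("/path/to/control_auth_cookie")
```

Two practical notes: the cookie file is readable only by the user Tor runs as (or the `CookieAuthFileGroupReadable` group), which is the access control that keeps other local users from driving your Tor; and Tor rate-limits NEWNYM, so calling this in a tight loop does not yield a fresh circuit per call.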

Roya saw check.torproject.org returning information [46] that
contradicted Atlas about the exit node being used. It seems to be a bug in
check occurring when multiple nodes are using the same IP address [47].

  [46]: https://tor.stackexchange.com/q/1439/88
  [47]: https://bugs.torproject.org/10499#comment:4

Upcoming events
---------------

Feb 8     | Aaron Gibson Presenting Tor @ New Media Inspiration 2014
          | Prague, Czech Republic
          | http://www.tuesday.cz/akce/new-media-inspiration-2014/
          |
Feb 8     | Colin Childs Presenting Tor @ CryptoParty, Winnipeg
          | Winnipeg, Canada
          | http://wiki.skullspace.ca/CryptoParty
          |
Feb 9     | Privacy SOS CryptoParty @ NorthEastern University in Boston
          | Boston, Massachusetts, United States
          | http://privacysos.org/party


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
qbi, George Kadianakis, Colin, Sandeep, Paul Feitzinger and
Karsten Loesing.

TWN is a community newsletter. It can’t rest upon a single pair of
shoulders at all times, especially when those shoulders stand behind a
booth for two days straight. So if you want to continue reading TWN, we
really need your help! Please see the project page [48] and say “hi” on
the team mailing list [49].

  [48]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [49]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
