[tor-talk] Tor Weekly News â July, 10th 2013

[Lunar <lunar@xxxxxxxxxxxxxx>]

========================================================================
Tor Weekly News                                          July 10th, 2013
========================================================================

Welcome to the second issue of Tor Weekly News, the weekly newsletter
meant to cover what is happening in the great Tor community.

First release candidate for Tor 0.2.4.x series
----------------------------------------------

On July 3rd, Roger Dingledine announced the release of Tor
0.2.4.15-rcÂ[1]. As ârcâ suggests, it is the first release candidate for
the 0.2.4.x series. This version fixes a few smaller bugs over the
latest alpha, but âgenerally appears stable,â Roger notedÂ[1].

Some highlights of changes from 0.2.3.xÂ[2]:

 * bridges now report the pluggable transports they support to the
   bridge authorityÂ[3],
 * IPv6 supportÂ[4,5,6,7],
 * automatically forward the TCP ports of pluggable transport proxies
   using tor-fw-helper if PortForwarding is enabledÂ[8],
 * switch to a nonrecursive Makefile structure. Where available, now
   use automakeâs âsilentâ make rules by defaultÂ[9],
 * many, many more small improvements and fixes.

Please download it and test widely and wildlyÂ[10].

   [1]Âhttps://lists.torproject.org/pipermail/tor-talk/2013-July/028776.html
   [2]Âhttps://gitweb.torproject.org/tor.git/blob/b13c6becc:/ChangeLog
   [3]Âhttps://bugs.torproject.org/3589
   [4]Âhttps://bugs.torproject.org/5534
   [5]Âhttps://bugs.torproject.org/5535
   [6]Âhttps://bugs.torproject.org/6362
   [7]Âhttps://bugs.torproject.org/6363
   [8]Âhttps://bugs.torproject.org/6522
   [9]Âhttps://bugs.torproject.org/4567
  [10]Âhttps://www.torproject.org/dist/

New vulnerability in Tor Browser Bundle 2.3.25-10?
--------------------------------------------------

An anonymous reporter reportedÂ[11] a potential leak when using the Tor
Browser Bundle on Windows. If Microsoft Security Essentials or another
cloud based anti-virus solution is configured, downloads will
automatically be sent to these external providers â bypassing Tor â once
complete.

The reporter suggested setting the
âbrowser.download.manager.scanWhenDoneâ property to âfalseâ to prevent
anti-virus solutions from starting without user interaction.

  [11]Âhttps://bugs.torproject.org/9195

The Tor Project is hiring a Lead Automation Engineer
----------------------------------------------------

Do you have experience programming in multiple languages, including
Java, Python/Ruby, shell scripting, and JavaScript?

The Tor Project opened a new positionÂ[12] as Lead Automation Engineer.
The project seeks to deploy nightly builds and continuous integration
for as many of its key software components and platform combinations as
possible. Mike Perry wrote, âCandidates are expected to be capable of
taking the lead in selecting, deploying, and maintaining multiple
automation systems in several different programming languages.â

For more details, including information on how to apply, see the job
postingÂ[13].

  [12]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-July/005119.html
  [13]Âhttps://www.torproject.org/about/jobs-lead-automation.html.en

check.torproject.org outage
---------------------------

As Andrew Lewman wrote on Thursday, July 4th, âover the past 24 hours
https://check.torproject.org has been unavailable due to excessive DNS
queries to the exitlist service. It seems there are a number of
individuals and companies with commercial products relying upon this
volunteer service. We finally hit the point where we couldnât keep up
with the queries and simply disabled the serviceâÂ[14].

At the time of writing, the service is again available, but the project
might âtake it down as needed without notice.â

âcheck.torproject.orgâ is no longer the homepage for Tails since January
of this yearÂ[14]. The Tor Browser Bundle will also switch to a new
homepage in version 3, currently in alpha stageÂ[16].

Other software or services that depend on check.torproject.org should
either migrate away or run their own version using the source code for
the web pageÂ[17]. It is supported by a database of running exit
nodes that can be queried through DNSÂ[18].

If you wish to help, one need is to make it easier for third parties to
get their own âcheckâ service running. This means getting the service
more modularÂ[19] and improving TorDNSELÂ[20] or finishing TorBELÂ[21].
Someone must also write documentation that is easy to follow.

  [14]Âhttps://blog.torproject.org/blog/tor-check-outage-03-and-04-july-2013
  [15]Âhttps://tails.boum.org/news/version_0.16/
  [16]Âhttps://bugs.torproject.org/7494
  [17]Âhttps://svn.torproject.org/cgi-bin/viewvc.cgi/Tor/check/trunk/
  [18]Âhttps://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
       (this page unfortunately contains outdated information
       as of 2013-07-04)
  [19]Âhttps://bugs.torproject.org/9204
  [20]Âhttps://gitweb.torproject.org/tordnsel.git
  [21]Âhttps://gitweb.torproject.org/torbel.git

An experimental transparent Tor proxy for Windows
-------------------------------------------------

basil announcedÂ[22] a new experimental transparent Tor proxy for using
Tor on Windows: â1) It (transparently) reroutes all HTTP traffic through
the Tor anonymity network; and 2) It blocks all non-Tor traffic
(including DNS) to and from your computer.â

The project is currently dubbed TorWall but the name is likely to change
as it is problematic regarding the Tor trademarkÂ[23] and Roger pointed
outÂ[24] that there is already a discontinued project called Torwall.
Roger also pointed out that transparent proxying might not be the best
solutions âon the theory that if the given application isnât
specifically configured to use Tor, itâs probably going to screw up
privacy-wise.â

basil answeredÂ[25] by stating that the project was âreally for those
who know and understand the risks (possibly a very limited market?).â
Feel free to give it a try if you do!

  [22]Âhttps://lists.torproject.org/pipermail/tor-talk/2013-July/028809.html
  [23]Âhttps://www.torproject.org/docs/trademark-faq
  [24]Âhttps://lists.torproject.org/pipermail/tor-talk/2013-July/028833.html
  [25]Âhttps://lists.torproject.org/pipermail/tor-talk/2013-July/028840.html

Theft of Tor relay private keys?
--------------------------------

On Tuesday, July 2nd, Thomas H. expressed concern about a hypothetical
attacker breaking into a large number of nodes and stealing their
private keys, combined with gathering all the traffic possible.
âWouldnât this increase the likelihood that data from complete circuits
can be decrypted and traced back to the original sender?â [26]

In response to this question, Mike Perry admits that he shares Thomasâ
concerns: âIf their intercepts are passive, merely stealing relaysâ
private identity key wonât accomplish much because Tor uses Forward
SecrecyÂ[27] for both the relay TLS links and for circuit setup.
However, if their intercepts are active (as in they can arbitrarily
manipulate traffic in-flight), then stealing either Guard node keys or
directory authority keys allows complete route capture and traffic
discovery of targeted clientsâÂ[28].

To avoid this danger, Mike Perry has previously suggested âchanges to
Tor to make such key theft easier to detect, less damaging, and harder
to make use ofâÂ[29,30].

Mike also supports the idea of regular identity key rotation for
relaysÂ[31]. He would like to see support for default key rotation in
the future.

Mike pointed out that currently changing an identity key too frequently
has several disadvantages for the Tor network: âFirst, it takes the
bandwidth measurement servers a couple days to ramp up your capacity of
your new identity key, so you will spend a lot of time below your max
throughput. Second, you would also likely never get the Guard flag.
Third, there are also load balancing issues with Guard nodes where as
soon as you get the Guard flag, it will take 1-2 months before clients
switch to your new Guard, so you will also likely spend that time at
less than your full capacity.â

If you are operating a relay, please check the wiki page with tips for
enhancing the relayâs securityÂ[32].

  [26]Âhttps://lists.torproject.org/pipermail/tor-talk/2013-July/028749.html
  [27]Âhttps://en.wikipedia.org/wiki/Perfect_forward_secrecy
  [28]Âhttps://lists.torproject.org/pipermail/tor-talk/2013-July/028751.html
  [29]Âhttps://bugs.torproject.org/7126
  [30]Âhttps://bugs.torproject.org/5968
  [31]Âhttps://bugs.torproject.org/5563
  [32]Âhttps://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity

A new interface to explore the Tor network
------------------------------------------

On June 25th, Christian (makepanic) announcedÂ[33] a new web application
to explore the Tor network. Based on the Ember.js frameworkÂ[34], it
uses data from OnionooÂ[35] to display information about Tor relays and
bridges.

As Karsten pointed outÂ[36], this tool already has the same set of
features as AtlasÂ[37] â the current recommended way to get details
about relays â and even a few more: it can âlist 10 fastest relays on
start pageâ and âshow bridge detailsâ.  As Onionoo was designed exactly
to offer a backend for various visualization tools, Karsten thinks âitâs
fine to have more than one website providing access to Onionoo data.
Yay, diversity.â

Feel free to play with Tor Onionoo searchÂ[38] or have a look at its
source codeÂ[39].

  [33]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-June/005063.html
  [34]Âhttp://emberjs.com/
  [35]Âhttps://onionoo.torproject.org/
  [36]Âhttps://lists.torproject.org/pipermail/tor-dev/2013-July/005122.html
  [37]Âhttps://atlas.torproject.org/
  [38]Âhttp://makepanic.github.io/emberjs-tor-onionoo/
  [39]Âhttps://github.com/makepanic/emberjs-tor-onionoo

Miscellaneous development news
------------------------------

Karsten Loesing has updated GeoIP databases for Tor and Onionoo to July
MaxMind databasesÂ[40] without their A1 Anonymous Proxy ranges. See
#6266Â[41] for more details on why and how we need to fix the data
released by MaxMind.

It looks like the âstart-tor-browserâ shell script cannot be used to
start the Tor Browser from the graphical file manager on Ubuntu
13.04Â[42]. If you have any great ideas, please chime in.

If you can write C code, you could make the lives of many relay
operators easier by making tor configuration accept âbit/sâ on top of
the current âbyte/sâÂ[43]. The former, being more commonly used by
network operators to describe bandwidth, could reduce a common case of
confusion. It looks like a patch would be pretty simple!

Work has started on a pluggable transport that would combine the traffic
obfuscation properties of obfsproxy with the address diversity of
FlashproxyÂ[44].

intrigeri has announced two âlow-hanging fruitsâ sessions for
TailsÂ[45]. Feel free to join the #tails IRC channel on July 11th at
8:00 UTC or on July 13, 2013, at 7:00 UTC. âEveryone interested in
contributing to Tails is warmly welcome to join! The idea is to spend a
while together on many small tasks that take less than 2 hours each, and
are waiting in our TODO list for too long.â He also gave a list of
candidate tasks.

As Erinn Clark pointed outÂ[46], the 3.x branch of Tor Browser is
currently missing a map of relays similar to the one shown in Vidalia.
The latter can be kept as a separate application, but this specific bit
of functionality might simply be implementable using web technologies.
Care to give it a try?

  [40]Âhttps://gitweb.torproject.org/tor.git/commit/2a61b0dd6be
  [41]Âhttps://bugs.torproject.org/6266
  [42]Âhttps://bugs.torproject.org/9091
  [43]Âhttps://bugs.torproject.org/9214
  [44]Âhttps://bugs.torproject.org/7167
  [45]Âhttps://mailman.boum.org/pipermail/tails-dev/2013-July/003240.html
  [46]Âhttps://lists.torproject.org/pipermail/tor-qa/2013-July/000157.html

More monthly status reports for June 2013
-----------------------------------------

Continuing from last week, more monthly reports are now available for
June 2013: George KadianakisÂ[47], Aaron G.Â[48], Runa A. SandvikÂ[49],
Mike PerryÂ[50], Karsten LoesingÂ[51], Tails folksÂ[52], and the Tor
help deskÂ[53].

  [47]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-July/000280.html
  [48] https://lists.torproject.org/pipermail/tor-reports/2013-July/000284.html
  [49]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-July/000285.html
  [50]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-July/000286.html
  [51]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-July/000287.html
  [52]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-July/000288.html
  [53]Âhttps://lists.torproject.org/pipermail/tor-reports/2013-July/000289.html

Upcoming events
---------------

Jul 10-12 | Tor at Privacy Enhancing Technology Symposium
          | Bloomington, Indiana, USA
          |Âhttp://petsymposium.org/2013/
          |
Jul 22-26 | Tor annuel dev. meeting
          | MÃnchen, Germany
          |Âhttps://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting
          |
Jul 31-05 | Tor at OHM
          | Geestmerambacht, Netherlands
          |Âhttps://ohm2013.org/
          |
Aug 1-4   | Runa Sandvik @ DEF-CON 21
          | Rio Hotel, Las Vegas, USA
          |Âhttps://www.defcon.org/html/defcon-21/dc-21-index.html



This issue of Tor Weekly News has been assembled by Lunar, luttigdev,
dope457, whabib, Karsten Loesing and Peter Palfrader.

Want to continue reading TWN? Please help us create this newsletter. We
still need more volunteer writers to watch the Tor community and report
important news. Please see the project pageÂ[54] and write down your
name if you want to get involved!

  [54]Âhttps://trac.torproject.org/projects/tor/wiki/TorWeeklyNews

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk