========================================================================
Tor Weekly News                                          July 30th, 2014
========================================================================

Welcome to the thirtieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.3 is out
------------------------

A new pointfix release for the 3.6 series of the Tor Browser is
out [1]. Most components have been updated and a couple of small issues
fixed. Details are available in the release announcement. The release
includes the important security updates [2] from Firefox 24.7 ESR. Be
sure to upgrade [3]! Users of the experimental meek [4] bundles have not
been forgotten [5].

[1]: https://blog.torproject.org/blog/tor-browser-363-released
[2]: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.7
[3]: https://www.torproject.org/download/download-easy.html
[4]: https://trac.torproject.org/projects/tor/wiki/doc/meek
[5]: https://people.torproject.org/~dcf/pt-bundle/3.6.3-meek-1/

New Tor stable and alpha releases
---------------------------------

Two new releases of Tor are out. The new 0.2.5.6-alpha release [6]
“brings us a big step closer to slowing down the risk from guard
rotation, and fixes a variety of other issues to get us closer to a
release candidate”. Once directory authorities have upgraded, they will
“assign the Guard flag to the fastest 25% of the network”. Some
experiments showed that “for the current network, this results in about
1100 guards, down from 2500.”

Complementing the move to a single entry guard [7] is the introduction
of two new consensus parameters. NumEntryGuards and NumDirectoryGuards
will respectively set the number of entry guards and directory guards
that clients use. The default for NumEntryGuards is currently three,
but the parameter allows a reversible switch to one in the near future.
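The two mechanisms above (authorities handing the Guard flag to the
fastest fraction of the network, clients reading NumEntryGuards from
the consensus) can be seen together on a toy network. The following is
an added illustration, not code from Tor or from this newsletter: the
consensus fragment is constructed, its "r" lines are shortened to
nickname, identity, IP, ORPort and DirPort with placeholder
identities, and "fastest 25%" is taken literally over the relays that
already carry the Fast, Stable, Running and Valid flags. The real
directory-authority rule also weighs bandwidth, uptime and further
thresholds, so treat this as the shape of the idea rather than Tor's
algorithm.

```python
"""Guard-flag assignment and NumEntryGuards on a constructed mini-consensus.

Added example, not Tor's own code. Simplifications: guard eligibility is
"has Fast, Stable, Running and Valid", and the fastest `fraction` of the
eligible relays (by consensus Bandwidth) get the Guard flag.
"""
import math
import random
from dataclasses import dataclass

# Constructed sample (not real network data). Shape follows the
# network-status format, but "r" lines are abbreviated and the
# identities are placeholders.
CONSENSUS = """\
params NumDirectoryGuards=3 NumEntryGuards=1 circwindow=1000
r alpha ID_ALPHA 192.0.2.1 9001 9030
s Fast Running Valid
w Bandwidth=20000
r bravo ID_BRAVO 192.0.2.2 9001 9030
s Fast Running Stable Valid
w Bandwidth=9000
r charlie ID_CHARLIE 192.0.2.3 9001 0
s Fast Running Stable Valid
w Bandwidth=8000
r delta ID_DELTA 192.0.2.4 443 0
s Fast Running Stable Valid
w Bandwidth=5000
r echo ID_ECHO 192.0.2.5 9001 9030
s Fast Running Stable Valid
w Bandwidth=3000
r foxtrot ID_FOXTROT 192.0.2.6 9001 0
s Fast Running Stable Valid
w Bandwidth=2000
r golf ID_GOLF 192.0.2.7 9001 0
s Running Stable Valid
w Bandwidth=1000
r hotel ID_HOTEL 192.0.2.8 9001 0
s Fast Running Stable Valid
w Bandwidth=500
"""

GUARD_PREREQS = {"Fast", "Stable", "Running", "Valid"}


@dataclass
class Relay:
    nickname: str
    identity: str
    flags: set
    bandwidth: int = 0


def parse_params(text):
    """Return the consensus 'params' line as a {name: int} dict."""
    for line in text.splitlines():
        if line.startswith("params "):
            return {k: int(v) for k, v in (kv.split("=") for kv in line.split()[1:])}
    return {}


def parse_relays(text):
    """Attach each 's' (flags) and 'w' (bandwidth) line to the preceding 'r' line."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r":
            relays.append(Relay(nickname=parts[1], identity=parts[2], flags=set()))
        elif parts[0] == "s" and relays:
            relays[-1].flags = set(parts[1:])
        elif parts[0] == "w" and relays:
            for kv in parts[1:]:
                if kv.startswith("Bandwidth="):
                    relays[-1].bandwidth = int(kv.split("=", 1)[1])
    return relays


def assign_guard_flag(relays, fraction):
    """Simplified authority-side rule: among relays with the Guard prerequisites,
    the fastest `fraction` by bandwidth get Guard. Returns those relays."""
    eligible = [r for r in relays if GUARD_PREREQS <= r.flags]
    if not eligible:
        return []
    k = max(1, math.ceil(len(eligible) * fraction))
    cutoff = sorted((r.bandwidth for r in eligible), reverse=True)[k - 1]
    return [r for r in eligible if r.bandwidth >= cutoff]


def num_entry_guards(params, default=3):
    """Client-side reading of NumEntryGuards; the newsletter says the default is 3."""
    return params.get("NumEntryGuards", default)


def choose_entry_guards(guards, n, seed=None):
    """Pick n distinct guards, weighted by bandwidth (weighting simplified)."""
    rng = random.Random(seed)
    pool, chosen = list(guards), []
    while pool and len(chosen) < n:
        pick = rng.choices(pool, weights=[g.bandwidth for g in pool], k=1)[0]
        pool.remove(pick)
        chosen.append(pick)
    return chosen


if __name__ == "__main__":
    relays = parse_relays(CONSENSUS)
    params = parse_params(CONSENSUS)
    for frac in (0.5, 0.25):
        names = [g.nickname for g in assign_guard_flag(relays, frac)]
        print(f"fastest {int(frac * 100)}%: {len(names)} guards -> {names}")
    n = num_entry_guards(params)
    print("NumEntryGuards from consensus:", n)
    picked = choose_entry_guards(assign_guard_flag(relays, 0.25), n, seed=7)
    print("client picks:", [g.nickname for g in picked])
```

Shrinking the guard set from 50% to 25% of the eligible relays halves
the number of guards on this toy network, which is the same direction as
the “about 1100 guards, down from 2500” measurement quoted above; fewer,
faster guards held for longer is the trade the 0.2.5.x series is making
against guard-rotation attacks.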
Several important fixes have been backported to the stable branch in
the 0.2.4.23 release [8]. Source packages are available at the regular
location [9]. Binary packages have already landed in Debian [10, 11]
and the rest should follow shortly.

[6]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034180.html
[7]: https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/236-single-guard-node.txt
[8]: https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html
[9]: https://www.torproject.org/dist/
[10]: https://tracker.debian.org/news/560607
[11]: https://tracker.debian.org/news/560611

Security issue in Tails 1.1 and earlier
---------------------------------------

Several vulnerabilities have been discovered in I2P, which is shipped
in Tails 1.1 and earlier [12]. I2P [13] is an anonymous overlay network
with many similarities to Tor. There was quite some confusion around
the disclosure process of these vulnerabilities. Readers are encouraged
to read what the Tails team has written about it [14].

Starting I2P in Tails normally requires a click on the relevant menu
entry. Once I2P is running, the vulnerabilities can be used to
deanonymize a Tails user who visits a malicious web page. As a
precaution, the Tails team recommends removing the “i2p” package each
time Tails is started.

I2P has fixed the issue in version 0.9.14 [15]. It is likely to be
included in the next Tails release, but the team is also
discussing [16] the more in-depth protections that would be required
in order to keep I2P in Tails.

[12]: https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/
[13]: https://geti2p.net/
[14]: https://tails.boum.org/news/On_0days_exploits_and_disclosure/
[15]: https://geti2p.net/en/blog/post/2014/07/26/0.9.14-Release
[16]: https://mailman.boum.org/pipermail/tails-dev/2014-July/006459.html

Reporting bad relays
--------------------

“Bad” relays are malicious, misconfigured, or otherwise broken Tor
relays.
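A bad-relay report is only useful if it names the right relay, and the
question a reporter has to answer first is “which exit relay carried
the connection that misbehaved?”. Besides the Check service discussed
in this section, that answer is available locally: Tor's control port
answers GETINFO circuit-status and GETINFO stream-status, and the last
hop of the BUILT circuit a stream is attached to is its exit. The
following is an added example written for this newsletter, not code
from the Tor Project; the two status dumps are constructed samples in
the control-spec line format, and the 40-hex-digit fingerprints are
placeholders.

```python
"""Find the exit relay carrying a given stream from Tor control-port output.

Added example, not the Tor Project's code. Input is the text a controller
gets back from "GETINFO circuit-status" and "GETINFO stream-status":
  circuit-status: CircID SP Status [SP Path] [SP key=value ...]
  stream-status : StreamID SP Status SP CircID SP Target
where Path is a comma-separated list of "$FINGERPRINT~nickname" hops.
"""
import re

# Constructed samples (placeholder fingerprints). Circuit 9 is still being
# extended and stream 14 is not attached to any circuit yet (CircID 0).
CIRCUIT_STATUS = """\
5 BUILT $1111111111111111111111111111111111111111~guard1,$2222222222222222222222222222222222222222~middle1,$3333333333333333333333333333333333333333~exitA BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2014-07-28T10:00:00.000000
7 BUILT $1111111111111111111111111111111111111111~guard1,$4444444444444444444444444444444444444444~middle2,$5555555555555555555555555555555555555555~exitB BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2014-07-28T10:00:05.000000
9 EXTENDED $1111111111111111111111111111111111111111~guard1 BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2014-07-28T10:00:09.000000
"""
STREAM_STATUS = """\
12 SUCCEEDED 5 example.com:443
13 SUCCEEDED 7 example.net:80
14 NEW 0 example.org:443
"""

# One hop: "$" + 40 hex digits, optionally followed by "~nick" or "=nick".
HOP_RE = re.compile(r"\$([0-9A-Fa-f]{40})(?:[~=]([A-Za-z0-9]{1,19}))?")


def parse_circuits(text):
    """Map CircID -> {'status': str, 'path': [(fingerprint, nickname), ...]}."""
    circuits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        circ_id, status = parts[0], parts[1]
        path = []
        # The path field is optional (a LAUNCHED circuit has none);
        # key=value fields follow it.
        if len(parts) > 2 and parts[2].startswith("$"):
            path = [(fp.upper(), nick or None) for fp, nick in HOP_RE.findall(parts[2])]
        circuits[circ_id] = {"status": status, "path": path}
    return circuits


def parse_streams(text):
    """Return stream-status lines as dicts with id, status, circ and target."""
    streams = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        streams.append({"id": parts[0], "status": parts[1],
                        "circ": parts[2], "target": parts[3]})
    return streams


def exit_for_target(circuits, streams, target):
    """(fingerprint, nickname) of the exit carrying `target`, or None when the
    stream is unknown, unattached (CircID 0) or on a circuit that is not BUILT."""
    for stream in streams:
        if stream["target"] != target:
            continue
        circ = circuits.get(stream["circ"])
        if circ is None or circ["status"] != "BUILT" or not circ["path"]:
            return None
        return circ["path"][-1]
    return None


def report_string(exit_hop):
    """Format a hop the way the reporting wiki asks for it: fingerprint first."""
    fingerprint, nickname = exit_hop
    return f"${fingerprint}~{nickname or '?'}"


if __name__ == "__main__":
    circuits = parse_circuits(CIRCUIT_STATUS)
    streams = parse_streams(STREAM_STATUS)
    for target in ("example.com:443", "example.org:443"):
        hop = exit_for_target(circuits, streams, target)
        print(target, "->", report_string(hop) if hop else "no exit yet")
```

Against a live Tor the same two GETINFO commands can be issued over the
control port (with a controller library or a raw socket after
authenticating), and the fingerprint, not the nickname, is what should
go into the report, since nicknames are neither unique nor
authenticated.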
As anyone is free to volunteer bandwidth and processing power to spin
up a new relay, users will encounter such bad relays once in a while.
Getting them out of everyone’s circuits is thus important.

Damian Johnson and Philipp Winter have been working on improving and
documenting [17] the process of reporting bad relays. “While we do
regularly scan the network for bad relays, we are also dependent on the
wider community to help us spot relays which don’t act as they should”
wrote [18] Philipp.

When observing unusual behavior, one way to learn which exit relay is
in use before reporting it is the Check [19] service. This method can
be inaccurate (Check only sees the circuit its own request happened to
use, which need not be the one that carried the suspicious traffic) and
tends to be a little bit cumbersome. The good news is that Arthur
Edelstein is busy integrating [20] more feedback on the Tor circuits in
use directly into the Tor Browser.

[17]: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays
[18]: https://blog.torproject.org/blog/how-report-bad-relays
[19]: https://check.torproject.org/
[20]: https://trac.torproject.org/projects/tor/ticket/8641#comment:12

Miscellaneous news
------------------

The Tor Project, Inc. has completed its standard financial audit for
the year 2013 [21]. IRS Form 990 [22], Massachusetts Form PC [23], and
the Financial Statements [24] are now available for anyone to review.
Andrew Lewman explained: “we publish all of our related tax documents
because we believe in transparency. All US non-profit organizations are
required by law to make their tax filings available to the public on
request by US citizens.
We want to make them available for all.”

[21]: https://blog.torproject.org/blog/transparency-openness-and-our-2013-financials
[22]: https://www.torproject.org/about/findoc/2013-TorProject-Form990.pdf
[23]: https://www.torproject.org/about/findoc/2013-TorProject-FormPC.pdf
[24]: https://www.torproject.org/about/findoc/2013-TorProject-FinancialStatements.pdf

CJ announced [25] the release of orWall [26] (previously named
Torrific), a new Android application that “will force applications
selected through Orbot while preventing unchecked applications to have
network access”.

[25]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034006.html
[26]: https://orwall.org/

The Thali project [27] aims to use hidden services to host web content.
As part of the effort, they have written a cross-platform Java
library [28]. “The code handles running the binary, configuring it,
managing it, starting a hidden service, etc.” wrote [29] Yaron Goland.

[27]: http://www.thaliproject.org/mediawiki/index.php?title=Main_Page
[28]: https://github.com/thaliproject/Tor_Onion_Proxy_Library
[29]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034046.html

Gareth Owen released [30] a Java-based Tor research framework [31]. The
goal is to enable researchers to try things out without having to deal
with the full tor source. “At present, it is a fully functional client
with a number of examples for hidden services and SOCKS. You can build
arbitrary circuits, build streams, send junk cells, etc.” wrote Gareth.

[30]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007232.html
[31]: https://github.com/drgowen/tor-research-framework

Version 0.2.3 of BridgeDB [32] has been deployed. Among other
changes [33], owners of riseup.net email accounts can now request
bridges through email [34].
[32]: https://bridges.torproject.org/
[33]: https://gitweb.torproject.org/bridgedb.git/blob/2a6d5463:/CHANGELOG
[34]: https://bugs.torproject.org/11139#comment:15

The first candidate for Orbot 14.0.5 has been released. “This update
includes improved management of the background processes, the ability
to easily change the local SOCKS port (to avoid conflicts on some
Samsung Galaxy and Note devices), and the fancy new notification
dialog, showing your current exit IPs and country” wrote [35] Nathan
Freitas.

[35]: https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/003667.html

While working on guard nodes, George Kadianakis realized that “the data
structures and methods of the guard nodes code are not very robust”.
Nick Mathewson and George have been busy trying to come up with better
abstractions [36]. More brains working on the problem would be welcome!

[36]: https://bugs.torproject.org/12595

Mike Perry posted [37] “a summary of the primitives that Marc Juarez
aims to implement for his Google Summer of Code project on prototyping
defenses for Website Traffic Fingerprinting and follow-on research”.
Be sure to have a look if you want to help defend against website
fingerprinting attacks.

[37]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007246.html

A new draft proposal “for making all relays also be directory servers
(by default)” has been submitted [38] by Matthew Finkel. Among the
motivations, Matthew wrote: “In a network where every router is a
directory server, the profiling and partitioning attack vector is
reduced to the guard (for clients who use them), which is already in a
privileged position for this. In addition, with the increased set size,
relay descriptors and documents are more readily available and it
diversifies the providers.” This change might make the transition to a
single guard safer. Feedback welcome!
[38]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007247.html

Noah Rahman reported [39] on the progress of the Stegotorus Google
Summer of Code project.

[39]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007248.html

Tor help desk roundup
---------------------

A number of Iranian Tor users have reported that Tor no longer works
out of the box in Iran, and the Tor Metrics portal shows a
corresponding drop in the number of directly-connecting users
there [40]. Collin Anderson investigated the situation and reported
that the Telecommunication Company of Iran had begun blocking the Tor
network by blacklisting connections to Tor’s directory
authorities [41]. Tor users can circumvent this block by getting
bridges from BridgeDB [42] and entering the bridge addresses they
receive into their Tor Browser.

[40]: https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2014-04-30&end=2014-07-28&country=ir&events=on#userstats-relay-country
[41]: https://bugs.torproject.org/12727
[42]: https://bridges.torproject.org/

Upcoming events
---------------

Aug. 01 16:00 UTC | Pluggable transports online meeting
                  | #tor-dev, irc.oftc.net
Aug. 03 19:00 UTC | Tails contributors meeting
                  | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                  | https://mailman.boum.org/pipermail/tails-project/2014-July/000000.html
August 18         | Roger @ FOCI ’14
                  | San Diego, California, USA
                  | https://www.usenix.org/conference/foci14
August 20-22      | Roger @ USENIX Security Symposium ’14
                  | San Diego, California, USA
                  | https://www.usenix.org/conference/usenixsecurity14

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
harmony, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [43], write down your name
and subscribe to the team mailing list [44] if you want to get
involved!
[43]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[44]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk