Changes between Version 55 and Version 56 of TorWeeklyNews/2013/0


Timestamp:
Jul 3, 2013, 12:16:18 PM
Author:
lunar
Comment:

Sent!

  • TorWeeklyNews/2013/0

    v55 v56  
    1 ''Very first edition of [wiki:TorWeeklyNews Tor Weekly News]. Covering what's happening since June 26th, 2013. To be released on July 3rd, 2013.''
     1''Very first edition of [wiki:TorWeeklyNews Tor Weekly News]. Covering what's happening between June 26th, 2013 and July 2nd, 2013. Released on July 3rd, 2013.''
    22
    33'''Editor for this week:''' Lunar
    44
    5 '''Status:''' ''Frozen! — '''only language edits allowed''''', publication due on 2013-07-03 12:00 UTC. New items should go on [wiki:TorWeeklyNews/2013/1 next week newsletter].
    6 
    7 '''Subject:''' Tor Weekly News — July 3rd, 2013
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                           July 3rd, 2013
    12 ========================================================================
    13 
    14 Welcome to the very first issue of Tor Weekly News, the weekly
    15 newsletter meant to cover what is happening in the vibrant Tor
    16 community.
    17 
    18 Deterministic, independently reproduced builds of Tor Browser Bundle
    19 --------------------------------------------------------------------
    20 
    21 Mike Perry, Linus Nordberg and Georg Koppen each independently built
    22 identical binaries of the Tor Browser Bundle 3.0 alpha 2 release [1],
    23 now available for download at the Tor Package Archive [2].
    24 
    25 The build system [3], first adopted for the release of 3.0 alpha 1, uses
    26 Gitian [4] to enable anyone to produce byte-identical Tor Browser Bundle
    27 binary packages from source. This represents a major improvement in the
    28 security of the Tor software build and distribution processes against
    29 targeted attacks.  The motivations and technical details of this work
    30 will appear in future Tor Project blog posts.
    31 
    32    [1] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
    33    [2] https://archive.torproject.org/tor-package-archive/torbrowser/3.0a2/
    34    [3] https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/README.build
    35    [4] http://gitian.org/
    36 
    37 Minor progress on datagram-based transport
    38 ------------------------------------------
    39 
    40 As Steven Murdoch explained in 2011, in the current implementation of
    41 Tor, “when a packet gets dropped or corrupted on a link between two Tor
    42 nodes, […], all circuits passing through this pair of nodes will be
    43 stalled, not only the circuit corresponding to the packet which was
    44 dropped.” [5] This is because traffic from multiple circuits heading
    45 into an OR node are multiplexed by default into a single TCP connection.
    46 However, when the reliability and congestion control requirements of TCP
    47 streams are enforced (by the operating system) on this multiplexed
    48 connection, a situation is created in which one poor quality circuit can
    49 disproportionately slow down the others.
    50 
    51 This shortcoming could be worked around by migrating Tor from TCP to a
    52 datagram-based transport protocol. Nick Mathewson opened #9165 [6] to
    53 track progress on the matter.
    54 
    55 Late last year, Steven Murdoch began an experimental Tor branch using
    56 uTP [7], a protocol “which provides reliable, ordered delivery while
    57 maintaining minimum extra delay”, and is already used by uTorrent for
    58 peer-to-peer connections [8]. Nick Mathewson finally got to review his
    59 work and wrote several comments on #9166 [9]. The code isn’t close to
    60 production-quality right now; it is just good enough for performance
    61 testing.
    62 
    63    [5] https://blog.torproject.org/blog/moving-tor-datagram-transport
    64    [6] https://bugs.torproject.org/9165
    65    [7] https://gitweb.torproject.org/sjm217/tor.git/shortlog/refs/heads/utp
    66    [8] http://www.bittorrent.org/beps/bep_0029.html
    67    [9] https://bugs.torproject.org/9166
    68 
    69 obfsproxyssh
    70 ------------
    71 
    72 Yawning Angel sent out a request for comments [10] on the very first
    73 release of “obfsproxyssh” [11], a pluggable transport that uses the ssh
    74 wire protocol to hide Tor traffic. Its behavior would appear to
    75 potential eavesdroppers to be “identical to a user sshing to a host,
    76 authenticating with a RSA public/private key pair and opening a
    77 direct-tcp channel to the ORPort of the bridge.”
    78 
    79 The announcement contains several open issues and questions. Feel free
    80 to have a look and voice your comments!
    81 
    82   [10] https://lists.torproject.org/pipermail/tor-dev/2013-June/005083.html
    83   [11] https://github.com/Yawning/obfsproxyssh
    84 
    85 Crowdfunding for Tor exit relays and bridges
    86 --------------------------------------------
    87 
    88 Moritz Bartl announced [12] that he has started a crowdfunding campaign
    89 for Tor exit relays and bridges.
    90 
    91 The donations will be distributed equally among all Torservers.net
    92 partner organizations (Zwiebelfreunde e.V., DFRI, Nos Oignons, Swiss
    93 Privacy Foundation, Frënn vun der Ënn and NoiseTor).
    94 
    95 For a faster and better network, chip in and spread the word!
    96 
    97   [12] http://www.indiegogo.com/projects/tor-anti-censorship-and-anonymity-infrastructure/
    98 
    99 Tails 0.19 is out, new stable Tor Browser Bundles
    100 -------------------------------------------------
    101 
    102 On Wednesday, June 26, two of the most popular Tor projects both made
    103 new releases: the Tor Browser Bundle, and Tails, The Amnesiac Incognito
    104 Live System. Users are encouraged to upgrade as soon as possible.
    105 
    106 The stable Tor Browser Bundle was updated to version 2.3.25-10 [13], and
    107 includes fixes from upstream Firefox 17.0.7esr. Tails 0.19 [14] includes
    108 the new stable Tor Browser, along with an updated 3.9.5 kernel and minor
    109 security improvements to wireless, GNOME and GnuPG defaults.
    110 
    111   [13] https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages
    112   [14] https://tails.boum.org/news/version_0.19/
    113 
    114 Jenkins + Stem catching their first regression
    115 ----------------------------------------------
    116 
    117 Quoting Damian Johnson’s June status report [20]: “Our automated
    118 Jenkins test runs caught their first instance of tor regression. This
    119 concerned LOADCONF’s behavior after merging a branch for ticket #6752”.
    120 A new ticket [15] was opened after Damian properly identified the issue.
    121 
    122   [15] https://bugs.torproject.org/9122
    123 
    124 First round of reports from GSoC projects
    125 -----------------------------------------
    126 
    127 Johannes Fürmann reported [16] on his project, a virtual network
    128 environment intended to simulate censorship for OONI (dubbed “Evil
    129 Genius”, after Descartes). Hareesan reported [17] on the steganography
    130 browser addon. Cristian-Matei Toader is working [18] on adding
    131 capabilities-based sandboxing to Tor on Linux, using the kernel’s
    132 seccomp syscall filtering mechanism. Chang Lan implemented [19] a HTTP
    133 proxy-based transport using CONNECT as the first step in his efforts to
    134 implement a general Tor-over-HTTP pluggable transport.
    135 
    136   [16] https://lists.torproject.org/pipermail/tor-dev/2013-June/005078.html
    137   [17] https://lists.torproject.org/pipermail/tor-dev/2013-June/005082.html
    138   [18] https://lists.torproject.org/pipermail/tor-dev/2013-June/005085.html
    139   [19] https://lists.torproject.org/pipermail/tor-dev/2013-June/005086.html
    140 
    141 Monthly status reports for June 2013
    142 ------------------------------------
    143 
    144 The wave of regular monthly reports from Tor project members for the
    145 month of June has begun. Damian Johnson’s was the first [20], followed
    146 soon after by reports from Philipp Winter [21], Colin C. [22], Nick
    147 Mathewson [23], Lunar [24], Moritz Bartl [25], Jason Tsai [26], Andrew
    148 Lewman [27], Sherief Alaa [28], Kelley Misata [29], Matt Pagan [30], and
    149 Andrea Shepard [31].
    150 
    151   [20] https://lists.torproject.org/pipermail/tor-reports/2013-June/000262.html
    152   [21] https://lists.torproject.org/pipermail/tor-reports/2013-June/000263.html
    153   [22] https://lists.torproject.org/pipermail/tor-reports/2013-July/000264.html
    154   [23] https://lists.torproject.org/pipermail/tor-reports/2013-July/000266.html
    155   [24] https://lists.torproject.org/pipermail/tor-reports/2013-July/000267.html
    156   [25] https://lists.torproject.org/pipermail/tor-reports/2013-July/000268.html
    157   [26] https://lists.torproject.org/pipermail/tor-reports/2013-July/000269.html
    158   [27] https://lists.torproject.org/pipermail/tor-reports/2013-July/000270.html
    159   [28] https://lists.torproject.org/pipermail/tor-reports/2013-July/000271.html
    160   [29] https://lists.torproject.org/pipermail/tor-reports/2013-July/000272.html
    161   [30] https://lists.torproject.org/pipermail/tor-reports/2013-July/000273.html
    162   [31] https://lists.torproject.org/pipermail/tor-reports/2013-July/000276.html
    163 
    164 Tor on StackExchange
    165 --------------------
    166 
    167 The proposed StackExchange Q&A page for Tor [32] has left the “initial
    168 definition” stage and has entered the “commitment” stage on Area 51.
    169 During this stage [33], interested users are asked to digitally “sign”
    170 the proposal with their name to help ensure the site will have an active
    171 community during its critical early days.
    172 
    173   [32] http://area51.stackexchange.com/proposals/56447/tor-online-anonymity-privacy-and-security
    174   [33] https://lists.torproject.org/pipermail/tor-talk/2013-June/028473.html
    175 
    176 Forensic analysis of the Tor Browser Bundle
    177 -------------------------------------------
    178 
    179 On Friday, June 28, Runa Sandvik published Tor Tech Report 2013-06-001,
    180 titled “Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and
    181 Windows” [34], as part of a deliverable project for two Tor sponsors.
    182 The report is a detailed write-up of the forensic experiments Sandvik
    183 has been documenting on her blog [35], the goal of which was “to
    184 identify traces left behind by the Tor Browser Bundle after extracting,
    185 using, and deleting the bundle”.
    186 
    187 In short, each platform indeed retains forensic traces of the existence
    188 of the Tor Browser Bundle. Many “are related to default operating system
    189 settings, some of which the bundle might not be able to remove. We
    190 therefore propose the creation of a document [36] which lists steps our
    191 users can take to mitigate these traces on the different operating
    192 systems.”
    193 
    194 Of course, Tor Browser Bundle users wishing to take immediate action to
    195 prevent the creation of forensic traces are not out of luck: “the
    196 easiest way to avoid leaving traces on a computer system is to use The
    197 Amnesiac Incognito Live System (Tails) [37].”
    198 
    199   [34] https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf
    200   [35] http://encrypted.cc/post/51552592311/forensic-analysis-of-tor-on-os-x
    201   [36] https://bugs.torproject.org/7033
    202   [37] https://tails.boum.org/
    203 
    204 Miscellaneous development news
    205 ------------------------------
    206 
    207 David Goulet is making good progress [38] on his rewrite of torsocks
    208 [39] and should have a beta ready in a couple of weeks. He awaits your
    209 code reviews, comments and contributions.
    210 
    211 Leo Unglaub ran into some trouble with a dependency just as he was about
    212 to publish the work-in-progress code for his Vidalia replacement [40].
    213 
    214 Nick Mathewson did some analysis on possible methods for reducing the
    215 volume of fetched directory information [41], by running some scripts
    216 over the last month of consensus directories.
    217 
    218   [38] https://lists.torproject.org/pipermail/tor-dev/2013-June/005069.html
    219   [39] https://lists.torproject.org/pipermail/tor-dev/2013-June/004959.html
    220   [40] https://lists.torproject.org/pipermail/tor-dev/2013-June/005084.html
    221   [41] https://bugs.torproject.org/7009
    222 
    223 A vulnerability affecting microdescriptors in Tor?
    224 --------------------------------------------------
    225 
    226 On Friday, June 28 an anonymous individual contacted Tor developers over
    227 Twitter [41] claiming to have found a vulnerability in the way
    228 microdescriptors are validated by Tor clients which would allow
    229 “determination of the source and end-point of a given [victim’s] tor
    230 connection with little more than a couple relays and some rogue
    231 directory authorities [both controlled by the adversary].” [42]
    232 
    233 Detailed testing by Nick Mathewson [42,43] could not reproduce the
    234 behavior in the Tor client that was claimed to enable such an attack.
    235 After a lengthy Twitter debate with Mathewson, the reporter disappeared,
    236 no bugs have been filed, and it appears the vulnerability was nothing of
    237 the sort.  Without being able to verify the existence of the claimed vulnerability, Mathewson
    238 concluded that the reporter’s described attack was equivalent “at worst…
    239 to the ‘request filtering’ attack… which has defenses” [45].
    240 
    241 The issue was also mentioned (and likewise dismissed) on the security
    242 mailing list, Full Disclosure [46].
    243 
    244 For anyone interested in reporting vulnerabilities in Tor software,
    245 please avoid following that example. Until a process gets
    246 documented [47], the best way to report the discovery of a vulnerability
    247 is to get in touch with one of the Tor core developers using encrypted
    248 email.
    249 
    250   [41] https://twitter.com/ewrwerwtretetet/status/350815079882686464
    251   [42] http://pastebin.com/pRiMx0CW
    252   [43] https://lists.torproject.org/pipermail/tor-talk/2013-June/028699.html
    253   [44] https://lists.torproject.org/pipermail/tor-talk/2013-June/028700.html
    254   [45] https://lists.torproject.org/pipermail/tor-talk/2013-June/028701.html
    255   [46] http://seclists.org/fulldisclosure/2013/Jun/245
    256   [47] https://bugs.torproject.org/9186
    257 
    258 Upcoming events
    259 ---------------
    260 
    261 Jul  6-11 | Lunar @ LSM 2013
    262           | Brussels, Belgium
    263           | https://2013.rmll.info/
    264           |
    265 Jul 10-12 | Tor at Privacy Enhancing Technology Symposium
    266           | Bloomington, Indiana, USA
    267           | http://petsymposium.org/2013/
    268           |
    269 Jul 22-26 | Tor annual dev. meeting
    270           | München, Germany
    271           | https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting
    272           |
    273 Jul 31-05 | Tor at OHM
    274           | Geestmerambacht, Netherlands
    275           | https://ohm2013.org/
    276 
    277 
    278 
    279 This issue of Tor Weekly News has been assembled by Lunar, dope457,
    280 moskvax, Mike Perry, Nick Mathewson, mttp, and luttigdev.
    281 
    282 Want to continue reading TWN? Please help us create this newsletter.
    283 We still need more volunteer writers who watch the Tor community
    284 and report about what is going on. Please see the project page [48]
    285 and write down your name if you want to get involved!
    286 
    287   [48] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    288 }}}
     5'''Status:''' ''[https://lists.torproject.org/pipermail/tor-talk/2013-July/028770.html Sent!]''
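Review bot: the body this revision removes (old lines 6-288) went out with a reference-numbering clash that the new status line now points readers at: [41] is assigned to two different URLs (https://bugs.torproject.org/7009 at old line 221, cited from old line 215, and the Twitter status at old line 250, cited from old line 227), and [44] is listed at old line 253 but never cited in the text, which cites [42,43] and then jumps to [45]. Since the wiki copy is gone after this change, check the sent copy linked from new line 5 and, if it carries the same numbering, put a one-line correction in next week's issue (the wiki link at old line 5 already names that page). Old line 237 also runs well past the 72-column wrap used everywhere else in the plain-text body; worth a rewrap in the template before the next issue is frozen.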