
Version 40 (modified by luttigdev, 5 years ago)

--

Very first edition of Tor Weekly News. Covering what's happening since June 26th, 2013. To be released on July 3rd, 2013.

Editor for this week: Lunar

Subject: Tor Weekly News — July 3rd, 2013

========================================================================
Tor Weekly News                           June 26, 2013 - July 3rd, 2013
========================================================================

Welcome to the very first issue of Tor Weekly News, the weekly
newsletter meant to cover what is happening in the vibrant Tor
community.

Fully Deterministic, Independently Reproduced Builds of Tor Browser Bundle
--------------------------------------------------------------------------

Mike Perry, Linus Nordberg and Georg Koppen each independently built
identical binaries of the Tor Browser Bundle 3.0 alpha 2 release [X],
using the Gitian-based build system first adopted for the release of 3.0
alpha 1 [X]. This work represents a major improvement in the security of the
Tor software build and distribution processes against targeted attacks:
a compromise of any single build machine can no longer silently alter the
binaries that users download. The motivations and the technical details
for this work will appear in a pair of future blog posts.

Minor progress on datagram-based transport
------------------------------------------

As Steven Murdoch explained in 2011, in the current implementation of
Tor, “when a packet gets dropped or corrupted on a link between two Tor
nodes, […], all circuits passing through this pair of nodes will be
stalled, not only the circuit corresponding to the packet which was
dropped.” [1] This is because traffic from multiple circuits heading into
an OR node is multiplexed by default into a single TCP connection.
Because the operating system enforces TCP's reliability and in-order
delivery on this one multiplexed connection, a single loss on one poor
quality circuit holds back every cell queued behind it, and that circuit
can disproportionately slow down the rest.

Such a shortcoming could be worked around by migrating Tor from TCP to a
datagram-based transport protocol. Nick Mathewson opened #9165 [2] to
track progress on the matter.

Late last year, Steven Murdoch began an experimental Tor branch using
uTP [3], a protocol “which provides reliable, ordered delivery
while maintaining minimum extra delay”, and is already used by uTorrent
for peer-to-peer connections [4]. Nick Mathewson finally got to review
his work and wrote several comments on #9166 [5]. The code isn't
close to production-quality right now; it is just good enough for performance
testing.

 [1] https://blog.torproject.org/blog/moving-tor-datagram-transport
 [2] https://bugs.torproject.org/9165
 [3] https://gitweb.torproject.org/sjm217/tor.git/shortlog/refs/heads/utp
 [4] http://www.bittorrent.org/beps/bep_0029.html
 [5] https://bugs.torproject.org/9166
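The head-of-line blocking described above, as a small added simulation (this is example code written for this summary, not code from the Tor source tree or from Steven Murdoch's branch). Cells from three constructed circuits share one link; when one cell is lost, a single in-order TCP stream holds back every later cell from every circuit, while per-circuit ordering (what a datagram transport could give each circuit) holds back only the affected circuit.

```python
"""Toy model of head-of-line blocking on a multiplexed Tor link.

Added example, not Tor code.  Cell names and circuit ids are constructed.
"""

# Constructed sample: (circuit_id, cell_name) in the order they enter the
# link between two relays.  Three circuits A, B and C share the link.
CELLS = [("A", "a1"), ("B", "b1"), ("A", "a2"), ("B", "b2"),
         ("C", "c1"), ("A", "a3"), ("B", "b3"), ("C", "c2")]


def deliver(cells, lost_index, shared_stream):
    """Simulate delivery after the cell at lost_index is dropped on the link.

    shared_stream=True  models today's Tor: one TCP connection carries all
                        circuits, so nothing sent after the lost cell can be
                        handed up until the retransmission arrives.
    shared_stream=False models per-circuit ordering: only cells belonging
                        to the circuit that lost a cell have to wait.
    Returns (stalled_circuits, delivered_cells) for the period before the
    retransmission arrives.
    """
    lost_circuit = cells[lost_index][0]
    stalled = {lost_circuit}          # the lost cell's own circuit always waits
    delivered = []
    for index, (circuit, cell) in enumerate(cells):
        if index == lost_index:
            continue                  # the dropped cell itself
        blocked = index > lost_index and (shared_stream or circuit == lost_circuit)
        if blocked:
            stalled.add(circuit)
        else:
            delivered.append(cell)
    return stalled, delivered


def collateral_stalls(cells, lost_index):
    """Number of circuits stalled by a loss on a *different* circuit,
    as a (shared TCP stream, per-circuit ordering) pair."""
    lost_circuit = cells[lost_index][0]
    shared, _ = deliver(cells, lost_index, shared_stream=True)
    per_circuit, _ = deliver(cells, lost_index, shared_stream=False)
    return len(shared - {lost_circuit}), len(per_circuit - {lost_circuit})


if __name__ == "__main__":
    for model in (True, False):
        stalled, ok = deliver(CELLS, 2, model)     # lose a2 on circuit A
        print("shared TCP stream" if model else "per-circuit ordering",
              "-> stalled:", sorted(stalled), "delivered:", ok)
    print("collateral stalls (shared, per-circuit):", collateral_stalls(CELLS, 2))
```

Losing cell a2 stalls B and C as well under the shared stream but only A under per-circuit ordering; losing the last cell on the link stalls nobody else under either model.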

obfsproxyssh
------------

Yawning Angel sent out a request for comments [6] on the very first
release of `obfsproxyssh` [7], a pluggable transport that uses the ssh
wire protocol to hide Tor traffic.  Its behavior would appear to
potential eavesdroppers to be “identical to a user sshing to a host,
authenticating with a RSA public/private key pair and opening a
direct-tcp channel to the ORPort of the bridge.”

The announcement contains several open issues and questions.  Feel free
to have a look and voice your comments!

 [6] https://lists.torproject.org/pipermail/tor-dev/2013-June/005083.html
 [7] https://github.com/Yawning/obfsproxyssh

Crowdfunding for Tor exit relays and bridges
--------------------------------------------

Moritz Bartl announced [8] that he has started a crowdfunding campaign
for Tor exit relays and bridges.

The donations will be distributed equally among all Torservers.net
partner organizations (Zwiebelfreunde e.V., DFRI, Nos Oignons, Swiss
Privacy Foundation, Frënn vun der Ënn and NoiseTor).

For a faster and better network, chip in and spread the word!

 [8] http://www.indiegogo.com/projects/tor-anti-censorship-and-anonymity-infrastructure/

Tails 0.19 is out, new stable Tor Browser Bundles
-------------------------------------------------

Last Wednesday, two of the most popular Tor projects both made new
releases: the Tor Browser Bundle, and Tails, The Amnesiac Incognito Live
System. Users are encouraged to upgrade as soon as possible.

The stable Tor Browser Bundle was updated to version 2.3.25-10 [10], and
includes fixes from upstream Firefox 17.0.7esr. Tails 0.19 [9] includes
the new stable Tor Browser, along with an updated 3.9.5 kernel and minor
security improvements to wireless, GNOME and GnuPG defaults.

 [9] https://tails.boum.org/news/version_0.19/
 [10] https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages

Jenkins + Stem catching their first regression
----------------------------------------------

Quoting Damian Johnson's June status report [16]: “Our automated Jenkins
test runs caught their first instance of tor regression. This concerned
LOADCONF's behavior after merging a branch for ticket #6752”. A bug [11]
was opened after Damian properly identified the issue.

 [11] https://bugs.torproject.org/9122

First round of reports from GSoC projects
-----------------------------------------

Johannes Fürmann reported [12] on his project, a virtual network
environment intended to simulate censorship for OONI (dubbed "Evil
Genius", after Descartes). Hareesan reported [13] on the steganography
browser addon. Cristian-Matei Toader is working [14] on adding
capabilities-based sandboxing to Tor on Linux, using the kernel's seccomp
syscall filtering mechanism. Chang Lan implemented [15] an HTTP
proxy-based transport using CONNECT as the first step in his efforts to
implement a general Tor-over-HTTP pluggable transport.

 [12] https://lists.torproject.org/pipermail/tor-dev/2013-June/005078.html
 [13] https://lists.torproject.org/pipermail/tor-dev/2013-June/005082.html
 [14] https://lists.torproject.org/pipermail/tor-dev/2013-June/005085.html
 [15] https://lists.torproject.org/pipermail/tor-dev/2013-June/005086.html

Monthly status reports for June 2013
------------------------------------

The wave of regular monthly reports from Tor members for the month of
June has begun. Damian Johnson's was the first [16], followed by Philipp
Winter's [17], Colin C.'s [18], Nick Mathewson's [19], Lunar's [20], Moritz
Bartl's [21], Jason Tsai's [22], Andrew Lewman's [23], Sherief Alaa's [24] and
Kelley Misata's [25].

 [16] https://lists.torproject.org/pipermail/tor-reports/2013-June/000262.html
 [17] https://lists.torproject.org/pipermail/tor-reports/2013-June/000263.html
 [18] https://lists.torproject.org/pipermail/tor-reports/2013-July/000264.html
 [19] https://lists.torproject.org/pipermail/tor-reports/2013-July/000266.html
 [20] https://lists.torproject.org/pipermail/tor-reports/2013-July/000267.html
 [21] https://lists.torproject.org/pipermail/tor-reports/2013-July/000268.html
 [22] https://lists.torproject.org/pipermail/tor-reports/2013-July/000269.html
 [23] https://lists.torproject.org/pipermail/tor-reports/2013-July/000270.html
 [24] https://lists.torproject.org/pipermail/tor-reports/2013-July/000271.html
 [25] https://lists.torproject.org/pipermail/tor-reports/2013-July/000272.html

Tor on StackExchange
--------------------

The proposed StackExchange Q&A page for Tor has left the "initial
definition" stage and has entered the "commitment" stage on Area 51 [19].
During this stage, interested users are asked to digitally "sign" the
proposal with their full name to help ensure the site will have an active
community during its critical early days [20].

 [19] http://area51.stackexchange.com/proposals/56447/tor-online-anonymity-privacy-and-security
 [20] https://lists.torproject.org/pipermail/tor-talk/2013-June/028473.html

Forensic analysis of the Tor Browser Bundle
-------------------------------------------

Runa Sandvik published a forensic analysis of the Tor Browser Bundle on
OS X, Linux, and Windows [21]. Quoting the report: "We made a decision to
only consider traces left by the Tor Browser Bundle after the bundle had
been deleted and the system had been completely shut down."

 [21] https://research.torproject.org/techreports/tbb-forensic-analysis-2013-06-28.pdf

Miscellaneous development news
------------------------------

David Goulet has made good progress on his rewrite of torsocks [X] and
should have a beta ready in a couple of weeks. He awaits your review,
comments, and contributions.

Leo Unglaub ran into some trouble with a dependency while publishing
the work-in-progress code for his Vidalia replacement [Z]. He is working on
replacing the dependency.

Nick Mathewson did some analysis on possible methods for reducing the volume
of directory information fetched by clients, by running some scripts over
the last month of consensus documents [CD].

 [X] https://lists.torproject.org/pipermail/tor-dev/2013-June/004959.html
 [Z] https://lists.torproject.org/pipermail/tor-dev/2013-June/005084.html
 [CD] https://trac.torproject.org/projects/tor/ticket/7009


A Tor protocol vulnerability?
-----------------------------

An anonymous individual contacted Tor developers on Twitter to report a
claimed vulnerability in the way microdescriptors are validated by Tor
clients. It was claimed this vulnerability allows "determination of the
source and end-point of a given tor connection with little more than a
couple relays and some rogue directory authorities." [X] Nick Mathewson
[X] explained at length how this observation was flawed, reducing "at
worst... to the "request filtering" attack... which has defenses" (see
[Y] for the best summary).

The issue was also mentioned (and likewise dismissed) on the Full
Disclosure security mailing list [X]. For anyone interested in reporting
vulnerabilities in Tor software, please avoid following that example.
Until a process gets documented [PROCESS], the best way to report the
discovery of a vulnerability is to get in touch with one of the Tor core
developers using encrypted email.

 [X] https://lists.torproject.org/pipermail/tor-qa/2013-June/000141.html
    https://archive.torproject.org/tor-package-archive/torbrowser/3.0a2/
 [X] https://lists.torproject.org/pipermail/tor-dev/2013-June/005069.html
 [X] https://lists.torproject.org/pipermail/tor-talk/2013-June/028699.html
    https://lists.torproject.org/pipermail/tor-talk/2013-June/028700.html
 [Y] https://lists.torproject.org/pipermail/tor-talk/2013-June/028701.html
    http://seclists.org/fulldisclosure/2013/Jun/245
    http://pastebin.com/pRiMx0CW
 [PROCESS] https://bugs.torproject.org/9186

Upcoming events
---------------

Jul  6-11 | Lunar @ LSM 2013
          | Brussels, Belgium
          | https://2013.rmll.info/
          |
Jul 10-12 | Tor at Privacy Enhancing Technology Symposium
          | Bloomington, Indiana, USA
          | http://petsymposium.org/2013/
          |
Jul 22-26 | Tor annual dev. meeting
          | München, Germany
          | https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting
          |
Jul 31-05 | Tor at OHM
          | Geestmerambacht, Netherlands
          | https://ohm2013.org/
          |
Aug 1-4   | Runa Sandvik @ DEF-CON 21
          | Rio Hotel, Las Vegas, USA
          | https://www.defcon.org/html/defcon-21/dc-21-index.html
          |
Aug 13    | Roger @ FOCI '13
          | Washington, D.C., USA
          | https://www.usenix.org/conference/foci13/



This issue of Tor Weekly News has been assembled by Lunar, dope457,
moskvax, Mike Perry, Nick Mathewson, mttp, and luttigdev.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteer writers who watch the Tor community
and report about what is going on. Please see the project page [XXX]
and write down your name if you want to get involved!

[XXX] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews