Version 42 (modified by lunar, 5 years ago) (diff)

more monthly reports

Very first edition of Tor Weekly News. Covering what's happening since June 26th, 2013. To be released on July 3rd, 2013.

Editor for this week: Lunar

Subject: Tor Weekly News — July 3rd, 2013

Tor Weekly News                           June 26, 2013 - July 3rd, 2013

Welcome to the very first issue of Tor Weekly News, the weekly
newsletter meant to cover what is happening in the vibrant Tor

Fully Deterministic, Independently Reproduced Builds of Tor Browser Bundle

Mike Perry, Linus Nordberg and Georg Koppen each independently built
identical binaries of the Tor Browser Bundle 3.0 alpha 2 release [X],
using the Gitian-based build system first adopted for the release of 3.0 
alpha 1.[X]  This work represents a major improvement in the security of the
Tor software build and distribution processes against targeted attacks.
The motivations and the technical details for this work will appear in a
pair of future blog posts.

Minor progress on datagram-based transport

As Steven Murdoch explained in 2011, in the current implementation of
Tor, “when a packet gets dropped or corrupted on a link between two Tor
nodes, […], all circuits passing through this pair of nodes will be
stalled, not only the circuit corresponding to the packet which was
dropped.” [1] This is because traffic from multiple circuits heading into
an OR node are multiplexed by default into a single TCP connection.
However, when the reliability and congestion control requirements of TCP
streams are enforced by the operating system on this multiplexed
connection, a situation is created in which one poor quality circuit can
disproportionately slow down the rest.

Such a shortcoming could be worked around by migrating Tor from TCP to a
datagram-based transport protocol. Nick Mathewson opened #9165 [2] to
track progress on the matter.

Late last year, Steven Murdoch began an experimental Tor branch using
uTP[3], a protocol “which provides reliable, ordered delivery
while maintaining minimum extra delay”, and is already used by uTorrent
for peer-to-peer connections [4].  Nick Mathewson finally got to review
his work and wrote several comments on #9166 [5]. The code isn't
close to production-quality right now; it is just good enough for performance



Yawning Angel sent out a request for comments [6] on the very first
release of `obfsproxyssh` [7], a pluggable transport that uses the ssh
wire protocol to hide Tor traffic.  Its behavior would appear to
potential eavesdroppers to be “identical to a user sshing to a host,
authenticating with a RSA public/private key pair and opening a
direct-tcp channel to the ORPort of the bridge.”

The announcement contains several open issues and questions.  Feel free
to have a look and voice your comments!


Crowdfunding for Tor exit relays and bridges

Moritz Bartl announced [8] that he has started a crowdfunding campaign
for Tor exit relays and bridges.

The donations will be distributed equally among all
partner organizations (Zwiebelfreunde e.V., DFRI, Nos Oignons, Swiss
Privacy Foundation, Frënn vun der Ënn and NoiseTor).

For a faster and better network, chip in and spread the word!


Tails 0.19 is out, new stable Tor Browser Bundles

On Wednesday, June 26, two of the most popular Tor projects both made new
releases: the Tor Browser Bundle, and Tails, The Amnesiac Incognito Live
System. Users are encouraged to upgrade as soon as possible.

The stable Tor Browser Bundle was updated to version 2.3.25-10 [10], and
includes fixes from upstream Firefox 17.0.7esr. Tails 0.19 [9] includes
the new stable Tor Browser, along with an updated 3.9.5 kernel and minor
security improvements to wireless, GNOME and GnuPG defaults.


Jenkins + Stem catching their first regression

Quoting Damian Johnson's June status report [16]: “Our automated Jenkins
test runs caught their first instance of tor regression. This concerned
LOADCONF's behavior after merging a branch for ticket #6752”. A bug [11]
was opened after Damian properly identified the issue.


First round of reports from GSoC projects

Johannes Fürmann reported [12] on his project, a virtual network
environment intended to simulate censorship for OONI (dubbed "Evil
Genius", after Descartes). Hareesan reported [13] on the steganography
browser addon.  Cristian-Matei Toader is working [14] on adding
capabilities-based sandboxing to Tor on Linux, using the kernel's seccomp
syscall filtering mechanism. Chang Lan implemented [15] a HTTP
proxy-based transport using CONNECT as the first step in his efforts to
implement a general Tor-over-HTTP pluggable transport.


Monthly status reports for June 2013

The wave of regular monthly reports from Tor members for the month of
June has begun.  Damian Johnson's was the first [16], followed by Philipp
Winter's [17], Colin C.'s [18], Nick Mathewson [19], Lunar [20], Moritz
Bartl [21], Jason Tsai [22], Andrew Lewman [23], Sherief Alaa [24] and
Kelley Misata [25], Matt Pagan [26], Andrea Shepard [27].


Tor on StackExchange

The proposed StackExchange Q&A page for Tor has left the "initial
definition" stage and has entered the "commitment" stage on Area 51.[19] During this
stage, interested users are asked to digitally "sign" the proposal with
their full name to help ensure the site will have an active community
during its critical early days.[20] 


Forensic analysis of the Tor Browser Bundle

Forensic analysis of the Tor Browser Bundle on OS X, Linux, and Windows by Runa Sandvik. [21]
"We made a decision to only consider traces left by the Tor Browser Bundle after the bundle had been deleted and the
system had been completely shut down."


Miscellaneous development news

David Goulet has made good progress on his rewrite of torsocks [X] and
should have a beta ready in a couple of weeks. He awaits your review,
comments, and contributions.

Leo Unglaub ran into some trouble with a dependency while publishing
the work-in-progress code for his Vidalia replacement [Z]. He is working on
replacing the dependency.

Nick Mathewson did some analysis on possible methods for reducing the volume
of fetched directory information, by running some scripts over the last month
of consensus directories. [CD]


A Tor protocol vulnerability?

An anonymous individual contacted Tor developers on Twitter to report a
claimed vulnerability in the way microdescriptors are validated by Tor
clients. It was claimed this vulnerability allows "determination of the
source and end-point of a given tor connection with little more than a
couple relays and some rogue directory authorities." [X] Nick Mathewson
[X] explained at length how this observation was flawed, reducing "at
worst... to the "request filtering" attack... which has defenses" (see
[Y] for the best summary).

The issue was also mentioned (and likewise dismissed) on the security mailing list, Full
Disclosure. [X] For anyone interested in reporting vulnerabilities
in Tor software, please avoid following that example. Until a process
gets documented [PROCESS], the best way to report the discovery of a
vulnerability is to get in touch with one of the Tor core developers
using encrypted email.


Upcoming events

Jul  6-11 | Lunar @ LSM 2013
          | Brussels, Belgium
Jul 10-12 | Tor at Privacy Enhancing Technology Symposium
          | Bloomington, Indiana, USA
Jul 22-26 | Tor annual dev. meeting
          | München, Germany
Jul 31-05 | Tor at OHM
          | Geestmerambacht, Netherlands
Aug 1-4   | Runa Sandvik @ DEF-CON 21
          | Rio Hotel, Las Vegas, USA
Aug 13    | Roger @ FOCI '13,
          | Washington, D.C., USA

This issue of Tor Weekly News has been assembled by Lunar, dope457,
moskvax, Mike Perry, Nick Mathewson, mttp, and luttigdev.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteer writers who watch the Tor community
and report about what is going on. Please see the project page [XXX]
and write down your name if you want to get involved!