Changes between Version 69 and Version 70 of TorWeeklyNews/2013/10


Timestamp: Sep 11, 2013, 3:25:37 PM (6 years ago)
Author: lunar
Comment: sent!

  • TorWeeklyNews/2013/10

    v69 v70  
    33'''Editor:''' Lunar
    44
    5 '''Status:''' '''FROZEN'''. New items should go to [wiki:TorWeeklyNews/2013/11 next week edition]. Expected release time 2013-09-11 12:00 UTC. ''
    6 
    7 '''Subject:''' Tor Weekly News — September, 11th 2013
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                     September 11th, 2013
    12 ========================================================================
    13 
    14 Welcome to the eleventh issue of Tor Weekly News, the weekly newsletter
    15 that covers what is happening in the taut Tor community.
    16 
    17 tor 0.2.4.17-rc is out
    18 ----------------------
    19 
    20 There are now confirmations [1] that the sudden influx of Tor clients
    21 which started mid-August [2] is indeed coming from a botnet. “I guess
    22 all that work we’ve been doing on scalability was a good idea,” wrote
    23 Roger Dingledine in a blog post about “how to handle millions of
    24 new Tor clients” [3].
    25 
    26 On September 5th, Roger Dingledine announced the release of the third
    27 release candidate for the tor 0.2.4 series [4]. This is an emergency
    28 release “to help us tolerate the massive influx of users: 0.2.4 clients
    29 using the new (faster and safer) ‘NTor’ circuit-level handshakes now
    30 effectively jump the queue compared to the 0.2.3 clients using ‘TAP’
    31 handshakes” [5].
    32 
    33 It also contains several minor bugfixes and some new status messages for
    34 better monitoring of the current situation.
    35 
    36 Roger asked relay operators to upgrade to 0.2.4.17-rc [6]: “the more
    37 relays that upgrade to 0.2.4.17-rc, the more stable and fast Tor will be
    38 for 0.2.4 users, despite the huge circuit overload that the network is
    39 seeing.”
    40 
    41 For relays running Debian or Ubuntu, upgrading to the development branch
    42 can be done using the Tor project’s package repository [7]. New versions
    43 of the beta branch of the Tor Browser Bundle are also available [8]
    44 since September 6th. The next Tails release, scheduled for September
    45 19th [9] will also contain 0.2.4.17-rc [10].
    46 
    47 Hopefully, this will be the last release candidate. What looks missing
    48 at this point to declare the 0.2.4.x series stable is simply enough time
    49 to finish the release notes.
    50 
    51    [1] http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/
    52    [2] https://lists.torproject.org/pipermail/tor-talk/2013-September/029822.html
    53    [3] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
    54    [4] https://lists.torproject.org/pipermail/tor-talk/2013-September/029857.html
    55    [5] https://bugs.torproject.org/9574
    56    [6] https://lists.torproject.org/pipermail/tor-relays/2013-September/002701.html
    57    [7] https://www.torproject.org/docs/debian.html.en#development
    58    [8] https://blog.torproject.org/blog/new-tor-02417-rc-packages
    59    [9] https://mailman.boum.org/pipermail/tails-dev/2013-September/003622.html
    60   [10] https://mailman.boum.org/pipermail/tails-dev/2013-September/003621.html
    61 
    62 The future of Tor cryptography
    63 ------------------------------
    64 
    65 After the last round of revelations from Edward Snowden, described as
    66 “explosive” by Bruce Schneier [11], several threads started on the
    67 tor-talk mailing list to discuss Tor cryptography.
    68 
    69 A lot of what has been written is speculative at this point. But some
    70 have raised concerns [12] about 1024 bit Diffie-Hellman key
    71 exchange [13]. This has already been addressed with the introduction of
    72 the “ntor” handshake [14] in 0.2.4 and Nick Mathewson encourages
    73 everybody to upgrade [15].
    74 
    75 Another thread [16] prompted Nick to summarize [17] his views on the
    76 future of Tor cryptography. Regarding public keys, “with Tor 0.2.4,
    77 forward secrecy uses 256-bit ECC, which is certainly better, but
    78 RSA-1024 is still used in some places for signatures.  I want to fix all
    79 that in 0.2.5 — see proposal 220 [18], and George Kadianakis’ draft
    80 hidden service improvements [19,20], and so forth.” Regarding symmetric
    81 keys, Nick wrote: “We’re using AES128. I’m hoping to move to XSalsa20
    82 or something like it.” In response to a query, Nick clarifies that he
    83 doesn’t think AES is broken: only hard to implement right, and only
    84 provided in TLS in concert with modes that are somewhat (GCM) or fairly
    85 (CBC) problematic.
    86 
    87 The effort to design better cryptography for the Tor protocols is not
    88 new. More than a year ago, Nick Mathewson presented proposal 202 [21]
    89 outlining two possible new relay encryption protocols for Tor cells.
    90 Nick mentioned that he’s waiting for a promising paper to get finished
    91 here before implementation.
    92 
    93 A third question was raised [22] regarding the trust in algorithms
    94 certified by the US NIST [23]. Nick's speculations put aside, he also
    95 emphasized that several NIST algorithms were “hard to implement
    96 correctly” [24].
    97 
    98 Nick also plans to change more algorithms [25]: “Over the 0.2.5 series,
    99 I want to move even more things (including hidden services) to
    100 curve25519 and its allies for public key crypto. I also want to add
    101 more hard-to-implement-wrong protocols to our mix: Salsa20 is looking
    102 like a much better choice to me than AES nowadays, for instance.”
    103 
    104 Nick concluded one of his emails with the words: “these are interesting times for
    105 crypto”, which sounds like a good way to put it.
    106 
    107   [11] https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
    108   [12] https://lists.torproject.org/pipermail/tor-talk/2013-September/029917.html
    109   [13] https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
    110   [14] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/216-ntor-handshake.txt
    111   [15] https://lists.torproject.org/pipermail/tor-talk/2013-September/029930.html
    112   [16] https://lists.torproject.org/pipermail/tor-talk/2013-September/029927.html
    113   [17] https://lists.torproject.org/pipermail/tor-talk/2013-September/029941.html
    114   [18] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/220-ecc-id-keys.txt
    115   [19] https://lists.torproject.org/pipermail/tor-dev/2013-August/005279.html
    116   [20] https://lists.torproject.org/pipermail/tor-dev/2013-August/005280.html
    117   [21] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/202-improved-relay-crypto.txt
    118   [22] https://lists.torproject.org/pipermail/tor-talk/2013-September/029933.html
    119   [23] https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
    120   [24] https://lists.torproject.org/pipermail/tor-talk/2013-September/029937.html
    121   [25] https://lists.torproject.org/pipermail/tor-talk/2013-September/029929.html
    122 
    123 Toward a better performance measurement tool
    124 --------------------------------------------
    125 
    126 “I just finished […] sketching out the requirements and a software
    127 design for a new Torperf implementation“ announced Karsten Loesing [26]
    128 on the tor-dev mailing list.
    129 
    130 The report begins with: “Four years ago, we presented a simple tool to
    131 measure performance of the Tor network. This tool, called Torperf,
    132 requests static files of three different sizes over the Tor network and
    133 logs timestamps of various request substeps. These data turned out to be
    134 quite useful to observe user-perceived network performance over
    135 time [27]. However, static file downloads are not the typical use case
    136 of a user browsing the web using Tor, so absolute numbers are not very
    137 meaningful. Also, Torperf consists of a bunch of shell scripts which
    138 makes it neither very user-friendly to set up and run, nor extensible to
    139 cover new use cases.”
    140 
    141 The specification lays out the various requirements for the new tool, and
    142 details several experiments like visiting high profile websites with an
    143 automated graphical web browser, downloading static files, crafting a
    144 canonical web page, measuring hidden service performance, and checking
    145 on upload capacity.
    146 
    147 Karsten added “neither the requirements nor the software design are set
    148 in stone, and the implementation, well, does not exist yet. Plenty of
    149 options for giving feedback and helping out, and most parts don’t even
    150 require specific experience with hacking on Tor. Just in case somebody’s
    151 looking for an introductory Tor project to hack on.”
    152 
    153 Saytha already wrote that this was enough material to get the
    154 implementation started [28]. The project needs enough work that anyone
    155 interested should get involved. Feel free to join him!
    156 
    157   [26] https://lists.torproject.org/pipermail/tor-dev/2013-September/005386.html
    158   [27] https://metrics.torproject.org/performance.html
    159   [28] https://lists.torproject.org/pipermail/tor-dev/2013-September/005388.html
    160 
    161 More monthly status reports for August 2013
    162 -------------------------------------------
    163 
    164 The wave of regular monthly reports from Tor project members continued
    165 this week with Sukhbir Singh [29], Matt Pagan [30], Ximin Luo [31],
    166 mrphs [32], Pearl Crescent [33], Andrew Lewman [34], Mike Perry [35],
    167 Kelley Misata [36], Nick Mathewson [37], Jason Tsai [38], Tails [39],
    168 Aaron [40], and Damian Johnson [41].
    169 
    170   [29] https://lists.torproject.org/pipermail/tor-reports/2013-September/000326.html
    171   [30] https://lists.torproject.org/pipermail/tor-reports/2013-September/000327.html
    172   [31] https://lists.torproject.org/pipermail/tor-reports/2013-September/000328.html
    173   [32] https://lists.torproject.org/pipermail/tor-reports/2013-September/000329.html
    174   [33] https://lists.torproject.org/pipermail/tor-reports/2013-September/000330.html
    175   [34] https://lists.torproject.org/pipermail/tor-reports/2013-September/000331.html
    176   [35] https://lists.torproject.org/pipermail/tor-reports/2013-September/000332.html
    177   [36] https://lists.torproject.org/pipermail/tor-reports/2013-September/000333.html
    178   [37] https://lists.torproject.org/pipermail/tor-reports/2013-September/000334.html
    179   [38] https://lists.torproject.org/pipermail/tor-reports/2013-September/000335.html
    180   [39] https://lists.torproject.org/pipermail/tor-reports/2013-September/000336.html
    181   [40] https://lists.torproject.org/pipermail/tor-reports/2013-September/000337.html
    182   [41] https://lists.torproject.org/pipermail/tor-reports/2013-September/000338.html
    183 
    184 Miscellaneous news
    185 ------------------
    186 
    187 Not all new Tor users are computer programs! According to their latest
    188 report [42], Tails is now booted twice as much as it was six months ago (from
    189 100,865 to 190,521 connections to the security feed).
    190 
    191   [42] https://lists.torproject.org/pipermail/tor-reports/2013-September/000336.html
    192 
    193 Thanks to Frenn vun der Enn [43] for setting up a new mirror [44] of the
    194 Tor project website.
    195 
    196   [43] http://enn.lu/
    197   [44] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000351.html
    198 
    199 With the Google Summer of Code ending in two weeks, the students have
    200 sent their penultimate reports: Kostas Jakeliunas for the
    201 Searchable metrics archive [45], Johannes Fürmann for EvilGenius [46],
    202 Hareesan for the Steganography Browser Extension [47], and
    203 Cristian-Matei Toader for Tor capabilities [48].
    204 
    205   [45] https://lists.torproject.org/pipermail/tor-dev/2013-September/005380.html
    206   [46] https://lists.torproject.org/pipermail/tor-dev/2013-September/005394.html
    207   [47] https://lists.torproject.org/pipermail/tor-dev/2013-September/005409.html
    208   [48] https://lists.torproject.org/pipermail/tor-dev/2013-September/005412.html
    209 
    210 Damian Johnson announced [49] that he had completed the rewrite of DocTor in
    211 Python [50], “a service that pulls hourly consensus information and
    212 checks it for a host of issues (directory authority outages, expiring
    213 certificates, etc). In the case of a problem it notifies
    214 tor-consensus-health@ [51], and we in turn give the authority operator a
    215 heads up.”
    216 
    217   [49] https://lists.torproject.org/pipermail/tor-reports/2013-September/000338.html
    218   [50] https://gitweb.torproject.org/doctor.git
    219   [51] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-consensus-health
    220 
    221 Matt Pagan has migrated [52] several Frequently-Asked Questions from the
    222 wiki to the official Tor website [53]. This should enable more users to
    223 find the answers they need!
    224 
    225   [52] https://svn.torproject.org/cgi-bin/viewvc.cgi/Tor?view=revision&revision=26333
    226   [53] https://www.torproject.org/docs/faq.html
    227 
    228 In his previous call for help to collect more statistics [54], addressed
    229 to bridge operators, George Kadianakis forgot to mention that an extra
    230 line with “ExtORPort 6669” needed to be added to the tor configuration
    231 file [55]. Make sure you do have it if you are running a bridge on the tor
    232 master branch.
    233 
    234   [54] https://lists.torproject.org/pipermail/tor-relays/2013-August/002477.html
    235   [55] https://lists.torproject.org/pipermail/tor-relays/2013-September/002691.html
    236 
    237 For the upgrade of tor to the 0.2.4.x series in Tails, a tester spotted
    238 a regression while “playing with an ISO built from experimental, thanks
    239 to our Jenkins autobuilder” [56]. This marks a significant milestone in
    240 the work on automated builds [57] done by several members of the
    241 Tails team in the course of the last year!
    242 
    243   [56] https://mailman.boum.org/pipermail/tails-dev/2013-September/003617.html
    244   [57] https://labs.riseup.net/code/issues/5324
    245 
    246 Tails' next 'low-hanging fruit' session will be on September 21st at
    247 08:00 UTC [58]. Mark the date if you want to get involved!
    248 
    249   [58] https://mailman.boum.org/pipermail/tails-dev/2013-September/003566.html
    250 
    251 David Fifield gave some tips on how to setup a test infrastructure [59]
    252 for flash proxy [60].
    253 
    254   [59] https://lists.torproject.org/pipermail/tor-dev/2013-September/005402.html
    255   [60] https://crypto.stanford.edu/flashproxy/
    256 
    257 Marek Majkowski reported [61] on how one can use his fluxcapacitor
    258 tool [62] to get a test Tor network started with Chutney [63] ready in
    259 only 6.5 seconds. A vast improvement over the 5 minutes he initially had
    260 to wait [64]!
    261 
    262   [61] https://lists.torproject.org/pipermail/tor-dev/2013-September/005403.html
    263   [62] https://github.com/majek/fluxcapacitor.git
    264   [63] https://gitweb.torproject.org/chutney.git
    265   [64] https://lists.torproject.org/pipermail/tor-dev/2013-September/005413.html
    266 
    267 Eugen Leitl drew attention [65] to a new research paper which aims to
    268 analyze the content and popularity of Hidden Services by Alex Biryukov, Ivan
    269 Pustogarov, and Ralf-Philipp Weinmann from the University of
    270 Luxembourg [66].
    271 
    272   [65] https://lists.torproject.org/pipermail/tor-talk/2013-September/029856.html
    273   [66] http://cryptome.org/2013/09/tor-analysis-hidden-services.pdf
    274 
    275 Tor Help Desk roundup
    276 ---------------------
    277 
    278 The Tor help desk had a number of emails this week asking about the
    279 recent stories in the New York Times, the Guardian, and ProPublica
    280 regarding NSA’s cryptographic capabilities. Some users asked whether
    281 there was a backdoor in Tor. Others asked if Tor’s crypto was broken.
    282 
    283 There is absolutely no backdoor in Tor. Tor project members have been
    284 vocal in the past about how tremendously irresponsible it would be to
    285 backdoor our users [67]. As it is a frequently-asked question, users
    286 have been encouraged to read how the project would respond to
    287 institutional pressure [68].
    288 
    289 The Tor project does not have any more facts about NSA’s cryptanalysis
    290 capabilities than what has been published in newspapers. Even if there
    291 is no actual evidence that Tor encryption is actually broken, the idea
    292 is to remain on the safe side by using more trusted algorithms for the Tor
    293 protocols. See above for a more detailed write-up.
    294 
    295   [67] https://blog.torproject.org/blog/calea-2-and-tor
    296   [68] http://www.torproject.org/docs/faq.html.en#Backdoor
    297 
    298 Help the Tor community!
    299 -----------------------
    300 
    301 Tor is about protecting everyone’s freedom and privacy. There are many
    302 ways to help [69] but getting involved in such a busy community can be
    303 daunting. Here’s a selection of tasks on which one could get started:
    304 
    305 Get tor to log the source of control port connections [70]. It would help
    306 in developing controller applications or libraries (like Stem [71]) to
    307 know which program is responsible for a given access to the control
    308 facilities of the tor daemon. Knowledge required: C programming, basic
    309 understanding of network sockets.
    310 
    311 Diagnose what is currently wrong with Tor Cloud images [72]. Tor
    312 Cloud [73] is an easy way to deploy bridges and it looks like the
    313 automatic upgrade procedure caused problems. Let’s make these virtual
    314 machines useful again for censored users. Knowledge required: basic
    315 understanding of Ubuntu system administration.
    316 
    317   [69] https://www.torproject.org/getinvolved/volunteer.html.en
    318   [70] https://bugs.torproject.org/9698
    319   [71] https://stem.torproject.org/
    320   [72] https://lists.torproject.org/pipermail/tor-dev/2013-September/005417.html
    321   [73] https://cloud.torproject.org/
    322 
    323 Upcoming events
    324 ---------------
    325 
    326 Sep 29    | Colin at the Winnipeg Cryptoparty
    327           | Winnipeg, Manitoba, Canada
    328           | http://wiki.skullspace.ca/index.php/CryptoParty
    329           |
    330 Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV
    331           | Berlin, Germany
    332           | https://www.openitp.org/openitp/circumvention-tech-summit.html
    333           |
    334 Oct 09-10 | Andrew speaking at Secure Poland 2013
    335           | Warszawa, Poland
    336           | http://www.secure.edu.pl/
    337 
    338 
    339 This issue of Tor Weekly News has been assembled by Lunar, dope457,
    340 mttp, malaparte, and Nick Mathewson.
    341 
    342 Want to continue reading TWN? Please help us create this newsletter.
    343 We still need more volunteers to watch the Tor community and report
    344 important news. Please see the project page [74], write down your
    345 name and subscribe to the team mailing list [75] if you want to
    346 get involved!
    347 
    348   [74] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    349   [75] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    350 }}}
     5'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2013-September/000011.html Sent!]
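
Review bot: the new '''Status:''' line at v70 line 5 is the only identifying text left after '''Editor:''', because the '''Subject:''' line (v69 line 7) is removed together with the {{{ }}} body, so the page no longer states which issue or date it covers unless the reader follows the archive link. Consider keeping the Subject line next to the "Sent!" link. If it is kept, its date form "September, 11th 2013" differs from the body header's "September 11th, 2013" (v69 line 11) and should be brought in line with it.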