wiki:TorWeeklyNews/2013/10

Version 56 (modified by lunar, 6 years ago)

add credits

Eleventh issue of Tor Weekly News. Covering what's happening from September 4th, 2013 to September 10th, 2013. To be released on September 11th, 2013.

Editor:

Subject: Tor Weekly News — September, 11th 2013

========================================================================
Tor Weekly News                                     September 11th, 2013
========================================================================

Welcome to the eleventh issue of Tor Weekly News, the weekly newsletter that
covers what is happening in the Tor community.

Tor 0.2.4.17-rc is out
----------------------

There are now confirmations [XXX] that the sudden influx of Tor clients which
started mid-August [XXX] is indeed coming from a botnet. “I guess all that
work we've been doing on scalability was a good idea” wrote Roger
Dingledine in a blog post about “how to handle millions of new
Tor clients” [XXX].

On September 5th, Roger Dingledine announced the release of the third 
release candidate for the tor 0.2.4 series [XXX]. This is an emergency 
release “to help us tolerate the massive influx of users: 0.2.4 clients 
using the new (faster and safer) ‘NTor’ circuit-level handshakes now 
effectively jump the queue compared to the 0.2.3 clients using ‘TAP’ 
handshakes” [XXX].

It also contains several minor bugfixes and some new status messages for
better monitoring of the current situation.

Roger asked relay operators to upgrade to 0.2.4.17-rc [XXX]: “the more
relays that upgrade to 0.2.4.17-rc, the more stable and fast Tor will be
for 0.2.4 users, despite the huge circuit overload that the network is
seeing.”

For relays running Debian or Ubuntu, upgrading to the development branch 
can be done using the Tor project's package repository [XXX]. New 
versions of the beta branch of the Tor Browser Bundle are also 
available [XXX] since September 6th. The next Tails release, scheduled
for September 19th [XXX] will also contain 0.2.4.17-rc [XXX].

Hopefully, this will be the last release candidate. What looks missing 
at this point to declare the 0.2.4.x series stable is simply enough time
to finish the release notes.

  [XXX] http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029822.html
  [XXX] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029857.html
  [XXX] https://trac.torproject.org/projects/tor/ticket/9574
  [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-September/002701.html
  [XXX] https://www.torproject.org/docs/debian.html.en#development
  [XXX] https://blog.torproject.org/blog/new-tor-02417-rc-packages
  [XXX] https://mailman.boum.org/pipermail/tails-dev/2013-September/003622.html
  [XXX] https://mailman.boum.org/pipermail/tails-dev/2013-September/003621.html

The future of Tor cryptography
------------------------------

After the last round of revelations from Edward Snowden, described as
“explosive” by Bruce Schneier [XXX], several threads started on the
tor-talk mailing list to discuss Tor cryptography.

A lot of what has been written is speculative at this point. But some
have raised concerns [XXX] about 1024 bit Diffie-Hellman key exchange [XXX].
This has already been addressed with the introduction of the “ntor”
handshake [XXX] in 0.2.4, and Nick Mathewson encourages everybody to
upgrade [XXX].

Another thread [XXX] prompted Nick to summarize [XXX] his
views on the future of Tor cryptography. Regarding public keys, “with
Tor 0.2.4, forward secrecy uses 256-bit ECC, which is certainly
better, but RSA-1024 is still used in some places for signatures.
I want to fix all that in 0.2.5 — see proposal 220 [XXX], and George
Kadianakis’ draft hidden service improvements [XXX,XXX], and so forth.”
Regarding symmetric keys, Nick wrote: “We’re using AES128.  I’m hoping
to move to XSalsa20 or something like it.” In response to a query, Nick
clarified that he doesn't think AES is broken, only hard to implement right,
and only provided in TLS in concert with modes that are somewhat (GCM)
or fairly (CBC) problematic.

The effort to design better cryptography for the Tor protocols is not
new. More than a year ago, Nick Mathewson presented proposal 202 [XXX]
outlining two possible new relay encryption protocols for Tor cells. Nick
mentioned that he's waiting for a promising paper to get finished here
before implementation.

A third question was raised [XXX] regarding the trust in algorithms
certified by the US NIST [XXX]. Leaving speculation aside, Nick
emphasised that several NIST algorithms were “hard to implement
correctly” [XXX].

Nick also plans to change more algorithms [XXX]: “Over the 0.2.5
series, I want to move even more things (including hidden services) to
curve25519 and its allies for public key crypto.  I also want to add
more hard-to-implement-wrong protocols to our mix: Salsa20 is looking
like a much better choice to me than AES nowadays, for instance.”

Nick concluded one of his emails with “these are interesting times for
crypto”. It sounds like a good way to put it.

  [XXX] https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029917.html
  [XXX] https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
  [XXX] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/216-ntor-handshake.txt
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029930.html
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029927.html
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029941.html
  [XXX] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/220-ecc-id-keys.txt
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-August/005279.html
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-August/005280.html
  [XXX] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/202-improved-relay-crypto.txt
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029933.html
  [XXX] https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029937.html
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029929.html

Toward a better performance measurement tool
--------------------------------------------

“I just finished […] sketching out the requirements and a software design
for a new Torperf implementation” announced Karsten Loesing [XXX] on
the tor-dev mailing list.

The report begins with: “Four years ago, we presented a simple tool to
measure performance of the Tor network.  This tool, called Torperf,
requests static files of three different sizes over the Tor network and
logs timestamps of various request substeps. These data turned out to be
quite useful to observe user-perceived network performance over 
time [XXX]. However, static file downloads are not the typical use case
of a user browsing the web using Tor, so absolute numbers are not very
meaningful. Also, Torperf consists of a bunch of shell scripts which
makes it neither very user-friendly to set up and run, nor extensible to
cover new use cases.”

The specification lays out the various requirements for the new tool, and
details several experiments like visiting high profile websites with an
automated graphical web browser, downloading static files, crafting a
canonical web page, measuring hidden service performance, and checking
on upload capacity.

Karsten added “neither the requirements nor the software design 
are set in stone, and the implementation, well, does not exist yet.
Plenty of options for giving feedback and helping out, and most parts
don't even require specific experience with hacking on Tor. Just in case
somebody's looking for an introductory Tor project to hack on.”

Sathya already wrote that this was enough material to get the
implementation started [XXX]. The project has enough work for anyone
interested. Feel free to join him!

  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005386.html
  [XXX] https://metrics.torproject.org/performance.html
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005388.html

More monthly status reports for August 2013
-------------------------------------------

The wave of regular monthly reports from Tor project members continued
this week with Sukhbir Singh [XXX], Matt Pagan [XXX], Ximin Luo [XXX], 
mrphs [XXX], Pearl Crescent [XXX], Andrew Lewman [XXX], Mike Perry
[XXX], Kelley Misata [XXX], Nick Mathewson [XXX], Jason Tsai [XXX],
Tails [XXX], Aaron [XXX], and Damian Johnson [XXX].

  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000326.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000327.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000328.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000329.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000330.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000331.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000332.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000333.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000334.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000335.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000336.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000337.html
  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000338.html

Miscellaneous news
------------------

Not all new Tor users are computer programs! According to their latest
report [XXX], Tails is now booted twice as often as six months ago
(from 100 865 to 190 521 connections to the security feed).

  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000336.html

Thanks to Frenn vun der Enn [XXX] for setting up a new mirror [XXX] of the
Tor project website.

  [XXX] http://enn.lu/
  [XXX] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000351.html

With the Google Summer of Code ending in two weeks, the students have
sent their next-to-last reports: Kostas Jakeliunas for the
Searchable metrics archive [XXX], Johannes Fürmann for EvilGenius [XXX],
Hareesan for the Steganography Browser Extension [XXX], and Cristian-Matei
Toader for Tor capabilities [XXX].

  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005380.html
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005394.html
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005409.html
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005412.html

Damian Johnson announced [XXX] he had completed the rewrite of DocTor in
Python [XXX], “a service that pulls hourly consensus information and
checks it for a host of issues (directory authority outages, expiring
certificates, etc). In the case of a problem it notifies
tor-consensus-health@ [XXX], and we in turn give the authority operator
a heads up.”

  [XXX] https://lists.torproject.org/pipermail/tor-reports/2013-September/000338.html
  [XXX] https://gitweb.torproject.org/doctor.git
  [XXX] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-consensus-health
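As an added illustration of the kind of checks described above (this is constructed example code, not DocTor's own, and the consensus excerpt, authority nicknames, fingerprints, addresses and certificate expiry dates are all made up), the following Python script parses the validity window and dir-source lines of a consensus, flags a stale or expired consensus, reports expected authorities that did not sign it, and warns about directory key certificates that expire within two weeks:

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed excerpt of a v3 consensus: its validity window plus the dir-source
# lines of the signing authorities. Names, fingerprints and addresses are placeholders.
SAMPLE_CONSENSUS = """\
valid-after 2013-09-10 12:00:00
fresh-until 2013-09-10 13:00:00
valid-until 2013-09-10 15:00:00
dir-source authA AAAA000000000000000000000000000000000000 authA.example 192.0.2.1 9131 9101
dir-source authB BBBB000000000000000000000000000000000000 authB.example 192.0.2.2 80 443
dir-source authC CCCC000000000000000000000000000000000000 authC.example 192.0.2.3 80 443
"""

# Authorities a healthy consensus is expected to carry (constructed list).
EXPECTED_AUTHORITIES = {"authA", "authB", "authC", "authD"}

# Constructed dir-key-expires values from each signing authority's key certificate.
CERT_EXPIRY = {
    "authA": "2014-03-01 00:00:00",
    "authB": "2013-09-20 00:00:00",  # ten days out: should be flagged
    "authC": "2014-01-15 00:00:00",
}

def parse_consensus(text):
    """Return the validity window and the set of signing authorities."""
    info = {"authorities": set()}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("valid-after", "fresh-until", "valid-until"):
            info[parts[0]] = datetime.strptime(" ".join(parts[1:3]), TIME_FMT)
        elif parts and parts[0] == "dir-source":
            info["authorities"].add(parts[1])
    return info

def check_health(text, expected, cert_expiry, now, cert_warn_days=14):
    """Return human-readable issues; an empty list means all is well."""
    info = parse_consensus(text)
    issues = []
    if now > info["valid-until"]:
        issues.append("consensus expired at %s" % info["valid-until"])
    elif now > info["fresh-until"]:
        issues.append("consensus is stale (fresh-until %s)" % info["fresh-until"])
    for auth in sorted(expected - info["authorities"]):
        issues.append("authority %s did not sign the consensus" % auth)
    for auth in sorted(info["authorities"]):
        expires = datetime.strptime(cert_expiry[auth], TIME_FMT)
        if expires - now < timedelta(days=cert_warn_days):
            issues.append("key certificate of %s expires on %s" % (auth, expires.date()))
    return issues

def run_sample():
    return check_health(SAMPLE_CONSENSUS, EXPECTED_AUTHORITIES, CERT_EXPIRY,
                        datetime(2013, 9, 10, 13, 30, 0))
```

Run against the constructed data at 13:30 on the consensus day, `run_sample()` reports a stale consensus, the missing authority authD and the soon-to-expire certificate of authB.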

Matt Pagan has migrated [XXX] several Frequently Asked Questions from the
wiki to the official Tor website [XXX]. This should enable more users to
find the answers they need!

  [XXX] https://svn.torproject.org/cgi-bin/viewvc.cgi/Tor?view=revision&revision=26333
  [XXX] https://www.torproject.org/docs/faq.html

In his previous call for help to collect more statistics [XXX],
addressed to bridge operators, George Kadianakis forgot to mention that
an extra line with “ExtORPort 6669” needs to be added to the tor
configuration file [XXX]. Make sure you have it if you are running a
bridge on the tor master branch.

  [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-August/002477.html
  [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-September/002691.html

For the upgrade of tor to the 0.2.4.x series in Tails, a tester spotted
a regression while “playing with an ISO built from experimental, thanks
to our Jenkins autobuilder” [XXX]. This marks a significant milestone in the
work on automated builds [XXX] done by several members of the Tails
team over the course of the last year!

  [XXX] https://mailman.boum.org/pipermail/tails-dev/2013-September/003617.html
  [XXX] https://labs.riseup.net/code/issues/5324

Tails next low-hanging fruits session will be on September 21st at
08:00 UTC [XXX]. Mark the date if you want to get involved!

  [XXX] https://mailman.boum.org/pipermail/tails-dev/2013-September/003566.html

David Fifield gave some tips on how to set up a test infrastructure [XXX] for
flash proxy [XXX].

  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005402.html
  [XXX] https://crypto.stanford.edu/flashproxy/

Marek Majkowski reported [XXX] on how one can use his fluxcapacitor tool [XXX]
to get a test Tor network started with Chutney [XXX] ready in only 6.5
seconds. A vast improvement over the 5 minutes he initially had to wait!

  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005403.html
  [XXX] https://github.com/majek/fluxcapacitor.git
  [XXX] https://gitweb.torproject.org/chutney.git
  [XXX] https://lists.torproject.org/pipermail/tor-dev/2013-September/005413.html

Eugen Leitl drew attention [XXX] to a new research paper which aims to analyse 
content and popularity of Hidden Services by Alex Biryukov, Ivan Pustogarov, 
and Ralf-Philipp Weinmann from University of Luxembourg [XXX].
 
  [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/029856.html
  [XXX] http://cryptome.org/2013/09/tor-analysis-hidden-services.pdf

Tor Help Desk roundup
---------------------

The Tor help desk had a number of emails this week asking about the
recent stories in the New York Times, the Guardian, and Pro Publica
regarding NSA’s cryptographic capabilities. Some users asked whether
there was a backdoor in Tor. Others asked if Tor’s crypto was broken.

There is absolutely no backdoor in Tor. Tor project members have been
vocal in the past about how tremendously irresponsible it would be to
backdoor our users [XXX]. As it is a frequently asked question,
users have been encouraged to read how the project would respond to
institutional pressure [XXX].

The Tor project does not have any more facts about the NSA’s cryptanalysis
capabilities than what has been published in newspapers. Even if there
is no actual evidence that Tor's encryption is broken, the
idea is to stay on the safe side by using more trusted algorithms for
the Tor protocols. See above for a more detailed write-up.

  [XXX] https://blog.torproject.org/blog/calea-2-and-tor
  [XXX] http://www.torproject.org/docs/faq.html.en#Backdoor

Simple Ways to Contribute This Week
-----------------------------------

Each week, this section lists some simple tasks that people who want to
begin hacking on the Tor Project could do.

If you're hacking on Tor and want a ticket featured here, add "easy" to
the keywords field on Trac.

Highlighted this week:

* Let users know which IP is making a new control port connection [XXX]
  Why? Let users know which IP/application is making a new control port
  connection so they have information to go on to rule out an attack.
  Practice: C, Network Service Primitives

* Change 'your' to 'this' on check.torproject.org page [XXX]
  Why? A small percentage of users will misinterpret "your browser" to
  mean their existing browser with dire consequences.
  Practice: Git, Patch, Diff

* Add tests to Stem to try and detect new versions of Tor [XXX]
  Why? Reduce workload for keeping Stem up to date with changes in Tor & 
  making sure programs that rely on Stem are kept closely up to date with
  Tor.
  Practice: Python, Tor Control Protocol, Testing
  
  [XXX] https://trac.torproject.org/projects/tor/ticket/9698 
  [XXX] https://trac.torproject.org/projects/tor/ticket/9631
  [XXX] https://trac.torproject.org/projects/tor/ticket/8250

Upcoming events
---------------

Sep 29-Oct 01 | Tor at OpenITP Circumvention Tech Summit IV
          | Berlin, Germany
          | https://www.openitp.org/openitp/circumvention-tech-summit.html
          |
Oct 09-10 | Andrew speaking at Secure Poland 2013
          | Warszawa, Poland
          | http://www.secure.edu.pl/


This issue of Tor Weekly News has been assembled by Lunar, dope457,
mttp, malaparte, and Nick Mathewson.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [XXX], write down your
name and subscribe to the team mailing list [XXX] if you want to
get involved!

  [XXX] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [XXX] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

Possible items: