Changes between Version 39 and Version 40 of TorWeeklyNews/2013/16


Timestamp:
Oct 23, 2013, 1:06:14 PM (5 years ago)
Author:
lunar
Comment:

sent

  • TorWeeklyNews/2013/16

    v39 v40  
    33'''Editor:''' Lunar
    44
    5 '''Status:''' FROZEN! Publication expected around 2013-05-22 12:00 UTC. New items are for [wiki:TorWeeklyNews/2013/17 next week's edition].
    6 
    7 '''Subject:''' Tor Weekly News — October 23th, 2013
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                       October 23th, 2013
    12 ========================================================================
    13 
    14 Welcome to the seventeenth issue of Tor Weekly News, the weekly
    15 newsletter that covers what is happening in the Tor community.
    16 
    17 Tor’s anonymity and guards parameters
    18 -------------------------------------
    19 
    20 In a lengthly blog post [1], Roger Dingledine looked back on three
    21 research papers published in the past year. Some of them have been
    22 covered and most of the time misunderstood by the press. A good recap of
    23 the research problems, what the findings mean and possible solutions
    24 hopefully will help everyone understand better.
    25 
    26 Introduced in 2005 [2], entry guards were added to recognise that “some
    27 circuits are going to be compromised, but it’s better to increase your
    28 probability of having no compromised circuits at the expense of also
    29 increasing the proportion of your circuits that will be compromised if
    30 any of them are.” Roger “originally picked ‘one or two months’ for guard
    31 rotation” but the initial parameters called for more in-depth
    32 research [3].
    33 
    34 That call was heard by “the Tor research community [4], and it’s great
    35 that Tor gets such attention. We get this attention because we put so
    36 much effort into making it easy [5] for researchers to analyze Tor.” In
    37 his writing Roger highlights the finding of three papers. Two of them
    38 published at WPES 2012 and Oakland 2013, and another upcoming at
    39 CCS 2013.
    40 
    41 These research efforts highlighted several issues in the way Tor handles
    42 entry guards. Roger details five complementary fixes: using fewer
    43 guards, keeping the same guards for longer, better handling of brief
    44 unreachability of a guard, making the network bigger, and smarter
    45 assignment of the guard flag to relays. Some will require further
    46 research to identify the best solution. There are also other aspects
    47 regarding systems which don’t currently record guards such as Tails, how
    48 pluggable transports could prevent attackers from recognising Tor users,
    49 or enhancing measurements from the bandwidth authorities…
    50 
    51 The whole blog post is insightful and is a must read for everyone who
    52 wishes to better understand some of Tor’s risk mitigation strategies. It
    53 is also full of little and big things where you could make a difference!
    54 
    55    [1] https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
    56    [2] https://blog.torproject.org/blog/top-changes-tor-2004-design-paper-part-2
    57    [3] https://blog.torproject.org/blog/research-problem-better-guard-rotation-parameters
    58    [4] http://freehaven.net/anonbib/
    59    [5] https://research.torproject.org/
    60 
    61 Hidden Service research
    62 -----------------------
    63 
    64 George Kadianakis posted a list of items that need work in the Hidden
    65 Service area [6]. Despite not being exhaustive, the list contains many
    66 items that might help with upgrading the Hidden Service design, be it
    67 around security, performance, guard issues or “petname” systems.
    68 
    69 Help and comments are welcome!
    70 
    71    [6] https://lists.torproject.org/pipermail/tor-dev/2013-October/005637.html
    72 
    73 Usability issues in existing OTR clients
    74 ----------------------------------------
    75 
    76 The consensus after the first round of discussions and research done in
    77 the prospect of providing a new secure instant-messaging Tor bundle [7]
    78 is to use Mozilla Instantbird at its core. Arlo Breault sent out a draft
    79 plan [8] on how to do so.
    80 
    81 Instantbird currently lacks a core feature to turn it into the Tor
    82 Messenger: support for the OTR [9] protocol for encrypted chat. Now is
    83 thus a good time to gather usability issues in existing OTR clients.
    84 
    85 Mike Perry kicked off the discussion [10] by pointing out several
    86 deficiencies regarding problems with multiple clients, key management
    87 issues, and other sub-optimal behaviour.
    88 
    89 Ian Goldberg — original author of the pervasive OTR plugin for Pidgin —
    90 pointed out [11] that at least one of the behaviour singled out by Mike
    91 was “done on purpose. The thing it’s trying to prevent is that Alice and
    92 Bob are chatting, and Bob ends OTR just before Alice hits Enter on her
    93 message. If Alice’s client went to ‘Not private’ instead of ‘Finished’,
    94 Alice’s message would be sent in the clear, which is undesirable.
    95 Switching to ‘Finished’ makes Alice have to actively acknowledge that
    96 the conversation is no longer secure.”
    97 
    98 This tradeoff is a good example of how designing usable and secure user
    99 interfaces can be hard. Usability, in itself, is an often overlooked
    100 security feature. Now is a good time to contribute your ideas!
    101 
    102    [7] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
    103    [8] https://lists.torproject.org/pipermail/tor-dev/2013-October/005616.html
    104    [9] https://otr.cypherpunks.ca/
    105   [10] https://lists.torproject.org/pipermail/tor-dev/2013-October/005636.html
    106   [11] https://lists.torproject.org/pipermail/tor-dev/2013-October/005640.html
    107 
    108 Tor Help Desk Roundup
    109 ---------------------
    110 
    111 The Tor Help Desk continues to be bombarded with help requests from
    112 users behind university proxies who cannot use ORPort bridges or the
    113 Pluggable Transports Browser to circumvent their network’s firewall.
    114 Although the cases are not all the same, bridges on port 443 or port 80
    115 do not always suffice to circumvent such proxies.
    116 
    117 Ubuntu 13.10 (Saucy Salamander) was released this week. One user
    118 reported their Tor Browser Bundle behaving unusually after updating
    119 their Ubuntu operating system. This issue was resolved by switching to
    120 the Tor Browser Bundle 3. Another user asked when Tor APT repositories
    121 would have packages for Saucy Salamander. Since then, packages for the
    122 latest version of Ubuntu have been made available from the usual
    123 deb.torproject.org.
    124 
    125 Miscellaneous news
    126 ------------------
    127 
    128 Tails has issued a call for testing [12] of its upcoming 0.21 release.
    129 The new version contains two security fixes regarding access to the Tor
    130 control port and persistent settings [13] among other improvements and
    131 package updates [14]. “Test wildly!” as the Tails team wrote.
    132 
    133   [12] https://tails.boum.org/news/test_0.21-rc1/
    134   [13] https://git-tails.immerda.ch/tails/plain/wiki/src/doc/first_steps/persistence/upgrade.mdwn?h=bugfix/safer-persistence
    135   [14] https://git-tails.immerda.ch/tails/plain/debian/changelog?id=0.21-rc1
    136 
    137 Andrew Lewman was invited to speak at SECURE Poland 2013 [15] and sent a
    138 report on his trip [16] to Warsaw.
    139 
    140   [15] http://www.secure.edu.pl/
    141   [16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000364.html
    142 
    143 Tails developers are looking for Mac and PC hardware with UEFI [17]. If
    144 you have some spare hardware, please consider a donation!
    145 
    146   [17] https://tails.boum.org/news/Mac_and_PC_UEFI_hardware_needed/
    147 
    148 Ximin Luo has been the first to create a ticket with 5 digits [18] on
    149 Tor tracker. At the current rate, ticket #20000 should happen by the end
    150 of 2015… Or will the project’s continued growth make this happen sooner?
    151 
    152   [18] https://bugs.torproject.org/10000
    153 
    154 Roger Dingledine reported [19] on his activities for September and
    155 October.  Arturo Filastò also reported [20] on his September.
    156 
    157   [19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000365.html
    158   [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000366.html
    159 
    160 Runa Sandvik continues her work on the new, more comprehensible Tor User
    161 Manual [21]. The first draft is already out [22]. Please review and
    162 contribute.
    163 
    164   [21] https://lists.torproject.org/pipermail/tor-dev/2013-October/005649.html
    165   [22] https://bugs.torproject.org/5811
    166 
    167 Aaron published a branch with his work on a Tor exit scanner based on
    168 OONI [23].
    169 
    170   [23] https://github.com/TheTorProject/ooni-probe/tree/feature/tor_test_template
    171 
    172 Upcoming events
    173 ---------------
    174 
    175 Oct 25    | Matt @ EPIC and Public Citizen’s CryptoParty
    176           | Washington, DC, USA
    177           | https://epic.org/events/cryptoparty/
    178           |
    179 Nov 04    | Workshop on Privacy in the Electronic Society
    180           | Berlin, Germany
    181           | http://wpes2013.di.unimi.it/
    182           |
    183 Nov 04-05 | 20th ACM Conference on Computer and Communications Security
    184           | Berlin, Germany
    185           | http://www.sigsac.org/ccs/CCS2013/
    186 
    187 
    188 This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
    189 dope457, George Kadianakis, Philipp Winter and velope.
    190 
    191 Want to continue reading TWN? Please help us create this newsletter.
    192 We still need more volunteers to watch the Tor community and report
    193 important news. Please see the project page [24], write down your name
    194 and subscribe to the team mailing list [25] if you want to get involved!
    195 
    196   [24] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    197   [25] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    198 }}}
     5'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2013-October/000017.html Sent!]
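
Review bot: the removal of v39 lines 5 to 198 also drops the '''Subject:''' line (v39 line 7), so after this change the page keeps only the Editor line and a Status link and no longer states the issue's date or title. Consider keeping the Subject line next to the new Status line, so the page still identifies the issue if the linked archive message ever moves. The removed FROZEN status also carried an expected publication date of 2013-05-22 that did not match the October 23 subject; replacing that line resolves the mismatch.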