Changes between Version 45 and Version 46 of TorWeeklyNews/2013/19


Ignore:
Timestamp:
Nov 13, 2013, 1:14:45 PM (5 years ago)
Author:
lunar
Comment:

sent

Legend:

Unmodified
Added
Removed
Modified
  • TorWeeklyNews/2013/19

    v45 v46  
    33'''Editor:''' Lunar
    44
    5 '''Status:''' FROZEN! Only technical and language fixes are now accepted. New items should go on [wiki:TorWeeklyNews/2013/20 next week's edition]. Expected publication time 2013-11-13 12:00 UTC.
    6 
    7 '''Subject:''' Tor Weekly News — November 13th, 2013
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                      November 13th, 2013
    12 ========================================================================
    13 
    14 Welcome to the twentieth issue of Tor Weekly News, the weekly newsletter
    15 that covers what is happening in the Tor community.
    16 
    17 First beta release of Tor Browser Bundle 3.0
    18 --------------------------------------------
    19 
    20 The Tor Browser Bundle [1] is the Tor Project's flagship product: an
    21 easy and straightforward way to browse the web with anonymity and
    22 privacy.
    23 
    24 With previous Tor Browser Bundles, users had to interact with two
    25 different applications, Vidalia and the browser itself. Vidalia was
    26 responsible for handling and configuring the tor daemon, and the
    27 browser had no knowledge of the connection status and other details.
    28 The result was confusing error messages, and mismatched user
    29 expectations.
    30 
    31 With the 3.0 series of Tor Browser Bundle, the browser is directly
    32 responsible for configuring and handling the tor daemon. Users only see
    33 one single application. It's clearer that only the browser will go
    34 through the Tor network. Starting and stopping the browser will take
    35 care of starting and stopping tor -- no extra steps are required.
    36 
    37 Mike Perry, Kathleen Brade, Mark Smith, Georg Koppen, among others, are
    38 working hard to perfect many other usability and technical improvements
    39 that are part of Tor Browser Bundle 3.0 which has now reached the “beta”
    40 stage.
    41 
    42 The new 3.0beta1 release [2] is based on Firefox 17.0.10esr for security
    43 updates [3], and contains several other small improvements and
    44 corrections.
    45 
    46 Current users of the 3.0 alpha series should update. Others should give
    47 it a try [4]!
    48 
    49    [1] https://www.torproject.org/projects/torbrowser.html
    50    [2] https://blog.torproject.org/blog/tor-browser-bundle-30beta1-released
    51    [3] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox17.0.10
    52    [4] https://archive.torproject.org/tor-package-archive/torbrowser/3.0b1/
    53 
    54 A critique of website traffic fingerprinting attacks
    55 ----------------------------------------------------
    56 
    57 For a new blog post [5], Mike Perry took the time to reflect on
    58 fingerprinting attacks on website traffic. These are attacks “where the
    59 adversary attempts to recognize the encrypted traffic patterns of
    60 specific web pages without using any other information. In the case of
    61 Tor, this attack would take place between the user and the Guard node,
    62 or at the Guard node itself.”
    63 
    64 In the post, Mike lays down three distinct types of adversary that could
    65 mount fingerprinting attacks: partial blocking of Tor, identification of
    66 visitors of a set of targeted pages, and identification of all web pages
    67 visited by a user.
    68 
    69 In theory, such attacks could pose devastating threats to Tor users.
    70 But in practice, “false positives matter” together with other factors
    71 that affect the classification accuracy. Mike gives a comprehensive
    72 introduction to these issues before reviewing five research papers
    73 published between 2011 and 2013. Each of them are summarized together
    74 with their shortcomings.
    75 
    76 Mike concludes that “defense work has not been as conclusively studied as
    77 these papers have claimed, and that defenses are actually easier than is
    78 presently assumed by the current body of literature.” He encourages
    79 researchers to re-evaluate existing defenses “such as HTTPOS [6], SPDY
    80 and pipeline randomization, Guard node adaptive padding [7], and Traffic
    81 Morphing [8]“, and to think about “the development of additional
    82 defenses”. Mike ends his post by mentioning that some new defenses can
    83 also be dual purpose and help with end-to-end correlation attacks.
    84 
    85    [5] https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks
    86    [6] http://freehaven.net/anonbib/cache/LZCLCP_NDSS11.pdf
    87    [7] https://bugs.torproject.org/7028
    88    [8] http://freehaven.net/anonbib/cache/morphing09.pdf
    89 
    90 The “bananaphone” pluggable transport
    91 -------------------------------------
    92 
    93 Pluggable transports [9] is how Tor traffic can be transformed from a
    94 client to a bridge in order to hide it from Deep Packet Inspection
    95 filters.
    96 
    97 Improving upon the initial work of Leif Ryge [10], David Stainton has
    98 been working on the new “bananaphone” pluggable transport for
    99 obfsproxy [11]. The latter implements “reverse hash encoding“,
    100 described by Leif Ryge as “a steganographic encoding scheme which
    101 transforms a stream of binary data into a stream of tokens (e.g.,
    102 something resembling natural language text) such that the stream can be
    103 decoded by concatenating the hashes of the tokens.”
    104 
    105 For a concrete example, that means that using Project Gutenberg’s Don
    106 Quixote [12] as corpus, one can encode “my little poney” into “lock
    107 whisper: yellow tremendous, again suddenly breathing. master's faces;
    108 fees, beheld convinced there calm” and back again!
    109 
    110 While it's probably not going to be the most compact pluggable
    111 transport, “bananaphone” looks like a promising project.
    112 
    113    [9] https://www.torproject.org/docs/pluggable-transports.html.en
    114   [10] https://github.com/leif/bananaphone
    115   [11] https://github.com/david415/obfsproxy/tree/david-bananaphone
    116   [12] http://www.gutenberg.org/cache/epub/29468/pg29468.txt
    117 
    118 Miscellaneous news
    119 ------------------
    120 
    121 Christian Grothoff, Matthias Wachs and Hellekin Wolf are working on
    122 getting special-use domain names for P2P networks reserved [13]
    123 according to RFC 6761 [14]: “the goal is to reserve .onion, .exit, .i2p,
    124 .gnu and .zkey (so that they don't become ordinary commercial TLDs at
    125 some point)”.
    126 
    127   [13] https://lists.torproject.org/pipermail/tor-talk/2013-November/031001.html
    128   [14] https://tools.ietf.org/html/rfc6761
    129 
    130 The Tails team has released their report on Tails activity during the
    131 month of October [15]. Things are happening on many fronts, have a look!
    132 
    133   [15] https://lists.torproject.org/pipermail/tor-reports/2013-November/000383.html
    134 
    135 Andrea Shepard has been working on new scheduler code for Tor. Its goal
    136 is to remove the limitation that “we can only see one channel at a time
    137 when making scheduling decisions.” Balancing between circuits without
    138 opening new attack vectors is tricky, Andrea is asking for comments on
    139 potential heuristics [16].
    140 
    141   [16] https://lists.torproject.org/pipermail/tor-dev/2013-November/005761.html
    142 
    143 Justin Findlay has recreated some of the website diagrams [17] in the
    144 versatile SVG format.
    145 
    146   [17] https://lists.torproject.org/pipermail/tor-dev/2013-November/005762.html
    147 
    148 Roger asked the community [18] to create a “Tor, king of anonymity”
    149 graphic for his presentations. Griffin Boyce made a “queen of anonymity”
    150 picture [19], Lazlo Westerhof crowned the onion [20] and Matt Pagan [21]
    151 did the full Tor logo.
    152 
    153   [18] https://lists.torproject.org/pipermail/tor-talk/2013-November/031001.html
    154   [19] http://i.imgur.com/PmuFz4n.jpg
    155   [20] http://i.imgur.com/vYZSu6Q.png
    156   [21] http://i.imgur.com/2yIMmcQ.png
    157 
    158 David Fifield released the new Pluggable Transports Tor Browser Bundle [22]
    159 version 2.4.17-rc-1-pt2 based on Tor Browser Bundle 2.4.17-rc-1. The
    160 only change from the previous release of the pluggable transport bundle
    161 is a workaround [23] that makes transports resume working on Mac OS X
    162 Mavericks.
    163 
    164   [22] https://blog.torproject.org/blog/pluggable-transports-bundles-2417-rc-1-pt2-firefox-17010esr
    165   [23] https://bugs.torproject.org/10030#comment:20
    166 
    167 Tor Help Desk Round-up
    168 ----------------------
    169 
    170 Recently users have been writing the help desk asking for assistance
    171 verifying the signature on their Tor Browser Bundle package. These users
    172 said they found the instructions on the official Tor Project page [24]
    173 confusing. One person reported being unsure of how to open a terminal on
    174 their computer. Another person did not know how to save the package
    175 signature onto the Desktop. Yet another person reported they were able
    176 to verify the signature only after discovering that their GnuPG program
    177 was named gpg2.exe rather than gpg.exe. A ticket on improving the
    178 signature verification page has been opened [25].
    179 
    180 One user mentioned wanting to use the Tor Browser Bundle as their
    181 default browser but being unable to do so because their online bank
    182 required Java. Java is disabled in the Tor Browser Bundle because it can
    183 bypass the browser proxy settings and leak the client's real IP address
    184 over the network.
    185 
    186   [24] https://torproject.org/docs/verifying-signatures.html
    187   [25] https://bugs.torproject.org/projects/10073
    188 
    189 Upcoming events
    190 ---------------
    191 
    192 Nov 18    | Damian Johnson and Lee Colleton @ TA3M-Seattle #3
    193           | Seattle, Washington, USA
    194           | https://wiki.openitp.org/events:techno-activism_3rd_mondays:seattle
    195           |
    196 Nov 20    | Tor's New Offices — Open House
    197           | Cambridge, Massachusetts
    198           | https://blog.torproject.org/events/tors-new-cambridge-offices-open-house
    199           |
    200 Dec 27-30 | Tor @ 30th Chaos Communication Congress
    201           | Hamburg, Germany
    202           | https://events.ccc.de/congress/2013/
    203 
    204 This issue of Tor Weekly News has been assembled by Lunar, dope457,
    205 David Stainton, sqrt2, and Roger Dingledine.
    206 
    207 Want to continue reading TWN? Please help us create this newsletter.
    208 We still need more volunteers to watch the Tor community and report
    209 important news. Please see the project page [26], write down your name
    210 and subscribe to the team mailing list [27] if you want to get involved!
    211 
    212   [26] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    213   [27] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    214 }}}
     5'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2013-November/000020.html Sent!]