Changes between Version 46 and Version 47 of TorWeeklyNews/2014/24


Timestamp: Jun 18, 2014, 11:06:00 AM (5 years ago)
Author: lunar
Comment: sent!

  • TorWeeklyNews/2014/24

    v46 v47  
    55'''Subject:''' Tor Weekly News — June 18th, 2014
    66
    7 '''Status:''' FROZEN. Only technical and language fixes allowed. New items should go in [wiki:TorWeeklyNews/2014/25 next week's edition]. Expected publication time 2014-06-18 14:00 UTC.
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                          June 18th, 2014
    12 ========================================================================
    13 
    14 Welcome to the fiftieth issue of Tor Weekly News, the weekly newsletter
    15 that covers what is happening in the Tor community.
    16 
    17 Tails 1.0.1 is out
    18 ------------------
    19 
    20 The Tails developers announced [1] the first point release in the Tails
    21 1.0 series, following their decision [2] to postpone the release of
    22 Tails 1.1 (which will be based on Wheezy, the latest stable version of
    23 Debian).
    24 
    25 This release contains no major new features, but does fix numerous
    26 security issues [3] present in 1.0, so all Tails users should upgrade as
    27 soon as possible.
    28 
    29   [1]: https://tails.boum.org/news/version_1.0.1/
    30   [2]: https://mailman.boum.org/pipermail/tails-dev/2014-May/005917.html
    31   [3]: https://tails.boum.org/security/Numerous_security_holes_in_1.0/index
    32 
    33 Collecting statistics from Tor exits in a privacy-sensitive manner
    34 ------------------------------------------------------------------
    35 
    36 Optimizing the Tor network to better support the most common use-cases
    37 could make a real difference to its perceived usability. Unfortunately,
    38 Tor is an anonymity network. Understanding what the most common
    39 use-cases are, in a way that does not endanger its users, is far from
    40 being a trivial problem.
    41 
    42 There have been some cases of inconsiderate spying on Tor network users
    43 in the past [4]. This is one of the motivations for the Tor Project to
    44 provide and research properly anonymized statistics through the
    45 Metrics [5] and CollecTor [6] portals.
    46 
    47 Tariq Elahi, George Danezis, and Ian Goldberg are working on new
    48 solutions to tackle the problem of collecting statistics from Tor exits
    49 in a privacy-sensitive manner. Tariq announced [7] the PrivEx system,
    50 which “preserves the security and privacy properties of anonymous
    51 communication networks, even in the face of adversaries that can
    52 compromise data collection nodes or coerce operators to reveal
    53 cryptographic secrets and keys”.
    54 
    55 The introduction of the detailed tech report [8] gives a general
    56 description of the solution: “PrivEx collects aggregated statistics to
    57 provide insights about user behaviour trends by recording aggregate
    58 usage of the anonymity network. To further reduce the risk of
    59 inadvertent disclosures, it collects only information about destinations
    60 that appear in a list of known censored websites. The aggregate
    61 statistics are themselves collected and collated in a privacy-friendly
    62 manner using secure multiparty computation primitives, enhanced and
    63 tuned to resist a variety of compulsion attacks and compromises.
    64 Finally, the granularity of the statistics is reduced […] to foil
    65 correlation attacks.”
    66 
    67 PrivEx’s threat model is described in section 3, and matches the current
    68 mode of operation of the Tor network, relying on a set of mostly honest
    69 collectors while being able to cope with a limited number of malicious
    70 nodes. Two variants are described: one “is secure in the
    71 honest-but-curious setting but can be disrupted by a misbehaving actor”
    72 while “the other is secure in the covert adversary setting in that
    73 misbehaving servers can be identified”, but is more computationally
    74 expensive.
    75 
    76 Tariq mentions that implementations of the two variants of PrivEx
    77 described in the tech report have been created and should soon be
    78 released to the community. The researchers expect to “start by rolling
    79 out our own PrivEx-enabled exits in the Tor network and begin collecting
    80 destination visit statistics” around the “June-August timeframe”.
    81 Section 6 contains an analysis of the overhead in both CPU and bandwidth
    82 of the two PrivEx variants, and the requirements seem reasonable.
    83 
    84 Given how much privacy matters to the Tor community and to all network
    85 users, the researchers wants “a measure of confidence that collecting
    86 data with PrivEx is inherently good and is being done in a responsible
    87 and intelligent manner”. They are therefore asking the “community at
    88 large” to review the design of the proposal, and its implementation once
    89 released.
    90 
    91 If no fundamental flaws are discovered in the process, the Tor community
    92 might finally be able to enjoy better network statistics in the
    93 not-too-distant future.
    94 
    95   [4]: http://www.ifca.ai/pub/fc11/wecsr11/soghoian.pdf
    96   [5]: https://metrics.torproject.org/
    97   [6]: https://collector.torproject.org/
    98   [7]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006999.html
    99   [8]: http://cacr.uwaterloo.ca/techreports/2014/cacr2014-08.pdf
    100 
    101 Upcoming developments in pluggable transports
    102 ---------------------------------------------
    103 
    104 In a new blog post [9], George Kadianakis reported on some recent
    105 pluggable transports developments. Some — like the release of Tor
    106 Browser 3.6 [10], the deprecation of obfs2 [11], the new meek
    107 transport [12], or the recently-written “Child’s Garden Of Pluggable
    108 Transports” guide [13] should already be known to regular readers of Tor
    109 Weekly News.
    110 
    111 It was previously impossible to use pluggable transports at the same
    112 time as an HTTP or SOCKS proxy [14]. The release of Tor Browser
    113 3.6.2 [15] is the first to include work by Yawning Angel which solves
    114 this deficiency.
    115 
    116 However, ScrambleSuit, released last winter, has not yet been included
    117 in Tor Browser. The pluggable transport team is considering skipping its
    118 deployment in favor of a new protocol, dubbed “obfs4” [16], which is
    119 “like ScrambleSuit (with regards to features and threat model), but it’s
    120 faster and autofixes some of the open issues”.
    121 
    122 George also mentions that enabling pluggable transports to work over
    123 IPv6 is on the team’s radar. As advanced deep packet inspection (DPI) on
    124 IPv6 is less common, it should buy some more time for users on censored
    125 networks.
    126 
    127   [9]: https://blog.torproject.org/blog/recent-and-upcoming-developments-pluggable-transports
    128  [10]: https://blog.torproject.org/blog/tor-browser-36-released
    129  [11]: https://trac.torproject.org/projects/tor/ticket/10314
    130  [12]: https://trac.torproject.org/projects/tor/wiki/doc/meek
    131  [13]: https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
    132  [14]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/232-pluggable-transports-through-proxy.txt
    133  [15]: https://blog.torproject.org/blog/tor-browser-362-released
    134  [16]: https://github.com/Yawning/obfs4
    135 
    136 Miscellaneous news
    137 ------------------
    138 
    139 David Fifield updated [17] the experimental Tor Browser builds that
    140 include the meek pluggable transport [18]. The new packages are based on
    141 Tor Browser version 3.6.2.
    142 
    143  [17]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033229.html
    144  [18]: https://people.torproject.org/~dcf/pt-bundle/3.6.2-meek-1/
    145 
    146 meejah announced [19] a new release of txtorcon — a Twisted-based
    147 asynchronous Tor control protocol implementation. Version 0.10.0 adds
    148 support for Twisted’s endpoint strings. meejah explains: “this means
    149 that ANY Twisted program that uses endpoints can accept ‘onion:’ strings
    150 to bring up a hidden services easily […]. Typically, no code changes to
    151 the application should be needed […].”
    152 
    153  [19]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007006.html
    154 
    155 The Tails team reported [20] progress on code, documentation,
    156 infrastructure, discussions, funding, and outreach matters for May. The
    157 report also mentions Tails’ position regarding the discontinuation of
    158 TrueCrypt.
    159 
    160  [20]: https://tails.boum.org/news/report_2014_05/
    161 
    162 Following up on his earlier promise [21], Karsten Loesing shut down [22]
    163 the Tor Metrics portal’s relay-search service, and in doing so reduced
    164 the size of the metrics database from 95 gigabytes to a mere 3. “If the
    165 metrics website shows you funny numbers in the next couple of days,
    166 please let me know”, wrote Karsten.
    167 
    168  [21]: https://lists.torproject.org/pipermail/tor-dev/2013-December/005948.html
    169  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007007.html
    170 
    171 Andrew Lewman reported [23] on his activities for May. Sebastian G.
    172 subsequently opened two discussions on the tor-talk mailing list [24]:
    173 one regarding the challenges of integrating Tor into millions of
    174 products [25] and another on how US legislation is preventing the Tor
    175 Project, Inc. from receiving donations from certain countries [26].
    176 
    177  [23]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000563.html
    178  [24]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
    179  [25]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033254.html
    180  [26]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033255.html
    181 
    182 Several GSoC students reported on the progress of their projects: Kostas
    183 Jakeliunas on the BridgeDB Twitter distributor [27], Juha Nurmi for
    184 ahmia.fi [28], and Zack Mullaly on the HTTPS Everywhere secure ruleset
    185 update mechanism [29].
    186 
    187  [27]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006988.html
    188  [28]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000562.html
    189  [29]: https://lists.eff.org/pipermail/https-everywhere/2014-June/002128.html
    190 
    191 Lukas Erlacher has released OnionPy 0.1.5 [30]. “If you are planning to
    192 make something in python that uses the tor network status, accessing
    193 Onionoo [31] using OnionPy might be exactly what you need”, Lukas wrote.
    194 
    195  [30]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007018.html
    196  [31]: https://onionoo.torproject.org/
    197 
    198 The Tails developers suggested [32] that Tails translation teams using
    199 git, rather than the online Transifex platform, should begin signing
    200 their email pull requests with OpenPGP keys, to ensure that the process
    201 is not open to exploitation.
    202 
    203  [32]: https://mailman.boum.org/pipermail/tails-l10n/2014-June/001293.html
    204 
    205 Drupal.org, the main website for the development community around the
    206 free and open-source web platform Drupal, subscribes to a blacklist that
    207 includes Tor exit nodes, making it difficult for Tor users to interact
    208 with the site. AohRveTPV explained the problem [33], and asked for
    209 “ideas on how to actually achieve better Drupal.org support for Tor
    210 users”.
    211 
    212  [33]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033250.html
    213 
    214 Chris Double described [34] a detailed but experimental method for using
    215 Tor with Firefox OS, the mobile operating system from Mozilla. “This is
    216 just a proof of concept. Don’t depend on this […] Ideally Tor would be
    217 integrated with Firefox OS so that you can start and stop it as a
    218 service and maybe whitelist or blacklist sites that should and shouldn’t
    219 use Tor. I hope to do some of this over time or hope someone else gets
    220 excited enough to work on it too.”
    221 
    222  [34]: http://bluishcoder.co.nz/2014/06/12/using-tor-with-firefox-os.html
    223 
    224 Tor help desk roundup
    225 ---------------------
    226 
    227 The help desk has received some complaints regarding the default window
    228 size of the Tor Browser. To prevent window size fingerprinting, the
    229 browser window size has been set to a multiple of 100 pixels according
    230 to the detected screen resolution. Taskbars in the user workspace making
    231 selecting an appropriate window size slightly more complicated though;
    232 more details are available on the bug’s ticket [35].
    233 
    234  [35]: https://bugs.torproject.org/9268
    235 
    236 News from Tor StackExchange
    237 ---------------------------
    238 
    239 bk201 found some random-looking domain names in the logs of some network
    240 software. These connection attempts disappeared when Tor was
    241 closed [36], so bk201 wants to know what they are. Lunar explained that
    242 they are requests for non-existent domain names. Tor wants to find out
    243 if some DNS servers send fake answers. This feature was added in
    244 2007 [37].
    245 
    246  [36]: https://tor.stackexchange.com/q/3324/88
    247  [37]: https://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes#l6663
    248 
    249 user1747 often visits web sites which provide their services both within
    250 the visible web and as a hidden service (DuckDuckGo might serve as an
    251 example). Does the Tor Browser Bundle (TBB) automatically switch to a
    252 hidden service in this case [38]? mirimir explained that there is no
    253 connection between DNS and the names of hidden services, so TBB doesn’t
    254 know about this hidden service and can’t connect automatically. user2949
    255 pointed to a plugin [39], similar to HTTPS Everywhere, that forwards a
    256 request to a hidden service if it is available.
    257 
    258  [38]: https://tor.stackexchange.com/q/3262/88
    259  [39]: https://github.com/chris-barry/darkweb-everywhere
    260  
    261 Upcoming events
    262 ---------------
    263 
    264 June 18 19:00 UTC | little-t tor development meeting
    265                   | #tor-dev, irc.oftc.net
    266                   | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
    267                   |
    268 June 20 15:00 UTC | Tor Browser online meeting
    269                   | #tor-dev, irc.oftc.net
    270                   | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
    271                   |
    272 June 20 16:00 UTC | Pluggable transports online meeting
    273                   | #tor-dev, irc.oftc.net
    274                   | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html
    275                   |
    276 June 30 — Jul 4   | Tor’s Summer Dev Meeting
    277                   | Paris, France
    278                   | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting
    279 
    280 
    281 This issue of Tor Weekly News has been assembled by harmony, Lunar, the
    282 Tails developers, Matt Pagan, Karsten Loesing, and qbi.
    283 
    284 Want to continue reading TWN? Please help us create this newsletter.
    285 We still need more volunteers to watch the Tor community and report
    286 important news. Please see the project page [40], write down your
    287 name and subscribe to the team mailing list [41] if you want to
    288 get involved!
    289 
    290  [40]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    291  [41]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    292 }}}
     7'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2014-June/000050.html Sent]
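Review bot: the new Status line (v47 line 7) drops the publication time that the removed Status line carried ("Expected publication time 2014-06-18 14:00 UTC"), so the wiki page now depends entirely on the external tor-news archive link for when the issue went out and for its full text. Consider keeping the date next to the link, for example "Sent 2014-06-18". Separately, the removed body still contains two language errors that the FROZEN status allowed fixing: "the researchers wants" at v46 line 85 and "Taskbars in the user workspace making selecting" at v46 line 230. If the mailed copy was taken from this revision, it is worth checking the archived message for them.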