Changes between Version 45 and Version 46 of TorWeeklyNews/2014/31


Ignore:
Timestamp:
Aug 5, 2014, 3:54:07 PM (5 years ago)
Author:
lunar
Comment:

FREEZE

Legend:

Unmodified
Added
Removed
Modified
  • TorWeeklyNews/2014/31

    v45 v46  
    44
    55'''Subject:''' Tor Weekly News — August 6th, 2014
     6
     7'''Status:''' Frozen. Language and technical fixes only. New items should go in [wiki:TorWeeklyNews/2014/32 next week's edition]. Expected publication time: 2014-08-06 12:00 UTC.
    68
    79{{{
     
    1820Roger Dingledine ended several months of concern and speculation in the
    1921Tor community with a security advisory posted to the tor-announce
    20 mailing list [XXX] and the Tor blog [XXX].
     22mailing list [1] and the Tor blog [2].
    2123
    2224In it, he gave details of a five-month-long active attack on operators
     
    2729“tag” any hidden service descriptor requests received by malicious
    2830relays — a tag which could then be picked up by other bad nodes acting
    29 as entry guards [XXX], in the process identifying clients which
    30 requested information about a particular hidden service.
     31as entry guards [3], in the process identifying clients which requested
     32information about a particular hidden service.
    3133
    3234The attack is suspected to be linked to a now-cancelled talk that was
    33 due to be delivered at the BlackHat security conference [XXX]. There
    34 have been several fruitful and positive research projects involving
     35due to be delivered at the BlackHat security conference [4]. There have
     36been several fruitful and positive research projects involving
    3537theoretical attacks on Tor’s security, but this was not among them. Not
    3638only were there problems with the process of responsible disclosure,
     
    3840service in the injected signal (as opposed to, say, sending a random
    3941number and keeping a local list mapping random number to hidden service
    40 name)”, thereby “[putting] users at risk indefinitely into the future”.
     42name)”, thereby “ [putting] users at risk indefinitely into the future”.
    4143
    4244On the other hand, it is important to note that “while this particular
     
    6062in the near future. Relay operators should be sure to upgrade; a
    6163point-release of the Tor Browser will offer the same fixes to ordinary
    62 users. Nusenu suggested [XXX] that relay operators regularly check
    63 their logs for the new warning, “even if the attack origin is not
    64 directly attributable from a relay’s point of view”. Be sure to read the
    65 full security advisory for a fuller explanation of the attack and its
     64users. Nusenu suggested [5] that relay operators regularly check their
     65logs for the new warning, “even if the attack origin is not directly
     66attributable from a relay’s point of view”. Be sure to read the full
     67security advisory for a fuller explanation of the attack and its
    6668implications.
    6769
    68  [XXX]: https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html
    69  [XXX]: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
    70  [XXX]: https://www.torproject.org/docs/faq#EntryGuards
    71  [XXX]: https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation
    72  [XXX]: https://lists.torproject.org/pipermail/tor-relays/2014-August/005046.html
     70   [1]: https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html
     71   [2]: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
     72   [3]: https://www.torproject.org/docs/faq#EntryGuards
     73   [4]: https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation
     74   [5]: https://lists.torproject.org/pipermail/tor-relays/2014-August/005046.html
    7375
    7476Why is bad-relays a closed mailing list?
     
    7678
    7779Damian Johnson and Philipp Winter have been working on improving the
    78 process of reporting bad relays [XXX]. The process starts by having
    79 users report odd behaviors to the bad-relays mailing list.
     80process of reporting bad relays [6]. The process starts by having users
     81report odd behaviors to the bad-relays mailing list.
    8082
    8183Only a few trusted volunteers receive and review these reports. Nusenu
    82 started a discussion on tor-talk [XXX] advocating for more transparency.
     84started a discussion on tor-talk [7] advocating for more transparency.
    8385Nusenu argues that an open list would “likely get more confirm/can’t
    8486confirm feedback for a given badexit candidate”, and that it would allow
     
    8688
    8789Despite being “usually on the side of transparency”, Roger Dingledine
    88 described [XXX] being “stuck” on the issue, “because the arms race is so
     90described [8] being “stuck” on the issue, “because the arms race is so
    8991lopsidedly against us”.
    9092
     
    98100A better future and more transparency probably lies in adaptative test
    99101systems run by multiple volunteer groups. Until they come to existence,
    100 as a small improvement, Philipp Winter wrote [XXX] it was probably safe
    101 to publish why relays were disabled, through “short sentence along the
     102as a small improvement, Philipp Winter wrote [9] it was probably safe to
     103publish why relays were disabled, through “short sentence along the
    102104lines of ‘running HTTPS MitM’ or ‘running sslstrip’”.
    103105
    104  [XXX]: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays
    105  [XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034198.html
    106  [XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034219.html
    107  [XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034216.html
     106   [6]: https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays
     107   [7]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034198.html
     108   [8]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034219.html
     109   [9]: https://lists.torproject.org/pipermail/tor-talk/2014-July/034216.html
    108110
    109111Monthly status reports for July 2014
     
    111113
    112114Time for monthly reports from Tor project members. The July 2014 round
    113 was opened by Georg Koppen [XXX], followed by Philipp Winter [XXX],
    114 Sherief Alaa [XXX], Lunar [XXX], Nick Mathewson [XXX], Pearl
    115 Crescent [XXX], George Kadianakis [XXX], Matt Pagan [XXX], Isis
    116 Lovecruft [XXX], Griffin Boyce [XXX], Arthur Edelstein [XXX], and
    117 Karsten Loesing [XXX].
    118 
    119  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000598.html
    120  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000599.html
    121  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000601.html
    122  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000603.html
    123  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000604.html
    124  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000605.html
    125  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000608.html
    126  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000609.html
    127  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000610.html
    128  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000611.html
    129  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000612.html
    130  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000614.html
    131 
    132 Lunar reported on behalf of the help desk [XXX] and Mike Perry for the
    133 Tor Browser team [XXX].
    134 
    135  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000602.html
    136  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000607.html
     115was opened by Georg Koppen [10], followed by Philipp Winter [11],
     116Sherief Alaa [12], Lunar [13], Nick Mathewson [14], Pearl Crescent [15],
     117George Kadianakis [16], Matt Pagan [17], Isis Lovecruft [18], Griffin
     118Boyce [19], Arthur Edelstein [20], and Karsten Loesing [21].
     119
     120  [10]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000598.html
     121  [11]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000599.html
     122  [12]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000601.html
     123  [13]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000603.html
     124  [14]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000604.html
     125  [15]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000605.html
     126  [16]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000608.html
     127  [17]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000609.html
     128  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000610.html
     129  [19]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000611.html
     130  [20]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000612.html
     131  [21]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000614.html
     132
     133Lunar reported on behalf of the help desk [22] and Mike Perry for the
     134Tor Browser team [23].
     135
     136  [22]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000602.html
     137  [23]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000607.html
    137138
    138139Miscellaneous news
     
    141142Anthony G. Basile announced a new release of tor-ramdisk, an i686 or
    142143x86_64 uClibc-based micro Linux distribution whose only purpose is to
    143 host a Tor server. Version 20140801 [XXX] updates Tor to version
     144host a Tor server. Version 20140801 [24] updates Tor to version
    1441450.2.4.23, and the kernel to 3.15.7 with Gentoo’s hardened patches.
    145146
    146  [XXX]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-August/000132.html
    147 
    148 meejah has announced [XXX] a new command-line application. carml is a versatile
    149 set of tools to “query and control a running Tor”. It can do things like “list
    150 and remove streams and circuits; monitor stream, circuit and address-map
    151 events; watch for any Tor event and print it (or many) out; monitor bandwidth;
    152 run any Tor control-protocol command; pipe through common Unix tools like grep,
    153 less, cut, etcetera; download TBB through Tor, with pinned certs and signature
    154 checking; and even spit out and run xplanet configs (with router/circuit
    155 markers)!” The application is written in Python and uses the
    156 txtorcon library [XXX]. meejah describes it as early-alpha and warns that it
    157 might contain “serious, anonymity-destroying bugs”. Watch out!
    158 
    159  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007295.html
    160  [XXX]: https://github.com/meejah/carml
    161  [XXX]: https://txtorcon.readthedocs.org/
    162 
    163 Only two weeks left for the Google Summer of Code students, and the last round of
    164 reports but one: Juha Nurmi on the ahmia.fi project [XXX], Marc Juarez on
    165 website fingerprinting defenses [XXX], Amogh Pradeep on Orbot and Orfox
    166 improvements [XXX], Zack Mullaly on the HTTPS Everywhere secure ruleset update
    167 mechanism [XXX], Israel Leiva on the GetTor revamp [XXX], Quinn Jarrell on the
    168 pluggable transport combiner [XXX], Daniel Martí on incremental updates to
    169 consensus documents [XXX], Noah Rahman on Stegotorus enhancements [XXX],
    170 and Sreenatha Bhatlapenumarthi on the Tor Weather rewrite [XXX].
    171 
    172  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000600.html
    173  [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000606.html
    174  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007282.html
    175  [XXX]: https://lists.eff.org/pipermail/https-everywhere/2014-August/002199.html
    176  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007284.html
    177  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007285.html
    178  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007287.html
    179  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007288.html
    180  [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007293.html
     147  [24]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-August/000132.html
     148
     149meejah has announced [25] a new command-line application. carml [26] is
     150a versatile set of tools to “query and control a running Tor”. It can do
     151things like “list and remove streams and circuits; monitor stream,
     152circuit and address-map events; watch for any Tor event and print it (or
     153many) out; monitor bandwidth; run any Tor control-protocol command; pipe
     154through common Unix tools like grep, less, cut, etcetera; download TBB
     155through Tor, with pinned certs and signature checking; and even spit out
     156and run xplanet configs (with router/circuit markers)!” The application
     157is written in Python and uses the txtorcon library [27]. meejah
     158describes it as early-alpha and warns that it might contain “serious,
     159anonymity-destroying bugs”. Watch out!
     160
     161  [25]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007295.html
     162  [26]: https://github.com/meejah/carml
     163  [27]: https://txtorcon.readthedocs.org/
     164
     165Only two weeks left for the Google Summer of Code students, and the last
     166round of reports but one: Juha Nurmi on the ahmia.fi project [28], Marc
     167Juarez on website fingerprinting defenses [29], Amogh Pradeep on Orbot
     168and Orfox improvements [30], Zack Mullaly on the HTTPS Everywhere secure
     169ruleset update mechanism [31], Israel Leiva on the GetTor revamp [32],
     170Quinn Jarrell on the pluggable transport combiner [33], Daniel Martí on
     171incremental updates to consensus documents [34], Noah Rahman on
     172Stegotorus enhancements [35], and Sreenatha Bhatlapenumarthi on the Tor
     173Weather rewrite [36].
     174
     175  [28]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000600.html
     176  [29]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000606.html
     177  [30]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007282.html
     178  [31]: https://lists.eff.org/pipermail/https-everywhere/2014-August/002199.html
     179  [32]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007284.html
     180  [33]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007285.html
     181  [34]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007287.html
     182  [35]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007288.html
     183  [36]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007293.html
    181184
    182185The Tails team is looking for testers to solve a possible incompatiblity
    183 in one of the recommended installation procedures. If you have a running Tails
    184 system, a spare USB stick and some time, please help [XXX]. Don’t miss
    185 the recommended command-line options [XXX]!
    186 
    187  [XXX]: https://mailman.boum.org/pipermail/tails-testers/2014-July/000059.html
    188  [XXX]: https://mailman.boum.org/pipermail/tails-testers/2014-July/000060.html
    189 
    190 The Citizen Lab Summer Institute [XXX] took place at the University of Toronto
    191 from July 28 to 31. The event brought together policy and technology
    192 researchers who focus on Internet censorship and measurement. A lot of great
    193 work was presented including but not limited to a proposal to measure the
    194 chilling effect, ongoing work to deploy Telex [XXX], and several projects to
    195 measure censorship in different countries. Some Tor-related work was also
    196 presented: Researchers are working on understanding how the Tor network is used
    197 for political purposes. Another project makes use of TCP/IP side channels to
    198 measure the reachability of Tor relays from within China [XXX].
    199 
    200 [XXX] https://citizenlab.org/summerinstitute/2014.html
    201 [XXX] http://freehaven.net/anonbib/cache/usenix11-telex.pdf
    202 [XXX] https://arxiv.org/pdf/1312.5739.pdf
     186in one of the recommended installation procedures. If you have a running
     187Tails system, a spare USB stick and some time, please help [37]. Don’t
     188miss the recommended command-line options [38]!
     189
     190  [37]: https://mailman.boum.org/pipermail/tails-testers/2014-July/000059.html
     191  [38]: https://mailman.boum.org/pipermail/tails-testers/2014-July/000060.html
     192
     193The Citizen Lab Summer Institute [39] took place at the University of
     194Toronto from July 28 to 31. The event brought together policy and
     195technology researchers who focus on Internet censorship and measurement.
     196A lot of great work was presented including but not limited to a
     197proposal to measure the chilling effect, ongoing work to deploy
     198Telex [40], and several projects to measure censorship in different
     199countries. Some Tor-related work was also presented: Researchers are
     200working on understanding how the Tor network is used for political
     201purposes. Another project makes use of TCP/IP side channels to measure
     202the reachability of Tor relays from within China [41].
     203
     204  [39]: https://citizenlab.org/summerinstitute/2014.html
     205  [40]: http://freehaven.net/anonbib/cache/usenix11-telex.pdf
     206  [41]: https://arxiv.org/pdf/1312.5739.pdf
    203207
    204208The Electronic Frontier Foundation wrote two blog posts to show why Tor
    205 is important for universities and how universities can help the Tor network.
    206 The first part [XXX] explains why Tor matters, gives several examples of
    207 universities already contributing to the Tor network, and outlines a few
    208 reasons for hosting new Tor nodes. The second part [XXX] gives actual tips
    209 on where to start, and how to do it best.
    210 
    211  [XXX]: https://www.eff.org/deeplinks/2014/08/tor-campus-part-i-its-been-done-and-should-happen-again
    212  [XXX]: https://www.eff.org/deeplinks/2014/08/tor-campus-part-ii-icebreakers-and-risk-mitigation-strategies
     209is important for universities and how universities can help the Tor
     210network.  The first part [42] explains why Tor matters, gives several
     211examples of universities already contributing to the Tor network, and
     212outlines a few reasons for hosting new Tor nodes. The second part [43]
     213gives actual tips on where to start, and how to do it best.
     214
     215  [42]: https://www.eff.org/deeplinks/2014/08/tor-campus-part-i-its-been-done-and-should-happen-again
     216  [43]: https://www.eff.org/deeplinks/2014/08/tor-campus-part-ii-icebreakers-and-risk-mitigation-strategies
    213217
    214218Tor help desk roundup
    215219---------------------
    216220
    217 Users occasionally ask if there is any way to set Tor Browser as the default
    218 browser on their system. Currently this is not possible, although it may be
    219 possible in a future Tor Browser release [XXX]. In the mean time, Tails
    220 provides another way to prevent accidentally opening hyperlinks in a non-Tor
    221 browser.
    222 
    223  [XXX]: https://bugs.torproject.org/12763
     221Users occasionally ask if there is any way to set Tor Browser as the
     222default browser on their system. Currently this is not possible,
     223although it may be possible in a future Tor Browser release [44]. In the
     224mean time, Tails provides another way to prevent accidentally opening
     225hyperlinks in a non-Tor browser.
     226
     227  [44]: https://bugs.torproject.org/12763
    224228
    225229Easy development tasks to get involved with
     
    228232Tor Launcher is the Tor controller shipped with Tor Browser written in
    229233JavaScript. Starting with Firefox 14 the “nsILocalFile” interface has
    230 been deprecated and replaced with the “nsIFile” interface [XXX]. What we
     234been deprecated and replaced with the “nsIFile” interface [45]. What we
    231235should do is replace all instances of “nsILocalFile” with “nsIFile” and
    232236see if anything else needs fixing to make Tor Launcher still work as
    233237expected. If you know a little bit about Firefox extensions and want to
    234 give this a try, clone the repository [XXX], make the necessary changes,
     238give this a try, clone the repository [46], make the necessary changes,
    235239run “make package”, and tell us whether something broke in interesting
    236240ways.
    237241
    238  [XXX]: https://bugs.torproject.org/10573
    239  [XXX]: https://gitweb.torproject.org/tor-launcher.git
     242  [45]: https://bugs.torproject.org/10573
     243  [46]: https://gitweb.torproject.org/tor-launcher.git
    240244
    241245Upcoming events
     
    263267Want to continue reading TWN? Please help us create this newsletter.
    264268We still need more volunteers to watch the Tor community and report
    265 important news. Please see the project page [XXX], write down your
    266 name and subscribe to the team mailing list [XXX] if you want to
     269important news. Please see the project page [47], write down your
     270name and subscribe to the team mailing list [48] if you want to
    267271get involved!
    268272
    269   [XXX]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    270   [XXX]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
     273  [47]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
     274  [48]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    271275}}}