wiki:TorWeeklyNews/2014/33

Version 38 (modified by harmony, 6 years ago) (diff)

add aphex twin

59th issue of Tor Weekly News. Covering what's happening from August 12th, 2014 to August 19th, 2014. To be released on August 20th, 2014.

Editor: harmony

Subject: Tor Weekly News — August 20th, 2014

========================================================================
Tor Weekly News                                        August 20th, 2014
========================================================================

Welcome to the thirty-third issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the community around Tor,
the anonymity network preferred by Aphex Twin [XXX].

 [XXX]: https://www.dailydot.com/entertainment/aphex-twin-deep-web-album-syro/

Tor Browser 3.6.4 and 4.0-alpha-1 are out
-----------------------------------------

Erinn Clark took to the Tor Blog [XXX] to announce two new releases by
the Tor Browser team. The stable version (3.6.4) contains fixes for
several new OpenSSL bugs, although since Tor should only be vulnerable
to one of them, and “as this issue is only a DoS”, it is not considered
a critical security update. This release also brings Tor Browser users
the fixes that give log warnings about the RELAY_EARLY traffic
confirmation attack explained last month [XXX]. Please be sure to
upgrade as soon as possible.

Alongside this stable release, the first alpha version of Tor Browser
4.0 is now available. Among the most exciting new features of this
series is the inclusion of the meek [XXX] pluggable transport. In
contrast to the bridge-based transports already available in Tor
Browser, meek relies on a principle of “too big to block”, as its
creator David Fifield explained: “instead of going through a bridge
with a secret address, you go through a known domain (www.google.com
for example) that the censor will be reluctant to block. You don’t need
to look up any bridge addresses before you get started” [XXX]. meek
currently supports two “front domains”, Google and Amazon Web Services;
it may therefore be especially useful for users behind extremely
restrictive national or local firewalls. David posted a fuller
explanation of meek, and how to configure it, in a separate blog
post [XXX].

This alpha release also “paves the way to [the] upcoming autoupdater by
reorganizing the directory structure of the browser”, as Erinn wrote.
This means that users upgrading from any previous Tor Browser series
cannot extract the new version over their existing Tor Browser folder,
or it will not work.

You can consult the full list of changes and bugfixes for both versions
in Erinn’s post, and download the new releases themselves from the Tor
website [XXX].

 [XXX]: https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released
 [XXX]: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
 [XXX]: https://trac.torproject.org/projects/tor/wiki/doc/meek
 [XXX]: XXX will link when I find out how to reference specific blog comments
 [XXX]: https://blog.torproject.org/blog/how-use-%E2%80%9Cmeek%E2%80%9D-pluggable-transport
 [XXX]: https://www.torproject.org/dist/torbrowser/

The Tor network doesn't support addressing relays by name anymore
-----------------------------------------------------------------

Since the very first versions of Tor [XXX], relay operators have been
able specify “nicknames” for their relays. Such nicknames were initially
meant to be unique accross the network, and operators of directory
authorities would manually “bind” a relay identity key after verifying
the nickname. The process became formalized with the “Named” flag
introduced in the 0.1.1 series [XXX], and latter automated with the
0.2.0 series. If a relay held a unique nickname for long enough, the
authority would recognize the binding, and subsequently reserve the name
for half a year.

Nicknames are useful because it appears humans are not very good at 
thinking using long strings of random bits. Initially, they made it 
possible to understand what was happening in the network more easily, 
and to address a specific relay in a shorter way. Having two relays with 
the same nickname in the whole network is not really problematic when 
one is looking at nodes, or a list on Globe [XXX] as relays can always 
be differentiated by their IP addresses or identity keys. 

But complications start when nicknames are used to specify a relay and 
not another. If the wrong relay get selected, then it can become a 
security risk. Even if a good amount of efforts [XXX] have been spent 
trying to improve the situation, properly enforcing uniqueness has 
always been problematic and a burden for the few directory authorities 
handling naming. 

Back in April, “Heartblead” [XXX] forced many relays to switch to a new
identity key, thus loosing their “Named” flag. Because this meant that
anyone addressing relays with nickname would now have a hard time
continuing to do so, this was seen by Sebastian Hahn as the opportunity
to get rid of the idea entirely [XXX].

This week, Sebastian wrote [XXX]: “Code review down to 0.2.3.x has shown
that the naming-related code hasn't changed much at all, and no issues
were found which would mean a Named-flag free consensus would cause any
problems. gabelmoo and tor26 have stopped acting as Naming Directory
Authorities, and — pending any issues — will stay that way.”

This mans that addressing relays by nicknames has now stopped working.
“If you — in your Tor configuration file — refer to any relay by name
and not by identity hash, please change that immediately. Future
versions of Tor will not support using names in the configuration at
all”, warns Sebastian [XXX].

 [XXX]: https://gitweb.torproject.org/tor.git/blob/161d7d1:/src/config/torrc.in#l20
 [XXX]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/attic/dir-spec-v2.txt#l427
 [XXX]: https://globe.torproject.org/#/search/query=Unnamed
 [XXX]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/122-unnamed-flag.txt
 [XXX]: https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
 [XXX]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/235-kill-named-flag.txt
 [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007348.html
 [XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-August/034380.html

Miscellaneous news
------------------

meejah announced [XXX] the release of version 0.11.0 of txtorcon, a
Twisted-based Python controller library for Tor. This release brings
several API improvements; see meejah’s message for full release notes
and instructions on how to download it.

 [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007375.html

Nick Mathewson asked for comments [XXX] on Trunnel, “a little tool to
automatically generate binary encoding and parsing code based on
C-like structure descriptions” intended to prevent Heartbleed-style
vulnerabilities from creeping into Tor’s binary-parsing code in C. “My
open questions are: Is this a good idea? Is it a good idea to use this
in Tor? Are there any tricky bugs left in the generated code? What am I
forgetting to think of?”, wrote Nick.

 [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007355.html

Arturo Filastò requested feedback [XXX] on some proposed changes to
the format of the “test deck” used by ooni-probe, the main project of
the Open Observatory of Network Interference. “A test deck is basically
a way of telling it ‘Run this list of OONI tests with these inputs and
by the way be sure you also set these options properly when doing
so’…This new format is supposed to overcome some of the limitations of
the old design and we hope that a major redesign will not be needed in
the near future”, wrote Arturo.

 [XXX]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007353.html

Tor’s importance to users who are at risk, for a variety of reasons,
makes it an attractive target for creators of malware, who distribute
fake or modified versions of Tor software for malicious purposes.
Following a recent report of a fake Tor Browser in circulation, Julien
Voisin carried out an investigation of the compromised software, and
posted a detailed analysis [XXX] of the results. To ensure you are
protected against this sort of attack, make sure you verify any Tor
software you download [XXX] before running it!

 [XXX]: http://dustri.org/b/torbundlebrowserorg.html
 [XXX]: https://www.torproject.org/docs/verifying-signatures

Arlo Breault submitted a status report for July [XXX].

 [XXX]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000622.html

Tor help desk roundup
---------------------

The help desk has been asked if it's possible to set up an anonymous blog 
using Tor. The Hyde project [XXX], developed by Karsten Loesing, documents 
the step-by-step process of using Tor, Jekyll, and Nginx to host an 
anonymous blog as a hidden service. 

 [XXX]: https://github.com/kloesing/hyde/blob/master/publisher-manual/index.md

News from Tor StackExchange
---------------------------

The Tor StackExchange site is looking for another friendly and helpful
moderator [XXX]. Moderators need to take care of flagged items
(spam, me-too-comments, etc.), and are liaisons between the
community and StackExchange's community team. So if you're
interested, have a look at the theory of moderation [XXX] and
post an answer to the question at the Tor StackExchange Meta site.

 [XXX]: https://meta.tor.stackexchange.com/q/207/88
 [XXX]: http://blog.stackoverflow.com/2009/05/a-theory-of-moderation/

Easy development tasks to get involved with
-------------------------------------------

Text with cited source [XXX].

 [XXX]: 

Upcoming events
---------------

 August 20-22      | Roger @ USENIX Security Symposium ’14
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/usenixsecurity14
                   |
 Aug. 20 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
                   |
 Aug. 22 15:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
                   | https://lists.torproject.org/pipermail/ooni-dev/2014-August/000145.html
                   |
 Aug. 25 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
                   |
 Sep.  3 19:00 UTC | Tails contributors meeting
                   | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                   | https://mailman.boum.org/pipermail/tails-project/2014-August/000016.html


This issue of Tor Weekly News has been assembled by XXX, Matt Pagan,
Sebastian Hahn and Ximin Luo. 

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [XXX], write down your
name and subscribe to the team mailing list [XXX] if you want to
get involved!

  [XXX]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [XXX]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team