Changes between Version 5 and Version 6 of TorWeeklyNews/2015/20


Timestamp: May 22, 2015, 1:31:12 PM (4 years ago)
Author: harmony
Comment: sent

  • TorWeeklyNews/2015/20

    v5 v6  
    55'''Subject:''' Tor Weekly News — May 22nd, 2015
    66
    7 {{{
    8 ========================================================================
    9 Tor Weekly News                                           May 22nd, 2015
    10 ========================================================================
    11 
    12 Welcome to the twentieth issue in 2015 of Tor Weekly News, the weekly
    13 newsletter that covers what’s happening in the aleatoric [1] Tor
    14 community.
    15 
    16   [1]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008821.html
    17 
    18 Contents
    19 --------
    20 
    21  1. Tor 0.2.6.8 is out
    22  2. Tor Browser 4.5.1 and 5.0a1 are out
    23  3. Fixing the Tor network’s bandwidth measurement system
    24  4. Stopping onion service DoS attacks by limiting connections
    25  5. What is the value of anonymous communication?
    26  6. Miscellaneous news
    27  7. This week in Tor history
    28  8. Upcoming events
    29 
    30 Tor 0.2.6.8 is out
    31 ------------------
    32 
    33 Nick Mathewson announced [2] a new release in the current stable branch
    34 of the core Tor software. Tor 0.2.6.8 stops directory authorities from
    35 giving the HSDir flag to relays without a DirPort configured, which was
    36 causing accessibility problems [3] for some hidden services. It also
    37 fixes a bug [4] that could have allowed a Tor client to crash an onion
    38 service in a very small number of cases where the service was making use
    39 of Tor’s “client authorization” feature.
    40 
    41 If you are running one of the Tor network’s nine directory authorities,
    42 you should upgrade as soon as possible. If you aren’t one of those
    43 people, no urgent action is required.
    44 
    45   [2]: https://blog.torproject.org/blog/tor-0268-released
    46   [3]: https://bugs.torproject.org/15850
    47   [4]: https://bugs.torproject.org/15823
    48 
    49 Tor Browser 4.5.1 and 5.0a1 are out
    50 -----------------------------------
    51 
    52 Mike Perry announced new releases by the Tor Browser team in both the
    53 stable and alpha series. Tor Browser 4.5.1 [5] relaxes the “first-party
    54 isolation” system slightly, in order to solve some usability issues
    55 affecting websites that host their content on several subdomains. In
    56 addition, NoScript’s ClearClick anti-clickjacking feature is disabled,
    57 as it had been causing frequent false positives, especially on pages
    58 serving captchas.
    59 
    60 In addition to those fixes, Tor Browser 5.0a1 [6] includes several new
    61 privacy-preserving features. The automatic window-resizing feature from
    62 4.5a4 is reintroduced here, and JavaScript’s ability to take precise
    63 timings of some activities has been limited, in order to defend against
    64 browser fingerprinting attacks.
    65 
    66 See Mike’s announcements for full changelogs, download instructions, and
    67 advice on reporting any issues you experience. Both releases include
    68 important security updates to Firefox, so please upgrade as soon as you
    69 can!
    70 
    71   [5]: https://blog.torproject.org/blog/tor-browser-451-released
    72   [6]: https://blog.torproject.org/blog/tor-browser-50a1-released
    73 
    74 Fixing the Tor network’s bandwidth measurement system
    75 -----------------------------------------------------
    76 
    77 When a Tor relay is first set up, it performs a test to estimate its own
    78 ability to handle Tor traffic, and then reports this figure to the
    79 directory authorities [7] — the so-called “advertised bandwidth”.  In
    80 the earliest versions of the Tor network, the directory authorities used
    81 this advertised value directly when creating the consensus [8], even
    82 though the amount of bandwidth available to relays is sometimes greater
    83 or lesser than the reported figure. This led to poor balancing of the
    84 traffic load across the Tor network, and to the overwhelming impression
    85 that Tor is just “slow”.
    86 
    87 In 2009, therefore, Mike Perry introduced the “bandwidth authority” (or
    88 “bwauth”) scripts as part of his TorFlow suite of tools [9]. Computers
    89 that are configured to run as bwauths regularly scan the relays that
    90 make up the Tor network to see if the bandwidth they advertise
    91 corresponds to their real capacity. If not, the consensus will adjust
    92 the advertised bandwidth up or down to reflect the measurements taken by
    93 the bwauths; this adjusted value is the “consensus weight”, and clients
    94 using the consensus weight to select their Tor circuits experience much
    95 less of the lag that plagued the Tor network in its infancy [10].
    96 
    97 At least, that’s how it should work. For some time, the bwauth scripts
    98 have been unmaintained, leading to problems for their operators, and
    99 more recently they appear to have  broken in a way that is hard to
    100 diagnose. As nusenu pointed out [11], a significant number of Tor relays
    101 are now unmeasured, which means that some Tor relay operators are
    102 contributing bandwidth which the network is not using in the most
    103 efficient way.
    104 
    105 In the short term, work is underway to patch up the bwauth scripts so
    106 that they can once again scan all the relays in the network: Tom Ritter
    107 announced [12] that new bwauths have been brought online to provide the
    108 necessary measurements, and the scripts are being investigated to see if
    109 differences between consensuses are causing scanners to miss some
    110 relays.
    111 
    112 A more permanent fix, however, might involve a total rewrite of the
    113 bwauth scripts if, as Roger Dingledine suggested [13], the design itself
    114 is flawed. Tor Project contributor Aaron Gibson will hopefully be
    115 addressing this issue as part of an upcoming fellowship with OTF, and a
    116 number of other research groups are also working towards a more robust
    117 design for the bandwidth measurement system.
    118 
    119 Be sure to sign up to the tor-relays mailing list [14] for further
    120 information. Thanks to all relay operators for their patience while the
    121 problem-solving continues!
    122 
    123   [7]: https://metrics.torproject.org/about.html#directory-authority
    124   [8]: https://metrics.torproject.org/about.html#consensus
    125   [9]: https://blog.torproject.org/blog/torflow-node-capacity-integrity-and-reliability-measurements-hotpets
    126  [10]: https://www.youtube.com/watch?v=f4BUZrbFbis
    127  [11]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007003.html
    128  [12]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007042.html
    129  [13]: https://lists.torproject.org/pipermail/tor-relays/2015-May/007006.html
    130  [14]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
    131 
    132 Stopping onion service DoS attacks by limiting connections
    133 ----------------------------------------------------------
    134 
    135 George Kadianakis published an experimental workaround [15] for onion
    136 services affected by a newly-discovered denial-of-service attack [16].
    137 “In this attack”, as George explained, “the adversary forces a hidden
    138 service to create thousands of connections to its underlying application
    139 (e.g. the webserver), which overwhelms both Tor and the underlying
    140 application”.
    141 
    142 Onion service operators who want to test the fix will need to recompile
    143 their Tor from a special git branch, then configure the new settings in
    144 their torrc file to set an upper limit on the number of TCP connections
    145 a client can make. “Let us know if this works for you, by sending an
    146 email to this list, or commenting on the trac ticket. If it works for
    147 people, we might incorporate it in a Tor release soon”, wrote George.
    148 
    149  [15]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008838.html
    150  [16]: https://bugs.torproject.org/16052
    151 
    152 What is the value of anonymous communication?
    153 ---------------------------------------------
    154 
    155 Researchers at Drexel University in Philadelphia are investigating the
    156 ways in which Tor users “write blog posts, edit Wikipedia articles,
    157 contribute to open source projects on GitHub, post on discussion forums,
    158 comment on news articles, Tweet, write reviews, and many other things”
    159 as part of their online activity, and whether or not they are inhibited
    160 by obstacles such as captchas, IP blacklists, or other blocking
    161 mechanisms, as Kate Krauss explained on the Tor blog [17].
    162 
    163 According to Professor Rachael Greenstadt, one of the co-authors: “By
    164 understanding the contributions that Tor users make, we can help make a
    165 case for the value of anonymity online”.
    166 
    167 One of the biggest threats to Tor’s success, as Roger Dingledine wrote
    168 last year [18], is the “siloing” of the Internet caused by the “growing
    169 number of websites [that] treat users from anonymity services
    170 differently”, so it’s more important than ever to demonstrate the many
    171 contributions to online projects made by Tor users. If you are a Tor
    172 user and don’t mind sharing your experiences of using Tor to communicate
    173 anonymously online, please see Kate’s post for more information on how
    174 to participate in the study.
    175 
    176  [17]: https://blog.torproject.org/blog/study-what-value-anonymous-communication
    177  [18]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users
    178 
    179 Miscellaneous news
    180 ------------------
    181 
    182 Damian Johnson put out a new release [19] of Stem [20], the Tor
    183 controller library in Python. Stem 1.4 brings another increase in the
    184 speed of document parsing (now that descriptors are not validated by
    185 default), and includes support for Tor’s new “ephemeral onion service”
    186 and descriptor handling features [21]. See Damian’s announcement for the
    187 full changelog.
    188 
    189  [19]: https://blog.torproject.org/blog/stem-release-14
    190  [20]: https://stem.torproject.org/
    191  [21]: https://stem.torproject.org/tutorials/over_the_river.html#ephemeral-hidden-services
    192 
    193 Alec Muffett, the lead engineer behind Facebook’s onion service,
    194 contributed some notes on his experiences [22] to a thread about serving
    195 the same site as both an onion service and a regular website.
    196 
    197  [22]: https://lists.torproject.org/pipermail/tor-talk/2015-May/037840.html
    198 
    199 Jesse Victors, one of the students participating in the first-ever Tor
    200 Summer of Privacy [23], explained in greater detail [24] his proposal
    201 for “OnioNS”, a method of creating human-memorable yet secure addresses
    202 for onion services.
    203 
    204  [23]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
    205  [24]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008826.html
    206 
    207 Colin C. sent out the Tor Help Desk report for April [25].
    208 
    209  [25]: https://lists.torproject.org/pipermail/tor-reports/2015-May/000827.html
    210 
    211 Thanks to Matt Hoover [26] and spriver [27] for running mirrors of the
    212 Tor Project website and software archive!
    213 
    214  [26]: https://lists.torproject.org/pipermail/tor-mirrors/2015-May/000882.html
    215  [27]: https://lists.torproject.org/pipermail/tor-mirrors/2015-May/000888.html
    216 
    217 Micah Lee discovered a bug [28] that is causing OnionShare, the onion
    218 service-based file-sharing application, to crash the entire Tor process
    219 when run using Tails [29].
    220 
    221  [28]: https://bugs.torproject.org/16106
    222  [29]: https://mailman.boum.org/pipermail/tails-dev/2015-May/008840.html
    223 
    224 Martin Florian discussed [30] the problems caused by onion services that
    225 change their IP address during operation, such as those hosted on mobile
    226 devices. “Some logic needs to be included for forgetting about rendevouz
    227 points that have failed once…Am I on the right track? Is this a good
    228 idea? And how do I forget about RPs?”
    229 
    230  [30]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008841.html
    231 
    232 This week in Tor history
    233 ------------------------
    234 
    235 A year ago this week [31], Anders Andersson wondered [32] about the
    236 problems that Tor would face if the .onion top-level domain (TLD) were
    237 to be sold by ICANN for public registration, in the same way as the
    238 large number of new “generic” TLDs. This question had already been the
    239 subject of a submission [33] to the Internet Engineering Task Force
    240 co-authored by the Tor Project’s Jacob Appelbaum, arguing that the
    241 .onion suffix should be one of several TLDs set aside for special use by
    242 peer-to-peer software.
    243 
    244 This week, Jacob and Facebook’s Alec Muffett submitted another
    245 Internet-draft [34] to the IETF, specifically requesting the
    246 registration of .onion as a special-use TLD now that it is in wide use.
    247 If it is approved, the .onion suffix will be reserved for use by Tor,
    248 ensuring that no conflicts arise later which might break the onion
    249 service naming system or enable attacks on users.
    250 
    251  [31]: https://lists.torproject.org/pipermail/tor-news/2014-May/000046.html
    252  [32]: https://lists.torproject.org/pipermail/tor-talk/2014-May/032974.html
    253  [33]: https://tools.ietf.org/id/draft-grothoff-iesg-special-use-p2p-names-02.txt
    254  [34]: https://www.ietf.org/id/draft-appelbaum-dnsop-onion-tld-01.txt
    255 
    256 Upcoming events
    257 ---------------
    258 
    259   May 22 16:00 UTC | SponsorO Tor Messenger/Tor Mail meeting
    260                    | #tor-project, irc.oftc.net
    261                    |
    262   May 25 18:00 UTC | Tor Browser meeting
    263                    | #tor-dev, irc.oftc.net
    264                    |
    265   May 25 18:00 UTC | OONI development meeting
    266                    | #ooni, irc.oftc.net
    267                    |
    268   May 26 18:00 UTC | little-t tor patch workshop
    269                    | #tor-dev, irc.oftc.net
    270                    |
    271   May 27 02:00 UTC | Pluggable transports/bridges meeting
    272                    | #tor-dev, irc.oftc.net
    273                    |
    274   May 27 13:30 UTC | little-t tor development meeting
    275                    | #tor-dev, irc.oftc.net
    276                    |
    277   Jun 03 19:00 UTC | Tails contributors meeting
    278                    | #tails-dev, irc.oftc.net
    279                    | https://mailman.boum.org/pipermail/tails-project/2015-May/000206.html
    280                    |
    281   Jun 30 - Jul 02  | Many Tor people @ 15th Privacy Enhancing Technologies Symposium
    282                    | Philadelphia, USA
    283                    | https://petsymposium.org/2015/
    284 
    285 
    286 This issue of Tor Weekly News has been assembled by Harmony, Karsten
    287 Loesing, and Roger Dingledine.
    288 
    289 Want to continue reading TWN? Please help us create this newsletter.
    290 We still need more volunteers to watch the Tor community and report
    291 important news. Please see the project page [35], write down your
    292 name and subscribe to the team mailing list [36] if you want to
    293 get involved!
    294 
    295  [35]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    296  [36]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    297 }}}
     7'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2015-May/000098.html Sent].