Changes between Version 11 and Version 12 of TorWeeklyNews/2015/24


Timestamp: Jun 17, 2015, 10:34:49 PM (4 years ago)
Author: harmony
Comment: --

  • TorWeeklyNews/2015/24

    v11 v12  
    55'''Subject:''' Tor Weekly News — June 17th, 2015
    66
    7 {{{
    8 ========================================================================
    9 Tor Weekly News                                          June 17th, 2015
    10 ========================================================================
    11 
    12 Welcome to the twenty-fourth issue in 2015 of Tor Weekly News, the
    13 weekly newsletter that covers what’s happening in the Tor community.
    14 
    15 Contents
    16 --------
    17 
    18  1. Tor 0.2.6.9 is out
    19  2. Tor Browser 4.5.2 and 5.0a2 are out
    20  3. The future of GetTor and uncensorable software distribution
    21  4. Great progress on Orfox browser
    22  5. A persistent Tor state for Tails?
    23  6. Miscellaneous news
    24  7. Upcoming events
    25 
    26 Tor 0.2.6.9 is out
    27 ------------------
    28 
    29 Nick Mathewson announced [1] a new release in Tor’s current stable
    30 series. Version 0.2.6.9 stops relays without the Stable flag from
    31 serving as onion service directories, and raises the uptime requirement
    32 for the Stable flag itself, which means that any Sybil attacks launched
    33 against the network will not become effective for at least a week. This
    34 change only affects the Tor network’s nine directory authorities, most
    35 of whom have already upgraded.
    36 
    37 The other significant fix in this release concerns port-based isolation
    38 of client requests, which now functions properly; if you make use of
    39 this feature in your standalone Tor client, then please upgrade as soon
    40 as possible. For other users, writes Nick, this “is not a high-urgency
    41 item”.
    42 
    43   [1]: https://blog.torproject.org/blog/tor-0269-released
    44 
    45 Tor Browser 4.5.2 and 5.0a2 are out
    46 -----------------------------------
    47 
    48 The Tor Browser team put out new stable and alpha releases of the
    49 privacy-preserving browser. As well as updates to key software
    50 components, versions 4.5.2 [2] and 5.0a2 [3] both contain fixes for the
    51 “Logjam” attack on TLS security [4] - as Nick Mathewson wrote [5] at the
    52 time of this vulnerability’s disclosure, the connections between Tor
    53 clients and relays were unlikely to have been affected by this attack,
    54 but the bug is now fixed in the browser component of Tor Browser as
    55 well.
    56 
    57 These new releases also fix a possible crash in Linux, and stop the
    58 Add-ons page from breaking if Torbutton is disabled. The new alpha
    59 further improves meek’s compatibility with the automatic update process
    60 on Windows machines.
    61 
    62 All users should upgrade their Tor Browser as soon as possible. Your
    63 browser might already have prompted you to do this — if not, you can
    64 always upgrade by downloading a fresh copy from the Tor website [6].
    65 
    66   [2]: https://blog.torproject.org/blog/tor-browser-452-released
    67   [3]: https://blog.torproject.org/blog/tor-browser-50a2-released
    68   [4]: https://weakdh.org/
    69   [5]: https://lists.torproject.org/pipermail/tor-dev/2015-May/008868.html
    70   [6]: https://www.torproject.org/projects/torbrowser.html
    71 
    72 The future of GetTor and uncensorable software distribution
    73 -----------------------------------------------------------
    74 
    75 The GetTor service [7] offers users who are unable to reach the Tor
    76 website an alternative method of downloading Tor Browser: any email sent
    77 to gettor@torproject.org will receive an automated reply containing
    78 links to file-hosting services (such as Dropbox) for the latest Tor
    79 Browser package and its signature.
    80 
    81 Israel Leiva, lead developer on the revamped GetTor project since last
    82 year’s Google Summer of Code, is back for the first-ever Tor Summer of
    83 Privacy [8] to continue expanding the feature set of this tool. As
    84 Israel wrote to the tor-dev mailing list [9], current plans for the
    85 summer include the addition of other file-hosting services, Tor Browser
    86 localizations, and other distribution methods (including instant
    87 messaging and Twitter).
    88 
    89 However, it might also be time for a more radical change in the way
    90 GetTor works. An official distributor application or browser add-on,
    91 available through channels like the OS X or Google Chrome app stores,
    92 could automate Tor Browser downloads, as well as the vital but
    93 unintuitive process of verifying the signature to ensure the software
    94 has not been tampered with. Israel offered two suggestions for the inner
    95 workings of such a distributor: one involving a fixed (but potentially
    96 blockable) backend API with which the distributor communicates, and one
    97 in which a more complex distributor is capable of helping the user
    98 download the required software from several different sources.
    99 
    100 Some related projects are already underway: the Tails team is discussing
    101 the possibility of its own browser add-on for ISO download and
    102 verification [10], while Griffin Boyce pointed [11] to his own Satori
    103 project, a distributor application that offers torrent files and
    104 content-delivery network (CDN) links. The discussion over the possible
    105 GetTor distributor’s relationship with these projects is still to be
    106 had.
    107 
    108 “I would really love to hear your comments about this idea, my work at
    109 Summer of Privacy might change depending on this discussion”, writes
    110 Israel. It’s clear that forcing users to depend on “single points of
    111 failure” for their software is bad news all round, so if you have
    112 worthwhile ideas to add to this discussion, feel free to take them to
    113 the tor-dev mailing list thread.
    114 
    115   [7]: https://www.torproject.org/projects/gettor
    116   [8]: https://trac.torproject.org/projects/tor/wiki/org/TorSoP
    117   [9]: https://lists.torproject.org/pipermail/tor-dev/2015-June/008949.html
    118  [10]: https://tails.boum.org/blueprint/bootstrapping/extension/
    119  [11]: https://github.com/glamrock/satori
    120 
    121 Great progress on Orfox browser
    122 -------------------------------
    123 
    124 Nathan Freitas, of mobile device security specialists the Guardian
    125 Project, reported [12] on the status of Orfox, the Android-compatible
    126 Tor Browser build. “The goal is to get as close to the ‘real Tor
    127 Browser’ while taking into account the new, unique issues we face on
    128 Android”, he wrote. Amogh Pradeep, former Google Summer of Code student
    129 and now intern at the Guardian Project, has made significant progress
    130 getting the software to build, and you can follow his regular updates on
    131 the Orfox development blog [13]. “We expect to have an alpha out this
    132 week”, wrote Nathan, “but feel free to jump in on testing of the posted
    133 builds, and file bugs or feature requests as you find them”.
    134 
    135  [12]: https://lists.mayfirst.org/pipermail/guardian-dev/2015-June/004446.html
    136  [13]: https://dev.guardianproject.info/projects/orfox-private-browser/news
    137 
    138 A persistent Tor state for Tails?
    139 ---------------------------------
    140 
    141 The Tails team is discussing the possibility of making Tor’s state
    142 persist across sessions in the anonymous live operating system. As the
    143 team writes on the relevant blueprint page [14], such a change would
    144 have several benefits: not only would Tor’s bootstrap process be faster
    145 and more efficient, but it would enable Tails to take advantage of the
    146 “entry guards” concept [15], without which Tails users are more likely
    147 to select a malicious entry node at some point over the course of their
    148 activity. Moreover, the fact that Tails selects a new entry node on
    149 every boot, while Tor Browser does not, allows an adversary to determine
    150 whether a user who remains on one network (their home or place of work,
    151 for example) is using Tails or not. This would also be solved by a
    152 persistent Tor state.
    153 
    154 However, this change does of course have some drawbacks. For one thing,
    155 although entry guards in Tails would help defend against end-to-end
    156 correlation attacks, they enable a certain kind of fingerprinting: if a
    157 user makes a connection to an entry guard from their home, and an
    158 adversary later observes a connection to the same guard from an event or
    159 meeting-place that the user is suspected of attending, the adversary can
    160 draw a conclusion about the user’s geographical movement. This violates
    161 one of Tails’ threat model principles, which the team calls
    162 “AdvGoalTracking”. There are ways that Tails could request location
    163 information from the user in order to maintain different entry guards
    164 for different locations, but too many requests for information might
    165 bamboozle Tails users into accidentally worsening their own security,
    166 especially if they do not understand the threat model behind the
    167 requests, or it does not apply to them.
    168 
    169 What is needed, then, is a balance between “defaults that suit the vast
    170 majority of use-cases […] for Tails’ target audience” and helping “users
    171 with different needs to avoid becoming less safe ‘thanks’ to this new
    172 feature”. The discussion continues on the tails-dev mailing list [16].
    173 
    174  [14]: https://tails.boum.org/blueprint/persistent_Tor_state/
    175  [15]: https://www.torproject.org/docs/faq#EntryGuards
    176  [16]: https://mailman.boum.org/pipermail/tails-dev/2015-June/009095.html
    177 
    178 Miscellaneous news
    179 ------------------
    180 
    181 Nick Mathewson recommended [17] that all relay operators upgrade their
    182 copies of OpenSSL to fix several issues that could enable remote
    183 denial-of-service attacks. As Nick makes clear, this is an “upgrade when
    184 you can”-level announcement, rather than a “run in circles freaking
    185 out”. Nick also requests that people still using OpenSSL’s 0.9.8 series
    186 upgrade to one of the more recent versions, as 0.9.8 contains several
    187 security flaws and will not be supported by Tor 0.2.7.2-alpha or later.
    188 
    189  [17]: https://lists.torproject.org/pipermail/tor-relays/2015-June/007179.html
    190 
    191 Sherief Alaa reported on his activities in May [18].
    192 
    193  [18]: https://lists.torproject.org/pipermail/tor-reports/2015-June/000854.html
    194 
    195 Upcoming events
    196 ---------------
    197 
    198   Jun 22 18:00 UTC | Tor Browser meeting
    199                    | #tor-dev, irc.oftc.net
    200                    |
    201   Jun 22 18:00 UTC | OONI development meeting
    202                    | #ooni, irc.oftc.net
    203                    |
    204   Jun 23 18:00 UTC | little-t tor patch workshop
    205                    | #tor-dev, irc.oftc.net
    206                    |
    207   Jun 24 13:30 UTC | little-t tor development meeting
    208                    | #tor-dev, irc.oftc.net
    209                    |
    210   Jun 24 02:00 UTC | Pluggable transports/bridges meeting
    211                    | #tor-dev, irc.oftc.net
    212                    |
    213   Jun 30 - Jul 02  | Many Tor people @ 15th Privacy Enhancing Technologies Symposium
    214                    | Philadelphia, USA
    215                    | https://petsymposium.org/2015/
    216                    |
    217   Jul 03 19:00 UTC | Tails contributors meeting
    218                    | #tails-dev, irc.oftc.net
    219                    | https://mailman.boum.org/pipermail/tails-project/2015-June/000242.html
    220 
    221 
    222 This issue of Tor Weekly News has been assembled by Harmony.
    223 
    224 Want to continue reading TWN? Please help us create this newsletter.
    225 We still need more volunteers to watch the Tor community and report
    226 important news. Please see the project page [19], write down your
    227 name and subscribe to the team mailing list [20] if you want to
    228 get involved!
    229 
    230  [19]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    231  [20]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    232 }}}
     7'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2015-June/000102.html Sent].
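
Review bot: the revision comment is empty ("--") although, going by the line numbering, this change drops the whole draft block from the old version (lines 7 to 232, the {{{ }}} newsletter text) and leaves only the new line 7, a Status link to the tor-news archive. A one-line comment such as "issue sent; draft replaced by archive link" would make the page history readable without opening the diff. It is also worth confirming that the archived message at the linked URL matches this final draft before the wiki copy is removed, since the wiki will no longer hold the text.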