Version 4 (modified by harmony, 5 years ago) (diff)


105th issue of Tor Weekly News. Covering what's happening from June 30th, 2015 to July 8th, 2015. To be released on July 9th, 2015.

Editor: Harmony

Subject: Tor Weekly News — July 9th, 2015

Tor Weekly News                                           July 9th, 2015

Welcome to the twenty-seventh issue in 2015 of Tor Weekly News,
the weekly newsletter that covers what’s happening in the Tor community.


 1. Tails 1.4.1 is out 
 2. Tor Browser 4.5.3 and 5.0a3 are out
 3. Tor unaffected by new OpenSSL security issue
 4. OVH is the largest and fastest-growing AS on the Tor network
 5. More monthly status reports for June 2015
 6. Miscellaneous news
 7. Upcoming events

Tails 1.4.1 is out 

The Tails team announced [XXX] version 1.4.1 of the anonymous live
operating system. Most notable in this release is the fix of automatic
upgrades in Windows Camouflage mode, and plugging a hole in Tor
Browser’s AppArmor sandbox that previously allowed it to access the list
of recently-used files.

For a full list of changes, see the team’s announcement. This release 
contains important security updates, so head to the download page [XXX] 
(or the automatic upgrader) as soon as possible. 


Tor Browser 4.5.3 and 5.0a3 are out

The Tor Browser team put out new releases in both the stable and alpha
series of the secure, private web browser. Tor Browser 4.5.3 [XXX]
contains updates to Firefox, OpenSSL, NoScript, and Torbutton; it also
fixes a crash triggered by .svg files when the security slider was set
to “High”, and backports a Tor patch that allows domain names containing
underscores (a practice generally discouraged) to resolve properly.
For example, users should now be able to view the website of the New
York Times without problems.

Tor Browser 5.0a3 [XXX], meanwhile, is the first release to be based on
Firefox 38 ESR. “For this release, we performed a thorough network and
feature review of Firefox 38, and fixed the most pressing privacy
issues, as well as all Tor proxy safety issues that we discovered during
the audit”, wrote Georg Koppen. Changes to the toolchain used to build
the browser mean “we are […] especially interested in feedback if there
are stability issues or broken Tor Browser bundles due to these
toolchain upgrades.

These are important security releases, and you should upgrade to the new
version in whichever series you prefer. Head to the download page [XXX]
to get your first copy of Tor Browser, or use the in-browser updater.


Tor unaffected by new OpenSSL security issue

A few days ago, the team behind the essential Internet encryption
toolkit OpenSSL announced [XXX] that a security issue classified as
“high” would shortly be disclosed and fixed, leading to concern that
another Heartbleed [XXX] was on the cards. In the event, the
now-disclosed CVE-2015-1793 vulnerability does not appear to affect
either the Tor daemon or Tor Browser, as Nick Mathewson explained [XXX].
However, you should still upgrade your OpenSSL as soon as possible, in
order to protect the other software you use which may be vulnerable.


OVH is the largest and fastest-growing AS on the Tor network

nusenu observed [XXX] that the hosting company OVH is both the largest
autonomous system [XXX] on the Tor network by number of relays, and the
fastest-growing. While it’s no bad thing to have multiple relays located
on the same network, it becomes a problem if any one entity (or someone
who watches them closely enough) is able to observe too large a fraction
of Tor traffic — they would then be in a position to harm the anonymity
of Tor users.

This is what is meant by “diversity” on the Tor network. If you’re
considering running a Tor relay, then as nusenu says, “choose non-top 10
ASes when adding relays (10 is an arbitrary number)”. See nusenu’s post
for more information on how to select a hosting location for a stronger
and more diverse Tor network.


More monthly status reports for June 2015

The wave of regular monthly reports from Tor project members for the
month of June continued, with reports from Leiah Jansen [XXX] (working
on graphic design and branding), Georg Koppen [XXX] (developing Tor
Browser), Isabela Bagueros [XXX] (overall project management), Sukhbir
Singh [XXX] (developing Tor Messenger), Arlo Breault (also working on
Tor Messenger, as well as Tor Check) [XXX], Colin Childs [XXX] (carrying
out support, localization, and outreach), and Juha Nurmi [XXX] (working
on onion service indexing).

Donncha O’Cearbhaill sent his third Tor Summer of Privacy status
report [XXX] with updates about the OnionBalance onion service
load-balancing tool, while Jesse Victors did the same [XXX]for the
DNS-like Onion Naming System, and Israel Leiva submitted a status
update [XXX] for the GetTor alternative software distributor, which is
also being expanded as part of TSoP, as explained in Israel’s
re-introduction of the project [XXX]. Cristobal Leiva also introduced
his TSoP project, a web-based status dashboard for Tor relay
operators [XXX]


Miscellaneous news

David Fifield published the regular summary of costs [XXX] incurred by
the infrastructure for the meek pluggable transport over the past month.
“The rate limiting of meek-google and meek-amazon has been partially
effective in bringing costs down. […] meek-azure bandwidth use continues
to increase, up 17% compared to the previous month. Keep in mind that
our grant expires in October, so you should not count it continuing to
work after that.”


Following Donncha O’Cearbhaill’s 0.0.1 alpha release of OnionBalance [XXX],
s7r called for help [XXX] putting it to the test on a running onion
service. One week on [XXX], there have been four million hits on the
service, with hardly a murmur of complaint from OnionBalance or the
service it is handling: “the same instances are running since service
first started, no reboot or application restart”. See s7r’s post for
more numbers.


Upcoming events

  Jul 12 19:00 UTC | Tails low hanging fruit session
                   | #tails-dev,
  Jul 13 17:00 UTC | OONI development meeting
                   | #ooni,
  Jul 13 18:00 UTC | Tor Browser meeting
                   | #tor-dev,
  Jul 14 18:00 UTC | little-t tor patch workshop
                   | #tor-dev,
  Jul 15 13:30 UTC | little-t tor development meeting
                   | #tor-dev,
  Jul 22 02:00 UTC | Pluggable transports/bridges meeting
                   | #tor-dev,

This issue of Tor Weekly News has been assembled by the Tails team and

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [XXX], write down your
name and subscribe to the team mailing list [XXX] if you want to
get involved!