========================================================================
Tor Weekly News                                      February 15th, 2016
========================================================================

After a few-months-long hiatus, we're back with Tor Weekly News, the
weekly newsletter that covers what's happening in the Tor community.

Contents
--------

 1. Tails 2.0 released
 2. Tor Browser 5.5.1, 6.0a1, and 6.0a1-hardened released
 3. Monthly status reports for December 2015
 4. Miscellaneous news
 5. Upcoming events

Tails 2.0 released
------------------

This is a major version bump (from 1.8.2) covered previously on the Tor
Blog [1] and on the Tails site [2]. Here's a quick recap of the new
features: it's now based on Debian 8 (from Debian 7), it uses GNOME 3 in
"Classic Mode" (previously GNOME 2) [3], it's got the just-released
Tor Browser 5.5, they've replaced Claws Mail with Icedove, and there's a
fancy new set of installation instructions [4].

Several security issues [5] were found and fixed, so it's important
for existing users to upgrade [6] as soon as possible.

(As of Feb. 15th, the latest patch version is 2.0.1.)

 [1]: https://blog.torproject.org/blog/tails-20-out
 [2]: https://tails.boum.org/news/version_2.0/index.en.html
 [3]: https://tails.boum.org/doc/first_steps/introduction_to_gnome_and_the_tails_desktop/index.en.html
 [4]: https://tails.boum.org/install/
 [5]: https://tails.boum.org/security/Numerous_security_holes_in_1.8.2/
 [6]: https://tails.boum.org/upgrade/index.en.html

Tor Browser 5.5.1, 6.0a1, and 6.0a1-hardened released
-----------------------------------------------------

Most users should be following the stable series of Tor Browser, which
recently changed from 5.0.x to 5.5.x. 5.5 replaced 5.0.7 on January
27th [7], and the latest patch version as of Feb 15th is 5.5.2 [8].

The biggest new feature is a set of bundled fonts that prevent an
adversary from fingerprinting you based on your system fonts.

Developers and bug-tolerant users might want to try one of the alpha
versions: 6.0a1 [9] or 6.0a1-hardened [10]. (In case you missed it,
the Tor Browser Team started releasing the hardened series in November
[11].  Firefox is compiled with AddressSanitizer (ASan) [12], and Tor
is compiled with both ASan and Undefined Behaviour Sanitizer (UBSan)
[13].  These insert a lot of run-time safety checks to make memory
corruption bugs harder to exploit, at the cost of increased memory
usage, larger binary distributions, and slower performance.)

All of these new releases are based on Firefox 38.6.0esr, which includes
a few important security fixes [14] to the previous version, so users
should update as soon as possible.

  [7]: https://blog.torproject.org/blog/tor-browser-55-released
  [8]: https://blog.torproject.org/blog/tor-browser-552-released
  [9]: https://blog.torproject.org/blog/tor-browser-60a1-released
 [10]: https://blog.torproject.org/blog/tor-browser-60a1-hardened-released
 [11]: https://blog.torproject.org/blog/tor-browser-55a4-hardened-released
 [12]: https://en.wikipedia.org/wiki/AddressSanitizer
 [13]: http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan/
 [14]: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr38.6

Monthly status reports for December 2015
----------------------------------------

Tor Project members submitted their monthly reports for December.
Karsten [15] worked on metrics-lib; Leiah [16] worked on the fundraising
campaign graphics; the Tor Browser team [17] worked on six releases;
Isabela [18] worked on organizing the Network team, on contracts, and on
the fundraising campaign; Georg [19] worked on Tor Browser and wrote a
blog post on the reproducible builds workshop in Athens, which he
attended; Damian [20] worked on Nyx; Isis [21] gave a cryptography
lecture in the Netherlands and worked on BridgeDB; George's SponsorR
report [22] and his own report [23] included work on hidden services and
a 32c3 talk about them; David [24] also did hidden services work and
gave the same 32c3 talk; Arturo [25] reports that the OONI team worked
on the Lantern tests and the new API/web-frontend for the collected
reports; and Isabela's SponsorU report [26] includes work on ed25519
keys, DoS resilience, and developer documentation.

 [15]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000964.html
 [16]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000965.html
 [17]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000966.html
 [18]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000967.html
 [19]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000968.html
 [20]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000969.html
 [21]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000970.html
 [22]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000971.html
 [23]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000973.html
 [24]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000972.html
 [25]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000974.html
 [26]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000975.html

Miscellaneous news
------------------

Mike Perry added [27] a new proposal to the torspec repository [28].
"In order to properly load balance in the presence of padding and
non-negligible amounts of directory and hidden service traffic, the load
balancing equations in Section 3.8.3 of dir-spec.txt are in need of some
modifications."

 [27]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010181.html
 [28]: https://gitweb.torproject.org/torspec.git/tree/proposals/265-load-balancing-with-overhead.txt

George asked [29] for code review on proposal 250's shared randomness
[30] implementation [31], which will be used in the next-generation
hidden services.

 [29]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010182.html
 [30]: https://gitweb.torproject.org/torspec.git/tree/proposals/250-commit-reveal-consensus.txt
 [31]: https://gitweb.torproject.org/user/dgoulet/tor.git/log/?h=prop250_final_v1

There was a mailing list discussion [32] about the hidden service
changes in proposal 246.

 [32]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010203.html

Nick started a discussion [33] about the proposal review system.  There
followed a few meetings about proposals 241, 247, 250, 251 and 259, and
George and Mike posted their notes to the mailing list
[34][35][36][37].

 [33]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010219.html
 [34]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010265.html
 [35]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010279.html
 [36]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010290.html
 [37]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010328.html

Yawning released [38] obfs4proxy-0.0.6. "There aren't many significant
changes, and the internal changes primarily affect the client side
initialization, so those of you that are perfectly content with
obfs4proxy-0.0.5 can continue to use the existing version without
issue."

 [38]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010308.html

Serene, Arlo, and David released [39] Snowflake [40], a WebRTC
pluggable transport inspired by flashproxy.

 [39]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010310.html
 [40]: https://gitweb.torproject.org/pluggable-transports/snowflake.git

Nathan announced [41] v15.1.0-RC-4 of Orbot and posted a roadmap [42]
for 2016.

 [41]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010318.html
 [42]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010185.html

ProPublica set up a hidden service version [43] of their website, and
Mike Tigas has an article [44] on their motivation and technical
details.

 [43]: http://www.propub3r6espa33w.onion/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services
 [44]: https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services

George announced [45] the tor-onions@lists.torproject.org mailing list
[46], for technical discussion about running Tor onion (hidden)
services.

 [45]: https://lists.torproject.org/pipermail/tor-talk/2016-January/040060.html
 [46]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions

Upcoming events
---------------

  Feb 17 13:30 UTC | Network Team Meeting
                   | #tor-dev, irc.oftc.net
                   | https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/MeetingSchedule
                   |
  Feb 18 14:00 UTC | Metrics Team Meeting
                   | #tor-dev, irc.oftc.net
                   | https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam
                   |
  Feb 26 - Mar 01  | Tor winter dev meeting 2016
                   | Valencia, Spain
                   | https://trac.torproject.org/projects/tor/wiki/org/meetings/2016WinterDevMeeting
                   |
  Mar 01 - Mar 07  | Internet Freedom Festival
                   | Valencia, Spain
                   | https://internetfreedomfestival.org/
                   |

This issue of Tor Weekly News has been assembled by jl and teor.

Want to continue reading TWN? Please help us create this newsletter. We
still need more volunteers to watch the Tor community and report
important news. Please see the project page [47], write down your name
and subscribe to the team mailing list [48] if you want to get
involved!

  [47]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [48]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

Last modified on Feb 16, 2016, 3:06:43 PM