January 2018 - tbb-dev - lists.torproject.org

Updating TB and Orfox for Meltdown and Spectre?
by Nathan Freitas 08 Jan '18

08 Jan '18

Not sure if there is an open ticket I should be monitoring, or a meeting I missed, but just saw the Firefox update to address Meltdown and Spectre: https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/ Are Tor Browser and Orfox vulnerable these attacks? Has this been covered somewhere else? Thanks, and just figuring out if my week ahead is going to be spent on an urgent Orfox release or not! +n

3 5

Cloudflare's OPRFs
by Jeff Burdges 08 Jan '18

08 Jan '18

I wrote to the Taler list <taler(a)gnu.org> about certificate concerns with CloudFlare's OPRFs but never informed you guys. https://blog.cloudflare.com/privacy-pass-the-math/ I'll re-edit the relevant email from 10 Nov 2017 below: There are shades of a "bug door" in [CloudFlare's] no certificates arguments : - "The only thing edge to manage is a private scalar. No certificates." - The edge's public key xG is "posted publicly [similar] to a Certificate Transparency Log [and] "verifiable by all users and so the deanonymization attack above would not be possible." In other words, there is no plan for the Tor Project to control any certificate authorizing the edge's public keys, ala an auditor key in Taler. There aren't even any promises made about any particular certificate transparency scheme being employed to keep edges from employing unique keys. I think their client software could track the public keys they see themselves easily enough, but if different edge servers use different keys then this becomes mostly useless. If for example the transparency log posts 256 keys supposedly used concurrently by 256 different edge servers, but secretly all edge servers used all keys, then your edge public key adds 8 bits of identifying information, but nothing looks suspicious in the transparency log. I do think a certificate transparency scheme could address this concern, but it's not exactly what one normally means by certificate transparency. Jeff

2 1

Crowdsourcing (more) guidelines for what it means to make a web site "Tor-friendly"
by Allen Gunn 05 Jan '18

05 Jan '18

Hello friends, After checking with GeKo, I'm cross-posting this request from tor-project earlier this week. It's both FYI, and I'm also hoping that folks on this particular list might have a minute or two to contribute your tbb-specific knowledge... So for those who aren't aware, my NGO, Aspiration, advises other NGOs and activists on technology as part of our core mission. And a common piece of advice we proffer is "make sure your web site works well with Tor Browser", i.e., doesn't use Flash or overly depend on Javascript. The more I have given that advice, the more I have wondered if it was documented anywhere what it actually takes to be a "Tor-friendly" site. Big thanks to GeKo, who first confirmed for me that no such documentation seems to exist. And then for helping me to bootstrap this page: https://pad.riseup.net/p/torfriendlysite We've gotten some decent input from the tor-project responses, but I think there is likely more to be captured... I'm writing to ask folks on this list to both add any thoughts you have on the matter, and to correct or comment on anything that's already there and doesn't seem quite right. Any contributions, both to the pad or emailed to me directly, are most appreciated. This is especially true if you know of relevant documentation anywhere else that I should be looking at. Once folks have weighed in, I will figure out where to post this on the Tor wiki and elsewhere in order to make it more broadly and reliably available. And if for any reason you think this is an ill-informed endeavor, I welcome that feedback as well :^) thanks & peace, gunner -- Allen Gunn Executive Director, Aspiration +1.415.216.7252 www.aspirationtech.org Aspiration: "Better Tools for a Better World" Read our Manifesto: http://aspirationtech.org/publications/manifesto Twitter: www.twitter.com/aspirationtech

1 0