Not sure if there is an open ticket I should be monitoring, or a meeting
I missed, but just saw the Firefox update to address Meltdown and Spectre:
https://www.mozilla.org/en-US/firefox/57.0.4/releasenotes/
Are Tor Browser and Orfox vulnerable to these attacks? Has this been
covered somewhere else?
Thanks, and just figuring out if my week ahead is going to be spent on
an urgent Orfox release or not!
+n
I wrote to the Taler list <taler(a)gnu.org> about certificate concerns
with CloudFlare's OPRFs but never informed you guys.
https://blog.cloudflare.com/privacy-pass-the-math/
I'll re-edit the relevant email from 10 Nov 2017 below:
There are shades of a "bug door" in [CloudFlare's] no certificates
arguments:
- "The only thing edge to manage is a private scalar. No certificates."
- The edge's public key xG is "posted publicly [similar] to a
Certificate Transparency Log" [and] "verifiable by all users and so the
deanonymization attack above would not be possible."
In other words, there is no plan for the Tor Project to control any
certificate authorizing the edge's public keys, à la an auditor key in
Taler. There aren't even any promises made about any particular
certificate transparency scheme being employed to keep edges from
employing unique keys.
I think their client software could track the public keys they see
themselves easily enough, but if different edge servers use different
keys then this becomes mostly useless. If for example the transparency
log posts 256 keys supposedly used concurrently by 256 different edge
servers, but secretly all edge servers used all keys, then your edge
public key adds 8 bits of identifying information, but nothing looks
suspicious in the transparency log.
I do think a certificate transparency scheme could address this concern,
but it's not exactly what one normally means by certificate
transparency.
Jeff
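
The 256-key scenario in the message above, as an added example that is not part of the original e-mail or of Privacy Pass: a log-inclusion check alone passes both cases, while pooling (edge, key) observations from many clients exposes an edge that serves more than one logged key. The function names, the observation format and the sample data are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

def identifying_bits(published_keys):
    """Upper bound on bits leaked by which published key issued a token."""
    n = len(set(published_keys))
    return math.log2(n) if n else 0.0

def audit(published_keys, observations):
    """observations: (edge_id, public_key) pairs pooled from many clients."""
    log = set(published_keys)
    keys_by_edge = defaultdict(set)
    for edge, key in observations:
        keys_by_edge[edge].add(key)
    seen = set().union(*keys_by_edge.values())
    return {
        # Keys presented by an edge but absent from the public log.
        "unlogged_keys": sorted(seen - log),
        # Edges seen with more than one key: the case the log cannot show.
        "multi_key_edges": sorted(e for e, ks in keys_by_edge.items() if len(ks) > 1),
        # Leak if any logged key may be used by any edge.
        "bits_if_any_key_anywhere": identifying_bits(log),
    }

# Constructed sample data: 256 logged keys, one per edge.
LOG = [f"key-{i:03d}" for i in range(256)]
HONEST = [(f"edge-{i:03d}", LOG[i]) for i in range(256)]
# Scenario from the e-mail: an edge quietly serves several logged keys.
COVERT = HONEST + [("edge-000", k) for k in LOG[:4]]

if __name__ == "__main__":
    for name, obs in (("honest", HONEST), ("covert", COVERT)):
        print(name, audit(LOG, obs))
```

Both runs report no unlogged keys, so only the per-edge comparison distinguishes them, and it works only if clients share what they observed.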
Hello friends,
After checking with GeKo, I'm cross-posting this request from
tor-project earlier this week. It's both FYI, and I'm also hoping that
folks on this particular list might have a minute or two to contribute
your tbb-specific knowledge...
So for those who aren't aware, my NGO, Aspiration, advises other NGOs
and activists on technology as part of our core mission.
And a common piece of advice we proffer is "make sure your web site
works well with Tor Browser", i.e., doesn't use Flash or overly depend
on JavaScript.
The more I have given that advice, the more I have wondered if it was
documented anywhere what it actually takes to be a "Tor-friendly" site.
Big thanks to GeKo, who first confirmed for me that no such
documentation seems to exist. And then for helping me to bootstrap this
page:
https://pad.riseup.net/p/torfriendlysite
We've gotten some decent input from the tor-project responses, but I
think there is likely more to be captured...
I'm writing to ask folks on this list to both add any thoughts you have
on the matter, and to correct or comment on anything that's already
there and doesn't seem quite right.
Any contributions, both to the pad or emailed to me directly, are most
appreciated.
This is especially true if you know of relevant documentation anywhere
else that I should be looking at.
Once folks have weighed in, I will figure out where to post this on the
Tor wiki and elsewhere in order to make it more broadly and reliably
available.
And if for any reason you think this is an ill-informed endeavor, I
welcome that feedback as well :^)
thanks & peace,
gunner
--
Allen Gunn
Executive Director, Aspiration
+1.415.216.7252
www.aspirationtech.org
Aspiration: "Better Tools for a Better World"
Read our Manifesto: http://aspirationtech.org/publications/manifesto
Twitter: www.twitter.com/aspirationtech