======================================================================== Tor Weekly News February 15th, 2016 ========================================================================

After a few-months-long hiatus, we're back with Tor Weekly News, the weekly newsletter that covers what's happening in the Tor community.

Contents --------

1. Tails 2.0 released 2. Tor Browser 5.5.1, 6.0a1, and 6.0a1-hardened released 3. Monthly status reports for January 2016 4. Miscellaneous news 5. Upcoming events

Tails 2.0 released ------------------

This is a major version bump (from 1.8.2) covered previously on the Tor Blog [1] and on the Tails site [2]. Here's a quick recap of the new features: it's now based on Debian 8 (from Debian 7), it uses GNOME 3 in "Classic Mode" (previously GNOME 2) [3], it's got the just-released Tor Browser 5.5, they've replaced Claws Mail with Icedove, and there's a fancy new set of installation instructions [4].

Several security issues [5] were found and fixed, so it's important for existing users to upgrade [6] as soon as possible.

(As of Feb. 15th, the latest patch version is 2.0.1.)

[1]: https://blog.torproject.org/blog/tails-20-out [2]: https://tails.boum.org/news/version_2.0/index.en.html [3]: https://tails.boum.org/doc/first_steps/introduction_to_gnome_and_the_tails_d... [4]: https://tails.boum.org/install/ [5]: https://tails.boum.org/security/Numerous_security_holes_in_1.8.2/ [6]: https://tails.boum.org/upgrade/index.en.html

Tor Browser 5.5.1, 6.0a1, and 6.0a1-hardened released -----------------------------------------------------

Most users should be following the stable series of Tor Browser, which recently changed from 5.0.x to 5.5.x. 5.5 replaced 5.0.7 on January 27th [7], and the latest patch version as of Feb 15th is 5.5.2 [8].

The biggest new feature is a set of bundled fonts that prevent an adversary from fingerprinting you based on your system fonts.

Developers and bug-tolerant users might want to try one of the alpha versions: 6.0a1 [9] or 6.0a1-hardened [10]. (In case you missed it, the Tor Browser Team started releasing the hardened series in November [11]. Firefox is compiled with AddressSanitizer (ASan) [12], and Tor is compiled with both ASan and Undefined Behaviour Sanitizer (UBSan) [13]. These insert a lot of run-time safety checks to make memory corruption bugs harder to exploit, at the cost of increased memory usage, larger binary distributions, and slower performance.)

All of these new releases are based on Firefox 38.6.0esr, which includes a few important security fixes [14] to the previous version, so users should update as soon as possible.

[7]: https://blog.torproject.org/blog/tor-browser-55-released [8]: https://blog.torproject.org/blog/tor-browser-552-released [9]: https://blog.torproject.org/blog/tor-browser-60a1-released [10]: https://blog.torproject.org/blog/tor-browser-60a1-hardened-released [11]: https://blog.torproject.org/blog/tor-browser-55a4-hardened-released [12]: https://en.wikipedia.org/wiki/AddressSanitizer [13]: http://developerblog.redhat.com/2014/10/16/gcc-undefined-behavior-sanitizer-... [14]: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#fi...

Monthly status reports for December 2015 ----------------------------------------

Tor Project members submitted their monthly reports for December. Karsten [15] worked on metrics-lib; Leiah [16] worked on the fundraising campaign graphics; the Tor Browser team [17] worked on six releases; Isabela [18] worked on organizing the Network team, on contracts, and on the fundraising campaign; Georg [19] worked on Tor Browser and wrote a blog post on the reproducible builds workshop in Athens, which he attended; Damian [20] worked on Nyx; Isis [21] gave a cryptography lecture in the Netherlands and worked on BridgeDB; George's SponsorR report [22] and his own report [23] included work on hidden services and a 32c3 talk about them; David [24] also did hidden services work and gave the same 32c3 talk; Arturo [25] reports that the OONI team worked on the Lantern tests and the new API/web-frontend for the collected reports; and Isabela's SponsorU report [26] includes work on ed25519 keys, DoS resilience, and developer documentation.

[15]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000964.html [16]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000965.html [17]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000966.html [18]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000967.html [19]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000968.html [20]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000969.html [21]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000970.html [22]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000971.html [23]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000973.html [24]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000972.html [25]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000974.html [26]: https://lists.torproject.org/pipermail/tor-reports/2016-January/000975.html

Miscellaneous news ------------------

Mike Perry added [27] a new proposal to the torspec repository [28]. "In order to properly load balance in the presence of padding and non-negligible amounts of directory and hidden service traffic, the load balancing equations in Section 3.8.3 of dir-spec.txt are in need of some modifications."

[27]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010181.html [28]: https://gitweb.torproject.org/torspec.git/tree/proposals/265-load-balancing-...

George asked [29] for code review on proposal 250's shared randomness [30] implementation [31], which will be used in the next-generation hidden services.

[29]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010182.html [30]: https://gitweb.torproject.org/torspec.git/tree/proposals/250-commit-reveal-c... [31]: https://gitweb.torproject.org/user/dgoulet/tor.git/log/?h=prop250_final_v1

There was a mailing list discussion [32] about the hidden service changes in proposal 246.

[32]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010203.html

Nick started a discussion [33] about the proposal review system. There followed a few meetings about proposals 241, 247, 250, 251 and 259, and George and Mike posted their notes to the mailing list [34][35][36][37].

[33]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010219.html [34]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010265.html [35]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010279.html [36]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010290.html [37]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010328.html

Yawning released [38] obfs4proxy-0.0.6. "There aren't many significant changes, and the internal changes primarily affect the client side initialization, so those of you that are perfectly content with obfs4proxy-0.0.5 can continue to use the existing version without issue."

[38]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010308.html

Serence, Arlo, and David released [39] Snowflake [40], a webrtc pluggable transport inspired by flashproxy.

[39]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010310.html [40]: https://gitweb.torproject.org/pluggable-transports/snowflake.git

Nathan announced [41] v15.1.0-RC-4 of Orbot and posted a roadmap [42] for 2016.

[41]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010318.html [42]: https://lists.torproject.org/pipermail/tor-dev/2016-January/010185.html

ProPublica set up a hidden service version [43] of their website, and Mike Tigas has an article [44] on their motivation and technical details.

[43]: http://www.propub3r6espa33w.onion/nerds/item/a-more-secure-and-anonymous-pro... [44]: https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica...

George announced [45] the tor-onions@lists.torproject.org mailing list [46], for technical discussion about running Tor onion (hidden) services.

[45]: https://lists.torproject.org/pipermail/tor-talk/2016-January/040060.html [46]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions

Upcoming events ---------------

Feb 17 13:30 UTC | Network Team Meeting | #tor-dev, irc.oftc.net | https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/MeetingS... | Feb 18 14:00 UTC | Metrics Team Meeting | #tor-dev, irc.oftc.net | https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam | Feb 26 - Mar 01 | Tor winter dev meeting 2016 | Valencia, Spain | https://trac.torproject.org/projects/tor/wiki/org/meetings/2016WinterDevMeet... | Mar 01 - Mar 07 | Internet Freedom Festival | Valencia, Spain | https://internetfreedomfestival.org/ |

This issue of Tor Weekly News has been assembled by jl and teor.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [47], write down your name and subscribe to the team mailing list [48] if you want to get involved!

[47]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [48]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team