Tor Weekly News — August, 7th 2013
lunar at torproject.org
Wed Aug 7 12:13:17 UTC 2013
Tor Weekly News August 7th, 2013
Welcome to the 6th issue of Tor Weekly News, the weekly newsletter that
covers what is happening in the resilient Tor community.
Large hidden services provider compromised, attacks older TBB versions
Andrew Lewman wrote: “Around midnight on August 4th we were
notified by a few people that a large number of hidden service addresses
have disappeared from the Tor network.”
It turned out that Freedom Hosting, a company specializing in hosting
websites accessible through Tor hidden services, was compromised. As
Andrew puts it, “From what is known so far, the breach was used to
exploit in the web pages delivered to users. This exploit is used to
load a malware payload to infect user’s computers.” Andrew also
reiterated that “the person, or persons, who run Freedom Hosting are in
no way affiliated or connected to The Tor Project, Inc., the
organization coordinating the development of the Tor software and
The Tor Browser is currently based on Mozilla Firefox 17 ESR. With the
help of Mozilla and other researchers it was understood that
Windows users of the Tor Browser Bundle. This vulnerability was fixed
in Firefox 17.0.7 ESR and subsequently in versions 2.3.25-10
(released June 26 2013), 2.4.15-alpha-1 (released June 26 2013),
3.0alpha2 (released June 30 2013) and 2.4.15-beta-1
(released July 8 2013).
are not affected by the exploit.
Roger Dingledine issued a security advisory with advice to mitigate
future issues: “be sure you’re running a recent enough Tor Browser
Bundle”, “be sure to keep up-to-date in the future”, “consider disabling
Tails”, “be aware that many other vectors remain for vulnerabilities in
Firefox”. It is strongly advised to read the advisory in full.
The versions of Firefox used in Pluggable Transport bundles are still
vulnerable. Replacements have been built, with credit to David Field,
but they are yet to be released.
The press is running many stories covering these events, several
containing false information. A better example is Kevin Poulsen’s
article published in Wired on August 5th. It did, however, assert that
“the malware only targets Firefox 17 ESR, the version of Firefox that
forms the basis of the Tor Browser Bundle”; in fact, most recent Tor
Browser Bundle releases, with the exception of Pluggable Transports
bundles, contained the patched version of Firefox ESR.
Monthly status reports for July 2013
The wave of regular monthly reports from Tor project members for the
month of July has begun. Philipp Winter was first this time,
followed by reports from Arlo Breault, Nick Mathewson, Noel
David Torress Taño, Colin C., Sherief Alaa, Karsten
Loesing, Damian Johnson, Mike Perry, George
Kadianakis, and Andrew Lewman.
Tails developers issued a call for testing of the first release
candidate of the upcoming 0.20. Send them your reports!
Security researcher Jason Geffner presented a new tool to route all
TCP/IP and DNS traffic through the Tor network on Windows called
“Tortilla” during Black Hat USA 2013 and subsequently on the
tor-talk mailing list. Binary and source code are
available and are awaiting reviews by the community.
Wendell announced the first release of Tor.framework, a “Cocoa
framework that allows developers to write apps for Mac OS X and iOS that
work over the Tor onion routing network”. No comments have been made
yet. Feel free to look at the source code, review and
Jerzy Łogiewa asked on tor-talk if Tor hidden services could be
made to work near the speed of the standard web. Arian Sanusi replied
that speed of light was actually the limiting factor for latency issues:
“if relays were homogeneous distributed among the globe, two random
relays will be 1/4 earth circumference apart on average. […] That’s
400ms from finite speed of light. Switches, routers and relays along the
way will add to that.”
Thanks to Michael Marz and Neo for running new mirrors of the Tor
Aug 13 | Roger at the 3rd USENIX Workshop on Free and Open
       | Communications on the Internet
       | Washington, DC, USA
Aug 14 | Roger at 22nd USENIX Security Symposium
       | Washington, DC, USA
This issue of Tor Weekly News has been assembled by dope457, malaparte,
Lunar, harmony, and Yawning.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page, write down your
name and subscribe to the team mailing-list if you want to