Tor Weekly News — August, 14th 2013

Lunar lunar at
Wed Aug 14 06:46:07 UTC 2013

Tor Weekly News                                        August 14th, 2013

Welcome to the seventh issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the fast-paced Tor community.

New Tor Browser Bundle releases

Mozilla released Firefox version 17.0.8esr [1] on August 6th, fixing
several release critical bugs. Three days later, the stable, beta and
alpha versions of the Tor Browser Bundle were updated, along with Tails
(see below).

The stable 2.3.25-11 and 2.4.15-beta-2 also updates HTTPS Everywhere,
PDF.js, NoScript and libpng to their latest version. Both bundles had a
localization issue which was fixed in the subsequently released
2.3.25-12 and 2.4.16-beta-1 [2].

Before updating your browser to the latest version, please pause and
admire the enhanced download page [3]. Kudos to J.M. Todaro for the
design and patches [4] and Andrew for the final integration.

The pluggable transports bundles have also been updated to
2.4.15-beta-2-pt1 [5]. Like previously, they contains flash proxy and
obfsproxy configured to run by default. Using flash proxy requires a few
extra steps [6], as before.

For more experimental matters, the new 3.0 series has seen the release
of alpha3 [7]. On top of the previous updates, several other small
improvements were made: in the new launcher and build system, in
fingerprinting fixes and in a possible anonymity threat for Windows
users coming from cloud anti-virus solutions [8]. This is another
opportunity to play with the new build system that should produce
byte-to-byte identical results. Please have a try [9] and report any
discrepancies with Mike Perry’s builds.


Tails 0.20 has been released

The 32nd release of Tails is out [10]. It fixes several security issues,
and all users are advised to upgrade [11].

Among other small bugfixes, minor improvements and translation updates,
this release tightens the security around Pidgin — by removing support
for protocols other than IRC and XMPP — and restricting access to the
ptrace(2) system call for unprivileged users.

Download [12], burn, and upgrade [13]!


New release candidate for the 0.2.4 tor branch

Roger Dingledine announced the release of tor [14], the
latest incarnation of the 0.2.4 series. This release include several
major and minor bugfixes.

The most important one is probably a crash that can be triggered
remotely via badly formatted INTRODUCE1 cells. Roger advises: “Anybody
running a hidden service on the experimental 0.2.4.x branch should

Erinn Clark has updated the beta version of the Tor Browser Bundle [2]
for a wider audience of testers.


About Tor Browser usability

Last week events [15] sparked a good amount of discussions on Tor
Browser usability.  Several discussions on tor-talk and in other places
revolved around the idea that “JavaScript should be disabled by
default”. scarp wrote a good summary [16] on why it is not so simple: “I
understand that JavaScript was enabled globally in the Tor Browser
Bundle for usability reasons as well as to prevent browser
fingerprinting. […] If the torproject were to disable it by default,
that would not ensure that users are protected in the future by similar
methods. Sites can be written in a way that if you do not allow
JavaScript they simply won’t work at all. If I was writing an exploit
I’d do this to frustrate users so hopefully they enable JavaScript and
accept my exploit.“ Roger Dingledine also improved [17] the relevant
question in Tor FAQ [18].

One possible solution to satisfy contradicting requirements would be to
add a “security slider” [19] that would allow users to easily trade off
web compatibility over security. The slider would have three or four
different positions that would gradually deactivate more and more
features of the browser. One has to understand that the “most secure”
should probably disable loading of any pictures. This also impacts the
Tor Browser anonymity set but this is probably a trade off that can be
afforded given the actual size of the Tor Browser user base.

scarp had also pined another big usability problem related to updating:
“This exploit wasn’t new. […] Users running the latest Tor Browser
Bundle didn’t have any issues as their browsers had been patched. It is
inappropriate for a web browser to not be automatically updated.” Nick
Mathewson went back [20] on the latest plan that was discussed during
the last summer dev. meeting [21] to simply build upon Firefox update
mechanism. The next step is to do a proper review. Hopefully, given it
is “mature and widespread” and has been “proven to update Firefox”, we
will not “run screaming for the hills” when looking at the

On a more general level, an unexpected comment came from Brendan Eich
(Mozilla’s chief technology officer) on Twitter [22]: “Maybe we should
just adopt, support, and bundle Tor in Firefox...”  David Dahl
subsequently opened a bug report in Mozilla’s tracker to discuss a way
forward [23]. Mike Perry commented on a thread [24] on the
liberationtech mailing list: “In short, I am excited by this news, and I
look forward to improving our communication and cooperation with Mozilla
on this front.”


Tails 2013 summit

The Tails team has sent a report on their 2013 development summit [25]
for which “a bunch of people spend a dozen days together in July”.

Read the report in full for all the details. Some highlights: task
tracking have been moved to Redmine [26], tasks fit for new contributors
has been better identified [27], progress has been made to move Tails to
the current Debian stable release [28], the roadmap has been
updated [29].

Communication channels are going to change a little bit “to ease
involvement of new contributors, to make more workload sharing possible,
and to be able to provide better user support”. As a start a new user
support mailing list was created [30]. Subscribe if you have questions
or want to help fellow Tails users.

A lot of discussions revolved around “the growth of the project: given
the growing number of users and our super-short release cycle, it is a
challenge to keep the project sustainable and maintainable in the
mid/long term.” Give the current project exposure, the report rightfully
concludes: “Tails is living decisive times, so we expect the next year
to be pretty interesting. You can perhaps make the difference, so do not
hesitate joining the dance [31]!”.


Three new proposals

On Monday, Nick Mathewson robbed everyone of his “I’m a little teapot”
performance [32] by releasing the following three new proposals:

Proposal 219 [33] has been written a year ago by Ondrej Mikle. It is
currently at draft stage. Its goal is to make Tor support any DNS query
type and also support full DNSSEC resolution. The latter is important as
it provides “protection against DNS cache-poisoning attacks” but is made
tricky given a routine hostname resolution with DNSSEC “can require
dozens of round trips across a circuit”.

In another draft proposal [34], Nick Mathewson describes a plan for a
smooth transition from the current 1024-bit RSA keys used for router
identity and TLS links to Ed25519-SHA-512 [35] keys. Several small
details still have to be ironed out.  This proposal does not address
hidden service keys. They will have to be addressed in another proposal
once an agreement has been reached regarding the best crypto
scheme [36].

Now that the ntor onionskin handshake [37] has been implemented in
0.2.4, we could get better forward secrecy by having clients top sending
CREATE_FAST cells. Nick Mathewson has issued proposal 221 [38] to detail
the reasons and the implications of such change.

All these proposals are now up for discussions on the tor-dev mailing


Miscellaneous news

Jens Kubieziel researched how to get a GnuPG version for Windows in a
secure way [39], something needed for users that would like to properly
verify the Tor Browser Bundle signatures on Windows systems.


George Kadianakis wrote on “how to deploy your very own pluggable
transport” [40] explaining what to do before, while and after coding a
new pluggable transport. Given they were designed to be “pluggable”, “it
should be easy to write new [ones]”. So be sure to read these advices
and start experimenting!


A new round of GSoC reports arrived to the tor-dev mailing list:
Johannes Fürmann about EvilGenius [41], Cristian-Matei Toader about Tor
capabilities [42], Hareesan about the Steganography Browser
Extension [43], and Kostas Jakeliunas about the searchable metrics
archive [44]. All of them seems to be making good progress. Let’s wish
them success for the last six weeks!


More reports came from the July 2013 wave: the Tor Help Desk by Runa
Sandvik [45], and Moritz Bartl [46].


Andrew Lewman gave a talk during the US National Network to End Domestic
Violence’s (NNEDV) annual technology summit. His presentation [47]
covered “a quick overview of Tor, why I’m here talking about domestic
violence and intimate partner abuse, and what we’re doing to help.”. Be
sure to read his report [48] in full.


Thanks to Paul Templeton from CoffsWiFi [49], and nsane [50] for running
new Tor website mirrors.


Several people are trying to assemble localization teams for Tails:
Miriam Matar for Arabic [51], irregulator for Greek [52], hemlockii for
Turkish [53]. Tails policy regarding website translations [54] specifies
that “a team of translators, not just one person, is necessary”, so
please join if you can help!


Help Desk Roundup

Below is a summary of some frequent questions received at the Tor help
desk this past week:

Users are frequently confused by the message they receive from GetTor.
Currently the Tor Browser Bundle is too large to send over GetTor, so
users instead receive three mirrors with a link to a page with all
available translations of the Tor Browser Bundle. Many users email the
help desk unsure of what this page means or which package they need.

A number of users asked whether or not they needed to disable JavaScript
in the Tor Browser Bundle. While the vulnerability in Firefox does not
affect the latest Tor Browser Bundle, disabling JavaScript globally will
reduce one’s risk of being affected by future JavaScript exploits. Users
were asked to choose for themselves between greater protection inside
the browser or a browsing experience with more functionality enabled.

Upcoming event

Aug 14    | Roger at 22nd USENIX Security Symposium
          | Washington, DC, USA

This issue of Tor Weekly News has been assembled by Lunar, malaparte,
mttp, Phoul, Tails developers, David Fifield, Nick Mathewson, and
Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [55], write down your
name and subscribe to the team mailing list [56] if you want to
get involved!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <>

More information about the tor-news mailing list