Tor Weekly News — August, 28th 2013

dope457 dope457 at
Wed Aug 28 12:04:01 UTC 2013

Tor Weekly News                                        August 28th, 2013

Welcome to the ninth issue of Tor Weekly News, the weekly newsletter 
that covers what is happening in the determined Tor community.

Orweb Security Advisory

On August 21st, Nathan Freitas from the Guardian Project issued security 
advisory regarding a possible anonymity flaw affecting Orweb [1]:

“The Orweb browser app is vulnerable to leak the actual IP of the device 
it is on, if it loads a page with HTML5 video or audio tags on them, and 
those tags are set to auto-start or display a poster frame. On some 
versions of Android, the video and audio player start/load events happen 
without the user requesting anything, and the request to the URL for the 
media src or through image poster is made outside of the proxy 
settings”, wrote Nathan.

Users who use the root mode with transparent proxying, as that handles 
proxying the entire traffic of the entire device or a particular app are 
NOT affected by this flaw.

Unfortunately, the problem mentioned above hasn't been fixed yet, as
there is no patch developers are happy with [2]. According to Nathan the 
temporary solution is ”switch to Firefox, with the appropriate set of 
add-ons.” The Guardian Project has updated its website [3] with a step 
by step guide on how to set this up.


“Why would anyone want a deterministic build process?”

In a blog post published last week [4], Mike Perry explained the 
motivations behind his three months long effort to make “deterministic 
builds” for the 3.0 series [5] of the Tor Browser Bundle.

“The short answer is: to protect against targeted attacks” introduced 
Mike. With automatic remote updates becoming the norm, it becomes very 
interesting for a malware to “distribute copies of itself to tens or 
even hundreds of millions of machines in a single, officially signed, 
instantaneous update.” The attack shifts from attacking a millions of 
machines to attacking the few that are involved in “software development 
and build processes”.

Be sure to read Mike's post to get the full picture.

Mike concludes with how deterministic builds can mitigate the issue: “in 
[Tor] case, any individual can use our anonymity network to privately 
download our source code, verify it against public signed, audited, and 
mirrored git repositories, and reproduce our builds exactly, without 
being subject to such targeted attacks. If they notice any differences, 
they can alert the public builders/signers, hopefully using a pseudonym 
or our anonymous trac account.”

Even if “it is important for Tor to set an example on this point”, Mike
hopes that Linux distributions will follow in making deterministic 
packaging the norm.” It looks like at least NixOS [6] and now Debian [7] 
have started working on this.


Filters and the default Tor Browser search engine

Four months ago, an anonymous reporter complained that the search engine
used by default by the Tor Browser, Startpage, had a “family filter” 
enabled by default [8]. The reporter pointed out that it was pretty 
funny “for a browser that people use to evade censorship and filters”. 
Another anonymous contributor quickly pointed out that the filter could 
be deactivated in a few clicks in Startpage preferences.

The issue got some more attention a few days ago as Nick Mathewson
mentioned hearing reports that the filter was blocking “LGBT stuff, 
which is of course serious”. Nick further identified that the filter was 
blocking — among several other things — search for “The Owl and the 
Pussy-Cat” [9], “Pussy Riot” [10], “Dick Cheney” [11],
“Cock Robin” [12], ”Gerald Cock” [13].

Censoring 19th century poetry and repressed Russian punk bands was 
enough to make Nick conclude by an euphemism: “let's kill this filter 

Mike Perry had some insights: “What we're seeing here is actually a
change in Google's Safesearch. It used to be on by default and quite
a bit smarter about differentiating porn from non-porn.” Mike mailed
Startpage people to explain the problem and suggests that they leave 
the filter off by default.

In the case they would leave it on, both Nick and Mike agreed that a
technical workaround should be implemented to automatically deactivate
the filters when using the Tor Browser.


Sudden rise in direct Tor users

On Tuesday 27th, Roger Dingledine drew attention to the huge increase of
Tor clients running [14]. It seems that their number has doubled since
August 19th according to the count of directly connecting users [15]. 

According to Roger this is not just a fluke in the metrics data. The 
extra load on the directory authorities is clearly visible [16], but it 
does not look that the overall network performance are affected so far [17].

The cause is still unknown, but there are already speculations about the 
Pirate Browser [18] or the new "anti-piracy" law in Russia which is in 
force since August, 1st [19]. As Roger pointed out, “some good solid 
facts would sure be useful.”


Help Desk Roundup

Users continue to have trouble verifying package signatures. One user 
was confused when the signature was automatically saved as a “.txt” file. 
Other problems included not being running the command from the correct 
directory, and downloading a signature that did not correspond with the 
downloaded file. 

Users sometimes write the help desk seeking clarification about 
misconceptions about Tor. Examples of such misconceptions include “Is it 
true that Tor is illegal in the United States?” and “Is it true that Tor 
has been compromised by the NSA?”. Using Tor is not currently illegal 
anywhere. For information about the recent vulnerability, users are 
advised to read the recent blog post on the subject [20].


Miscellaneous news

David Goulet announced the first release candidate [21] of his rewrite 
of torsocks [22]. Several bug reports have since been fixed from early 
testers. Expect a new release soon.


Not all computers currently have their clock synchronized. This means 
that any timestamps in the Tor protocol can unfortunately be used to 
fingerprint Tor users. Nick Mathewson would like to improve the 
situation and has sent proposal 222 [23], aiming to eliminate “passive 
timestamp exposure”, for reviews.


Karsten Loesing has made further progress on “experimenting with a client 
and private bridge connected over uTP” [24]. Reduced time for client to 
bootstrap over uTP from 2 minutes to 6 seconds and more.


Orbot's new version 12.0.5 brings identity switching-by-swiping along 
with a few bugfixes. It can be downloaded from Google Play [25] or from
the Guardian Project's channels.


GSoC students sent another wave of bi-weekly reports: Kostas Jakeliunas 
on Searchable Metrics Archive [26], Johannes Fürmann on EvilGenius [27], 
Hareesan on the Steganography Browser Extension [28], Robert on 
Stream-RTT [29], and Cristian-Matei Toader on Tor capabilities [30].


The crowdfunding campaign for Tor exit bandwidth ended on August 26th,
yielding “3771,84 Euro to be spread equally across our current seven
organizations” anounnced Moritz Bartl [31].


Kostas Jakeliunas answered George's call for help to gather more 
accurate bridge statistics [32] by writing a step by step instructions
on how to upgrade a bridge running on a Rasberry Pi to use the tor master 
branch [33]. Lunar also pointed out that — thanks to Peter Palfrader's 
work on setting up continuous integration — Debian packages for the tor 
master branch were also available [34] and ready to be used.


Upcoming events

Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV
          | Berlin, Germany
Oct 09-10 | Andrew speaking at Secure Poland 2013
          | Warszawa, Poland

This issue of Tor Weekly News has been assembled by Lunar, dope457, 
mttp and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [35], write down your
name and subscribe to the team mailing-list [36] if you want to
get involved!


More information about the tor-news mailing list