Tor Weekly News — August, 28th 2013
dope457 at riseup.net
Wed Aug 28 12:04:01 UTC 2013
Tor Weekly News August 28th, 2013
Welcome to the ninth issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the determined Tor community.
Orweb Security Advisory
On August 21st, Nathan Freitas from the Guardian Project issued security
advisory regarding a possible anonymity flaw affecting Orweb :
“The Orweb browser app is vulnerable to leak the actual IP of the device
it is on, if it loads a page with HTML5 video or audio tags on them, and
those tags are set to auto-start or display a poster frame. On some
versions of Android, the video and audio player start/load events happen
without the user requesting anything, and the request to the URL for the
media src or through image poster is made outside of the proxy
settings”, wrote Nathan.
Users who use the root mode with transparent proxying, as that handles
proxying the entire traffic of the entire device or a particular app are
NOT affected by this flaw.
Unfortunately, the problem mentioned above hasn't been fixed yet, as
there is no patch developers are happy with . According to Nathan the
temporary solution is ”switch to Firefox, with the appropriate set of
add-ons.” The Guardian Project has updated its website  with a step
by step guide on how to set this up.
“Why would anyone want a deterministic build process?”
In a blog post published last week , Mike Perry explained the
motivations behind his three months long effort to make “deterministic
builds” for the 3.0 series  of the Tor Browser Bundle.
“The short answer is: to protect against targeted attacks” introduced
Mike. With automatic remote updates becoming the norm, it becomes very
interesting for a malware to “distribute copies of itself to tens or
even hundreds of millions of machines in a single, officially signed,
instantaneous update.” The attack shifts from attacking a millions of
machines to attacking the few that are involved in “software development
and build processes”.
Be sure to read Mike's post to get the full picture.
Mike concludes with how deterministic builds can mitigate the issue: “in
[Tor] case, any individual can use our anonymity network to privately
download our source code, verify it against public signed, audited, and
mirrored git repositories, and reproduce our builds exactly, without
being subject to such targeted attacks. If they notice any differences,
they can alert the public builders/signers, hopefully using a pseudonym
or our anonymous trac account.”
Even if “it is important for Tor to set an example on this point”, Mike
hopes that Linux distributions will follow in making deterministic
packaging the norm.” It looks like at least NixOS  and now Debian 
have started working on this.
Filters and the default Tor Browser search engine
Four months ago, an anonymous reporter complained that the search engine
used by default by the Tor Browser, Startpage, had a “family filter”
enabled by default . The reporter pointed out that it was pretty
funny “for a browser that people use to evade censorship and filters”.
Another anonymous contributor quickly pointed out that the filter could
be deactivated in a few clicks in Startpage preferences.
The issue got some more attention a few days ago as Nick Mathewson
mentioned hearing reports that the filter was blocking “LGBT stuff,
which is of course serious”. Nick further identified that the filter was
blocking — among several other things — search for “The Owl and the
Pussy-Cat” , “Pussy Riot” , “Dick Cheney” ,
“Cock Robin” , ”Gerald Cock” .
Censoring 19th century poetry and repressed Russian punk bands was
enough to make Nick conclude by an euphemism: “let's kill this filter
Mike Perry had some insights: “What we're seeing here is actually a
change in Google's Safesearch. It used to be on by default and quite
a bit smarter about differentiating porn from non-porn.” Mike mailed
Startpage people to explain the problem and suggests that they leave
the filter off by default.
In the case they would leave it on, both Nick and Mike agreed that a
technical workaround should be implemented to automatically deactivate
the filters when using the Tor Browser.
Sudden rise in direct Tor users
On Tuesday 27th, Roger Dingledine drew attention to the huge increase of
Tor clients running . It seems that their number has doubled since
August 19th according to the count of directly connecting users .
According to Roger this is not just a fluke in the metrics data. The
extra load on the directory authorities is clearly visible , but it
does not look that the overall network performance are affected so far .
The cause is still unknown, but there are already speculations about the
Pirate Browser  or the new "anti-piracy" law in Russia which is in
force since August, 1st . As Roger pointed out, “some good solid
facts would sure be useful.”
Help Desk Roundup
Users continue to have trouble verifying package signatures. One user
was confused when the signature was automatically saved as a “.txt” file.
Other problems included not being running the command from the correct
directory, and downloading a signature that did not correspond with the
Users sometimes write the help desk seeking clarification about
misconceptions about Tor. Examples of such misconceptions include “Is it
true that Tor is illegal in the United States?” and “Is it true that Tor
has been compromised by the NSA?”. Using Tor is not currently illegal
anywhere. For information about the recent vulnerability, users are
advised to read the recent blog post on the subject .
David Goulet announced the first release candidate  of his rewrite
of torsocks . Several bug reports have since been fixed from early
testers. Expect a new release soon.
Not all computers currently have their clock synchronized. This means
that any timestamps in the Tor protocol can unfortunately be used to
fingerprint Tor users. Nick Mathewson would like to improve the
situation and has sent proposal 222 , aiming to eliminate “passive
timestamp exposure”, for reviews.
Karsten Loesing has made further progress on “experimenting with a client
and private bridge connected over uTP” . Reduced time for client to
bootstrap over uTP from 2 minutes to 6 seconds and more.
Orbot's new version 12.0.5 brings identity switching-by-swiping along
with a few bugfixes. It can be downloaded from Google Play  or from
the Guardian Project's channels.
GSoC students sent another wave of bi-weekly reports: Kostas Jakeliunas
on Searchable Metrics Archive , Johannes Fürmann on EvilGenius ,
Hareesan on the Steganography Browser Extension , Robert on
Stream-RTT , and Cristian-Matei Toader on Tor capabilities .
The Torservers.net crowdfunding campaign for Tor exit bandwidth ended on August 26th,
yielding “3771,84 Euro to be spread equally across our current seven
organizations” anounnced Moritz Bartl .
Kostas Jakeliunas answered George's call for help to gather more
accurate bridge statistics  by writing a step by step instructions
on how to upgrade a bridge running on a Rasberry Pi to use the tor master
branch . Lunar also pointed out that — thanks to Peter Palfrader's
work on setting up continuous integration — Debian packages for the tor
master branch were also available  and ready to be used.
Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV
| Berlin, Germany
Oct 09-10 | Andrew speaking at Secure Poland 2013
| Warszawa, Poland
This issue of Tor Weekly News has been assembled by Lunar, dope457,
mttp and Karsten Loesing.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page , write down your
name and subscribe to the team mailing-list  if you want to
More information about the tor-news