Tor Weekly News — October 23th, 2013

Lunar lunar at torproject.org
Wed Oct 23 13:04:59 UTC 2013 

========================================================================
Tor Weekly News                                       October 23th, 2013
========================================================================

Welcome to the seventeenth issue of Tor Weekly News, the weekly
newsletter that covers what is happening in the guarding Tor community.

Tor’s anonymity and guards parameters
-------------------------------------

In a lengthly blog post [1], Roger Dingledine looked back on three
research papers published in the past year. Some of them have been
covered and most of the time misunderstood by the press. A good recap of
the research problems, what the findings mean and possible solutions
hopefully will help everyone understand better.

Introduced in 2005 [2], entry guards were added to recognise that “some
circuits are going to be compromised, but it’s better to increase your
probability of having no compromised circuits at the expense of also
increasing the proportion of your circuits that will be compromised if
any of them are.” Roger “originally picked ‘one or two months’ for guard
rotation” but the initial parameters called for more in-depth
research [3].

That call was heard by “the Tor research community [4], and it’s great
that Tor gets such attention. We get this attention because we put so
much effort into making it easy [5] for researchers to analyze Tor.” In
his writing Roger highlights the finding of three papers. Two of them
published at WPES 2012 and Oakland 2013, and another upcoming at
CCS 2013.

These research efforts highlighted several issues in the way Tor handles
entry guards. Roger details five complementary fixes: using fewer
guards, keeping the same guards for longer, better handling of brief
unreachability of a guard, making the network bigger, and smarter
assignment of the guard flag to relays. Some will require further
research to identify the best solution. There are also other aspects
regarding systems which don’t currently record guards such as Tails, how
pluggable transports could prevent attackers from recognising Tor users,
or enhancing measurements from the bandwidth authorities…

The whole blog post is insightful and is a must read for everyone who
wishes to better understand some of Tor’s risk mitigation strategies. It
is also full of little and big things where you could make a difference!

   [1] https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
   [2] https://blog.torproject.org/blog/top-changes-tor-2004-design-paper-part-2
   [3] https://blog.torproject.org/blog/research-problem-better-guard-rotation-parameters
   [4] http://freehaven.net/anonbib/
   [5] https://research.torproject.org/

Hidden Service research
-----------------------

George Kadianakis posted a list of items that need work in the Hidden
Service area [6]. Despite not being exhaustive, the list contains many
items that might help with upgrading the Hidden Service design, be it
around security, performance, guard issues or “petname” systems.

Help and comments are welcome!

   [6] https://lists.torproject.org/pipermail/tor-dev/2013-October/005637.html

Usability issues in existing OTR clients
----------------------------------------

The consensus after the first round of discussions and research done in
the prospect of providing a new secure instant-messaging Tor bundle [7]
is to use Mozilla Instantbird at its core. Arlo Breault sent out a draft
plan [8] on how to do so.

Instantbird currently lacks a core feature to turn it into the Tor
Messenger: support for the OTR [9] protocol for encrypted chat. Now is
thus a good time to gather usability issues in existing OTR clients.

Mike Perry kicked off the discussion [10] by pointing out several
deficiencies regarding problems with multiple clients, key management
issues, and other sub-optimal behaviour.

Ian Goldberg — original author of the pervasive OTR plugin for Pidgin —
pointed out [11] that at least one of the behaviour singled out by Mike
was “done on purpose. The thing it’s trying to prevent is that Alice and
Bob are chatting, and Bob ends OTR just before Alice hits Enter on her
message. If Alice’s client went to ‘Not private’ instead of ‘Finished’,
Alice’s message would be sent in the clear, which is undesirable.
Switching to ‘Finished’ makes Alice have to actively acknowledge that
the conversation is no longer secure.”

This tradeoff is a good example of how designing usable and secure user
interfaces can be hard. Usability, in itself, is an often overlooked
security feature. Now is a good time to contribute your ideas!

   [7] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
   [8] https://lists.torproject.org/pipermail/tor-dev/2013-October/005616.html
   [9] https://otr.cypherpunks.ca/
  [10] https://lists.torproject.org/pipermail/tor-dev/2013-October/005636.html
  [11] https://lists.torproject.org/pipermail/tor-dev/2013-October/005640.html

Tor Help Desk Roundup
---------------------

The Tor Help Desk continues to be bombarded with help requests from
users behind university proxies who cannot use ORPort bridges or the
Pluggable Transports Browser to circumvent their network’s firewall.
Although the cases are not all the same, bridges on port 443 or port 80
do not always suffice to circumvent such proxies.

Ubuntu 13.10 (Saucy Salamander) was released this week. One user
reported their Tor Browser Bundle behaving unusually after updating
their Ubuntu operating system. This issue was resolved by switching to
the Tor Browser Bundle 3. Another user asked when Tor APT repositories
would have packages for Saucy Salamander. Since then, packages for the
latest version of Ubuntu have been made available from the usual
deb.torproject.org.

Miscellaneous news
------------------

Tails has issued a call for testing [12] of its upcoming 0.21 release.
The new version contains two security fixes regarding access to the Tor
control port and persistent settings [13] among other improvements and
package updates [14]. “Test wildly!” as the Tails team wrote.

  [12] https://tails.boum.org/news/test_0.21-rc1/
  [13] https://git-tails.immerda.ch/tails/plain/wiki/src/doc/first_steps/persistence/upgrade.mdwn?h=bugfix/safer-persistence
  [14] https://git-tails.immerda.ch/tails/plain/debian/changelog?id=0.21-rc1

Andrew Lewman was invited to speak at SECURE Poland 2013 [15] and sent a
report on his trip [16] to Warsaw.

  [15] http://www.secure.edu.pl/
  [16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000364.html

Tails developers are looking for Mac and PC hardware with UEFI [17]. If
you have some spare hardware, please consider a donation!

  [17] https://tails.boum.org/news/Mac_and_PC_UEFI_hardware_needed/

Ximin Luo has been the first to create a ticket with 5 digits [18] on
Tor tracker. At the current rate, ticket #20000 should happen by the end
of 2015… Or will the project’s continued growth make this happen sooner?

  [18] https://bugs.torproject.org/10000

Roger Dingledine reported [19] on his activities for September and
October.  Arturo Filastò also reported [20] on his September.

  [19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000365.html
  [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000366.html

Runa Sandvik continues her work on the new, more comprehensible Tor User
Manual [21]. The first draft is already out [22]. Please review and
contribute.

  [21] https://lists.torproject.org/pipermail/tor-dev/2013-October/005649.html
  [22] https://bugs.torproject.org/5811

Aaron published a branch with his work on a Tor exit scanner based on
OONI [23].

  [23] https://github.com/TheTorProject/ooni-probe/tree/feature/tor_test_template

Upcoming events
---------------

Oct 25    | Matt @ EPIC and Public Citizen’s CryptoParty
          | Washington, DC, USA
          | https://epic.org/events/cryptoparty/
          |
Nov 04    | Workshop on Privacy in the Electronic Society
          | Berlin, Germany
          | http://wpes2013.di.unimi.it/
          |
Nov 04-05 | 20th ACM Conference on Computer and Communications Security
          | Berlin, Germany
          | http://www.sigsac.org/ccs/CCS2013/


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
dope457, George Kadianakis, Philipp Winter and velope.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [24], write down your name
and subscribe to the team mailing list [25] if you want to get involved!

  [24] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [25] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-news/attachments/20131023/e5c68b98/attachment.sig>

More information about the tor-news mailing list