Tor Weekly News — April 2nd, 2014

Lunar
Wed Apr 2 12:32:45 UTC 2014

Tor Weekly News                                          April 2nd, 2014

Welcome to the thirteenth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Project website redesign takes two steps forward

Andrew Lewman put out two calls for help with the ongoing Tor Project
website redesign: one for the sponsor page [1], and another for the
download area [2]. Both were immediately met with proposals and design
suggestions from the www-team mailing list: Olssy produced two
mock-ups [3] of the sponsorship page as possible models for further
work, while William Papper and Lance Tuller have been working on a
repository [4] for the download page, with comments from other list
members on topics such as the use of Javascript and possible layout

If you’d like to give the website redesign further momentum, please see
the dedicated project page on the wiki [5] for open tickets and advice
on how to contribute, then come to the www-team mailing list [6] and
join in!


QR codes for bridge addresses

Since most pocket computers (sometimes called “phones”) and laptops
began incorporating cameras, QR codes [7] have become a ubiquitous way
to enter short sequences of data into our devices. URLs are the
canonical example, but the process also works for Bitcoin addresses or
OpenPGP fingerprints [8].

Bridges are the standard tool for circumventing filters that prevent
access to the Tor network. Users currently enter bridge addresses in Tor
by copy/pasting from the BridgeDB web page [9] or auto-responder email.
But manually giving IP addresses and fingerprints to Orbot on
keyboard-less devices is an error-prone process.

QR codes might be a solution to this problem. They could also enable
peer-to-peer exchange among friends, or circumvention strategies
involving IPv6 addresses and paper. According to Isis Lovecruft, adding
QR codes to the BridgeDB web interface would be easy [10]. Would any
reader feel like hacking Orbot [11] or the Tor Launcher [12] Firefox
extension (see relevant documentation [13] and API [14])?


Client identification in hidden service applications

Applications behind hidden services currently cannot easily
differentiate between client connections. Tor will make a different
local TCP connection for each connection it receives, but the software
is unable to tell if they are coming from the same circuit. Harry
SeventyOne felt [15] the latter would be useful to enable applications
for diagnostic log analysis, identifying traffic trends, rate-limiting
or temporarily blocking operations coming from the same client.

Harry sent a very rough patch to the Tor development mailing list which
enables circuit distinction by using a different source IP address from
the IPv4 localhost pool ( for each circuit. Nick Mathewson
liked the idea [16] and gave several comments about the preliminary
patch. Hopefully this work will make the life of hidden service
operators easier in the future.
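
How an application behind a hidden service could use such per-circuit source addresses for rate-limiting and temporary blocking, as an added example (not code from Harry's patch or from Tor). It assumes a patched Tor that connects from a distinct address in the IPv4 loopback block for each circuit; the class name, thresholds and connection events are hypothetical and constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")   # the IPv4 localhost pool
SHARED = ipaddress.ip_address("127.0.0.1")       # source address without per-circuit distinction

class CircuitLimiter:
    """Sliding-window limiter keyed on the loopback source address of a connection."""

    def __init__(self, max_conns=3, window=10.0, block_for=30.0):
        self.max_conns, self.window, self.block_for = max_conns, window, block_for
        self.seen = defaultdict(deque)   # circuit address -> recent connection times
        self.blocked_until = {}          # circuit address -> time the block expires

    def check(self, peer_ip, now):
        """Return 'accept', 'reject' or 'unkeyed' for one inbound connection."""
        addr = ipaddress.ip_address(peer_ip)
        if addr not in LOOPBACK:
            return "reject"      # assumption: the backend only ever serves the local Tor
        if addr == SHARED:
            return "unkeyed"     # all clients share this address: never throttle them as one
        if self.blocked_until.get(addr, 0.0) > now:
            return "reject"      # temporary block still in force
        times = self.seen[addr]
        while times and now - times[0] >= self.window:
            times.popleft()      # forget connections older than the window
        times.append(now)
        if len(times) > self.max_conns:
            self.blocked_until[addr] = now + self.block_for
            times.clear()
            return "reject"
        return "accept"

# Constructed sample: (seconds since start, peer address seen by the application).
EVENTS = [(0.0, "127.0.0.1"), (0.5, "127.0.1.7"), (1.0, "127.0.1.7"),
          (1.5, "127.0.2.9"), (2.0, "127.0.1.7"), (2.5, "127.0.1.7"),
          (3.0, "127.0.1.7"), (3.5, "127.0.2.9"), (40.0, "127.0.1.7"),
          (41.0, "192.0.2.10")]

def replay(events):
    """Run the events through a fresh limiter and return (address, verdict) pairs."""
    limiter = CircuitLimiter()
    return [(ip, limiter.check(ip, t)) for t, ip in events]

if __name__ == "__main__":
    for ip, verdict in replay(EVENTS):
        print(f"{ip:12} {verdict}")
```

The key identifies a circuit, not a person: a client that builds a new circuit arrives from a new address, so this limits bursts per circuit rather than per user.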


Monthly status reports for March 2014

The wave of regular monthly reports from Tor project members for the
month of March has begun. Georg Koppen released his report first [17],
followed by reports from Pearl Crescent [18], Damian Johnson [19],
Sherief Alaa [20], Nick Mathewson [21], Matt Pagan [22], Lunar [23], and
Karsten Loesing [24].

Lunar also reported help desk statistics [25].


Miscellaneous news

An extensive guide to hacking on Tor Browser was posted [26] to the Tor
Project’s wiki by Mike Perry. Among other things, it covers the
browser’s build instructions, design principles and testing procedures,
as well as a summary of how browser team members organize and
communicate. If you’d like to get involved in Tor Browser development,
please take a look!


Nicholas Hopper followed up [27,28] on George Kadianakis’ research on
switching to a single guard. He used Aaron Johnson’s TorPS simulator to
find out the “typical” bandwidth for a client. The conclusions match
George’s: a single guard and a bandwidth cutoff of 2 Mbit/s would
improve over the current situation. George subsequently sent an initial
draft proposal [29] to start the formal process.


BridgeDB version 1.6 was deployed on March 26th [30]. Thanks to Isis
Lovecruft, users should now be able to solve the CAPTCHA again [31]. A
custom solution is now used instead of Google’s reCAPTCHA services,
which will give more flexibility in the future.


John Brooks presented [32] Torsion, “a ready-to-use hidden service
instant messaging client”. “I’m looking for people to try it out,
validate my ideas and implementation, and help plan the future”, wrote
John. You can consult the design documentation and build instructions on
Github [33]; please share your comments with the community!


Martin Weinelt shared [34] a plugin [35] that generates graphs in the
Munin network monitoring tool [36] from data provided by Tor, using
Stem [37]. “At the moment it supports a connection graph, getting its
data from orconn-status. More graphs are possible, but not yet
implemented. Ideas are welcome,” wrote Martin.


Amid the ongoing censorship of internet services in Turkey, there were
reports that the Tor Project’s website was unavailable over connections
supplied by some Turkish ISPs [38]. Feel free to try one of the
mirrors [39]!


Karsten Loesing published [40] a draft of a guide [41] to running a blog
over a Tor hidden service using the Jekyll static site generator [42].
“The intended audience are bloggers who can handle a terminal window but
who don’t know the typical pitfalls of securely setting up a web server
over a hidden service”, he wrote. However, the guide is in its first
stages, and “may contain severe problems harming your privacy!” Feedback
on its content, wording, and layout would be greatly appreciated.

  [41]: http://csxeeumg5ynu2rk7.onion/

Yawning Angel called [43] for help with testing obfsclient 0.0.2 [44], a
C++ implementation of the obfs3 and ScrambleSuit pluggable transports:
“This is mostly a bug fix release that addresses issues found in
testing/actual use […] Questions, comments, feedback appreciated as


Michael Rogers has been “working on a messaging app that uses Tor hidden
services to provide unlinkability (from the point of view of a network
observer) between users and their contacts”. But as “users know who
their contacts are”, the mutual anonymity provided by hidden services is
not a requirement. Michael asked [45] how hidden services performance
could be improved for this use case.


On the Tor Blog, Sukhbir Singh posted [46] a round-up of the various
methods by which users can download and run the Tor Browser, covering
download mirrors, GetTor, bridge address distribution, and pluggable
transports usage. If you’re having trouble acquiring or using a copy of
the Tor Browser, please look here for links and guidance.


Mike Perry discovered [47] “that the Linux kernel appears to have a leak
in how it applies transproxy rules to the TCP CLOSE_WAIT shutdown
condition under certain circumstances”. Be sure to look at Mike’s email
if you use Tor’s TransProxy feature. velope later improved [48] the
original mitigating firewall rule.


As part of the ongoing project to rewrite the Tor Weather service,
Sreenatha Bhatlapenumarthi and Karsten Loesing collaborated [49] to
produce a Python script that enables it to determine whether or not
relay operators have fulfilled the requirements [50] for a free Tor


Lukas Erlacher announced the availability of OnionPy [51], “a Python
wrapper for OnionOO with support for transparently caching OnionOO
replies in memcached”. It should be useful to the on-going rewrite of
the Tor Weather service [52].


The deadline for submissions to the Tails logo contest passed on March
31st; you can review all of the proposed designs, from the minimalist to
the psychedelic, on the Tails website [53].


Tor help desk roundup

The help desk often gets confusing reports that after being directed to
download the latest Tor Browser version by a flashing TorBrowserButton,
users still sometimes see a message that their Tor Browser is out of
date. This happens when the new Tor Browser version was installed over
the previous one. Fortunately the underlying bug [54] will be fixed in
the next Tor Browser release. We recommend extracting each Tor Browser
update to an empty directory rather than overwriting the old one, to
prevent similar unexpected behaviors. The longer-term solution for
issues like this is an auto-updating Tor Browser [55].


News from Tor StackExchange

saurav wanted to know the total bandwidth of all guard nodes in the
current network [56]. gacar pointed to the bandwidth.csv file [57] and
explained the format of the file.


Tor’s StackExchange site is doing a self-evaluation [58]. If you have an
account, please log in and evaluate the questions as well as their
answers. It helps to improve the answers and the site in general.

Furthermore, if you happen to visit the site, check the list of
unanswered questions [59]. If you know an answer, please share your
knowledge with the people.


Upcoming events

April 1-4        | Civil Rights Defenders’ Days
                 | Stockholm, Sweden
Apr  2 19:00 UTC | little-t tor development meeting
                 | #tor-dev,
Apr  4 17:00 UTC | Pluggable transports online meeting
                 | #tor-dev,
Apr  4 18:00 UTC | Tor Browser online meeting
                 | #tor-dev,
Apr  9 20:00 UTC | Tails contributors meeting
                 | #tails-dev,
Apr 10 10:00 EDT | Andrew speaking at F.ounders NYC
                 | New York City, New York, USA

This issue of Tor Weekly News has been assembled by Lunar, harmony,
David Fifield, Matt Pagan, qbi and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [60], write down your
name and subscribe to the team mailing list [61] if you want to
get involved!
