Tor Weekly News — April 30th, 2014

Lunar lunar at
Wed Apr 30 13:13:31 UTC 2014

Tor Weekly News                                         April 30th, 2014

Welcome to the seventeenth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor is released

The latest incarnation of the current development branch of Tor, dubbed, was released on April 26th [1]. This release brings
mainly security and performance improvements for clients and relays.

As a preventive measure (there being no evidence that the keys have been
compromised), authority signing keys that were used while susceptible to
the OpenSSL “heartbleed” bug are now blacklisted.

Other improvements include fixing two expensive functions on busy
relays, better TLS ciphersuite preference lists, support for run-time
hardening on compilers that support AddressSanitizer [2], and more work
on the Linux sandbox code. There are also several usability fixes for
clients (especially clients that use bridges), two new TransPort
protocols supported (one on OpenBSD, one on FreeBSD), and various other

As Nick Mathewson wrote: “This release marks end-of-life for Tor
0.2.2.x; those Tor versions have accumulated many known flaws”.

Source code is available at the usual location [3] and binary packages
have already started to be updated.


Introducing the 2014 Google Summer of Code projects

As announced in February [4], Tor is once again participating in
Google’s Summer of Code program, allowing students and aspiring
developers the chance to work on a Tor-related project with funding from
Google and expert guidance from Tor Project members. After several
months of coordination and discussion, this summer’s successful
proposals have now been chosen, and some of the students took to the
tor-dev mailing list to introduce themselves and their upcoming work.

Juha Nurmi [5] will continue to work on the already-operational
hidden service search engine, while Marc Juarez [6] will be
“implementing the building blocks for a future padding-based website
fingerprinting countermeasure as a pluggable transport”. Daniel
Martí [7] has taken up the challenge of implementing proposal 140 [8],
which aims to considerably reduce the size of the network consensus data
that Tor clients fetch every hour, and Israel Leiva [9] plans to spruce
up the neglected GetTor service, which allows users to download the Tor
Browser Bundle even if the Tor website and its mirrors are inaccessible.
Amogh Pradeep [10] will be contributing to the Guardian Project’s
development of Orfox, a new Android web browser to be used with Orbot,
while Kostas Jakeliunas [11] returns to Tor GSoC to construct a new
BridgeDB distributor, serving bridge addresses to users in censored
areas over Twitter, and possibly other channels as well. Quinn
Jarrell [12] will be working on building a pluggable transports combiner
that “will allow transports to be chained together to form more
varieties of transports and make them harder to detect and block”.
Sreenatha Bhatlapenumarthi [13] will pick up the effort of rewriting Tor

You can read more about each proposal in the respective introductory
messages and their replies; a full list of accepted projects is
available on the Google Summer of Code website [14]. As Daniel wrote,
“comments are very welcome”!


Miscellaneous news

Meejah released version 0.9.2 of txtorcon [15] — the Tor controller
library for the Twisted Python framework: “this release adds a few minor
bug-fixes and a few API enhancements”.


The Tails team is looking for enthusiasts equipped with a Bluetooth
keyboard and mouse [16] to ensure that Tails works properly with such


Matthew Finkel forwarded a copy of the email that was sent to bridge
operators [17] to warn them about the “Heartbleed” vulnerability, and
the actions that should be taken as a result. If you know any bridge
operator who might not have filled in their contact information, please
forward the message!


Karsten Loesing has been working on switching Onionoo — the web service
to retrieve information about the Tor network — to use the Gson library
instead of plain string concatenation to format its JSON output. As the
change might break some applications, client authors should test their
applications [18] and see if everything still works as it should.


Tor help desk roundup

The help desk has been asked why the Tor Project’s hidden service site
mirrors are offline. The sites were taken down during the fallout from
the Heartbleed security vulnerability. New hidden service addresses were
not generated. The sysadmin team has expressed that they no longer wish
to maintain these services [19].


News from Tor StackExchange

Kristopher Ives is working on a card game using Tor. Each user accepts
inbound connections through hidden services, and also needs to make
outbound connections [20]. Tom Ritter acknowledged it was possible to
use only one Tor daemon to do both.


Dan gets the error message “Cannot load XPCOM” whenever Tor Browser is
started [21]. Jens Kubieziel pointed to the discussion at #10789 [22].
The culprit is WebRoot Internet Security as it prevents the proper
loading of all browser components; either uninstalling it or adding DLL
files to the whitelist has helped other users [23].


Upcoming events

Apr 30 19:00 UTC | little-t tor development meeting
                 | #tor-dev,
May  2 15:00 UTC | Tor Browser online meeting
                 | #tor-dev,
May 27-28        | Tor @ Stockholm Internet Forum
                 | Stockholm, Sweden

This issue of Tor Weekly News has been assembled by Lunar, harmony,
Matt Pagan, qbi, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [24], write down your
name and subscribe to the team mailing list [25] if you want to
get involved!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <>

More information about the tor-news mailing list