Tor Weekly News — February 4th, 2014

Lunar
Wed Feb 5 12:28:49 UTC 2014

Tor Weekly News                                       February 4th, 2014

Welcome to the fifth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

News from the browser team front

Mike Perry has a detailed report [1] about what the growing Tor
Browser team has been up to. Among the good news, new fingerprinting
defenses are getting close to being merged for “screen resolution, default
character sets, site permissions, and local service enumeration”. Some
other changes that will reduce the attack surface include “disabling
addon update requests for addons that should not update, a potential fix
for a disk leak in the browser’s video cache, […], and a potential fix
to prevent the Flash plugin from being loaded into the browser at all
until the user actually requests to use it.”

Most censored users currently have to use a separate browser bundle
dubbed “pluggable transports bundle”. This has proven quite inconvenient
for both users and those trying to support them. Mike
reports progress on “unifying the pluggable transport bundles with the
official bundles, so that both censored and uncensored users can use the
same bundles. […] The progress is sufficient that we are very likely to
be able to deploy a 3.6-beta1 release in February to test these unified

Another important topic is how the privacy fixes in the Tor Browser
can benefit a wider userbase. The team has “continued the merge
process with Mozilla, and have worked to ensure that every patch of
ours is on their radar […]. Two patches, one for an API we require to
manage the Tor subprocess, and another to give us a filter to remove
potentially dangerous drag-and-drop events to the desktop have already
been merged. Next steps will include filing more bugs, continual
contact with their development team, and touching up patches as

There are even more things to smile about in the report. Read it in full
for the whole picture.


Key revocation in next generation hidden services

It looks like every public-key infrastructure [2] struggles with how to
handle key revocation. Hidden services are no different. The current
design makes no provision for preventing a stolen key from being reused by
an attacker.

With the on-going effort to create a new protocol for hidden
services [3], now seems to be a good time for George Kadianakis to raise
this issue [4]. In the past, hidden service operators had little control
over their secret keys. The new design enables offline management
operations, which include key revocation.

As George puts it, currently well-known solutions “are always messy and
don’t work really well (look at SSL’s OCSP [5] and CRLs [6]).” So how
can “the legitimate Hidden Service can inform a client that its keys got

In his email, George describes two solutions, one relying on the
directory authorities, the other on hidden service directories. Both
have drawbacks, so perhaps further research is necessary.

In the same thread, Nick Hopper suggested [7] a scheme that uses
multiple hidden service directories to cross-certify their revocation
lists. This gives more confidence to the user, since the adversary now
has to compromise multiple hidden service directories.

Please join the discussion if you have ideas to share!


Help needed to remove DNS leaks from Mumble

Mumble [8] is a “low-latency, high quality voice chat software primarily
intended for use while gaming”.

It’s proven to be a reliable solution for voice chat among multiple
parties over Tor. Matt and Colin have worked on documentation on how
to set up both the client and the server side [9] for Tor users.

But the client is currently safely usable only on Linux systems with
torsocks and on Tails. On other operating systems, the Mumble client
will unfortunately leak the address of the server to the local DNS
resolver [10].

The changes that need to be made to the Mumble code are less trivial
than one would think. Matt describes the issue in more detail in his
call for help [11]. Have a look if you are up to some C++/Qt hacking.
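The leak described above happens when a client resolves the server name with the system resolver and only then hands Tor a literal IP address. As an added example (not code from Mumble or the Tor project), here is the SOCKS5 pattern that avoids it: the unresolved hostname is sent to Tor's SOCKS port (assumed to be the default 127.0.0.1:9050) so that resolution happens inside Tor, plus a small check that tells the two request shapes apart.

```python
import socket
import struct

SOCKS_VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Partial reply-code table from RFC 1928
REPLY_TEXT = {0x00: "succeeded", 0x01: "general failure",
              0x04: "host unreachable", 0x05: "connection refused"}


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the unresolved hostname (ATYP 0x03).

    The name reaches the proxy as-is, so the local stub resolver never
    sees it; Tor resolves it at the exit (or treats .onion specially).
    """
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes for SOCKS5")
    return (struct.pack("!BBBBB", SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name))
            + name + struct.pack("!H", port))


def request_resolves_locally(request: bytes) -> bool:
    """True if a CONNECT request carries a literal IP, i.e. the client has
    already resolved the name itself: the DNS leak described above."""
    if len(request) < 4 or request[0] != SOCKS_VER or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_reply(reply: bytes) -> str:
    """Decode the proxy's reply; REP != 0 means Tor could not connect."""
    if len(reply) < 2 or reply[0] != SOCKS_VER:
        raise ValueError("malformed SOCKS5 reply")
    return REPLY_TEXT.get(reply[1], "failure 0x%02x" % reply[1])


def connect_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050)) -> socket.socket:
    """Open a TCP stream through Tor's SOCKS port without touching local DNS.
    Assumes a Tor client listening on `proxy` (Tor's default SocksPort)."""
    s = socket.create_connection(proxy)        # literal IP: nothing to resolve
    s.sendall(bytes([SOCKS_VER, 0x01, 0x00]))  # offer only "no authentication"
    if s.recv(2) != bytes([SOCKS_VER, 0x00]):
        s.close()
        raise OSError("proxy rejected the method offer")
    s.sendall(build_connect_request(host, port))
    status = parse_reply(s.recv(262))          # 262 = largest possible reply
    if status != "succeeded":
        s.close()
        raise OSError("SOCKS CONNECT failed: " + status)
    return s
```

The same rule applies to any other client: if the bytes on the wire to port 9050 contain an IP address rather than a name, the resolver has already been asked.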


Monthly status reports for January 2014

The wave of regular monthly reports from Tor project members for the
month of January has begun. Damian Johnson [12] released his report
first, followed by reports from Philipp Winter [13], Sherief
Alaa [14], the Tor Browser team from Mike Perry [15], Colin C. [16], the
help desk [17], Matt [18], Lunar [19], George Kadianakis [20], and Pearl
Crescent [21].


Miscellaneous news

Nick Mathewson came up [22] with a Python script [23] to convert the new
MaxMind GeoIP2 binary database to the format used by Tor for its
geolocation database.


Thanks to John Ricketts from Quintex Alliance Consulting [24] for
providing another mirror for the Tor Project’s website and software.


Abhiram Chintangal and Oliver Baumann are reporting [25] progress on
their rewrite [26] of the Tor Weather service.


Andreas Jonsson gave an update [27] on how Mozilla is moving to a
multi-process model for Firefox [28] and how this should positively
affect the possibility of sandboxing the Tor Browser in the future.


As planned [29], to help “developers to analyze the directory protocol
and for researchers to understand what information is available to
clients to make path selection decisions”, Karsten Loesing has made [30]
microdescriptor archives available on the metrics website.


Christian has deployed [31] a test platform [32] for the JavaScript-less
version of Globe, a tool to retrieve information about the Tor network
and its relays.


In an answer to Shadowman’s questions about pluggable transports, George
Kadianakis wrote a detailed reply on how Tor manages pluggable
transports [33], both on the server side and on the client side.


Arthur D. Edelstein has advertised a GreaseMonkey script [34] to enable
Tor Browser to access YouTube videos without having JavaScript enabled.
Please be aware of the security risks that GreaseMonkey might
introduce [35] before using such a solution.


Andrew Lewman reports on his trip to Washington DC [36] where he met
Spitfire Strategies to learn about “Tor’s brand, media presence, and
ideas for the future”. For a short excerpt: “It’s interesting to get
critiques on all our past media appearances; what was good and what
could be better. Overall, the team there are doing a great job.”


Lunar accounted [37] for Tor’s presence at FOSDEM, one of the largest
free software events in Europe. The project had a small booth [38] shared
with Mozilla and there was even a relay operator meetup [39].


Yan Zhu has released [40] the first version of HTTPS Everywhere for
Firefox Mobile. Good news for users of the upcoming Orfox [41].


Tor help desk roundup

Users often want to know if Tor can make them appear to be coming from a
particular country. Although doing so can reduce one’s anonymity, it is
documented on our FAQ page [42].

Orbot users have noticed that installing Orbot to their SD storage can
cause Orbot to stop functioning correctly. Installing Orbot to the
internal storage has resolved issues for a few users.


News from Tor StackExchange

Rhin is looking for hidden service hosting services. Jens pointed them
to [43], but it looks like there are no gratis hidden
service hosters currently available.


Vijay kudal wanted to know how to change the current circuit within
shell scripts [44]. Jens Kubieziel gave an answer using expect and
hexdump [45].


Roya saw replying contradictory information [46]
with Atlas about the exit node being used. It seems to be a bug in check
occurring when multiple nodes are using the same IP address [47].


Upcoming events

Feb 8     | Aaron Gibson Presenting Tor @ New Media Inspiration 2014
          | Prague, Czech Republic
Feb 8     | Colin Childs Presenting Tor @ CryptoParty, Winnipeg
          | Winnipeg, Canada
Feb 9     | Privacy SOS CryptoParty @ NorthEastern University in Boston
          | Boston, Massachusetts, United States

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
qbi, George Kadianakis, Colin, Sandeep, Paul Feitzinger and
Karsten Loesing.

TWN is a community newsletter. It can’t rest upon a single pair of
shoulders at all times, especially when those shoulders stand behind a
booth for two days straight. So if you want to continue reading TWN, we
really need your help! Please see the project page [48] and say “hi” on
the team mailing list [49].
