Tor Weekly News — June 11th, 2014

harmony harmony01 at riseup.net
Wed Jun 11 13:29:49 UTC 2014


========================================================================
Tor Weekly News                                          June 11th, 2014
========================================================================

Welcome to the twenty-third issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.2 is out
------------------------

Version 3.6.2 of the Tor Browser has been released [1], featuring “a fix
to allow the configuration of a local HTTP or SOCKS proxy with all
included Pluggable Transports”, as well as important fixes to mitigate
recent OpenSSL vulnerabilities, among other security updates. All users
are advised to upgrade [2] as soon as possible.

  [1]: https://blog.torproject.org/blog/tor-browser-362-released
  [2]: https://www.torproject.org/download/download-easy.html

The EFF announces its 2014 Tor Challenge
----------------------------------------

As part of the wider “Reset the Net” event [3], the Electronic Frontier
Foundation has launched [4] another in its occasional series of Tor
Challenges. The goal of the campaign is to increase the Tor network’s
capacity and diversity by encouraging members of the public to run
relays, and directing them to the legal and technical guidance necessary
to do so.

So far, over 600 relays have been started (or had their capacity
increased) as part of the campaign: you can see a running total of
relays and bytes transferred on the campaign page [5]. Once you’ve set
up your relay, you can register it on the page (anonymously or credited
to your name); stickers and T-shirts are on offer for those who run
relays of a certain size or for a certain period.

If you run into trouble setting up your relay, you can also find expert
advice and discussion on the tor-relays mailing list [6] or the #tor
channel on irc.oftc.net.

  [3]: https://blog.torproject.org/blog/reset-net
  [4]: https://blog.torproject.org/blog/tor-challenge-2014
  [5]: https://www.eff.org/torchallenge/
  [6]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Tor and the “EarlyCCS” bug
--------------------------

Following April’s much-loved “Heartbleed” bug, another OpenSSL
vulnerability was discovered — nicknamed “EarlyCCS” [7] — that could
have an impact on the security of many internet services, including Tor.
Nick Mathewson explained [8] that although “Tor is comparatively
resilient to having one layer of crypto removed”, it may be affected to
the extent that “an adversary in the position to run a MITM attack on a
Tor client or relay could cause a TLS connection to be negotiated
without real encryption or authentication.”

Tor users and relay operators should make sure to update their OpenSSL
and Tor packages as soon as possible; those using a system tor (rather
than or in addition to the Tor Browser) should ensure that they restart
it once the updates are installed; otherwise they will not take effect.

  [7]: http://ccsinjection.lepidum.co.jp/
  [8]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033161.html

A new website for the directory archive
---------------------------------------

Karsten Loesing announced [9] the new CollecTor service [10], which
spins off the directory archive section from the Metrics [11] portal.

What’s different? Archive tarballs are now provided in a directory
structure rather than a single directory [12], recently published
descriptors can now be accessed much more easily [13], and the
documentation of descriptor formats [14] has been updated.

The now obsolete rsync access to metrics-archive and metrics-recent will
be discontinued on August 4, 2014.

  [9]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006942.html
 [10]: https://collector.torproject.org/
 [11]: https://metrics.torproject.org/
 [12]: https://collector.torproject.org/archive/
 [13]: https://collector.torproject.org/recent/
 [14]: https://collector.torproject.org/formats.html

More monthly status reports for May 2014
----------------------------------------

The wave of regular monthly reports from Tor project members for the
month of May continued, with reports from Karsten Loesing [15], Isis
Lovecruft (who submitted reports for both April [16] and May [17]),
George Kadianakis [18], Nicolas Vigier [19], and Roger Dingledine [20].

Roger also sent the report for SponsorF [21].

 [15]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000551.html
 [16]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000553.html
 [17]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000552.html
 [18]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000554.html
 [19]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000556.html
 [20]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000559.html
 [21]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000558.html

Miscellaneous news
------------------

The Tails developers formally announced [22] the upcoming Tails
Hackfest, inviting absolutely “anyone interested in making Tails more
usable and more secure” to join them in Paris on the 5th and 6th of July
(immediately after the Tor dev meeting) and “learn about the challenges
faced by Tails, and how you can be part of the solution”. Fuller details
of the venue and timetable can be found on the Tails website [23].

 [22]: https://tails.boum.org/news/Join_us_at_the_Tails_HackFest_2014/
 [23]: https://tails.boum.org/blueprint/HackFest_2014_Paris/

Several of Tor’s Google Summer of Code students submitted their regular
progress reports: Juha Nurmi on the ahmia.fi project [24], Israel Leiva
on the GetTor revamp [25], Amogh Pradeep on the Orbot+Orfox
project [26], Quinn Jarrell on the pluggable transport combiner [27],
Marc Juarez on the link-padding pluggable transport development [28],
Noah Rahman on the Stegotorus refactoring work [29], Sreenatha
Bhatlapenumarthi on the Tor Weather rewrite [30], Daniel Martí on the
implementation of consensus diffs [31], and Mikhail Belous on the
multicore tor daemon [32].

 [24]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000555.html
 [25]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006959.html
 [26]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006960.html
 [27]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006961.html
 [28]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000557.html
 [29]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006962.html
 [30]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006964.html
 [31]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006966.html
 [32]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006984.html

Thanks to moparisthebest [33] for running a mirror of the Tor Project
website!

 [33]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000612.html

Roger Dingledine asked [34] the tor-relays mailing list about the
situation of Mac OS X users who would like to run Tor relays, and what
steps should be taken to make it easier for them to do so “now that the
Vidalia bundles are deprecated and hard to find”.

 [34]: https://lists.torproject.org/pipermail/tor-relays/2014-June/004642.html

Isis Lovecruft has deployed BridgeDB version 0.2.2 [35] which contains
many fixes and translation updates. The email autoresponder should not
reply with empty emails any more.

 [35]: https://gitweb.torproject.org/bridgedb.git/blob_plain/cb8b01bc:/CHANGELOG

Damian Johnson has written up [36] several ideas regarding a possible
rewrite of the ExoneraTor service [37] in Python.

 [36]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006970.html
 [37]: https://exonerator.torproject.org/

HTTPS is sometimes heavily throttled by censors, making it hard to
download the Tor Browser over an HTTPS link. Israel Leiva is asking for
feedback [38] about making the GetTor email service reply with links to
unencrypted HTTP servers as a work-around.

 [38]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006977.html

Tor help desk roundup
---------------------

The help desk has been asked for information on TorCoin, a proposed
cryptocurrency. TorCoin is not affiliated with or endorsed by the Tor
Project. The Tor Project publishes guidelines on the use of its
trademark to try to prevent confusing uses of the Tor name [39].

 [39]: https://www.torproject.org/docs/trademark-faq.html.en

Easy development tasks to get involved with
-------------------------------------------

obfsproxy, the traffic obfuscator, opens the “authcookie” file for each
new incoming connection. George Kadianakis suggests that it should
instead read the file on startup and keep its content in memory during
operation [40]. obfsproxy is written in Python/Twisted. The change
should be pretty small, but if you like finding the right places that
need changing, feel free to look at the ticket and post your patch
there.

 [40]: https://bugs.torproject.org/9822

Upcoming events
---------------

June 11 19:00 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
                  |
June 11 19:00 UTC | Tails contributors meeting
                  | #tails-dev, irc.oftc.net
                  | https://mailman.boum.org/pipermail/tails-dev/2014-May/005818.html
                  |
June 13 15:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
                  |
June 30 — Aug 4   | Tor’s Summer Dev Meeting
                  | Paris, France
                  | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting


This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt
Pagan, Karsten Loesing, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [41], write down your
name and subscribe to the team mailing list [42] if you want to
get involved!

 [41]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [42]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team


More information about the tor-news mailing list