Tor Weekly News — June 11th, 2014
harmony01 at riseup.net
Wed Jun 11 13:29:49 UTC 2014
Tor Weekly News June 11th, 2014
Welcome to the twenty-third issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.
Tor Browser 3.6.2 is out
Version 3.6.2 of the Tor Browser has been released, featuring “a fix
to allow the configuration of a local HTTP or SOCKS proxy with all
included Pluggable Transports”, as well as important fixes to mitigate
recent OpenSSL vulnerabilities, among other security updates. All users
are advised to upgrade as soon as possible.
The EFF announces its 2014 Tor Challenge
As part of the wider “Reset the Net” event, the Electronic Frontier
Foundation has launched another in its occasional series of Tor
Challenges. The goal of the campaign is to increase the Tor network’s
capacity and diversity by encouraging members of the public to run
relays, and directing them to the legal and technical guidance necessary
to do so.
So far, over 600 relays have been started (or had their capacity
increased) as part of the campaign: you can see a running total of
relays and bytes transferred on the campaign page. Once you’ve set
up your relay, you can register it on the page (anonymously or credited
to your name); stickers and T-shirts are on offer for those who run
relays of a certain size or for a certain period.
If you run into trouble setting up your relay, you can also find expert
advice and discussion on the tor-relays mailing list or the #tor
channel on irc.oftc.net.
Tor and the “EarlyCCS” bug
Following April’s much-loved “Heartbleed” bug, another OpenSSL
vulnerability was discovered — nicknamed “EarlyCCS” — that could
have an impact on the security of many internet services, including Tor.
Nick Mathewson explained that although “Tor is comparatively
resilient to having one layer of crypto removed”, it may be affected to
the extent that “an adversary in the position to run a MITM attack on a
Tor client or relay could cause a TLS connection to be negotiated
without real encryption or authentication.”
Tor users and relay operators should make sure to update their OpenSSL
and Tor packages as soon as possible; those using a system tor (rather
than or in addition to the Tor Browser) should ensure that they restart
it once the updates are installed; otherwise they will not take effect.
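
As an added illustration of the restart advice above (this is not part of the original newsletter), the following sketch checks whether a process still maps an OpenSSL library that was replaced on disk. It assumes Linux /proc and a tor that links OpenSSL dynamically; the function names and the sample maps text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the newsletter): after an OpenSSL package update,
# find daemons that still run the old library. Assumes Linux /proc and a
# tor that links OpenSSL dynamically.

# stale_openssl [MAPS_FILE]
# Reads /proc/PID/maps-format text (file argument or stdin) and prints each
# libssl/libcrypto path whose on-disk file was replaced, which the kernel
# marks "(deleted)". Returns 0 if any was found, 1 if none.
stale_openssl() {
    awk '
        $7 == "(deleted)" && $6 ~ /lib(ssl|crypto)\.so/ {
            if (!seen[$6]++) print $6    # one line per library, not per segment
            found = 1
        }
        END { exit !found }
    ' "$@"
}

# Constructed sample: maps of a process started before the upgrade.
sample_maps() {
    cat <<'EOF'
7f3a1c000000-7f3a1c05d000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c25d000-7f3a1c261000 r--p 0005d000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5c2000 r-xp 00000000 08:01 393299 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a1d000000-7f3a1d1b8000 r-xp 00000000 08:01 131093 /lib/x86_64-linux-gnu/libc.so.6
EOF
}

# check_tor: report every running "tor" process that needs a restart.
# Reading another user's /proc/PID/maps requires root.
check_tor() {
    for pid in $(pgrep -x tor); do
        if stale_openssl "/proc/$pid/maps" >/dev/null 2>&1; then
            echo "tor pid $pid still maps a replaced OpenSSL library; restart it"
        fi
    done
}

# Run against live processes only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    check_tor
fi
```

A process that prints nothing here may still be vulnerable if the updated package was never installed; the check only covers the "updated but not restarted" case.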
A new website for the directory archive
Karsten Loesing announced the new CollecTor service, which
spins off the directory archive section from the Metrics portal.
What’s different? Archive tarballs are now provided in a directory
structure rather than a single directory, recently published
descriptors can now be accessed much more easily, and the
documentation of descriptor formats has been updated.
The now obsolete rsync access to metrics-archive and metrics-recent will
be discontinued on August 4, 2014.
More monthly status reports for May 2014
The wave of regular monthly reports from Tor project members for the
month of May continued, with reports from Karsten Loesing, Isis
Lovecruft (who submitted reports for both April and May),
George Kadianakis, Nicolas Vigier, and Roger Dingledine.
Roger also sent the report for SponsorF.
The Tails developers formally announced the upcoming Tails
Hackfest, inviting absolutely “anyone interested in making Tails more
usable and more secure” to join them in Paris on the 5th and 6th of July
(immediately after the Tor dev meeting) and “learn about the challenges
faced by Tails, and how you can be part of the solution”. Fuller details
of the venue and timetable can be found on the Tails website.
Several of Tor’s Google Summer of Code students submitted their regular
progress reports: Juha Nurmi on the ahmia.fi project, Israel Leiva
on the GetTor revamp, Amogh Pradeep on the Orbot+Orfox
project, Quinn Jarrell on the pluggable transport combiner,
Marc Juarez on the link-padding pluggable transport development,
Noah Rahman on the Stegotorus refactoring work, Sreenatha
Bhatlapenumarthi on the Tor Weather rewrite, Daniel Martí on the
implementation of consensus diffs, and Mikhail Belous on the
multicore tor daemon.
Thanks to moparisthebest for running a mirror of the Tor Project
Roger Dingledine asked the tor-relays mailing list about the
situation of Mac OS X users who would like to run Tor relays, and what
steps should be taken to make it easier for them to do so “now that the
Vidalia bundles are deprecated and hard to find”.
Isis Lovecruft has deployed BridgeDB version 0.2.2 which contains
many fixes and translation updates. The email autoresponder should not
reply with empty emails any more.
Damian Johnson has written up several ideas regarding a possible
rewrite of the ExoneraTor service in Python.
HTTPS is sometimes heavily throttled by censors, making it hard to
download the Tor Browser over an HTTPS link. Israel Leiva is asking for
feedback about making the GetTor email service reply with links to
unencrypted HTTP servers as a work-around.
Tor help desk roundup
The help desk has been asked for information on TorCoin, a proposed
cryptocurrency. TorCoin is not affiliated with or endorsed by the Tor
Project. The Tor Project publishes guidelines on the use of its
trademark to try to prevent confusing uses of the Tor name.
Easy development tasks to get involved with
obfsproxy, the traffic obfuscator, opens the “authcookie” file for each
new incoming connection. George Kadianakis suggests that it should
instead read the file on startup and keep its content in memory during
operation. obfsproxy is written in Python/Twisted. The change
should be pretty small, but if you like finding the right places that
need changing, feel free to look at the ticket and post your patch
June 11 19:00 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
June 11 19:00 UTC | Tails contributors meeting
                  | #tails-dev, irc.oftc.net
June 13 15:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
June 30 — Aug 4   | Tor’s Summer Dev Meeting
                  | Paris, France
This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt
Pagan, Karsten Loesing, and Roger Dingledine.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page, write down your
name and subscribe to the team mailing list if you want to