Tor Weekly News — May 21st, 2014
lunar at torproject.org
Wed May 21 12:54:02 UTC 2014
Tor Weekly News May 21st, 2014
Welcome to the twentieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.
Tor 0.2.4.22 is out
A new version of the Tor stable branch was released  on May 16th:
“Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5
alpha release series. These include blocking all authority signing keys
that may have been affected by the OpenSSL ‘heartbleed’ bug, choosing a
far more secure set of TLS ciphersuites by default, closing a couple of
memory leaks that could be used to run a target relay out of RAM, and
For more details, look at the full changelog . The source is
available at the usual location . Packages should be coming shortly,
if not already available .
Digital Restrictions Management and Firefox
Mozilla’s decision to support playing media with digital
restrictions  in Firefox by implementing the W3C EME specification
has raised a fair amount of controversy. Paul Crable wanted to know 
what it meant for the Tor Browser.
Mike Perry answered  that “simply removing the DRM will be trivial,
and it will be high on our list of tasks”.
But he also explained his worries regarding a “per-device unique
identifier” that Firefox would provide as part of the implementation:
“it is likely that this identifier will soon be abused by all sorts of
entities, […] quickly moving on to the advertising industry (why not
play a short device-linked DRM video with your banner ad? You get a
persistent, device-specific tracking identifier as part of the deal!). I
think it is also quite likely that many arbitrary sites will actually
deny access to users who do not provide them with such a device-id, if
only due to ease of increased revenue generation from a fully identified
Mike has raised the issue  on Mozilla’s dev-privacy mailing-list
where Henri Sivonen replied that device-identifying information
will be hashed together with a “per-origin browser-generated secret“
that “persists until the user asks the salt to be forgotten”.
So it does not look as gloom as it initially appeared. As always,
the devil is in the details.
David Goulet reported  on the status of the development of Torsocks
2.0, the library for safely using applications with Tor.
Karsten Loesing posted  on the Tor Blog to commemorate the tenth
anniversary of the first archived Tor directory, and discussed the
different ways in which the public archive of directory data is being
used for research and development.
Karsten also notified  the community of a change in the compression
algorithm used for the tarballs of archived metrics data, which has
reduced their total size from 212 gigabytes to 33 — an 85% gain!
Knock  is a variant of port-knocking that might be useful in the
future for pluggable transports. “As Knock uses two fields in the TCP
header in order to hide information and we explicitly want to be
compatible with machines sitting in typical home networks”, writes 
Julian Kirsch, “we thus created a program which tests if Knock would
work in your environment.” Please give it a try  to help the team
figure out if Knock could be deployed in the wild.
Thanks to Jesse Victors , Andrea , Nicholas Merrill , and
Martin A.  for running mirrors of the Tor Project website!
Michael Schloh von Bennewitz has been busy analyzing a disk leak  in
Tor Browser: when one copies a significant chunk of text to the
clipboard, a temporary file is created with its content. Michael found a
possible fix and is welcoming reviews .
Nicolas Vigier has been investigating  some extra connections made
by the Tor Browser on startup to the local resolver and the default port
or the SOCKS proxy.
Shawn Nock proved us once more that talking to ISP is key to run Tor
relays on high-speed links. Shawn’s exit node was abruptly shut down by
its provider  on May 15th. After a well-crafted plea explaining why
Tor is important, the provider restored the service  on the very
However, dope457 reported that their provider is now giving them trouble
for being the operator of a non-exit relay , due to a large amount
of traffic on the DNS port (53), which is being used as the ORPort by a
recently-established Tor relay , as pointed out  by Roman
Now that ICANN is “selling” top-level domain names, Anders Andersson
raised concerns  about the .onion extension used by Tor.
Fortunately, RFC6761  defines a process regarding special-use domain
names. Last November, Christian Grothoff, Matthias Wachs, Hellekin O.
Wolf, and Jacob Appelbaum submitted a request to reserve several TLDs
used in peer-to-peer systems . Hellekin sent an update  about
the procedure: “the current status quo from the IETF so far is that this
issue is not a priority”.
Tor help desk roundup
Local antivirus or firewall applications can prevent Tor from connecting
unless they are disabled. Firewall tools that have caused usability
issues in the past include Webroot SecureAnywhere AV, Kaspersky Internet
Security 2012, Sophos Antivirus for Mac, and Microsoft Security
News from Tor StackExchange
The Tor StackExchange site  now provides more than 1000 answers to
user-supplied questions. However, there are still ~130 questions 
which need a good answer, so if you happen to know one then please visit
the site and help out.
The majority of the questions are about the Tor Browser Bundle , but
hidden services also attract a large amount of attention . When it
comes to operating systems, there are 42 Windows-related questions ,
while questions about Tails  and Whonix  number nearly 50. All
your questions about Tor and related software are welcome.
Blue_Pyro uses Orweb on a mobile phone and wants to save images from
websites . Abel of Guardian recommended two options: first, a user
can use Firefox mobile with privacy enhanced options , or one can
try Orfox , a development version of a Firefox-based browser.
Easy development tasks to get involved with
Stem  is a Python controller library for Tor. It comes with
tutorials and generally has pretty good test coverage. The newly-added
example scripts, however, don’t yet have unit tests. Damian Johnson
suggested ways to add unit tests for example scripts ; if you
want to help out, learn how to get started , start writing unit
tests for the example scripts, and then comment on the ticket.
The traffic obfuscator obfsproxy  should validate command-line
arguments appropriately . Right now, it’s printing an error and
continuing, but it should really abort. This sounds like a trivial
change, but maybe there’s more to fix in the nearby code. If you like
Python and want to give it a try, there’s more information for you on
May 21 19:00 UTC | little-t tor development meeting
| #tor-dev, irc.oftc.net
May 23 15:00 UTC | Tor Browser online meeting
| #tor-dev, irc.oftc.net
May 23 16:00 UTC | Pluggable transports online meeting
| #tor-dev, irc.oftc.net
May 27-28 | Tor @ Stockholm Internet Forum
| Stockholm, Sweden
This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt
Pagan, Karsten Loesing, qbi, and Georg Koppen.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page , write down your
name and subscribe to the team mailing list  if you want to
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: Digital signature
More information about the tor-news