Tor Weekly News — May 21st, 2014

Lunar lunar at
Wed May 21 12:54:02 UTC 2014

Tor Weekly News                                           May 21st, 2014

Welcome to the twentieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor is out

A new version of the Tor stable branch was released [1] on May 16th:
“Tor backports numerous high-priority fixes from the Tor 0.2.5
alpha release series. These include blocking all authority signing keys
that may have been affected by the OpenSSL ‘heartbleed’ bug, choosing a
far more secure set of TLS ciphersuites by default, closing a couple of
memory leaks that could be used to run a target relay out of RAM, and
several others.”

For more details, look at the full changelog [2]. The source is
available at the usual location [3]. Packages should be coming shortly,
if not already available [4].


Digital Restrictions Management and Firefox

Mozilla’s decision to support playing media with digital
restrictions [5] in Firefox by implementing the W3C EME specification
has raised a fair amount of controversy. Paul Crable wanted to know [6]
what it meant for the Tor Browser.

Mike Perry answered [7] that “simply removing the DRM will be trivial,
and it will be high on our list of tasks”.

But he also explained his worries regarding a “per-device unique
identifier” that Firefox would provide as part of the implementation:
“it is likely that this identifier will soon be abused by all sorts of
entities, […] quickly moving on to the advertising industry (why not
play a short device-linked DRM video with your banner ad? You get a
persistent, device-specific tracking identifier as part of the deal!). I
think it is also quite likely that many arbitrary sites will actually
deny access to users who do not provide them with such a device-id, if
only due to ease of increased revenue generation from a fully identified

Mike has raised the issue [8] on Mozilla’s dev-privacy mailing-list
where Henri Sivonen replied that device-identifying information
will be hashed together with a “per-origin browser-generated secret“
that “persists until the user asks the salt to be forgotten”.
So it does not look as gloom as it initially appeared. As always,
the devil is in the details.


Miscellaneous news

David Goulet reported [9] on the status of the development of Torsocks
2.0, the library for safely using applications with Tor.


Karsten Loesing posted [10] on the Tor Blog to commemorate the tenth
anniversary of the first archived Tor directory, and discussed the
different ways in which the public archive of directory data is being
used for research and development.


Karsten also notified [11] the community of a change in the compression
algorithm used for the tarballs of archived metrics data, which has
reduced their total size from 212 gigabytes to 33 — an 85% gain!


Knock [12] is a variant of port-knocking that might be useful in the
future for pluggable transports. “As Knock uses two fields in the TCP
header in order to hide information and we explicitly want to be
compatible with machines sitting in typical home networks”, writes [13]
Julian Kirsch, “we thus created a program which tests if Knock would
work in your environment.” Please give it a try [14] to help the team
figure out if Knock could be deployed in the wild.


Thanks to Jesse Victors [15], Andrea [16], Nicholas Merrill [17], and
Martin A. [18] for running mirrors of the Tor Project website!


Michael Schloh von Bennewitz has been busy analyzing a disk leak [19] in
Tor Browser: when one copies a significant chunk of text to the
clipboard, a temporary file is created with its content. Michael found a
possible fix and is welcoming reviews [20].


Nicolas Vigier has been investigating [21] some extra connections made
by the Tor Browser on startup to the local resolver and the default port
or the SOCKS proxy.


Shawn Nock proved us once more that talking to ISP is key to run Tor
relays on high-speed links. Shawn’s exit node was abruptly shut down by
its provider [22] on May 15th. After a well-crafted plea explaining why
Tor is important, the provider restored the service [23] on the very
same day!


However, dope457 reported that their provider is now giving them trouble
for being the operator of a non-exit relay [24], due to a large amount
of traffic on the DNS port (53), which is being used as the ORPort by a
recently-established Tor relay [25], as pointed out [26] by Roman


Now that ICANN is “selling” top-level domain names, Anders Andersson
raised concerns [27] about the .onion extension used by Tor.
Fortunately, RFC6761 [28] defines a process regarding special-use domain
names. Last November, Christian Grothoff, Matthias Wachs, Hellekin O.
Wolf, and Jacob Appelbaum submitted a request to reserve several TLDs
used in peer-to-peer systems [29]. Hellekin sent an update [30] about
the procedure: “the current status quo from the IETF so far is that this
issue is not a priority”.


Tor help desk roundup

Local antivirus or firewall applications can prevent Tor from connecting
unless they are disabled. Firewall tools that have caused usability
issues in the past include Webroot SecureAnywhere AV, Kaspersky Internet
Security 2012, Sophos Antivirus for Mac, and Microsoft Security

News from Tor StackExchange

The Tor StackExchange site [31] now provides more than 1000 answers to
user-supplied questions. However, there are still ~130 questions [32]
which need a good answer, so if you happen to know one then please visit
the site and help out.

The majority of the questions are about the Tor Browser Bundle [33], but
hidden services also attract a large amount of attention [34]. When it
comes to operating systems, there are 42 Windows-related questions [35],
while questions about Tails [36] and Whonix [37] number nearly 50. All
your questions about Tor and related software are welcome.


Blue_Pyro uses Orweb on a mobile phone and wants to save images from
websites [38]. Abel of Guardian recommended two options: first, a user
can use Firefox mobile with privacy enhanced options [39], or one can
try Orfox [40], a development version of a Firefox-based browser.


Easy development tasks to get involved with

Stem [41] is a Python controller library for Tor. It comes with
tutorials and generally has pretty good test coverage. The newly-added
example scripts, however, don’t yet have unit tests. Damian Johnson
suggested ways to add unit tests for example scripts [42]; if you
want to help out, learn how to get started [43], start writing unit
tests for the example scripts, and then comment on the ticket.


The traffic obfuscator obfsproxy [44] should validate command-line
arguments appropriately [45]. Right now, it’s printing an error and
continuing, but it should really abort. This sounds like a trivial
change, but maybe there’s more to fix in the nearby code. If you like
Python and want to give it a try, there’s more information for you on
the ticket.


Upcoming events

May 21 19:00 UTC | little-t tor development meeting
                 | #tor-dev,
May 23 15:00 UTC | Tor Browser online meeting
                 | #tor-dev,
May 23 16:00 UTC | Pluggable transports online meeting
                 | #tor-dev,
May 27-28        | Tor @ Stockholm Internet Forum
                 | Stockholm, Sweden

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt
Pagan, Karsten Loesing, qbi, and Georg Koppen.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [46], write down your
name and subscribe to the team mailing list [47] if you want to
get involved!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <>

More information about the tor-news mailing list