Tor Weekly News — May 28th, 2014

Lunar lunar at
Wed May 28 14:13:38 UTC 2014

Tor Weekly News                                           May 28th, 2014

Welcome to the twenty-first issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

OnionShare and tor’s ControlPort

Micah Lee published OnionShare [1], a program that “makes it simple to
share a file securely using a password-protected Tor hidden service”. It
originally ran only in Tails, but has now been made compatible with
other GNU/Linux distros, Windows, and OS X. As part of that process,
Micah wondered [2] about the best way to make the program work with a
Tor Browser or system tor process, as “I would really like to not be in
the business of distributing Tor myself”. meejah [3] and David
Stainton [4] responded with relevant details of the Stem [5] and
txtorcon [6] controller libraries, which allow this kind of operation to
take place via tor’s ControlPort.


The “Tor and HTTPS” visualization made translatable

Lunar announced [7] the creation of a repository [8] for an
SVG+Javascript version of the EFF’s interactive “Tor and HTTPS”
visualization [9], which has proven useful in explaining to users the
types of data that can be leaked or intercepted, and by whom, when using
Tor or HTTPS (or both, or neither). As Lunar wrote, “The good news is
that it’s translatable”: copies have so far been published in over
twenty languages. The amount of translation required is very small, so
if you’d like to contribute in your language then download the POT
file [10] and submit a patch!


A Child’s Garden of Pluggable Transports

David Fifield published [11] “A Child’s Garden of Pluggable
Transports” [12], a detailed visualization of different pluggable
transport protocols, including “aspects of different transports that I
think are hard to intuit, such as what flash proxy rendezvous looks
like, and how transports look under the encrypted layer that is visible
to a censor”. A few other transports supported by Tor [13] are not yet
discussed in the guide; “if you know how to run any of those transports,
and you know an effective way to visualize it, please add it to the
page”, wrote David.


Miscellaneous news

Anthony G. Basile released [14] version 20140520 of tor-ramdisk [15],
the micro Linux distribution “whose only purpose is to host a Tor server
in an environment that maximizes security and privacy”. The new version
upgrades Tor to version, which “adds an important block to
authority signing keys that were used on authorities vulnerable to the
“heartbleed” bug in OpenSSL”, among other fixes; upgrading “is strongly


Cure53 audited the security [16] of the Onion Browser [17], a web
browser for iOS platforms tunneling traffic through Tor. From the
conclusion: “we believe that the Onion Browser project is on the right
track, however there is still a long way ahead for the project to be
appropriately ‘ripe’ for usage in actually privacy-relevant and
critically important scenarios.” All reported issues should have been
fixed in release 1.5 [18] on May 14th.


A new pluggable transport, currently named obfs4 [19], is being crafted
by Yawning Angel: “obfs4 is ScrambleSuit with djb crypto. Instead of
obfs3 style UniformDH and CTR-AES256/HMAC-SHA256, obfs4 uses a
combination of Curve25519, Elligator2, HMAC-SHA256, XSalsa20/Poly1305
and SipHash-2-4”. The feature set offered by obfs4 is comparable to
ScrambleSuit, with minor differences. Yawning is now asking the
community for comments, reviews, and tests [20].


Stem now offers a control interpreter, “a new method for interacting
with Tor’s control interface that combines an interactive python
interpreter with raw access similar to telnet” [21]. Damian Johnson
wrote a new tutorial [22] to give an overview of what can be done with


Also on the controller front, Yawning Angel hacked on or-applet [23], a
Gtk+ system tray applet to monitor Tor circuits.


Arlo Breault is making progress on the Tor Instant Messenger Bundle: a
minimalistic user interface for OTR encryption in Instantbird [24], one
of the key features missing from the finished software, has now been


Nicolas Vigier has been working [25] on improving the Mbox sandboxing
environment [26] to test the Tor Browser for disk or network leaks.


Israel Leiva published [27] the initial version of a design
proposal [28] for the “Revamp GetTor” Google Summer of Code project,
having concluded that a full rewrite is needed.


Juha Nurmi submitted [29] the first weekly report for the GSoC


kzhm sent out [30] instructions for installing obfsproxy on Fedora 20,
to go with those for other Linux distributions [31].


AddressSanitizer [32] (ASan) is a powerful memory error detector:
software built with such technology makes it a lot harder to exploit
programming errors related to memory management. Happily, Georg Koppen
has announced [33] the first test packages of the Tor Browser built with
ASan hardening.


Karsten Loesing is planning on spinning off the directory archive from
the metrics portal [34].


Tor help desk roundup

Multiple Mac OS X users complained that despite seeing the
“Congratulations” welcome page, they were unable to reach any website
with the Tor Browser. It appears that with a recent update, the Sophos
anti-virus solution interferes with the Tor Browser. In order to be able
to use the Tor Browser again, one must open Sophos Anti-Virus, then
“Preferences”, and in the “Web Protection” panel position all switches
to off.

News from Tor StackExchange

yohann2008 doesn’t want their hidden service to be indexed by search
engines [35]. puser suggested using a robots.txt file [36], as on a
normal webpage. Jens Kubieziel later received confirmation on the IRC
channel of [37] that this search engine does indeed respect the
robots.txt; however, it is unknown whether others do.


Herbalist saw the following line in their log file [38] and wonders what
it could mean: “Rejecting INTRODUCE1 on non-OR or non-edge circuit
7503”. If you can unravel this mystery, please submit your answer to the


Easy development tasks to get involved with

The metrics website displays graphs on bridge users by pluggable
transport [39], but we’d like to have another graph with total pluggable
transport usage [40]. Karsten Loesing outlined the steps for adding such
a graph, which require some knowledge of R and ggplot2. If you enjoy
writing R and want to add this new graph to the metrics website, give it
a try and post your results on the ticket.


Upcoming events

 May  28 19:00 UTC | little-t tor development meeting
                   | #tor-dev,
 May  30 15:00 UTC | Tor Browser online meeting
                   | #tor-dev,
 Jun  06 17:30 EDT | Tails 1.0 Launch Party
                   | Washington, DC, USA

This issue of Tor Weekly News has been assembled by Lunar, harmony, qbi,
and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [41], write down your
name and subscribe to the team mailing list [42] if you want to
get involved!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <>

More information about the tor-news mailing list