Tor Weekly News — October 29th, 2014

Harmony harmony01 at
Wed Oct 29 16:21:59 UTC 2014

Tor Weekly News                                       October 29th, 2014

Welcome to the forty-third issue in 2014 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the Tor community.

Tor is out

The 0.2.5.x branch of the core Tor software hit stable, with the release
of As Nick Mathewson explained [1], there have been no changes
since last week’s release, and the new features will be
familiar to readers of Tor Weekly News over the past year of
development, but highlights include “improved denial-of-service
resistance for relays, new compiler hardening options, and a system-call
sandbox for hardened installations on Linux”, as well as improvements to
transparent proxying, building and testing, pluggable transport
usability, and much more.

This release means that Tor versions in the 0.2.3.x series, which has
“received no patches or attention for some while” and “accumulated many
known flaws” [2], are now deprecated. Relay operators running these
versions must upgrade as soon as possible, or risk having their relays
rejected from the network in the near future.

Please see Nick’s release announcement for the full changelog, and
download your copy of the source code from the distribution
directory [3] or a prebuilt package from your usual repositories.


Miscellaneous news

Jacob Appelbaum announced [4] version 0.1.3 of TorBirdy, a torifying
extension for the Thunderbird email client. Among other things, this
release fixes the recently-reported “wrote:” bug [5], disables the
automatic downloading of messages from POP3 accounts, and ensures that
draft messages for IMAP accounts are stored on the local system rather
than sent over the network. However, as Jacob wrote, “it’s still
experimental”, so “use at your own risk”. See the release announcement
for a full changelog.


Anthony G. Basile announced [6] version 20141022 of tor-ramdisk, the
micro Linux distribution whose only purpose is to host a Tor server in
an environment that maximizes security and privacy. This release
addresses the recent POODLE attack [7] with updates to Tor and OpenSSL,
and also upgrades the Linux kernel.


Yawning Angel called for testing [8] of the revamped tor-fw-helper, a
tool that automates the port forwarding required (for example) by the
flash proxy [9] pluggable transport. Please see Yawning’s message for
full testing instructions and other important information: “Questions,
Comments, Feedback appreciated”.


On the Tor blog, Andrew Lewman responded [10] to the abuse of Tor by
creators of so-called “ransomware”, or malware that tries to restrict
access to users’ files unless a ransom is paid; these extortionists
sometimes ask their victims to install Tor software in order to
communicate with them over a hidden service, leading users to the
mistaken belief that The Tor Project is somehow involved. As Andrew
wrote, this software “is unrelated to The Tor Project. We didn’t produce
it, and we didn’t ask to be included in the criminal infection of any
computer.” Users may find the information provided by the BBC [11] and
Bleeping Computer [12] to be helpful in resolving the problem.


Josh Pitts posted an analysis [13] of apparently malicious behavior by a
Tor relay that was modifying binary files downloaded over Tor circuits
in which it was the exit node. As Roger Dingledine responded [14],
“we’ve now set the BadExit flag on this relay, so others won’t
accidentally run across it”.


David Fifield pointed out [15] “an apparent negative correlation between
obfs3 users and vanilla users” in the Tor Metrics portal’s bridge user
graphs [16] and wondered what might be causing it.


News from Tor StackExchange

Dodo wants to run several hidden services (HTTP, XMPP, SSH etc.), but
use just one onion address [17]. Jobiwan explained that one can forward
each port to a different service. Further information can be found at
the configuration page for hidden services [18].


Rodney Hester proxies the DirPort of his relay and saw lots of requests
to nonexistent URLs, of which the most prominent is the URL
/tor/status/all.z [19], and asks where they are coming from. Do you have
an answer? If so, please share it at Tor’s StackExchange site.


Upcoming events

  Oct 29 13:30 UTC | little-t tor development meeting
                   | #tor-dev,
  Oct 31 17:00 CET | OONI development meeting
                   | #ooni,
  Nov 03 - 07      | Roger @ WPES and CCS
                   | Phoenix, Arizona, USA
  Nov 03 18:00 UTC | Tor Browser online meeting
                   | #tor-dev,
  Nov 03 19:00 UTC | Tails contributors meeting
                   | #tails-dev (
  Nov 04 17:00 UTC | little-t tor patch workshop
                   | #tor-dev,

This issue of Tor Weekly News has been assembled by Lunar, qbi, Roger
Dingledine, and Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [20], write down your
name and subscribe to the team mailing list [21] if you want to
get involved!


More information about the tor-news mailing list