Tor Weekly News — July 10th, 2015

Harmony harmony01 at riseup.net
Fri Jul 10 11:58:48 UTC 2015


========================================================================
Tor Weekly News                                          July 10th, 2015
========================================================================

Welcome to the twenty-seventh issue in 2015 of Tor Weekly News,
the weekly newsletter that covers what’s happening in the Tor community.

Contents
--------

 1. Tails 1.4.1 is out
 2. Tor Browser 4.5.3 and 5.0a3 are out
 3. Tor unaffected by new OpenSSL security issue
 4. OVH is the largest and fastest-growing AS on the Tor network
 5. More monthly status reports for June 2015
 6. Miscellaneous news
 7. Upcoming events

Tails 1.4.1 is out
------------------

The Tails team announced [1] version 1.4.1 of the anonymous live
operating system. Most notable in this release are a fix for automatic
upgrades in Windows Camouflage mode and the closing of a hole in Tor
Browser’s AppArmor sandbox that previously allowed it to access the list
of recently-used files.

For a full list of changes, see the team’s announcement. This release
contains important security updates, so head to the download page [2]
(or the automatic upgrader) as soon as possible.

  [1]: https://tails.boum.org/news/version_1.4.1/
  [2]: https://tails.boum.org/download/

Tor Browser 4.5.3 and 5.0a3 are out
-----------------------------------

The Tor Browser team put out new releases in both the stable and alpha
series of the secure, private web browser. Tor Browser 4.5.3 [3]
contains updates to Firefox, OpenSSL, NoScript, and Torbutton; it also
fixes a crash triggered by .svg files when the security slider was set
to “High”, and backports a Tor patch that allows domain names containing
underscores (a practice generally discouraged) to resolve properly. For
example, users should now be able to view the website of the New York
Times without problems.

Tor Browser 5.0a3 [4], meanwhile, is the first release to be based on
Firefox 38 ESR. “For this release, we performed a thorough network and
feature review of Firefox 38, and fixed the most pressing privacy
issues, as well as all Tor proxy safety issues that we discovered during
the audit”, wrote Georg Koppen. Changes to the toolchain used to build
the browser mean “we are […] especially interested in feedback if there
are stability issues or broken Tor Browser bundles due to these
toolchain upgrades.”

These are important security releases, and you should upgrade to the new
version in whichever series you prefer. Head to the download page [5] to
get your first copy of Tor Browser, or use the in-browser updater.

  [3]: https://blog.torproject.org/blog/tor-browser-453-released
  [4]: https://blog.torproject.org/blog/tor-browser-50a3-released
  [5]: https://www.torproject.org/download/download-easy.html

Tor unaffected by new OpenSSL security issue
--------------------------------------------

A few days ago, the team behind the essential Internet encryption
toolkit OpenSSL announced [6] that a security issue classified as “high”
would shortly be disclosed and fixed, leading to concern that another
Heartbleed [7] was on the cards. In the event, the now-disclosed
CVE-2015-1793 vulnerability does not appear to affect either the Tor
daemon or Tor Browser, as Nick Mathewson explained [8]. However, you
should still upgrade your OpenSSL as soon as possible, in order to
protect the other software you use which may be vulnerable.

  [6]: https://mta.openssl.org/pipermail/openssl-announce/2015-July/000037.html
  [7]: https://lists.torproject.org/pipermail/tor-news/2014-April/000040.html
  [8]: https://lists.torproject.org/pipermail/tor-dev/2015-July/009050.html

OVH is the largest and fastest-growing AS on the Tor network
------------------------------------------------------------

nusenu observed [9] that the hosting company OVH is both the largest
autonomous system [10] on the Tor network by number of relays, and the
fastest-growing. While it’s no bad thing to have multiple relays located
on the same network, it becomes a problem if any one entity (or someone
who watches them closely enough) is able to observe too large a fraction
of Tor traffic — they would then be in a position to harm the anonymity
of Tor users.

This is what is meant by “diversity” on the Tor network. If you’re
considering running a Tor relay, then as nusenu says, “choose non-top 10
ASes when adding relays (10 is an arbitrary number)”. See nusenu’s post
for more information on how to select a hosting location for a stronger
and more diverse Tor network.

  [9]: https://lists.torproject.org/pipermail/tor-relays/2015-July/007310.html
 [10]: https://en.wikipedia.org/wiki/Autonomous_system_(Internet)
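
The "non-top 10 ASes" rule above can be checked against a relay list
before picking a host. The following is an added example, not code from
nusenu's post or from the Tor Project: the record fields ("as",
"weight"), the helper names and both snapshots are assumptions
constructed for illustration. It also ranks by share of weight, which
goes beyond the relay count discussed in the text.

```python
from collections import defaultdict

def _relays(spec):
    # spec maps an AS number to the weights of the relays hosted there.
    return [{"as": a, "weight": w} for a, ws in spec.items() for w in ws]

# Constructed snapshots. AS numbers come from the documentation range
# (RFC 5398); the weights are invented.
SNAPSHOT_OLD = _relays({"AS64496": [100, 100], "AS64497": [400, 300],
                        "AS64498": [100]})
SNAPSHOT_NEW = _relays({"AS64496": [100] * 4, "AS64497": [400, 300],
                        "AS64498": [100], "AS64499": [50]})

def as_shares(relays):
    """Return {as_number: (relay_count, fraction_of_total_weight)}."""
    counts, weights = defaultdict(int), defaultdict(float)
    for r in relays:
        counts[r["as"]] += 1
        weights[r["as"]] += r["weight"]
    total = sum(weights.values()) or 1.0
    return {a: (counts[a], weights[a] / total) for a in counts}

def top_ases(relays, n=10, by="count"):
    """The n largest ASes, ranked by relay count or by weight share."""
    idx = 0 if by == "count" else 1
    shares = as_shares(relays)
    return sorted(shares, key=lambda a: (-shares[a][idx], a))[:n]

def growth(old, new):
    """Change in relay count per AS between snapshots, largest first."""
    o, n = as_shares(old), as_shares(new)
    delta = {a: n.get(a, (0, 0))[0] - o.get(a, (0, 0))[0]
             for a in set(o) | set(n)}
    return sorted(delta.items(), key=lambda kv: (-kv[1], kv[0]))

def should_avoid(candidate_as, relays, n=10):
    """True if the AS is already in the top n by either measure."""
    return (candidate_as in top_ases(relays, n, "count")
            or candidate_as in top_ases(relays, n, "weight"))

if __name__ == "__main__":
    print("top by count: ", top_ases(SNAPSHOT_NEW, 2, "count"))
    print("top by weight:", top_ases(SNAPSHOT_NEW, 2, "weight"))
    print("growth:       ", growth(SNAPSHOT_OLD, SNAPSHOT_NEW))
    print("avoid AS64499?", should_avoid("AS64499", SNAPSHOT_NEW, n=2))
```

In the constructed data the AS with the most relays is not the one
carrying the most weight, so a ranking by relay count alone would miss
the larger concentration.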

More monthly status reports for June 2015
-----------------------------------------

The wave of regular monthly reports from Tor project members for the
month of June continued, with reports from Leiah Jansen [11] (working on
graphic design and branding), Georg Koppen [12] (developing Tor
Browser), Isabela Bagueros [13] (overall project management), Sukhbir
Singh [14] (developing Tor Messenger), Arlo Breault [15] (also working on
Tor Messenger, as well as Tor Check), Colin Childs [16] (carrying out
support, localization, and outreach), and Juha Nurmi [17] (working on
onion service indexing).

Donncha O’Cearbhaill sent his third Tor Summer of Privacy status
report [18] with updates about the OnionBalance onion service
load-balancing tool, while Jesse Victors did the same [19] for the
DNS-like Onion Naming System, and Israel Leiva submitted a status
update [20] for the GetTor alternative software distributor, which is
also being expanded as part of TSoP, as explained in Israel’s
re-introduction of the project [21]. Cristobal Leiva also introduced his
TSoP project, a web-based status dashboard for Tor relay operators [22].

 [11]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000865.html
 [12]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000866.html
 [13]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000867.html
 [14]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000868.html
 [15]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000870.html
 [16]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000871.html
 [17]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000873.html
 [18]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000869.html
 [19]: https://lists.torproject.org/pipermail/tor-dev/2015-July/009049.html
 [20]: https://lists.torproject.org/pipermail/tor-reports/2015-July/000872.html
 [21]: https://lists.torproject.org/pipermail/tor-dev/2015-July/009034.html
 [22]: https://lists.torproject.org/pipermail/tor-dev/2015-July/009036.html

Miscellaneous news
------------------

David Fifield published the regular summary of costs [23] incurred by
the infrastructure for the meek pluggable transport over the past month.
“The rate limiting of meek-google and meek-amazon has been partially
effective in bringing costs down. […] meek-azure bandwidth use continues
to increase, up 17% compared to the previous month. Keep in mind that
our grant expires in October, so you should not count on it continuing
to work after that.”

 [23]: https://lists.torproject.org/pipermail/tor-dev/2015-July/009030.html

Following Donncha O’Cearbhaill’s 0.0.1 alpha release of
OnionBalance [24], s7r called for help [25] putting it to the test on a
running onion service. One week on [26], there have been four million
hits on the service, with hardly a murmur of complaint from OnionBalance
or the service it is handling: “the same instances are running since
service first started, no reboot or application restart”. See s7r’s post
for more numbers.

 [24]: https://lists.torproject.org/pipermail/tor-talk/2015-July/038312.html
 [25]: https://lists.torproject.org/pipermail/tor-talk/2015-July/038314.html
 [26]: https://lists.torproject.org/pipermail/tor-talk/2015-July/038373.html

Upcoming events
---------------

  Jul 12 19:00 UTC | Tails low hanging fruit session
                   | #tails-dev, irc.oftc.net
                   | https://mailman.boum.org/pipermail/tails-project/2015-July/000244.html
                   |
  Jul 13 17:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
                   |
  Jul 13 18:00 UTC | Tor Browser meeting
                   | #tor-dev, irc.oftc.net
                   |
  Jul 14 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tor-dev/2015-June/008979.html
                   |
  Jul 15 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
                   | https://lists.torproject.org/pipermail/tor-dev/2015-June/008979.html
                   |
  Jul 22 02:00 UTC | Pluggable transports/bridges meeting
                   | #tor-dev, irc.oftc.net


This issue of Tor Weekly News has been assembled by the Tails team,
Karsten Loesing, teor, and Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [27], write down your
name and subscribe to the team mailing list [28] if you want to
get involved!

 [27]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [28]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

