[tor-talk] Tor Weekly News — June 25th, 2014

Lunar lunar at torproject.org
Wed Jun 25 13:30:57 UTC 2014


========================================================================
Tor Weekly News                                          June 25th, 2014
========================================================================

Welcome to the twenty-fifth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the community around Tor,
the “fine-meshed net” [1].

   [1]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033358.html

Tor 0.2.5.5-alpha is out
------------------------

Tor 0.2.5.5-alpha was released [2], fixing “a wide variety of remaining
issues in the Tor 0.2.5.x release series, including a couple of DoS
issues, some performance regressions, a large number of bugs affecting
the Linux seccomp2 sandbox code, and various other bugfixes”, in Nick
Mathewson’s words. Among the major security improvements is an
adjustment to the way Tor decides when to close TLS connections, which
“should improve Tor’s resistance against some kinds of traffic analysis,
and lower some overhead from needlessly closed connections”.

You can download the source tarball [3], or install the package by
following the instructions for your system [4]. This release is also now
available in the Debian [5] and Tor Project [6] repositories.

   [2]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033347.html
   [3]: https://www.torproject.org/dist/
   [4]: https://www.torproject.org/docs/installguide
   [5]: http://packages.qa.debian.org/t/tor/news/20140619T120436Z.html
   [6]: https://www.torproject.org/docs/debian.html.en#development

Debian Wheezy’s tor version to be updated
-----------------------------------------

Following a suggestion by Peter Palfrader [7], Debian developers are
preparing to update the version of tor found in the Debian stable
repositories from 0.2.3.25 to 0.2.4.22. Among the chief motives for
doing so is that “about a quarter of the Tor network (just considering
the relays, not any clients), is on 0.2.3.25, presumably because they
run Debian stable. If they all upgraded to the 0.2.4.x tree, the network
as a whole would become a lot more secure as 0.2.4.x allows clients to
use stronger crypto for connections built through these nodes.” Other
benefits, including the various measures taken to defend against OpenSSL
vulnerabilities discovered earlier this year, make this an attractive
proposal.

The update [8] will be shipped in the forthcoming point release (7.6) of
Debian Wheezy, on July 12th.

   [7]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751977
   [8]: https://lists.debian.org/debian-changes/2014/06/msg00072.html

Miscellaneous news
------------------

Building on the May release of experimental Tor Browsers hardened with
AddressSanitizer (ASan) [9], Georg Koppen announced [10] a new set of
experimental Linux builds that include both AddressSanitizer and
Undefined Behaviour Sanitizer (UBSan), asking for testing and feedback.
See Georg’s message for download and build instructions, as well as a
couple of known issues.

   [9]: https://lists.torproject.org/pipermail/tor-qa/2014-May/000414.html
  [10]: https://lists.torproject.org/pipermail/tor-qa/2014-June/000428.html

Nick Mathewson reminded [11] Tor users, relay operators, and especially
hidden service administrators that tor’s 0.2.2 series is no longer
supported, and many features will soon stop working entirely; if you are
affected, then please upgrade!

  [11]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033376.html

Several of Tor’s Google Summer of Code students submitted their regular
progress reports: Daniel Martí on the implementation of consensus
diffs [12], Mikhail Belous on the multicore tor daemon [13], Juha Nurmi
on the ahmia.fi project [14], Zack Mullaly on the HTTPS Everywhere
secure ruleset update mechanism [15], Amogh Pradeep on the Orbot+Orfox
project [16], Sreenatha Bhatlapenumarthi on the Tor Weather
rewrite [17], Marc Juarez on the link-padding pluggable transport
development [18], Israel Leiva on the GetTor revamp [19], Quinn Jarrell
on the pluggable transport combiner [20], Kostas Jakeliunas on the
BridgeDB Twitter Distributor [21], and Noah Rahman on Stegotorus
security enhancement [22].

  [12]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007030.html
  [13]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007034.html
  [14]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000564.html
  [15]: https://lists.eff.org/pipermail/https-everywhere/2014-June/002147.html
  [16]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007036.html
  [17]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007037.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000567.html
  [19]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007039.html
  [20]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007040.html
  [21]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007041.html
  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007043.html

Researchers from the Internet Geographies project at the Oxford Internet
Institute produced a cartogram [23] of Tor users by country, using
archived data freely available from the Tor Project’s own Metrics
portal [24], along with an analysis of the resulting image. “As ever
more governments seek to control and censor online activities, users
face a choice to either perform their connected activities in ways that
adhere to official policies, or to use anonymity to bring about a freer
and more open Internet”, they conclude.

  [23]: http://geography.oii.ox.ac.uk/?page=tor
  [24]: https://metrics.torproject.org

Andrew Lewman reported [25] that users with email addresses at Yahoo and
AOL have been removed from the tor-relays mailing list [26], as these
addresses have been bouncing list emails.

  [25]: https://lists.torproject.org/pipermail/tor-relays/2014-June/004752.html
  [26]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Thanks to the FoDT.it webteam [27] and Maxanoo [28] for running mirrors
of the Tor Project’s website!

  [27]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000617.html
  [28]: https://lists.torproject.org/pipermail/tor-mirrors/2014-June/000619.html

fr33tux shared [29] the slides [30] for a French-language presentation
on Tor, delivered at Université de technologie Belfort-Montbéliard. The
source code (in the LaTeX markup language) is also available [31]: “feel
free to borrow whatever you want from it!”

  [29]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033337.html
  [30]: http://fr33tux.org/data/prez.pdf
  [31]: http://git.fr33tux.org/conference_tor_utbm.git

Thanks to Ximin Luo, the server component of Flashproxy [32] is now
available in Debian [33] in the “pt-websocket” package.

  [32]: https://crypto.stanford.edu/flashproxy/
  [33]: https://packages.debian.org/sid/pt-websocket

A couple of weeks ago, Roger Dingledine wondered “how many relays are
firewalling certain outbound ports (and thus messing with connectivity
inside the Tor network)”. ra has just published the results [34] of a
three-week-long test of the interconnectivity between 6730 relays.
Contacting the operators of problematic relays is probably the next step
for those who wish to keep the network at its best.

  [34]: https://bugs.torproject.org/12131#comment:11

George Kadianakis slipped on his storyteller costume to guide us [35]
through layers of the Tor core, motivated by the quest for knowledge.
That accursed riddle, “Why does Roger have so many guards?”, now has an
answer. Be prepared for a “beautiful stalagmite” and the “truly amazing”
nature of Tor!

  [35]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007042.html

Tor help desk roundup
---------------------

If the Tor Browser stalls while “loading the network status”, please
double-check that the system clock is accurate; the same goes for the
timezone and daylight saving time settings. Tor needs an accurate clock
in order to prevent several classes of attacks on its protocol. It won’t
work properly when the local time does not match the one used by other
network participants.

Easy development tasks to get involved with
-------------------------------------------

When the tor daemon is configured to open a SOCKS port on a public
address, it warns about this possible configuration problem twice: once
when it reads the configuration file, and a second time when it opens
the listener. One warning should be enough. We had a friendly volunteer
two years ago who sketched out possible fixes and even wrote a patch,
but then concluded that his patch had a problem and went away. If you’re
up to some digging into tor’s configuration file handling, and want to
clean up a two-year-old patch potentially to be included in tor 0.2.6,
please find the details in the ticket [36]. It’s tagged as easy, so how
hard can it be?

  [36]: https://bugs.torproject.org/4019

Upcoming events
---------------

June 25 19:00 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
                  |
June 27 15:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
                  |
 June 30 — July 4 | Tor’s Summer Dev Meeting
                  | Paris, France
                  | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting
                  |
        July 5-11 | Lunar @ Libre Software Meeting 2014
                  | Montpellier, France
                  | https://2014.rmll.info/?lang=en


This issue of Tor Weekly News has been assembled by harmony, Lunar,
Matt Pagan, Karsten Loesing, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [37], write down your
name and subscribe to the team mailing list [38] if you want to
get involved!

  [37]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [38]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140625/ae9faafd/attachment.sig>


More information about the tor-talk mailing list