[tor-talk] Tor Weekly News — March 5th, 2014

Lunar lunar at torproject.org
Wed Mar 5 13:26:26 UTC 2014

Tor Weekly News                                          March 5th, 2014

Welcome to the ninth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor is out

Roger Dingledine announced the release of Tor [1], whose major
new feature is the forced inclusion of at least one NTor-capable relay
in any given three-hop circuit as a defence against adversaries who
might be able to break 1024-bit encryption; this feature was first seen
in the latest alpha release ( three weeks ago [2], but is
here incorporated into the current stable series.

You can find full details of this release’s other features and bugfixes
in Roger’s announcement.

   [1]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032242.html
   [2]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032150.html

Tor in Google Summer of Code 2014

As has been the case over the past several years, Tor will once again be
participating [3] in Google’s annual Summer of Code program — aspiring
software developers have the chance to work on a Tor-related project
with financial assistance from Google and expert guidance from a core
Tor Project member. Several prospective students have already contacted
the community with questions about the program, and Damian Johnson took
to the Tor Blog to give a brief summary of what students can expect from
the Summer of Code [4], and what the Tor Project expects from its

In particular, Damian encouraged potential applicants to discuss their
ideas with the community on the tor-dev mailing list or IRC channel
before submitting an application: “Communication is essential to success
in the summer of code, and we’re unlikely to accept students we haven’t
heard from before reading their application.”

If you are hoping to contribute to Tor as part of the Summer of Code
program, please have a look through Damian’s advice and then, as he
says, “come to the list or IRC channel and talk to us!”

   [3]: https://www.google-melange.com/gsoc/org2/google/gsoc2014/tor
   [4]: https://blog.torproject.org/blog/tor-google-summer-code-2014

Two ways to help with Tails development

One of the most interesting upcoming additions to the Tails operating
system is the ability to thwart attempts at tracking the movements of
network-enabled devices by spoofing the MAC address on each boot. As
part of the testing process for this new feature, the Tails developers
have released [5] an experimental disk image which turns it on by
default, alongside a step-by-step guide to trying it out and reporting
any issues encountered. However, as the developers state, “this is a
test image. Do not use it for anything other than testing this feature.”
If you are willing to take note of this caveat, please feel free to
download the test image and let the community know what you find.

Turning to the longer-term development of the project, the team also
published a detailed set of guidelines for anyone who wants to help
improve Tails itself by contributing to the development of Debian [6],
the operating system on which Tails is based. They include advice on the
relationship between the two distributions, tasks in need of attention,
and channels for discussing issues with the Tails community; if you are
keen on the idea of helping two free-software projects at one stroke,
please have a look!

   [5]: https://tails.boum.org/news/spoof-mac/
   [6]: https://tails.boum.org/contribute/how/debian/

Monthly status reports for February 2014

The wave of regular monthly reports from Tor project members for the
month of February has begun. Georg Koppen released his report first [7],
followed by reports from Sherief Alaa [8], Pearl Crescent [9], Nick
Mathewson [10], Colin C. [11], Lunar [12], Kelley Misata [13], Damian
Johnson [14], George Kadianakis [15], Philipp Winter [16], and Karsten
Loesing [17].

Lunar also reported on behalf of the help desk [18], while Mike Perry
did the same on behalf of the Tor Browser team [19], and Arturo Filastò
for the OONI team [20].

   [7]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000464.html
   [8]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000465.html
   [9]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000466.html
  [10]: https://lists.torproject.org/pipermail/tor-reports/2014-February/000467.html
  [11]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000468.html
  [12]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000471.html
  [13]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000472.html
  [14]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000474.html
  [15]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000475.html
  [16]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000476.html
  [17]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000478.html
  [18]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000469.html
  [19]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000473.html
  [20]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000477.html

Miscellaneous news

Members of the Prosecco research team released a new attack on the TLS
protocol [21] — dubbed “Triple Handshake” — allowing impersonation of a
given client when client authentication is in use together with session
resumption and renegotiation. Nick Mathewson published a detailed
analysis of why Tor is not affected [22], and also outlines future
changes to make Tor resistant to even more potential TLS issues.

  [21]: https://secure-resumption.com/
  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006372.html

Mike Perry announced [23] the start of a weekly Tor Browser developer’s
meeting, to be held on #tor-dev on irc.oftc.net. These meetings are
tentatively scheduled for 19:00 UTC on Wednesdays. Details on the format
and flow of the meetings can be found on the tor-dev and tbb-dev [24]
mailing lists.

  [23]: https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.html
  [24]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tbb-dev

Roger Dingledine and Nick Mathewson were among the signatories of an
open letter [25] published by the EFF which offers ten principles for
technology companies to follow in protecting users from illegal

  [25]: https://www.eff.org/deeplinks/2014/02/open-letter-to-tech-companies

Nick Mathewson also detailed [26] a change in the way that the core Tor
development team will use the bugtracker’s “milestone” feature to
separate tickets marked for resolution in a given Tor version from those
that can be deferred to a later release.

  [26]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006341.html

Nick then sent out the latest in his irregular series of Tor proposal
status updates [27], containing summaries of each open proposal,
guidance for reviewers, and notes for further work. If you'd like to
help Tor’s development by working on one of these proposals, start here!

  [27]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006342.html

On the subject of proposals, two new ones were sent to the tor-dev list
for review: proposal 228 [28], which offers a way for relays to prove
ownership of their onion keys as well as their identity key, and
proposal 229 [29] based on Yawning Angel’s unnumbered submission from
last week, which concerns improvements to the SOCKS5 protocol for
communication between clients, Tor, and pluggable transports.

  [28]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006304.html
  [29]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006340.html

Nicholas Merrill wrote [30] to the Liberationtech list to announce that
xmpp.net now lists XMPP servers that are reachable over hidden
services [31], and that xmpp.net’s server scanner works with these as

  [30]: https://mailman.stanford.edu/pipermail/liberationtech/2014-February/013041.html
  [31]: https://xmpp.net/reports.php#onions

Patrick Schleizer announced [32] the release of version 8 of
Whonix [33] —  an operating system focused on anonymity, privacy and
security based on the Tor anonymity network, Debian and security by
isolation. The curious should take a look at the long changelog.

  [32]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032227.html
  [33]: https://www.whonix.org/

Kelley Misata wrote up an account [34] of her talk “Journalists —
Staying Safe in a Digital World”, which she delivered at the
Computer-Assisted Reporting Conference in Baltimore.

  [34]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000470.html

Having co-authored a paper in 2012 on usability issues connected with
the Tor Browser Bundle [35], Greg Norcie drew attention [36] to a
follow-up study named “Why Johnny Can’t Blow the Whistle” [37], which
focuses on verifying the conclusions of the earlier tests while
exploring a number of other possible usability improvements. The study
was, however, carried out before the release of Tor Browser version 3,
which improved the bundle’s usability based on earlier suggestions.

  [35]: http://petsymposium.org/2012/papers/hotpets12-1-usability.pdf
  [36]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032205.html
  [37]: http://www.norcie.com/papers/torUSEC.pdf

Mac OS X users will be thrilled to learn that the next Tor Browser
Bundle will be shipped as a DMG (disk image) [38] instead of the
previous unusual .ZIP archive [39].

  [38]: https://people.torproject.org/~mikeperry/images/TBBDMG.png
  [39]: https://bugs.torproject.org/4261

David Rajchenbach-Teller from Mozilla reached out [40] to the Tor
Browser developers about their overhaul of the Firefox Session Restore
mechanism. This is another milestone in the growing collaboration
between the Tor Project and Mozilla.

  [40]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032204.html

On the “anonymity is hard” front, David Fifield reported [41] a
fingerprinting issue on the Tor Browser. Fallback charsets can be used
to learn the user locale as they vary from one to another. The next
release of the Tor Browser will use “windows-1252” for all locales, as
this matches the impersonated “User-Agent” string (Firefox — English
version — on Windows) that it already sends in its HTTP headers.

  [41]: https://bugs.torproject.org/10703

Yawning Angel called for help [42] in testing and reviewing
obfsclient-0.0.1rc2, the second obfsclient release candidate this week:
“assuming nothing is broken, this will most likely become v0.0.1, though
I may end up disabling Session Ticket handshakes.”

  [42]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006358.html

David Fifield published [43] a guide to patching meek, an HTTP pluggable
transport, so that it can be used to send traffic via Lantern [44], a
censorship circumvention system which “acts as an HTTP proxy and proxies
your traffic through trusted friends.”

  [43]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006356.html
  [44]: https://www.getlantern.org/

Fortasse started a discussion [45] on tor-talk about using HTTPS
Everywhere to redirect Tor Browser users to .onion addresses when
available. Several people commented regarding the procedure, its
security, or how it could turn the Tor Project or the EFF into some kind
of registrar.

  [45]: https://lists.torproject.org/pipermail/tor-talk/2014-February/032220.html

anonym has been busy [46] adapting the configuration interface from the
Tor Browser — called “Tor Launcher” — to Tails’ needs. Preliminary
results can already be seen in the images built from the experimental
branch [47].

  [46]: https://mailman.boum.org/pipermail/tails-dev/2014-February/005023.html
  [47]: http://nightly.tails.boum.org/build_Tails_ISO_experimental/

Ramo wrote [48] to announce their Nagios plugin project [49] to the
relay operator community. Lunar pointed out a complementary probe named
“check_tor.py” [50].

  [48]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004007.html
  [49]: https://github.com/goodvikings/tor_nagios/
  [50]: http://anonscm.debian.org/gitweb/?p=users/lunar/check_tor.git;a=blob;f=README;hb=HEAD

Virgil Griffith sent a draft proposal [51] for changes to improve the
latency of hidden services when using the “Tor2web” mode. Roger
Dingledine commented [52] that one of the proposed changes actually
opened a new research question regarding the actual latency benefits.

  [51]: https://lists.torproject.org/pipermail/tor-dev/2014-February/006344.html
  [52]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006347.html

David Goulet released the fourth candidate of his Torsocks rewrite [53].
This new version comes after “a big code review from Nick and help from
a lot of people contributing and testing”. But more reviews and testing
are now welcome!

  [53]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006371.html

Tor help desk roundup

Often users email the help desk when the Tor Browser’s Tor client fails
somehow. There are many ways for the Tor Browser to fail in such a way
that the Tor log is inaccessible. Since antivirus programs, firewalls,
system clock skew, proxied internet connections, and internet censorship
have all been known to cause Tor failures, it is not always easy to
determine the source of the problem. Thankfully, the Tor Browser team is
working on making the logs easier to access in case of failures
(#10059 [54], #10603 [55]).

  [54]: https://trac.torproject.org/projects/tor/ticket/10059
  [55]: https://trac.torproject.org/projects/tor/ticket/10603

News from Tor StackExchange

Janice needs to be able to connect from an IP address in a specific city
and wanted to know if Tor can be used to do so [56]. Several users
suggested that this is not possible with Tor. For city-level IP
addresses, it might better to use other services like a proxy or a
tunnel, provided one does not require anonymity.

  [56]: https://tor.stackexchange.com/q/1485/88

The Tor Browser Bundle sets the default font to Times New Roman 16pt and
allows pages to use their own fonts. User joeb likes to change the
settings and wondered how this increases the possibility to fingerprint
a user [57]. gacar suggested that this will facilitate fingerprinting
attacks. Several important sites use font probing to fingerprint their
users [58], and changing the default fonts is likely to make a user
stand out from the common anonymity set.

  [57]: https://tor.stackexchange.com/q/1619/88
  [58]: https://www.cosic.esat.kuleuven.be/fpdetective/#results

Kristopher Ives wondered [59] if Tor uses some kind of compression.
Several users searched the source code archives for “gzip” [60] and
found code which deals with directory information. Jens Kubieziel argued
that Tor operates on encrypted data and compressing encrypted data
usually results in a increase in size, so it makes no sense to compress
this data.

  [59]: https://tor.stackexchange.com/q/1598/88
  [60]: https://gitweb.torproject.org/tor.git?a=search&h=HEAD&st=grep&s=gzip

Stackexchange uses bounties to award higher reputations to answers. By
using this one can attract attention and get better answers or an answer
at all. The question about using DNSSEC and DNScrypt over Tor [61] is
probably the first to receive a bounty: an answer to this question would
be rewarded with 50 points. However, they have not been earned yet, so
if you know an answer, please enlighten the rest of the community.

  [61]: https://tor.stackexchange.com/q/1503/88

Upcoming events

Mar 03-07        | Tor @ Financial Cryptography and Data Security 2014
                 | Barbados
                 | http://fc14.ifca.ai/
Mar 05 18:00 UTC | Tor Weather development meeting
                 | #tor-dev, irc.oftc.net
                 | https://trac.torproject.org/projects/tor/wiki/doc/weather-in-2014
Mar 05 19:00 UTC | Tor Browser development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-February/000000.html
Mar 05 20:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006366.html
Mar 05 21:00 UTC | Tails contributors meeting
                 | #tails-dev, irc.oftc.net
                 | https://mailman.boum.org/pipermail/tails-dev/2014-February/004934.html
Mar 07-11        | Karen and Kelley @ SXSW 2014
                 | Austin, Texas, USA
                 | http://schedule.sxsw.com/2014/events/event_IAP19728
Mar 07 17:00 UTC | Tor Instant Messaging Bundle development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006369.html
Mar 22-23        | Tor @ LibrePlanet 2014
                 | Cambridge, Massachusetts, USA
                 | http://libreplanet.org/2014/

This issue of Tor Weekly News has been assembled by harmony, Lunar, qbi,
Matt Pagan, Karsten Loesing, Mike Perry, dope457, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [62], write down your
name and subscribe to the team mailing list [63] if you want to
get involved!

  [62]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [63]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140305/863c8e48/attachment.sig>

More information about the tor-talk mailing list