[tor-talk] Tor Weekly News — March 19th, 2014

Lunar lunar at torproject.org
Wed Mar 19 12:48:03 UTC 2014


========================================================================
Tor Weekly News                                         March 19th, 2014
========================================================================

Welcome to the eleventh issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Accessing the Tor network from China
------------------------------------

In a new blog post “How to read our China usage graphs” [1], Roger
Dingledine looks at how well Tor is currently able to circumvent
censorship of Internet access in China. Indeed, if one only looks at
the current bridge users graph [2], one might believe that Tor is not
a solution for users in China.

“The correct interpretation of the graph is ‘obfs3 bridges have not been
deployed enough to keep up with the demand in China’. So it isn’t that
Tor is blocked — it’s that we haven’t done much of a deployment for
obfs3 bridges or ScrambleSuit bridges, which are the latest steps in the
arms race” writes Roger.

The upcoming version — currently in QA phase [3] — of the Tor Browser
will include support for the pluggable transports [4] obfs3 [5], FTE [6]
and Flashproxy [7]. Having these transports ready to be used in a couple
of clicks should help Chinese users.

The “obfs3” protocol is still vulnerable to active probing attacks.  The
deployment of its replacement, ScrambleSuit [8], is ongoing.  As Roger
highlighted, “we need to get more addresses”. Several approaches have
been considered in the past [9], but until there is more cooperation
from ISPs and network operators, you can make a difference by running
a bridge [10] if you can!

On another front, work is currently ongoing on the bridge
distributor [11] to improve how censored users can get hold of bridge
addresses. Yawning Angel also just released [12] the first version of
obfsclient [13], which should help make ScrambleSuit available on
Android devices. All in all, the Tor community can hope to welcome back
more users from China in the near future.

   [1]: https://blog.torproject.org/blog/how-to-read-our-china-usage-graphs
   [2]: https://metrics.torproject.org/users.html?graph=userstats-bridge-country&start=2011-10-18&end=2014-01-16&country=cn#userstats-bridge-country
   [3]: https://lists.torproject.org/pipermail/tor-qa/2014-March/000364.html
   [4]: https://www.torproject.org/docs/pluggable-transports.html
   [5]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/refs/heads/master:/doc/obfs3/obfs3-protocol-spec.txt
   [6]: https://fteproxy.org/
   [7]: https://crypto.stanford.edu/flashproxy/
   [8]: http://www.cs.kau.se/philwint/scramblesuit/
   [9]: https://blog.torproject.org/blog/strategies-getting-more-bridge-addresses
  [10]: https://lists.torproject.org/pipermail/tor-relays/2014-February/003886.html
  [11]: https://gitweb.torproject.org/bridgedb.git
  [12]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006476.html
  [13]: https://github.com/Yawning/obfsclient

Circumventing censorship through “too-big-to-block” websites
------------------------------------------------------------

In late January, David Fifield introduced [14] a new pluggable transport
called “meek” [15]. It can be described as “a transport that uses HTTP
for carrying bytes and TLS for obfuscation. Traffic is relayed through a
third-party server (Google App Engine). It uses a trick to talk to the
third party so that it looks like it is talking to an unblocked server.”
The approach is close to the GoAgent [16] proxy that has a certain
popularity in China.

With the current version, which uses Google App Engine, the transport
requires no additional configuration. But David also mentioned that a
PHP script [17] could be a good candidate to relay the traffic.
Combined with ScrambleSuit [18], it could allow “a real web site with
real pages and everything” to be used as a bridge if a user can provide
the shared secret.

David has made available experimental versions [19] of the Tor Browser
for anyone to try. The source code [20] has recently moved [21] to the
Tor Project’s infrastructure, and is ready for more eyes and fingers to
play with it.

  [14]: https://lists.torproject.org/pipermail/tor-dev/2014-January/006159.html
  [15]: https://trac.torproject.org/projects/tor/wiki/doc/meek
  [16]: https://trac.torproject.org/projects/tor/wiki/doc/GoAgent
  [17]: https://bugs.torproject.org/10984
  [18]: http://www.cs.kau.se/philwint/scramblesuit/
  [19]: https://lists.torproject.org/pipermail/tor-qa/2014-February/000340.html
  [20]: https://gitweb.torproject.org/pluggable-transports/meek.git
  [21]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006506.html

Switching to a single guard node?
---------------------------------

Last October, Roger Dingledine called for research on improving Tor’s
anonymity by changing guard parameters [22]. One of these parameters is
the number of guard nodes used simultaneously by a Tor client.

Following up on the paper written by Tariq Elahi et al. [23], Roger’s
blog post, and recent discussions during the winter dev. meeting, George
Kadianakis made a detailed analysis of the implications of switching to
a single guard node [24]. He studied the performance implications of
switching to a single guard, the performance implications of raising the
minimum guard bandwidth for both clients and the overall network, and
how the change would affect the overall anonymity and fingerprintability
of Tor users.

Skipping ahead to the conclusions: “It seems that the performance
implications of switching to 1 guard are not terrible. […] A guard
bandwidth threshold
of 2MB/s […] seems like it would considerably improve client performance
without screwing terribly with the security or the total performance of
the network. The fingerprinting problem will be improved in some cases,
but still remains unsolved for many of the users […] A proper solution
might involve guard node buckets [25]”.

For a better understanding, be sure to look at George’s work which
includes graphs and proper explanations.

  [22]: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters 
  [23]: http://freehaven.net/~arma/cogs-wpes.pdf
  [24]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006458.html
  [25]: https://bugs.torproject.org/9273#comment:4

Miscellaneous news
------------------

George Kadianakis announced [26] obfsproxy version 0.2.7. The new
release fixes an important bug [27] “where scramblesuit would basically
reject clients if they try to connect a second time after a short amount
of time has passed.” Bridge operators are strongly advised to upgrade
from source [28], pip [29], or the upcoming Debian packages.

  [26]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004074.html
  [27]: https://bugs.torproject.org/11100
  [28]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/commit/6cdbc64
  [29]: https://pypi.python.org/pypi/obfsproxy/0.2.7

The submission deadline for this year’s Google Summer of Code [30] is
the 21st: this Friday. Several students already showed up on the tor-dev
mailing list, but as Damian Johnson says [31]: “If you’re
procrastinating until the last minute then please don’t!”

  [30]: https://blog.torproject.org/blog/tor-google-summer-code-2014
  [31]: https://lists.torproject.org/pipermail/tor-dev/2014-March/006498.html

The Tails logo contest [32] is happily ongoing. Several submissions have
already been received and can be seen on the relevant blueprint [33].

  [32]: https://tails.boum.org/news/
  [33]: https://tails.boum.org/blueprint/logo/

Kelley Misata and Karen Reilly attended the South by Southwest (SXSW)
Interactive festival [34] in Austin, Texas.

  [34]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000485.html

Relay and bridge operators might be interested in Ramo’s first
release [35] of a Tor plugin for Nagios [36]. It can currently check for
a page fetch through the SOCKS proxy port, the hibernation state, the
current bandwidth, ORPort reachability, DirPort reachability, and the
bytes remaining until hibernation.

  [35]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004062.html
  [36]: https://github.com/goodvikings/tor_nagios

Nicolas Vigier sent his monthly report for February [37].

  [37]: https://lists.torproject.org/pipermail/tor-reports/2014-March/000486.html

Tails won the 2014 Endpoint Security prize [38] from Access. The prize
recognizes [39] Tails’ “unique positive impact on the endpoint security
of at-risk users in need”. Congrats!

  [38]: https://twitter.com/accessnow/status/441043400708857856
  [39]: https://www.accessnow.org/prize

The Format-Transforming Encryption project at Portland State University
received [40] an unexpected 100,000 USD grant from Eric Schmidt.

  [40]: http://www.oregonlive.com/silicon-forest/index.ssf/2014/03/psu_professor_wins_surprise_10.html

Tor help desk roundup
---------------------

The help desk has seen an increase in Russian language support requests
amidst news that the Russian Federation began censoring a number of
websites. Unfortunately, the help desk is not able to provide support in
Russian for now. Changes in the number of Tor users by country can be
observed on the project’s metrics page [41].

  [41]: https://metrics.torproject.org/users.html

Upcoming events
---------------

Mar 19 19:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tor-dev/2014-March/006513.html
                 |
Mar 22-23        | Tor @ LibrePlanet 2014
                 | Cambridge, Massachusetts, USA
                 | http://libreplanet.org/2014/
                 |
Apr 11 11:00 EDT | Roger @ George Mason University
                 | Washington, DC, USA
                 | http://today.gmu.edu/64330/


This issue of Tor Weekly News has been assembled by Lunar,
Matt Pagan and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [42], write down your
name and subscribe to the team mailing list [43] if you want to
get involved!

  [42]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [43]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team