[tor-talk] Tor Weekly News -- April 4th, 2016

TWN twn0 at gmx.de
Mon Apr 4 18:44:49 UTC 2016


========================================================================
Tor Weekly News                                          April 4th, 2016
========================================================================

Welcome to the 5th 2016 issue of the Tor Weekly News, bringing you a
collection of Tor-related news at least a couple times per month!

Contents
--------

   1. OONI Explorer released
   2. Tor Browser 5.5.4 and 6.0a4 released
   3. Tor 0.2.8.2-alpha released
   4. Tor statement on Apple and backdoors
   5. CloudFlare debate roundup
   6. Miscellaneous News

OONI Explorer released
----------------------

The Open Observatory of Network Interference (OONI) develops free
software to detect irregular internet conditions. There are currently 15
tests in the suite [1]; one measures DNS consistency, another measures
HTTP consistency, others check if Tor is blocked, and some try to detect
HTTP-aware middleboxes between the client and the server. Volunteers
around the world can run this software [2] and report the results back
to OONI, who makes the dataset freely available. Over the last three
years, more than 8.5 million network measurements from 93 countries have
been collected.

The newly released OONI Explorer [3] provides a browsable web interface
to the collected dataset. The Highlights page [4] presents a short
analysis of some interesting anomalies which might be worthy of further
research, and the blog post [5] has more details.

   [1]: https://github.com/TheTorProject/ooni-spec/tree/master/test-specs
   [2]: https://ooni.torproject.org/
   [3]: https://explorer.ooni.torproject.org/world/
   [4]: https://explorer.ooni.torproject.org/highlights/
   [5]: https://blog.torproject.org/blog/ooni-explorer-censorship-and-other-network-anomalies-around-world

Tor Browser 5.5.4 and 6.0a4 released
------------------------------------

The most recent ESR version of Firefox (38.7.1) disables the Graphite
font rendering library (there have been a number of recent
vulnerabilities in it). Graphite was previously disabled in Tor Browser
if you had the security slider set at "Medium-High" or "High," but now
it is disabled for everyone (stable [6], unstable [7], and
unstable-hardened [8]) so you won't see it mentioned.

   [6]: https://blog.torproject.org/blog/tor-browser-554-released
   [7]: https://blog.torproject.org/blog/tor-browser-60a4-released
   [8]: https://blog.torproject.org/blog/tor-browser-60a4-hardened-released

Tor 0.2.8.2-alpha released
--------------------------

There's a new alpha release [9] of "little t tor" that includes a bunch
of bugfixes and new features.

   [9]: https://blog.torproject.org/blog/tor-0282-alpha-released

Tor statement on Apple and backdoors
------------------------------------

Much has been written after Apple publicly denounced the FBI's request
to develop and sign an iOS update that would let the FBI unlock iPhones
in their possession. While Apple rejected this particular demand, the
saga has cast a light on the single point of failure that is Apple's
signing key. Tor's Leif Ryge wrote a piece [10] for Ars Technica
pointing out that many pieces of software are built with such single
points of failure (for example, a Debian system will accept as genuine
an update signed by any of several developer keys it knows about).

Tor put out a statement [11] in solidarity with Apple's position and to
review the ongoing efforts taken to eliminate single points of failure
(deterministic builds, for example, mean a compromised build machine
can't insert what would be a hard-to-detect backdoor during the build
process).

  [10]: http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/
  [11]: https://blog.torproject.org/blog/statement-tor-project-software-integrity-and-apple

Cloudflare debate roundup
-------------------------

Tor Browser users are probably familiar with the CAPTCHAs CloudFlare
presents to users from IP addresses deemed to have a negative
reputation. There's a 58-point-long aggregation of thoughts from all
sides here [12]. Cloudflare put out a blog post [13] on March 30, and
Tor responded [14] on March 31.

  [12]: https://trac.torproject.org/projects/tor/ticket/18361#comment:144
  [13]: https://blog.cloudflare.com/the-trouble-with-tor/
  [14]: https://blog.torproject.org/blog/trouble-cloudflare

Miscellaneous News
------------------

There was a Tor presence at LibrePlanet 2016: David Goulet reports on
his discussion [15] with some activists in Mexico who depend on Tor to
stay safe from a surveillance-equipped triple threat of corporations,
government, and cartels. The Library Freedom Project ("a partnership
among librarians, technologists, attorneys, and privacy advocates which
aims to make real the promise of intellectual freedom in libraries") won
the FSF's Award for Projects of Social Benefit [16].

  [15]: https://lists.torproject.org/pipermail/tor-project/2016-March/000197.html
  [16]: https://twitter.com/libraryfreedom/status/711303975073619968

Wired has a piece [17] on the Autonomy Cube [18], the
Tor-Relay-as-sculpture from Trevor, Leif, and Jake presently installed
in four museums around the world.

  [17]: http://www.wired.com/2016/04/sculpture-lets-museums-amplify-tors-anonymity-network/
  [18]: http://paglen.com/index.php?l=work&s=cube

There was a mailing list discussion about building a router/gateway that
only allows Tor traffic. Lunar [19] and Rusty Bird [20] posted some
setups; both approaches basically creating a firewall whitelist of Tor
relay IPs from the consensus.

  [19]: https://lists.torproject.org/pipermail/tor-dev/2016-March/010538.html
  [20]: https://github.com/rustybird/corridor

Yawning developed and released a Firefox addon [21] that detects
CloudFlare CAPTCHAs and automatically tries to fetch the page from
archive.is.

  [21]: https://lists.torproject.org/pipermail/tor-dev/2016-March/010604.html

Nick posted some ideas [22] on improving design and modularity in Tor.

  [22]: https://lists.torproject.org/pipermail/tor-dev/2016-March/010646.html

A TV producer is looking to interview [23] an "ordinary" Tor user. "I
think they want someone in the US they can follow around who uses Tor
for what they consider an interesting use case that fits the idea, 'Tor
is for everyone!'"

  [23]: https://lists.torproject.org/pipermail/tor-project/2016-March/000205.html

The Logan Symposium posted their talk recordings [24]; they're all
really good, but the most Tor-related one is this discussion [25]
between the developers of a few Tor-enabled operating systems (Tails,
Qubes, and Subgraph).

  [24]: https://www.youtube.com/playlist?list=PLS_7b8Iu1oBGXgCt1y3-i8lUD4gFI2u7S
  [25]: https://www.youtube.com/watch?v=Nol8kKoB-co

Colophon
--------

This issue of Tor Weekly News has been assembled by jl. If you're
interested in contributing, see the wiki page [26] :)

  [26]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews



More information about the tor-talk mailing list