[tor-talk] Tor Weekly News — January 21st, 2015

Tor Weekly News                                       January 21st, 2015

Welcome to the third issue in 2015 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the boring [1] Tor community.

  [1]: https://guardianproject.info/2015/01/02/2015-is-the-year-of-bore-sec/

Tor Browser 4.0.3 and 4.5a3 are out

Georg Koppen announced two new releases by the Tor Browser team. Version
4.0.3 [2] of the privacy-preserving browser is based on Firefox
31.4.0esr, and also contains updates to NoScript, meek, and Tor

The third release in the 4.5-alpha series [3] allows the secure
in-browser update mechanism to handle signed update files, and will
reject unsigned ones from now on. It also restores functionality for
meek, which was broken in previous 4.5-alpha releases, and offers other
improvements and bugfixes — please see Georg’s announcement for the full

These releases contain important security updates, so users of both the
stable and alpha series should upgrade as soon as possible. Furthermore,
Tor Browser 4.5a3 is signed by a new Tor Browser Developers signing key
rather than the personal key of an individual developer. If you want to
verify your download of the new alpha (and you should!), you will need
to retrieve the new key (fingerprint EF6E 286D DA85 EA2A 4BA7 DE68 4E2C
6E87 9329 8290) from a keyserver before doing so.

  [2]: https://blog.torproject.org/blog/tor-browser-403-released
  [3]: https://blog.torproject.org/blog/tor-browser-45a3-released
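
Added example (not part of the original newsletter and not Tor Project
code): one way to check that a download was signed under the new key,
by pinning the fingerprint quoted above and reading GnuPG's
machine-readable status output rather than its human-readable messages.
The function names, the file arguments, and the sample status lines are
assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the Tor Browser Developers key when verifying a download.
# Fingerprint copied from the newsletter text, spaces removed.
TB_FPR="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"

# Fetch the key from the default keyserver (needs network; not run here).
fetch_signing_key() {
    gpg --recv-keys "0x$TB_FPR"
}

# Read `gpg --status-fd 1 --verify` output on stdin and succeed only if a
# VALIDSIG line names the wanted fingerprint ($1) as the primary key.
# VALIDSIG layout: $3 = signing (sub)key fingerprint, $12 = primary key.
status_matches_pinned_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            primary = (NF >= 12) ? $12 : $3   # field 12 is optional in the format
            if (toupper(primary) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# usage: verify_download SIGNATURE.asc DOWNLOADED_FILE  (names are the caller's)
verify_download() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pinned_key "$TB_FPR"
}

# Constructed status lines for offline testing (subkey fingerprints are made up).
sample_good() {
    echo "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2015-01-20 1421712000 0 4 0 1 10 00 $TB_FPR"
}
sample_other_key() {
    echo "[GNUPG:] GOODSIG 2222222222222222 Someone Else"
    echo "[GNUPG:] VALIDSIG 3333333333333333333333333333333333333333 2015-01-20 1421712000 0 4 0 1 10 00 2222222222222222222222222222222222222222"
}
```

A signature that is cryptographically valid but made by any other key in
the keyring fails this check, which is the case a plain "Good signature"
message does not distinguish.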

Miscellaneous news

Anthony G. Basile announced [4] version 20150114 of Tor-ramdisk, the
uClibc-based micro Linux distribution whose only purpose is to host a
Tor relay in an environment that maximizes security and privacy. This
release includes updates to Tor, Libevent, and other key software.

  [4]: https://lists.torproject.org/pipermail/tor-talk/2015-January/036526.html

Nik announced [5] oppy, an onion proxy implemented in Python: “oppy
works like a regular Tor client”, though “there are a number of
simplifications made, with the major ones primarily centering around
circuit management/build logic and how and when network status documents
are collected”. Nik also asked for suggestions on how to take the
project forward: “Whether or not I continue hacking on oppy to make it a
solid piece of software (rather than just a prototype) or just leave it
as is as a reference depends on whether or not the Tor development
community sees any real uses or future potential for the project”.

  [5]: https://lists.torproject.org/pipermail/tor-dev/2015-January/008174.html

meejah announced [6] a new one-to-one encrypted and anonymous voice chat
feature for “carml” [7], the command-line Tor control utility: “[It]
essentially cross-connects the mic + speakers of each side via an Opus +
OGG stream over a single Tor TCP connection.” As meejah warns, it is
“NOT FOR REAL USE at all yet”, but if you have experience with gstreamer
and/or OGG then please see meejah’s message for some unresolved

  [6]: https://lists.torproject.org/pipermail/tor-dev/2015-January/008166.html
  [7]: https://github.com/meejah/carml.git

Following suggestions from Sebastian Urbach [8] and grarpamp [9],
Karsten Loesing altered [10] the main unit of data rate measurement for
the Tor Metrics portal [11] from MiB/s (mebibytes per second) to the
more common Gbit/s (gigabits per second).

  [8]: https://lists.torproject.org/pipermail/tor-relays/2015-January/006240.html
  [9]: https://lists.torproject.org/pipermail/tor-relays/2015-January/006248.html
 [10]: https://bugs.torproject.org/14257
 [11]: https://metrics.torproject.org/

Philipp Winter published [12] preliminary statistics and analysis
obtained by running a Go implementation of Doctor’s [13] sybil-hunting
script over archived consensuses: “I’ll have a more detailed analysis at
some point in the future.”

 [12]: https://lists.torproject.org/pipermail/tor-dev/2015-January/008156.html
 [13]: https://gitweb.torproject.org/doctor.git/

The Tails team published [14] instructions for running an nginx
webserver as a hidden service using a copy of Tails: “Feedback is

 [14]: https://mailman.boum.org/pipermail/tails-dev/2015-January/007919.html

Thanks to Frédéric Cornu [15] for running a mirror of the Tor Project’s
website and software!

 [15]: https://lists.torproject.org/pipermail/tor-mirrors/2015-January/000850.html

This week in Tor history

A year ago this week [16], the “Spoiled Onions” project [17] published
its preliminary technical report. The goal of the project was to monitor
Tor exit relays in order to “expose, document, and thwart malicious or
misconfigured relays”; the researchers turned up 65 such relays over the
course of their investigation, with the culprits engaging in attacks
such as “SSH and HTTPS MitM, HTML injection, SSL stripping, and traffic
sniffing”, or unintentionally interfering with traffic as a result of
upstream censorship.

Events such as the RELAY_EARLY traffic confirmation attack [18] and the
sybil attacks late last year [19] have only highlighted the importance
of monitoring for malicious relays in the Tor network. The bad-relays
mailing list [20] serves as a reporting channel for Tor community
members who believe particular relays are up to no good (messages sent
to the list are not publicly visible, for various reasons [21]); David
Fifield has been experimenting with data visualizations of significant
network events [22]; and Philipp Winter, a “Spoiled Onions” co-author,
has been working on additional tools (such as the above-mentioned Go
sybil hunter and “zoossh”, a speedy Tor network document parser [23]) to
make these checks more efficient — to give only a few examples of recent
work by the community on this issue.

 [16]: https://lists.torproject.org/pipermail/tor-news/2014-January/000029.html
 [17]: http://www.cs.kau.se/philwint/spoiled_onions/
 [18]: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
 [19]: https://lists.torproject.org/pipermail/tor-consensus-health/2014-December/005381.html
 [20]: https://lists.torproject.org/cgi-bin/mailman/listinfo/bad-relays
 [21]: https://lists.torproject.org/pipermail/tor-news/2014-August/000057.html
 [22]: https://lists.torproject.org/pipermail/tor-dev/2015-January/008095.html
 [23]: https://gitweb.torproject.org/user/phw/zoossh.git/

Upcoming events

  Jan 21 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Jan 22 17:30 JST | Jacob @ Free Software Initiative of Japan
                   | Tokyo, Japan
                   | http://www.fsij.org/monthly-meetings/2015/Jan.html
  Jan 26 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
  Jan 26 18:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
  Jan 27 18:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net
  Feb 03 20:00 UTC | Tails contributors meeting
                   | #tails-dev, irc.oftc.net
                   | https://mailman.boum.org/pipermail/tails-dev/2015-January/007860.html

This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [24], write down your
name and subscribe to the team mailing list [25] if you want to
get involved!

 [24]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [25]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team