
Tor Weekly News — August 30th, 2015

Welcome to the thirty-third issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Hash visualizations to protect against onion phishing

Unlike URLs on the non-private web, the .onion addresses used by Tor hidden services are not handed out by any central authority — instead, they are derived by the hidden services themselves based on their cryptographic key information. This means that they are typically quite hard for humans to remember, unless the hidden service operator — whether by chance or by making repeated attempts — hits upon a memorable string, as in the case of Facebook’s hidden service.

“The problem”, writes George Kadianakis, is that due to these user-unfriendly strings, “many people don’t verify the whole onion address, they just trust the onion link or verify the first few characters. This is bad since an attacker can create a hidden service with a similar onion address very easily”, then trick users into visiting that address instead for a variety of malicious purposes. This species of attack has already been seen in the wild. After discussions with other researchers in this area, George drew up a proposal to incorporate visual information into the verification process: “So when TBB connects to a hidden service, it uses the onion address to generate a randomart or key poem and makes them available for the user to examine.”

As with all new development proposals, however, there are many unanswered questions. What kind of visualization would work best? Should there also be an auditory component, like a randomly-generated tune? How should the feature be made available to users without confusing those who have no idea what it is or why it’s needed? In short, “Some real UX research needs to be done here, before we decide something terrible.”
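To make the proposal concrete, here is an added example (not code from George’s proposal or from Tor Browser) that renders a randomart picture from an onion address using the “drunken bishop” layout OpenSSH uses for key fingerprints. Two choices are assumptions of this example rather than anything the proposal fixes: the walk is seeded with SHA-256 of the normalized address, and the board is 17 by 9 cells. The two onion addresses are constructed so that they share a prefix, which is exactly the case where checking only the first few characters fails while the pictures still differ.

```python
import hashlib

# Symbols by visit count, as in OpenSSH's "drunken bishop" randomart
# (saturating at the last symbol); 'S' and 'E' mark the start and end cells.
SYMBOLS = " .o+=*BOX@%&#/^"
WIDTH, HEIGHT = 17, 9

# Constructed onion addresses sharing a seven-character prefix (not real services).
ONION_A = "exampleabcdefghi.onion"
ONION_B = "exampleabcdefgxy.onion"


def onion_digest(onion_address: str) -> bytes:
    """Seed the walk with SHA-256 of the normalized address. The hash choice is
    an assumption of this example; the proposal leaves it open."""
    return hashlib.sha256(onion_address.strip().lower().encode("ascii")).digest()


def drunken_bishop(data: bytes):
    """Walk a WIDTH x HEIGHT board: each pair of bits (least significant first)
    moves the bishop one step diagonally; moves are clamped at the board edge."""
    grid = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    start = (x, y)
    for byte in data:
        for _ in range(4):
            x = min(max(x + (1 if byte & 1 else -1), 0), WIDTH - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), HEIGHT - 1)
            grid[y][x] += 1
            byte >>= 2
    return grid, start, (x, y)


def randomart(onion_address: str) -> str:
    """Render the visit counts as a bordered ASCII picture."""
    grid, start, end = drunken_bishop(onion_digest(onion_address))
    border = "+" + "-" * WIDTH + "+"
    lines = [border]
    for row_idx, row in enumerate(grid):
        cells = []
        for col_idx, count in enumerate(row):
            if (col_idx, row_idx) == start:
                cells.append("S")
            elif (col_idx, row_idx) == end:
                cells.append("E")
            else:
                cells.append(SYMBOLS[min(count, len(SYMBOLS) - 1)])
        lines.append("|" + "".join(cells) + "|")
    lines.append(border)
    return "\n".join(lines)


def verification_summary(expected: str, observed: str, prefix_len: int = 6) -> dict:
    """Contrast a glance at the first few characters with a comparison of the
    full address and a comparison of the two pictures."""
    e, o = expected.strip().lower(), observed.strip().lower()
    return {
        "prefix_matches": e[:prefix_len] == o[:prefix_len],
        "address_matches": e == o,
        "art_matches": randomart(e) == randomart(o),
    }


if __name__ == "__main__":
    for addr in (ONION_A, ONION_B):
        print(addr)
        print(randomart(addr))
    print(verification_summary(ONION_A, ONION_B))
```

Because the picture is derived from the whole address, a lookalike that only matches the first characters yields a visibly different picture. The picture is a memory aid, not a trust root: it only helps if the user has already seen the legitimate one from a source they trust, which is one reason the UX questions raised above matter as much as the rendering.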

If you have clear and constructive feedback to offer on this unusual but important proposal, please send it to the tor-dev mailing list.

Tor-enabled Debian mirrors

Richard Hartmann, Peter Palfrader, and Jonathan McDowell have set up the first official onion service mirrors of the Debian operating system’s software package infrastructure. This means that it is now possible to update your Debian system without the update information or downloaded packages leaving the Tor network at all, preventing a network adversary from discovering information about your system. A follow-up post by Richard includes guidance on using apt-transport-tor with the new mirrors.

These services are only the first in what should hopefully become a fully Tor-enabled system mirroring “the complete package lifecycle, package information, and the website”. “This service is not redundant, it uses a key which is stored on the local drive, the .onion will change, and things are expected to break”, wrote Richard, but if you are interested in trying out the new infrastructure, see the write-ups for further information.

Miscellaneous news

David Fifield announced that his 17-minute PETS talk on the theory and practice of “domain fronting”, which is the basis for Tor’s innovative and successful meek pluggable transport, is now available to view online.

Arturo Filastò announced that registration for ADINA15, the upcoming OONI hackathon at the Italian Parliament in Rome, is now open. If you’re interested in hacking on internet censorship data in this rarified location, with the possibility of “interesting prizes” for the winning teams, see Arturo’s mail for the full details.

Arturo also sent out the OONI team’s July status report, while Tor Summer of Privacy progress updates were submitted by Israel Leiva, Cristobal Leiva, and Jesse Victors.

Fabio Pietrosanti issued an open call for developers interested in working on GlobaLeaks, the open-source anonymous whistleblowing software. “Are you interested in making the world a better place by putting your development skills to use in a globally used free software project? Do you feel passionate about using web technologies for developing highly usable web applications?” If so, please see Fabio’s message for more information.

News from Tor StackExchange

saurav created a network using the Shadow simulator and started with 40 guard and 40 exit nodes. After a simulation was performed, another 40/40 nodes were added. saurav then noticed that the more recent nodes had a higher probability of being selected. Can you explain why this is the case? The users of Tor’s Q&A page will be happy to know.


This issue of Tor Weekly News has been assembled by qbi, Lunar, nicoo, and Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser 5.5a2 is released

A new release for the alpha Tor Browser is available for download in the 5.5a2 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Additionally, we included the crash bug fix that was already available in the stable series and a small fix for Unity and Gnome users on Linux. Also, we updated the NoScript version we ship.

Here is the complete changelog since 5.5a1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
    • Bug 16771: Fix crash on some websites due to blob URIs
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Tor Browser 5.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we updated the NoScript version we ship and included a small fix for Unity and Gnome users on Linux.

Here is the complete changelog since 5.0.1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Tor Weekly News — August 20th, 2015

Welcome to the thirty-second issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0.1 is out

The Tor Browser team put out a new stable version of the privacy-preserving browser. Version 5.0.1 fixes a crash bug in the recent 5.0 release that was hindering some users’ attempts to access popular websites like Google Maps and Tumblr. There are no other changes in this release.

Thanks to the new automatic update mechanism in the Tor Browser 5.x series, you are probably already running the upgraded version! If not, head to the project page to get your copy.

Tor talks at Chaos Communication Camp 2015

There was a heavy Tor presence at the recent Chaos Communication Camp near Zehdenick, Germany, and as usual there were some Tor-related talks by community members that are now available to watch online. Tor and Debian developer Lunar, one of the minds behind Debian’s pioneering and highly successful reproducible builds project (itself inspired by the Tor Browser team’s work in this line) gave a talk entitled “How to make your software build reproducibly”.

Tor Project Director of Communications Kate Krauss, meanwhile, participated in a talk entitled “What’s the catch?”, addressing the subject of free software projects receiving funding from State organizations, and the ways in which this does or does not affect the work of these projects.

Tor developers also participated in the “Tor Services using GNS” session of the Youbroketheinternet village. The session was about Tor using GNS as its name resolution system, and about various ways that we could integrate GNUNet and other anonymity systems with Tor. It was decided that the discussion will continue on the tor-dev mailing list.

Happy sixth birthday, Tails!

In the small hours of Sunday night, the Tails project turned six years old. It may still have most of its milk teeth, but the anonymous live operating system is already the security tool of choice for a wide range of users. It has been endorsed by Reporters Without Borders, groups campaigning against domestic violence, and the team behind the Academy Award-winning documentary CITIZENFOUR (among many others), as Voice of America reported last month.

The Tails team has laid out its vision for the next two years in its draft 2016-2017 roadmap, and you can read a summary of its current activities in the last monthly report. Congratulations to the team on reaching this anniversary!

Miscellaneous news

Hot on the heels of last week’s 2.4 release, Karsten Loesing put out version 2.5 of Onionoo, the Tor network data observatory. This release adds a new optional field named “measured” to Onionoo’s details documents. “The main idea behind this new field is that relay operators and Tor network debuggers can now figure out easily whether a relay is affected by not being measured by a sufficient number of bandwidth authorities and as a result has lower usage than it could handle”, writes Karsten. The new field is not yet shown in Onionoo web interfaces like Globe and Atlas, but it is accessible through the Onionoo API. For more details, see the relevant ticket.

David Fifield announced that the recent outage affecting meek’s Microsoft Azure backend is now resolved. Most users will have switched to the workaround version included in the most recent Tor Browser releases, but if for some reason you are still using the old configuration, it too should now be working once again.

David Stainton asked for a brief code review of his Twisted-based Tor HTTP proxy. “Is this project worthy of your precious 10 minutes to review it... so I can improve the code quality?”


This issue of Tor Weekly News has been assembled by Harmony, Karsten Loesing, and George Kadianakis.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser 5.0.1 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release fixes a crash bug that caused Tor Browser to crash on certain sites (in particular, Google Maps and Tumblr). The crash bug was a NULL pointer dereference while handling blob URIs. The crash was not exploitable.

Here is the complete changelog since 5.0:

  • All Platforms
    • Bug 16771: Fix crash on some websites due to blob URIs

Tor Weekly News — August 14th, 2015

Welcome to the thirty-first issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0 and 5.5a1 are out

The Tor Browser team put out two new releases of the privacy-preserving web browser. Version 5.0, the first release in the new stable series, is based on Firefox 38ESR, “which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements”. Updates to Tor Browser are now downloaded automatically in the background, removing the need for users to go through the update wizard manually. New privacy features in this release include first-party domain bar isolation of more identifier sources, and “defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting”.

The first alpha release in the 5.5 series, meanwhile, fixes the recent pdf.js exploit to which users of 5.0a3 and 5.0a4 had been vulnerable; it also contains a refined version of the new font fingerprinting defenses in which “Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases”.

For full changelogs and download instructions, please see the team’s announcements. Both of these new releases contain important security updates, so please upgrade your Tor Browser as soon as you can.

Tails 1.5 is out

The Tails developers announced version 1.5 of the anonymous live operating system. This release disables access to the local network in Tor Browser, restricting this activity to Tails’ “unsafe browser”. It also ships with Tor Browser 5.0, and a 32-bit GRUB EFI bootloader, so “Tails should now start on some tablets with Intel Bay Trail processors, among others”.

For a list of all the changes in this release, please see the team’s announcement. This is an important security update, so please download your copy as soon as possible, either from the Tails website or via the incremental updater.

OnioNS beta testing version is out

Jesse Victors announced the first beta testing release of his Tor Summer of Privacy project, the Onion Name System (OnioNS). OnioNS is a distributed system that links hard-to-remember and hard-to-verify onion service addresses (such as “onions55e7yam27n.onion”) to domain names that are easier for humans to read and recall (like “example.tor”).

The software that comprises OnioNS is divided into three main parts: OnioNS-HS, OnioNS-client, and OnioNS-server. These are respectively intended to be run by onion services wishing to claim domain names, clients (such as Tor Browser users) wanting to visit services using these names, and the servers that let the system function. Whichever software you download will also require the OnioNS-common library in order to work.

This is a beta testing version, so Jesse warns that it is not ready to be used on production onion services and that name-claims made now may not survive in the long term. If you’re willing to give the system a try, however, please see Jesse’s message for further information, and feel free to send “feedback as to how usable the system is and areas where it could be improved” to the tor-dev mailing list, or file issues on the bug tracker of the relevant software package.

Miscellaneous news

Karsten Loesing deployed version 2.4 of Onionoo, the Tor network data observatory. This release implements an optional “effective_family” field to Onionoo details documents, listing all the relays with which the relay in question is in an effective, mutual family relationship. “The main goal here is to make it easier to detect misconfigured relay families. This can be relay operators or friendly people watching over the Tor network and reminding relay operators to fix their configurations.”
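The “effective_family” field described here and the “measured” field added in Onionoo 2.5 (see the August 20th issue above) are both meant to let an operator spot a problem by reading a details document. The script below is an added example, not Onionoo’s own code or any official client: it audits a constructed details document embedded inline (fake 40-character fingerprints, fake nicknames) for relays that are not measured, relays whose consensus carries no measurement information at all (the field is then omitted), and relays whose declared family is not reciprocated. It assumes the “family” field holds the relay’s declared family as “$”-prefixed fingerprints, and that “effective_family” may include the relay’s own fingerprint.

```python
import json

# Constructed fingerprints (40 hex characters, as Onionoo uses); not real relays.
FP_A, FP_B, FP_C = "A" * 40, "B" * 40, "C" * 40

# Constructed Onionoo-style details document; field names follow the ones
# discussed in the text ("measured", "effective_family", "family").
SAMPLE_DETAILS = json.dumps({
    "version": "2.5",
    "relays": [
        {"nickname": "alpha", "fingerprint": FP_A, "running": True, "measured": True,
         "family": ["$" + FP_B], "effective_family": [FP_A, FP_B]},
        {"nickname": "bravo", "fingerprint": FP_B, "running": True, "measured": False,
         "family": ["$" + FP_A], "effective_family": [FP_A, FP_B]},
        # charlie lists alpha as family but alpha does not list charlie back, and
        # its consensus carries no measurement information ("measured" omitted).
        {"nickname": "charlie", "fingerprint": FP_C, "running": True,
         "family": ["$" + FP_A], "effective_family": [FP_C]},
    ],
})


def normalize(entry: str) -> str:
    """Strip the '$' prefix Onionoo puts on fingerprints in family lists and
    upper-case, so declared and effective entries compare cleanly."""
    return entry.lstrip("$").upper()


def audit_details(details_json: str) -> dict:
    """Return relays that are unmeasured, relays with no measurement information,
    and, per relay, declared family members that are not mutual."""
    doc = json.loads(details_json)
    report = {"unmeasured": [], "measurement_unknown": [], "one_sided_family": {}}
    for relay in doc.get("relays", []):
        name = relay.get("nickname") or relay["fingerprint"]

        # "measured" is a boolean when present; None means the field was omitted,
        # which is a different situation from a relay measured as False.
        measured = relay.get("measured")
        if measured is False:
            report["unmeasured"].append(name)
        elif measured is None:
            report["measurement_unknown"].append(name)

        # Anything declared that Onionoo did not confirm as mutual is one-sided.
        # Nickname-only entries cannot match a fingerprint and are flagged too.
        own = relay["fingerprint"].upper()
        mutual = {normalize(f) for f in relay.get("effective_family", [])} - {own}
        declared = [f for f in relay.get("family", []) if normalize(f) != own]
        one_sided = [f for f in declared if normalize(f) not in mutual]
        if one_sided:
            report["one_sided_family"][name] = one_sided
    return report


if __name__ == "__main__":
    print(json.dumps(audit_details(SAMPLE_DETAILS), indent=2))
```

Distinguishing an omitted “measured” field from a false one matters in practice: a missing field says nothing about the relay, whereas false is the case Karsten describes where a relay may be carrying less traffic than it could.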

Colin Childs sent out a call for new volunteers to man the Tor help desk, which offers individual support to Tor users all over the world. If you can use Tor Browser and other Tor software with confidence and have a good understanding of the theory behind Tor, know how to use GnuPG (or are willing to learn), and are an active member of the Tor community who wants to help users on an ongoing basis, then please see Colin’s message for more details.

The Tails project sent out its monthly report for July, featuring development updates, upcoming events, and summaries of ongoing discussions.

George Kadianakis sent out the SponsorR report, and also submitted his own status report for July.

Alec Muffett revived the discussion around possible human factors to consider when devising a new and more secure system of onion addresses (such as the one suggested in proposal 224).

Sue Gardner invited active Tor community members to take part in a short survey as part of her work to devise a long-term strategic plan for the Tor Project.

Thomas White put out a call for “good guides on using Tor with common applications” to form part of a “small site dedicated to Tor usage [that] will convey, in as simple as possible terms, how to put as many applications as possible through Tor”.


This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser 5.5a1 is released

The Tor Browser Team is proud to announce the first alpha release in the 5.5 series. The release is available for download in the 5.5a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox. In particular, while the recent PDF.js exploit did not affect 4.5 users, it does affect users of 5.0a3 and 5.0a4. Although the High security level of the Security Slider also prevented the exploit from working against even those users, all alpha users are still strongly encouraged to upgrade as soon as possible.

In addition to fixing these security issues, the remaining major issues with Firefox 38 from 5.0a4 were also fixed. This release also features improvements to fingerprinting defenses. In particular, we continue to refine our font fingerprinting defense that was added in 5.0a4. With this defense, Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases. Interested users are encouraged to help us refine this defense by commenting on the associated ticket in our bugtracker.

This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Here is the complete changelog since 5.0a4:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update NoScript to 2.6.9.34
    • Update Torbutton to 1.9.3.3
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 14429: Make sure the automatic resizing is enabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16311: Fix navigation timing in ESR 38
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 16672: Change font whitelists and configs for rendering issues (partial)

Tor Browser 5.0 is released

The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because numerous other potential security issues were fixed by Mozilla in this release. (Incidentally: Users who are using the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue as well).

This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.

The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.

Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.

This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

Here is the complete changelog since 4.5.3:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.34
    • Update meek to 0.20
    • Update Tor to 0.2.6.10 with patches:
      • Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
      • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update Torbutton to 1.9.3.2
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
    • Bug 13247: Fix meek profile error after browser restarts
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 15910: Disable Gecko Media Plugins for now
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results.
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
    • Bug 16311: Fix navigation timing in ESR 38
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
    • Bug 15773: Enable ICU on OS X
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
    • Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt