Tor Weekly News — July 10th, 2015

Welcome to the twenty-seventh issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tails 1.4.1 is out

The Tails team announced version 1.4.1 of the anonymous live operating system. Most notable in this release is the fix of automatic upgrades in Windows Camouflage mode, and plugging a hole in Tor Browser’s AppArmor sandbox that previously allowed it to access the list of recently-used files.

For a full list of changes, see the team’s announcement. This release contains important security updates, so head to the download page (or the automatic upgrader) as soon as possible.

Tor Browser 4.5.3 and 5.0a3 are out

The Tor Browser team put out new releases in both the stable and alpha series of the secure, private web browser. Tor Browser 4.5.3 contains updates to Firefox, OpenSSL, NoScript, and Torbutton; it also fixes a crash triggered by .svg files when the security slider was set to “High”, and backports a Tor patch that allows domain names containing underscores (valid as DNS labels, but not permitted in hostnames by RFC 1123, which is why the practice is generally discouraged) to resolve properly. For example, users should now be able to view the website of the New York Times without problems.

Tor Browser 5.0a3, meanwhile, is the first release to be based on Firefox 38 ESR. “For this release, we performed a thorough network and feature review of Firefox 38, and fixed the most pressing privacy issues, as well as all Tor proxy safety issues that we discovered during the audit”, wrote Georg Koppen. Changes to the toolchain used to build the browser mean “we are […] especially interested in feedback if there are stability issues or broken Tor Browser bundles due to these toolchain upgrades.”

These are important security releases, and you should upgrade to the new version in whichever series you prefer. Head to the download page to get your first copy of Tor Browser, or use the in-browser updater.

Tor unaffected by new OpenSSL security issue

A few days ago, the team behind the essential Internet encryption toolkit OpenSSL announced that a security issue classified as “high” would shortly be disclosed and fixed, leading to concern that another Heartbleed was on the cards. In the event, the now-disclosed CVE-2015-1793 vulnerability, a flaw in OpenSSL’s X.509 certificate-chain verification, does not appear to affect either the Tor daemon or Tor Browser, as Nick Mathewson explained: Tor does its own checking of link certificates rather than relying on OpenSSL’s chain verification, and Tor Browser’s HTTPS connections are made by Firefox’s NSS library, not by OpenSSL. However, you should still upgrade your OpenSSL as soon as possible, in order to protect the other software you use which may be vulnerable.

OVH is the largest and fastest-growing AS on the Tor network

nusenu observed that the hosting company OVH is both the largest autonomous system on the Tor network by number of relays, and the fastest-growing. While it’s no bad thing to have multiple relays located on the same network, it becomes a problem if any one entity (or someone who watches them closely enough) is able to observe too large a fraction of Tor traffic — they would then be in a position to harm the anonymity of Tor users.

This is what is meant by “diversity” on the Tor network. If you’re considering running a Tor relay, then as nusenu says, “choose non-top 10 ASes when adding relays (10 is an arbitrary number)”. See nusenu’s post for more information on how to select a hosting location for a stronger and more diverse Tor network.
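The following is an added example, not nusenu’s own script or Tor Project code, of how a prospective relay operator can put the “non-top 10 ASes” rule into practice. It assumes input shaped like the “relays” array of an Onionoo details document (the Tor network-status API at https://onionoo.torproject.org/details), where each relay carries an “as” field such as “AS16276”, an “as_name”, and a “consensus_weight_fraction” giving that relay’s share of total consensus weight; relays with no AS mapping omit the field. The relay list embedded below is constructed for illustration, with private-use AS numbers and made-up weights that say nothing about any real hosting provider.

```python
"""Rank autonomous systems by their share of the Tor network.

Added example, not nusenu's script or Tor Project code. Input is assumed
to look like the "relays" array of an Onionoo details document: each
relay has an "as" field ("AS16276"), an "as_name", and a
"consensus_weight_fraction". The sample below is constructed.
"""
from collections import defaultdict
import json

# Constructed sample: seven relays spread across three private-use ASes,
# plus one relay with no AS mapping. Weights are made up.
SAMPLE_DETAILS = json.dumps({"relays": [
    {"nickname": "a1", "as": "AS64512", "as_name": "Example Host A", "consensus_weight_fraction": 0.050},
    {"nickname": "a2", "as": "AS64512", "as_name": "Example Host A", "consensus_weight_fraction": 0.030},
    {"nickname": "a3", "as": "AS64512", "as_name": "Example Host A", "consensus_weight_fraction": 0.020},
    {"nickname": "b1", "as": "AS64513", "as_name": "Example Host B", "consensus_weight_fraction": 0.040},
    {"nickname": "b2", "as": "AS64513", "as_name": "Example Host B", "consensus_weight_fraction": 0.010},
    {"nickname": "c1", "as": "AS64514", "as_name": "Example Host C", "consensus_weight_fraction": 0.015},
    {"nickname": "d1", "as_name": "no AS mapping", "consensus_weight_fraction": 0.005},
]})


def share_by_as(details_json):
    """Return {asn: (relay_count, weight_fraction)} summed over all relays."""
    counts = defaultdict(int)
    weights = defaultdict(float)
    for relay in json.loads(details_json)["relays"]:
        asn = relay.get("as", "unknown")  # Onionoo omits "as" when no mapping exists
        counts[asn] += 1
        weights[asn] += relay.get("consensus_weight_fraction", 0.0)
    return {asn: (counts[asn], weights[asn]) for asn in counts}


def top_ases(details_json, n=10, by="weight"):
    """The n largest ASes, ranked by consensus weight ("weight") or relay count ("count")."""
    idx = 1 if by == "weight" else 0
    ranked = sorted(share_by_as(details_json).items(),
                    key=lambda kv: kv[1][idx], reverse=True)
    return [asn for asn, _ in ranked[:n]]


def ok_to_add_relay(details_json, candidate_asn, n=10):
    """nusenu's rule of thumb: do not add relays to an AS already in the top n.

    The AS is rejected if it is in the top n by either measure, since the
    post observed OVH leading both by relay count and by growth.
    """
    top = set(top_ases(details_json, n, "weight")) | set(top_ases(details_json, n, "count"))
    return candidate_asn not in top


if __name__ == "__main__":
    rows = sorted(share_by_as(SAMPLE_DETAILS).items(), key=lambda kv: -kv[1][1])
    for asn, (count, weight) in rows:
        print(f"{asn:10} relays={count:2d} weight={weight:.1%}")
    print("AS64512 acceptable with n=2?", ok_to_add_relay(SAMPLE_DETAILS, "AS64512", n=2))
```

To run this against the live network, fetch the details document from Onionoo (restricting to running relays keeps the result meaningful) and pass the JSON text in place of the constructed sample. Consensus weight is a proxy for how much traffic an AS can see; for the specific risk nusenu describes, the guard and exit positions matter most, so an operator choosing where to place a guard or exit may want to rank by Onionoo’s “guard_probability” or “exit_probability” fields instead of, or in addition to, the total weight.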

More monthly status reports for June 2015

The wave of regular monthly reports from Tor project members for the month of June continued, with reports from Leiah Jansen (working on graphic design and branding), Georg Koppen (developing Tor Browser), Isabela Bagueros (overall project management), Sukhbir Singh (developing Tor Messenger), Arlo Breault (also working on Tor Messenger, as well as Tor Check), Colin Childs (carrying out support, localization, and outreach), and Juha Nurmi (working on onion service indexing).

Donncha O’Cearbhaill sent his third Tor Summer of Privacy status report with updates about the OnionBalance onion service load-balancing tool, while Jesse Victors did the same for the DNS-like Onion Naming System, and Israel Leiva submitted a status update for the GetTor alternative software distributor, which is also being expanded as part of TSoP, as explained in Israel’s re-introduction of the project. Cristobal Leiva also introduced his TSoP project, a web-based status dashboard for Tor relay operators.

Miscellaneous news

David Fifield published the regular summary of costs incurred by the infrastructure for the meek pluggable transport over the past month. “The rate limiting of meek-google and meek-amazon has been partially effective in bringing costs down. […] meek-azure bandwidth use continues to increase, up 17% compared to the previous month. Keep in mind that our grant expires in October, so you should not count on it continuing to work after that.”

Following Donncha O’Cearbhaill’s 0.0.1 alpha release of OnionBalance, s7r called for help putting it to the test on a running onion service. One week on, there have been four million hits on the service, with hardly a murmur of complaint from OnionBalance or the service it is handling: “the same instances are running since service first started, no reboot or application restart”. See s7r’s post for more numbers.


This issue of Tor Weekly News has been assembled by the Tails team, Karsten Loesing, teor, and Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Preliminary analysis of Hacking Team's slides

A few weeks ago, Hacking Team was bragging publicly about a Tor Browser exploit. We've learned some details of their proposed attack from a leaked powerpoint presentation that was part of the Hacking Team dump.

The good news is that they don't appear to have any exploit on Tor or on Tor Browser. The other good news is that their proposed attack doesn't scale well. They need to put malicious hardware on the local network of their target user, which requires choosing their target, locating her, and then arranging for the hardware to arrive in the right place. So it's not really practical to launch the attack on many Tor users at once.

But they actually don't need an exploit on Tor or Tor Browser. Here's the proposed attack in a nutshell:

1) Pick a target user (say, you), figure out how you connect to the Internet, and install their attacking hardware on your local network (e.g. inside your ISP).

2) Wait for you to browse the web without Tor Browser, i.e. with some other browser like Firefox or Chrome or Safari, and then insert some sort of exploit into one of the web pages you receive (maybe the Flash 0-day we learned about from the same documents, or maybe some other exploit).

3) Once they've taken control of your computer, they configure your Tor Browser to use a socks proxy on a remote computer that they control. In effect, rather than using the Tor client that's part of Tor Browser, you'll be using their remote Tor client, so they get to intercept and watch your traffic before it enters the Tor network.

You have to stop them at step two, because once they've broken into your computer, they have many options for attacking you from there.
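Step 3 of the deck leaves a detectable trace: Tor Browser’s proxy settings are ordinary Firefox preferences, and a remote SOCKS host shows up as an explicit override in the profile’s prefs.js or user.js. The following is an added example, not Tor Project code, of a check for that specific tampering. It assumes Firefox-style pref files (lines of the form user_pref("name", value);), that an untampered Tor Browser talks to the bundled tor on the loopback interface (127.0.0.1, port 9150 by default) with remote DNS resolution enabled and Tor Launcher starting tor itself, and that only explicit overrides need examining, because prefs.js lists just the prefs that differ from the bundled defaults. Both sample files are constructed, and the off-host proxy address in the tampered one is a documentation-range IP.

```python
"""Audit a Tor Browser profile's pref file for a remote SOCKS proxy.

Added example, not Tor Project code. Assumes Firefox-style prefs.js or
user.js input and the Tor Browser defaults described in the lead-in.
Only explicit overrides are examined; both sample files are constructed.
"""
import re
import sys

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Proxy host prefs that must stay on the local machine.
HOST_PREFS = ("network.proxy.socks", "network.proxy.http",
              "network.proxy.ssl", "network.proxy.ftp")
LOOPBACK = ("127.", "localhost", "::1")

# Constructed: harmless overrides only (socks host explicitly set to loopback).
CLEAN_PREFS = """
user_pref("browser.startup.homepage_override.mstone", "31.8.0");
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
"""

# Constructed: the step-3 tampering, traffic sent to an attacker-run tor client
# on 203.0.113.7 (documentation range), local DNS, bundled tor not started.
TAMPERED_PREFS = """
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "203.0.113.7");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("extensions.torlauncher.start_tor", false);
"""


def parse_prefs(text):
    """Parse user_pref() lines into a dict, decoding strings, ints and booleans."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything else as the raw token
        prefs[name] = value
    return prefs


def audit_proxy_prefs(text):
    """Return a list of findings; an empty list means no suspicious override was set."""
    prefs = parse_prefs(text)
    findings = []
    ptype = prefs.get("network.proxy.type")
    if ptype is not None and ptype != 1:
        findings.append(f"network.proxy.type={ptype}: not a manual SOCKS proxy (PAC, WPAD or system settings)")
    if prefs.get("network.proxy.autoconfig_url"):
        findings.append(f"network.proxy.autoconfig_url={prefs['network.proxy.autoconfig_url']}: PAC script can redirect traffic")
    for name in HOST_PREFS:
        host = prefs.get(name)
        if host is not None and not str(host).startswith(LOOPBACK):
            findings.append(f"{name}={host}: proxy points off the local machine")
    if prefs.get("network.proxy.socks_remote_dns") is False:
        findings.append("network.proxy.socks_remote_dns=false: DNS would be resolved locally, outside Tor")
    if prefs.get("extensions.torlauncher.start_tor") is False:
        findings.append("extensions.torlauncher.start_tor=false: bundled tor is not started")
    return findings


if __name__ == "__main__":
    # Pass a path to a real prefs.js/user.js, or run with no arguments for the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"clean sample": CLEAN_PREFS, "tampered sample": TAMPERED_PREFS}
    for label, text in samples.items():
        found = audit_proxy_prefs(text)
        print(f"{label}: {'OK' if not found else ''}")
        for f in found:
            print("  -", f)
```

On Linux the profile lives inside the bundle at TorBrowser/Data/Browser/profile.default; both prefs.js and user.js there are worth checking. The caveat follows directly from the post: an attacker who already controls the machine can just as easily patch the browser binary, the bundled default prefs, or the tor daemon itself, so this check catches the particular reconfiguration in the deck and nothing more. It does not substitute for stopping the attack at step two.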

Their proposed attack requires Hacking Team (or your government) to already have you in their sights. This is not mass surveillance — this is very targeted surveillance.

Another answer is to run a system like Tails, which avoids interacting with any local resources. In this case there should be no opportunity to insert an exploit from the local network. But that's still not a complete solution: some coffeeshops, hotels, etc will demand that you interact with their local login page before you can access the Internet. Tails includes what they call their 'unsafe' browser for these situations, and you're at risk during that brief period when you use it.

Ultimately, security here comes down to having safer browsers. We continue to work on ways to make Tor Browser more resilient against attacks, but the key point here is that they'll go after the weakest link on your system — and at least in the scenarios they describe, Tor Browser isn't the weakest link.

As a final point, note that this is just a powerpoint deck (probably a funding pitch), and we've found no indication yet that they ever followed through on their idea.

We'll update you with more information if we learn anything further. Stay safe out there!

Tor Project Launches World-wide Search for New Executive Director

The Tor Project is pleased to open a world-wide search for our new Executive Director. We have engaged The Wentworth Company to help us with the search process, and invite the broader Tor community and friends to share the job posting (reproduced below) among your networks. Please contact Judy Tabak, contact information below, for more information or to be considered for the job.

Thanks!


The Tor Project, one of the world’s strongest advocates for privacy and anonymous, open communications, is currently seeking an experienced Executive Director to take the helm. The new Executive Director will spearhead key initiatives to make the organization even more robust in its work to advance human rights and freedoms by creating and deploying anonymity and privacy technologies, advancing their scientific and popular understanding, and encouraging their use.

The Position

The position provides the high-profile opportunity to assume the voice and face of Tor to the world, and particularly to the global community of Internet organizations dedicated to maintaining a stable, secure and private Internet. In this position, the successful candidate will be able to exercise their deep leadership experience to manage a virtual team of culturally diverse volunteer developers. The candidate will have the opportunity to draw support from their stature in the wider community of Internet privacy foundations and activist organizations to advance external development initiatives.

The Organization

Founded in 2006, this 501(c)(3) research NGO provides free software that enables anonymous Internet communication world-wide. Tor’s mission is to return control over Internet security and privacy to users. Tor’s members, users, and sponsors include governmental and nongovernmental organizations, the US Navy, Indymedia, Electronic Frontier Foundation, journalists and media organizations, corporations and law enforcement organizations.

The original Tor design paper won the Usenix Security "Test of Time" award in 2014. The Tor Project won the EFF's Pioneer Award in 2013, and the Free Software Foundation's Award for Projects of Social Benefit in 2010.

The Ideal Candidate

The ideal candidate will dive head first into the activities of advocacy for the Internet privacy movement. They will enjoy exercising their strong network of connections in fundraising efforts. They will take satisfaction in establishing a highly collaborative and productive culture in a volunteer-driven, virtual organization and will appreciate the opportunity to build consensus among diverse cultural groups as they all work toward the common mission and goal. The successful candidate will have a passion for the ideals behind Internet privacy and welcome the opportunity to make strides for the cause to establish anonymous Internet communications.

The Opportunity

The successful candidate will welcome the opportunity to create an organizational culture that builds conditions and infrastructures vital for Tor’s continued success and relevance to the cause. This is a chance to be known for leadership agility at the helm of an organization on the forefront of the drive to enable free, private, non-censored Internet communication for people everywhere.

The Compensation

As leader of the Tor team, the successful candidate receives a highly competitive compensation package.

If you know someone who might be interested, please contact, or ask them to contact:
Judy Tabak
The Wentworth Company
479 West Sixth Street, San Pedro, CA 90731
(310) 732-2321
JudyTabak@wentco.com
Wentworth ReqID: 67528129

Tor Browser 5.0a3 is released

The Tor Browser Team is proud to announce the first alpha release based on Firefox 38 ESR.

As such, this release features many updates to Firefox (including several security updates), as well as to our build system and dependencies. For this release, we performed a thorough network and feature review of Firefox 38, and fixed the most pressing privacy issues, as well as all Tor proxy safety issues that we discovered during the audit.

We also updated our toolchain on OS X to use the OS X 10.7 SDK. For Linux and Windows we switched to GCC 5.1 as our new (cross)-compiler. We are therefore especially interested in feedback if there are stability issues or broken Tor Browser bundles due to these toolchain upgrades.

Besides Firefox 38 and build system changes, we also updated several components. Most notably, we bumped OpenSSL to version 1.0.1o, NoScript to version 2.6.9.27 and Torbutton to version 1.9.3.0. Included as well is a backported Tor patch to improve usability on websites, and we fixed a crash bug impacting users with the security slider level set to "High".

Here is the complete changelog since 5.0a2:

  • All Platforms
    • Update Firefox to 38.1.0esr
    • Update OpenSSL to 1.0.1o
    • Update NoScript to 2.6.9.27
    • Update meek to 0.20
    • Update Torbutton to 1.9.3.0
      • Bug 16403: Set search parameters for Disconnect
      • Bug 14429: Make sure the automatic resizing is enabled
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Translation updates
    • Update Tor Launcher to 0.2.6.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com) (Tor patch backport)
    • Bug 13247: Fix meek profile error after browser restarts
    • Bug 16397: Fix crash related to disabling SVG
    • Bug 16403: Set search parameters for Disconnect
    • Bug 16446: Update FTE bridge #1 fingerprint
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38

Tor Browser 4.5.3 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.3 is based on Firefox ESR 31.8.0, which features important security updates to Firefox.

Moreover, it contains an updated OpenSSL, NoScript and Torbutton, a fix for a crash bug visible with the security slider level set to "High" and a backport of a Tor patch to improve usability on websites.

Here is the complete changelog since 4.5.2:

  • All Platforms
    • Update Firefox to 31.8.0esr
    • Update OpenSSL to 1.0.1o
    • Update NoScript to 2.6.9.27
    • Update Torbutton to 1.9.2.8
      • Bug 16403: Set search parameters for Disconnect
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Bug 16397: Fix crash related to disabling SVG
    • Bug 16403: Set search parameters for Disconnect
    • Bug 16446: Update FTE bridge #1 fingerprint
    • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com) (Tor patch backport)

Tor Weekly News — July 2nd, 2015

Welcome to the twenty-sixth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Messenger Third Alpha is out

Sukhbir Singh and Arlo Breault put out a third alpha version of Tor Messenger, the Instantbird-based instant messaging client with Tor and Off-the-Record encryption enabled by default.

This release comes with packages for Windows and Mac OS X, as well as 32-bit and 64-bit Linux. Major improvements include the ability to create XMPP accounts in-band (that is, by logging in with the desired account credentials, if the chat server supports this), meaning that users no longer have to create their accounts beforehand over a non-Tor connection; usability improvements to the Off-the-Record extension; an installable Arabic language pack, courtesy of Sherief Alaa (with more languages to follow); and other network- and application-related enhancements.

However, this is still an alpha release: “there may be serious privacy leaks and other issues”, so “please DO NOT recommend Tor Messenger to end users” just yet. If you’d like to test the software out, please see Sukhbir’s announcement for download links and installation instructions, then submit your feedback on Tor’s bug tracker with the “Tor Messenger” component, or on the tor-dev mailing list or IRC channel.

OnionBalance 0.0.1 is out

Donncha O’Cearbhaill, one of the students participating in the first-ever Tor Summer of Privacy, released the first alpha version of his OnionBalance tool. OnionBalance “provides load-balancing and redundancy for Tor hidden services by distributing client requests to multiple backend Tor instances”; if you run an onion service that handles a large number of client requests, or require automatic failover in the event that some of your hardware fails or is seized, OnionBalance will help to distribute the load evenly and efficiently.

The tool is currently under heavy development, and “there are likely bugs which cause the OnionBalance service to crash or not operate correctly”. “I would very much appreciate any feedback or bug reports. In particular I would like to improve the documentation and make the tool easier for operators to install and run”, writes Donncha. Please see the release announcement for further information and installation instructions.

Tor Weekly News turns two

The first issue of Tor Weekly News was sent out on July 3rd, 2013. Since the last anniversary, we’ve reported on many positive developments in the Tor community: work by Facebook security engineers to offer a Tor onion service for the world’s largest social network; the Library Freedom Project helping American public libraries to protect their patrons’ right to free expression with Tor; a significant community-chosen donation by Reddit to the Tor Project; credits for Tor and Tails in an Academy Award-winning documentary film; and of course the daily software development, research, and innovation that ensure security and anonymity for millions of Internet users around the world. Last month we were even able to lead our hundredth issue with the wonderful news that the United Nations Special Rapporteur on freedom of opinion and expression has endorsed the Tor Project’s work in his first report to the UN Human Rights Council.

We’re always grateful for help and suggestions; if you’d like to get involved, see the information below for more details. Many thanks to everyone who has helped to write and proofread this newsletter over the past two years.

Monthly status reports for June 2015

The wave of regular monthly reports from Tor project members for the month of June has begun. Damian Johnson released his report first (with an update on Nyx development), followed by reports from Karsten Loesing (on project management and Tor network tools), Jacob Appelbaum (on outreach and advocacy), David Goulet (on onion service development), and Pearl Crescent (on development of Tor Browser and related software).

Mike Perry sent out the report for the Tor Browser team.

Miscellaneous news

Griffin Boyce offered an update on the development status of Stormy, the one-click onion service setup tool: “Right now, the scripts are undergoing third-party testing to identify any obvious bugs before sending them to security auditors”.

Chloe posted details of an experiment to detect malicious Tor relays that might be stealing usernames and passwords that are not protected by HTTPS connections.

Juha Nurmi warned that an attacker is creating fake onion addresses that resemble those of popular onion services, including ahmia.fi, and using them to interfere with the content of onion pages as clients request them. Another update gives more information about the details of the attack.


This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Weekly News — June 24th, 2015

Welcome to the twenty-fifth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Adopt an onion with Nos Oignons

Alongside the thousands of individual Tor relay operators who donate their time, expertise, and resources in order to build a fast and stable Tor network, a number of Tor relay organizations (independent of the Tor Project itself) have been set up in several countries. These groups make use of the benefits that formal non-profit status brings — such as funding opportunities, resource pooling, and legal advice — to set up and operate fast, secure Tor relays, and often to represent Tor and Tor users in local-language media. Torservers.net — the Germany-based relay organization and umbrella group for these projects — currently lists fourteen partner organizations in eleven countries, with more on the way.

Nos Oignons, the French Torservers.net partner, runs five high-capacity relays on three machines that together handle a fiftieth of current Tor traffic. The bandwidth for one of these is generously provided by the registrar and hosting company Gandi, but the other two are funded by the organization itself, at a cost of around 300 euros per month. With only three months’ worth of financing left, Nos Oignons is holding its first funding drive to ensure these major relays stay online for the benefit of all Tor users.

If you donate more than 2 euros to Nos Oignons between 15th June and 15th August, you can suggest a name for their next Tor relay. The current set are named after the philosopher Herbert Marcuse, Ursula K. Le Guin’s “Ekumen” universe, and the protagonist of Walter Tevis’ novel “Mockingbird”, so use your imagination! At the end of the fundraiser, three entries will be chosen at random and the team will pick one of them; see the campaign page (or the English announcement) for information on how to take part.

Miscellaneous news

Anthony G. Basile put out version 20150616 of Tor-ramdisk, featuring updates to core software.

meejah announced that txtorcon, the Twisted-based asynchronous Tor controller, now supports David Stainton’s “tor:” endpoint parser. “This means two things: txtorcon now depends on txsocksx, and you can do "client-type" things directly with endpoints”. See meejah’s message for more details.

Jesse Victors published his second Tor Summer of Privacy status report for the OnioNS (Onion Name System) project, detailing further work to decentralize the system and improvements to event logging.

Arturo Filastò published a summary of the costs incurred by OONI’s next-generation data-processing pipeline since March.

Thanks to Ana Lucia Cortez for running a mirror of the Tor Project website and software archive!


This issue of Tor Weekly News has been assembled by Harmony and other contributors.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

How We Work

The Tor Project is driven by ideas. We believe in the right to privacy for every person on the planet. Our community—paid and volunteer—brainstorms projects that embody those ideas, like decentralized hidden messaging systems or ingenious new ways to get uncensored Internet access to people in China.

On our public wikis, we make lists of what we need to build these projects—and then we approach potential sponsors with these lists. If we’re lucky, a sponsor will pay to do the project. If not, we may make it for free.

This is true whether the potential sponsor is a government agency or anyone else.

Because of this system, some projects, like hidden services, need more funding, and we are seeking individual contributions to make this technology stronger. One day we hope to build it into many more programs, for instance phone apps, to make them private and secure by default.

Our diverse, international community includes thousands of men and women inspired by the ideals we share. They work to support Tor and create important tools based on Tor, like Tails and Orbot (there are at least a dozen of these). Our group includes visionaries who think and talk publicly about the Internet and the future of privacy; among them: @nickm_tor, @ioerror and @RogerDingledine. @aaronsw was one of us.

We will accept no back doors to our software, ever. You can watch @ioerror talk about this at last year’s 31c3 talk in Hamburg. We believe in and build free, open source software—free as in freedom. Tor’s source code is online for everyone to see.

We are proud of our people, our work, and our ideals. We are a human rights organization. We are inventors. Our community is a workshop for the future of privacy tools; maybe even for the future of privacy.

The Tor community is open to newcomers; we hope you will join us.
