There's a new Tor 0.2.4.15-rc out and all of the packages have been updated. This is a release candidate and will become the new Tor stable soon, so please test these extensively!
Regular packages can be found here:
Tor Browser Bundles are here:
Tor Browser Bundle (2.4.15-beta-1)
- Update Tor to 0.2.4.15-rc
- Update NoScript to 188.8.131.52
Join us for a public hack day on Friday, July 26, 2013 in Munich, Germany. Thank you to our hosts at the Technische Universität München (http://www.tum.de).
The agenda and conversations will be determined by you and Tor's team of developers and researchers - so bring your ideas, questions, projects and technical expertise with you!
This event is open to the public and free of charge - no RSVP necessary.
Friday, July 26, 2013
Start Time: 10:00 am
Location: LRZ building, Seminarraum (H.E. 008), Boltzmannstraße 1, 85748 Garching, Germany. NOTE: the room is to the right of the main entrance.
For questions please contact email@example.com
Over the past 24 hours https://check.torproject.org has been unavailable due to excessive DNS queries to the exitlist service. It seems there are a number of individuals and companies with commercial products relying upon this volunteer service. We finally hit the point where we couldn't keep up with the queries and simply disabled the service.
This is a volunteer service offered as a proof of concept. We strongly encourage people to run their own. The code is available at https://svn.torproject.org/svn/check/trunk/.
The new Tor Browser 3.0 alpha series includes a new way to detect "tor or not" locally, without relying on a single point of failure service. This is the first step towards finally retiring check.torproject.org for good.
As of 09:00 on 04 July 2013, the service is re-enabled. We reserve the right to take it down as needed without notice.
Welcome to the very first issue of Tor Weekly News, the weekly newsletter meant to cover what is happening in the vibrant Tor community.
Deterministic, independently reproduced builds of Tor Browser Bundle
The build system, first adopted for the release of 3.0 alpha 1, uses Gitian to enable anyone to produce byte-identical Tor Browser Bundle binary packages from source. This represents a major improvement in the security of the Tor software build and distribution processes against targeted attacks. The motivations and technical details of this work will appear in future Tor Project blog posts.
Minor progress on datagram-based transport
As Steven Murdoch explained in 2011, in the current implementation of Tor, “when a packet gets dropped or corrupted on a link between two Tor nodes, […], all circuits passing through this pair of nodes will be stalled, not only the circuit corresponding to the packet which was dropped.” This is because traffic from multiple circuits heading into an OR node is multiplexed by default into a single TCP connection. However, when the reliability and congestion control requirements of TCP streams are enforced (by the operating system) on this multiplexed connection, a situation is created in which one poor quality circuit can disproportionately slow down the others.
This shortcoming could be worked around by migrating Tor from TCP to a datagram-based transport protocol. Nick Mathewson opened #9165 to track progress on the matter.
Late last year, Steven Murdoch began an experimental Tor branch using uTP, a protocol “which provides reliable, ordered delivery while maintaining minimum extra delay”, and is already used by uTorrent for peer-to-peer connections. Nick Mathewson finally got to review his work and wrote several comments on #9166. The code isn’t close to production-quality right now; it is just good enough for performance testing.
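A toy model of the head-of-line blocking described in this section, added here as an illustration (it is not Tor code, and the cell schedule, link delay and retransmission timeout are constructed values): three circuits share one link, one cell is lost, and the per-circuit extra delay is compared between a single in-order TCP stream and a datagram transport with per-circuit reliability.

```python
"""Toy model of head-of-line blocking: several Tor circuits multiplexed over
one in-order TCP connection between two relays, versus a datagram transport
with per-circuit reliability. Added illustration, not Tor code; the schedule
and timings below are constructed."""
from typing import Callable, Dict, List, Set, Tuple

Cell = Tuple[int, int]          # (circuit id, send time)
LINK_DELAY = 1                  # one-way delay of the inter-relay link
RTO = 2 * LINK_DELAY            # time until a lost cell is retransmitted
# Three circuits each send one cell per time unit over the shared link.
CELLS: List[Cell] = [(c, t) for t in range(6) for c in (1, 2, 3)]
LOST: Set[Cell] = {(2, 2)}      # the link drops circuit 2's cell sent at t=2


def multiplexed_delivery(cells: List[Cell], lost: Set[Cell]) -> Dict[Cell, int]:
    """One TCP stream: bytes are handed up strictly in order, so every cell
    sent after a lost one waits until the retransmission has arrived."""
    delivered, stall_until = {}, 0
    for cell in cells:                       # cells are in send order
        _, t = cell
        arrival = t + LINK_DELAY
        if cell in lost:
            arrival = t + RTO + LINK_DELAY   # retransmitted copy arrives later
            stall_until = max(stall_until, arrival)
        delivered[cell] = max(arrival, stall_until)
    return delivered


def per_circuit_delivery(cells: List[Cell], lost: Set[Cell]) -> Dict[Cell, int]:
    """Datagram transport with reliability per circuit: a loss delays only
    later cells of the same circuit; the other circuits are unaffected."""
    delivered, stall_until = {}, {}
    for cell in cells:
        circ, t = cell
        arrival = t + LINK_DELAY
        if cell in lost:
            arrival = t + RTO + LINK_DELAY
            stall_until[circ] = max(stall_until.get(circ, 0), arrival)
        delivered[cell] = max(arrival, stall_until.get(circ, 0))
    return delivered


def extra_delay_per_circuit(cells: List[Cell], lost: Set[Cell],
                            transport: Callable) -> Dict[int, int]:
    """Delay beyond the bare link delay, summed per circuit."""
    got, extra = transport(cells, lost), {}
    for circ, t in cells:
        extra[circ] = extra.get(circ, 0) + got[(circ, t)] - (t + LINK_DELAY)
    return extra
```

With the single loss on circuit 2, the multiplexed model also delays circuits 1 and 3, while the per-circuit model leaves them untouched.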
Yawning Angel sent out a request for comments on the very first release of obfsproxyssh, a pluggable transport that uses the ssh wire protocol to hide Tor traffic. Its behavior would appear to potential eavesdroppers to be “identical to a user sshing to a host, authenticating with an RSA public/private key pair and opening a direct-tcp channel to the ORPort of the bridge.”
The announcement contains several open issues and questions. Feel free to have a look and voice your comments!
Crowdfunding for Tor exit relays and bridges
Moritz Bartl announced that he has started a crowdfunding campaign for Tor exit relays and bridges.
The donations will be distributed equally among all Torservers.net partner organizations (Zwiebelfreunde e.V., DFRI, Nos Oignons, Swiss Privacy Foundation, Frënn vun der Ënn and NoiseTor).
For a faster and better network, chip in and spread the word!
Tails 0.19 is out, new stable Tor Browser Bundles
On Wednesday, June 26, two of the most popular Tor projects both made new releases: the Tor Browser Bundle, and Tails, The Amnesic Incognito Live System. Users are encouraged to upgrade as soon as possible.
The stable Tor Browser Bundle was updated to version 2.3.25-10, and includes fixes from upstream Firefox 17.0.7esr. Tails 0.19 includes the new stable Tor Browser, along with an updated 3.9.5 kernel and minor security improvements to wireless, GNOME and GnuPG defaults.
Jenkins + Stem catching their first regression
Quoting Damian Johnson’s June status report: “Our automated Jenkins test runs caught their first instance of tor regression. This concerned LOADCONF’s behavior after merging a branch for ticket #6752”.
A new ticket was opened after Damian properly identified the issue.
First round of reports from GSoC projects
Johannes Fürmann reported on his project, a virtual network environment intended to simulate censorship for OONI (dubbed “Evil Genius”, after Descartes). Hareesan reported on the steganography browser addon. Cristian-Matei Toader is working on adding capabilities-based sandboxing to Tor on Linux, using the kernel’s seccomp syscall filtering mechanism. Chang Lan implemented an HTTP proxy-based transport using CONNECT as the first step in his efforts to implement a general Tor-over-HTTP pluggable transport.
Monthly status reports for June 2013
The wave of regular monthly reports from Tor project members for the month of June has begun. Damian Johnson’s was the first, followed soon after by reports from Philipp Winter, Colin C., Nick Mathewson, Lunar, Moritz Bartl, Jason Tsai, Andrew Lewman, Sherief Alaa, Kelley Misata, Matt Pagan, and Andrea Shepard.
Tor on StackExchange
The proposed StackExchange Q&A page for Tor has left the “initial definition” stage and has entered the “commitment” stage on Area 51. During this stage, interested users are asked to digitally “sign” the proposal with their name to help ensure the site will have an active community during its critical early days.
Forensic analysis of the Tor Browser Bundle
On Friday, June 28, Runa Sandvik published Tor Tech Report 2013-06-001, titled Forensic Analysis of the Tor Browser Bundle on OS X, Linux, and Windows, as part of a deliverable project for two Tor sponsors. The report is a detailed write-up of the forensic experiments Sandvik has been documenting on her blog, the goal of which was “to identify traces left behind by the Tor Browser Bundle after extracting, using, and deleting the bundle”.
In short, each platform indeed retains forensic traces of the existence of the Tor Browser Bundle. Many “are related to default operating system settings, some of which the bundle might not be able to remove. We therefore propose the creation of a document which lists steps our users can take to mitigate these traces on the different operating systems.”
Of course, Tor Browser Bundle users wishing to take immediate action to prevent the creation of forensic traces are not out of luck: “the easiest way to avoid leaving traces on a computer system is to use The Amnesic Incognito Live System (Tails).”
Miscellaneous development news
Leo Unglaub ran into some trouble with a dependency just as he was about to publish the work-in-progress code for his Vidalia replacement.
Nick Mathewson did some analysis on possible methods for reducing the volume of fetched directory information, by running some scripts over the last month of consensus directories.
A vulnerability affecting microdescriptors in Tor?
On Friday, June 28 an anonymous individual contacted Tor developers over Twitter claiming to have found a vulnerability in the way microdescriptors are validated by Tor clients which would allow “determination of the source and end-point of a given [victim’s] tor connection with little more than a couple relays and some rogue directory authorities [both controlled by the adversary].”
Detailed testing by Nick Mathewson could not reproduce the behavior in the Tor client that was claimed to enable such an attack. After a lengthy Twitter debate with Mathewson, the reporter disappeared, no bugs have been filed, and it appears the vulnerability was nothing of the sort. Without being able to verify the existence of the claimed vulnerability, Mathewson concluded that the reporter’s described attack was equivalent “at worst… to the ‘request filtering’ attack… which has defenses”.
The issue was also mentioned (and likewise dismissed) on the security mailing list, Full Disclosure.
For anyone interested in reporting vulnerabilities in Tor software, please avoid following that example. Until a process gets documented, the best way to report the discovery of a vulnerability is to get in touch with one of the Tor core developers using encrypted email.
This issue of Tor Weekly News has been assembled by Lunar, dope457, moskvax, Mike Perry, Nick Mathewson, mttp, and luttigdev.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteer writers who watch the Tor community and report about what is going on. Please see the project page and write down your name if you want to get involved!
In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone. They have been independently reproduced by at least 3 public builders using independent machines, and the Tor Package Archive contains all three builders' GPG signatures of the sha256sums.txt file in the package directory.
To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha2-release (commit c0242c24bed086cc9c545c7bf2d699948792c1e3). These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!
I will be writing a two part blog series explaining why this is important, and describing the technical details of how it was accomplished in the coming week or two. For now, a brief explanation can be found on the Liberation Technologies mailing list archive.
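The cross-check a user can run on those independent builds, as an added example (not Tor Project code): compare the sha256sums.txt files from several builders for disagreement, then verify a downloaded package against the agreed digest. It assumes the GNU sha256sum line format, and the builder names, package name and package bytes are constructed; verifying each builder's GPG signature on its sums file is a separate, prior step.

```python
"""Cross-check sha256sums.txt files from independent builders of a
deterministic build, then verify a downloaded package against the agreed
digest. Added example, not Tor Project code. Assumes the GNU sha256sum line
format '<hex digest>  <filename>'; the sample sums below are constructed.
Check each builder's GPG signature (gpg --verify) before trusting its file."""
import hashlib
from typing import Dict, List


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map filename -> lowercase hex digest from sha256sum-style lines."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")           # '*' marks binary mode in sha256sum -b
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed sha256sums line: {line!r}")
        sums[name] = digest.lower()
    return sums


def cross_check(builders: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {filename: [builders whose digest differs from the majority]}.
    An empty result means every builder produced byte-identical packages."""
    parsed = {b: parse_sha256sums(t) for b, t in builders.items()}
    names = set().union(*(s.keys() for s in parsed.values()))
    problems: Dict[str, List[str]] = {}
    for name in sorted(names):
        digests = {b: s.get(name) for b, s in parsed.items()}  # None = missing
        agreed = max(set(digests.values()), key=list(digests.values()).count)
        bad = sorted(b for b, d in digests.items() if d != agreed)
        if bad:
            problems[name] = bad
    return problems


def verify_package(sums: Dict[str, str], name: str, data: bytes) -> bool:
    """True iff the package bytes hash to the digest the builders agreed on."""
    return sums.get(name) == hashlib.sha256(data).hexdigest()


# Constructed sample: two builders agree, the third produced different bytes.
PKG_NAME = "tor-browser-example.tar.xz"
PKG_DATA = b"constructed package contents, not a real bundle\n"
GOOD = hashlib.sha256(PKG_DATA).hexdigest()
BUILDER_SUMS = {
    "builder-a": f"{GOOD}  {PKG_NAME}\n",
    "builder-b": f"{GOOD}  {PKG_NAME}\n",
    "builder-c": f"{'0' * 64}  {PKG_NAME}\n",   # non-reproducible build
}
```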
- All Platforms:
- Update Firefox to 17.0.7esr
- Update Tor to 0.2.4.14-alpha
- Include Tor's GeoIP file
- This should fix custom torrc issues with country-based node restrictions
- Fix several build determinism issues
- Include ChangeLog in bundles
- Fix many crash issues by disabling Direct2D support for now.
- Bug 8987: Disable TBB's 'Saved Application State' disk records on OSX 10.7+
- Use Ubuntu's 'hardening-wrapper' to build our Linux binaries
Major Known Issues
- Windows XP users may still experience crashes due to Bug 9084.
- Transifex issues are still causing problems with missing translation text in some bundles
All of the Tor Browser Bundles have been updated with the new Firefox 17.0.7esr. There is also a new Tor 0.2.4.14-alpha release and all of the packages have been updated with that as well.
Tor Browser Bundle (2.3.25-10)
- Update Firefox to 17.0.7esr
- Update zlib to 1.2.8
- Update HTTPS Everywhere to 3.2.2
- Update NoScript to 184.108.40.206
Tor Browser Bundle (2.4.15-alpha-1)
- Update Tor to 0.2.4.14-alpha
- Update Firefox to 17.0.7esr
- Update zlib to 1.2.8
- Update libpng to 1.5.16
- Update HTTPS Everywhere to 4.0development.8
- Update NoScript to 220.127.116.11
Tails, The Amnesic Incognito Live System, version 0.19, is out.
All users must upgrade as soon as possible.
Notable user-visible changes include:
- New features
- Linux 3.9.5-1.
- Iceweasel 17.0.7esr + Torbrowser patches.
- Unblock Bluetooth, Wi-Fi, WWAN and WiMAX; block every other type of wireless device.
- Fix write access to boot medium at the block device level.
- tails-greeter l10n-related fixes.
- gpgApplet: partial fix for clipboard emptying after a wrong passphrase was entered.
- Minor improvements
- Drop GNOME proxy settings.
- Format newly created persistent volumes as ext4.
- GnuPG: don't connect to the keyserver specified by the key owner.
- GnuPG: locate keys only from local keyrings.
- Upgrade live-boot and live-config to the 3.0.x final version from Wheezy.
- Localization: many translation updates all over the place.
- Test suite
- Re-enable previously disabled boot device permissions test.
See the online Changelog for technical details.
No new known issues, only longstanding ones.
I want to try it / to upgrade!
See the Getting started page.
As no software is ever perfect, we maintain a list of problems that affect the last release of Tails.
What's coming up?
The next Tails release is scheduled for early August.
Have a look at our roadmap to see where we are heading.
Do you want to help? As explained in our "how to contribute" documentation, there are many ways you can contribute to Tails. If you want to help, come talk to us!
A number of users have noticed that Facebook is blocking connections from the Tor network. Facebook is not blocking Tor deliberately. However, a high volume of malicious activity across Tor exit nodes triggered Facebook's site integrity systems which are designed to protect people who use the service. Tor and Facebook are working together to find a resolution.
For further questions please contact us at firstname.lastname@example.org.
Update from Facebook on June 18, 2013, 2:30 PM EST: Facebook's site integrity systems detected automated malicious activity coming from a significant number of Tor exit nodes. In order to protect people while we investigated the problem, access via these nodes was temporarily suspended. This issue has now been resolved and Tor access routes to Facebook restored.