Pluggable transports bundles 2.4.18-rc-1-pt1 and 2.4.18-rc-2-pt1 with Firefox 17.0.11esr

There are new Pluggable Transports Tor Browser Bundles with Firefox 17.0.11esr. They are made from the Tor Browser Bundle 2.4.18-rc-1 release of November 19, except for the 64-bit GNU/Linux bundle, which is made from the 2.4.18-rc-2 release of November 20.

Pluggable Transports bundle download

Tor Weekly News — December 4th, 2013

Welcome to the twenty-third issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

Next-Generation Hidden Services reach draft proposal state

Nick Mathewson has been working on turning a “revamp of the hidden services protocol” into a formal proposal. Last Saturday, Nick blessed the tor-dev mailing list with a post of the current draft for proposal 224, dubbed “Next-Generation Hidden Services in Tor”.

Nick currently lists 25 different people who made writing the new proposal possible, and there will probably be some more to add before the proposal reaches completion. We will spare the reader a full list, but Tor Weekly News’ archives attest that George Kadianakis deserves a special mention for his repeated efforts to move things forward.

The proposal aims to replace “the current rend-spec.txt, rewritten for clarity and for improved design.” The most user-visible change from the current hidden services protocol is the new address format. In order to prevent the enumeration of hidden services, the new protocol derives a “blinded key” (section 1.3) from an Ed25519 master identity key. The blinding operation operates on the full key (and not just a truncated hash, as before). With a base 32 encoding of the entire 256 bits (section 1.2), “a new name following this specification might look like: a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rffdw9jmntwkdsd.onion”. Other encodings might still be worth consideration as long as they make valid hostnames.

Less visible changes include the departure from RSA1024, DH1024, and SHA1 to prefer Ed25519, Curve25519, and SHA256 as the cryptographic primitives (section 0.3).

The selection of directories responsible for a hidden service will now depend on a periodic “collaboratively generated random value” provided by the Tor directory authorities. This way the directories of a hidden service are not predictable in advance, which prevents targeted denial of service attacks (see ticket #8244 and proposal 225 for a possible scheme).

The new proposal also introduces the possibility of keeping the master identity key offline (section 1.7).

The proposal is completely unfinished when it comes to scaling hidden services to multiple hosts (section 1.5). There have been discussions on this topic, but there is no final decision on what the final scheme should be. The problem with naive scaling schemes is that information about the number of hidden service nodes can leak to adversarial clients or introduction points.

In order to move the proposal forward from the current draft, Nick Mathewson told the readers: “I’d like to know what doesn’t make sense, what I need to explain better, and what I need to design better. I’d like to fill in the gaps and turn this into a more full document. I’d like to answer the open questions. Comments are most welcome, especially if they grow into improvements.” The document is still sprinkled with many TODO items, so feel free to jump in if you want to help!

Tor relay operators meeting at 30C3

Moritz Bartl announced that a meeting of Tor relay operators and organizations will be held as part of the first day of the 30th Chaos Communication Congress in Hamburg on the 27th December. He asked major relay operators and Torservers.net partner organizations to prepare some slides explaining their activities; the German partner organization, Zwiebelfreunde e.V., will hold its own meeting directly afterwards.

Monthly status reports for November 2013

The wave of regular monthly reports from Tor project members for the month of November has begun. Pearl Crescent released their report first, followed by reports from Sherief Alaa, Lunar, Colin C., Nick Mathewson, George Kadianakis, Arlo Breault, and Ximin Luo.

Miscellaneous news

The first release candidate for Tails 0.22 is out. The new version features a browser based on Firefox 24 and has reached beta stage for incremental updates, among other things. Tests are most welcome, as always!

The Tails team called for translators to help with the strings both for Tails 0.22, as well as for the new incremental upgrade software. The strings for translation are now available in the Tails Git repository, and hopefully should also be up on Transifex soon.

Damian Johnson sent out a link to a recording of his talk on the Tor ecosystem at TA3M in Seattle.

David Goulet called for assistance with the code-review process for the Torsocks 2.0 release candidate, and offered some guidance on where to begin.

Erinn Clark and Peter Palfrader upgraded the Tor Bug Tracker & Wiki to Trac version 1.0.

intrigeri began compiling a glossary of words that Tails and its developers use for particular concepts, to assist contributors who might not be familiar with these special meanings.

In order to remove “a full database of relays on our already overloaded metrics machine”, Karsten Loesing is asking for those using the “relay-search service” to speak up before the decommissioning of the service by the end of the year.

Philipp Winter followed up on his experiments in exit scanning and released exitmap, which uses Stem to control the tor daemon in creating circuits to all exit nodes.

Orchid, a Tor client implementation written in pure Java, silently reached the 1.0 milestone on November 27th. Nathan Freitas is looking for comment from the community as he is “thinking about having Orbot use it by default, and then offering ARM and x86 binaries as add-on enhancements.” His main argument is that it “would make the core Tor on Android experience more lightweight for client only use.”

The Electronic Frontier Foundation helped a student group in Iowa convince their university that they should be allowed to hold discussions about Tor on campus. The EFF’s open letter to universities and their “Myths and Facts About Tor” document make useful advocacy material.

Tor help desk roundup

Multiple users asked about using Tor for PC gaming. Tor can only transport TCP, which is how web pages are transmitted. Many video games rely on UDP or other protocols to transport data because of the lower latency. Information these games transport over protocols besides TCP would not be sent over Tor. Also, any software used with Tor needs to be tested for proxy obedience. Untested applications might send information without using Tor even if they appear to be configured correctly, and without the user realizing it.


This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, dope457, George Kadianakis, Nick Mathewson, sqrt2 and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Weekly News — November 27th, 2013

Welcome to the twenty-second issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

Round of updated Tor Browser Bundles

Mozilla put out an urgent security release of the stable Firefox branch with version 17.0.11esr. The stable version of the Tor Browser Bundle has been updated accordingly. The 2.4 release candidate also received an update, together with the latest incarnation of tor 0.2.4.18-rc. Both were then given a further update due to an issue on 64 bit GNU/Linux systems.

The 3.0 branch saw the release of 3.0rc1 which, on top of updating its base software, fixed a build reproducibility issue on Windows and made a few other small fixes.

An updated version of Tails and the pluggable transport bundle are still in the making at the time of writing.

Tor is looking for a Browser Hacker and an Extension Developer!

Mike Perry wrote a blog post to announce two new positions available at the Tor Project: “We are looking for a C++ browser developer to work on our Firefox-based browser, and a Firefox extension developer to work on our growing number of Firefox extensions. Our ideal candidates would be comfortable in both roles, but we are also interested in hearing from people with either skillset.”

Look at the job descriptions for more details and how to apply for these exciting opportunities to make Tor software even better.

“Safeplug”

Roman Mamedov reported that the Californian company Cloud Engines is now shipping a device called the “Safeplug”. Exactly how the device works is unclear, but according to their FAQ, it looks like a router which transparently directs its client connections through Tor.

Such an approach is known to be flawed. Sean Alexandre was prompt in reminding everyone that “application protocols can still reveal your identity”, and quoted the warning on Tor’s download page: “To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.”

Aaron Gibson detailed other concerns, namely the absence of source code or design documents, the mandatory router registration procedure, issues with the automatic update system, and the terms of service. He also criticized the “torified everything” approach and outlined an alternative which he had discussed with Roger Dingledine: “providing a captive portal that would instruct a user to download a copy of TBB and use the local router device as a first hop into the Tor network, perhaps by configuring the device as a bridge.”

On the upside, Andrew Lewman views the product as “a fine test case for consumer-level torouter market analysis. It would be great to learn 6 months from now how many they sold and a summary of customer feedback.” Despite having “lots of concerns”, Andrew is “trying to discuss them with Cloud Engines” and praised the community for “doing a fine job of raising questions”.

Miscellaneous news

Nick Mathewson gave the number 223 to Esfandiar Mohammadi’s proposal titled “Ace: Improved circuit-creation key exchange”.

Matt Pagan reported on his trip to Washington, D.C., USA for the Rally Against Mass Surveillance. He gave an account of his talk during the cryptoparty and the march that happened the next day.

Arturo Filastò sent his report about his activities in October.

Nathan Freitas reported on his efforts to use GeckoView on Android 4.4, which can be seen as the “first step towards Tor Browser on Android”.

Kevin Dyer announced a new release of a pluggable transport powered by Format-Transforming Encryption. Cross-platform builds of the pluggable transport Tor Browser Bundle are available for download for the adventurous.

Tor help desk roundup

Echoing the tor-talk thread summarized above, multiple people asked whether or not the Tor Project could recommend the Safeplug device.

An OS X user asked if it was always necessary to open the Tor Browser folder in order to start the Tor Browser Bundle. It is possible to create an alias in Mac OS or a shortcut in Windows to the “Start Tor Browser” script and place that alias or shortcut in a convenient place, such as the Desktop.


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, harmony, Philipp Winter, and dope457.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor is looking for a Browser Hacker and an Extension Developer!

The Tor Project has two browser-related job openings available!

We are looking for a C++ browser developer to work on our Firefox-based browser, and a Firefox extension developer to work on our growing number of Firefox extensions. Our ideal candidates would be comfortable in both roles, but we are also interested in hearing from people with either skillset.

On the C++ side, your tasks would include implementing new Firefox APIs and browser behavior changes; looking for and resolving web privacy issues; fixing bugs; responding on short notice to security issues; and helping to merge patches upstream.

On the extension development side, your primary tasks will include writing patches and UI improvements for Tor Birdy, Torbutton, HTTPS-Everywhere, Tor Launcher, and an OTR plugin for InstantBird. These improvements will primarily revolve around improving usability, Tor configuration, and security for our users.

Instructions on how to apply to the C++ position can be found on the browser hacker job posting. If you would prefer to focus on extension development, you should apply to the extension developer position.

Tor Browser Bundle 3.0rc1 Released

The first release candidate in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.0rc1/.

This release includes important security updates to Firefox.

Unfortunately, we have decided to remove the PDF.JS addon from this bundle, as the version available for Firefox 17 has stopped receiving updates. Built-in PDF support should return when we transition to Firefox 24 in the coming weeks.

This release should also fix a build reproducibility issue on Windows. All platform binaries should once again be identically reproducible from source by anyone using git tag tbb-3.0rc1-release.

  • All Platforms:
    • Update Firefox to 17.0.11esr
    • Update Tor to 0.2.4.18-rc
    • Remove unsupported PDF.JS addon from the bundle
    • Bug #7277: TBB's Tor client will now omit its timestamp in the TLS handshake.
    • Update Torbutton to 1.6.4.1
      • Bug #10002: Make the TBB3.0 blog tag our update download URL for now
  • Windows
    • Bug #10102: Patch binutils to remove nondeterministic bytes in compiled binaries
  • Linux
    • Bug #10049: Fix architecture check to work from outside TBB's directory
    • Bug #10126: Remove libz and firefox-bin, and strip unstripped binaries
    • Misc: Disable Firefox updater during compile time (in addition to pref)

64-bit GNU/Linux Tor Browser Bundles updated

It turns out that the 64-bit bundles were a bit crashy because of a change in the way they were built. This change has been reverted and I've updated the stable and RC versions of the 2.x series of GNU/Linux Tor Browser Bundles.

Direct links:
Stable 64-bit GNU/Linux Tor Browser Bundle (sig)
RC 64-bit GNU/Linux Tor Browser Bundle (sig)

Tor Browser Bundle (2.3.25-16); suite=linux

  • Update 64-bit Linux's mozconfig to --disable-optimize so Tor Browser will
    stop crashing (closes: #10195)

Tor Browser Bundle (2.4.18-rc-2); suite=linux

  • Update 64-bit Linux's mozconfig to --disable-optimize so Tor Browser will
    stop crashing (closes: #10195)

Tor Weekly News — November 20th, 2013

Welcome to the twenty-first issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

tor 0.2.4.18-rc is out

On the 16th of November, Roger Dingledine released the fourth release candidate for the tor 0.2.4.x series. As Roger puts it: “It takes a variety of fixes from the 0.2.5.x branch to improve stability, performance, and better handling of edge cases.” Readers curious for more details can look at the announcement for the complete list of changes.

The source is available as well as updated Debian packages. All relay operators should upgrade. Updated Tor Browser Bundles are in the making and should be available shortly.

USB Sticks for Tails

It is often recommended to run Tails from a read-only medium in order to prevent any malware from permanently messing with the system. “CD is best, but many devices these days don’t have an optical drive, and handling CDs is not as convenient as a USB stick” wrote Moritz Bartl on tor-talk.

It looks like one of the very few brands of USB sticks available in Germany that had a proper hardware protection switch can no longer be used to boot Tails. Moritz ended up contacting various Chinese suppliers. “Even there, the selection of sticks with write protection is very limited” but eventually one model was found acceptable. Moritz intends to re-sell a batch of them at the upcoming 30C3 in Hamburg.

Feel free to join the discussion or contact Moritz privately for more details.

New version of check.torproject.org

On the 15th of November, regular users of the Tor Browser Bundle have probably noticed a change in their preferred welcome page. Andrew Lewman had just switched check.torproject.org to a new version written by Arlo Breault in Go. The new codebase should allow the service to better handle the increasingly high number of connections. Several fixes were also made during the reimplementation regarding wording, translations and other meaningful details.

Please report any issues you encounter to the “Tor Check” component of the Tor bug tracker.

Current state of the proposals

In 2007, Tor developers settled on a formal process for changes in Tor specifications or other major changes. At the heart of this process are the “proposal” documents that are discussed on the tor-dev mailing list and archived in the “torspec” Git repository.

Last week, Nick Mathewson took a closer look at what has changed since the last round-up he did in June last year. Since then, 16 proposals have been implemented in tor 0.2.3, 0.2.4 and 0.2.5 and two have been superseded or deemed unhelpful.

Nick subsequently posted a review of all “open”, “needs-revision”, and “needs-research” proposals. There are many different tasks in these 42 proposals to be picked up by anyone who wishes to help Tor, be it by doing research, writing code, leading discussions, or carrying out more in-depth analysis.

Miscellaneous news

Radu Rădeanu came up with a workaround for Tor users on Ubuntu 13.10 which temporarily fixes a keyboard bug in 64-bit Tor Browser Bundles when used in combination with IBus.

Roger Dingledine called for help in the collection of the new Tor related articles in the press. “According to the website the last time there was a meaningful article about Tor was July 1st. This is very far from the case.” If you want to help, just edit the wiki page.

Firefox 24 is soon going to replace version 17 as the “stable” supported release by Mozilla. intrigeri has completed his work in updating Tails’ browser to the point where it “is good enough for Tails 0.22”. Builds from “feature/ff24” are available for wider testing.

Andreas Jonsson released an initial sandboxed version of the TBB 3.0 series which is ready for testing. This security feature should prevent an exploit from stealing user data: the Tor Browser will not be allowed to execute any programs, nor will it be allowed to read or modify data on disk except in the user’s “downloads” folder and its own profile. The sandbox is currently only supported on OS X 10.9 “but making it work all the way down to 10.6 is not unlikely”.

Check Mike Perry’s latest report to see what he has been up to in October.

Tor help desk roundup

Users have asked the help desk for support connecting to IRC through Tor. There are some guides on sending IRC traffic through Tor on the wiki (1, 2). Tails also comes with Pidgin preconfigured for IRC. However, it will not matter if the IRC client is correctly configured if the intended IRC network blocks all Tor users. For example, users trying to connect to synIRC through Tor will receive a message telling them their computer is part of a botnet.

Users will occasionally ask for support using Tor on ChromeOS. ChromeOS is based on Linux, so it is theoretically possible to run the Linux Tor Browser Bundle on ChromeOS. In practice, the Chromebook prevents users from executing new software on their computers without putting their Chromebook into developer mode, and making other modifications to their device. Anyone who has successfully run the Tor Browser Bundle on ChromeOS is invited to describe their experiences on the Tor Project wiki. As of this writing, there is no documented way of running Tor Browser Bundle on ChromeOS.


This issue of Tor Weekly News has been assembled by Lunar, dope457, Matt Pagan, and Andreas Jonsson.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

New Tor Browser Bundles with Firefox 17.0.11esr and Tor 0.2.4.18-rc

Firefox 17.0.11esr has been released with several security fixes and the stable and RC Tor Browser Bundles have been updated.

There is also a new Tor 0.2.4.18-rc release and the RC bundles have been updated to include that as well.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-15)

  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)

Tor Browser Bundle (2.4.18-rc-1)

  • Update Tor to 0.2.4.18-rc
  • Update Firefox to 17.0.11esr
  • Update NoScript to 2.6.8.5
  • Remove PDF.js since it is no longer supported in Firefox 17
  • Fix paths so Mac OS X 10.9 can find the geoip file. Patch by David Fifield.
    (closes: #10092)