tor weekly news

Tor Weekly News — October 31st, 2015

Welcome to the thirty-seventh issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

IETF reserves .onion as a Special-Use Domain Name

Several years of effort by Tor Project members and contributors bore fruit this week when the Internet Engineering Task Force, which develops and promotes voluntary standards for Internet technologies, recognized the .onion suffix as a special-use domain name.

As Jacob Appelbaum, who led the charge along with Facebook security engineer Alec Muffett, explained: “IETF name reservations are part of a lesser known process that ensures a registered Special-Use Domain Name will not become a Top Level Domain (TLD) to be sold by the Internet Corporation For Assigned Names and Numbers (ICANN).” In other words, it will not be possible for domain registrars to sell web addresses ending in .onion; if it were, it would create problems for Tor’s hidden service system, which uses that suffix to allow users to run anonymous and censorship-resistant web services accessible via the Tor Browser.

Another benefit of the name reservation is that it will now be possible to buy Extended Validation (EV) SSL certificates for .onion domains, a system which Facebook has trialled on its own popular hidden service.

“We think that this is a small and important landmark in the movement to build privacy into the structure of the Internet”, wrote Jacob. Congratulations to all those who spent time drafting this proposal and advocating for its adoption.

Tor proposal updates

Tor’s body of development proposals, documents that plan for improvements and changes in Tor’s software ecosystem, has seen some additions, updates, and reviews over the past week.

Nick Mathewson published proposal 256, which examines methods for revoking the long-lived public keys used by Tor relays and directory authorities in the event that they are compromised, or the operator believes there is a significant possibility that they have been compromised. Andrea Shepard wrote proposal 258, explaining how directory authorities could mitigate the risk of denial-of-service (DOS) attacks by classifying the types of directory requests they receive and setting thresholds for each. Nick and Andrea together published proposal 257, which identifies the different functions performed by directory authorities and examines how the risk of DOS attacks could be reduced by “isolating the security-critical, high-resource, and availability-critical pieces of our directory infrastructure from one another”.

George Kadianakis published a review of all the open proposals relevant to next-generation hidden services, giving a summary of each one along with its current status, “so that researchers and developers have easier access to them”.

Proposal 250, which specifies how directory authorities can come up with a shared random value every day, and which George describes as “a prerequisite” for all other work on next-gen hidden services, was itself updated to reflect changes in the implementation, which is almost finished, as David Goulet explained. Finally, Tim Wilson-Brown (teor) published a revised version of the as-yet unnumbered proposal for “rendezvous single onion services”, “an alternative design for single onion services, which trade service-side location privacy for improved performance, reliability, and scalability”.

If you have any comments on these or other Tor proposals, feel free to post your thoughts to the tor-dev mailing list.

Miscellaneous news

The Tor BSD Diversity Project, “an effort to extend the use of the BSD Unixes into the Tor ecosystem, from the desktop to the network”, announced the release of an OpenBSD port of Tor Browser 5.0.3, its sixth Tor Browser release for BSD systems. See attila’s announcement for download instructions, as well as a report on the TDP’s other development and advocacy activities.

Tor’s Metrics team, “a group of Tor people who care about measuring and analyzing things in the public Tor network”, now has its own public mailing list and wiki page, as Karsten Loesing announced. There is a simple step to complete before you can post freely to the list, but anyone interested in “measurements and analysis” is welcome to listen in on discussions, and to check the team’s roadmap and workflow on the wiki page.

“In an attempt to make Pluggable Transports more accessible to other people, and to have a spec that is more applicable and useful to other projects that seek to use Pluggable Transports for circumvention”, Yawning Angel drafted a rewrite of the pluggable transports spec document. No behavior changes are specified in this rewrite, but “unless people have serious objections, this will replace the existing PT spec, to serve as a stop-gap while the next revision of the PT spec (that does alter behavior) is being drafted/implemented”.

Simone Bassano published a report on the OONI hackathon that took place in Rome at the start of October. A working beta version of MeasurementKit and progress on NetworkMeter, as well as ways to make use of censorship data, were among the outcomes.

This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Weekly News — October 24th, 2015

Welcome to the thirty-sixth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tails 1.6 is out

Tails 1.6, a minor release of the anonymous live operating system, was put out one month ago on September 22, following a Firefox security announcement. As well as Tor Browser 5.0.3, this release includes updates to key software, and fixes to important security issues. All Tails users must upgrade as soon as possible, if they haven’t already done so; see the announcement for download instructions.

Orfox reaches Beta

The Orfox team released the first beta version of the Tor Browser-like Android web browser on Google Play and the Guardian Project F-Droid repos. This is a public testing release, so as usual please do not rely on it for strong anonymity just yet.

If you want to stay updated with this effort, keep an eye on the team’s homepage. The project is trying to improve communications with both Mozilla and the Tor Browser team in order to have as much work merged upstream as possible!

Final Tor Summer of Privacy reports

The “southern hemisphere” schedule for Tor’s first-ever Summer of Privacy came to an end, and the two remaining students submitted their final progress reports. Israel Leiva’s revamp of GetTor, the alternative Tor software distributor, now supports additional content delivery networks including GitHub and Google Drive, XMPP requests (with Twitter compatibility on the way), multiple languages, and more. Israel will continue to work on GetTor as a regular contributor, so expect more progress reports from this important project.

Cristóbal Leiva’s relay web status dashboard, erebus, now includes core frontend and backend functionality, along with a basic UI and full code documentation. Cristóbal will also be continuing to work on his project over the coming months. Congratulations to both on finishing the season with their projects in such good shape!

Monthly status reports for September 2015

Tor Project members submitted their regular monthly status reports for September. Griffin Boyce gave an account of his activities over the summer; Pearl Crescent worked on development of Tor Browser; Karsten Loesing helped organize the Tor Metrics team and develop the network tools; Sebastian Hahn worked on donation- and outreach-related website improvements; Georg Koppen coded and reviewed for the latest Tor Browser releases; Damian Johnson worked on Nyx, Stem, DocTor, and code review for metrics-lib; Leiah Jansen completed graphic designs for Tor’s website and for a campaign T-shirt; Colin Childs organized the new support team and coordinated translations; the Tor Browser team put out new alpha and stable releases; and George Kadianakis worked on Tor network security.

George also sent out the report for SponsorR, while Isabela Bagueros sent out a progress report for SponsorU.

Miscellaneous news

David Fifield sent out the regular summary of costs for the meek pluggable transport. David also announced that the Microsoft Azure backend for meek is now rate-limited to the same speed as the Amazon and Google bridges, as the free grant has expired.

Karsten Loesing announced that the upcoming version 3.0 of the Onionoo protocol will support searching for relays by space-separated fingerprints (e.g. “9695 DFC3 5FFE B861 329B 9F1A B04C 4639 7020 CE31”) in addition to unseparated ones.

There is currently no standard definition of “membership” in the Tor Project, although there are various “membership-like” features such as internal mailing lists, LDAP accounts, and email addresses. Now that the Tor community is growing much more rapidly, a discussion was held at the recent Tor dev meeting to try and come up with some criteria against which a contributor can be categorized as a Tor Project “member”. Discussion is still ongoing, but a summary of the ideas so far is available on the wiki.

On Thursday, Jacob Appelbaum, Trevor Paglen, and Leif Ryge unveiled the latest exhibit at the Edith-Russ-Haus für Medienkunst in Oldenburg, Germany — an “Autonomy Cube”, comprising a fast Tor exit relay housed in a transparent case. Until January 3rd, visitors to the gallery can use the Cube’s network to access the Internet over Tor, or just contemplate all the encrypted traffic passing right under their noses on its way around the world. In the basement below the exhibition space, a reading room and video gallery will explore some of the installation’s themes in greater depth, and the whole exhibition will be accompanied by a book of essays.

This issue of Tor Weekly News has been assembled by Harmony, Lunar, Amogh Pradeep, teor, Karsten Loesing, and the Tails developers.

Tor Weekly News — September 10th, 2015

Welcome to the thirty-fifth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Introducing the tor-teachers list

Just as the Tor network itself grows and evolves through the efforts of volunteer relay operators in numerous countries, information about how and why users should make use of the protections that Tor offers is also spread by an informal network of teachers and activists working in many different communities around the world. Tor talks and trainings are often a feature of free public privacy events like cryptoparties, as well as Internet security workshops put on by groups and organizations especially in need of online privacy in their activities.

Until now, Tor teachers have had no central meeting-place to share advice, compare experiences, or make future plans, so Alison Macrina and Nima Fatemi this week announced the creation of the tor-teachers mailing list. According to Alison, whose Library Freedom Project is itself engaged in teaching Tor and other online privacy tools to librarians and library patrons across America (and beyond), “this list is for all the awesome people around the world who are teaching Tor to their communities, who want to work collectively with other teachers of Tor to support each other, build community, and make our work even better”. Topics of discussion will range from “visionary stuff” like the philosophical underpinnings of the right to free expression and inquiry, to more prosaic Tor-related questions such as “how to use the darn thing” and how best to convey this to users from all backgrounds.

If this sounds like the sort of thing you either would like to be doing or are already an old hand at, you are most welcome to join! Visit the list-info page to sign up. As with almost all of Tor’s mailing lists, messages are publicly visible and archived, so you can take a look at current discussions to see if you want to get involved. Good luck!

Miscellaneous news

Luke Millanta announced the launch of OnionView, a web service which utilizes Tor relay data, gathered using the Onionoo network status protocol, to plot the location of active Tor nodes onto an interactive map of the world. Created in collaboration with Tor’s Measurement team, OnionView’s relay database is updated every thirty minutes to help ensure map accuracy. Join the developers in the #tor-dev IRC channel to become involved in future work on OnionView.

This issue of Tor Weekly News has been assembled by Harmony and Luke Millanta.

Tor Weekly News — September 4th, 2015

Welcome to the thirty-fourth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0.2 and 5.5a2 are out

The Tor Browser team announced new stable and alpha releases of the privacy-preserving web browser. Version 5.0.2 fixes a bug that was causing the browser’s launcher icons in the Ubuntu Unity and GNOME desktops to be duplicated, and includes a newer version of the NoScript add-on. Version 5.5a2 incorporates these updates along with another small crash bug fix from the stable series.

Both new releases include important security updates to their respective Firefox versions, so please ensure you upgrade as soon as possible. If you are already running a recent Tor Browser, it has probably updated itself already; if not, head to the project page to download your copy now.

Final reports from two Summer of Privacy students

Two of the developers participating in Tor’s first-ever Summer of Privacy coding season, Jesse Victors and Donncha O’Cearbhaill, submitted their final progress reports after months of intensive development.

Jesse’s DNS-like naming system for onion services is already in a testable state. “All of the infrastructure for OnioNS is in place”, and while a few protocols are still to be finished, “the client-side and HS-side software is pretty reliable and stable at this point”, with support for Debian, Ubuntu, Mint, and Fedora. Development will continue into the future, and “once the OnioNS software is fully ready, no modifications to Tor should be necessary to merge OnioNS into the Tor network”.

Donncha’s project, the onion service load-balancing manager OnionBalance, has also seen one testing release, and the next steps in development are to package the software for Debian, clarify the documentation, and implement “smartcard / HSM support master service key storage and signing”. “I’ll continue developing OnionBalance so that if possible, it can facilitate some form of load balancing and redundancy with next-gen hidden services”.

Congratulations to Jesse and Donncha on getting their innovative projects to this stage, and thanks to the mentors and coordinators who have made the Summer of Privacy a success. The southern-hemisphere development timetable is still ongoing, however, so stay tuned for updates from Israel and Cristóbal Leiva on their TSoP projects.

Should cloud-based Tor relays be rejected?

Observing that “we sometimes see attacks from relays that are hosted on cloud platforms”, Philipp Winter investigated the actual benefit to the Tor network that these relays provide. He found that in an average consensus from July 2015, “cloud-hosted relays contributed only around 0.8% of bandwidth” (with the caveat that “this is just a lower bound”). Rejecting such relays from the consensus might force attackers to jump through more hoops, but would mean “obtaining the netblocks that are periodically published by all three (and perhaps more) cloud providers”.

Tim Wilson-Brown (teor) wondered about the effect this might have on Tor developers and researchers who would like to use cloud-based relays, while nusenu requested that any rejection be publicly documented “so volunteers don’t waste their time and money setting up blacklisted relays”.
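The measurement described above can be reproduced in a few lines: match each relay's address in a consensus against provider netblocks and sum the bandwidth weights. This is an added example, not Philipp Winter's code; the consensus excerpt is constructed, and the netblocks are RFC 5737 documentation ranges standing in for the lists the cloud providers publish.

```python
import ipaddress

# Constructed stand-ins for provider-published netblocks (assumption:
# real lists would be fetched from each provider and refreshed regularly).
CLOUD_NETBLOCKS = {
    "provider-a": ["192.0.2.0/24"],
    "provider-b": ["198.51.100.0/25"],
}

# Constructed consensus excerpt. "r" lines carry nickname and address,
# "w" lines carry the bandwidth weight of the relay named just before.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2015-07-15 12:00:00 192.0.2.10 9001 0
s Fast Running Valid
w Bandwidth=150
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2015-07-15 12:00:00 203.0.113.5 443 80
s Exit Fast Running Valid
w Bandwidth=4000
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2015-07-15 12:00:00 198.51.100.200 9001 0
s Fast Running Valid
w Bandwidth=500
r relayD GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2015-07-15 12:00:00 198.51.100.77 9001 0
s Running Valid
w Bandwidth=100 Unmeasured=1
r relayE IIIIIIIIIIIIIIIIIIIIIIIIIII JJJJJJJJJJJJJJJJJJJJJJJJJJJ 2015-07-15 12:00:00 203.0.113.99 9001 9030
s Fast Guard Running Valid
w Bandwidth=5250
"""


def parse_consensus(text):
    """Return one dict per relay: nickname, address, bandwidth weight."""
    relays = []
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) >= 9:
            # r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
            current = {
                "nickname": fields[1],
                "address": ipaddress.ip_address(fields[6]),
                "bandwidth": 0,  # stays 0 if no "w" line follows
            }
            relays.append(current)
        elif fields[0] == "w" and current is not None:
            for item in fields[1:]:
                key, _, value = item.partition("=")
                if key == "Bandwidth" and value.isdigit():
                    current["bandwidth"] = int(value)
    return relays


def cloud_share(relays, netblocks):
    """Return (cloud bandwidth, total bandwidth, {nickname: provider})."""
    networks = [
        (provider, ipaddress.ip_network(block))
        for provider, blocks in netblocks.items()
        for block in blocks
    ]
    matched = {}
    for relay in relays:
        for provider, network in networks:
            if relay["address"] in network:
                matched[relay["nickname"]] = provider
                break
    total = sum(r["bandwidth"] for r in relays)
    cloud = sum(r["bandwidth"] for r in relays if r["nickname"] in matched)
    return cloud, total, matched


if __name__ == "__main__":
    cloud, total, matched = cloud_share(
        parse_consensus(SAMPLE_CONSENSUS), CLOUD_NETBLOCKS
    )
    print("cloud-hosted relays:", matched)
    print("share of consensus bandwidth: %.2f%%" % (100.0 * cloud / total))
```

Relays hosted in ranges a provider has not published (relayC in the sample sits just outside the constructed /25) are not counted, which is why a figure obtained this way is only a lower bound.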

Miscellaneous news

Karsten Loesing announced version 2.6 of Onionoo, the Tor network data observatory. This release adds two new relay family-related fields to details documents that, together with the “effective_family” field introduced in version 2.4, replace the older “family” field, which is now deprecated. These new fields support different family-mapping use-cases that may be required by Tor network tools such as Atlas, Globe, and Roster. “The current ‘family’ field will stay available until Atlas and Globe are updated. If I should also wait for other clients to be updated, please let me know.”

After several television appearances over the past few years, Tor made its literary debut last month in the fourth installment of the late Stieg Larsson’s Millennium series. A warm Tor community welcome to Lisbeth Salander — though a subscription to Tor Weekly News might clear up some of her misconceptions.

This issue of Tor Weekly News has been assembled by Harmony.

Tor Weekly News — August 30th, 2015

Welcome to the thirty-third issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Hash visualizations to protect against onion phishing

Unlike URLs on the non-private web, the .onion addresses used by Tor hidden services are not handed out by any central authority — instead, they are derived by the hidden services themselves based on their cryptographic key information. This means that they are typically quite hard for humans to remember, unless the hidden service operator — whether by chance or by making repeated attempts — hits upon a memorable string, as in the case of Facebook’s hidden service.

“The problem”, writes George Kadianakis, is that due to these user-unfriendly strings, “many people don’t verify the whole onion address, they just trust the onion link or verify the first few characters. This is bad since an attacker can create a hidden service with a similar onion address very easily”, then trick users into visiting that address instead for a variety of malicious purposes. This species of attack has already been seen in the wild. After discussions with other researchers in this area, George drew up a proposal to incorporate visual information into the verification process: “So when TBB connects to a hidden service, it uses the onion address to generate a randomart or key poem and makes them available for the user to examine.”

As with all new development proposals, however, there are many unanswered questions. What kind of visualization would work best? Should there also be an auditory component, like a randomly-generated tune? How should the feature be made available to users without confusing those who have no idea what it is or why it’s needed? In short, “Some real UX research needs to be done here, before we decide something terrible.”
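To make the randomart idea concrete, here is an added sketch (not code from the proposal or from Tor Browser) that renders an onion address with the "drunken bishop" walk OpenSSH uses for key fingerprints. It assumes 16-character base32 addresses, hashes the decoded address with SHA-256 before walking (a choice made for this example), and uses two constructed addresses that share their first eight characters.

```python
import base64
import hashlib
import re

# Board size and symbol ramp follow OpenSSH's key randomart.
WIDTH, HEIGHT = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^"

# Assumption: 16-character base32 addresses (80 bits).
ONION_RE = re.compile(r"^([a-z2-7]{16})\.onion$")

# Constructed sample addresses, identical in their first 8 characters.
GENUINE = "tbbphishdemo2345.onion"
LOOKALIKE = "tbbphishxq7a3k2z.onion"


def onion_to_bytes(address):
    """Decode a 16-character .onion address into its 10 raw bytes."""
    match = ONION_RE.match(address.strip().lower())
    if not match:
        raise ValueError("not a 16-character .onion address: %r" % address)
    return base64.b32decode(match.group(1).upper())


def randomart(address):
    """Return the picture for an address as a list of 9 strings."""
    # Hashing first means a change anywhere in the address alters the
    # whole walk, not only the steps after the differing character.
    digest = hashlib.sha256(onion_to_bytes(address)).digest()
    counts = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    start = (x, y)
    for byte in digest:
        for _ in range(4):  # four 2-bit moves per byte, low bits first
            x = min(max(x + (1 if byte & 1 else -1), 0), WIDTH - 1)
            y = min(max(y + (1 if byte & 2 else -1), 0), HEIGHT - 1)
            counts[y][x] += 1
            byte >>= 2
    rows = []
    for row_y in range(HEIGHT):
        cells = []
        for row_x in range(WIDTH):
            if (row_x, row_y) == (x, y):
                cells.append("E")  # where the walk ended
            elif (row_x, row_y) == start:
                cells.append("S")  # where the walk started
            else:
                visits = min(counts[row_y][row_x], len(SYMBOLS) - 1)
                cells.append(SYMBOLS[visits])
        rows.append("".join(cells))
    return rows


def shared_prefix_len(a, b):
    """Number of leading characters two addresses have in common."""
    n = 0
    for ca, cb in zip(a, b):
        if ca != cb:
            break
        n += 1
    return n


def side_by_side(a, b):
    """Render both pictures next to each other for visual comparison."""
    border = "+" + "-" * WIDTH + "+"
    lines = ["%-22s %s" % (a, b), border + "    " + border]
    for left, right in zip(randomart(a), randomart(b)):
        lines.append("|%s|    |%s|" % (left, right))
    lines.append(border + "    " + border)
    return "\n".join(lines)


if __name__ == "__main__":
    print("shared prefix:", shared_prefix_len(GENUINE, LOOKALIKE), "characters")
    print(side_by_side(GENUINE, LOOKALIKE))
```

A user who checks only the first few characters sees the two addresses as the same, while the two pictures differ across the whole board.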

If you have clear and constructive feedback to offer on this unusual but important proposal, please send it to the tor-dev mailing list.

Tor-enabled Debian mirrors

Richard Hartmann, Peter Palfrader, and Jonathan McDowell have set up the first official onion service mirrors of the Debian operating system’s software package infrastructure. This means that it is now possible to update your Debian system without the update information or downloaded packages leaving the Tor network at all, preventing a network adversary from discovering information about your system. A follow-up post by Richard includes guidance on using apt-transport-tor with the new mirrors.

These services are only the first in what should hopefully become a fully Tor-enabled system mirroring “the complete package lifecycle, package information, and the website”. “This service is not redundant, it uses a key which is stored on the local drive, the .onion will change, and things are expected to break”, wrote Richard, but if you are interested in trying out the new infrastructure, see the write-ups for further information.

Miscellaneous news

David Fifield announced that his 17-minute PETS talk on the theory and practice of “domain fronting”, which is the basis for Tor’s innovative and successful meek pluggable transport, is now available to view online.

Arturo Filastò announced that registration for ADINA15, the upcoming OONI hackathon at the Italian Parliament in Rome, is now open. If you’re interested in hacking on internet censorship data in this rarified location, with the possibility of “interesting prizes” for the winning teams, see Arturo’s mail for the full details.

Arturo also sent out the OONI team’s July status report, while Tor Summer of Privacy progress updates were submitted by Israel Leiva, Cristobal Leiva, and Jesse Victors.

Fabio Pietrosanti issued an open call for developers interested in working on GlobaLeaks, the open-source anonymous whistleblowing software. “Are you interested in making the world a better place by putting your development skills to use in a globally used free software project? Do you feel passionate about using web technologies for developing highly usable web applications?” If so, please see Fabio’s message for more information.

News from Tor StackExchange

saurav created a network using the Shadow simulator and started with 40 guard and 40 exit nodes. After a simulation was performed, another 40/40 nodes were added. saurav then noticed that the more recent nodes had a higher probability of being selected. Can you explain why this is the case? The users of Tor’s Q&A page will be happy to know.

This issue of Tor Weekly News has been assembled by qbi, Lunar, nicoo, and Harmony.

Tor Weekly News — August 20th, 2015

Welcome to the thirty-second issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0.1 is out

The Tor Browser team put out a new stable version of the privacy-preserving browser. Version 5.0.1 fixes a crash bug in the recent 5.0 release that was hindering some users’ attempts to access popular websites like Google Maps and Tumblr. There are no other changes in this release.

Thanks to the new automatic update mechanism in the Tor Browser 5.x series, you are probably already running the upgraded version! If not, head to the project page to get your copy.

Tor talks at Chaos Communication Camp 2015

There was a heavy Tor presence at the recent Chaos Communication Camp near Zehdenick, Germany, and as usual there were some Tor-related talks by community members that are now available to watch online. Tor and Debian developer Lunar, one of the minds behind Debian’s pioneering and highly successful reproducible builds project (itself inspired by the Tor Browser team’s work in this line) gave a talk entitled “How to make your software build reproducibly”.

Tor Project Director of Communications Kate Krauss, meanwhile, participated in a talk entitled “What’s the catch?”, addressing the subject of free software projects receiving funding from State organizations, and the ways in which this does or does not affect the work of these projects.

Tor developers also participated in the “Tor Services using GNS” session of the Youbroketheinternet village. The session was about Tor using GNS as its name resolution system, and about various ways that we could integrate GNUNet and other anonymity systems with Tor. It was decided that the discussion will continue on the tor-dev mailing list.

Happy sixth birthday, Tails!

In the small hours of Sunday night, the Tails project turned six years old. It may still have most of its milk teeth, but the anonymous live operating system is already the security tool of choice for a wide range of users. It has been endorsed by Reporters Without Borders, groups campaigning against domestic violence, and the team behind the Academy Award-winning documentary CITIZENFOUR (among many others), as Voice of America reported last month.

The Tails team has laid out its vision for the next two years in its draft 2016-2017 roadmap, and you can read a summary of its current activities in the last monthly report. Congratulations to the team on reaching this anniversary!

Miscellaneous news

Hot on the heels of last week’s 2.4 release, Karsten Loesing put out version 2.5 of Onionoo, the Tor network data observatory. This release adds a new optional field named “measured” to Onionoo’s details documents. “The main idea behind this new field is that relay operators and Tor network debuggers can now figure out easily whether a relay is affected by not being measured by a sufficient number of bandwidth authorities and as a result has lower usage than it could handle”, writes Karsten. The new field is not yet shown in Onionoo web interfaces like Globe and Atlas, but it is accessible through the Onionoo API. For more details, see the relevant ticket.

David Fifield announced that the recent outage affecting meek’s Microsoft Azure backend is now resolved. Most users will have switched to the workaround version included in the most recent Tor Browser releases, but if for some reason you are still using the old configuration, it too should now be working once again.

David Stainton asked for brief code review of his Twisted-based Tor HTTP proxy. “Is this project worthy of your precious 10 minutes to review it... so I can improve the code quality?”

This issue of Tor Weekly News has been assembled by Harmony, Karsten Loesing, and George Kadianakis.

Tor Weekly News — August 14th, 2015

Welcome to the thirty-first issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0 and 5.5a1 are out

The Tor Browser team put out two new releases of the privacy-preserving web browser. Version 5.0, the first release in the new stable series, is based on Firefox 38ESR, “which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements”. Updates to Tor Browser are now downloaded automatically in the background, removing the need for users to go through the update wizard manually. New privacy features in this release include first-party domain bar isolation of more identifier sources, and “defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting”.

The first alpha release in the 5.5 series, meanwhile, fixes the recent pdf.js exploit to which users of 5.0a3 and 5.0a4 had been vulnerable; it also contains a refined version of the new font fingerprinting defenses in which “Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases”.

For full changelogs and download instructions, please see the team’s announcements. Both of these new releases contain important security updates, so please upgrade your Tor Browser as soon as you can.

Tails 1.5 is out

The Tails developers announced version 1.5 of the anonymous live operating system. This release disables access to the local network in Tor Browser, restricting this activity to Tails’ “unsafe browser”. It also ships with Tor Browser 5.0, and a 32-bit GRUB EFI bootloader, so “Tails should now start on some tablets with Intel Bay Trail processors, among others”.

For a list of all the changes in this release, please see the team’s announcement. This is an important security update, so please download your copy as soon as possible, either from the Tails website or via the incremental updater.

OnioNS beta testing version is out

Jesse Victors announced the first beta testing release of his Tor Summer of Privacy project, the Onion Name System (OnioNS). OnioNS is a distributed system that links hard-to-remember and hard-to-verify onion service addresses (such as “onions55e7yam27n.onion”) to domain names that are easier for humans to read and recall (like “example.tor”).

The software that comprises OnioNS is divided into three main parts: OnioNS-HS, OnioNS-client, and OnioNS-server. These are respectively intended to be run by onion services wishing to claim domain names, clients (such as Tor Browser users) wanting to visit services using these names, and the servers that let the system function. Whichever software you download will also require the OnioNS-common library in order to work.

This is a beta testing version, so Jesse warns that it is not ready to be used on production onion services and that name-claims made now may not survive in the long term. If you’re willing to give the system a try, however, please see Jesse’s message for further information, and feel free to send “feedback as to how usable the system is and areas where it could be improved” to the tor-dev mailing list, or file issues on the bug tracker of the relevant software package.

Miscellaneous news

Karsten Loesing deployed version 2.4 of Onionoo, the Tor network data observatory. This release implements an optional “effective_family” field to Onionoo details documents, listing all the relays with which the relay in question is in an effective, mutual family relationship. “The main goal here is to make it easier to detect misconfigured relay families. This can be relay operators or friendly people watching over the Tor network and reminding relay operators to fix their configurations.”

Colin Childs sent out a call for new volunteers to man the Tor help desk, which offers individual support to Tor users all over the world. If you can use Tor Browser and other Tor software with confidence and have a good understanding of the theory behind Tor, know how to use GnuPG (or are willing to learn), and are an active member of the Tor community who wants to help users on an ongoing basis, then please see Colin’s message for more details.

The Tails project sent out its monthly report for July, featuring development updates, upcoming events, and summaries of ongoing discussions.

George Kadianakis sent out the SponsorR report, and also submitted his own status report for July.

Alec Muffett revived the discussion around possible human factors to consider when devising a new and more secure system of onion addresses (such as the one suggested in proposal 224).

Sue Gardner invited active Tor community members to take part in a short survey as part of her work to devise a long-term strategic plan for the Tor Project.

Thomas White put out a call for “good guides on using Tor with common applications” to form part of a “small site dedicated to Tor usage [that] will convey, in as simple as possible terms, how to put as many applications as possible through Tor”.

This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Weekly News — August 8th, 2015

Welcome to the thirtieth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor is out

Nick Mathewson announced the second alpha release in the Tor 0.2.7.x series. This version includes improvements to the handling of Tor’s identity keys, which now use the Ed25519 elliptic curve signature format. It also allows onion service operators to specify a higher number of introduction points with a special configuration option, if the service is coming under heavy load, “at the cost of making it more visible that the hidden service is facing extra load”.

For full details of the many other developments in this release, please see Nick’s announcement. The source code is available as usual from Tor’s distribution directory.

Tor Browser 5.0a4 is out

The Tor Browser team put out their fourth alpha release in the 5.0 series of the privacy-preserving anonymous browser. “Most notably, this release contains an experimental defense against font fingerprinting by using an identical set of shipped fonts on all supported platforms”, wrote Georg Koppen. This version also fixes some of the issues created by the update to Firefox 38ESR, which “brings us very close to a stable Tor Browser 5.0, which we aim to release next week”.

Get your copy of the new alpha from the project page, or via the incremental updater if you are already using the alpha Tor Browser series.

Random number generation during Tor voting

One of the weaknesses of the current onion service design is that parts of it (such as the relays chosen by a service to upload its descriptor) rely on a list of Tor relays which is generated in a predictable way. This makes it possible for people with malicious intentions to insert their bad relays into the list at points of their choosing, in order to carry out attacks such as denials-of-service (as some researchers proved earlier this year). A good way of preventing this is to make Tor’s directory authorities jointly come up with a random number as part of their regular voting procedure, which is then used by onion services to choose the directories to which they will upload their descriptor information, and by clients to find those same directories. It could also be used by other systems as a shared source of randomness.

George Kadianakis published a draft proposal describing how this procedure could work. For a period of twelve hours, the directory authorities send each other a “commitment”, consisting of the hash of a 256-bit value. Once all authorities are aware of the others’ commitments, they then reveal to one another the values they committed to, for another twelve-hour period. At the end of that time, the revealed values are checked to see if they correspond to the commitments, and then they are all used to compute that day’s random value. This works because although you can use the commitment hash to verify that the value revealed is the same as the one decided upon twelve hours ago, you cannot derive the value itself from the commitment.

Please see the draft proposal in full for discussion of the finer points of the proposed system, or if you are a fan of ingenious solutions.
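The commit-and-reveal exchange described above, as an added example (not code from the draft proposal or from Tor): it assumes SHA-256 as the commitment hash, hypothetical authority names, and a combination rule (hashing the accepted values in sorted order) chosen only for illustration.

```python
import hashlib
import hmac
import secrets


def commit(value: bytes) -> bytes:
    """Commitment = hash of the secret 256-bit value (SHA-256 is an assumption)."""
    return hashlib.sha256(value).digest()


def verify_reveal(commitment: bytes, revealed: bytes) -> bool:
    """A reveal counts only if it is 256 bits long and hashes to the commitment."""
    return len(revealed) == 32 and hmac.compare_digest(commit(revealed), commitment)


def shared_random(commitments: dict, reveals: dict) -> tuple:
    """Return (random value, sorted names of authorities whose reveals were accepted).

    commitments: authority name -> hash received during the commit phase
    reveals:     authority name -> value received during the reveal phase
    """
    accepted = {}
    for name, commitment in commitments.items():
        revealed = reveals.get(name)  # None if the authority never revealed
        if revealed is not None and verify_reveal(commitment, revealed):
            accepted[name] = revealed
    if not accepted:
        raise ValueError("no valid reveals, so no shared random value")
    # Assumed combination rule: hash the accepted (name, value) pairs in sorted
    # order so that every participant derives the same output.
    h = hashlib.sha256()
    for name in sorted(accepted):
        encoded = name.encode()
        h.update(len(encoded).to_bytes(1, "big") + encoded + accepted[name])
    return h.digest(), sorted(accepted)


def simulate() -> dict:
    """Constructed run with four hypothetical authorities."""
    names = ["auth-a", "auth-b", "auth-c", "auth-d"]
    values = {n: secrets.token_bytes(32) for n in names}
    # Commit phase: only the hashes are exchanged.
    commitments = {n: commit(v) for n, v in values.items()}
    # Reveal phase: auth-c reveals a different value than it committed to,
    # and auth-d never reveals at all.
    reveals = dict(values)
    reveals["auth-c"] = secrets.token_bytes(32)
    del reveals["auth-d"]
    value, accepted = shared_random(commitments, reveals)
    honest_value, honest_accepted = shared_random(commitments, values)
    return {"value": value, "accepted": accepted,
            "honest_value": honest_value, "honest_accepted": honest_accepted}


if __name__ == "__main__":
    result = simulate()
    print("accepted reveals from:", result["accepted"])
    print("shared random value:", result["value"].hex())
```

The swapped reveal from auth-c is rejected because it no longer hashes to the commitment sent in the first phase, which is the check the twelve-hour reveal period exists to perform.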

CameraV (aka InformaCam) is out

The Guardian Project put out a full release of CameraV (or InformaCam), a nifty smartphone application that lets you “capture and share verifiable photos and video proof on a smartphone or tablet, all the while keeping it entirely secure and private”. It allows you to prove the authenticity of your photos by using “the built-in sensors in modern smartphones for tracking movement, light and other environmental inputs, along with Wi-Fi, Bluetooth, and cellular network information to capture a snapshot of the environment around you” and bundling this information into the picture file.

As you would expect, InformaCam is fully compatible with the Guardian Project’s Tor software offerings for Android, so whether you’re a citizen journalist or a keen phone photographer who values privacy, take a look at the CameraV page and try it out for yourself!

Monthly status reports for July 2015

The wave of regular monthly reports from Tor project members for the month of July has begun. Pearl Crescent released their report first (for work on Tor Browser development), followed by reports from David Goulet (on onion service research and development), Georg Koppen (working on Tor Browser), Isabela Bagueros (for overall project management), Karsten Loesing (working on Tor network tools and organizational tasks), Damian Johnson (on Nyx and stem development), and Juha Nurmi (on development).

The students in this year’s Tor Summer of Privacy also sent updates about their progress. Donncha O’Cearbhaill gave news of the OnionBalance load-balancing project, while Jesse Victors did the same for the OnioNS DNS-like system, Cristobal Leiva for the relay web status dashboard, and Israel Leiva for continuing development of the GetTor alternative software distributor.

Finally, the Tails team published their June report, bringing updates about outreach, infrastructure, funding, and ongoing discussions relating to the anonymous live operating system.

Miscellaneous news

The participants in the recent onion service hackfest in Washington, DC published a summary of the exciting progress they made during the meeting.

Arturo Filastò announced that an OONI-related hackathon entitled “ADINA15: A Dive Into Network Anomalies” will be held on October 1-2 in the Chamber of Deputies at the Italian Parliament in Rome. “This means that you are all invited…to put your design and data analysis skills to the test!”

David Fifield published the regular summary of costs incurred by the infrastructure for meek.

Nathan Freitas explored possible routes to an Android-compatible version of Ricochet, the exciting new privacy-preserving instant messaging application based on Tor onion services.

This issue of Tor Weekly News has been assembled by BitingBird and Harmony.


Tor Weekly News — July 22nd, 2015

Welcome to the twenty-ninth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

More TSoP status reports

The students in this year’s Tor Summer of Privacy continued work on their respective projects, as their status reports show.

Jesse Victors made significant progress on his DNS-like Onion Naming System (OnioNS) project at the recent onion service development meeting in Washington, DC. Many bugs were fixed and the software is now in a demonstration-ready state. The issue of implementing a global source of randomness, which is important for the next generation of onion services as well as for OnioNS, was also worked on. “The server-to-server communication needs a few bug fixes, but most of that code is in place. As soon as that is complete, I should be about ready for a beta test.”

Israel Leiva sent the first report on his GetTor enhancement project. GetTor now distributes links to copies of Tor Browser hosted on Github as well as Dropbox, and the text of the autoresponder was expanded with more information. Upcoming additions include a Google Drive script, distribution of mirror links, and the promotion of Github to the default download source.

Cristobal Leiva also sent his first report, for the relay web status dashboard project. A prototype UI has been created and development milestones have been prioritized: “Over the next two weeks I’ll be coding the graph and log components”.

Finally, Donncha O’Cearbhaill’s OnionBalance load-balancing system has been enhanced with unit tests, and has received some real-world testing courtesy of s7r.

Exciting progress all round!

Miscellaneous news

The Guardian Project announced new releases of Chatsecure and Orbot. Chatsecure v14.2.0 is “all about squashing bugs, reducing memory and improving network stability”, while Orbot 15.0.3-RC-3 features “overall improvements to system and server stability, improvements to Apps VPN mode support…improved launch and hidden service API for third-party app interaction”, and updates to Tor and OpenSSL.

Anthony G. Basile announced a new release of tor-ramdisk, the micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Version 20150714 includes updates to the distribution’s core software.

Nick Mathewson published proposal 248, which offers a migration path for “finally removing our old Ed25519 keys”.

Following the recent outage of meek-azure, David Fifield published a workaround for those who want to use this backend.

The Tails team is planning a sprint in November, possibly face-to-face, focusing on porting Tails to the current stable release of Debian, Jessie. “If you want to join the fun, let me know. If you’re interested in having a face-to-face sprint to work on this in November, let me know. If these dates don’t work for you, let me know”, wrote intrigeri.

The Intercept’s Micah Lee published a detailed beginner’s guide to secure online chat, including how to configure your chat client to use Tor.

For those who wish the modern world looked more like “Johnny Mnemonic” than “CITIZENFOUR”: you can hear Keanu Reeves narrating an unexpectedly soothing animation about the “Deep Web” and Tor onion services as part of Alex Winter’s upcoming documentary film on the subject.

This issue of Tor Weekly News has been assembled by Harmony.


Tor Weekly News — July 15th, 2015

Welcome to the twenty-eighth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Caspar Bowden

Caspar Bowden, a leading advocate for many years in the field of civil liberties, and a member of the Tor Project, Inc.’s board of directors, has died after a short illness. As the Tor Project wrote in a statement, Caspar “was a passionate supporter of universal human rights, including the right to privacy”: “The world has lost a voice of tremendous moral courage.”

A Caspar Bowden Legacy Fund has been established “to promote advocacy for privacy as a universal human right and privacy enhancing technologies as one means to protect it”, in accordance with Caspar’s request “that we work to ensure equal protection regardless of nationality”. If you would like to make a contribution to this fund in Caspar’s memory, please see the web page for further details.

The Tor Project launches its search for a new Executive Director

Following the departure of long-time Executive Director Andrew Lewman earlier this year, the Tor Project, Inc. has opened a world-wide search for its new Executive Director. As Wendy Seltzer, a member of the board of directors, writes: “We have engaged The Wentworth Company to help us with the search process, and invite the broader Tor community and friends to share the job posting among your networks. If you are or know a great leader with a passion for anonymous communication and free software, please contact Judy Tabak at Wentworth (judytabak at, other contact details in the posting) for more information or to be considered for the job.”

Tor is out

Nick Mathewson put out a new release in the current Tor stable series. Version contains a fix for a regression introduced in that made it difficult for clients to access onion services under certain circumstances — for example, if a hidden service restarts after a client connects, the same client would have been unable to connect again until the next hour. This version also “bulletproofs the cryptography init process, and fixes a bug when using the sandbox code with some older versions of Linux”.

“Everyone running an older version, especially an older version of 0.2.6, should upgrade”, writes Nick. Source code is downloadable from the distribution directory; packages will become available as their packagers package them.

New onion service-related proposals

A gathering of experts in Tor onion service research and development resulted (among other things) in two new Tor proposals for improving the anonymity and efficiency of services hosted inside the Tor network.

John Brooks and George Kadianakis expanded John’s earlier suggestion that the roles of “hidden service directory” and “introduction point” could be merged in the next generation of onion services, into what is now proposal 246. This innovation would simplify the relevant code, reduce load on the network, and limit the number of relays that can observe the service’s activity or serve as a fingerprint for an observer.

George also wrote up draft proposal 247, which tries to prevent “guard discovery attacks” (where an adversary is able to work out which Tor relay is being contacted directly by the target client, thereby allowing them to attack that relay itself and deanonymize the client) by making the attack significantly more costly to perform, using “vanguards”. By enabling a Tor configuration option, the service operator could pin the second and third hops (the “vanguards” in question) of their circuits for a longer period. A would-be attacker is then forced to carry out “a Sybil attack and two coercion attacks” before succeeding, as opposed to the current situation “where the Sybil attack is trivial to pull off, and only a single coercion attack is required”. “I consider this issue very important and any feedback is greatly appreciated”, wrote George.

This is privacy development at the most advanced level, and the waters are very much uncharted: there may be major design flaws, improvements, and counter-arguments lurking up ahead. If this is an area in which you feel you have a contribution to make, by all means take a look at the proposals, and then pitch in on the tor-dev mailing list!

ExoneraTor gets an update

The ExoneraTor service lets you use historical Tor network data to quickly determine whether or not a particular IP address was being used by a public Tor relay on a given date. This is useful if, for example, you’re the administrator of a web service that received malicious traffic on that date, and you want to find out if the IP address will be useful to your investigation of the problem.

After much discussion and feedback on the tor-relays list, Karsten Loesing and Julius Mittenzwei have updated ExoneraTor to offer a simpler, more intuitive service without unnecessary details that might confuse a non-specialist. Searches are now restricted to full days, rather than precise timestamps, to avoid most issues relating to timezone differences (ExoneraTor’s results are given in UTC, and searchers might forget to make adjustments for their local timezone); the form allowing searchers to check whether a relay permitted exit traffic to a target address and port has been replaced by an “Exit” column indicating whether or not any exit traffic was allowed by that relay, again for the sake of simplicity; and the overall look of the service has been streamlined, with clearer, non-technical explanations of Tor and ExoneraTor, and a translation into German (with more languages planned).

“Please give it a try, including the tricky edge cases where you expect it to break”, wrote Karsten. “And if you have any further feedback,” please send it to the tor-relays mailing list.

The Vegas plan continues to roll out

The “Vegas plan” — a reorganization of Tor’s active contributors into a more focused team-based structure, named after the fair city in which it was developed — continues to roll out, with the Measurement, Community, Networks, and Applications teams holding their first or second IRC meetings this week. Isabela Bagueros, Tor’s project manager, writes: “Keep an eye out for teams’ updates, and for things that can be done better; feedback will be key for making this successful, and that is why we will have a check-in during our next dev meeting. So follow up, participate, bring feedback!”

If you aren’t already working with one of the new teams, and feel you should be, please check in on IRC or the mailing lists, and someone will help direct you to the right place.

Miscellaneous news

The upcoming IETF Meeting in Prague will have a DNS Operations meeting on 20th July that will discuss both the draft proposal to reserve .onion as a special-use domain suffix (about which Tor Weekly News has written before), and other proposals for related projects like I2P and Gnunet. If you're going to Prague, consider attending this meeting and humming in support of reserving .onion and these other domains!

After a hiatus in activity on the tor-mirrors list, Sebastian Hahn updated the file used to build the directory of mirrors on the Tor Project website with changes made in the last few months. “If you notice any unexpected entries or think you should be on the list but aren’t, I’ll check what the problem is.”

This issue of Tor Weekly News has been assembled by Karsten Loesing, Tom Ritter, Wendy Seltzer, Isabela Bagueros, nicoo, and Harmony.

