Tor Weekly News — April 8th, 2015
Welcome to the fourteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.
Tor 0.2.5.12 and 0.2.6.7 are out
Roger Dingledine announced new releases in both the stable and alpha series of the core Tor software. Tor 0.2.5.12 and 0.2.6.7 both contain fixes for two security bugs that could be used to crash either onion services or clients trying to visit onion services. The releases also make it harder for attackers to overwhelm onion services by launching lots of introductions. For full details, please see the release announcement.
The bugs fixed in these releases are not thought to affect the anonymity of Tor clients or onion services. However, they could be annoying if exploited, so onion service operators should upgrade as soon as possible, while Tor Browser users will be updated with the upcoming Tor Browser stable release.
Tor Summer of Privacy — apply now!
Some of Tor’s most active contributors and projects got their start thanks to Google’s Summer of Code, in which the Tor Project has successfully participated for a number of years. This year, Google have decided to focus on encouraging newer, smaller projects, so rather than miss out on the benefits of this kind of intense coding program, Tor is launching its own Summer of Privacy, as Kate Krauss announced on the Tor blog.
The format is the same as before: students have the opportunity to work on new or existing open-source privacy projects, with financial assistance from the Tor Project and expert guidance from some of the world’s most innovative privacy and security engineers.
If that appeals to you (or someone you know), then see Kate’s announcement and the official TSoP page for more information on the program and how to apply. Applications close on the 17th of this month, so don’t leave it too late!
Should onion services disclose how popular they are?
Even on the non-private web, it is not possible by default to determine how popular a certain website is. Search engines and third-party tracking toolbars might be able to estimate the number of visitors a website gets, but otherwise the information is only available to the site’s operators or to groups who are able to measure DNS requests (as well as anyone in a position to eavesdrop on those two).
On the tor-dev mailing list, George Kadianakis posted a detailed exploration of this issue considered from the perspective of Tor onion services. If improvements and additions to the onion service design would, as a side effect, give an observer an idea of how popular a certain service is, should this be considered a security risk?
Some of the arguments put forward for the inclusion of popularity-leaking features are that they enable the collection of useful statistics; that they allow further optimization of the onion service design; and that concealing onion service popularity might not be necessary or even possible.
On the other hand, disclosing popularity might help an adversary decide where to aim its attacks; it may not actually offer significant performance or research benefits; and it may surprise onion service users and operators who assume that onionspace popularity is no easier to discover than on the non-private web.
“I still am not 100% decided here, but I lean heavily towards the ‘popularity is private information and we should not reveal it if we can help it’ camp, or maybe in the ‘there needs to be very concrete positive outcomes before even considering leaking popularity’”, writes George. “Hence, my arguments will be obviously biased towards the negatives of leaking popularity. I invite someone from the opposite camp to articulate better arguments for why popularity-hiding is something worth sacrificing.”
Please see George’s analysis for in-depth explanations of all these points and more, and feel free to contribute with your own thoughts.
More monthly status reports for March 2015
The wave of regular monthly reports from Tor project members for the month of March continued, with reports from Georg Koppen (for work on Tor Browser), David Goulet and George Kadianakis (working on onion services), Griffin Boyce (with news on secure software distribution, onion service setup, and Tails), Sherief Alaa (with updates about support and Arabic localization), Leiah Jansen (working on communication and graphic design), Sebastian Hahn (improving testability and fixing website issues), and Sukhbir Singh (for work on TorBirdy and Tor Messenger).
Nathan Freitas announced version 15 beta 1 of Orbot, which is “functionality complete”. “The main area for testing is using the Apps VPN mode while switching networks and/or in bad coverage, as well as using it in combination with Meek or Obfs4, for example. Also, the implementation is a bit different between Android 4.x and 5.x, so please report any difference you might see there.”
Nathan also shared Amogh Pradeep’s analysis of the network calls made in the latest version of the Firefox for Android source code, “to get our Orfox effort started again”.
This week in Tor history
A year ago this week, Nathan Freitas reported that the number of Orbot users in Turkey had quadrupled in the previous month, after an order by the Turkish government to block access to several popular social media websites led to a surge in Tor connections. This week, the same thing happened (albeit more briefly), leading to another increase in Tor use within Turkey.
The best time to prepare for these censorship events is before they happen — and that includes letting people around you know what they should do to ensure their freedom of expression remains uninterrupted. Show them the Tor animation and Tor brochures, help them install Tor Browser and Orbot, and teach them how to configure their social media applications to connect over Tor. If you make a habit of browsing over Tor, you may not even have to take any notice when things get blocked!
This issue of Tor Weekly News has been assembled by Harmony, nicoo, and Roger Dingledine.
Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!