Welcome to the seventh issue of Tor Weekly News, the weekly newsletter that covers what is happening in the fast-paced Tor community.

New Tor Browser Bundle releases

Mozilla released Firefox version 17.0.8esr on August 6th, fixing several release critical bugs. Three days later, the stable, beta and alpha versions of the Tor Browser Bundle were updated, along with Tails
(see below).

The stable 2.3.25-11 and 2.4.15-beta-2 also updates HTTPS Everywhere, PDF.js, NoScript and libpng to their latest version. Both bundles had a localization issue which was fixed in the subsequently released 2.3.25-12 and 2.4.16-beta-1.

Before updating your browser to the latest version, please pause and admire the enhanced download page. Kudos to J.M. Todaro for the design and patches and Andrew for the final integration.

The pluggable transports bundles have also been updated to 2.4.15-beta-2-pt1. Like previously, they contains flash proxy and obfsproxy configured to run by default. Using flash proxy requires a few extra steps, as before.

For more experimental matters, the new 3.0 series has seen the release of alpha3. On top of the previous updates, several other small improvements were made: in the new launcher and build system, in fingerprinting fixes and in a possible anonymity threat for Windows users coming from cloud anti-virus solutions. This is another opportunity to play with the new build system that should produce byte-to-byte identical results. Please have a try and report any discrepancies with Mike Perry’s builds.

Tails 0.20 has been released

The 32nd release of Tails is out. It fixes several security issues, and all users are advised to upgrade.

Among other small bugfixes, minor improvements and translation updates, this release tightens the security around Pidgin — by removing support for protocols other than IRC and XMPP — and restricting access to the ptrace(2) system call for unprivileged users.

Download, burn, and upgrade!

New release candidate for the 0.2.4 tor branch

Roger Dingledine announced the release of tor 0.2.4.16-rc, the latest incarnation of the 0.2.4 series. This release include several major and minor bugfixes.

The most important one is probably a crash that can be triggered remotely via badly formatted INTRODUCE1 cells. Roger advises: “Anybody running a hidden service on the experimental 0.2.4.x branch should upgrade”.

Erinn Clark has updated the beta version of the Tor Browser Bundle for a wider audience of testers.

About Tor Browser usability

Last week events sparked a good amount of discussions on Tor Browser usability. Several discussions on tor-talk and in other places revolved around the idea that “JavaScript should be disabled by default”. scarp wrote a good summary on why it is not so simple: “I understand that JavaScript was enabled globally in the Tor Browser Bundle for usability reasons as well as to prevent browser fingerprinting. […] If the torproject were to disable it by default, that would not ensure that users are protected in the future by similar methods. Sites can be written in a way that if you do not allow JavaScript they simply won’t work at all. If I was writing an exploit I’d do this to frustrate users so hopefully they enable JavaScript and accept my exploit.“ Roger Dingledine also improved the relevant question in Tor FAQ.

One possible solution to satisfy contradicting requirements would be to
add a “security slider” that would allow users to easily trade off
web compatibility over security. The slider would have three or four different positions that would gradually deactivate more and more features of the browser. One has to understand that the “most secure” should probably disable loading of any pictures. This also impacts the Tor Browser anonymity set but this is probably a trade off that can be afforded given the actual size of the Tor Browser user base.

scarp had also pined another big usability problem related to updating: “This exploit wasn’t new. […] Users running the latest Tor Browser Bundle didn’t have any issues as their browsers had been patched. It is inappropriate for a web browser to not be automatically updated.” Nick Mathewson recapitulated the latest plan that was discussed during the last summer dev. meeting to simply build upon Firefox update mechanism. The next step is to do a proper review. Hopefully, given it is “mature and widespread” and has been “proven to update Firefox”, we will not “run screaming for the hills” when looking at the disadvantages.

On a more general level, an unexpected comment came from Brendan Eich (Mozilla’s chief technology officer) on Twitter: “Maybe we should just adopt, support, and bundle Tor in Firefox...” David Dahl subsequently opened a bug report in Mozilla’s tracker to discuss a way forward. Mike Perry commented on a thread on the liberationtech mailing list: “In short, I am excited by this news, and I look forward to improving our communication and cooperation with Mozilla
on this front.”

Tails 2013 summit

The Tails team has sent a report on their 2013 development summit for which “a bunch of people spend a dozen days together in July”.

Read the report in full for all the details. Some highlights: task tracking have been moved to Redmine, tasks fit for new contributors has been better identified, progress has been made to move Tails to the current Debian stable release, the roadmap has been updated.

Communication channels are going to change a little bit “to ease involvement of new contributors, to make more workload sharing possible, and to be able to provide better user support”. As a start a new user support mailing list was created. Subscribe if you have questions or want to help fellow Tails users.

A lot of discussions revolved around “the growth of the project: given the growing number of users and our super-short release cycle, it is a challenge to keep the project sustainable and maintainable in the mid/long term.” Give the current project exposure, the report rightfully concludes: “Tails is living decisive times, so we expect the next year to be pretty interesting. You can perhaps make the difference, so do not hesitate joining the dance!”.

Three new proposals

On Monday, Nick Mathewson robbed everyone of his “I’m a little teapot” performance by releasing the following three new proposals:

Proposal 219 has been written a year ago by Ondrej Mikle. It is currently at draft stage. Its goal is to make Tor support any DNS query type and also support full DNSSEC resolution. The latter is important as it provides “protection against DNS cache-poisoning attacks” but is made tricky given a routine hostname resolution with DNSSEC “can require dozens of round trips across a circuit”.

In another draft proposal, Nick Mathewson describes a plan for a smooth transition from the current 1024-bit RSA keys used for router identity and TLS links to Ed25519-SHA-512 keys. Several small details still have to be ironed out. This proposal does not address hidden service keys. They will have to be addressed in another proposal once an agreement has been reached regarding the best crypto scheme.

Now that the ntor onionskin handshake has been implemented in 0.2.4, we could get better forward secrecy by having clients stop sending CREATE_FAST cells. Nick Mathewson has issued proposal 221 to detail the reasons and the implications of such change.

All these proposals are now up for discussions on the tor-dev mailing list.

Miscellaneous news

Jens Kubieziel researched how to get a GnuPG version for Windows in a secure way, something needed for users that would like to properly verify the Tor Browser Bundle signatures on Windows systems.

George Kadianakis wrote on how to deploy your very own pluggable transport explaining what to do before, while and after coding a new pluggable transport. Given they were designed to be “pluggable”, “it should be easy to write new [ones]”. So be sure to read these advices and start experimenting!

A new round of GSoC reports arrived to the tor-dev mailing list: Johannes Fürmann about EvilGenius, Cristian-Matei Toader about Tor capabilities, Hareesan about the Steganography Browser Extension, and Kostas Jakeliunas about the searchable metrics archive. All of them seems to be making good progress. Let’s wish them success for the last six weeks!

More reports came from the July 2013 wave: the Tor Help Desk by Runa Sandvik, and Moritz Bartl.

Andrew Lewman gave a talk during the US National Network to End Domestic
Violence’s (NNEDV) annual technology summit. His presentation
covered “a quick overview of Tor, why I’m here talking about domestic
violence and intimate partner abuse, and what we’re doing to help.”. Be
sure to read his report in full.

Thanks to Paul Templeton from CoffsWiFi, and nsane for running new Tor website mirrors.

Several people are trying to assemble localization teams for Tails: Miriam Matar for Arabic, irregulator for Greek, hemlockii for Turkish. Tails policy regarding website translations specifies that “a team of translators, not just one person, is necessary”, so please join if you can help!

Help Desk Roundup

Below is a summary of some frequent questions received at the Tor help desk this past week:

Users are frequently confused by the message they receive from GetTor. Currently the Tor Browser Bundle is too large to send over GetTor, so users instead receive three mirrors with a link to a page with all available translations of the Tor Browser Bundle. Many users email the help desk unsure of what this page means or which package they need.

A number of users asked whether or not they needed to disable JavaScript in the Tor Browser Bundle. While the vulnerability in Firefox does not affect the latest Tor Browser Bundle, disabling JavaScript globally will reduce one’s risk of being affected by future JavaScript exploits. Users were asked to choose for themselves between greater protection inside the browser or a browsing experience with more functionality enabled.

This issue of Tor Weekly News has been assembled by Lunar, malaparte, mttp, Phoul, Tails developers, David Fifield, Nick Mathewson, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!