Welcome to the 6th issue of Tor Weekly News, the weekly newsletter that covers what is happening in the resilient Tor community.

Large hidden services provider compromised, attacks older TBB versions

Andrew Lewman wrote: “Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor network.”

It turned out that Freedom Hosting, a company specializing in hosting websites accessible through Tor hidden services, was compromised. As Andrew puts it, “From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers.” Andrew also reiterated that “the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research”.

The Tor Browser is currently based on Mozilla Firefox 17 ESR. With the help of Mozilla and other researchers it was understood that the exploit used a vulnerability in Firefox JavaScript engine to attack Windows users of the Tor Browser Bundle. This vulnerability was fixed in Firefox 17.0.7 ESR and subsequently in versions 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013) 3.0alpha2 (released June 30 2013) and 2.4.15-beta-1 (released July 8 2013).

Users running updated versions, and those who have disabled JavaScript, are not affected by the exploit.

Roger Dingledine issued a security advisory with advice to mitigate future issues: “be sure you’re running a recent enough Tor Browser Bundle”, “be sure to keep up-to-date in the future”, “consider disabling JavaScript”, “consider switching to a “live system” approach like Tails”, “be aware that many other vectors remain for vulnerabilities in Firefox”. It is strongly advised to read the advisory in full.

The versions of Firefox used in Pluggable Transport bundles are still vulnerable. Replacements have been built, with credit to David Fifield, but they are yet to be released.

The press is running many stories covering these events, several containing false information. A better example is Kevin Poulsen’s article published in Wired on August, 5th. It did however assert “the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle”, in-fact most recent Tor Browser Bundle releases, with the exception of Pluggable Transports bundles, contained the patched version of Firefox ESR.

Monthly status reports for July 2013

The wave of regular monthly reports from Tor project members for the month of July has begun. Philipp Winter was first this time, followed by reports from Arlo Breault, Nick Mathewson, Noel David Torress Taño, Colin C., Sherief Alaa, Karsten Loesing, Damian Johnson, Mike Perry, George Kadianakis, and Andrew Lewman.

Miscellaneous news

Tails developers issued a call for testing of the first release candidate of the upcoming 0.20 [21]. Send them your reports!

Security researcher Jason Geffner presented a new tool to route all TCP/IP and DNS traffic through the Tor network on Windows called Tortilla during Black Hat USA 2013 and subsequently on the tor-talk mailing list. Binary and source code are available and are awaiting reviews by the community.

Wendell announced the first release of Tor.framework, a “Cocoa framework that allows developers to write apps for Mac OS X and iOS that work over the Tor onion routing network”. No comments have been made yet. Feel free to look at the source code, review and experiment.

Jerzy Łogiewa asked on tor-talk if Tor hidden services could be made to work near the speed of the standard web. Arian Sanusi replied that speed of light was actually the limiting factor for latency issues: “if relays were homogeneous distributed among the globe, two random relays will be 1/4 earth circumference apart on average. […] That’s 400ms from finite speed of light. Switches, routers and relays along the way will add to that.”

Thanks to Michael Marz and Neo for running new mirrors of the Tor website.

This issue of Tor Weekly News has been assembled by dope457, malaparte, Lunar, harmony, and Yawning.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing-list if you want to get involved!