Welcome to the sixth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the community around Tor, “your online an-onionising software”.

The 2015 Tor UX Sprint

Many open-source privacy tools struggle with questions of usability: so much effort goes into ensuring they are secure that few resources are left over to work on the user experience. But as Linda Lee and David Fifield write, “usability is critical to security”: user interface issues “can degrade user experience, cause confusion, or even cause people to accidentally deanonymize themselves”.

To explore, and hopefully solve, some of these problems, a group of Tor developers, designers, users, and researchers met at UC Berkeley at the start of the month. As part of the weekend, users were asked to walk through the process of installing and running Tor Browser, noting aloud their assumptions and reactions as they went.

Issues and “stopping points” (where users find the process too difficult to continue) discovered during these sessions were noted, and have been assigned tickets on Tor’s bug tracker. For more details of the event and its outcomes, please see Linda and David’s post; “if you are interested in helping to improve the usability of Tor Browser, get in touch by email or IRC”.

Tor and the Library Freedom Project

As Tor Weekly News reported last September, Massachusetts librarian and activist Alison Macrina has been leading a campaign to educate colleagues and library patrons on the state of digital surveillance and the use of privacy-preserving software such as Tor and Tails. As Alison and April Glaser wrote at the time, “libraries provide access to information and protect patrons’ right to explore new ideas, no matter how controversial or subversive”.

These initial workshops formed the basis for the Library Freedom Project, which has just received a grant from the Knight Foundation to expand its activities beyond the New England region. In a guest post on the Tor blog, Alison introduced the project, the motivations behind it, and its plans for the next few years, as well as suggesting some possible areas for collaboration with the Tor community in the future: “One specific way that librarians can help the Tor Project is with usability issues – we have lots of experience helping ordinary users with common usability problems […] Librarians can also run dev sprints, help update documentation, and generally advocate for tools that help safeguard privacy and anonymity.”

For more information on the Library Freedom Project, or to propose your own ideas, please see the project’s website. Thanks to Alison and colleagues for this important work!

Vidalia laid to rest

Now that Vidalia, the graphical user interface for Tor, has been completely unmaintained ”for too long to be a recommended solution”, Sebastian Hahn has removed the last links to Vidalia-related content from the Tor Project website. If you are still using a version of Tor Browser (outside of Tails) that contains Vidalia, it is almost certainly too old to be safe, so please upgrade as soon as possible.

Vidalia is still shipped in the latest version of Tails, however, so the Tails team has been working on a simple interface to replace one of the most-missed features of the defunct program, the circuit visualization window. The Tor Browser team have already implemented a similar per-site circuit diagram in the current 4.5-alpha series, so there should soon be no reason at all for users to continue controlling their Tor through Vidalia.

More monthly status reports for January 2015

The wave of regular monthly reports from Tor project members for the month of January continued, with reports from George Kadianakis, Pearl Crescent, Michael Schloh von Bennewitz, Nick Mathewson, Karsten Loesing, and Arlo Breault.

Mike Perry reported on behalf of the Tor Browser team, and George Kadianakis sent out the report for SponsorR.

Miscellaneous news

George Kadianakis linked to the technical report produced by the team working on statistics related to the amount of hidden service usage on the Tor network; Karsten Loesing added some more information regarding the fraction of network activity this represents. These are advanced calculations, so if you’re not experienced in data science but want to know more about this topic, the team will be back shortly with a more “casual-reader-friendly” analysis of the results.

“Fresh off a round of real-world intensive testing and debugging using spotty 2.5G coverage in the foothills of the Himalayas”, Nathan Freitas of the ever-intrepid Guardian Project announced the first release candidate for version 14.1 of ChatSecure, the “most private” messaging client for Android and iOS, featuring numerous improvements to usability, stability, and network handling. Please see Nathan’s announcement for the full changelog.

Nathan also shared a “very early” incarnation of PLUTO, “a simplified means for developers to include traffic obfuscation capabilities into their applications” with initial support for obfs4 and meek. “We think many apps could utilize this approach to defeat DPI filtering, and that this would be useful to offer decoupled from the way Tor integrates it”.

David Fifield posted a tutorial for configuring the meek pluggable transport to work with hard-to-block HTTPS websites interested in helping censored Tor users, rather than the large content delivery networks it currently uses, along with the regular summary of the costs incurred by meek’s infrastructure last month: “meek has so far been a smashing success. It’s the #2 pluggable transport behind obfs3 and it moved over 5 TB of traffic last month. But the costs are starting to get serious.” If you have ideas for supporting this vitally important anti-censorship tool, please see David’s message for more details.

Also in meek news, Across The Great FireWall published a Chinese-language introduction to the concepts underpinning this pluggable transport. Other resources (in Chinese and other languages) are listed on the wiki.

Nick Mathewson took to the Tor blog to explain exactly what Tor design proposals are for and how they are written, and offered status updates (and review recommendations) for some new and still-open proposals.

Nick also asked relay operators to contribute their advice to a relay hardening guide that could be shipped with Tor.

Arturo Filastò asked for help in coming up with a roadmap for the future of the Open Observatory of Network Interference, asking for opinions on a range of possible development, deployment, and research projects. Feel free to let the ooni-dev list know which of the ideas catches your attention.

After soliciting feedback on including newer pluggable transports in Tails, the Tails team decided to focus on obfs4 and then (“tentatively”) meek for upcoming versions of the anonymous live operating system.

Tom “TvdW” van der Woerdt wrote a detailed report on his experience implementing a Tor client from scratch in the Go programming language, following Tor’s specification document. One instance of “GoTor” briefly broke the Tor relay speed record with 250 megabytes/second, but Tom ultimately decided that Go isn’t the right language for such a thing, as its library support doesn’t make it easy enough to do. Thanks to Tom for running the experiment, and catching some specification errors in the process!

Even though Tor Browser is not vulnerable to the recent WebRTC IP attack proof-of-concept proof-of-concept, Mike Perry nevertheless invited “interested parties to try harder to bypass Tor in a stock Firefox using WebRTC and associated protocols (RTSP, SCTP) with media.peerconnection.enabled set to false”, before a plan to enable WebRTC-based QRCode bridge address resolution and sharing in Tor Launcher is implemented.

Shadow, the tool by Rob Jansen that allows full Tor network simulation, now has a new website. As Rob wrote: “The new website still uses the Jekyll engine, and is a stripped down customized version of the open source SOLID theme. Please send me feedback if you have it.”

Jillian York of the EFF discussed the problems of over-reliance on US government funding — and the dearth of other funding streams — for anti-surveillance tools, including Tor.

Seven of the eleven activists arrested last year in Spain for, amongst other things, having had email accounts with the technical collective Riseup — longtime Tor allies and operators of one of the directory authorities — have been released from prison. As Riseup wrote following the arrests, “security is not a crime”: “Giving up your basic right to privacy for fear of being flagged as a terrorist is unacceptable.”

Easy development tasks to get involved with

Two problems confronting Mac users who want to download Tor Browser are the “disk image” format and Apple’s Gatekeeper security system. If these users try to run Tor Browser directly from the disk image window that opens after downloading, they will receive an error telling them “Firefox is already running”, and if they correctly move the program to the Applications folder, Gatekeeper will prevent them from running it directly anyway.

If you have access to a machine running the latest version of Mac OS X, and want to spend ten minutes making life easier for Tor users, the Tor Browser download page would benefit from screenshots showing users how to drag the program to the Applications folder, and how to disable Gatekeeper by control-clicking on the Tor Browser icon when running for the first time. Please see the relevant bug ticket for a nice set of example screenshots; your contribution will be gratefully received!

This issue of Tor Weekly News has been assembled by Harmony, Roger Dingledine, Kate Krauss, and David Fifield.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!