Welcome to the sixth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tails 0.22.1 is out

The Tails team cut its 36th release on February 4th. Their Debian-based live operating system continues to provide anonymity by ensuring that all outgoing connections are routed through Tor, and privacy by ensuring that no traces are left without the user’s knowledge.

Tails 0.22.1 contains security fixes to Firefox, NSS, and Pidgin. It also brings an updated Linux kernel and several fixes for regressions and small issues.

While advertised as a minor version, the new incremental upgrades are a major usability improvement. Previously, upgrading Tails basically meant installing Tails again by downloading the image and putting it on a DVD or a USB stick. Users who store persistent data in their Tails instance then had to use this new medium to upgrade the stick with their data. A tedious process, to say the least. Now, with incremental upgrades, Tails users with USB sticks will be prompted to perform a few clicks, wait, and reboot to get their system up-to-date.

One usability change might surprise long time Tails users: the browser now has to be manually opened when Tor has successfully reached the network.

As always, be sure to upgrade! Users of Tails 0.22 on USB sticks can do so easily by running the Tails Upgrader application in the Tails menu.

Tor Browser Bundle 3.5.2 is released

The Tor Browser team delivers a new Tor Browser Bundle. Version 3.5.2 brings Tor users important security fixes from Firefox and contains fixes to the “new identity” feature, window size rounding, and the welcome screen with right-to-left language, among others.

The curious can take a peek at the changelog for more details. Every Tor user is encouraged to upgrade as soon possible. Jump to the download page!

Call to bridge operators to deploy ScrambleSuit

In the beginning there was Tor. When censors started filtering every known relay address, bridges were invented as a way to access the Tor network through unlisted relays. Deep packet inspection systems then started to filter Tor based on its traffic signature, so pluggable transports and obfucation protocols were designed in order to prevent bridge detection.

Currently, obfuscation is achieved through “obfs2” and “obfs3”. obfs2 is flawed; it’s detectable by deep packet inspection and is being phased out. obfs3 is unfortunately still vulnerable to active probing attacks. As obfs3 bridges are open to anyone, an attacker who uses a traffic classifier and finds an unclassified connection can figure out if it’s Tor simply by trying to connect through the same destination.

ScrambleSuit comes to the rescue. On top of making the traffic harder to recognize by timing or volume characteristics, ScrambleSuit requires a shared secret between the bridge and the client. A censor looking at the connection won’t have this secret, and therefore be unable to connect to the bridge and confirm that it’s Tor.

obfsproxy 0.2.6 was released last week and adds ScrambleSuit to the set of available pluggable transports. Bridge operators are now called to update their software and configuration. At least Tor 0.2.5.1-alpha is required. The latest version of obfsproxy can be installed from source, pip and Debian unstable.

There must be a critical mass of bridges before ScrambleSuit is made available to the Tor users who need it, so please help!

More status reports for January 2014

The wave of regular monthly reports from Tor project members for the month of January continued. Kevin P Dyer, Nick Mathewson, Georg Koppen, Karsten Loesing, Jacob Appelbaum, Arturo Filastò, Isis Lovecruft and Nicolas Vigier all released their reports this week.

Roger Dingledine has also sent the report to SponsorF.

Miscellaneous news

Most Tor developers will gather next week in Reykjavík, Iceland for the 2014 winter meeting. Expect a drop in activity on the usual communication channels while everyone is busy with face-to-face conversations. See upcoming events for activities open to the larger Tor community.

David Fifield is looking for testers for experimental 3.5.2 browser bundles with tor-fw-helper. “tor-fw-helper is a tool that uses UPnP or NAT-PMP to forward a port automatically” — something that flashproxy requires. David is “interested in finding out how likely it is to work”.

David Goulet gave us an update on the development of Torsocks 2.x. He hopes to perform a “full on release” after the Tor developers meeting.

”The Trying Trusted Tor Traceroutes project is coming closer to the next data review (03/2014)” wrote Sebastian Urbach. If you are a relay operator, please help find out how Tor performs against network-level attackers. The team now has a scoreboard with feedback for the participants.

One relay started to act funny regarding its advertised bandwidth. Roger Dingledine quickly reported his worries to the tor-talk mailing list. A couple of hours later Hyoung-Kee Choi accounted that one of the students from his research group had made a mistake while experimenting on the Tor bandwidth scanner. Directory authorities are now restricting its usage in the consensus.

On February 11th, the Tor Project participated on The Day We Fight Back, a global day of mobilization against NSA mass surveillance.

Tor help desk roundup

Tor supporters are often curious about the legal risks involved in running a Tor relay. The Tor Project is not aware of any country where running Tor is a punishable offense. Running a bridge relay or a non-exit relay is the best way to grow the Tor network without being exposed to additional legal scrutiny. The decision to run an exit relay should be made only after carefully reviewing the best practices. Unlike non-exit and bridge operators, exit relay operators need to be prepared to respond to abuse complaints.

Users continue to express interest in a 64-bit Tor Browser Bundle for Windows. Work to provide this new variant is on-going.

News from Tor StackExchange

strugee is running a Fast, Running and Valid relay and wonders when the relay will get the V2Dir flag. weasel answered that relays should “get the V2Dir flag simply by publishing a DirPort”, but that Tor will not always publish a DirPort: the full list can be found in the source code.

Ivar noted that the site How’s my SSL thinks that the SSL configuration of the Tor Browser is bad and wondered how the situation could be improved. Jens Kubieziel explained some settings for about:config and pointed to a more detailed blog post. Sam Whited also pointed out some settings for Firefox and noted that Firefox 27 improved the rating to “probably good” which will help the Tor Browser in the future.

fred set up a relay on a Windows machine where µTorrent is used besides Tor. When Tor is enabled many trackers become unreachable, but come back as soon as the relay is disabled. An explanation to this behaviour has yet to be found, don’t hesitate to chime in.

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, Paul Feitzinger, qbi, Roger Dingledine and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to
get involved!