Welcome to the twenty-third issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.2 is out

Version 3.6.2 of the Tor Browser has been released, featuring “a fix to allow the configuration of a local HTTP or SOCKS proxy with all included Pluggable Transports”, as well as important fixes to mitigate recent OpenSSL vulnerabilities, among other security updates. All users are advised to upgrade as soon as possible.

The EFF announces its 2014 Tor Challenge

As part of the wider “Reset the Net” event, the Electronic Frontier Foundation has launched another in its occasional series of Tor Challenges. The goal of the campaign is to increase the Tor network’s capacity and diversity by encouraging members of the public to run relays, and directing them to the legal and technical guidance necessary to do so.

So far, over 600 relays have been started (or had their capacity increased) as part of the campaign: you can see a running total of relays and bytes transferred on the campaign page. Once you’ve set up your relay, you can register it on the page (anonymously or credited to your name); stickers and T-shirts are on offer for those who run relays of a certain size or for a certain period.

If you run into trouble setting up your relay, you can also find expert advice and discussion on the tor-relays mailing list or the #tor channel on irc.oftc.net.

Tor and the “EarlyCCS” bug

Following April’s much-loved “Heartbleed” bug, another OpenSSL vulnerability was discovered — nicknamed “EarlyCCS” — that could have an impact on the security of many internet services, including Tor. Nick Mathewson explained that although “Tor is comparatively resilient to having one layer of crypto removed”, it may be affected to the extent that “an adversary in the position to run a MITM attack on a Tor client or relay could cause a TLS connection to be negotiated without real encryption or authentication.”

Tor users and relay operators should make sure to update their OpenSSL and Tor packages as soon as possible; those using a system tor (rather than or in addition to the Tor Browser) should ensure that they restart it once the updates are installed; otherwise they will not take effect.

A new website for the directory archive

Karsten Loesing announced the new CollecTor service, which spins off the directory archive section from the Metrics portal.

What’s different? Archive tarballs are now provided in a directory structure rather than a single directory, recently published descriptors can now be accessed much more easily, and the documentation of descriptor formats has been updated.

The now obsolete rsync access to metrics-archive and metrics-recent will be discontinued on August 4, 2014.

More monthly status reports for May 2014

The wave of regular monthly reports from Tor project members for the month of May continued, with reports from Karsten Loesing, Isis Lovecruft (who submitted reports for both April and May), George Kadianakis, Nicolas Vigier, and Roger Dingledine.

Roger also sent the report for SponsorF.

Miscellaneous news

The Tails developers formally announced the upcoming Tails Hackfest, inviting absolutely “anyone interested in making Tails more usable and more secure” to join them in Paris on the 5th and 6th of July (immediately after the Tor dev meeting) and “learn about the challenges faced by Tails, and how you can be part of the solution”. Fuller details of the venue and timetable can be found on the Tails website.

Several of Tor’s Google Summer of Code students submitted their regular progress reports: Juha Nurmi on the ahmia.fi project, Israel Leiva on the GetTor revamp, Amogh Pradeep on the Orbot+Orfox project, Quinn Jarrell on the pluggable transport combiner, Marc Juarez on the link-padding pluggable transport development, Noah Rahman on the Stegotorus refactoring work, Sreenatha Bhatlapenumarthi on the Tor Weather rewrite, Daniel Martí on the implementation of consensus diffs, and Mikhail Belous on the multicore tor daemon.

Thanks to moparisthebest for running a mirror of the Tor Project website!

Roger Dingledine asked the tor-relays mailing list about the situation of Mac OS X users who would like to run Tor relays, and what steps should be taken to make it easier for them to do so “now that the Vidalia bundles are deprecated and hard to find”.

Isis Lovecruft has deployed BridgeDB version 0.2.2 which contains many fixes and translation updates. The email autoresponder should not reply with empty emails any more.

Damian Johnson has written up several ideas regarding a possible rewrite of the ExoneraTor service in Python.

HTTPS is sometimes heavily throttled by censors, making it hard to download the Tor Browser over an HTTPS link. Israel Leiva is asking for feedback about making the GetTor email service reply with links to unencrypted HTTP servers as a work-around.

Tor help desk roundup

The help desk has been asked for information on TorCoin, a proposed cryptocurrency. TorCoin is not affiliated with or endorsed by the Tor Project. The Tor Project publishes guidelines on the use of its trademark to try to prevent confusing uses of the Tor name.

Easy development tasks to get involved with

obfsproxy, the traffic obfuscator, opens the “authcookie” file for each new incoming connection. George Kadianakis suggests that it should instead read the file on startup and keep its content in memory during operation. obfsproxy is written in Python/Twisted. The change should be pretty small, but if you like finding the right places that need changing, feel free to look at the ticket and post your patch there.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, Karsten Loesing, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!