Tor Weekly News — March 19th, 2014

Welcome to the eleventh issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Accessing the Tor network from China

In a new blog post How to read our China usage graphs, Roger Dingledine looks at the current situation of how Tor is able to circumvent censorship on Chinese Internet accesses. Indeed, if one only looks at the current bridge users graph, one might believe that Tor is not a solution for users in China.

“The correct interpretation of the graph is ‘obfs3 bridges have not been deployed enough to keep up with the demand in China’. So it isn’t that Tor is blocked — it’s that we haven’t done much of a deployment for obfs3 bridges or ScrambleSuit bridges, which are the latest steps in the arms race” writes Roger.

The upcoming version — currently in QA phase — of the Tor Browser will include support for the pluggable transports obfs3, FTE and Flashproxy. Having these transports ready to be used in a couple of clicks should help Chinese users.

The “obfs3” protocol is still vulnerable to active probing attacks. The deployment of its replacement, ScrambleSuit, is on-going. As Roger highlighted, “we need to get more addresses”. Several ways have been thoughts in the past, but until there is more cooperation from ISP and network operators, your can make a difference by running a bridge if you can!

On another front, work is currently on-going on the bridge distributor to improve how censored users can get a hand on bridge addresses. Yawning Angel also just released the first version of obfsclient which should help making ScrambleSuit available on Android devices. All in all, the Tor community can hope to welcome back more users from China in a near future.

Circumventing censorship through “too-big-too-block” websites

Late January, David Fifield introduced a new pluggable transport called meek. It can be described as “a transport that uses HTTP for carrying bytes and TLS for obfuscation. Traffic is relayed through a third-party server (Google App Engine). It uses a trick to talk to the third party so that it looks like it is talking to an unblocked server.” The approach is close to the GoAgent proxy that has a certain popularity in China.

With the current version, using Google App Engine, the transport requires no additional configuration. But David also mentioned that a PHP script could also be a good candidate to relay the traffic. Combined to ScrambleSuit, it could allow “a real web site with real pages and everything” to be used as a bridge if a user can provide the shared secret.

David has made available experimental versions of the Tor Browser for anyone to try. The source code has recently moved to the Tor Project’s infrastructure, and is ready for more eyes and fingers to play with it.

Switching to a single guard node?

Last October, Roger Dingledine called for research on improving Tor’s anonymity by changing guard parameters . One of these parameters is the number of guard nodes used simultaneously by a Tor client.

Following up on the paper written by Tariq Elahi et al., Roger’s blog post, and recent discussions during the winter dev. meeting, George Kadianakis made a detailed analysis of the implications of switching to a single guard node . He studied the performance implications of switching to a single guard, the performance implications of raising the minimum guard bandwidth for both clients and the overall network, and how the change would affect the overall anonymity and fingerprintability of Tor users.

Jumping to conclusions: “It seems that the performance implications of switching to 1 guard are not terrible. […] A guard bandwidth threshold of 2MB/s […] seems like it would considerably improve client performance without screwing terribly with the security or the total performance of the network. The fingerprinting problem will be improved in some cases, but still remains unsolved for many of the users […] A proper solution might involve guard node buckets”.

For a better understanding, be sure to look at George’s work which includes graphs and proper explanations.

Miscellaneous news

George Kadianakis announced obfsproxy version 0.2.7. The new release fixes an important bug “where scramblesuit would basically reject clients if they try to connect a second time after a short amount of time has passed.” Bridge operators are strongly advised to upgrade from source, pip, or the upcoming Debian packages.

The submission deadline for this year’s Google Summer of Code is the 21st: this Friday. Several students already showed up on the tor-dev mailing list, but as Damian Johnson says: “If you’re procrastinating until the last minute then please don’t!”

Tails logo contest is happily on-going. Several submissions have already been received and can be seen on the relevant blueprint.

Kelley Misata and Karen Reilly attended the South by Southwest (SXSW) Interactive festival in Austin, Texas.

Relay and bridge operators might be interested in Ramo’s first release of a Tor plugin for Nagios. It can currently check for a page fetch through the SOCKS proxy port, the hibernation state, the current bandwidth, ORPort reachability, DirPort reachability, and the bytes remaining until hibernation.

Nicolas Vigier sent his monthly report for February.

Tails won the 2014 Endpoint Security prize from Access. The prize recognizes Tails “unique positive impact on the endpoint security of at-risk users in need”. Congrats!

The Format-Transforming Encryption project at Portland State University received an unexpected 100,000 USD grant from Eric Schmidt.

Tor help desk roundup

The help desk has seen an increase in Russian language support requests amidst news that the Russian Federation began censoring a number of websites. Unfortunately, the help desk is not able to provide support in Russian for now. Changes in the number of Tor users by country can be observed on the project’s metrics page.

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!