Tor Weekly News — September 4th, 2013

Welcome to the tenth issue of Tor Weekly News, the weekly newsletter that covers what is happening in the skyrocketing Tor community.

Serious network overload

<borealis> if it really is a coordinated attack from a bot twice the size of the regular tor network i'm much surprised tor is still usable at all

— borealis in #tor, 2013-09-02 18:38 UTC

The tremendous influx of new clients that started mid-August is stretching the current Tor network and software to its limits.

Several relay operators reported their relays to be saturated by the amount of connections and circuits that relays currently have to handle.

Mike Perry wishing to “compare load characteristics since 8/19 for nodes with different types of flags” issued a call to relay operators: “especially useful [are] links/graph images for connection counts, bandwidth, and CPU load since 8/19.”

It was reported on IRC that on some relays, only one circuit was successfully created out of four attempts. This unfortunately implies that clients retry to build more circuits, resulting in even more load on Tor relays.

The tor 0.2.4 series introduced a new circuit extension handshake dubbed “ntor”. This new handshake is faster (especially on the relay side) than the original circuit extension handshake, “TAP”. Roger Dingledine came up with a patch to prioritize circuit creations using ntor over TAP. Various observers reported that these overwhelming unidentified new clients were likely to be using Tor 0.2.3. Prioritizing ntor is then likely to make them less a burden for the network, and should help the network to function despite being overloaded by circuit creations.

Sathya and Isis both reported the patch to work. Nick Mathewson pointed out a few issues in the current implementation but overall it looks like a band-aid good enough for the time being.

Latest findings regarding traffic correlation attacks

Erik de Castro Lopo pointed tor-talk readers to a new well written paper named Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. To be presented at the upcoming CCS 2013 conference this November in Berlin, Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson describe their experiments on traffic correlation attacks.

This research paper follows on a long series of earlier research papers to better understand how Tor is vulnerable to adversaries controlling portions of the Tor network or monitoring users and relays at the network level.

Roger Dingledine wrote to tor-talk readers: “Yes, a big enough adversary can screw Tor users. But we knew that. I think it’s great that the paper presents the dual risks of relay adversaries and link adversaries, since most of the time when people are freaking out about one of them they’re forgetting the other one. And we really should raise the guard rotation period. If you do their compromise graphs again with guards rotated every nine months, they look way different.”

One tricky question with raising guard rotation period is: “How do we keep clients properly balanced to match the guard capacities?” It is also probably another signal for any Tails supporter that wishes to help implementing guard persistence.

“I have plans for writing a blog post about the paper, to explain what it means, what it doesn’t mean, what we should do about it, and what research questions remain open” wrote Roger. Let’s stay tuned!

A peek inside the Pirate Browser

Torrent-sharing website The Pirate Bay started shipping a custom browser — the Pirate Browser — on August 10th. They advertised using Tor to circumvent censorship but unfortunately did not provide any source code for their project.

Matt Pagan examined the contents of the package in order to get a better idea of what it was. He compared the contents of the Pirate Browser 0.6b archive using cryptographic checksums to the contents of the Tor Browser Bundle 2.3.25-12 (en-US version).

According to Matt’s findings the Pirate Browser includes unmodified versions of tor and Vidalia 0.2.20. The tor configuration contains slight deviation from the one shipped with the Tor Browser Bundle. One section labeled “Configured for speed” unfortunately shows wrong understanding of the Tor network. Roger Dingledine commented in a subsequent email: “Just for the record, the three lines here don’t help speed much (or maybe at all).”

The remaining configuration change that “probably has the biggest impact on performance“, according to Roger, excludes exit nodes from Denmark, Ireland, United Kindgom, the Netherlands, Belgium, Italy, China, Iran, Finland, and Norway. “Whether it improves or reduces performance [Roger] cannot say, though. Depends on a lot of complex variables around Internet topologies.”

The browser itself is based of Firefox 23.0, with FoxyProxy configured to use Tor only for a few specific addresses, and a few extra bookmarks.

Later, Matt also highlighted that some important extensions of the Tor Browser, namely HTTPS Everywhere, NoScript, and Torbutton were also missing from the Pirate Browser.

In any cases, the Pirate Browser is unlikely to explain the sudden influx of new Tor clients. grarpamp forwarded an email exchanged with the Pirate Browser admin contact which shows that numbers (550 000 known direct downloads) and dates (“most downloads during the first week”) do not match.

Monthly status reports for August 2013

The wave of regular monthly reports from Tor project members for the month of August has begun. Sherief Alaa released his report first, followed by reports from George Kadianakis, Lunar, Arturo Filastò, Colin C., Arlo Breault, Philipp Winter, Roger Dingledine, Karsten Loesing, and Isis Lovecruft. The latter also caught up with June, and July.

Help Desk Roundup

This week Tor help desk saw an increase in the number of users wanting to download or install Orbot. Orbot can be downloaded from the Google Play store, the Amazon App store,, and Guides on using Orbot can be found on the Guardian Project’s Orbot page, or on the Tor Project’s Android page. It looks like Orbot is currently inaccessible from the Google Play store in Iran. Please join the discussion on tor-talk if you have input about the latter.

All versions of the Tor Browser Bundle which include tor 0.2.4.x have been reported to work in Iran. This includes the latest Pluggable Transport Bundle, the 3.0 alpha series, and the 2.4 beta series. Follow our Farsi blog for more Iran related news.

Miscellaneous news

The next Tails contributors meeting will happen on IRC on September 4th at 8pm UTC (10pm CEST). “Every one interested in contributing to Tails is welcome” to join #tails-dev on the OFTC network.

Yawning Angel has been “designing a UDP based protocol to serve as the bulk data transport for something along the lines of ‘obfs3, but over UDP’.” They are soliciting feedback on their initial draft of the Lightweight Obfuscated Datagram Protocol (LODP).

Kévin Dunglas announced their work on a PHP library for the Tor Control Port, released under the MIT license.

Kathy Brade and Mark Smith have released a first patch for Mozilla’s update mechanism which “successfully updated TBB on Linux, Windows, and Mac OS ‘in the lab’ using both incremental and ‘full replace’ updates.” This is meant for the 3.x series of the Tor Browser Bundle and is still a work a progress, but this is a significant milestone toward streamlined updates for TBB users.

Erinn Clark announced that the software powering has been upgraded to version 0.12.3. Among several other improvements, this new version allowed Erinn to experiment with the often requested Git integration.

David Goulet has released the second release candidate for the 2.0 rewrite of Torsocks [43]: “Please continue to test, review and contribute it!”

Much to her surprise, Erinn Clark found a “fraudulent PGP key with [her] email address” on the keyservers. “Do not under any circumstances trust anything that may have ever been signed or encrypted with this key” of short id 0xCEE1590D. She reminded that the Tor Project official signatures are listed on the project’s website.

Philipp Winter published the final paper version of the ScrambleSuit pluggable transport, dubbed “A Polymorphic Network Protocol to Circumvent Censorship”.

This issue of Tor Weekly News has been assembled by Lunar, dope457, mttp, malaparte, mrphs, bastik, Karsten Loesing, and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!