Date: Wed, 18 Jun 2014 13:04:56 +0200
From: Lunar <lunar@torproject.org>
To: tor-news@lists.torproject.org, tor-talk@lists.torproject.org
Subject: [tor-talk] Tor Weekly News — June 18th, 2014

========================================================================
Tor Weekly News                                          June 18th, 2014
========================================================================

Welcome to the fiftieth issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the Tor community.

Tails 1.0.1 is out
------------------

The Tails developers announced [1] the first point release in the Tails
1.0 series, following their decision [2] to postpone the release of
Tails 1.1 (which will be based on Wheezy, the latest stable version of
Debian).

This release contains no major new features, but does fix numerous
security issues [3] present in 1.0, so all Tails users should upgrade as
soon as possible.

  [1]: https://tails.boum.org/news/version_1.0.1/
  [2]: https://mailman.boum.org/pipermail/tails-dev/2014-May/005917.html
  [3]: https://tails.boum.org/security/Numerous_security_holes_in_1.0/index

Collecting statistics from Tor exits in a privacy-sensitive manner
------------------------------------------------------------------

Optimizing the Tor network to better support the most common use-cases
could make a real difference to its perceived usability. Unfortunately,
Tor is an anonymity network. Understanding what the most common
use-cases are, in a way that does not endanger its users, is far from
being a trivial problem.

There have been some cases of inconsiderate spying on Tor network users
in the past [4]. This is one of the motivations for the Tor Project to
provide and research properly anonymized statistics through the
Metrics [5] and CollecTor [6] portals.

Tariq Elahi, George Danezis, and Ian Goldberg are working on new
solutions to tackle the problem of collecting statistics from Tor exits
in a privacy-sensitive manner. Tariq announced [7] the PrivEx system,
which “preserves the security and privacy properties of anonymous
communication networks, even in the face of adversaries that can
compromise data collection nodes or coerce operators to reveal
cryptographic secrets and keys”.

The introduction of the detailed tech report [8] gives a general
description of the solution: “PrivEx collects aggregated statistics to
provide insights about user behaviour trends by recording aggregate
usage of the anonymity network. To further reduce the risk of
inadvertent disclosures, it collects only information about destinations
that appear in a list of known censored websites. The aggregate
statistics are themselves collected and collated in a privacy-friendly
manner using secure multiparty computation primitives, enhanced and
tuned to resist a variety of compulsion attacks and compromises.
Finally, the granularity of the statistics is reduced […] to foil
correlation attacks.”

PrivEx’s threat model is described in section 3, and matches the current
mode of operation of the Tor network, relying on a set of mostly honest
collectors while being able to cope with a limited number of malicious
nodes. Two variants are described: one “is secure in the
honest-but-curious setting but can be disrupted by a misbehaving actor”
while “the other is secure in the covert adversary setting in that
misbehaving servers can be identified”, but is more computationally
expensive.

Tariq mentions that implementations of the two variants of PrivEx
described in the tech report have been created and should soon be
released to the community. The researchers expect to “start by rolling
out our own PrivEx-enabled exits in the Tor network and begin collecting
destination visit statistics” around the “June-August timeframe”.
Section 6 contains an analysis of the overhead in both CPU and bandwidth
of the two PrivEx variants, and the requirements seem reasonable.

Given how much privacy matters to the Tor community and to all network
users, the researchers want “a measure of confidence that collecting
data with PrivEx is inherently good and is being done in a responsible
and intelligent manner”. They are therefore asking the “community at
large” to review the design of the proposal, and its implementation once
released.

If no fundamental flaws are discovered in the process, the Tor community
might finally be able to enjoy better network statistics in the
not-too-distant future.

  [4]: http://www.ifca.ai/pub/fc11/wecsr11/soghoian.pdf
  [5]: https://metrics.torproject.org/
  [6]: https://collector.torproject.org/
  [7]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006999.html
  [8]: http://cacr.uwaterloo.ca/techreports/2014/cacr2014-08.pdf

Upcoming developments in pluggable transports
---------------------------------------------

In a new blog post [9], George Kadianakis reported on some recent
pluggable transports developments. Some — like the release of Tor
Browser 3.6 [10], the deprecation of obfs2 [11], the new meek
transport [12], or the recently-written “Child’s Garden Of Pluggable
Transports” guide [13] should already be known to regular readers of Tor
Weekly News.

It was previously impossible to use pluggable transports at the same
time as an HTTP or SOCKS proxy [14]. The release of Tor Browser
3.6.2 [15] is the first to include work by Yawning Angel which solves
this deficiency.

However, ScrambleSuit, released last winter, has not yet been included
in Tor Browser. The pluggable transport team is considering skipping its
deployment in favor of a new protocol, dubbed “obfs4” [16], which is
“like ScrambleSuit (with regards to features and threat model), but it’s
faster and autofixes some of the open issues”.

George also mentions that enabling pluggable transports to work over
IPv6 is on the team’s radar. As advanced deep packet inspection (DPI) on
IPv6 is less common, it should buy some more time for users on censored
networks.

  [9]: https://blog.torproject.org/blog/recent-and-upcoming-developments-pluggable-transports
 [10]: https://blog.torproject.org/blog/tor-browser-36-released
 [11]: https://trac.torproject.org/projects/tor/ticket/10314
 [12]: https://trac.torproject.org/projects/tor/wiki/doc/meek
 [13]: https://trac.torproject.org/projects/tor/wiki/doc/AChildsGardenOfPluggableTransports
 [14]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/232-pluggable-transports-through-proxy.txt
 [15]: https://blog.torproject.org/blog/tor-browser-362-released
 [16]: https://github.com/Yawning/obfs4

Miscellaneous news
------------------

David Fifield updated [17] the experimental Tor Browser builds that
include the meek pluggable transport [18]. The new packages are based on
Tor Browser version 3.6.2.

 [17]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033229.html
 [18]: https://people.torproject.org/~dcf/pt-bundle/3.6.2-meek-1/

meejah announced [19] a new release of txtorcon — a Twisted-based
asynchronous Tor control protocol implementation. Version 0.10.0 adds
support for Twisted’s endpoint strings. meejah explains: “this means
that ANY Twisted program that uses endpoints can accept ‘onion:’ strings
to bring up a hidden services easily […]. Typically, no code changes to
the application should be needed […].”

 [19]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007006.html

The Tails team reported [20] progress on code, documentation,
infrastructure, discussions, funding, and outreach matters for May. The
report also mentions Tails’ position regarding the discontinuation of
TrueCrypt.

 [20]: https://tails.boum.org/news/report_2014_05/

Following up on his earlier promise [21], Karsten Loesing shut down [22]
the Tor Metrics portal’s relay-search service, and in doing so reduced
the size of the metrics database from 95 gigabytes to a mere 3. “If the
metrics website shows you funny numbers in the next couple of days,
please let me know”, wrote Karsten.

 [21]: https://lists.torproject.org/pipermail/tor-dev/2013-December/005948.html
 [22]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007007.html

Andrew Lewman reported [23] on his activities for May. Sebastian G.
subsequently opened two discussions on the tor-talk mailing list [24]:
one regarding the challenges of integrating Tor into millions of
products [25] and another on how US legislation is preventing the Tor
Project, Inc. from receiving donations from certain countries [26].

 [23]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000563.html
 [24]: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
 [25]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033254.html
 [26]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033255.html

Several GSoC students reported on the progress of their projects: Kostas
Jakeliunas on the BridgeDB Twitter distributor [27], Juha Nurmi for
ahmia.fi [28], and Zack Mullaly on the HTTPS Everywhere secure ruleset
update mechanism [29].

 [27]: https://lists.torproject.org/pipermail/tor-dev/2014-June/006988.html
 [28]: https://lists.torproject.org/pipermail/tor-reports/2014-June/000562.html
 [29]: https://lists.eff.org/pipermail/https-everywhere/2014-June/002128.html

Lukas Erlacher has released OnionPy 0.1.5 [30]. “If you are planning to
make something in python that uses the tor network status, accessing
Onionoo [31] using OnionPy might be exactly what you need”, Lukas wrote.

 [30]: https://lists.torproject.org/pipermail/tor-dev/2014-June/007018.html
 [31]: https://onionoo.torproject.org/

The Tails developers suggested [32] that Tails translation teams using
git, rather than the online Transifex platform, should begin signing
their email pull requests with OpenPGP keys, to ensure that the process
is not open to exploitation.

 [32]: https://mailman.boum.org/pipermail/tails-l10n/2014-June/001293.html

Drupal.org, the main website for the development community around the
free and open-source web platform Drupal, subscribes to a blacklist that
includes Tor exit nodes, making it difficult for Tor users to interact
with the site. AohRveTPV explained the problem [33], and asked for
“ideas on how to actually achieve better Drupal.org support for Tor
users”.

 [33]: https://lists.torproject.org/pipermail/tor-talk/2014-June/033250.html

Chris Double described [34] a detailed but experimental method for using
Tor with Firefox OS, the mobile operating system from Mozilla. “This is
just a proof of concept. Don’t depend on this […] Ideally Tor would be
integrated with Firefox OS so that you can start and stop it as a
service and maybe whitelist or blacklist sites that should and shouldn’t
use Tor. I hope to do some of this over time or hope someone else gets
excited enough to work on it too.”

 [34]: http://bluishcoder.co.nz/2014/06/12/using-tor-with-firefox-os.html

Tor help desk roundup
---------------------

The help desk has received some complaints regarding the default window
size of the Tor Browser. To prevent window size fingerprinting, the
browser window size has been set to a multiple of 100 pixels according
to the detected screen resolution. Taskbars in the user workspace make
selecting an appropriate window size slightly more complicated though;
more details are available on the bug’s ticket [35].

 [35]: https://bugs.torproject.org/9268

News from Tor StackExchange
---------------------------

bk201 found some random-looking domain names in the logs of some network
software. These connection attempts disappeared when Tor was
closed [36], so bk201 wants to know what they are. Lunar explained that
they are requests for non-existent domain names. Tor wants to find out
if some DNS servers send fake answers. This feature was added in
2007 [37].

 [36]: https://tor.stackexchange.com/q/3324/88
 [37]: https://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes#l6663

user1747 often visits web sites which provide their services both within
the visible web and as a hidden service (DuckDuckGo might serve as an
example). Does the Tor Browser Bundle (TBB) automatically switch to a
hidden service in this case [38]? mirimir explained that there is no
connection between DNS and the names of hidden services, so TBB doesn’t
know about this hidden service and can’t connect automatically. user2949
pointed to a plugin [39], similar to HTTPS Everywhere, that forwards a
request to a hidden service if it is available.

 [38]: https://tor.stackexchange.com/q/3262/88
 [39]: https://github.com/chris-barry/darkweb-everywhere

Upcoming events
---------------

June 18 19:00 UTC | little-t tor development meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-May/006888.html
                  |
June 20 15:00 UTC | Tor Browser online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tbb-dev/2014-April/000049.html
                  |
June 20 16:00 UTC | Pluggable transports online meeting
                  | #tor-dev, irc.oftc.net
                  | https://lists.torproject.org/pipermail/tor-dev/2014-April/006764.html
                  |
June 30 — Jul 4   | Tor’s Summer Dev Meeting
                  | Paris, France
                  | https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting


This issue of Tor Weekly News has been assembled by harmony, Lunar, the
Tails developers, Matt Pagan, Karsten Loesing, and qbi.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [40], write down your
name and subscribe to the team mailing list [41] if you want to
get involved!

 [40]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [41]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team


