========================================================================
Tor Weekly News                                       November 6th, 2013
========================================================================

Welcome to the nineteenth issue of Tor Weekly News, the weekly
newsletter that covers what is happening in the up-to-date Tor
community.

Tails 0.21 is out
-----------------

The Tails developers announced the 34th release [1] of the live system
based on Debian and Tor that preserves the privacy and anonymity of its
users.

The new version fixes two holes that gave too much power to the POSIX
user running the desktop: the Tor control port can no longer be accessed
directly, which prevents configuration changes and IP address retrieval,
and the persistence settings now require privileged access. On top of
these specific changes, the release includes security fixes [2] from the
Firefox 17.0.10esr release and for a few other Debian packages.

More visible improvements include the ability to persist printer
settings, support for running from more SD card reader types, and a
panel launcher for the password manager. For the curious, more details
can be found in the full changelog [3].

As with every release: be sure to upgrade!

   [1] https://tails.boum.org/news/version_0.21/
   [2] https://tails.boum.org/security/Numerous_security_holes_in_0.20.1/
   [3] https://git-tails.immerda.ch/tails/plain/debian/changelog

New Tor Browser Bundles based on Firefox 17.0.10esr
---------------------------------------------------

Erinn Clark released new versions of the Tor Browser Bundle [4] on
November 1st. The previously “beta” bundles have moved to the “release
candidate” stage and are almost identical to the stable ones, except
for the version of the tor daemon. A couple of days later, David Fifield
also released updated “pluggable transport” bundles [5].

The new bundles include all security fixes from Firefox 17.0.10esr [6],
and updated versions of libpng, NoScript and HTTPS Everywhere.
They also contain a handful of improvements and fixes to the Tor Browser
patches.

Users of older versions of the Tor Browser bundles should already have
been reminded to upgrade by the notification system. Don't forget about
it!

These should be the last bundles based on the 17 branch of Firefox, as
it is going to be superseded by the 24 branch as the new long-term
supported version in 6 weeks. Major progress has already been made by
Mike Perry and Pearl Crescent to update the Tor Browser changes and
review the new code base [7].

   [4] https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-17010esr
   [5] https://blog.torproject.org/blog/pluggable-transports-bundles-2417-rc-1-pt1-...
   [6] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firef...
   [7] https://trac.torproject.org/projects/tor/query?keywords=~ff24-esr

Monthly status reports for October 2013
---------------------------------------

The wave of regular monthly reports from Tor project members for the
month of October began reaching the tor-reports mailing list early this
time: Damian Johnson [8], Linus Nordberg [9], Karsten Loesing [10],
Philipp Winter [11], Ximin Luo [12], Lunar [13], Kelley Misata [14],
Matt Pagan [15], Sherief Alaa [16], Nick Mathewson [17], Pearl
Crescent [18], George Kadianakis [19], Colin Childs [20], Arlo
Breault [21], and Sukhbir Singh [22].

   [8] https://lists.torproject.org/pipermail/tor-reports/2013-October/000367.html
   [9] https://lists.torproject.org/pipermail/tor-reports/2013-October/000369.html
  [10] https://lists.torproject.org/pipermail/tor-reports/2013-October/000370.html
  [11] https://lists.torproject.org/pipermail/tor-reports/2013-November/000371.html
  [12] https://lists.torproject.org/pipermail/tor-reports/2013-November/000372.html
  [13] https://lists.torproject.org/pipermail/tor-reports/2013-November/000373.html
  [14] https://lists.torproject.org/pipermail/tor-reports/2013-November/000374.html
  [15] https://lists.torproject.org/pipermail/tor-reports/2013-November/000375.html
  [16] https://lists.torproject.org/pipermail/tor-reports/2013-November/000376.html
  [17] https://lists.torproject.org/pipermail/tor-reports/2013-November/000377.html
  [18] https://lists.torproject.org/pipermail/tor-reports/2013-November/000378.html
  [19] https://lists.torproject.org/pipermail/tor-reports/2013-November/000379.html
  [20] https://lists.torproject.org/pipermail/tor-reports/2013-November/000380.html
  [21] https://lists.torproject.org/pipermail/tor-reports/2013-November/000381.html
  [22] https://lists.torproject.org/pipermail/tor-reports/2013-November/000382.html

Tor Help Desk Roundup
---------------------

One person asked why the lock icon on the Tor Project's website was not
outlined in green. Sites that use HTTPS can purchase different types of
SSL certificates. Some certificate issuers offer certificates that
supply ownership information, such as the physical address of the
website operator, for a higher price. Sites that use these certificates
get the lock icon by their URL outlined in green. The Tor Project
protects the validity of our SSL certificate in a different way, by
supplying our SSL certificate fingerprint on our FAQ page [23]. You can
double check that fingerprint on any of the Tor Project's mirror pages
as well [24].

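
The cross-check described above, as an added example that is not part of the newsletter or of any Tor Project tooling: it hashes the served certificate and compares it with fingerprints copied from two places, tolerating the colon, space and case variations in which fingerprints are usually printed. The function names, the two-source rule and the sample values are assumptions of this example; the sample "certificate" is stand-in bytes paired with the standard SHA test vectors.

```python
import hashlib
import hmac

# Digest algorithm is inferred from the length of the published hex string.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}

def normalize(published):
    """Reduce a fingerprint copied from a web page to bare lowercase hex."""
    hexstr = "".join(ch for ch in published if ch not in ": \t\n").lower()
    if len(hexstr) not in ALGO_BY_HEX_LEN or set(hexstr) - set("0123456789abcdef"):
        raise ValueError("not a SHA-1/SHA-256 fingerprint: %r" % published)
    return hexstr

def cert_fingerprint(der, algo):
    """A certificate fingerprint is the digest of the DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()

def check_certificate(der, published, min_sources=2):
    """Compare a served certificate with fingerprints from several sources.

    Returns (ok, problems). min_sources=2 is this example's own policy: the
    FAQ value must be confirmed by at least one other copy (e.g. a mirror).
    """
    problems = []
    if len(published) < min_sources:
        problems.append("need %d sources, got %d" % (min_sources, len(published)))
    for source, value in published.items():
        try:
            want = normalize(value)
        except ValueError as exc:
            problems.append("%s: %s" % (source, exc))
            continue
        got = cert_fingerprint(der, ALGO_BY_HEX_LEN[len(want)])
        if not hmac.compare_digest(got, want):
            problems.append("%s: mismatch, served certificate hashes to %s" % (source, got))
    return (not problems, problems)

# Constructed sample: stand-in bytes, NOT a real certificate, paired with the
# standard SHA-1/SHA-256 test vectors for b"abc". Real DER bytes would come
# from ssl.PEM_cert_to_DER_cert() or SSLSocket.getpeercert(binary_form=True).
SAMPLE_DER = b"abc"
PUBLISHED = {
    "FAQ page": "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D",
    "mirror": "ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad",
}

if __name__ == "__main__":
    print(check_certificate(SAMPLE_DER, PUBLISHED))
    print(check_certificate(b"abd", PUBLISHED))  # a different certificate
```

A mismatch from either source, or a value that is not a well-formed fingerprint, makes the check fail rather than falling back to the remaining source.
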
One person wanted to know why a website they were visiting with Firefox
was telling them that they were not using Tor, even though Vidalia told
them that Tor was running. By default, the Tor Browser Bundle does not
anonymize all the traffic on your computer. Only the traffic you send
through the Tor Browser Bundle will be anonymized. If you have Firefox
and the Tor Browser open at the same time, the traffic you send through
Firefox will not be anonymous. Using Firefox and Tor Browser Bundle at
the same time is not a great idea because the two interfaces are almost
identical, and it is easy to get the two browsers mixed up, even if you
know what you are doing.

  [23] https://www.torproject.org/docs/faq.html.en#SSLcertfingerprint
  [24] https://torproject.org/getinvolved/mirrors.html.en

Miscellaneous news
------------------

The third beta release of TorBirdy has been released [25] as version
0.1.2. Among several other fixes and improvements, it restores proper
usage of Tor when used with Thunderbird 24. Be sure to upgrade [26]!

  [25] https://blog.torproject.org/blog/torbirdy-012-our-third-beta-release
  [26] https://www.torproject.org/dist/torbirdy/torbirdy-0.1.2.xpi

starlight reported [27] on running a Tor relay with the daemon compiled
with the AddressSanitizer [28] memory error detector available since
GCC 4.8.

  [27] https://lists.torproject.org/pipermail/tor-relays/2013-October/003187.html
  [28] https://code.google.com/p/address-sanitizer/

Isis Lovecruft has sent two proposals [29] for improvements to BridgeDB.
One is finished and addresses the switch to a “Distributed Database
System and RDBMS”. The second is still in draft stage and “specifies a
system for social distribution of the centrally-stored bridges within
BridgeDB”.

  [29] https://lists.torproject.org/pipermail/tor-dev/2013-November/005713.html

Karsten Loesing announced [30] the availability of a new tech report he
wrote with Steven J.
Murdoch, and Rob Jansen: “Evaluation of a libutp-based Tor Datagram
Implementation” [31]. Be sure to have a look if you are interested in
one of the “promising approach[es] to overcome Tor’s performance-related
problems”.

  [30] https://lists.torproject.org/pipermail/tor-dev/2013-October/005700.html
  [31] https://research.torproject.org/techreports/libutp-2013-10-30.pdf

SiNA Rabbani has been asking [32] for comments on two documents he wrote
about the use cases and design of a “point-and-click” hidden service
blogging tool, as part of the Cute Otter project [33].

  [32] https://lists.torproject.org/pipermail/tor-dev/2013-October/005703.html
  [33] https://trac.torproject.org/projects/tor/attachment/wiki/org/sponsors/Otter/...

David Goulet released the third rc of Torsocks 2.0.0 [34] with a lot of
fixes and improvements. It is available for download from GitHub [35]
and also as a Debian package from the experimental distribution [36].

  [34] https://lists.torproject.org/pipermail/tor-dev/2013-November/005728.html
  [35] https://github.com/dgoulet/torsocks/archive/v2.0.0-rc3.tar.gz
  [36] http://packages.debian.org/experimental/torsocks

Christian is working on a new round of improvements for Globe [37], a
web application to learn about relays and bridges of the Tor network.
The project seems close to being mature enough to replace Atlas [38],
according to some.

  [37] https://lists.torproject.org/pipermail/tor-dev/2013-November/005725.html
  [38] https://lists.torproject.org/pipermail/tor-dev/2013-November/005735.html

A discussion on the tor-relays mailing list prompted Roger Dingledine to
ask about changing the current default exit policy [39] of the tor
daemon. The current “restricted exit node” policy has been in place
since 2003. As this has surprised some operators, switching the default
policy to “middle node” is under consideration.

  [39] https://lists.torproject.org/pipermail/tor-relays/2013-November/003240.html

Upcoming events
---------------

Nov 05-07 | 20th ACM Conference on Computer and Communications Security
          | Berlin, Germany
          | http://www.sigsac.org/ccs/CCS2013/
          |
Dec 27-30 | Tor @ 30th Chaos Communication Congress
          | Hamburg, Germany
          | https://events.ccc.de/congress/2013/


This issue of Tor Weekly News has been assembled by Lunar, dope457,
Matt Pagan, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [40], write down your
name and subscribe to the team mailing list [41] if you want to
get involved!

  [40] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [41] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team