[tor-talk] Tor Weekly News — September, 11th 2013
----- Forwarded message from Lunar <lunar@torproject.org> -----

Date: Wed, 11 Sep 2013 17:21:30 +0200
From: Lunar <lunar@torproject.org>
To: tor-news@lists.torproject.org, tor-talk@lists.torproject.org
Subject: [tor-talk] Tor Weekly News — September, 11th 2013
User-Agent: Mutt/1.5.21 (2010-09-15)
Reply-To: tor-talk@lists.torproject.org

========================================================================
Tor Weekly News                                     September 11th, 2013
========================================================================

Welcome to the eleventh issue of Tor Weekly News, the weekly newsletter
that covers what is happening in the taut Tor community.

tor 0.2.4.17-rc is out
----------------------

There are now confirmations [1] that the sudden influx of Tor clients
which started mid-August [2] is indeed coming from a botnet. “I guess
all that work we’ve been doing on scalability was a good idea,” wrote
Roger Dingledine in a blog post about “how to handle millions of new
Tor clients” [3].

On September 5th, Roger Dingledine announced the release of the third
release candidate for the tor 0.2.4 series [4]. This is an emergency
release “to help us tolerate the massive influx of users: 0.2.4 clients
using the new (faster and safer) ‘NTor’ circuit-level handshakes now
effectively jump the queue compared to the 0.2.3 clients using ‘TAP’
handshakes” [5]. It also contains several minor bugfixes and some new
status messages for better monitoring of the current situation.

Roger asked relay operators to upgrade to 0.2.4.17-rc [6]: “the more
relays that upgrade to 0.2.4.17-rc, the more stable and fast Tor will be
for 0.2.4 users, despite the huge circuit overload that the network is
seeing.” For relays running Debian or Ubuntu, upgrading to the
development branch can be done using the Tor project’s package
repository [7]. New versions of the beta branch of the Tor Browser
Bundle are also available [8] since September 6th.
The next Tails release, scheduled for September 19th [9] will also
contain tor 0.2.4.17-rc [10].

Hopefully, this will be the last release candidate. What looks missing
at this point to declare the 0.2.4.x series stable is simply enough time
to finish the release notes.

   [1] http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-o...
   [2] https://lists.torproject.org/pipermail/tor-talk/2013-September/029822.html
   [3] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
   [4] https://lists.torproject.org/pipermail/tor-talk/2013-September/029857.html
   [5] https://bugs.torproject.org/9574
   [6] https://lists.torproject.org/pipermail/tor-relays/2013-September/002701.html
   [7] https://www.torproject.org/docs/debian.html.en#development
   [8] https://blog.torproject.org/blog/new-tor-02417-rc-packages
   [9] https://mailman.boum.org/pipermail/tails-dev/2013-September/003622.html
  [10] https://mailman.boum.org/pipermail/tails-dev/2013-September/003621.html

The future of Tor cryptography
------------------------------

After the last round of revelations from Edward Snowden, described as
“explosive” by Bruce Schneier [11], several threads started on the
tor-talk mailing list to discuss Tor cryptography.

A lot of what has been written is speculative at this point. But some
have raised concerns [12] about 1024 bit Diffie–Hellman key
exchange [13]. This has already been addressed with the introduction of
the “ntor” handshake [14] in 0.2.4 and Nick Mathewson encourages
everybody to upgrade [15].

Another thread [16] prompted Nick to summarize [17] his views on the
future of Tor cryptography. Regarding public keys, “with Tor 0.2.4,
forward secrecy uses 256-bit ECC, which is certainly better, but
RSA-1024 is still used in some places for signatures. I want to fix all
that in 0.2.5 — see proposal 220 [18], and George Kadianakis’ draft
hidden service improvements [19,20], and so forth.” Regarding symmetric
keys, Nick wrote: “We’re using AES128.
I’m hoping to move to XSalsa20 or something like it.” In response to a
query, Nick clarifies that he doesn’t think AES is broken: only hard to
implement right, and only provided in TLS in concert with modes that are
somewhat (GCM) or fairly (CBC) problematic.

The effort to design better cryptography for the Tor protocols is not
new. More than a year ago, Nick Mathewson presented proposal 202 [21]
outlining two possible new relay encryption protocols for Tor cells.
Nick mentioned that he’s waiting for a promising paper to get finished
here before implementation.

A third question was raised [22] regarding the trust in algorithms
certified by the US NIST [23]. Nick’s speculations put aside, he also
emphasized that several NIST algorithms were “hard to implement
correctly” [24].

Nick also plans to change more algorithms [25]: “Over the 0.2.5 series,
I want to move even more things (including hidden services) to
curve25519 and its allies for public key crypto. I also want to add more
hard-to-implement-wrong protocols to our mix: Salsa20 is looking like a
much better choice to me than AES nowadays, for instance.”

Nick concluded one of his emails with the words: “these are interesting
times for crypto”, which sounds like a good way to put it.

  [11] https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
  [12] https://lists.torproject.org/pipermail/tor-talk/2013-September/029917.html
  [13] https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange
  [14] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/216-nto...
  [15] https://lists.torproject.org/pipermail/tor-talk/2013-September/029930.html
  [16] https://lists.torproject.org/pipermail/tor-talk/2013-September/029927.html
  [17] https://lists.torproject.org/pipermail/tor-talk/2013-September/029941.html
  [18] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/220-ecc...
  [19] https://lists.torproject.org/pipermail/tor-dev/2013-August/005279.html
  [20] https://lists.torproject.org/pipermail/tor-dev/2013-August/005280.html
  [21] https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/202-imp...
  [22] https://lists.torproject.org/pipermail/tor-talk/2013-September/029933.html
  [23] https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology
  [24] https://lists.torproject.org/pipermail/tor-talk/2013-September/029937.html
  [25] https://lists.torproject.org/pipermail/tor-talk/2013-September/029929.html

Toward a better performance measurement tool
--------------------------------------------

“I just finished […] sketching out the requirements and a software
design for a new Torperf implementation” announced Karsten Loesing [26]
on the tor-dev mailing list.

The report begins with: “Four years ago, we presented a simple tool to
measure performance of the Tor network. This tool, called Torperf,
requests static files of three different sizes over the Tor network and
logs timestamps of various request substeps. These data turned out to be
quite useful to observe user-perceived network performance over
time [27]. However, static file downloads are not the typical use case
of a user browsing the web using Tor, so absolute numbers are not very
meaningful. Also, Torperf consists of a bunch of shell scripts which
makes it neither very user-friendly to set up and run, nor extensible to
cover new use cases.”

The specification lays out the various requirements for the new tool,
and details several experiments like visiting high profile websites with
an automated graphical web browser, downloading static files, crafting a
canonical web page, measuring hidden service performance, and checking
on upload capacity.

Karsten added “neither the requirements nor the software design are set
in stone, and the implementation, well, does not exist yet.
Plenty of options for giving feedback and helping out, and most parts
don’t even require specific experience with hacking on Tor. Just in case
somebody’s looking for an introductory Tor project to hack on.”

Saytha already wrote that this was enough material to get the
implementation started [28]. The project needs enough work that anyone
interested should get involved. Feel free to join him!

  [26] https://lists.torproject.org/pipermail/tor-dev/2013-September/005386.html
  [27] https://metrics.torproject.org/performance.html
  [28] https://lists.torproject.org/pipermail/tor-dev/2013-September/005388.html

More monthly status reports for August 2013
-------------------------------------------

The wave of regular monthly reports from Tor project members continued
this week with Sukhbir Singh [29], Matt Pagan [30], Ximin Luo [31],
mrphs [32], Pearl Crescent [33], Andrew Lewman [34], Mike Perry [35],
Kelley Misata [36], Nick Mathewson [37], Jason Tsai [38], Tails [39],
Aaron [40], and Damian Johnson [41].

  [29] https://lists.torproject.org/pipermail/tor-reports/2013-September/000326.htm...
  [30] https://lists.torproject.org/pipermail/tor-reports/2013-September/000327.htm...
  [31] https://lists.torproject.org/pipermail/tor-reports/2013-September/000328.htm...
  [32] https://lists.torproject.org/pipermail/tor-reports/2013-September/000329.htm...
  [33] https://lists.torproject.org/pipermail/tor-reports/2013-September/000330.htm...
  [34] https://lists.torproject.org/pipermail/tor-reports/2013-September/000331.htm...
  [35] https://lists.torproject.org/pipermail/tor-reports/2013-September/000332.htm...
  [36] https://lists.torproject.org/pipermail/tor-reports/2013-September/000333.htm...
  [37] https://lists.torproject.org/pipermail/tor-reports/2013-September/000334.htm...
  [38] https://lists.torproject.org/pipermail/tor-reports/2013-September/000335.htm...
  [39] https://lists.torproject.org/pipermail/tor-reports/2013-September/000336.htm...
  [40] https://lists.torproject.org/pipermail/tor-reports/2013-September/000337.htm...
  [41] https://lists.torproject.org/pipermail/tor-reports/2013-September/000338.htm...

Miscellaneous news
------------------

Not all new Tor users are computer programs! According to their latest
report [42], Tails is now booted twice as much as it was six months ago
(from 100,865 to 190,521 connections to the security feed).

  [42] https://lists.torproject.org/pipermail/tor-reports/2013-September/000336.htm...

Thanks to Frenn vun der Enn [43] for setting up a new mirror [44] of the
Tor project website.

  [43] http://enn.lu/
  [44] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000351.htm...

With the Google Summer of Code ending in two weeks, the students have
sent their penultimate reports: Kostas Jakeliunas for the Searchable
metrics archive [45], Johannes Fürmann for EvilGenius [46], Hareesan for
the Steganography Browser Extension [47], and Cristian-Matei Toader for
Tor capabilities [48].

  [45] https://lists.torproject.org/pipermail/tor-dev/2013-September/005380.html
  [46] https://lists.torproject.org/pipermail/tor-dev/2013-September/005394.html
  [47] https://lists.torproject.org/pipermail/tor-dev/2013-September/005409.html
  [48] https://lists.torproject.org/pipermail/tor-dev/2013-September/005412.html

Damian Johnson announced [49] that he had completed the rewrite of
DocTor in Python [50], “a service that pulls hourly consensus
information and checks it for a host of issues (directory authority
outages, expiring certificates, etc). In the case of a problem it
notifies tor-consensus-health@ [51], and we in turn give the authority
operator a heads up.”

  [49] https://lists.torproject.org/pipermail/tor-reports/2013-September/000338.htm...
  [50] https://gitweb.torproject.org/doctor.git
  [51] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-consensus-health

Matt Pagan has migrated [52] several Frequently-Asked Questions from the
wiki to the official Tor website [53].
This should enable more users to find the answers they need!

  [52] https://svn.torproject.org/cgi-bin/viewvc.cgi/Tor?view=revision&revision=26333
  [53] https://www.torproject.org/docs/faq.html

In his previous call for help to collect more statistics [54], addressed
to bridge operators, George Kadianakis forgot to mention that an extra
line with “ExtORPort 6669” needed to be added to the tor configuration
file [55]. Make sure you do have it if you are running a bridge on the
tor master branch.

  [54] https://lists.torproject.org/pipermail/tor-relays/2013-August/002477.html
  [55] https://lists.torproject.org/pipermail/tor-relays/2013-September/002691.html

For the upgrade of tor to the 0.2.4.x series in Tails, a tester spotted
a regression while “playing with an ISO built from experimental, thanks
to our Jenkins autobuilder” [56]. This marks a significant milestone in
the work on automated builds [57] done by several members of the Tails
team in the course of the last year!

  [56] https://mailman.boum.org/pipermail/tails-dev/2013-September/003617.html
  [57] https://labs.riseup.net/code/issues/5324

Tails’ next “low-hanging fruit” session will be on September 21st at
08:00 UTC [58]. Mark the date if you want to get involved!

  [58] https://mailman.boum.org/pipermail/tails-dev/2013-September/003566.html

David Fifield gave some tips on how to set up a test
infrastructure [59] for flash proxy [60].

  [59] https://lists.torproject.org/pipermail/tor-dev/2013-September/005402.html
  [60] https://crypto.stanford.edu/flashproxy/

Marek Majkowski reported [61] on how one can use his fluxcapacitor
tool [62] to get a test Tor network started with Chutney [63] ready in
only 6.5 seconds. A vast improvement over the 5 minutes he initially had
to wait [64]!

  [61] https://lists.torproject.org/pipermail/tor-dev/2013-September/005403.html
  [62] https://github.com/majek/fluxcapacitor.git
  [63] https://gitweb.torproject.org/chutney.git
  [64] https://lists.torproject.org/pipermail/tor-dev/2013-September/005413.html

Eugen Leitl drew attention [65] to a new research paper which aims to
analyze the content and popularity of Hidden Services by Alex Biryukov,
Ivan Pustogarov, and Ralf-Philipp Weinmann from the University of
Luxembourg [66].

  [65] https://lists.torproject.org/pipermail/tor-talk/2013-September/029856.html
  [66] http://cryptome.org/2013/09/tor-analysis-hidden-services.pdf

Tor Help Desk roundup
---------------------

The Tor help desk had a number of emails this week asking about the
recent stories in the New York Times, the Guardian, and ProPublica
regarding NSA’s cryptographic capabilities. Some users asked whether
there was a backdoor in Tor. Others asked if Tor’s crypto was broken.

There is absolutely no backdoor in Tor. Tor project members have been
vocal in the past about how tremendously irresponsible it would be to
backdoor our users [67]. As it is a frequently-asked question, users
have been encouraged to read how the project would respond to
institutional pressure [68].

The Tor project does not have any more facts about NSA’s cryptanalysis
capabilities than what has been published in newspapers. Even if there
is no actual evidence that Tor encryption is actually broken, the idea
is to remain on the safe side by using more trusted algorithms for the
Tor protocols. See above for a more detailed write-up.

  [67] https://blog.torproject.org/blog/calea-2-and-tor
  [68] http://www.torproject.org/docs/faq.html.en#Backdoor

Help the Tor community!
-----------------------

Tor is about protecting everyone’s freedom and privacy. There are many
ways to help [69] but getting involved in such a busy community can be
daunting.
Here’s a selection of tasks on which one could get started:

Get tor to log the source of control port connections [70]. It would
help in developing controller applications or libraries (like Stem [71])
to know which program is responsible for a given access to the control
facilities of the tor daemon. Knowledge required: C programming, basic
understanding of network sockets.

Diagnose what is currently wrong with Tor Cloud images [72]. Tor
Cloud [73] is an easy way to deploy bridges and it looks like the
automatic upgrade procedure caused problems. Let’s make these virtual
machines useful again for censored users. Knowledge required: basic
understanding of Ubuntu system administration.

  [69] https://www.torproject.org/getinvolved/volunteer.html.en
  [70] https://bugs.torproject.org/9698
  [71] https://stem.torproject.org/
  [72] https://lists.torproject.org/pipermail/tor-dev/2013-September/005417.html
  [73] https://cloud.torproject.org/

Upcoming events
---------------

Sep 29    | Colin at the Winnipeg Cryptoparty
          | Winnipeg, Manitoba, Canada
          | http://wiki.skullspace.ca/index.php/CryptoParty
          |
Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV
          | Berlin, Germany
          | https://www.openitp.org/openitp/circumvention-tech-summit.html
          |
Oct 09-10 | Andrew speaking at Secure Poland 2013
          | Warszawa, Poland
          | http://www.secure.edu.pl/

This issue of Tor Weekly News has been assembled by Lunar, dope457,
mttp, malaparte, harmony, Karsten Loesing, and Nick Mathewson.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [74], write down your
name and subscribe to the team mailing list [75] if you want to
get involved!

  [74] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [75] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5