========================================================================
Tor Weekly News                                          April 4th, 2016
========================================================================

Welcome to the 5th 2016 issue of the Tor Weekly News, bringing you a collection of Tor-related news at least a couple times per month!

Contents
--------

 1. OONI Explorer released
 2. Tor Browser 5.5.4 and 6.0a4 released
 3. Tor 0.2.8.2-alpha released
 4. Tor statement on Apple and backdoors
 5. CloudFlare debate roundup
 6. Miscellaneous News

OONI Explorer released
----------------------

The Open Observatory of Network Interference (OONI) develops free software to detect irregular internet conditions. There are currently 15 tests in the suite [1]; one measures DNS consistency, another measures HTTP consistency, others check if Tor is blocked, and some try to detect HTTP-aware middleboxes between the client and the server. Volunteers around the world can run this software [2] and report the results back to OONI, who makes the dataset freely available. Over the last three years, more than 8.5 million network measurements from 93 countries have been collected.

The newly released OONI Explorer [3] provides a browsable web interface to the collected dataset. The Highlights page [4] presents a short analysis of some interesting anomalies which might be worthy of further research, and the blog post [5] has more details.

  [1]: https://github.com/TheTorProject/ooni-spec/tree/master/test-specs
  [2]: https://ooni.torproject.org/
  [3]: https://explorer.ooni.torproject.org/world/
  [4]: https://explorer.ooni.torproject.org/highlights/
  [5]: https://blog.torproject.org/blog/ooni-explorer-censorship-and-other-network-anomalies-around-world

Tor Browser 5.5.4 and 6.0a4 released
------------------------------------

The most recent ESR version of Firefox (38.7.1) disables the Graphite font rendering library (there have been a number of recent vulnerabilities in it). Graphite was previously disabled in Tor Browser if you had the security slider set at "Medium-High" or "High," but now it is disabled for everyone (stable [6], unstable [7], and unstable-hardened [8]) so you won't see it mentioned.

  [6]: https://blog.torproject.org/blog/tor-browser-554-released
  [7]: https://blog.torproject.org/blog/tor-browser-60a4-released
  [8]: https://blog.torproject.org/blog/tor-browser-60a4-hardened-released

Tor 0.2.8.2-alpha released
--------------------------

There's a new alpha release [9] of "little t tor" that includes a bunch of bugfixes and new features.

  [9]: https://blog.torproject.org/blog/tor-0282-alpha-released

Tor statement on Apple and backdoors
------------------------------------

Much has been written after Apple publicly denounced the FBI's request to develop and sign an iOS update that would let the FBI unlock iPhones in their possession. While Apple rejected this particular demand, the saga has cast a light on the single point of failure that is Apple's signing key. Tor's Leif Ryge wrote a piece [10] for Ars Technica pointing out that many pieces of software are built with such single points of failure (for example, a Debian system will accept as genuine an update signed by any of several developer keys it knows about). Tor put out a statement [11] in solidarity with Apple's position and to review the ongoing efforts taken to eliminate single points of failure (deterministic builds, for example, mean a compromised build machine can't insert what would be a hard-to-detect backdoor during the build process).

 [10]: http://arstechnica.com/security/2016/02/most-software-already-has-a-golden-key-backdoor-its-called-auto-update/
 [11]: https://blog.torproject.org/blog/statement-tor-project-software-integrity-and-apple

Cloudflare debate roundup
-------------------------

Tor Browser users are probably familiar with the CAPTCHAs CloudFlare presents to users from IP addresses deemed to have a negative reputation. There's a 58-point-long aggregation of thoughts from all sides here [12]. Cloudflare put out a blog post [13] on March 30, and Tor responded [14] on March 31.

 [12]: https://trac.torproject.org/projects/tor/ticket/18361#comment:144
 [13]: https://blog.cloudflare.com/the-trouble-with-tor/
 [14]: https://blog.torproject.org/blog/trouble-cloudflare

Miscellaneous News
------------------

There was a Tor presence at LibrePlanet 2016: David Goulet reports on his discussion [15] with some activists in Mexico who depend on Tor to stay safe from a surveillance-equipped triple threat of corporations, government, and cartels. The Library Freedom Project ("a partnership among librarians, technologists, attorneys, and privacy advocates which aims to make real the promise of intellectual freedom in libraries") won the FSF's Award for Projects of Social Benefit [16].

 [15]: https://lists.torproject.org/pipermail/tor-project/2016-March/000197.html
 [16]: https://twitter.com/libraryfreedom/status/711303975073619968

Wired has a piece [17] on the Autonomy Cube [18], the Tor-Relay-as-sculpture from Trevor, Leif, and Jake presently installed in four museums around the world.

 [17]: http://www.wired.com/2016/04/sculpture-lets-museums-amplify-tors-anonymity-network/
 [18]: http://paglen.com/index.php?l=work&s=cube

There was a mailing list discussion about building a router/gateway that only allows Tor traffic. Lunar [19] and Rusty Bird [20] posted some setups; both approaches basically create a firewall whitelist of Tor relay IPs from the consensus.

 [19]: https://lists.torproject.org/pipermail/tor-dev/2016-March/010538.html
 [20]: https://github.com/rustybird/corridor

Yawning developed and released a Firefox addon [21] that detects CloudFlare CAPTCHAs and automatically tries to fetch the page from archive.is.

 [21]: https://lists.torproject.org/pipermail/tor-dev/2016-March/010604.html

Nick posted some ideas [22] on improving design and modularity in Tor.

 [22]: https://lists.torproject.org/pipermail/tor-dev/2016-March/010646.html

A TV producer is looking to interview [23] an "ordinary" Tor user.
"I think they want someone in the US they can follow around who uses Tor for what they consider an interesting use case that fits the idea, 'Tor is for everyone!'"

 [23]: https://lists.torproject.org/pipermail/tor-project/2016-March/000205.html

The Logan Symposium posted their talk recordings [24]; they're all really good, but the most Tor-related one is this discussion [25] between the developers of a few Tor-enabled operating systems (Tails, Qubes, and Subgraph).

 [24]: https://www.youtube.com/playlist?list=PLS_7b8Iu1oBGXgCt1y3-i8lUD4gFI2u7S
 [25]: https://www.youtube.com/watch?v=Nol8kKoB-co

Colophon
--------

This issue of Tor Weekly News has been assembled by jl. If you're interested in contributing, see the wiki page [26] :)

 [26]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews