Welcome to the ninth issue of Tor Weekly News, the weekly newsletter that covers what is happening in the determined Tor community.

Orweb Security Advisory

On August 21st, Nathan Freitas from the Guardian Project issued a security advisory regarding a possible anonymity flaw affecting Orweb:

“The Orweb browser app is vulnerable to leak the actual IP of the device it is on, if it loads a page with HTML5 video or audio tags on them, and those tags are set to auto-start or display a poster frame. On some versions of Android, the video and audio player start/load events happen without the user requesting anything, and the request to the URL for the media src or through image poster is made outside of the proxy settings”, wrote Nathan.

Users who use root mode with transparent proxying are NOT affected by this flaw, as that mode proxies all traffic from the entire device or from a particular app.

Unfortunately, the problem mentioned above hasn't been fixed yet, as there is no patch developers are happy with. According to Nathan, the temporary solution is “switch to Firefox, with the appropriate set of add-ons.” The Guardian Project has updated its website with a step-by-step guide on how to set this up.

“Why would anyone want a deterministic build process?”

In a blog post published last week, Mike Perry explained the motivations behind his three-month-long effort to make “deterministic builds” for the 3.0 series of the Tor Browser Bundle.

“The short answer is: to protect against targeted attacks”, introduced Mike. With automatic remote updates becoming the norm, it becomes very interesting for malware to “distribute copies of itself to tens or even hundreds of millions of machines in a single, officially signed, instantaneous update.” The attack shifts from attacking millions of machines to attacking the few that are involved in “software development and build processes”.

Be sure to read Mike's post to get the full picture.

Mike concludes with how deterministic builds can mitigate the issue: “in [Tor] case, any individual can use our anonymity network to privately download our source code, verify it against public signed, audited, and mirrored git repositories, and reproduce our builds exactly, without being subject to such targeted attacks. If they notice any differences, they can alert the public builders/signers, hopefully using a pseudonym or our anonymous trac account.”

Even if “it is important for Tor to set an example on this point”, Mike hopes that Linux distributions will follow in making deterministic packaging the norm. It looks like at least NixOS and now Debian have started working on this.

Filters and the default Tor Browser search engine

Four months ago, an anonymous reporter complained that the search engine used by default by the Tor Browser, Startpage, had a “family filter” enabled by default. The reporter pointed out that it was pretty funny “for a browser that people use to evade censorship and filters”. Another anonymous contributor quickly pointed out that the filter could be deactivated in a few clicks in Startpage preferences.

The issue got some more attention a few days ago as Nick Mathewson mentioned hearing reports that the filter was blocking “LGBT stuff, which is of course serious”. Nick further identified that the filter was blocking, among several other things, searches for “The Owl and the Pussy-Cat”, “Pussy Riot”, “Dick Cheney”, “Cock Robin”, “Gerald Cock”.

Censoring 19th century poetry and repressed Russian punk bands was enough to make Nick conclude with a euphemism: “let's kill this filter hard”.

Mike Perry had some insights: “What we're seeing here is actually a change in Google's Safesearch. It used to be on by default and quite a bit smarter about differentiating porn from non-porn.” Mike mailed the Startpage people to explain the problem and suggested that they leave the filter off by default.

In case they leave it on, both Nick and Mike agreed that a technical workaround should be implemented to automatically deactivate the filters when using the Tor Browser.

Sudden rise in direct Tor users

On Tuesday the 27th, Roger Dingledine drew attention to the huge increase in the number of running Tor clients. It seems that their number has doubled since August 19th according to the count of directly connecting users.

According to Roger, this is not just a fluke in the metrics data. The extra load on the directory authorities is clearly visible, but it does not look like overall network performance has been affected so far.

The cause is still unknown, but there are already speculations about the Pirate Browser or the new “anti-piracy” law in Russia, which has been in force since August 1st. As Roger pointed out, “some good solid facts would sure be useful.”

Help Desk Roundup

Users continue to have trouble verifying package signatures. One user was confused when the signature was automatically saved as a “.txt” file. Other problems included not running the command from the correct directory, and downloading a signature that did not correspond with the downloaded file.

Users sometimes write to the help desk seeking clarification about misconceptions about Tor. Examples of such misconceptions include “Is it true that Tor is illegal in the United States?” and “Is it true that Tor has been compromised by the NSA?”. Using Tor is not currently illegal anywhere. For information about the recent vulnerability, users are advised to read the recent blog post on the subject.

Miscellaneous news

David Goulet announced the first release candidate of his rewrite of torsocks. Several bugs reported by early testers have since been fixed. Expect a new release soon.

Not all computers currently have their clock synchronized. This means that any timestamps in the Tor protocol can unfortunately be used to fingerprint Tor users. Nick Mathewson would like to improve the situation and has sent proposal 222, aiming to eliminate “passive timestamp exposure”, for review.

Karsten Loesing has made further progress on “experimenting with a client and private bridge connected over uTP”. He reduced the time for a client to bootstrap over uTP from 2 minutes to 6 seconds, and more.

Orbot's new version 12.0.5 brings identity switching-by-swiping along with a few bugfixes. It can be downloaded from Google Play or from the Guardian Project's channels.

GSoC students sent another wave of bi-weekly reports: Kostas Jakeliunas on Searchable Metrics Archive, Johannes Fürmann on EvilGenius, Hareesan on the Steganography Browser Extension, Robert on Stream-RTT, and Cristian-Matei Toader on Tor capabilities.

The Torservers.net crowdfunding campaign for Tor exit bandwidth ended on August 26th, yielding “3771,84 Euro to be spread equally across our current seven organizations”, announced Moritz Bartl.

Kostas Jakeliunas answered George's call for help to gather more accurate bridge statistics by writing step-by-step instructions on how to upgrade a bridge running on a Raspberry Pi to use the tor master branch. Lunar also pointed out that, thanks to Peter Palfrader's work on setting up continuous integration, Debian packages for the tor master branch were also available and ready to be used.

This issue of Tor Weekly News has been assembled by Lunar, dope457, mttp and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing-list if you want to get involved!