Archive

Tor Browser Bundle 1.1.9 is released.

It includes the following changes:

Update Tor to 0.2.1.12-alpha
Update Firefox to 3.0.6
Update Vidalia to 0.1.11

It's available at https://www.torproject.org/torbrowser/

Our fine green t-shirts have been a hit over the past few years. By the sheer number of requests we've received for another color, it appears not everyone is comfortable wearing the conversation starting green. We now have black t-shirts. Just like the green shirts, these are Fruit of the Loom "tagless" 100% cotton t-shirts. They have the Tor logo and domain name on the front, nothing on the back.

The conditions for receiving them are still the same: read more »

I was asked the other day why we don't advocate for just Tor as the one tool to rule them all. My glib answer is "of course we do, however the larger the toolbox, the better off the world."

Expanding on that notion, the various anonymity, privacy, and circumvention tools target different people and use cases. Tor advocates for Anonymity first, circumvention second. It would be very naive of us to think that we can solve all use cases. In fact, it would be silly of us to try to dictate the needs of any user. The larger the ecosystem of privacy and anonymity tools, the more options for users, and the better off we are as a whole. read more »

A growing number of people want to use Tor in low-bandwidth contexts (e.g. modems or shared Internet cafes in the Middle East) and mobile contexts (start up a Tor client, use it for a short time, and then stop it again). Currently Tor is nearly unusable in these situations, because it spends too many bytes fetching directory info. This post summarizes the steps we've taken so far to reduce directory overhead, and explains the steps that are coming next.

First, what do I mean by "directory info"? Part of the Tor design is the _discovery_ component: how clients learn about the available Tor relays, along with their keys, locations, exit policies, and so on. Tor's solution so far uses a few trusted directory authorities that sign and distribute official lists of the relays that make up the Tor network. read more »

Tor 0.2.1.12-alpha features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit). It also
includes a big pile of minor bugfixes and cleanups.

https://www.torproject.org/download.html.en

Changes in version 0.2.1.12-alpha - 2009-02-08
Security fixes:

• Fix an infinite-loop bug on handling corrupt votes under certain
  circumstances. Bugfix on 0.2.0.8-alpha.
• Fix a temporary DoS vulnerability that could be performed by
  a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
• Avoid a potential crash on exit nodes when processing malformed
  input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.

Minor bugfixes:

• Let controllers actually ask for the "clients_seen" event for read more »

Tor 0.2.0.34 features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have
many known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download.html

Changes in version 0.2.0.34 - 2009-02-08
Security fixes: read more »

• Fix an infinite-loop bug on handling corrupt votes under certain
        circumstances. Bugfix on 0.2.0.8-alpha.
• Fix a temporary DoS vulnerability that could be performed by
        a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
• Avoid a potential crash on exit nodes when processing malformed
  

Releases
Tor 0.2.1.8-alpha (released December 8) fixes some crash bugs in earlier alpha releases, builds better on unusual platforms like Solaris and old OS X, and fixes a variety of other issues.
http://archives.seul.org/or/talk/Dec-2008/msg00129.html

Tor Browser Bundle 1.1.6 (released December 2) and 1.1.7 (released December 12) update Tor to 0.2.1.8-alpha, include a new version of Firefox, and attempt to wrestle with the "AllowMultipleInstances=false" design that could allow us to run Tor Browser Bundle alongside a normal Firefox.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.9-alpha (released December 25) fixes many more bugs, some of them security-related.
http://archives.seul.org/or/talk/Jan-2009/msg00029.html

Bug fixes
Security fixes in the Tor 0.2.1.8-alpha release: read more »

Tor 0.2.0.33 fixes a variety of bugs that were making relays less useful
to users. It also finally fixes a bug where a relay or client that's
been off for many days would take a long time to bootstrap.

This update also fixes an important security-related bug reported by
Ilja van Sprundel. You should upgrade. (We'll send out more details
about the bug once people have had some time to upgrade.)

https://www.torproject.org/download.html

Changes in version 0.2.0.33 - 2009-01-21
Security fixes:

• Fix a heap-corruption bug that may be remotely triggerable on
  some platforms. Reported by Ilja van Sprundel.

Major bugfixes:

• When a stream at an exit relay is in state "resolving" or
  "connecting" and it receives an "end" relay cell, the exit relay
  would silently ignore the end cell and not close the stream. If
  the client never closes the circuit, then the exit relay never read more »