Archive

December 2009 Progress Report

New releases, new hires, new funding
Erinn Clark joins Tor to develop, enhance, and upgrade our package build system. Her initial goals are to configure, maintain, and automate builds of Tor and Vidalia for Windows, OS X, Ubuntu, Debian, CentOS, Fedora, and openSUSE systems. Secondary goals are to develop a buildbot system that includes as many disparate operating systems as possible, including Apple OS X and Microsoft Windows flavors.

Apple workaround for openssl issues on OS X 10.5 and 10.6

Apple responded to my bug report about a broken openssl. I've since built test packages for OS X 10.5 and 10.6 users. Their response is:

Thank you for your report of this issue with Tor.

The issue you're seeing is because the current versions of the development tools were created before the OpenSSL security fix, and so do not include the "SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION" definition in the OpenSSL headers.

You can work around this issue by supplying the definition to Tor directly, for example by compiling Tor using

CPPFLAGS='-DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010' ./configure && make

This will work on both Leopard and Snow Leopard.

If you have an Intel (i386) Mac, use the normal i386 packages for the Tor 0.2.2.8-alpha release at https://www.torproject.org/download.

If you have a PowerPC (ppc) Mac AND are running OS X 10.5 or 10.6, use these packages:

EFF's Panopticlick and Torbutton

The EFF has recently released a browser fingerprinting test suite that they call Panopticlick. The idea is that in normal operation, your browser leaks a lot of information about its configuration which can be used to uniquely fingerprint you independent of your cookies.

Because of how EFF's testing tool functions, it has created some confusion and concern among Tor users, so I wanted to make a few comments to try to clear things up.

Apple broke OpenSSL which breaks Tor on OS X

Apple OS X Security Update 2010-001 removes OpenSSL renegotiation, http://support.apple.com/kb/HT1222. We've filed a bug report with Apple on this issue. Their standard response so far is http://support.apple.com/kb/HT4004.

In the meanwhile, we have bug #1225 open, https://bugs.torproject.org/flyspray/index.php?do=details&id=1225. Add yourself to the Notifications if you want updates as they happen. A fine explanation of why Tor is not affected by the TLS renegotiation bug can be found at https://bugs.torproject.org/flyspray/index.php?do=details&id=1225&area=c...

Packages for testing are available at:
https://www.torproject.org/dist/testing/

READ THIS FINE PRINT:

  1. These will only work on OSX 10.5 and 10.6 (both i386 and powerpc). Tor fails to compile when using the 10.4 libraries and static openssl.
  2. Tor-0.2.2.8-alpha-i386-Bundle.dmg is compiled to replace the tor

Tor Browser Bundle 1.3.1 Released

The latest in the Tor Browser series, version 1.3.1, is released. This includes updates to Firefox, Pidgin, and Tor.

Tor 0.2.1.22 rotates two of the seven v3 directory authority keys and
locations, due to a security breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

It also fixes a privacy problem in bridge directory authorities -- it
would tell you its whole history of bridge descriptors if you make the
right directory request.

Everybody should upgrade:
https://www.torproject.org/easy-download

The changelog is:

1.3.1: Released 2010-01-22
update Firefox to 3.5.7
update Pidgin to 2.6.5
update Tor to 0.2.1.22

Tor 0.2.2.7-alpha released

Tor 0.2.2.7-alpha fixes a huge client-side performance bug, as well
as laying the groundwork for further relay-side performance fixes. It
also starts cleaning up client behavior with respect to the EntryNodes,
ExitNodes, and StrictNodes config options.

This release also rotates two directory authority keys, due to a security
breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

Everybody should upgrade:
https://www.torproject.org/download.html.en

Changes in version 0.2.2.7-alpha - 2010-01-19
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.

  o Major features (performance):
    - We were selecting our guards uniformly at random, and then weighting
      which of our guards we'd use uniformly at random. This imbalance
      meant that Tor clients were severely limited on throughput (and
      probably latency too) by the first hop in their circuit. Now we

Tor 0.2.1.22 Released

Tor 0.2.1.22 rotates two of the seven v3 directory authority keys and
locations, due to a security breach of some of the Torproject servers:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

It also fixes a privacy problem in bridge directory authorities -- it
would tell you its whole history of bridge descriptors if you make the
right directory request.

Everybody should upgrade:
https://www.torproject.org/easy-download

Changes in version 0.2.1.22 - 2010-01-19
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.

  o Major bugfixes:
    - Stop bridge directory authorities from answering dbg-stability.txt
      directory queries, which would let people fetch a list of all
      bridge identities they track. Bugfix on 0.2.1.6-alpha.

Net Freedom, Secretary Clinton, and Tor

I attended the speech given by Secretary Clinton on Jan 21, 2010, http://www.state.gov/secretary/rm/2010/01/135519.htm. Most of it was a rehashing of what many of us already know and believe, but it's still good to hear the US Govt "gets it" and is trying to promote the openness on which the Internet has thrived. You can watch the full speech at http://netfreedom.state.gov. Interestingly, someone got to ask the anonymity question before me,

QUESTION: You talked about anonymity on line and how we have to prevent that. But you also talk about censorship by governments. And I’m struck by – having a veil of anonymity in certain situations is actually quite beneficial. So are you looking to strike a balance between that and this emphasis on censorship?