phobos's blog

We have declared end-of-life for Tor 0.2.0.x. Those Tor versions have
several known flaws, and nobody should be using them. You should upgrade.

Specifically, the big flaw in Tor <= 0.2.0.35 is that its list of
directory authorities is out of date, so you'll find it hard to learn
about the network. We're signing the network status consensus with the
old signatures for now, but we're going to stop doing that in a few weeks,
which means your Tor 0.2.0.x will fail to find the current network.

The only exception is people using Debian Lenny -- our nice Debian
packager is trying to keep that package maintained for you.

As a bonus, if you move to a newer Tor you'll get significant performance
boosts as a client, and you'll improve the performance for others as
a relay.

The original message is archived at http://archives.seul.org/or/announce/Mar-2010/msg00001.html

We've teamed up with Printfection to offer you a chance to support Tor, enhance your wardrobe, and get people to ask you, "what's with the onion?" We support many styles of mens and womens t-shirts right now, in all 31 colors Printfection offers. If you have made your own graphics, let us know and we'll add it to the store.

Printfection will ship globally and only uses your data to ship your order.

Casey Shorr, the CEO of Printfection, says,

"The Tor Project is leveraging Printfection's on-demand merchandise fulfillment technology to engage their supporters and generate additional revenue to help protect anonymity online. We're proud to be associated with such an important project."

The Tor Store can be found at http://printfection.com/torprojectstore. The full press release is here, https://www.torproject.org/press/2010-03-25-tor-store-press-release.html....

Enjoy!

At Libreplanet 2010, I was in a discussion with the MonkeySphere and EFF folks about how to encourage every website to offer ssl by default. The general idea is to stop local traffic snooping and provide more security by default. During the discussion, it came up that I disable all of the Certificate Authorities in my systems and selectively trust the ssl certificates from individual websites. I've been doing this for years. Apparently my admission was a shocking statement to many. The group asked me to document my Firefox setup and what life is like without any trusted CAs. Seth from the EFF has a quick post about possible concerns over the CAs in your browser. read more »

New releases read more »

• On February 13, we released a new stable version of Tor, 0.2.1.23. Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work again on the latest OS X, and updates the location of a directory authority.
• On February 21st, we released an update Tor stable in 0.2.1.24. Tor 0.2.1.24 makes Tor work again on the latest OS X – this time for sure!
• On February 22, we released the latest in the -alpha series, 0.2.2.9-alpha.
• On February 15th, we released an updated Tor Browser Bundle; version 1.3.2.
• On February 27th, we released an updated Tor Browser Bundle, version 1.3.3.
• On February 18th, Tor for the Nokia Maemo mobile platform was announced. https://blog.torproject.org/blog/tor-nokia-n900-maemo-gsm-telephone.

As you may have noticed, the blog is having problems keeping up with the load. It seems the blog has become very popular over the past month. Even with caching enabled, the blog can't keep up. Another reason for the issues is that we're caught in a tricky balance between making the CAPTCHA easy to pass for humans with legitimate comments versus automated comment spammers. And then there are the human comment spammers which can pass any CAPTCHA we put up with varying degrees of success. We're up to hundreds of spam comments per day. We don't want to use a third party CAPTCHA or comment service because then we're giving up all our viewers to their tracking mechanisms. There's already enough surveillance on the Internet. Therefore, comments are disabled for the next day while we assess the load on the blog.

We are working on forums, right now they are tied up in making sure they are functional without javascript. We will announce and release them when they are ready. read more »

Experts in China tell us Tor is not being singled out, that all "circumvention" tools are being subjected to the censorship regime of the Great Firewall of China as politically sensitive anniversaries come about. We also hear people in China need their privacy too, even if they never leave the Chinese Internet.

However, it appears China is getting better at blocking Tor. Here's a graph of returning users to the Tor Network from China:

However, most Tor users in China switched to non-public relays, called bridges, over the past few months. Interestingly, the GFW has also started blocking some of the more popular bridges: read more »

Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work again on the latest OS X, and updates the location of a directory authority.

Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time for sure!

The Windows and OS X bundles also come with a newer version of Polipo that fixes some stability and security problems.

People using Tor as a client should upgrade:
https://www.torproject.org/easy-download

Changes in version 0.2.1.23 - 2010-02-13
Major bugfixes (performance): read more »

• We were selecting our guards uniformly at random, and then weighting which of our guards we'd use uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.

As announced here, http://archives.seul.org/or/talk/Feb-2010/msg00033.html, we now produce rpms and debs of Tor and Vidalia for easier installation.

When using ubuntu, opensuse, fedora, centos/redhat, or debian, you can simply add our repositories to your package management application (yum, apt, apttitude, zypper, etc) and always have the latest -stable or -alpha tor and vidalia.

This is a direct result of hiring Erinn in December.