Blogs

Tor Browser 6.0a5-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a5-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

It contains a bunch of noteworthy changes. We switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary. We also ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Note: There is no incremental update from 6.0a3-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a4-hardened:

Tor Browser 6.0a5-hardened -- April 28 2016

  • All Platforms
    • Update Firefox to 45.1.0esr
    • Update Tor to 0.2.8.2-alpha
    • Update Torbutton to 1.9.5.3
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Translation updates
    • Update Tor Launcher to 0.2.8.4
      • Bug 13252: Do not store data in the application bundle
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Update meek to 0.22 (tag 0.22-18371-2)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable for now
    • Bug 17506: Reenable building hardened Tor Browser with startup cache
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
  • Build System
    • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Bug 18699: Stripping fails due to obsolete Browser/components directory
    • Bug 18698: Include libgconf2-dev for our Linux builds

Tor Browser 6.0a5 is released

A new alpha Tor Browser release is available for download in the 6.0a5 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

This will probably be our last alpha release before the stable 6.0 and it contains a bunch of noteworthy changes.

First, we switched the browser to Firefox ESR 45 and rebased our old patches/wrote new ones where necessary.

Second, we ship a new Tor alpha version, 0.2.8.2, which makes meek usable again and contains a number of other improvements/stability fixes.

Third, this alpha release introduces code signing for OS X in order to cope with Gatekeeper, the OS X mechanism for allowing only authorized applications to run. There were bundle layout changes necessary to adhere to code signing requirements. Please test that everything is still working as expected if you happen to have an OS X machine. We plan to post instructions for removing the code signing parts on our website soon. This should make it easier to compare the bundles we build with the actual bundles we ship.

The fourth highlight is the fix for an installer related DLL hijacking vulnerability. This vulnerability made it necessary to deploy a newer NSIS version to create our .exe files. Please test that the installer is still working as expected if you happen to have a Windows machine.

Known issues:

  • It seems there is a bug regarding our search engine selection in non-en-US bundles. The search engines actually used are the ones contained in the respective language packs but not those we ship. There is no easy workaround for this short of disabling the language pack or adding the search engines one wants to have by hand. We are sorry for this inconvenience.
  • An other issue is an error "Unable to start tor" after upgrading from an older version, on Mac OS (Bug 18928). Quitting and restarting a second time should fix the problem.

Here is the full changelog since 6.0a4:

Tor Browser 6.0a5 -- April 28 2016

  • All Platforms

    • Update Firefox to 45.1.0esr
    • Update Tor to 0.2.8.2-alpha
    • Update Torbutton to 1.9.5.3
      • Bug 18466: Make Torbutton compatible with Firefox ESR 45
      • Translation updates
    • Update Tor Launcher to 0.2.9.1
      • Bug 13252: Do not store data in the application bundle
      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Update meek to 0.22 (tag 0.22-18371-2)
      • Bug 18371: Symlinks are incompatible with Gatekeeper signing
    • Bug 15197 and child tickets: Rebase Tor Browser patches to ESR 45
    • Bug 18900: Fix broken updater on Linux
    • Bug 18042: Disable SHA1 certificate support
    • Bug 18821: Disable libmdns support for desktop and mobile
    • Bug 18848: Disable additional welcome URL shown on first start
    • Bug 14970: Exempt our extensions from signing requirement
    • Bug 16328: Disable MediaDevices.enumerateDevices
    • Bug 16673: Disable HTTP Alternative-Services
    • Bug 17167: Disable Mozilla's tracking protection
    • Bug 18603: Disable performance-based WebGL fingerprinting option
    • Bug 18738: Disable Selfsupport and Unified Telemetry
    • Bug 18799: Disable Network Tickler
    • Bug 18800: Remove DNS lookup in lockfile code
    • Bug 18801: Disable dom.push preferences
    • Bug 18802: Remove the JS-based Flash VM (Shumway)
    • Bug 18863: Disable MozTCPSocket explicitly
    • Bug 15640: Place Canvas MediaStream behind site permission
    • Bug 16326: Verify cache isolation for Request and Fetch APIs
    • Bug 18741: Fix OCSP and favicon isolation for ESR 45
    • Bug 16998: Disable <link rel="preconnect"> for now
    • Bug 18898: Exempt the meek extension from the signing requirement as well
    • Bug 18899: Don't copy Torbutton, TorLauncher, etc. into meek profile
    • Bug 18890: Test importScripts() for cache and network isolation
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)
  • Windows

  • OS X

    • Bug 6540: Support OS X Gatekeeper
    • Bug 13252: Tor Browser should not store data in the application bundle
  • Build System

    • All Platforms
      • Bug 18127: Add LXC support for building with Debian guest VMs
      • Bug 16224: Don't use BUILD_HOSTNAME anymore in Firefox builds
    • Windows
      • Bug 17895: Use NSIS 2.51 for installer to avoid DLL hijacking
      • Bug 18290: Bump mingw-w64 commit we use
    • OS X
      • Bug 18331: Update toolchain for Firefox 45 ESR
      • Bug 18690: Switch to Debian Wheezy guest VMs
    • Linux
      • Bug 18699: Stripping fails due to obsolete Browser/components directory
      • Bug 18698: Include libgconf2-dev for our Linux builds

Tor Browser 5.5.5 is released

Tor Browser 5.5.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 38.8.0esr. Additionally, we bump NoScript to version 2.9.0.11 and HTTPS-Everywhere to 5.1.6.

Moreover, we don't advertise our help desk anymore as we are currently restructuring our user support.

Here is the full changelog since 5.5.4:

Tor Browser 5.5.5 -- April 26 2016

  • All Platforms

    • Update Firefox to 38.8.0esr
    • Update Tor Launcher to 0.2.7.9

      • Bug 10534: Don't advertise the help desk directly anymore
      • Translation updates
    • Update HTTPS-Everywhere to 5.1.6
    • Update NoScript to 2.9.0.11
    • Bug 18726: Add new default obfs4 bridge (GreenBelt)

GetTor: New Ways to Download Tor Browser

We are pleased to announce the new features available in the GetTor, a service that provides alternative ways to download Tor Browser, aimed for people who live in places with high levels of censorship (e.g. when www.torproject.org is blocked) or people who just don't want to expose the fact that they are downloading Tor Browser. This work adds important new download options and capabilities and includes improvements to the current code, deployment of new channels and providers, and some brand new features such as the GetTor API. We would also like to give special thanks to Nima Fatemi, who was in charge of the non-coding parts of this project (from funding to technical management).


Update note: we now have the gettor@torproject.org account for the XMPP channel. However, we will have the get_tor@riseup.net account enabled for a couple of more weeks just in case you are still using it.


Landing page

A GetTor landing page has been created to offer information in one place (statistics, guides, etc.). If you are interested in what is going on with GetTor, following the landing page is highly recommended.


New Distribution Channels

In the past, GetTor has distributed packages by sending the bundles -- and then, later, just links -- via email. Now there are two more ways to interact with GetTor:


  1. Using Twitter: You can send a direct message to @get_tor account (you don't need to follow the @get_tor acount). Send the word help in a direct message to receive information on how to download the Tor Browser.

  2. Using XMPP: You can send a message to gettor@torproject.org using your favorite XMPP client. Simply enter help in an XMPP message to receive information on how to download the Tor Browser.


GitHub

GitHub is now a provider of Tor Browser (in addition to Dropbox and Google Drive), and the latest version of Tor Browser may be downloaded from our Github page and our Github repository.


Support for Android

Orbot is a free proxy (i.e. an intermediary) app that empowers other apps to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by sending it through a series of computers around the world. In addition to the download options provided by Guardian Project (Google Play, F-Droid, Direct download), GetTor provides yet another way to download Orbot to your mobile device. To do this, you have to reach one of our distribution channels and specify the android command (See Examples, at the bottom of this blog post). You will then receive instructions to download Orbot's Android Application Package (APK) file from Github, Google Drive or Dropbox. Once you have downloaded the APK file you can use it to install Orbot (similar to .exe files in Windows) and start using it.


Translated Versions of Tor Browser

GetTor provides a small set of translated packages focused on its end users. The available languages are Farsi, Chinese, Turkish, and English (which is the default). If you want to use this feature in the email autoresponder, for example, you send your request to:


    Farsi: gettor+fa@torproject.org
    Chinese: gettor+zh@torproject.org
    Turkish: gettor+tr@torproject.org
    English: gettor@torproject.org


For the Twitter and XMPP channels, you just need to add the language word to the
message (e.g. linux fa will get you links for Tor Browser in Farsi).


Mirrors

There are many volunteers who use their own servers to provide mirrors of Tor Project's website. One or more of these mirrors may be not blocked in places where torproject.org is censored and could help in downloading Tor Browser. With this new release, you can request a list of these mirrors from GetTor by sending an email (or message, in case of Twitter and XMPP) with the word mirrors in the body of the text.


Statistics

Some basic but effective improvements have been made to collect anonymous data and compile meaningful statistics about GetTor usage, including requests per channel, operating system, and language. Safeguards have been implemented so that all information collected is anonymous, and it is erased on a daily basis -- we just keep the number and types of requests. Reports about this data will soon be available on GetTor's website.


RESTful API

One of GetTor's major new features is its API. In simple terms, an API is a set of rules and specifications that allow applications to communicate with each other (following these rules). This is helpful to developers who want to create new services or applications based on the information provided by the API. In this case, the GetTor API provides the following information:

  1. Links to download Tor Browser by provider, with filters for operating system and language.

  2. Links to download Tor Browser from Tor Project's website, with filters for choosing the release (latest version , etc.), operating system, and language.

  3. List of mirrors of Tor Project's website.



You can find more information on the API documentation.


Invitation to Collaborate

If you are a Tor user, a developer, good at writing content for non-technical users or anything else, we are happy to hear from you! You can use the comments section below, the tor-talk and tor-dev mailing lists, or come talk to us on IRC (#tor-dev on OFTC; our nicknames are ilv, sukhe and mrphs).


How to Ask for Tor Browser--Some Examples

To help you get started, here are a few examples of GetTor requests with different locales (languages) and operating systems:


Example 1 (Email): To get links for downloading Tor Browser in Farsi for Windows, send an email to gettor+fa@torproject.org with the word windows in the body of the message.


Example 2 (Twitter): To get links for downloading Tor Browser in English for OS X, send a Direct Message to @get_tor with the words osx on it (you don't need to follow the account).


Example 3 (XMPP): To get links for downloading Tor Browser in Chinese for Linux, send a message to gettor@torproject.org account with the words linux zh on it.


Example 4 (Email): To get links for downloading Orbot for Android, send an email to gettor@torproject.org with the word android in the body of the message.

Tor Messenger 0.1.0b6 is released

We are pleased to announce another public beta release of Tor Messenger. This release features important security updates to Instantbird. All users are highly encouraged to upgrade.

Mozilla's ESR cycle

This release of Tor Messenger is the first release based on Mozilla's ESR cycle. As with Tor Browser, all future releases will continue to pair with this cycle.

Secure Updater

We are well aware of the current pain in upgrading Tor Messenger and are actively working towards porting Tor Browser's updater patches (#14388) so that keeping Tor Messenger up to date is as seamless and easy as possible. We continue to apologize for the inconvenience.

Before upgrading, back up your OTR keys

Before upgrading to the new release, you will need to back up your OTR keys or simply generate new ones. Please see the following steps to back them up.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

OS X (Mac)

sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).

Changelog

Here is the complete changelog since v0.1.0b5:

Tor Messenger 0.1.0b6 -- April 06, 2016

  • All Platforms
    • Use the THUNDERBIRD_45_0b3_RELEASE tag on mozilla-esr45
    • Use the THUNDERBIRD_45_0b3_RELEASE tag on comm-esr45
    • Bug 18533: Disable sending fonts or colors as part of messages
    • ctypes-otr
      • GH 68: Don't close notification bar until verification succeeds (patch by Elias Rohrer)
      • GH 71: Improve verifying from the fingerprint manager (patch by Vu Quoc Huy)
      • GH 72: Generate keys automatically after account creation (patch by Vu Quoc Huy)

Q and A with An East African Human Rights Activist

Can you tell us about your work?



I'm from East Africa. My background is in political science and I focus on the idea that consent in political systems helps build stability. I've been thinking about how to help communities circumvent or push back against information controls. When whistleblowers talk about corruption, there should be safe avenues of sharing that information without threatening their lives or their families.

How did you learn about Tor?

I didn't know that a web site could be blocked--I thought it was a problem with my computer--but then I saw in the comments section of a subreddit on Africa--it's mostly political--that some people could access a political web site. You want to know how they do it--you don't want to ask right there on reddit--so you research "access" "blocked" "website" as the key words.

This took me to Wikipedia and the article about circumvention tools. Then I learned about the routing through different servers to hide the source of a request.

I downloaded and installed Tor and it is slow--I thought it was a problem with my connection. But it worked! I could access websites that I could not access otherwise. Ethsat was blocked--a political and alternative media site that critiques the Ethiopian government and publishes info that is critical of government corruption.

[Ethsat is now blocked by CloudFlare and the site prohibits Firefox, which also means that it prohibits Tor. To circumvent this: Using the Tor browser, go to StartPage.com. Search for http://ethsat.com/, and click on the “proxy” link next to the search result. The disadvantage of this approach is that StartPage can see that a Tor IP address is visiting the website--but they won't know it's you. If you were to write your name on that website, you would de-anonymize yourself both to the website--and to StartPage. Thanks to Samdney for sharing this hack!
]

What was your reaction to CloudFlare CAPTCHAs when you first saw them?

You think the government is interfering or someone is playing around with it. You can't keep doing CAPTCHAs and they aren't working--you think something is broken here.

Doing one CAPTCHA is enough to identify if I'm human or not. [With repeated CAPTCHAs] I will run away from Tor. I won't use it. If CloudFlare really cares for security, then they should let people use Tor. Treat Tor like any other browser traffic.

What is your advice to other people in your country?

Use Tor -- For hundreds of thousands of people, it's the only way to access critical news.

Advice to other people like yourself?

You cannot purport to be fighting for society if you yourself are not secure. If you are not secure, you cannot secure others. The cobbler has no shoes. You are only as secure as your weakest browser. I most definitely would recommend Tor to frontline human rights defenders and journalists.

Any final thoughts?

Some people take it for granted that you can access any web site on the open Internet, but an Internet in which some web sites are blocked is not complete.

Other people are not as privileged--and Tor is giving them a fighting chance.

The Trouble with CloudFlare

Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system.

We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know:

1) CloudFlare uses an IP reputation system to assign scores to IP addresses that generate malicious traffic. In their blog post, they mentioned obtaining data from Project Honey Pot, in addition to their own systems. Project Honey Pot has an IP reputation system that causes IP addresses to be labeled as "malicious" if they ever send spam to a select set of diagnostic machines that are not normally in use. CloudFlare has not described the nature of the IP reputation systems they use in any detail.

2) External research has found that CloudFlare blocks at least 80% of Tor IP addresses, and this number has been steadily increasing over time.

3) That same study found that it typically took 30 days for an event to happen that caused a Tor IP address to acquire a bad reputation and become blocked, but once it happens, innocent users continued to be punished for it for the duration of the study.

4) That study also showed a disturbing increase over time in how many IP addresses CloudFlare blocked without removal. CloudFlare's approach to blocking abusive traffic is incurring a large amount of false positives in the form of impeding normal traffic, thereby damaging the experience of many innocent Tor and non-Tor Internet users, as well as impacting the revenue streams of CloudFlare's own customers by causing frustrated or blocked users to go elsewhere.

5) A report by CloudFlare competitor Akamai found that the percentage of legitimate e-commerce traffic originating from Tor IP addresses is nearly identical to that originating from the Internet at large. (Specifically, Akamai found that the "conversion rate" of Tor IP addresses clicking on ads and performing commercial activity was "virtually equal" to that of non-Tor IP addresses).

CloudFlare disagrees with our use of the word "block" when describing its treatment of Tor traffic, but that's exactly what their system ultimately does in many cases. Users are either blocked outright with CAPTCHA server failure messages, or prevented from reaching websites with a long (and sometimes endless) loop of CAPTCHAs, many of which require the user to understand English in order to solve correctly. For users in developing nations who pay for Internet service by the minute, the problem is even worse as the CAPTCHAs load slowly and users may have to solve dozens each day with no guarantee of reaching a particular site. Rather than waste their limited Internet time, such users will either navigate away, or choose not to use Tor and put themselves at risk.

Also see our new fact sheet about CloudFlare and Tor: https://people.torproject.org/~lunar/20160331-CloudFlare_Fact_Sheet.pdf

Tor 0.2.8.2-alpha is released

Tor 0.2.8.2-alpha has been released! You can download the source from the Tor website. Packages should be available over the next week or so.

Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous bugs in earlier versions of Tor, including some that prevented authorities using Tor 0.2.7.x from running correctly. IPv6 and directory support should also be much improved.

REMEMBER: This is an alpha release. Expect a lot of bugs. You should only run this release if you're willing to find bugs and report them.

Changes in version 0.2.8.2-alpha - 2016-03-28

  • New system requirements:
    • Tor no longer supports versions of OpenSSL with a broken implementation of counter mode. (This bug was present in OpenSSL 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no longer runs with, these versions.
    • Tor no longer attempts to support platforms where the "time_t" type is unsigned. (To the best of our knowledge, only OpenVMS does this, and Tor has never actually built on OpenVMS.) Closes ticket 18184.
    • Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or later (released in 2008 and 2009 respectively). If you are building Tor from the git repository instead of from the source distribution, and your tools are older than this, you will need to upgrade. Closes ticket 17732.
  • Major bugfixes (security, pointers):
    • Avoid a difficult-to-trigger heap corruption attack when extending a smartlist to contain over 16GB of pointers. Fixes bug 18162; bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. Reported by Guido Vranken.

  read more »

Syndicate content Syndicate content