Tor Browser 10.5 is now available from the Tor Browser download page and also from our distribution directory.

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.6.6 on the download page.

Tor Browser 10.5a17 is now available from the Tor Browser download page and also from our distribution directory.

The journey to improve the user experience of connecting to the Tor network starts with Tor Browser 10.5, which will be released later this month. This release is the first in an upcoming series of releases helping censored users seamlessly access the open internet.

Tor Browser 10.0.18 is now available from the Tor Browser download page and also from our distribution directory.

After months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.6.5 on the download page. Packages should be available within the next several weeks, with a new Tor Browser around the end of the week.

Because this release includes security fixes, we are also releasing updates for our other supported releases. You can find their source at https://dist.torproject.org:

• 0.3.5.15 (gpg signature) (ChangeLog)
• 0.4.4.9 (gpg signature) (ChangeLog) [Note that 0.4.4.9 hits end-of-life tomorrow; this is the last supported 0.4.4.9 release.]
• 0.4.5.9 (gpg signature) (ChangeLog)

Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x series includes numerous features and bugfixes, including a significant improvement to our circuit timeout algorithm that should improve observed client performance, and a way for relays to report when they are overloaded.

This release also includes security fixes for several security issues, including a denial-of-service attack against onion service clients, and another denial-of-service attack against relays. Everybody should upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.

Below are the changes since 0.4.5.8. For a list of changes since 0.4.6.4-rc, see the ChangeLog file.

Changes in version 0.4.6.5 - 2021-06-14

• Major bugfixes (security):
  • Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams. Previously, clients failed to validate which hop sent these cells: this would allow a relay on a circuit to end a stream that wasn't actually built with it. Fixes bug 40389; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- 003 and CVE-2021-34548.
• Major bugfixes (security, defense-in-depth):
  • Detect more failure conditions from the OpenSSL RNG code. Previously, we would detect errors from a missing RNG implementation, but not failures from the RNG code itself. Fortunately, it appears those failures do not happen in practice when Tor is using OpenSSL's default RNG implementation. Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

Tor Browser 10.5a16 is now available from the Tor Browser download page and also from our distribution directory.

We're excited to announce that Snowflake will be shipped as one of the default bridge options with stable versions of Tor Browser later this month. Snowflake is a pluggable transport that uses a combination of domain fronting and peer-to-peer WebRTC connections between clients and volunteers to circumvent Internet censorship.