Tor Blog | The Tor Project

New Release: Tor Browser 10.5a13

Tor Browser 10.5a13 is now available from the Tor Browser Alpha download page and also from our distribution directory.

5 comments

New Release: Tor Browser 10.0.15

Tor Browser 10.0.15 is now available from the Tor Browser download page and also from our distribution directory.

Onionize your Workflow with the Onion Guide Fanzine

One way we help human rights defenders and organizations take back their right to privacy online is by helping them to use and set up onion services. Last year, thanks to the support of Digital Defenders Partnership, we wrote a series of Onion Guides intended to make it easier for our partners to correctly and safely set up their own onion services.

19 comments

New Release: Tor Browser 10.0.14

Tor Browser 10.0.14 is now available from the Tor Browser download page and also from our distribution directory.

28 comments

Get a TLS certificate for your onion site

We are happy to share the news of another important milestone for .onion services! You can now get DV certificates for your v3 onion site using HARICA, a Root CA Operator founded by Academic Network (GUnet), a civil society nonprofit from Greece.

New Release: Tor Browser 10.5a12 (Android Only)

Tor Browser 10.5a12 is now available from the Tor Browser Alpha download page and also from our

14 comments

New Alpha Release: Tor 0.4.6.1-alpha

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.6.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely next week.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It improves client circuit performance, adds missing features, and improves some of our DoS handling and statistics reporting. It also includes numerous smaller bugfixes.

Below are the changes since 0.4.5.7. (Note that this release DOES include the fixes for the security bugs already fixed in 0.4.5.7.)

Changes in version 0.4.6.1-alpha - 2021-03-18

Major features (control port, onion services):
- Add controller support for creating version 3 onion services with client authorization. Previously, only v2 onion services could be created with client authorization. Closes ticket 40084. Patch by Neel Chauhan.
Major features (directory authorityl):
- When voting on a relay with a Sybil-like appearance, add the Sybil flag when clearing out the other flags. This lets a relay operator know why their relay hasn't been included in the consensus. Closes ticket 40255. Patch by Neel Chauhan.

Sign now: European initiative for a ban on biometric mass surveillance

The “Reclaim Your Face” coalition has launched a European Citizens’ Initiative for a ban on biometric mass surveillance. Individuals can sign the petition for a ban on biometric mass surveillance. Organizations can get involved, too.

New releases (with security fixes): Tor 0.3.5.14, 0.4.4.8, and 0.4.5.7

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.5.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser coming next week.

Also today, Tor 0.3.5.14 (changelog) and Tor 0.4.4.8 (changelog) have also been released; you can find them (and source for older Tor releases) at https://dist.torproject.org.

These releases fix a pair of denial-of-service issues, described below. One of these issues is authority-only. The other issue affects all Tor instances, and is most damaging on directory authorities and relays. We recommend that everybody should upgrade to one of these versions once packages are available.

Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier versions of Tor.

One of these vulnerabilities (TROVE-2021-001) would allow an attacker who can send directory data to a Tor instance to force that Tor instance to consume huge amounts of CPU. This is easiest to exploit against authorities, since anybody can upload to them, but directory caches could also exploit this vulnerability against relays or clients when they download. The other vulnerability (TROVE-2021-002) only affects directory authorities, and would allow an attacker to remotely crash the authority with an assertion failure. Patches have already been provided to the authority operators, to help ensure network stability.

We recommend that everybody upgrade to one of the releases that fixes these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available to you.

This release also updates our GeoIP data source, and fixes a few smaller bugs in earlier releases.

Changes in version 0.4.5.7 - 2021-03-16

Major bugfixes (security, denial of service):
- Disable the dump_desc() function that we used to dump unparseable information to disk. It was called incorrectly in several places, in a way that could lead to excessive CPU usage. Fixes bug 40286; bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- 001 and CVE-2021-28089.
- Fix a bug in appending detached signatures to a pending consensus document that could be used to crash a directory authority. Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 and CVE-2021-28090.
Minor features (geoip data):
- We have switched geoip data sources. Previously we shipped IP-to- country mappings from Maxmind's GeoLite2, but in 2019 they changed their licensing terms, so we were unable to update them after that point. We now ship geoip files based on the IPFire Location Database instead. (See https://location.ipfire.org/ for more information). This release updates our geoip files to match the IPFire Location Database as retrieved on 2021/03/12. Closes ticket 40224.

How to contribute to the Tor metrics timeline

The metrics timeline is a database of news and events that may affect Tor Metrics graphs. This post is about how you can contribute to the timeline and help keep it up to date.

6 comments

Upcoming Events

May 26, 2021

PrivChat #4 - 25th Anniversary of Onion Routing

To celebrate the 25th anniversary of the academic publication of onion routing, we're holding PrivChat #4 on May 26 at 18:00 UTC with host Gabriella Coleman and panelists Roger Dingledine and Nick Mathewson. Stay tuned for more details!

June 07, 2021 - June 11, 2021

Rightscon (with Tor panel!)

July 12, 2021 - July 16, 2021

Privacy Enhancing Technologies Symposium (PETS)

August 27, 2021

Free and Open Communications on the Internet (FOCI) workshop

See All Upcoming Events

Recent Updates

Dreaming At Dusk

New release: Tor 0.4.5.8

We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.4.5.8 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes from the 0.4.6.x series.

Changes in version 0.4.5.8 - 2021-05-10

Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
- Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.
Minor features (compilation, backport from 0.4.6.3-rc):
- Make the autoconf script build correctly with autoconf versions 2.70 and later. Closes part of ticket 40335.

New release candidate: Tor 0.4.6.3-rc

There's a new release candidate available for download. If you build Tor from source, you can download the source code for Tor 0.4.6.3-rc from the download page on the website. Packages should be available over the coming weeks, with a new Tor Browser release likely next week.

Tor 0.4.6.3-rc is the first release candidate in its series. It fixes a few small bugs from previous versions, and adds a better error message when trying to use (no longer supported) v2 onion services.

Though we anticipate that we'll be doing a bit more clean-up between now and the stable release, we expect that our remaining changes will be fairly simple. There will likely be at least one more release candidate before 0.4.6.x is stable.

Changes in version 0.4.6.3-rc - 2021-05-10

Major bugfixes (onion service, control port):
- Make the ADD_ONION command properly configure client authorization. Before this fix, the created onion failed to add the client(s). Fixes bug 40378; bugfix on 0.4.6.1-alpha.
Minor features (compatibility, Linux seccomp sandbox):
- Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.

Check the status of Tor services with status.torproject.org

The Tor Project now has a status page which shows the state of our major services.