Archive

Tor Browser 5.0.2 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we updated the NoScript version we ship and included a small fix for Unity and Gnome users on Linux.

Here is the complete changelog since 5.0.1:

  • All Platforms
    • Update Firefox to 38.2.1esr
    • Update NoScript to 2.6.9.36
  • Linux
    • Bug 16860: Avoid duplicate icons on Unity and Gnome

Tor Weekly News — August 20th, 2015

Welcome to the thirty-second issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0.1 is out

The Tor Browser team put out a new stable version of the privacy-preserving browser. Version 5.0.1 fixes a crash bug in the recent 5.0 release that was hindering some users’ attempts to access popular websites like Google Maps and Tumblr. There are no other changes in this release.

Thanks to the new automatic update mechanism in the Tor Browser 5.x series, you are probably already running the upgraded version! If not, head to the project page to get your copy.

Tor talks at Chaos Communication Camp 2015

There was a heavy Tor presence at the recent Chaos Communication Camp near Zehdenick, Germany, and as usual there were some Tor-related talks by community members that are now available to watch online. Tor and Debian developer Lunar, one of the minds behind Debian’s pioneering and highly successful reproducible builds project (itself inspired by the Tor Browser team’s work in this line) gave a talk entitled “How to make your software build reproducibly”.

Tor Project Director of Communications Kate Krauss, meanwhile, participated in a talk entitled “What’s the catch?”, addressing the subject of free software projects receiving funding from State organizations, and the ways in which this does or does not affect the work of these projects.

Tor developers also participated in the “Tor Services using GNS” session of the Youbroketheinternet village. The session was about Tor using GNS as its name resolution system, and about various ways that we could integrate GNUNet and other anonymity systems with Tor. It was decided that the discussion will continue on the tor-dev mailing list.

Happy sixth birthday, Tails!

In the small hours of Sunday night, the Tails project turned six years old. It may still have most of its milk teeth, but the anonymous live operating system is already the security tool of choice for a wide range of users. It has been endorsed by Reporters Without Borders, groups campaigning against domestic violence, and the team behind the Academy Award-winning documentary CITIZENFOUR (among many others), as Voice of America reported last month.

The Tails team has laid out its vision for the next two years in its draft 2016-2017 roadmap, and you can read a summary of its current activities in the last monthly report. Congratulations to the team on reaching this anniversary!

Miscellaneous news

Hot on the heels of last week’s 2.4 release, Karsten Loesing put out version 2.5 of Onionoo, the Tor network data observatory. This release adds a new optional field named “measured” to Onionoo’s details documents. “The main idea behind this new field is that relay operators and Tor network debuggers can now figure out easily whether a relay is affected by not being measured by a sufficient number of bandwidth authorities and as a result has lower usage than it could handle”, writes Karsten. The new field is not yet shown in Onionoo web interfaces like Globe and Atlas, but it is accessible through the Onionoo API. For more details, see the relevant ticket.

David Fifield announced that the recent outage affecting meek’s Microsoft Azure backend is now resolved. Most users will have switched to the workaround version included in the most recent Tor Browser releases, but if for some reason you are still using the old configuration, it too should now be working once again.

David Stainton asked for brief code review of his Twisted-based Tor HTTP proxy. “Is this project worthy of your precious 10 minutes to review it... so I can improve the code quality?”


This issue of Tor Weekly News has been assembled by Harmony, Karsten Loesing, and George Kadianakis.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser 5.0.1 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release fixes a crash bug that caused Tor Browser to crash on certain sites (in particular, Google Maps and Tumblr). The crash bug was a NULL pointer dereference while handling blob URIs. The crash was not exploitable.

Here is the complete changelog since 5.0:

  • All Platforms
    • Bug 16771: Fix crash on some websites due to blob URIs

Tor Weekly News — August 14th, 2015

Welcome to the thirty-first issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 5.0 and 5.5a1 are out

The Tor Browser team put out two new releases of the privacy-preserving web browser. Version 5.0, the first release in the new stable series, is based on Firefox 38ESR, “which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements”. Updates to Tor Browser are now downloaded automatically in the background, removing the need for users to go through the update wizard manually. New privacy features in this release include first-party domain bar isolation of more identifier sources, and “defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting”.

The first alpha release in the 5.5 series, meanwhile, fixes the recent pdf.js exploit to which users of 5.0a3 and 5.0a4 had been vulnerable; it also contains a refined version of the new font fingerprinting defenses in which “Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases”.

For full changelogs and download instructions, please see the team’s announcements. Both of these new releases contain important security updates, so please upgrade your Tor Browser as soon as you can.

Tails 1.5 is out

The Tails developers announced version 1.5 of the anonymous live operating system. This release disables access to the local network in Tor Browser, restricting this activity to Tails’ “unsafe browser”. It also ships with Tor Browser 5.0, and a 32-bit GRUB EFI bootloader, so “Tails should now start on some tablets with Intel Bay Trail processors, among others”.

For a list of all the changes in this release, please see the team’s announcement. This is an important security update, so please download your copy as soon as possible, either from the Tails website or via the incremental updater.

OnioNS beta testing version is out

Jesse Victors announced the first beta testing release of his Tor Summer of Privacy project, the Onion Name System (OnioNS). OnioNS is a distributed system that links hard-to-remember and hard-to-verify onion service addresses (such as “onions55e7yam27n.onion”) to domain names that are easier for humans to read and recall (like “example.tor”).

The software that comprises OnioNS is divided into three main parts: OnioNS-HS, OnioNS-client, and OnioNS-server. These are respectively intended to be run by onion services wishing to claim domain names, clients (such as Tor Browser users) wanting to visit services using these names, and the servers that let the system function. Whichever software you download will also require the OnioNS-common library in order to work.

This is a beta testing version, so Jesse warns that it is not ready to be used on production onion services and that name-claims made now may not survive in the long term. If you’re willing to give the system a try, however, please see Jesse’s message for further information, and feel free to send “feedback as to how usable the system is and areas where it could be improved” to the tor-dev mailing list, or file issues on the bug tracker of the relevant software package.

Miscellaneous news

Karsten Loesing deployed version 2.4 of Onionoo , the Tor network data observatory. This release implements an optional “effective_family” field to Onionoo details documents, listing all the relays with which the relay in question is in an effective, mutual family relationship. “The main goal here is to make it easier to detect misconfigured relay families. This can be relay operators or friendly people watching over the Tor network and reminding relay operators to fix their configurations.”

Colin Childs sent out a call for new volunteers to man the Tor help desk, which offers individual support to Tor users all over the world. If you can use Tor Browser and other Tor software with confidence and have a good understanding of the theory behind Tor, know how to use GnuPG (or are willing to learn), and are an active member of the Tor community who wants to help users on an ongoing basis, then please see Colin’s message for more details.

The Tails project sent out its monthly report for July, featuring development updates, upcoming events, and summaries of ongoing discussions.

George Kadianakis sent out the SponsorR report, and also submitted his own status report for July.

Alec Muffett revived the discussion around possible human factors to consider when devising a new and more secure system of onion addresses (such as the one suggested in proposal 224).

Sue Gardner invited active Tor community members to take part in a short survey as part of her work to devise a long-term strategic plan for the Tor Project.

Thomas White put out a call for “good guides on using Tor with common applications” to form part of a “small site dedicated to Tor usage [that] will convey, in as simple as possible terms, how to put as many applications as possible through Tor”.


This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser 5.5a1 is released

The Tor Browser Team is proud to announce the first alpha release in the 5.5 series. The release is available for download in the 5.5a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox. In particular, while the recent PDF.js exploit did not affect 4.5 users, it does affect users of 5.0a3 and 5.0a4. Although the High security level of the Security Slider also prevented the exploit from working against even those users, all alpha users are still strongly encouraged to upgrade as soon as possible.

In addition to fixing these security issues, the remaining major issues with Firefox 38 from 5.0a4 were also fixed. This release also features improvements to fingerprinting defenses. In particular, we continue to refine our font fingerprinting defense that was added in 5.0a4. With this defense, Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases. Interested users are encouraged to help us refine this defense by commenting on the associated ticket in our bugtracker.

This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Here is the complete changelog since 5.0a4:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update NoScript to 2.6.9.34
    • Update Torbutton to 1.9.3.3
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 14429: Make sure the automatic resizing is enabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16311: Fix navigation timing in ESR 38
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 16672: Change font whitelists and configs for rendering issues (partial)

Tor Browser 5.0 is released

The Tor Browser Team is proud to announce the first stable release in the 5.0 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox. Note that the recent PDF.js exploit did not affect 4.5 users, but they should upgrade to this release immediately because numerous other potential security issues were fixed by Mozilla in this release. (Incidentally: Users who are using the 5.0-alpha series are vulnerable to the PDF.js exploit, but not if they were using the 'High' security level. Regardless, we are also upgrading 5.0-alpha users to 5.5a1 today to fix the issue as well).

This release also brings us up to date with Firefox 38-ESR, which should mean improved support for HTML5 video on Youtube, as well as a host of other improvements. Controversial and hard-to-audit binary components related to EME DRM were disabled, however.

The release also features new privacy enhancements. In particular, more identifier sources that appeared in Firefox 38 (or were otherwise disabled previously) are now isolated to the first party (URL bar) domain. This release also contains defenses from the 5.0-alpha series for keystroke (typing) fingerprinting and some instances of performance/timing fingerprinting.

Regrettably, our new defenses for font and keyboard layout fingerprinting did not stabilize in time for this release. Users who are interested in helping us improve them should try out 5.5a1.

This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.

Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing.

Here is the complete changelog since 4.5.3:

  • All Platforms
    • Update Firefox to 38.2.0esr
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to 2.6.9.34
    • Update meek to 0.20
    • Update Tor to 0.2.6.10 with patches:
      • Bug 16674: Allow FQDNs ending with a single '.' in our SOCKS host name checks.
      • Bug 16430: Allow DNS names with _ characters in them (fixes nytimes.com)
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update Torbutton to 1.9.3.2
      • Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
      • Bug 16730: Reset NoScript whitelist on upgrade
      • Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
      • Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Bug 16427: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 16200: Update Cache API usage and prefs for FF38
      • Bug 16357: Use Mozilla API to wipe permissions db
      • Bug 14429: Make sure the automatic resizing is disabled
      • Translation updates
    • Update Tor Launcher to 0.2.7.7
      • Bug 16428: Use internal update URL to block updates (instead of 127.0.0.1)
      • Bug 15145: Visually distinguish "proxy" and "bridge" screens.
      • Translation updates
    • Bug 16730: Prevent NoScript from updating the default whitelist
    • Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
    • Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent indexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
    • Bug 13247: Fix meek profile error after bowser restarts
    • Bug 16005: Relax WebGL minimal mode
    • Bug 16300: Isolate Broadcast Channels to first party
    • Bug 16439: Remove Roku screencasting code
    • Bug 16285: Disabling EME bits
    • Bug 16206: Enforce certificate pinning
    • Bug 15910: Disable Gecko Media Plugins for now
    • Bug 13670: Isolate OCSP requests by first party domain
    • Bug 16448: Isolate favicon requests by first party
    • Bug 7561: Disable FTP request caching
    • Bug 6503: Fix single-word URL bar searching
    • Bug 15526: ES6 page crashes Tor Browser
    • Bug 16254: Disable GeoIP-based search results.
    • Bug 16222: Disable WebIDE to prevent remote debugging and addon downloads.
    • Bug 13024: Disable DOM Resource Timing API
    • Bug 16340: Disable User Timing API
    • Bug 14952: Disable HTTP/2
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP & favicons respect URL bar domain isolation
    • Bug 16311: Fix navigation timing in ESR 38
  • Windows
    • Bug 16014: Staged update fails if meek is enabled
    • Bug 16269: repeated add-on compatibility check after update (meek enabled)
  • Mac OS
    • Use OSX 10.7 SDK
    • Bug 16253: Tor Browser menu on OS X is broken with ESR 38
    • Bug 15773: Enable ICU on OS X
  • Build System
    • Bug 16351: Upgrade our toolchain to use GCC 5.1
    • Bug 15772 and child tickets: Update build system for Firefox 38
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
    • Bug 15864: rename sha256sums.txt to sha256sums-unsigned-build.txt

Tails 1.5 is out

Tails, The Amnesic Incognito Live System, version 1.5, is out.

This release fixes numerous security issues and all users must upgrade as soon as possible.

New features

  • Disable access to the local network in the Tor Browser. You should now use the Unsafe Browser to access the local network.

Upgrades and changes

  • Install Tor Browser 5.0 (based on Firefox 38esr).
  • Install a 32-bit GRUB EFI boot loader. Tails should now start on some tablets with Intel Bay Trail processors among others.
  • Let the user know when Tails Installer has rejected a device because it is too small.

There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Fixed problems

  • Our AppArmor setup has been audited and improved in various ways which should harden the system.
  • The network should now be properly disabled when MAC address spoofing fails.

Known issues

See the current list of known issues.

Download or upgrade

Go to the download page.

What's coming up?

The next Tails release is scheduled for September 22.

Have a look to our roadmap to see where we are heading to.

Do you want to help? There are many ways you can contribute to Tails, for example by donating. If you want to help, come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Tor Weekly News — August 8th, 2015

Welcome to the thirtieth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor 0.2.7.2-alpha is out

Nick Mathewson announced the second alpha release in the Tor 0.2.7.x series. This version includes improvements to the handling of Tor’s identity keys, which now use the Ed25519 elliptic curve signature format. It also allows onion service operators to specify a higher number of introduction points with a special configuration option, if the service is coming under heavy load, “at the cost of making it more visible that the hidden service is facing extra load”.

For full details of the many other developments in this release, please see Nick’s announcement. The source code is available as usual from Tor’s distribution directory.

Tor Browser 5.0a4 is out

The Tor Browser team put out their fourth alpha release in the 5.0 series of the privacy-preserving anonymous browser. “Most notably, this release contains an experimental defense against font fingerprinting by using an identical set of shipped fonts on all supported platforms”, wrote Georg Koppen. This version also fixes some of the issues created by the update to Firefox 38ESR, which “brings us very close to a stable Tor Browser 5.0, which we aim to release next week”.

Get your copy of the new alpha from the project page, or via the incremental updater if you are already using the alpha Tor Browser series.

Random number generation during Tor voting

One of the weaknesses of the current onion service design is that parts of it (such as the relays chosen by a service to upload its descriptor) rely on a list of Tor relays which is generated in a predictable way. This makes it possible for people with malicious intentions to insert their bad relays into the list at points of their choosing, in order to carry out attacks such as denials-of-service (as some researchers proved earlier this year). A good way of preventing this is to make Tor’s directory authorities jointly come up with a random number as part of their regular voting procedure, which is then used by onion services to choose the directories to which they will upload their descriptor information, and by clients to find those same directories. It could also be used by other systems as a shared source of randomness.

George Kadianakis published a draft proposal describing how this procedure could work. For a period of twelve hours, the directory authorities send each other a “commitment”, consisting of the hash of a 256-bit value. Once all authorities are aware of the others’ commitments, they then reveal to one another the values they committed to, for another twelve-hour period. At the end of that time, the revealed values are checked to see if they correspond to the commitments, and then they are all used to compute that day’s random value. This works because although you can use the commitment hash to verify that the value revealed is the same as the one decided upon twelve hours ago, you cannot derive the value itself from the commitment.

Please see the draft proposal in full for discussion of the finer points of the proposed system, or if you are a fan of ingenious solutions.

CameraV (aka InformaCam) is out

The Guardian Project put out a full release of CameraV (or InformaCam), a nifty smartphone application that lets you “capture and share verifiable photos and video proof on a smartphone or tablet, all the while keeping it entirely secure and private”. It allows you to prove the authenticity of your photos by using “the built-in sensors in modern smartphones for tracking movement, light and other environmental inputs, along with Wi-Fi, Bluetooth, and cellular network information to capture a snapshot of the environment around you” and bundling this information into the picture file.

As you would expect, InformaCam is fully compatible with the Guardian Project’s Tor software offerings for Android, so whether you’re a citizen journalist or a keen phone photographer who values privacy, take a look at the CameraV page and try it out for yourself!

Monthly status reports for July month 2015

The wave of regular monthly reports from Tor project members for the month of July has begun. Pearl Crescent released their report first (for work on Tor Browser development), followed by reports from David Goulet (on onion service research and development), Georg Koppen (working on Tor Browser), Isabela Bagueros (for overall project management), Karsten Loesing (working on Tor network tools and organizational tasks), Damian Johnson (on Nyx and stem development), and Juha Nurmi (on ahmia.fi development).

The students in this year’s Tor Summer of Privacy also sent updates about their progress. Donncha O’Cearbhaill gave news of the OnionBalance load-balancing project, while Jesse Victors did the same for the OnioNS DNS-like system, Cristobal Leiva for the relay web status dashboard, and Israel Leiva for continuing development of the GetTor alternative software distributor.

Finally, the Tails team published their June report, bringing updates about outreach, infrastructure, funding, and ongoing discussions relating to the anonymous live operating system.

Miscellaneous news

The participants in the recent onion service hackfest in Washington, DC published a summary of the exciting progress they made during the meeting.

Arturo Filastò announced that an OONI-related hackathon entitled “ADINA15: A Dive Into Network Anomalies” will be held on October 1-2 in the Chamber of Deputies at the Italian Parliament in Rome. “This means that you are all invited…to put your design and data analysis skills to the test!”

David Fifield published the regular summary of costs incurred by the infrastructure for meek.

Nathan Freitas explored possible routes to an Android-compatible version of Ricochet, the exciting new privacy-preserving instant messaging application based on Tor onion services.


This issue of Tor Weekly News has been assembled by BitingBird and Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Syndicate content