Archive - 2010
Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work again on the latest OS X, and updates the location of a directory authority.
Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time for sure!
The Windows and OS X bundles also come with a newer version of Polipo that fixes some stability and security problems.
People using Tor as a client should upgrade:
Changes in version 0.2.1.23 - 2010-02-13
Major bugfixes (performance): read more »
- We were selecting our guards uniformly at random, and then weighting which of our guards we'd use uniformly at random. This imbalance meant that Tor clients were severely limited on throughput (and probably latency too) by the first hop in their circuit. Now we select guards weighted by currently advertised bandwidth. We also automatically discard guards picked using the old algorithm. Fixes bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
We're always working on expanding the number of different devices and platforms where Tor runs. Today we've published an installation document that should help users of the Nokia N900 telephone to use the Tor network.
Tor is configured as a client by default. The Tor status applet will also run privoxy and configure the system wide preferences appropriately while Tor is enabled. Transparent proxying is not possible with the default N900 kernels at this time.
Please note that this is an experimental configuration. The web browser on the N900 does not have the protections that Torbutton provides.
For basic circumvention needs this configuration should be usable out of the box. At the moment, we're not seriously investigating Torbutton support for the N900 mobile web browser. If there is significant user demand for a mobile Torbutton this may change. read more »
As announced here, http://archives.seul.org/or/talk/Feb-2010/msg00033.html, we now produce rpms and debs of Tor and Vidalia for easier installation.
When using ubuntu, opensuse, fedora, centos/redhat, or debian, you can simply add our repositories to your package management application (yum, apt, apttitude, zypper, etc) and always have the latest -stable or -alpha tor and vidalia.
This is a direct result of hiring Erinn in December.
New releases, new hires, new funding
On January 19, 2010 we released the latest in the -stable series, Tor 0.2.1.22-stable.
Tor 0.2.1.22 fixes a critical privacy problem in bridge directory authorities -- it would tell you its whole history of bridge descriptors if you make the right directory request. This stable update also rotates two of the seven v3 directory authority keys and locations. read more »
New releases, new hires, new funding
Erinn Clark joins Tor to develop, enhance, and upgrade our package build system. Her initial goals are to configure, maintain, and automate builds of tor and vidalia for Windows, OS X, ubuntu, debian, centos, fedora, and opensuse systems. Secondary goals are to develop a builtbot system that includes as many disparate operating systems as possible, including Apple OS X and Microsoft
Windows flavors. read more »
Apple responded to my bug report about a broken openssl. I've since built test packages for OS X 10.5 and 10.6 users. Their response is:
Thank you for your report of this issue with Tor.
The issue you're seeing is because the current versions of the development tools were created before the OpenSSL security fix, and so do not include the "SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION" definition in the OpenSSL headers.
You can work around this issue by supplying the definition to Tor directly, for example by compiling Tor using
CPPFLAGS='-DSSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION=0x0010' ./configure && make
This will work on both Leopard and Snow Leopard.
If you have an Intel (i386) Mac, use the normal i386 packages for Tor 0.2.2.8-alpha release at https://www.torproject.org/download.
If you have a PowerPC (ppc) Mac AND are running OS X 10.5 or 10.6, use these packages: read more »
The EFF has recently released a browser fingerprinting test suite that they call Panopticlick. The idea is that in normal operation, your browser leaks a lot of information about its configuration which can be used to uniquely fingerprint you independent of your cookies.
Because of how EFF's testing tool functions, it has created some confusion and concern among Tor users, so I wanted to make a few comments to try to clear things up. read more »
Apple OS X Security Update 2010-001 removes OpenSSL renegotation, http://support.apple.com/kb/HT1222. We've filed a bug report with Apple on this issue. Their standard response so far is http://support.apple.com/kb/HT4004.
In the meanwhile, we have bug #1225 open, https://bugs.torproject.org/flyspray/index.php?do=details&id=1225. Add yourself to the Notifications if you want updates as they happen. A fine explanation of why Tor is not affected by the TLS renegotiation bug can be found at https://bugs.torproject.org/flyspray/index.php?do=details&id=1225&area=c...
Packages for testing are available at:
READ THIS FINE PRINT: read more »
- These will only work on OSX 10.5 and 10.6 (both i386 and powerpc). Tor fails to compile when using the 10.4 libraries and static openssl.
- Tor-0.2.2.8-alpha-i386-Bundle.dmg is compiled to replace the tor