Archive

Tor 0.2.6.8 is released

Hi, I've just put out a new stable Tor release. It is not a high-urgency item for most clients and relays, but directory authorities should upgrade. Right now, the source is available on the website, and packages should become available once their maintainers build them.

Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and fixes an authority-side bug in assigning the HSDir flag. All directory authorities should upgrade.

Changes in version 0.2.6.8 - 2015-05-21
  • Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
    • Revert commit that made directory authorities assign the HSDir flag to relays without a DirPort; this was bad because such relays can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix on tor-0.2.6.3-alpha.
  • Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
    • Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on a client authorized hidden service. Fixes bug 15823; bugfix on 0.2.1.6-alpha.
  • Minor features (geoip):
    • Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
    • Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database.

Study: What is the value of anonymous communication?

Drexel University researchers in Philadelphia, Pennsylvania are recruiting Tor users for an interview study to see how they use Tor while creating things online—how they write blog posts, edit Wikipedia articles, contribute to open source projects on GitHub, post on discussion forums, comment on news articles, Tweet, write reviews, and many other things.

The researchers want to investigate the ways in which various limits, like CAPTCHAs, or even blocking access to sites entirely, inhibit or don’t inhibit Tor users’ ability to create things online. They hope to identify times when people are forced to modify their behavior to achieve the privacy they want. They want to measure the value of anonymous participation and then begin to talk to service providers and others to optimize the participation of Tor users.

“By understanding the contributions that Tor users make, we can help make a case for the value of anonymity online,” said Associate Professor Rachel Greenstadt, an investigator on the study.

The researchers are also interested in hearing from Tor users about other impediments to their anonymous participation that they have encountered while online.

“It’s critical for online projects to support contributions from anyone eager to participate,” said Assistant Professor Andrea Forte, principal investigator.

For more information about joining the study, see: The Tor Study (http://andreaforte.net/tor.html)

Tor Weekly News — May 14th, 2015

Welcome to the nineteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor 0.2.7.1-alpha is out

Nick Mathewson announced the first alpha release in the Tor 0.2.7.x series. The most notable new feature in this release is the ability to create, delete, control, and get information about onion services and their descriptors via a Tor controller. It also fixes a bug that assigned the HSDir flag to relays that would not function properly as directories, affecting the availability of some onion services over the past few weeks.

The source code is available as usual from the distribution directory; as with any alpha release, “please expect bugs”.

Tails 1.4 is out

The Tails team announced version 1.4 of the anonymous live operating system. Most notable in this release is the inclusion of Tor Browser 4.5, meaning Tails users can now take advantage of the security slider, enhanced anti-tracking protection, and other exciting new features in the latest stable Tor Browser series.

Another user-facing enhancement is the addition of Paperkey, a program that lets you back up the secret part of your GPG key on the one storage medium that never goes out of fashion.

For a full list of changes, see the team’s announcement. This release contains important security updates, so head to the download page (or the incremental updater) as soon as possible.

Tor Cloud is retired

The Tor Cloud project, which offered prospective Tor relay operators an easy way of setting up a bridge relay on Amazon’s EC2 cloud computing platform, has been discontinued, as Karsten Loesing explained on the Tor blog.

“The main reason for discontinuing Tor Cloud is the fact that software requires maintenance, and Tor Cloud is no exception”, wrote Karsten. Several serious bugs have rendered Tor Cloud unusable, and no solution could be found for its continued maintenance, so the service will no longer be offered for new relays.

This doesn’t mean, however, that existing Tor Cloud relays will be shut down as well — those will continue to run as long as their operators want them to. Similarly, everyday Tor Browser users do not need to worry about this announcement: it will have no effect on the working of software that uses the Tor network.

If you want to help grow the Tor network and strengthen the protection it offers to Internet users around the world, but don’t have the resources to set up a relay from scratch, please consider donating to a Tor relay organization like Torservers.net, Nos Oignons, or another of their partners. These experienced Tor relay operators will run the services on your behalf, ensuring they stay secure, efficient, and up-to-date. Please see the organizations’ donation pages for more details!

Relay operators: please enable IPv6!

“We still have a depressingly low number of relays that support IPv6 (currently only ~120 of ~1900 relays)”, wrote Moritz Bartl in a post to the tor-relays mailing list. If your host supports the new protocol, enabling it on your Tor relay is as simple as a change to your torrc file: please see Moritz’ post for the full details.

More monthly status reports for April 2015

The wave of regular monthly reports from Tor project members for the month of April continued, with reports from Karsten Loesing (coordinating translations and reports for SponsorO, researching onion service statistics, and developing Onionoo), Noel Torres (responding to Tor help desk requests), Sukhbir Singh (developing Tor Messenger), Isabela Bagueros (overall project management), and Arlo Breault (also working on Tor Messenger).

David Goulet sent out the report for the SponsorR team, who are researching Tor onion services and working on improvements to their security and stability.

Miscellaneous news

meejah announced version 0.13.0 of txtorcon, the Twisted-based asynchronous Tor controller. This version brings with it speed improvements, as well as support for “basic” and “stealth” onion service authentication; see meejah’s announcement for full details.

The Tails team published their monthly report for April 2015. Take a look for news of recent development work, summaries of ongoing discussions, upcoming events, and more.

Lunar gave an interview (in French) to lundimatin on the subject of the French government’s “Bill on Intelligence” and what it means for the Tor network.

Jacob Appelbaum took part in a panel discussion at re:publica 15 entitled “A Deeper Frontier of Freedom: The State of the Deepweb”.


This issue of Tor Weekly News has been assembled by Harmony, the Tails team, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Stem Release 1.4


Greetings wonderful carbon-based residents of the Internet. I'm pleased to announce the 1.4.0 release of Stem!

What is Stem, you ask? For those who aren't familiar with it, Stem is a Python library for interacting with Tor. With it you can script against your relay, descriptor data, or even write applications similar to Nyx and Vidalia.

https://stem.torproject.org/

So what's new in this release?


Ephemeral Hidden Services and Descriptors

Tor's 0.2.7.1 release is bringing with it new hidden service capabilities, most notably ADD_ONION and HSFETCH. Ephemeral hidden services let you easily operate a hidden service that never touches disk.

This latest Tor release also brought with it the ability to retrieve a hidden service's descriptor information. Stem knows how to parse, validate, and decrypt these documents.


Faster Descriptor Parsing

When reading descriptors without validation (which is the new default), documents are now lazily parsed. This provides a very substantial speedup depending on the document's type...

  • Server descriptors: 27% faster
  • Extrainfo descriptors: 71% faster
  • Microdescriptors: 43% faster
  • Consensus: 37% faster

Prefer to keep validation? No problem! Just include 'validate = True' and you'll be good to go.


As always this is just the tip of the iceberg. For a full rundown on the myriad of improvements and fixes in this release see...

https://stem.torproject.org/change_log.html#version-1-4

Tor Browser 5.0a1 is released

The first alpha release in the new 5.0 series of the Tor Browser is now available from our extended downloads page as well as the distribution directory.

Tor Browser 5.0a1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.

In addition to including all of the fixes that were present in the 4.5.1 release, this alpha release also features some additional privacy defenses.

In particular, this release re-enables the automatic window resizing fingerprinting defense that first appeared in 4.5a4. This defense can be disabled by setting the about:config pref extensions.torbutton.resize_windows to false, but please first report any issues you encounter on the feature's trac ticket.

This release also introduces a new defense against various forms of performance fingerprinting and time-based side channel attacks. A handful of new attacks have been published recently that take advantage of Javascript's high-performance timers to determine hardware performance, perform keystroke fingerprinting, extract history information, and even steal sensitive data from memory. Because this defense reduces the resolution of time available to Javascript to 100 milliseconds for all time sources, and to 250 milliseconds for keypress event timestamps, we are especially interested in hearing any reports about issues with HTML5 video, animation, or game sites. Hopefully you will have as much fun testing this defense as we will!

Here is the complete list of changes since Tor Browser 4.5:

  • All Platforms
    • Update Firefox to 31.7.0esr
    • Update meek to 0.18
    • Update Tor Launcher to 0.2.7.5
      • Translation updates only
    • Update Torbutton to 1.9.2.5
      • Bug 15837: Show descriptions if unchecking custom mode
      • Bug 15927: Force update of the NoScript UI when changing security level
      • Bug 15915: Hide circuit display if it is disabled.
      • Bug 14429: Improved automatic window resizing
      • Translation updates
    • Bug 15945: Disable NoScript's ClearClick protection for now
    • Bug 15933: Isolate by base (top-level) domain name instead of FQDN
    • Bug 15857: Fix file descriptor leak in updater that caused update failures
    • Bug 15899: Fix errors with downloading and displaying PDFs
    • Bug 15773: Enable ICU on OS X
    • Bug 1517: Reduce precision of time for Javascript
    • Bug 13670: Ensure OCSP requests respect URL bar domain isolation
    • Bug 13875: Improve the spoofing of window.devicePixelRatio
  • Windows
    • Bug 15872: Fix meek pluggable transport startup issue with Windows 7
  • Build System
    • Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
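
The effect of the reduced timer precision described in this post can be reproduced with a few lines of JavaScript. This is an added example, not code from Tor Browser; the function names are hypothetical, and rounding down to the tick is an assumption (the post states only the 100 ms and 250 ms resolutions).

```javascript
// Added illustration of coarse timers; not Tor Browser's implementation.
const GENERAL_RESOLUTION_MS = 100;  // from the post: all time sources
const KEYPRESS_RESOLUTION_MS = 250; // from the post: keypress event timestamps

// Round a timestamp down to a multiple of the resolution.
// Assumption: flooring; the post does not say how the value is rounded.
function clampTime(ms, resolutionMs) {
  return Math.floor(ms / resolutionMs) * resolutionMs;
}

// Duration a script computes from two reads of the clamped clock.
function observedDuration(startMs, durationMs, resolutionMs) {
  return (
    clampTime(startMs + durationMs, resolutionMs) -
    clampTime(startMs, resolutionMs)
  );
}

// Fraction of start phases (1 ms steps inside one tick) at which two
// operations with different true durations give different readings.
// 1.0 means a single measurement always tells them apart.
function distinguishableFraction(durA, durB, resolutionMs) {
  let differ = 0;
  for (let phase = 0; phase < resolutionMs; phase++) {
    const a = observedDuration(phase, durA, resolutionMs);
    const b = observedDuration(phase, durB, resolutionMs);
    if (a !== b) differ++;
  }
  return differ / resolutionMs;
}

// Inter-key intervals as seen through clamped keypress timestamps.
function observedKeyIntervals(keyTimesMs, resolutionMs) {
  const clamped = keyTimesMs.map((t) => clampTime(t, resolutionMs));
  return clamped.slice(1).map((t, i) => t - clamped[i]);
}

// Constructed sample: a 3 ms and a 12 ms operation, and four keypresses
// whose true gaps are 130, 85 and 205 ms.
const sampleKeyTimes = [1000, 1130, 1215, 1420];
console.log("1 ms clock:", distinguishableFraction(3, 12, 1));
console.log("100 ms clock:",
  distinguishableFraction(3, 12, GENERAL_RESOLUTION_MS));
console.log("key gaps seen:",
  observedKeyIntervals(sampleKeyTimes, KEYPRESS_RESOLUTION_MS));
```

With a 1 ms clock the two operations are always distinguishable from one reading; at 100 ms they differ only when the measurement happens to straddle a tick, which is also why short animation or video frame intervals read as zero on affected sites.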

Tor Browser 4.5.1 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.5.1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.

The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.

We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.

With this release, 4.0 users will now be updated automatically to the 4.5 series.

Note to MacOS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32 bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.

Here is the list of changes since 4.5:

  • All Platforms
    • Update Firefox to 31.7.0esr
    • Update meek to 0.18
    • Update Tor Launcher to 0.2.7.5
      • Translation updates only
    • Update Torbutton to 1.9.2.3
      • Bug 15837: Show descriptions if unchecking custom mode
      • Bug 15927: Force update of the NoScript UI when changing security level
      • Bug 15915: Hide circuit display if it is disabled.
      • Translation updates
    • Bug 15945: Disable NoScript's ClearClick protection for now
    • Bug 15933: Isolate by base (top-level) domain name instead of FQDN
    • Bug 15857: Fix file descriptor leak in updater that caused update failures
    • Bug 15899: Fix errors with downloading and displaying PDFs
  • Windows
    • Bug 15872: Fix meek pluggable transport startup issue with Windows 7
  • Build System
    • Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
    • Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
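
The change from FQDN to base-domain isolation described in this post can be sketched as follows. This is an added example, not Tor Browser code: the function names are hypothetical, and `SAMPLE_SUFFIXES` is a constructed three-entry stand-in for the Public Suffix List that a real browser consults.

```javascript
// Added illustration of isolation keys; not Tor Browser's implementation.
// Constructed, deliberately tiny stand-in for the Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Base domain = the public suffix plus one label to its left.
// Returns null when the host is itself a bare public suffix.
function baseDomain(hostname, suffixes = SAMPLE_SUFFIXES) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the longest candidate to the shortest so that
  // "co.uk" is matched before any shorter suffix could be.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix (or an IP literal): fall back to the full name.
  return labels.join(".");
}

// Key under which circuits and identifiers are grouped for the site
// shown in the URL bar. mode is "fqdn" (old rule) or "base" (new rule).
function isolationKey(urlBarUrl, mode) {
  const host = new URL(urlBarUrl).hostname;
  if (mode === "fqdn") return host;
  return baseDomain(host) ?? host;
}

// Number of separate isolation groups a set of URL-bar sites falls into.
function countIsolationGroups(urls, mode) {
  return new Set(urls.map((u) => isolationKey(u, mode))).size;
}

// Constructed sample: a site, its file-hosting subdomain, and two others.
const sampleUrls = [
  "https://www.example.com/",
  "https://dl3.files.example.com/archive.zip",
  "https://example.org/",
  "https://shop.example.co.uk/",
];
console.log("FQDN isolation groups:", countIsolationGroups(sampleUrls, "fqdn"));
console.log("base-domain groups:", countIsolationGroups(sampleUrls, "base"));
```

The multi-label suffix case is the one to check when reviewing such logic: keying on the last two labels alone would place every `co.uk` site in a single group.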

New Project Manager and Director of Communications for Tor

Tor has hired two new people—a Project Manager and a Director of Communications—to help the group stay on track, build its user base, and explain its work to the world.

Isabela Bagueros is the new project manager at Tor. She is joining Tor to coordinate its development teams and help them define their roadmaps, keep track of priorities, and ensure that Tor is always thinking “user first” while building things.

Isabela is from Brazil, where in the late 1990s she started to play with free software; in the early 2000s, she joined the information democratization movement that was growing quickly with the increase of Internet access around the world.

Isabela has volunteered with Indymedia, SFCCP (San Francisco Community Colocation Project), and other free software/hacker collectives around the world. She worked for Brazil’s Federal Government at the Ministry of Communications digital inclusion program, and later coordinated the project to migrate Presidential Palace IT infrastructure to free software. Before joining Tor, she was a Product Manager at Twitter, where she worked for over four years on the Internationalization and Growth teams, respectively.

Bagueros says that she has been a Tor user “since I can't remember” and she strongly believes in the right to privacy and keeping the Internet free, as in “Liberdade.”

Said Tor Project interim Executive Director Roger Dingledine, “Isabela’s background in the free software community has let her get up to speed on our work really quickly, as well as adapt to our communications and development styles.”

“We have many different projects going on at once, and we rely on Isabela to help prioritize and schedule them so we can keep our funders and other communities involved and informed about our progress. Not only do we value her organizational prowess, but she also has a background in helping to make technology more usable by ordinary people, so we're excited to have her play a larger role in getting Tor to a wider audience,” said Dingledine.

Kate Krauss is Tor’s first Director of Communications, where she is sharing news about Tor’s unique technical projects with the outside world.

Kate will also be reaching out to groups of human rights activists to teach them about Tor, and is studying efforts to restrict privacy in countries across the globe. She also hopes to launch Tor Journalist Camp, where journalists who cover Tor can learn about the technical workings of the Tor Network, Tor hidden services, and Tor’s many other projects—and the ideas about privacy that underpin them.

Kate was an early member of the activist group ACT UP, where she led a California statewide coalition that doubled funding for an AIDS medication fund and spurred the reorganization of the state’s HIV funding priorities. One of the first US activists to embrace international AIDS advocacy, she was a key US strategist behind the campaign to get AIDS drugs into African countries in the late 1990s.

As director of the small advocacy group the AIDS Policy Project, Kate organized successful campaigns that freed a number of human rights defenders in China. Her work also helped secure some $90 million in aid for China's HIV/AIDS programs from the Global Fund to Fight AIDS, TB, and Malaria. Later, at Physicians for Human Rights, her media work supported the successful campaign to reauthorize the $48 billion President’s Emergency Plan for AIDS Relief.

Kate began her anti-censorship career in an anonymous art collective covered in ARTFORUM, ARTNews, and Newsweek, as Girl #1. She became interested in information security issues while helping Chinese human rights defenders who were being surveilled.

She has placed front-page articles in the New York Times, the Washington Post, the Wall Street Journal, and other major outlets and has written opinion pieces for the Washington Post, the International Herald Tribune, and other newspapers.

Said Dingledine, “There are so many journalists out there who are excited about Tor but don't know where to start. Having Kate helps us keep them informed and coordinated. As Tor continues to go mainstream, her communication skills are critical to helping us get there. Tor’s wide diversity of users—from civic-minded individuals and ordinary consumers to activists, journalists, and companies—is part of its security. Kate is critical to helping us reach all of these audiences at once.”

Tails 1.4 is out

Tails, The Amnesic Incognito Live System, version 1.4, is out.

This release fixes numerous security issues and all users must upgrade as soon as possible.

New features

  • Tor Browser 4.5 now has a security slider that you can use to disable browser features, such as JavaScript, as a trade-off between security and usability. The security slider is set to low by default to provide the same level of security as previous versions and the most usable experience.

    We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits.

  • Tails OpenPGP Applet now has a shortcut to the gedit text editor, thanks to Ivan Bliminse.

  • Paperkey lets you print a backup of your OpenPGP secret keys on paper.

Upgrades and changes

  • Tor Browser 4.5 protects better against third-party tracking. Often when visiting a website, many connections are created to transfer both the content of the main website (its page, images, and so on) and third-party content from other websites (advertisements, Like buttons, and so on). In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits. And these circuits are not reused when visiting a different website. This prevents third-party websites from correlating your visits to different websites.

  • Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website. This prevents the website from suddenly changing language, behavior, or logging you out.

  • Disconnect is the new default search engine. Disconnect provides Google search results to Tor users without captchas or bans.

  • Better support for Vietnamese in LibreOffice through the installation of fonts-linuxlibertine.

  • Disable security warnings when connecting to POP3 and IMAP ports that are mostly used for StartTLS nowadays.

  • Support for more printers through the installation of printer-driver-gutenprint.

  • Upgrade Tor to 0.2.6.7.

  • Upgrade I2P to 0.9.19 that has several fixes and improvements for floodfill performance.

  • Remove the obsolete #i2p-help IRC channel from Pidgin.

  • Remove the command line email client mutt and msmtp.

There are numerous other changes that might not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Fixed problems

  • Make the browser theme of the Windows 8 camouflage compatible with the Unsafe Browser and the I2P Browser.

  • Remove the Tor Network Settings... from the Torbutton menu.

  • Better support for Chromebook C720-2800 through the upgrade of syslinux.

  • Fix the localization of Tails Upgrader.

  • Fix the OpenPGP key servers configured in Seahorse.

  • Prevent Tor Browser from crashing when Orca is enabled.

Known issues

  • Claws Mail stores plaintext copies of all emails on the remote IMAP server, including those that are meant to be encrypted. If you send OpenPGP encrypted emails using Claws Mail and IMAP, make sure to apply one of the workarounds documented in our security announcement.

  • See the current list of known issues.

Download or upgrade

Go to the download page.

What's coming up?

The next Tails release is scheduled for June 30.

Have a look at our roadmap to see where we are heading.

Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!
