Tor Browser 5.0a4 is released

The Tor Browser Team is proud to announce the second alpha release based on Firefox 38 ESR. This release is also the fourth and final alpha in the 5.0 series. The release is available for download in the 5.0a4 distribution directory and on the alpha download page.

Most notably, this release contains an experimental defense against font fingerprinting by using an identical set of shipped fonts on all supported platforms. We've also updated the versions of several Tor Browser components, including updating Tor to The 5.0-stable release will be based on Tor 0.2.6-latest, however.

Last but not least we fixed a lot of important bugs that were due to our switch to Firefox 38 ESR, including issues with major websites such as Twitter. This release brings us very close to a stable Tor Browser 5.0, which we aim to release next week. Unless we hear about additional issues, not much will change between 5.0a4 and 5.0-stable, aside from the Tor version and possibly the font defense.

Here is the complete changelog since 5.0a3

  • All Platforms
    • Update Tor to with patches
      • Bug 15482: Don't allow circuits to change while a site is in use
    • Update OpenSSL to 1.0.1p
    • Update HTTPS-Everywhere to 5.0.7
    • Update NoScript to
    • Update Torbutton to
      • Bug 16268: Show Tor Browser logo on About page
      • Bug 16639: Check for Updates menu item can cause update download failure
      • Bug 15781: Remove the sessionstore filter
      • Bug 15656: Sync privacy.resistFingerprinting with Torbutton pref
      • Translation updates
    • Bug 16884: Prefer IPv6 when supported by the current Tor exit
    • Bug 16488: Remove "Sign in to Sync" from the browser menu
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 16662: Enable network.http.spdy.* prefs in meek-http-helper
    • Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
    • Bug 15703: Isolate mediasource URIs and media streams to first party
    • Bug 16429+16416: Isolate blob URIs to first party
    • Bug 16632: Turn on the background updater and restart prompting
    • Bug 16528: Prevent IndexedDB Modernizr site breakage on Twitter and elsewhere
    • Bug 16523: Fix in-browser JavaScript debugger
    • Bug 16236: Windows updater: avoid writing to the registry
    • Bug 16005: Restrict WebGL minimal mode a bit (fixup)
    • Bug 16625: Fully disable network connection prediction
    • Bug 16495: Fix SVG crash when security level is set to "High"
  • Build System
    • Bug 15864: Rename sha256sums.txt to sha256sums-unsigned-build.txt

A technical summary of the Usenix fingerprinting paper

Albert Kwon, Mashael AlSabah, and others have a paper entitled Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services at the upcoming Usenix Security symposium in a few weeks. Articles describing the paper are making the rounds currently, so I'm posting a technical summary here, along with explanations of the next research questions that would be good to answer. (I originally wrote this summary for Dan Goodin for his article at Ars Technica.) Also for context, remember that this is another research paper in the great set of literature around anonymous communication systems—you can read many more at

"This is a well-written paper. I enjoyed reading it, and I'm glad the researchers are continuing to work in this space.

First, for background, run (don't walk) to Mike Perry's blog post explaining why website fingerprinting papers have historically overestimated the risks for users:
and then check out Marc Juarez et al's followup paper from last year's ACM CCS that backs up many of Mike's concerns:

To recap, this new paper describes three phases. In the first phase, they hope to get lucky and end up operating the entry guard for the Tor user they're trying to target. In the second phase, the target user loads some web page using Tor, and they use a classifier to guess whether the web page was in onion-space or not. Lastly, if the first classifier said "yes it was", they use a separate classifier to guess which onion site it was.

The first big question comes in phase three: is their website fingerprinting classifier actually accurate in practice? They consider a world of 1000 front pages, but and other onion-space crawlers have found millions of pages by looking beyond front pages. Their 2.9% false positive rate becomes enormous in the face of this many pages—and the result is that the vast majority of the classification guesses will be mistakes.

For example, if the user loads ten pages, and the classifier outputs a guess for each web page she loads, will it output a stream of "She went to Facebook!" "She went to Riseup!" "She went to Wildleaks!" while actually she was just reading posts in a Bitcoin forum the whole time? Maybe they can design a classifier that works well when faced with many more web pages, but the paper doesn't show one, and Marc Juarez's paper argues convincingly that it's hard to do.

The second big question is whether adding a few padding cells would fool their "is this a connection to an onion service" classifier. We haven't tried to hide that in the current Tor protocol, and the paper presents what looks like a great classifier. It's not surprising that their classifier basically stops working in the face of more padding though: classifiers are notoriously brittle when you change the situation on them. So the next research step is to find out if it's easy or hard to design a classifier that isn't fooled by padding.

I look forward to continued attention by the research community to work toward answers to these two questions. I think it would be especially fruitful to look also at true positive rates and false positives of both classifiers together, which might show more clearly (or not) that a small change in the first classifier has a big impact on foiling the second classifier. That is, if we can make it even a little bit more likely that the "is it an onion site" classifier guesses wrong, we could make the job of the website fingerprinting classifier much harder because it has to consider the billions of pages on the rest of the web too."

Tor Exit Nodes in Libraries - Pilot (phase one)

Hello Tor Community!

We first introduced you to the Library Freedom Project back in February after we won the Knight News Challenge on Libraries. Since then, we’ve been hard at work bringing privacy education to libraries across the United States, with stops in the UK and Ireland, virtual trainings in Canada and Australia, and more plans to visit international libraries in the works.

Today, we're excited to announce a new initiative, a collaboration between the Library Freedom Project and Tor Project: Tor exit relays in libraries. Nima Fatemi, the Tor Project member who's already helped Library Freedom Project in a number of ways, is our main partner on this project. This is an idea whose time has come; libraries are our most democratic public spaces, protecting our intellectual freedom, privacy, and unfettered access to information, and Tor Project creates software that allows all people to have these rights on the internet. We're excited to combine our efforts to help libraries protect internet freedom, strengthen the Tor network, and educate the public about how Tor can help protect their right to digital free expression.

Libraries have been committed to intellectual freedom and privacy for decades, outlining these commitments in the ALA Core Values of Librarianship, the Freedom to Read Statement, and the ALA Code of Ethics. They're also centers of education in their local communities, offering free classes on a variety of subjects, including computer instruction. Libraries serve a diverse audience; many of our community members are people who need Tor but don't know that it exists, and require instruction to understand and use it.

Some of these patrons are part of vulnerable groups, like domestic violence survivors, racial and ethnic minorities, student activists, or queer and trans communities. Others belong to local law enforcement or municipal government. All of them could benefit from learning about Tor in a trusted, welcoming environment like the library.

Bringing Tor exit relays into libraries would not only be a powerful symbolic gesture demonstrating our commitment to a free internet, but also a practical way to help the Tor network, and an excellent opportunity to help educate library patrons, staff, boards of trustees, and other stakeholders about the importance of Tor. For libraries that have already installed Tor Browser on library PCs, running a relay is the obvious next step toward supporting free expression in their communities and all over the world.

As public internet service providers, libraries are shielded from some of the legal concerns that an individual exit relay operator might face, such as trying to explain to law enforcement that the traffic leaving her exit is not her own. Furthermore, libraries are protected from DMCA takedowns by safe harbor provisions. Importantly, librarians know their rights and are ready to fight back when those rights are challenged.

In order to begin this new project, we needed a pilot, and we had just the library in mind – Kilton Library in Lebanon, New Hampshire, one of two Lebanon Libraries. Chuck McAndrew is the IT librarian there, and he's done amazing things to the computers on his network, like running them all on GNU/Linux distributions. Why is this significant? Most library environments run Microsoft Windows, and we know that Microsoft participated in the NSA's PRISM surveillance program. By choosing GNU/Linux and installing some privacy-protecting browser extensions too, Chuck's helping his staff and patrons opt-out of pervasive government and corporate surveillance. Pretty awesome.

Kilton Library is not only exemplary because of its GNU/Linux computer environment; it's also beautiful and brand-new, LEED Gold-certified, with an inviting and sunny open floor plan and an outdoor community garden. It's an example of the amazing potential inherent in libraries. We drove up to New Hampshire last week to start phase one.

We decided to set our pilot up as a middle relay to start – we want to ensure that it is stable and doesn't interfere in any way with the library's other network traffic. We nicknamed the new relay LebLibraries, and you can check out how our relay is doing here, on Globe.

After the LebLibraries relay is up for a few months, we'll return for phase two of the project and convert it into an exit node. Our goal is to make exit relay configuration a part of the Library Freedom Project's privacy trainings for librarians; we'll meet with library directors and boards of trustees to talk about how Tor fits into the mission of libraries as beacons of intellectual freedom, and how libraries are perfectly positioned not only to help our patrons use Tor Browser, but are the ideal location to run Tor exit relays to help give back to the Tor community.

We need more libraries to join us in this initiative. Want your local library to be our next exit relay site? Know an awesome librarian who wants to help protect free expression locally and globally? Please have them contact us with the answers to this questionnaire. We're also looking for libraries to host FOSS seedboxes. And as always, we want libraries to install and run the Tor Browser on library computers.

Want to support this project and more like it? You can make a donation to the Library Freedom Project, or donate directly to Tor Project. And stay tuned for phase two of our pilot with Kilton Library.

Alison Macrina and Nima Fatemi

A version of this post also appeared on The Library Freedom Project’s blog

Note: This post was drafted by Alison. (Thank you!)

Tor is released

This, the second alpha in the Tor 0.2.7 series, has a number of new features, including a way to manually pick the number of introduction points for hidden services, and the much stronger Ed25519 signing key algorithm for regular Tor relays (including support for encrypted offline identity keys in the new algorithm).

Support for Ed25519 on relays is currently limited to signing router descriptors; later alphas in this series will extend Ed25519 key support to more parts of the Tor protocol.

If you typically build Tor from source, you can download the source code from the usual place on the website.
Packages should be up in a few days.

Changes in version - 2015-07-27
  • Major features (Ed25519 identity keys, Proposal 220):
    • All relays now maintain a stronger identity key, using the Ed25519 elliptic curve signature format. This master key is designed so that it can be kept offline. Relays also generate an online signing key, and a set of other Ed25519 keys and certificates. These are all automatically regenerated and rotated as needed. Implements part of ticket 12498.
    • Directory authorities now vote on Ed25519 identity keys along with RSA1024 keys. Implements part of ticket 12498.
    • Directory authorities track which Ed25519 identity keys have been used with which RSA1024 identity keys, and do not allow them to vary freely. Implements part of ticket 12498.
    • Microdescriptors now include Ed25519 identity keys. Implements part of ticket 12498.
    • Add support for offline encrypted Ed25519 master keys. To use this feature on your tor relay, run "tor --keygen" to make a new master key (or to make a new signing key if you already have a master key). Closes ticket 13642.
  • Major features (Hidden services):
    • Add the torrc option HiddenServiceNumIntroductionPoints, to specify a fixed number of introduction points. Its maximum value is 10 and default is 3. Using this option can increase a hidden service's reliability under load, at the cost of making it more visible that the hidden service is facing extra load. Closes ticket 4862.
    • Remove the adaptive algorithm for choosing the number of introduction points, which used to change the number of introduction points (poorly) depending on the number of connections the HS sees. Closes ticket 4862.

  read more »

Tor Weekly News — July 22nd, 2015

Welcome to the twenty-ninth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

More TSoP status reports

The students in this year’s Tor Summer of Privacy continued work on their respective projects, as their status reports show.

Jesse Victors made significant progress on his DNS-like Onion Naming System (OnioNS) project at the recent onion service development meeting in Washington, DC. Many bugs were fixed and the software is now in a demonstration-ready state. The issue of implementing a global source of randomness, which is important for the next generation of onion services as well as for OnionNS, was also worked on. “The server-to-server communication needs a few bug fixes, but most of that code is in place. As soon as that is complete, I should be about ready for a beta test.”

Israel Leiva sent the first report on his GetTor enhancement project. GetTor now distributes links to copies of Tor Browser hosted on Github as well as Dropbox, and the text of the autoresponder was expanded with more information. Upcoming additions include a Google Drive script, distribution of mirror links, and the promotion of Github to the default download source.

Cristobal Leiva also sent his first report, for the relay web status dashboard project. A prototype UI has been created and development milestones have been prioritized: “Over the next two weeks I’ll be coding the graph and log components”.

Finally, Donncha O’Cearbhaill’s OnionBalance load-balancing system has been enhanced with unit tests, and has received some real-world testing courtesy of s7r .

Exciting progress all round!

Miscellaneous news

The Guardian Project announced new releases of Chatsecure and Orbot. Chatsecure v14.2.0 is “all about squashing bugs, reducing memory and improving network stability”, while Orbot 15.0.3-RC-3 features “overall improvements to system and server stability, improvements to Apps VPN mode support…improved launch and hidden service API for third-party app interaction”, and updates to Tor and OpenSSL.

Anthony G. Basile announced a new release of tor-ramdisk, the micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Version 20150714 includes updates to the distribution’s core software.

Nick Mathewson published proposal 248 , which offers a migration path for “finally removing our old Ed25519 keys”.

Following the recent outage of meek-azure, David Fifield published a workaround for those who want to use this backend.

The Tails team is planning a sprint in November, possibly face-to-face, focusing on porting Tails to the current stable release of Debian, Jessie. “If you want to join the fun, let me know. If you’re interested in having a face-to-face sprint to work on this in November, let me know. If these dates don’t work for you, let me know”, wrote intrigeri.

The Intercept’s Micah Lee published a detailed beginner’s guide to secure online chat, including how to configure your chat client to use Tor.

For those who wish the modern world looked more like “Johnny Mnemonic” than “CITIZENFOUR”: you can hear Keanu Reeves narrating an unexpectedly soothing animation about the “Deep Web” and Tor onion services as part of Alex Winter’s upcoming documentary film on the subject.

This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Help Tor Find a New Executive Director

The Tor Project is continuing its world-wide search for our new Executive Director. We need your help to find this person, whether they work for a nonprofit organization, for a tech company, at a university, for an open software project, or somewhere else entirely. We are open to candidates from lots of different backgrounds.

Here's a link to our original blog post with many more details, including how to submit candidates: Tor Project Launches Worldwide Search for a New Executive Director

An excerpt:

"The Tor Project, one of the world’s strongest advocates for privacy and anonymous, open communications is currently seeking an experienced Executive Director to lead the organization. The new Executive Director will spearhead key initiatives to make the organization even more robust in its work to advance human rights and freedoms by creating and deploying anonymity and privacy technologies, advancing their scientific and popular understanding, and encouraging their use."

Please take a moment to consider whether you know a candidate, likely or unlikely, who might be a great fit for this position.


Tor Weekly News — July 15th, 2015

Welcome to the twenty-eighth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Caspar Bowden

Caspar Bowden, a leading advocate for many years in the field of civil liberties, and a member of the Tor Project, Inc.’s board of directors, has died after a short illness. As the Tor Project wrote in a statement, Caspar “was a passionate supporter of universal human rights, including the right to privacy”: “The world has lost a voice of tremendous moral courage.”

A Caspar Bowden Legacy Fund has been established “to promote advocacy for privacy as a universal human right and privacy enhancing technologies as one means to protect it”, in accordance with Caspar’s request “that we work to ensure equal protection regardless of nationality”. If you would like to make a contribution to this fund in Caspar’s memory, please see the web page for further details.

The Tor Project launches its search for a new Executive Director

Following the departure of long-time Executive Director Andrew Lewman earlier this year, the Tor Project, Inc. has opened a world-wide search for its new Executive Director. As Wendy Seltzer, a member of the board of directors, writes: “We have engaged The Wentworth Company to help us with the search process, and invite the broader Tor community and friends to share the job posting among your networks. If you are or know a great leader with a passion for anonymous communication and free software, please contact Judy Tabak at Wentworth (judytabak at, other contact details in the posting) for more information or to be considered for the job.”

Tor is out

Nick Mathewson put out a new release in the current Tor stable series. Version contains a fix for a regression introduced in that made it difficult for clients to access onion services under certain circumstances — for example, if a hidden service restarts after a client connects, the same client would have been unable to connect again until the next hour. This version also “bulletproofs the cryptography init process, and fixes a bug when using the sandbox code with some older versions of Linux”.

“Everyone running an older version, especially an older version of 0.2.6, should upgrade”, writes Nick. Source code is downloadable from the distribution directory; packages will become available as their packagers package them.

New onion service-related proposals

A gathering of experts in Tor onion service research and development resulted (among other things) in two new Tor proposals for improving the anonymity and efficiency of services hosted inside the Tor network.

John Brooks and George Kadianakis expanded John’s earlier suggestion that the roles of “hidden service directory” and “introduction point” could be merged in the next generation of onion services, into what is now proposal 246. This innovation would simplify the relevant code, reduce load on the network, and limit the number of relays that can observe the service’s activity or serve as a fingerprint for an observer.

George also wrote up draft proposal 247, which tries to prevent “guard discovery attacks” (where an adversary is able to work out which Tor relay is being contacted directly by the target client, thereby allowing them to attack that relay itself and deanonymize the client) by making the attack significantly more costly to perform, using “vanguards”. By enabling a Tor configuration option, the service operator could pin the second and third hops (the “vanguards” in question) of their circuits for a longer period. A would-be attacker is then forced to carry out “a Sybil attack and two coercion attacks” before succeeding, as opposed to the current situation “where the Sybil attack is trivial to pull off, and only a single coercion attack is required”. “I consider this issue very important and any feedback is greatly appreciated”, wrote George.

This is privacy development at the most advanced level, and the waters are very much uncharted: there may be major design flaws, improvements, and counter-arguments lurking up ahead. If this is an area in which you feel you have a contribution to make, by all means take a look at the proposals, and then pitch in on the tor-dev mailing list!

ExoneraTor gets an update

The ExoneraTor service lets you use historical Tor network data to quickly determine whether or not a particular IP address was being used by a public Tor relay on a given date. This is useful if, for example, you’re the administrator of a web service that received malicious traffic on that date, and you want to find out if the IP address will be useful to your investigation of the problem.

After much discussion and feedback on the tor-relays list, Karsten Loesing and Julius Mittenzwei have updated ExoneraTor to offer a simpler, more intuitive service without unnecessary details that might confuse a non-specialist. Searches are now restricted to full days, rather than precise timestamps, to avoid most issues relating to timezone differences (ExoneraTor’s results are given in UTC, and searchers might forget to make adjustments for their local timezone); the form allowing searchers to check whether a relay permitted exit traffic to a target address and port has been replaced by an “Exit” column indicating whether or not any exit traffic was allowed by that relay, again for the sake of simplicity; and the overall look of the service has been streamlined, with clearer, non-technical explanations of Tor and Exonerator, and a translation into German (with more languages planned).

“Please give it a try, including the tricky edge cases where you expect it to break”, wrote Karsten. “And if you have any further feedback,” please send it to the tor-relays mailing list.

The Vegas plan continues to roll out

The “Vegas plan” — a reorganization of Tor’s active contributors into a more focused team-based structure, named after the fair city in which it was developed — continues to roll out, with the Measurement, Community, Networks, and Applications teams holding their first or second IRC meetings this week. Isabela Bagueros, Tor’s project manager, writes: “Keep an eye out for teams’ updates, and for things that can be done better; feedback will be key for making this successful, and that is why we will have a check-in during our next dev meeting. So follow up, participate, bring feedback!”

If you aren’t already working with one of the new teams, and feel you should be, please check in on IRC or the mailing lists, and someone will help direct you to the right place.

Miscellaneous news

The upcoming IETF Meeting in Prague will have a DNS Operations meeting on 20th July that will discuss both the draft proposal to reserve .onion as a special-use domain suffix (about which Tor Weekly News has written before), and other proposals for related projects like I2P and Gnunet. If you're going to Prague, consider attending this meeting and humming in support of reserving .onion and these other domains!

After a hiatus in activity on the tor-mirrors list, Sebastian Hahn updated the file used to build the directory of mirrors on the Tor Project website with changes made in the last few months. “If you notice any unexpected entries or think you should be on the list but aren’t, I’ll check what the problem is.”

This issue of Tor Weekly News has been assembled by Karsten Loesing, Tom Ritter, Wendy Seltzer, Isabela Bagueros, nicoo, and Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor is released

Hi, all! There's a new stable Tor release out, and source code is now available on the website. If you build Tor from source code, you'll want to upgrade. Otherwise, packages should be available reasonably soon.

Remember to check signatures! (See the FAQ for information how)

Tor version fixes some significant stability and hidden service client bugs, bulletproofs the cryptography init process, and fixes a bug when using the sandbox code with some older versions of Linux. Everyone running an older version, especially an older version of 0.2.6, should upgrade.

Changes in version - 2015-07-12

  • Major bugfixes (hidden service clients, stability):
    • Stop refusing to store updated hidden service descriptors on a client. This reverts commit 9407040c59218 (which indeed fixed bug 14219, but introduced a major hidden service reachability regression detailed in bug 16381). This is a temporary fix since we can live with the minor issue in bug 14219 (it just results in some load on the network) but the regression of 16381 is too much of a setback. First-round fix for bug 16381; bugfix on
  • Major bugfixes (stability):
    • Stop crashing with an assertion failure when parsing certain kinds of malformed or truncated microdescriptors. Fixes bug 16400; bugfix on Found by "torkeln"; fix based on a patch by "cypherpunks_backup".
    • Stop random client-side assertion failures that could occur when connecting to a busy hidden service, or connecting to a hidden service while a NEWNYM is in progress. Fixes bug 16013; bugfix on

  read more »

Syndicate content