Tor Summer of Privacy--Apply Now!

The Tor Project is launching our first Tor Summer of Privacy! This is a pilot program for students who want to collaborate to develop privacy tools. We participated in Google's groundbreaking Summer of Code from 2007-2014, but we weren't renewed this year (Google is rightly offering new groups this opportunity) so we've decided to start our own program. Many thanks to Tor's individual donors who decided to sponsor the Summer of Privacy. Students only have 10 days to apply--so spread the word!

We feel that working on Tor is rewarding because:

• You will work with a world-class team of developers on an anonymity network that is already protecting millions of people daily--or work on your own, new project.

• We only write free (open source) software. The tools you make won't be locked down or rot on a shelf.

• The work you do could contribute to academic publications — Tor development raises many open questions and interesting problems in the field of anonymity systems.

• You can work your own hours wherever you like.

• We are friendly and collaborative.

We are looking for people with great code samples who are self-motivated and able to work independently. We have a thriving and diverse community of interested developers on the IRC channel and mailing lists, and we're eager to work with you, brainstorm about design, and so on, but you need to be able to manage your own time, and you need to already be somewhat familiar with how free software development on the Internet works.

We invite and welcome applications from many different kinds of students who come from many different backgrounds. Don't be shy--apply!

Tor will provide a total stipend of USD $5,500 per accepted student developer.

DEADLINE FOR APPLICATION: We are accepting applications now through April 17th, 2015. Apply soon!

We're always happy to have new contributors, so if you are still planning your summer, please consider spending some time working with us to make Tor better!

Tor Weekly News — April 1st, 2015

Welcome to the thirteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 4.0.6 and 4.5a5 are out

Mike Perry announced two new releases by the Tor Browser team. Tor Browser 4.0.6 contains updates to Firefox, meek, and OpenSSL; it is also the last release planned to run on 32-bit Apple hardware. If you have a 64-bit Mac and are running Mac OS X 10.8, you can expect to be automatically upgraded to Tor Browser 4.5, optimized for your hardware, later this month. If you are running OS X 10.6 or 10.7, however, you will need to update manually once that version of Tor Browser is released, as described in the end-of-life announcement last year.

Tor Browser 4.5a5, meanwhile, includes several exciting security and usability updates. Tor Browser’s windows, when resized, will now “snap” to one of a limited range of sizes, to prevent an adversary from fingerprinting a user based on their unique browser size; the Security Slider now offers information about the features that are disabled at each security level; and Tor circuits remain in use for a longer period, avoiding the errors that can result when websites detect a change in your connection. You can read about all these features and more in Mike’s announcement.

These new releases contain important security updates, and all users should upgrade as soon as possible. As usual, you can get your copy of the new software using the in-browser updater, or from the project page.

Tails 1.3.2 is out

Tails version 1.3.2 was put out on March 31. This release includes updates to key software, fixing numerous security issues. All Tails users must upgrade as soon as possible; see the announcement for download instructions.

Crowdsourcing the future (of onion services)

Onion (or hidden) services are web (or other) services hosted in the Tor network that have anonymity, authentication, and confidentiality built in. As George Kadianakis writes, “anything you can build on the Internet, you can build on hidden services — but they’re better”. A major task for the Tor community in the near future is making these important tools more widely available, and usable by groups who urgently need them, so George took to the Tor blog to solicit ideas for future onion service-related projects that could form the basis for a crowdfunding campaign. “Long story short, we are looking for feedback! What hidden services projects would you like to see us crowdfund? How do you use hidden services; what makes them important to you? How do you want to see them evolve?…Also, we are curious about which crowdfunding platforms you prefer and why.”

See the full post for an introduction to onion services, why they matter, why a crowdfunding campaign makes sense, and how to join in with your own ideas.

Spreading the word about Tor with free brochures

Tor advocates play an important role in talking to groups and audiences around the world about the ways Tor and online anonymity can benefit them. Until now, printed materials offering a simple introduction to the basic concepts behind Tor have been hard to come by, so Karsten Loesing announced a set of brochures, aimed at various audiences, that can be freely printed and distributed at Tor talks, tech conferences, public demonstrations, or just for fun. These will continue to receive updates and translations, so stay tuned.

If you don’t have access to printing facilities, you can contact the Tor Project with details of your event and requirements and receive a stack of brochures, possibly in return for a report or other feedback. Spread the word, and feel free to screen the Tor animation in your language while you’re at it!

Monthly status reports for March 2015

The wave of regular monthly reports from Tor project members for the month of March has begun. Damian Johnson released his report first, followed by reports from Tom Ritter, Philipp Winter, Pearl Crescent, Nick Mathewson, Juha Nurmi, and Isabela Bagueros.

Miscellaneous news

Anthony G. Basile announced version 20150322 of tor-ramdisk, the micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. This release includes updates to Tor, busybox, OpenSSL, and the Linux kernel.

George Kadianakis used some newly-discovered bridge statistics to generate visual bandwidth histories, in order “to better understand how much bridges are used”. “Questions and feedback on my methodology are welcome”, writes George. On the other hand, “we should think about the privacy implications of these statistics since they are quite fine-grained (multiple measurements per day) and some bridges don’t have many clients (hence small anonymity set for them)”, so if you have comments on this topic feel free to send them to the thread.

News from Tor StackExchange

Tor’s StackExchange site is currently running a self-evaluation. On the evaluation page you’ll see some questions and answers. Please go through this list and rate those questions. It helps the Q&A site to improve those answers and see where weaknesses are.

User 2313265939 lives in a heavily censored region and wants an OnionPi to connect to the meek-amazon pluggable transport. If you have an answer, please share it with this user.

This week in Tor history

A year ago this week, Tor developers were discussing the possibility of distributing bridge relay addresses via QR code, to avoid tricky copy-pastes and input errors that might cause a failed connection. Today, you can request some bridge lines from BridgeDB and select “Show QR code” to be shown…exactly that. Bridge address QR code recognition will soon make its way into the Orbot stable release, as well, so your simple censorship circumvention is no longer dependent on finicky touchscreen keyboards!

This issue of Tor Weekly News has been assembled by Harmony, Karsten Loesing, qbi, and the Tails team.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser 4.5a5 is released

The Tor Browser team is proud to announce the release of the fifth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a5 is based on Firefox ESR 31.6.0, which features important security updates to Firefox.

We're very excited about the usability and security improvements in this release. On the usability front, we've created a FreeDesktop-compatible launcher wrapper for Linux that can be invoked from either the GUI or the shell, and we also provide Windows users with the ability to add optional Start Menu and Desktop shortcuts. The circuit usage of Tor Browser has also been improved to avoid transitioning to a new circuit for a website while it is in active use.

On the security front, the Security Slider now has full descriptions of the browser behaviors that are changed at each security level. We've also made improvements to our display resolution fingerprinting defenses to automatically resize the browser window to a 200x100 pixel multiple after resize or maximization, and to perform similar resizing for full screen HTML5 video. Finally, the Windows releases are also now signed using the hardware signing token graciously provided to us by DigiCert, so Windows users should no longer be warned about Tor Browser being downloaded from an "unknown publisher".

And those are just the highlights. The complete list of changes since the 4.5a4 release is as follows:

  • All Platforms
    • Update Firefox to 31.6.0esr
    • Update OpenSSL to 1.0.1m
    • Update Tor to
    • Update NoScript to
    • Update HTTPS-Everywhere to 5.0
    • Update meek to 0.16
    • Update Tor Launcher to
      • Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
    • Update Torbutton to
      • Bug 9387: "Security Slider 1.0"
        • Include descriptions and tooltip hints for security levels
        • Notify users that the security slider exists
        • Flip slider so that "low" is on the bottom
        • Make use of new SVG and MathML prefs
      • Bug 13766: Set a 10 minute circuit lifespan for non-content requests
      • Bug 15460: Ensure FTP urls use content-window circuit isolation
      • Bug 13650: Clip initial window height to 1000px
      • Bug 14429: Ensure windows can only be resized to 200x100px multiples
      • Bug 15334: Display Cookie Protections menu if disk records are enabled
      • Bug 14324: Show HS circuit in Tor circuit display
      • Bug 15086: Handle RTL text in Tor circuit display
      • Bug 15085: Fix about:tor RTL text alignment problems
      • Bug 10216: Add a pref to disable the local tor control port test
      • Bug 14937: Show meek and flashproxy bridges in tor circuit display
      • Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
      • Bug 13019: Change locale hiding pref to boolean
      • Bug 7255: Warn users about maximizing windows
      • Bug 14631: Improve profile access error msgs (strings).
    • Pluggable Transport Dependency Updates:
      • Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
      • Bug 15265: Switch repo to
    • Bug 14937: Hard-code meek and flashproxy node fingerprints
    • Bug 13019: Prevent Javascript from leaking system locale
    • Bug 10280: Improved fix to prevent loading plugins into address space
    • Bug 15406: Only include addons in incremental updates if they actually update
    • Bug 15029: Don't prompt to include missing plugins
    • Bug 12827: Create preference to disable SVG images (for security slider)
    • Bug 13548: Create preference to disable MathML (for security slider)
    • Bug 14631: Improve startup error messages for filesystem permissions issues
    • Bug 15482: Don't allow circuits to change while a site is in use
  • Linux
    • Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
    • Bug 12468: Only print/write log messages if launched with --debug
  • Windows
    • Bug 3861: Begin signing Tor Browser for Windows the Windows way
    • Bug 15201: Disable 'runas Administrator' codepaths in updater
    • Bug 14688: Create shortcuts to desktop and start menu by default (optional)

Tor Browser 4.0.6 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.6 is based on Firefox ESR 31.6.0, which features important security updates to Firefox.

Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.5:

  • All Platforms
    • Update Firefox to 31.6.0esr
    • Update meek to 0.16
    • Update OpenSSL to 1.0.1m

Spread the word about Tor

To all Tor advocates,

For all of you who want to spread the word about Tor at a symposium or conference and need printed materials, we finally have something for you:

Download these brochures here:

Language Available formats
Brazilian Portuguese PDF ODG TXT
Portuguese PDF ODG TXT

EDIT: Adding new translations as they come in (thanks, folks!). If you're considering translating these brochures, please contact us first at to make sure nobody else is already working on the same translation.

There are three different versions of the brochure, all with the same front and different backs:

  1. Law Enforcement & The Tor Project: Geared as a quick reference for law enforcement audiences (not just investigators, but also support services).
  2. The Benefits of Anonymity Online: This is meant for journalists, domestic violence organizations, and others focused on protecting their identity online.
  3. Freedom & Privacy Online: The target audience here is the general public - helping educate people about the reasons that protecting their privacy is important.

Feel free to use these brochures to spread the word about Tor. And just in case you're new to Tor and wondering whether you're permitted to use these brochures: yes, absolutely! We really want people to talk about Tor. Even if you don't have good answers for all the questions people might come up with, these brochures might serve as guidance for you.

Need a stack of these for an event? Contact us, tell us about the event and how many brochures and which of the three versions you need, and we'll mail them to you. Note that we might ask you to write a trip report and give us some feedback on the brochures in exchange.

Also, we will be offering updated versions of these brochures on an ongoing basis.

Thanks for spreading the word about Tor!

Crowdfunding the Future (of Hidden Services)

Hidden Services have received a lot of attention in 2015, and Tor is at the center of this conversation. Hidden Services are a Tor technology that allows users to connect to services (blogs, chats, and many other things) with neither the user nor the site giving up identifying information.

In fact, anything you can build on the internet, you can build on hidden services. But they're better--they give users things that normal networking doesn't: authentication and confidentiality are built in; anonymity is built in. An internet based on hidden services would be an internet with Tor built in--a feature that users could take for granted. Think of what this might mean to millions of users in countries like China, Iran, or the UK. Yet currently, only about 4% of Tor's traffic comes from hidden services.

So we at Tor have been considering how we might meet the challenge of making them more widely available. In this post, we will briefly discuss the role of hidden services before we explore the idea of using crowdfunding to pay for bold, long-term tech initiatives that will begin to fulfill the promise of this technology.

Hidden Services are a critical part of Tor's ecosystem

Hidden Services provide a means for Tor users to create sites and services that are accessible exclusively within the Tor network, with privacy and security features that make them useful and appealing for a wide variety of applications.

For example, hidden services are currently used by activists and journalists to publish blogs--in anonymity and free from retaliation. They are used by NGOs to securely receive information on government corruption and injustice from concerned citizens. Newspapers such as the Washington Post, and human rights groups such as Amnesty International use them to receive leaked information. They are used by people looking for the latest cat facts, companies that want to secure the path of their clients or by people chatting securely and anonymously -- including at-risk journalists talking to sources.

In addition, developers use hidden services as a building block to incorporate Tor's security and anonymity features into totally separate products. The potential of hidden services is huge, and much of it is yet to be explored.

Next Steps for Hidden Services

We want to make this technology available to the wider public as these services will play a key role in the future of secure communications. This means that we must increase the uses for hidden services, bring them to mobile platforms for anonymous mobile apps, and vastly increase the number of people who use them.

Since our goal is wider use, it is imperative that we build them to be more secure, easier to set up, better performing, and more usable. Clearly, the questions that we answer in early deployment efforts will inform how we answer the deeper questions pertaining to massive worldwide deployment.

We must engage a large number of people to bring hidden services to the next level. Until now, hidden services development largely relied on the volunteer work of developers in their spare time. This will not be sufficient if we are to make the leap to transformative hidden services.

We are currently evaluating funding strategies that will support our Hidden Service initiatives in the short-, intermediate- and long-term. To meet the requirements that more conservative large funders have, so that we can fully sponsor the Next Generation Hidden Services, we must put preliminary pieces in place. For that, we will reach out to crowdfunding. To do this right, we need your feedback.

Why Crowdfunding?

Crowdfunding allows us to engage the broader community in grasping the opportunity that this new technology promises. We are confident that we can deliver significant advancements in the hidden services field in the short-term, and that many small donors who understand their context will be eager to contribute. We intend to begin by prioritizing the improvement of the security, usability, and performance of the current hidden services system.

Further, we want to make sure we support the efforts of community projects and that the community is participating in shaping the evolution of hidden services. For example, it would be important to assist and improve the Tor integration of projects such as SecureDrop, Pond, Ahmia and Ricochet. We are in the unique position to be able to shape the Tor protocol to make these projects easier to use and better performing, and we would like to identify ways to promote broader deployment of these projects.

Identifying, prioritizing and meeting future challenges will require engagement throughout the greater community. For instance, as changes and enhancements are introduced, we hope to speak with the best bug hunters, cryptographers and privacy experts and ask them to audit our code and designs. Non-technical users could help us evaluate the usability of our improvements.

For this crowdfunding campaign we have identified a few possible ideas, but the point of this post is to ask you for yours. Here are three projects that we have come up with so far:

  • Information Panel for Hidden Service Operators

    An application that Hidden Service operators could use to learn more about the activity of their Hidden Service. The operator would have access to information on user activity, security information, etc., and will receive important system-generated updates, including log messages.

  • Fast-but-not-hidden services

    A way to set up public hidden services with improved performance but reduced server-side anonymity. Basically, hidden services that don't care about their own anonymity but still want to protect their clients with Tor's cryptography and anonymity will be able to run faster, since they don't need to protect their own anonymity. This is an optional feature that suits the needs of large sites like Facebook and reddit, and will make their hidden services faster while also reducing the traffic they cause to the network. Also, by optimizing for performance in this specialized feature, we can optimize for security even more in the default hidden services configuration.

  • Next Generation Hidden Services

    Tor has been at the center of hidden services from the beginning. We have big lists of changes we need to make to the Tor protocol to increase the security of hidden services against cryptanalysis, DoS and deanonymization attacks. We also want to improve guard security, allow operators to store their cryptographic keys offline and enable scaling of hidden services to new levels. This is a big project but we hope to start crunching through it as part of this crowdfunding campaign.

Your Idea for Hidden Services?

Long story short, we are looking for feedback!

  • What hidden services projects would you like to see us crowdfund?

  • How do you use hidden services; what makes them important to you? How do you want to see them evolve?

  • We'd love to hear your ideas on picking crowdfunding rewards and stretch goals. Also, we are curious about which crowdfunding platforms you prefer and why.

  • Feel free to use the comments of this blog, or contact us directly at Also see our wiki page with more information!

In the following weeks, we will update you on our progress, incorporating feedback we receive from the community. We hope to make this process as transparent and public as possible!

EDIT: The "Unhidden Services" paragraph was expanded and changed to "Fast-but-not-hidden Services". The previous name was too scary and the description not sufficient to show the potential of the project. Please send us better names for this feature!

Tor Weekly News — March 25th, 2015

Welcome to the twelfth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor,, and are out

Nick Mathewson announced three new releases by the core Tor team. Versions and are updates to the stable release series, featuring backports from later releases and an updated list of Tor directory authorities.

Tor, meanwhile, is the second release candidate in the upcoming Tor 0.2.6 series. It fixes a couple of possible crashes, and makes it easier to run Tor inside the Shadow network simulator. To find out more about all the new features that are expected in this release series, take a look at Nick’s guide on the Tor blog.

Please see the release announcements for details of all changes, and download the source code from the distribution directory.

Tor Browser 4.0.5 is out

Following the disclosure of two potentially serious security flaws in Firefox, the Tor Browser team announced a pointfix release of the privacy-preserving browser. Tor Browser 4.0.5 is based on Firefox 31.5.3 ESR, fixing flaws in the handling of SVG files and Javascript bounds checking that could have allowed an adversary to run malicious code on a target machine.

This is an important security update, and all users of the stable Tor Browser should upgrade as soon as possible. Users of the alpha Tor Browser release channel will need to wait another week for an updated version; in the meantime, as Georg Koppen explained, they “are strongly recommended to use Tor Browser 4.0.5”. Download your copy of the new Tor Browser from the project page.

Tails 1.3.1 is out

The Tails 1.3.1 emergency release was put out on March 23, following the Firefox security announcement. As well as Tor Browser 4.0.5, this release includes updates to key software, fixing numerous security issues. All Tails users must upgrade as soon as possible; see the announcement for download instructions.

This release is also the first to be signed by the Tails team’s new OpenPGP signing key. For full details of the new key, see the team’s announcement.

Who runs most of the Tor network?

The Tor network is a diverse and mostly decentralized system, and it would not exist without the efforts of thousands of volunteer relay operators around the world. Some focus on the task of maintaining a single relay, while others set up “families” of nodes that handle a larger share of Tor traffic.

In an effort to identify the largest (publicly-declared) groupings of relays on the Tor network today, Nusenu posted a list of entries found in the MyFamily field of Tor relay configuration files, grouped by total “consensus weight”. This list also includes other relevant data such as the number of Autonomous Systems, /16 IP address blocks, and country codes in which these relays are located; as Nusenu says, “more is better” for these statistics, at least as far as diversity is concerned. If the concentration of relays in one location is too high, there is a greater risk that a single adversary will be able to see a large proportion of Tor traffic.

Nusenu also posted shorter lists of the largest relay families sorted by contact information, and in the course of all this research was able to notify some relay operators of problems with their configuration. The future of the MyFamily setting is still being discussed; in the meantime, thanks to Nusenu for this impressive effort!

Miscellaneous news

Nathan Freitas announced Orbot version 15-alpha-5, bringing support for the meek and obfs4 pluggable transports, QR code bridge distribution, and other new features closer to a stable release.

George Kadianakis invited feedback on proposal 243, which would require Tor relays to earn the “Stable” flag before they are allowed to act as onion service directories, making it harder for malicious relay operators to launch denial-of-service attacks on onion services.

Nick Mathewson asked for comments on a list of possible future improvements to Tor’s controller protocol: “This is a brainstorming exercise, not a declaration of intent. The goal right now is to generate a lot of ideas and thoughts now, and to make decisions about what to build later.”

David Fifield wondered why many of the graphs of Tor user numbers on the Metrics portal appear to show weekly cycles.

Jens Kubieziel posted a list of ideas for the further development of the Torservers organization, following recent discussions.

Mashael AlSabah and Ian Goldberg published “Performance and Security Improvements for Tor: A Survey”, a detailed introduction to the current state of research into performance and security on the Tor network. If you want to get up to speed on the most important technical questions facing the Tor development community, start here!

Aaron Johnson announced that this year’s Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETS) is accepting two-page talk proposals, rather than full-length papers, in the hope that “this will make it even easier for more of the Tor community to participate, especially people who don’t write research papers for a living”. If you can offer “new ideas, spirited debates, or controversial perspectives on privacy (and lack thereof)”, see the Workshop’s website for submission guidelines.

This issue of Tor Weekly News has been assembled by Harmony, the Tails team, nicoo, and other contributors.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor and are released

Hello! I released Tor and last week. This is the formal announcement.

(Per usual practice with non-critical stable releases, I've delayed the tor-announce announcement to give distributions a chance to make packages. If you are a packager and you didn't notice that, please let me know and I'll put you on the list of people I notify extra-early about new releases.)

Tor 0.2.4 and 0.2.5 are stable release series. Going forward, they will continue to only receive patches for really serious issues.

You can get the source code for Tor and from the download page, or at If you're running TorBrowser 4.0.5, you already have Tor Remember to check the signatures!

The changelogs follow below...
