Some statistics about onions

Non-technical abstract:

We are starting a project to study and quantify hidden services traffic. As part of this project, we are collecting data from just a few volunteer relays which only allow us to see a small portion of hidden service activity (between 2% and 5%). Extrapolating from such a small sample is difficult, and our data are preliminary.

We've been working on methods to improve our calculations, but with our current methodology, we estimate that about 30,000 hidden services announce themselves to the Tor network every day, using about 5 terabytes of data daily. We also found that hidden service traffic is about 3.4% of total Tor traffic, which means that, at least according to our early calculations, 96.6% of Tor traffic is *not* hidden services. We invite people to join us in working to research methodologies and develop systems for better understanding Tor hidden services.


Over the past months we've been working on hidden service statistics. Our goal has been to answer the following questions:

  • "Approximately how many hidden services are there?"
  • "Approximately how much traffic of the Tor network is going to hidden services?"

We chose the above two questions because even though we want to understand hidden services, we really don't want to harm the privacy of Tor users. From a privacy perspective, the above two questions are relatively easy questions to answer because we don't need data from clients or the hidden services themselves; we just need data from hidden service directories and rendezvous points. Furthermore, the measurements reported by each relay cannot be linked back to specific hidden services or their clients.

Our first move was to research various ways we could collect these statistics in a privacy-preserving manner. After days of discussions on obfuscating statistics, we began writing a Tor proposal with our design, as well as code that implements the proposal. The code has since been reviewed and merged to Tor! The statistics are currently disabled by default so we asked volunteer relay operators to explicitly turn them on. Currently there are about 70 relays publishing measurements to us every 24 hours:

Number of relays reporting stats

So as of now we've been receiving these measurements for over a month, and we have thought a lot about how to best use the reported measurements to derive interesting results. We finally have some preliminary results we would like to share with you:

How many hidden services are there?

All in all, it seems that every day about 30000 hidden services announce themselves to the hidden service directories. Graphically:

Number of hidden services

By counting the number of unique hidden service addresses seen by HSDirs, we can get the approximate number of hidden services. Keep in mind that we can only see between 2% and 5% of the total HSDir space, so the extrapolation is, naturally, messy.

How much traffic do hidden services cause?

Our preliminary results show that hidden services cause somewhere between 400 to 600 Mbit of traffic per second, or equivalently about 4.9 terabytes a day. Here is a graph:

Hidden services traffic volume

We learned this by getting rendezvous points to publish the total number of cells transferred over rendezvous circuits, which allows us to learn the approximate volume of hidden service traffic. Notice that our coverage here is not very good either, with a probability of about 5% that a hidden service circuit will use a relay that reports these statistics as a rendezvous point.

A related statistic here is "How much of the Tor network is actually hidden service usage?". There are two different ways to answer this question, depending on whether we want to understand what clients are doing or what the network is doing. The fraction of hidden-service traffic at Tor clients differs from the fraction at Tor relays because connections to hidden services use 6-hop circuits while connections to the regular Internet use 3-hop circuits. As a result, the fraction of hidden-service traffic entering or leaving Tor is about half of the fraction of hidden-service traffic inside of Tor. Our conclusion is that about 3.4% of client traffic is hidden-service traffic, and 6.1% of traffic seen at a relay is hidden-service traffic.

Conclusion and future work

In this blog post we presented some preliminary results that could be extracted from these new hidden service statistics. We hope that this data can help us better gauge the future development and maturity of the onion space as well as detect potential incidents and bugs on the network. To better present our results and methods, we wrote a short technical report that outlines the exact process we followed. We invite you to read it if you are curious about the methodology or the results.

Finally, this project is only a few months old, and there are various plans for the future. For example:

  • There are more interesting questions that we could examine in this area. For example: "How many people are using hidden services every day?" and "How many times does someone try to visit a hidden service that does not exist anymore?."

    Unfortunately, some of these questions are not easy to answer with the current statistics reporting infrastructure, mainly because collecting them in this way could reveal information about specific hidden services but also because the results of the current system contain too much obfuscating data (each reporting relay randomizes its numbers a little bit before publishing them, so we can learn about totals but not about specific events).

    For this reason, we've been analyzing various statistics aggregation protocols that could be used in place of the current system, allowing us to safely collect other kinds of statistics.

  • We need to incorporate these statistics in our Metrics portal so that they are updated regularly and so that everyone can follow them.

  • Currently, these hidden service statistics are not collected in relays by default. Unfortunately, that gives us very small coverage of the network, which in turn makes our extrapolations very noisy. The main reason that these statistics are disabled by default is that similar statistics are also disabled (e.g. CellStatistics). Also, this allows us more time to consider privacy consequences. As we analyze more of these statistics and think more about statistics privacy, we should decide whether to turn these statistics on by default.

    It's worth repeating that the current results are preliminary and should be digested with a grain of salt. We invite statistically-inclined people to review our code, methods, and results. If you are a researcher interested in digging into the measurements themselves, you can find them in the extra-info descriptors of Tor relays.

    Over the next months, we will also be thinking more about these problems to figure out proper ways to analyze and safely measure private ecosystems like the onion space.

Till then, take care, and enjoy Tor!

Tor Browser 4.0.4 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Note: The individual bundles of the stable series are signed by one of the subkeys of the Tor Browser Developers signing key from now on, too. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290

Tor Browser 4.0.4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Additionally, it contains updates to NoScript, HTTPS-Everywhere, and OpenSSL (none of the OpenSSL advisories since OpenSSL 1.0.1i have affected Tor, but we decided to update to the latest 1.0.1 release anyway).

Here is the changelog since 4.0.3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update OpenSSL to 1.0.1l
    • Update NoScript to
    • Update HTTPS-Everywhere to 4.0.3
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions

Tor Browser 4.5a4 is released

The Tor Browser team is proud to announce the release of the fourth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Moreover, this release includes an updated Tor,, and switches Scramblesuit and obfs3 bridge support to a new golang-based implementation. We are especially interested in hearing any issues with using obfs3, obfs4, and Scramblesuit in this release.

The release also features several improvements to usability, following the results of the usability sprint at the end of last month. In particular, the Torbutton onion menu and related preference windows have been overhauled to provide more simplicity and more focus. The onion menu now features a much requested "New Circuit for this site" option, and the security and privacy settings window have been simplified. For censored users, the first run configuration wizard was also improved to present the choice of Pluggable Transport before the local proxy information, in an effort to avoid confusion between Pluggable Transports and local proxies. As can be seen from the changelog below, the release contains several other usability tweaks and enhancements as well.

Here is the full changelog for changes since 4.5-alpha-3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update Tor to
    • Update OpenSSL to 1.0.1l
    • Update NoScript to
    • Update obfs4proxy to 0.0.4
      • Use obfs4proxy for ScrambleSuit bridges
    • Update Torbutton to
      • Bug 13882: Fix display of bridges after bridge settings have been changed
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 14866: Show correct circuit when more than one exists for a given domain
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14632: Disable Cookie Manager until we get it working.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 13900: Remove remaining SafeCache code in favor of C++ patch
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 9387: Handle "custom" mode better in Security Slider
      • Bug 12430: Bind jar: pref to Security Slider
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Translation updates
    • Update Tor Launcher to
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Translation updates
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 10280: Don't load any plugins into the address space.
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 5698: Fix branding in "About Torbrowser" window
  • Windows:
    • Bug 13169: Don't use /dev/random on Windows for SSP
  • Linux:
    • Bug 13717: Make sure we use the bash shell on Linux

Note: Once again, the individual bundles of both Tor Browser series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290

Tor Weekly News — February 25th, 2015

Welcome to the eighth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor 0.2.6-alpha-3 is out

Nick Mathewson announced the third (“and hopefully final”) alpha release in the Tor 0.2.6.x series. The major user- and operator-facing changes in this release include support for AF_UNIX sockets, allowing high-risk applications to reach a local Tor without having to enable other kinds of networking activity; a new warning for relay operators, in order to make it even harder to accidentally run an exit node; improvements and additions to the directory system; and much else besides.

See Nick’s announcement for the full changelog, and download your copy of the source code from the distribution directory, but note that “this is an alpha release”, so “please expect bugs”.

Tails 1.3 is out

The Tails team announced version 1.3 of the anonymous live operating system. This release brings several major new features, including Bitcoin support with Electrum; connections to Tor using the obfs4 pluggable transport; an AppArmor profile to protect the filesystem against some kinds of attack on Tor Browser; a simpler Tails drive creation process on Mac and Linux; and more intuitive handling of computer trackpads.

See the announcement for links to the full list of changes and known issues, and download your copy from the website or, if you already have a running Tails, using the incremental update system.

CITIZENFOUR wins many awards

Laura Poitras’ documentary film CITIZENFOUR, recording the initial encounters between herself, journalist Glenn Greenwald, and the American surveillance whistleblower (and sometime Tor relay operator) Edward Snowden, has been decorated at numerous awards ceremonies over the past few months for its artistic and political achievement.

The filmmakers have been tireless in their activism on behalf of Tor and the free software community both in the mainstream press and at community conferences; upon receiving the Ridenhour Documentary Film Prize last week, Laura called attention to the role of these projects in the production process: “This film and our NSA reporting would not have been possible without the work of the Free Software community that builds free tools to communicate privately. The prize money for the award will be given to the Tails Free Software project.”

CITIZENFOUR went on to win the Independent Spirit and Academy Awards for Best Documentary Feature over the weekend. The recognition is richly deserved. Thanks to Laura and her colleagues for their extraordinary work over the last two years!

Miscellaneous news

Giovanni Pellerano released a security advisory for a bug in GlobaLeaks that was introduced on 28th January 2015, and fixed on 16th February. The bug could have allowed an attacker to read any file in the /var/globaleaks/ directory with the exception of the Tor onion service key; if you installed or upgraded your GlobaLeaks instance on or between those dates, please see Giovanni’s announcement for more details, and upgrade again as soon as possible.

Nathan Freitas announced Orbot version 15-alpha-4, featuring bridge scanning and distribution via QR code, and simpler configuration for pluggable transports like meek, among other improvements.

Rob Jansen announced a major new release of Shadow, the Tor network simulation tool. New features include support for running Bitcoin software inside the simulation, client activity modelling using dependency graphs, and much more.

Yaron Goland updated the Tor Onion Proxy libary, a project to “enable Android and Java applications to easily host their own Tor Onion Proxies using the core Tor binaries”. This release incorporates newer software and a simplified build process.

The organizers of the Workshop on Surveillance and Technology issued a call for papers ahead of their event, which will be held on June 29th. The deadline for submission is midnight UTC on March 11th; please see SAT’s website for topics covered by the workshop and submission guidelines.

Bendert Zevenbergen relayed another call for participation, this time in the ACM SigComm2015 workshop on “Ethics in Networked Systems Research”.

This issue of Tor Weekly News has been assembled by Harmony and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tails 1.3 is out

Tails, The Amnesic Incognito Live System, version 1.3, is out.

This release fixes numerous security issues and all users must upgrade as soon as possible.

New features

  • Electrum is an easy to use bitcoin wallet. You can use the Bitcoin Client persistence feature to store your Electrum configuration and wallet.

  • The Tor Browser has additional operating system and data security. This security restricts reads and writes to a limited number of folders. Learn how to manipulate files with the new Tor Browser.

  • The obfs4 pluggable transport is now available to connect to Tor bridges. Pluggable transports transform the Tor traffic between the client and the bridge to help disguise Tor traffic from censors.

  • Keyringer lets you manage and share secrets using OpenPGP and Git from the command line.

Upgrades and changes

  • The Mac and Linux manual installation processes no longer require the isohybrid command. Removing the isohybrid command simplifies the installation.
  • The tap-to-click and two-finger scrolling trackpad settings are now enabled by default. This should be more intuitive for Mac users.
  • The Ibus Vietnamese input method is now supported.
  • Improved support for OpenPGP smartcards through the installation of GnuPG 2.

There are numerous other changes that may not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Known issues

See the current list of known issues.

Download or upgrade

Go to the download page.

What's coming up?

The next Tails release is scheduled for April 7.

Have a look to our roadmap to see where we are heading to.

Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Tor is released

Tor is the third (and hopefully final) alpha release in the 0.2.6.x series. It introduces support for more kinds of sockets, makes it harder to accidentally run an exit, improves our multithreading backend, incorporates several fixes for the AutomapHostsOnResolve option, and fixes numerous other bugs besides.

If no major regressions or security holes are found in this version, the next version will be a release candidate.

You can download the source from the usual place on the website. Packages should be up in a few days.

NOTE: This is an alpha release. Please expect bugs.

Changes in version - 2015-02-19
  • Deprecated versions:
    • Tor relays older than are no longer allowed to advertise themselves on the network. Closes ticket 13555.
  • Major features (security, unix domain sockets):
    • Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk applications can reach Tor without having to create AF_INET or AF_INET6 sockets, meaning they can completely disable their ability to make non-Tor network connections. To create a socket of this type, use "SocksPort unix:/path/to/socket". Implements ticket 12585.
    • Support mapping hidden service virtual ports to AF_UNIX sockets. The syntax is "HiddenServicePort 80 unix:/path/to/socket". Implements ticket 11485.

  read more »

Tor Weekly News — February 18th, 2015

Welcome to the seventh issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Onion services

Anonymous web services hosted in the Tor network have until now been referred to as “hidden services”. Although this name accurately describes one of their properties, it does not convey some of the other benefits that the system provides, like end-to-end encryption without a purchased SSL certificate, or self-authenticating domain names outside of the commercial DNS system. Furthermore, as Aaron Johnson points out, words like “hidden” and “dark” have an unnecessarily negative connotation.

Aaron and other members of the SponsorR team declared themselves in favor of using the word “onion” (as in “onion routing”) to characterize Tor-protected web services. “Hidden services” could be renamed “onion services”, while websites offered as onion services are “onionsites”; an onion service’s URL is its “onion address”, while the dreaded “Dark Web” becomes simply “onionspace”.

A full list of new and more precise terminology is in Aaron’s message and on the Tor wiki; please feel free to contribute to the discussion on the tor-dev mailing list with your thoughts.

Miscellaneous news

Nathan Freitas of the Guardian Project announced the release of version 15-alpha-3 of Orbot. This release includes more work on VPN support, and builds on last week’s early release of the PLUTO library to offer support for meek, although it is not currently possible to use both at the same time. See Nathan’s announcement for usage instructions and download links.

Yawning Angel asked for comments on an implementation of a proposal to let Tor create “ephemeral” onion services, using key material that is supplied at runtime rather than stored on the disk. See Yawning’s post for a detailed explanation of the concept and a link to the new code; however, trying to run this untested and unreviewed new branch “WILL BROADCAST YOUR SECRETS TO THE NSA’S ORBITAL SPACE STATION”, so don’t do that.

Yawning also announced version 0.0.4 of obfs4proxy, which “is more useful for the Tor Browser people than anyone else, since it means that the next build can remove the old go.crypto cruft from the build process, and the ScrambleSuit client provider can be switched over to obfs4proxy like obfs2 and obfs3 have been”.

SiNA Rabbani announced that Faravahar, the directory authority which he operates, will be moving to a new IP address on Friday.

Thanks to cuanto for running a mirror of the Tor Project website and software!

Thomas White published a guide to configuring an Nginx webserver as a hidden service: “It isn’t intended to be a hardening guide or an ultra secure way of hosting, but it is for people who want to casually publish some static HTML files or with a little extra configuration to host some applications”.

Collin Anderson and the University of Toronto’s Citizen Lab made a joint submission to the United Nations Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, examining the importance of digital security software such as Tor in upholding free expression and the right to privacy.

carlo von lynX wondered about the truth of the statement that “it would take latencies in the order of hours to fully make communications impossible to shape and correlate”. Roger Dingledine clarified : “It’s actually worse than that — we have no idea. I’d love to have a graph where the x axis is how much additional overhead (latency, bandwidth, whatever) we’re willing to add, and the y axis is how much additional security (anonymity, privacy, whatever) we can get. Currently we have zero data points for this graph.”

This issue of Tor Weekly News has been assembled by Harmony and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Weekly News — February 11th, 2015

Welcome to the sixth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the community around Tor, “your online an-onionising software”.

The 2015 Tor UX Sprint

Many open-source privacy tools struggle with questions of usability: so much effort goes into ensuring they are secure that few resources are left over to work on the user experience. But as Linda Lee and David Fifield write, “usability is critical to security”: user interface issues “can degrade user experience, cause confusion, or even cause people to accidentally deanonymize themselves”.

To explore, and hopefully solve, some of these problems, a group of Tor developers, designers, users, and researchers met at UC Berkeley at the start of the month. As part of the weekend, users were asked to walk through the process of installing and running Tor Browser, noting aloud their assumptions and reactions as they went.

Issues and “stopping points” (where users find the process too difficult to continue) discovered during these sessions were noted, and have been assigned tickets on Tor’s bug tracker. For more details of the event and its outcomes, please see Linda and David’s post; “if you are interested in helping to improve the usability of Tor Browser, get in touch by email or IRC”.

Tor and the Library Freedom Project

As Tor Weekly News reported last September, Massachusetts librarian and activist Alison Macrina has been leading a campaign to educate colleagues and library patrons on the state of digital surveillance and the use of privacy-preserving software such as Tor and Tails. As Alison and April Glaser wrote at the time, “libraries provide access to information and protect patrons’ right to explore new ideas, no matter how controversial or subversive”.

These initial workshops formed the basis for the Library Freedom Project, which has just received a grant from the Knight Foundation to expand its activities beyond the New England region. In a guest post on the Tor blog, Alison introduced the project, the motivations behind it, and its plans for the next few years, as well as suggesting some possible areas for collaboration with the Tor community in the future: “One specific way that librarians can help the Tor Project is with usability issues – we have lots of experience helping ordinary users with common usability problems […] Librarians can also run dev sprints, help update documentation, and generally advocate for tools that help safeguard privacy and anonymity.”

For more information on the Library Freedom Project, or to propose your own ideas, please see the project’s website. Thanks to Alison and colleagues for this important work!

Vidalia laid to rest

Now that Vidalia, the graphical user interface for Tor, has been completely unmaintained ”for too long to be a recommended solution”, Sebastian Hahn has removed the last links to Vidalia-related content from the Tor Project website. If you are still using a version of Tor Browser (outside of Tails) that contains Vidalia, it is almost certainly too old to be safe, so please upgrade as soon as possible.

Vidalia is still shipped in the latest version of Tails, however, so the Tails team has been working on a simple interface to replace one of the most-missed features of the defunct program, the circuit visualization window. The Tor Browser team have already implemented a similar per-site circuit diagram in the current 4.5-alpha series, so there should soon be no reason at all for users to continue controlling their Tor through Vidalia.

More monthly status reports for January 2015

The wave of regular monthly reports from Tor project members for the month of January continued, with reports from George Kadianakis, Pearl Crescent, Michael Schloh von Bennewitz, Nick Mathewson, Karsten Loesing, and Arlo Breault.

Mike Perry reported on behalf of the Tor Browser team, and George Kadianakis sent out the report for SponsorR.

Miscellaneous news

George Kadianakis linked to the technical report produced by the team working on statistics related to the amount of hidden service usage on the Tor network; Karsten Loesing added some more information regarding the fraction of network activity this represents. These are advanced calculations, so if you’re not experienced in data science but want to know more about this topic, the team will be back shortly with a more “casual-reader-friendly” analysis of the results.

“Fresh off a round of real-world intensive testing and debugging using spotty 2.5G coverage in the foothills of the Himalayas”, Nathan Freitas of the ever-intrepid Guardian Project announced the first release candidate for version 14.1 of ChatSecure, the “most private” messaging client for Android and iOS, featuring numerous improvements to usability, stability, and network handling. Please see Nathan’s announcement for the full changelog.

Nathan also shared a “very early” incarnation of PLUTO, “a simplified means for developers to include traffic obfuscation capabilities into their applications” with initial support for obfs4 and meek. “We think many apps could utilize this approach to defeat DPI filtering, and that this would be useful to offer decoupled from the way Tor integrates it”.

David Fifield posted a tutorial for configuring the meek pluggable transport to work with hard-to-block HTTPS websites interested in helping censored Tor users, rather than the large content delivery networks it currently uses, along with the regular summary of the costs incurred by meek’s infrastructure last month: “meek has so far been a smashing success. It’s the #2 pluggable transport behind obfs3 and it moved over 5 TB of traffic last month. But the costs are starting to get serious.” If you have ideas for supporting this vitally important anti-censorship tool, please see David’s message for more details.

Also in meek news, Across The Great FireWall published a Chinese-language introduction to the concepts underpinning this pluggable transport. Other resources (in Chinese and other languages) are listed on the wiki.

Nick Mathewson took to the Tor blog to explain exactly what Tor design proposals are for and how they are written, and offered status updates (and review recommendations) for some new and still-open proposals.

Nick also asked relay operators to contribute their advice to a relay hardening guide that could be shipped with Tor.

Arturo Filastò asked for help in coming up with a roadmap for the future of the Open Observatory of Network Interference, asking for opinions on a range of possible development, deployment, and research projects. Feel free to let the ooni-dev list know which of the ideas catches your attention.

After soliciting feedback on including newer pluggable transports in Tails, the Tails team decided to focus on obfs4 and then (“tentatively”) meek for upcoming versions of the anonymous live operating system.

Tom “TvdW” van der Woerdt wrote a detailed report on his experience implementing a Tor client from scratch in the Go programming language, following Tor’s specification document. One instance of “GoTor” briefly broke the Tor relay speed record with 250 megabytes/second, but Tom ultimately decided that Go isn’t the right language for such a thing, as its library support doesn’t make it easy enough to do. Thanks to Tom for running the experiment, and catching some specification errors in the process!

Even though Tor Browser is not vulnerable to the recent WebRTC IP attack proof-of-concept proof-of-concept, Mike Perry nevertheless invited “interested parties to try harder to bypass Tor in a stock Firefox using WebRTC and associated protocols (RTSP, SCTP) with media.peerconnection.enabled set to false”, before a plan to enable WebRTC-based QRCode bridge address resolution and sharing in Tor Launcher is implemented.

Shadow, the tool by Rob Jansen that allows full Tor network simulation, now has a new website. As Rob wrote: “The new website still uses the Jekyll engine, and is a stripped down customized version of the open source SOLID theme. Please send me feedback if you have it.”

Jillian York of the EFF discussed the problems of over-reliance on US government funding — and the dearth of other funding streams — for anti-surveillance tools, including Tor.

Seven of the eleven activists arrested last year in Spain for, amongst other things, having had email accounts with the technical collective Riseup — longtime Tor allies and operators of one of the directory authorities — have been released from prison. As Riseup wrote following the arrests, “security is not a crime”: “Giving up your basic right to privacy for fear of being flagged as a terrorist is unacceptable.”

Easy development tasks to get involved with

Two problems confronting Mac users who want to download Tor Browser are the “disk image” format and Apple’s Gatekeeper security system. If these users try to run Tor Browser directly from the disk image window that opens after downloading, they will receive an error telling them “Firefox is already running”, and if they correctly move the program to the Applications folder, Gatekeeper will prevent them from running it directly anyway.

If you have access to a machine running the latest version of Mac OS X, and want to spend ten minutes making life easier for Tor users, the Tor Browser download page would benefit from screenshots showing users how to drag the program to the Applications folder, and how to disable Gatekeeper by control-clicking on the Tor Browser icon when running for the first time. Please see the relevant bug ticket for a nice set of example screenshots; your contribution will be gratefully received!

This issue of Tor Weekly News has been assembled by Harmony, Roger Dingledine, Kate Krauss, and David Fifield.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Syndicate content