Today I'm happy to announce a new era in Tor implementation.
Over the past year or so, we've been working on "Arti", a project to rewrite Tor in Rust. Thanks to funding from Zcash Open Major Grants (ZOMG), we can finally put the Arti project up in our priorities list, and devote more time to it.
Below I'll talk about why we're doing this project, what it means for Tor users and operators, where it's going in the future, and how people can help.
After months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.6.5 on the download page. Packages should be available within the next several weeks, with a new Tor Browser around the end of the week.
Because this release includes security fixes, we are also releasing updates for our other supported releases. You can find their source at https://dist.torproject.org:
Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x series includes numerous features and bugfixes, including a significant improvement to our circuit timeout algorithm that should improve observed client performance, and a way for relays to report when they are overloaded.
This release also includes security fixes for several security issues, including a denial-of-service attack against onion service clients, and another denial-of-service attack against relays. Everybody should upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
Below are the changes since 0.4.5.8. For a list of changes since 0.4.6.4-rc, see the ChangeLog file.
Changes in version 0.4.6.5 - 2021-06-14
Major bugfixes (security):
Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams. Previously, clients failed to validate which hop sent these cells: this would allow a relay on a circuit to end a stream that wasn't actually built with it. Fixes bug 40389; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- 003 and CVE-2021-34548.
Major bugfixes (security, defense-in-depth):
Detect more failure conditions from the OpenSSL RNG code. Previously, we would detect errors from a missing RNG implementation, but not failures from the RNG code itself. Fortunately, it appears those failures do not happen in practice when Tor is using OpenSSL's default RNG implementation. Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
There's a new release candidate available for download. If you build Tor from source, you can download the source code for 0.4.6.4-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely next week.
Remember, this is a not a stable release yet: but we still hope that people will try it out and look for bugs before the official stable release comes out in June.
Tor 0.4.6.4-rc fixes a few bugs from previous releases. This, we hope, the final release candidate in its series: unless major new issues are found, the next release will be stable.
Changes in version 0.4.6.4-rc - 2021-05-28
Minor features (compatibility):
Remove an assertion function related to TLS renegotiation. It was used nowhere outside the unit tests, and it was breaking compilation with recent alpha releases of OpenSSL 3.0.0. Closes ticket 40399.
Minor bugfixes (consensus handling):
Avoid a set of bugs that could be caused by inconsistently preferring an out-of-date consensus stored in a stale directory cache over a more recent one stored on disk as the latest consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha.
There's a new release candidate available for download. If you build Tor from source, you can download the source code for Tor 0.4.6.3-rc from the download page on the website. Packages should be available over the coming weeks, with a new Tor Browser release likely next week.
Tor 0.4.6.3-rc is the first release candidate in its series. It fixes a few small bugs from previous versions, and adds a better error message when trying to use (no longer supported) v2 onion services.
Though we anticipate that we'll be doing a bit more clean-up between now and the stable release, we expect that our remaining changes will be fairly simple. There will likely be at least one more release candidate before 0.4.6.x is stable.
Changes in version 0.4.6.3-rc - 2021-05-10
Major bugfixes (onion service, control port):
Make the ADD_ONION command properly configure client authorization. Before this fix, the created onion failed to add the client(s). Fixes bug 40378; bugfix on 0.4.6.1-alpha.
Minor features (compatibility, Linux seccomp sandbox):
Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.
We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.4.5.8 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes from the 0.4.6.x series.
Changes in version 0.4.5.8 - 2021-05-10
Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
Add a workaround to enable the Linux sandbox to work correctly with Glibc 2.33. This version of Glibc has started using the fstatat() system call, which previously our sandbox did not allow. Closes ticket 40382; see the ticket for a discussion of trade-offs.
Minor features (compilation, backport from 0.4.6.3-rc):
Make the autoconf script build correctly with autoconf versions 2.70 and later. Closes part of ticket 40335.
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.6.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely some time next week.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several small bugs in previous releases, and solves other issues that had enabled denial-of-service attacks and affected integration with other tools.
Changes in version 0.4.6.2-alpha - 2021-04-15
Minor features (client):
Clients now check whether their streams are attempting to re-enter the Tor network (i.e. to send Tor traffic over Tor), and close them preemptively if they think exit relays will refuse them for this reason. See ticket 2667 for details. Closes ticket 40271.
Minor features (command line):
Add long format name "--torrc-file" equivalent to the existing command-line option "-f". Closes ticket 40324. Patch by Daniel Pinto.
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.6.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely next week.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It improves client circuit performance, adds missing features, and improves some of our DoS handling and statistics reporting. It also includes numerous smaller bugfixes.
Below are the changes since 0.4.5.7. (Note that this release DOES include the fixes for the security bugs already fixed in 0.4.5.7.)
Changes in version 0.4.6.1-alpha - 2021-03-18
Major features (control port, onion services):
Add controller support for creating version 3 onion services with client authorization. Previously, only v2 onion services could be created with client authorization. Closes ticket 40084. Patch by Neel Chauhan.
Major features (directory authorityl):
When voting on a relay with a Sybil-like appearance, add the Sybil flag when clearing out the other flags. This lets a relay operator know why their relay hasn't been included in the consensus. Closes ticket 40255. Patch by Neel Chauhan.
We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.5.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser coming next week.
These releases fix a pair of denial-of-service issues, described below. One of these issues is authority-only. The other issue affects all Tor instances, and is most damaging on directory authorities and relays. We recommend that everybody should upgrade to one of these versions once packages are available.
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier versions of Tor.
One of these vulnerabilities (TROVE-2021-001) would allow an attacker who can send directory data to a Tor instance to force that Tor instance to consume huge amounts of CPU. This is easiest to exploit against authorities, since anybody can upload to them, but directory caches could also exploit this vulnerability against relays or clients when they download. The other vulnerability (TROVE-2021-002) only affects directory authorities, and would allow an attacker to remotely crash the authority with an assertion failure. Patches have already been provided to the authority operators, to help ensure network stability.
We recommend that everybody upgrade to one of the releases that fixes these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available to you.
This release also updates our GeoIP data source, and fixes a few smaller bugs in earlier releases.
Changes in version 0.4.5.7 - 2021-03-16
Major bugfixes (security, denial of service):
Disable the dump_desc() function that we used to dump unparseable information to disk. It was called incorrectly in several places, in a way that could lead to excessive CPU usage. Fixes bug 40286; bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- 001 and CVE-2021-28089.
Fix a bug in appending detached signatures to a pending consensus document that could be used to crash a directory authority. Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 and CVE-2021-28090.
Minor features (geoip data):
We have switched geoip data sources. Previously we shipped IP-to- country mappings from Maxmind's GeoLite2, but in 2019 they changed their licensing terms, so we were unable to update them after that point. We now ship geoip files based on the IPFire Location Database instead. (See https://location.ipfire.org/ for more information). This release updates our geoip files to match the IPFire Location Database as retrieved on 2021/03/12. Closes ticket 40224.
After months of work, we have a new stable release series! If you build Tor from source, you can download the source code for 0.4.5.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.
The Tor 0.4.5.x release series is dedicated to the memory of Karsten Loesing (1979-2020), Tor developer, cypherpunk, husband, and father. Karsten is best known for creating the Tor metrics portal and leading the metrics team, but he was involved in Tor from the early days. For example, while he was still a student he invented and implemented the v2 onion service directory design, and he also served as an ambassador to the many German researchers working in the anonymity field. We loved him and respected him for his patience, his consistency, and his welcoming approach to growing our community.
This release series introduces significant improvements in relay IPv6 address discovery, a new "MetricsPort" mechanism for relay operators to measure performance, LTTng support, build system improvements to help when using Tor as a static library, and significant bugfixes related to Windows relay performance. It also includes numerous smaller features and bugfixes.
Below are the changes since 0.4.4.7. For a list of changes since 0.4.5.5-rc, see the ChangeLog file.
Changes in version 0.4.5.6 - 2021-02-15
Major features (build):
When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
Major features (metrics):
Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.
