Tor Browser 4.5 is released

The Tor Browser Team is proud to announce the first stable release in the 4.5 series. This release is available from the Tor Browser Project page and also from our distribution directory.

The 4.5 series provides significant usability, security, and privacy enhancements over the 4.0 series. Because these changes are significant, we will be delaying the automatic update of 4.0 users to the 4.5 series for one week.

On the usability front, we've improved the application launch experience for both Windows and Linux users. During install, Windows users are now given the choice to add Tor Browser to the Start Menu/Applications view, which should make it easier to find and launch. This choice is on by default, but can be disabled, and only affects the creation of shortcuts - the actual Tor Browser is still self-contained as a portable app folder. On the Linux side, users now start Tor Browser through a new wrapper that enables launching from the File Manager, the Desktop, or the Applications menu. The same wrapper can also be used from the command line.

We've also simplified the Tor menu (the green onion) and the associated configuration windows. The menu now provides information about the current Tor Circuit in use for a page, and also provides an option to request a new Tor Circuit for a site. Tor Browser is also much better at handling Tor Circuits in general: while a site remains in active use, all associated requests will continue to be performed over the same Tor Circuit. This means that sites should no longer suddenly change languages, behaviors, or log you out while you are using them.

On the security front, the most exciting news is the new Security Slider. The Security Slider provides user-friendly vulnerability surface reduction - as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled. This feature is available from the Tor onion menu's "Privacy and Security Settings" choice.

Our Windows packages are now signed with a hardware signing token graciously donated by DigiCert. This means that Windows users should no longer be prompted about Tor Browser coming from an unknown source. Additionally, our automatic updates are now individually signed with an offline signing key. In both cases, these signatures can be reproducibly removed, so that builders can continue to verify that the packages they produce match the official build binaries.

The 4.5 series also features a rewrite of the obfs2, obfs3, and ScrambleSuit transports in GoLang, as well as the introduction of the new obfs4 transport. The obfs4 transport provides additional DPI and probing resistance features which prevent automated scanning for Tor bridges. As long as they are not discovered via other mechanisms, fresh obfs4 bridge addresses will work in China today. Additionally, barring new attacks, private obfs4 addresses should continue to work indefinitely.

On the privacy front, the 4.5 series improves on our first party isolation implementation to prevent third party tracking. Specifically, blob: URIs are now scoped to the URL bar domain that created them, and the SharedWorker API has been disabled to prevent cross-site and third party communication. We also now make full use of Tor's circuit isolation to ensure that all requests for any third party content included by a site travel down the same Tor Circuit. This isolation also ensures that requests to the same third party site actually use separate Tor Circuits when the URL bar domain is different. This request isolation is enforced even when long-lived "HTTP Keep-Alive" connections are used.
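The isolation rule described above, as an added toy model in JavaScript (not Tor Browser or Torbutton source). Assumptions: the SOCKS username is the URL bar host, the password is a per-site counter standing in for a random nonce, and `TorModel`, `Browser` and `trackerView` are hypothetical names. It also models a connection pool keyed only by destination, to show why Keep-Alive reuse has to be isolated as well.

```javascript
// Toy model of first-party circuit isolation (constructed example).
// Tor side: one circuit per distinct SOCKS username:password pair.
class TorModel {
  constructor() {
    this.circuits = new Map(); // "user:pass" -> circuit id
    this.nextId = 1;
  }
  circuitFor(user, pass) {
    const key = `${user}:${pass}`;
    if (!this.circuits.has(key)) this.circuits.set(key, this.nextId++);
    return this.circuits.get(key);
  }
}

class Browser {
  // isolateAuth: derive SOCKS credentials from the URL bar domain.
  // isolatePool: key the Keep-Alive pool by those credentials as well.
  constructor(tor, { isolateAuth, isolatePool }) {
    this.tor = tor;
    this.isolateAuth = isolateAuth;
    this.isolatePool = isolatePool;
    this.nonces = new Map();    // first-party host -> nonce counter
    this.keepAlive = new Map(); // pool key -> circuit of the open connection
  }
  firstParty(urlBarUrl) {
    // Simplification: the full host stands in for the URL bar domain.
    return new URL(urlBarUrl).hostname;
  }
  credentials(urlBarUrl) {
    if (!this.isolateAuth) return ["", ""]; // every request shares one identity
    const fp = this.firstParty(urlBarUrl);
    return [fp, String(this.nonces.get(fp) || 0)];
  }
  // Fetch resourceUrl while urlBarUrl is displayed; returns the circuit used.
  fetch(urlBarUrl, resourceUrl) {
    const [user, pass] = this.credentials(urlBarUrl);
    const dest = new URL(resourceUrl).host;
    // Hypothetical weak setting: a pool keyed by destination alone hands an
    // idle connection opened under one site to a request made under another.
    const poolKey = this.isolatePool ? `${user}:${pass}|${dest}` : dest;
    if (!this.keepAlive.has(poolKey)) {
      this.keepAlive.set(poolKey, this.tor.circuitFor(user, pass));
    }
    return this.keepAlive.get(poolKey);
  }
  // "New Tor Circuit for this Site": rotate only that site's nonce.
  newCircuitForSite(urlBarUrl) {
    const fp = this.firstParty(urlBarUrl);
    this.nonces.set(fp, (this.nonces.get(fp) || 0) + 1);
  }
}

// Constructed session: two unrelated sites embed the same third party.
function trackerView(options) {
  const b = new Browser(new TorModel(), options);
  const news = "https://news.example/";
  const shop = "https://shop.example/cart";
  const tracker = "https://tracker.example/pixel.gif";
  const view = {
    newsPage: b.fetch(news, news),
    newsTracker: b.fetch(news, tracker),
    shopPage: b.fetch(shop, shop),
    shopTracker: b.fetch(shop, tracker),
  };
  b.newCircuitForSite(news);
  view.newsAfterRotate = b.fetch(news, news);
  view.shopAfterRotate = b.fetch(shop, shop);
  // The third party can link both visits if they arrive over one circuit.
  view.linkable = view.newsTracker === view.shopTracker;
  return view;
}

console.log("full isolation:", trackerView({ isolateAuth: true, isolatePool: true }));
console.log("shared keep-alive pool:", trackerView({ isolateAuth: true, isolatePool: false }));
console.log("no isolation:", trackerView({ isolateAuth: false, isolatePool: false }));
```

In the shared-pool run the two visits stay linkable and the per-site rotation has no effect, because the idle connection is reused before the new credentials ever reach the proxy.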

We have also improved our resolution and locale fingerprinting defenses, and we now disable the device sensor and video statistics APIs.

Our default search provider has also been changed to Disconnect.

Here is the complete list of changes in the 4.5 series since 4.0:

  • All Platforms
    • Update Tor to 0.2.6.7 with additional patches:
      • Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
    • Update NoScript to 2.6.9.22
    • Update HTTPS-Everywhere to 5.0.3
      • Bug 15689: Resume building HTTPS-Everywhere from git tags
    • Update meek to 0.17
    • Include obfs4proxy 0.0.5
      • Use obfs4proxy for obfs2, obfs3, obfs4, and ScrambleSuit bridges
    • Pluggable Transport Dependency Updates:
      • Bug 15265: Switch go.net repo to golang.org/x/net
      • Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
    • Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
      • Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 13576: Don't strip "bridge" from the middle of bridge lines
      • Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
      • Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Bug 15657: Display the host:port of any connection failures in bootstrap
      • Bug 15704: Do not enable network if wizard is opened
    • Update Torbutton to 1.9.2.2. Changes since 1.7.0.2 in 4.0.8:
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 7255: Warn users about maximizing windows
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
        • (Many Circuit UI issues were fixed during 4.5; see release changelogs for those).
      • Bug 9387: Security Slider 1.0
        • Include descriptions and tooltip hints for security levels
        • Notify users that the security slider exists
        • Make use of new SVG, jar, and MathML prefs
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 10216: Add a pref to disable the local tor control port test
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 11449: Fix new identity error if NoScript is not enabled
      • Bug 13019: Change locale spoofing pref to boolean
      • Bug 13079: Option to skip control port verification
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 13650: Clip initial window height to 1000px
      • Bugs 13751+13900: Remove SafeCache cache isolation code in favor of C++ patch
      • Bug 13766: Set a 10 minute circuit lifespan for non-content requests
      • Bug 13835: Option to change default Tor Browser homepage
      • Bug 13998: Handle changes in NoScript 2.6.9.8+
      • Bug 14100: Option to hide NetworkSettings menuitem
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 14429: Provide automatic window resizing, but disable for now
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14631: Improve profile access error msgs (strings for translation).
      • Bugs 14632+15334: Display Cookie Protections only if disk records are enabled
      • Bug 15085: Fix about:tor RTL text alignment problems
      • Bug 15460: Ensure FTP urls use content-window circuit isolation
      • Bug 15502: Wipe blob: URIs on New Identity
      • Bug 15533: Restore default security level when restoring defaults
      • Bug 15562: Bind SharedWorkers to thirdparty pref
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 4100: Raise HTTP Keep-Alive back to 115 second default
    • Bug 5698: Fix branding in "About Torbrowser" window
    • Bug 10280: Don't load any plugins into the address space by default
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bugs 12827+15794: Create preference to disable SVG images (for security slider)
    • Bug 13019: Prevent Javascript from leaking system locale
    • Bug 13379: Sign our MAR update files
    • Bug 13439: No canvas prompt for content callers
    • Bug 13548: Create preference to disable MathML (for security slider)
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13788: Fix broken meek in 4.5-alpha series
    • Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 14631: Improve startup error messages for filesystem permissions issues
    • Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
    • Bug 14937: Hard-code meek and flashproxy node fingerprints
    • Bug 15029: Don't prompt to include missing plugins
    • Bug 15406: Only include addons in incremental updates if they actually update
    • Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
    • Bug 15502: Isolate blob: URI scope to URL domain; block WebWorker access
    • Bug 15562: Disable Javascript SharedWorkers due to third party tracking
    • Bug 15757: Disable Mozilla video statistics API extensions
    • Bug 15758: Disable Device Sensor APIs
  • Linux
    • Bug 12468: Only print/write log messages if launched with --debug
    • Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
    • Bug 13717: Make sure we use the bash shell on Linux
    • Bug 15672: Provide desktop app registration+unregistration for Linux
    • Bug 15747: Improve start-tor-browser argument handling
  • Windows
    • Bug 3861: Begin signing Tor Browser for Windows the Windows way
    • Bug 10761: Fix instances of shutdown crashes
    • Bug 13169: Don't use /dev/random on Windows for SSP
    • Bug 14688: Create shortcuts to desktop and start menu by default (optional)
    • Bug 15201: Disable 'runas Administrator' codepaths in updater
    • Bug 15539: Make installer exe signatures reproducibly removable
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS

Here is the list of changes since the last 4.5 alpha (4.5a5):

  • All Platforms
    • Update Tor to 0.2.6.7 with additional patches:
      • Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
    • Update NoScript to 2.6.9.22
    • Update HTTPS-Everywhere to 5.0.3
      • Bug 15689: Resume building HTTPS-Everywhere from git tags
    • Update meek to 0.17
    • Update obfs4proxy to 0.0.5
    • Update Tor Launcher to 0.2.7.4
      • Bug 15704: Do not enable network if wizard is opened
      • Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
      • Bug 13576: Don't strip "bridge" from the middle of bridge lines
      • Bug 15657: Display the host:port of any connection failures in bootstrap
    • Update Torbutton to 1.9.2.2
      • Bug 15562: Bind SharedWorkers to thirdparty pref
      • Bug 15533: Restore default security level when restoring defaults
      • Bug 15510: Close Tor Circuit UI control port connections on New Identity
      • Bug 15472: Make node text black in circuit status UI
      • Bug 15502: Wipe blob URIs on New Identity
      • Bug 15795: Some security slider prefs do not trigger custom checkbox
      • Bug 14429: Disable automatic window resizing for now
    • Bug 4100: Raise HTTP Keep-Alive back to 115 second default
    • Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
    • Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
    • Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
    • Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
    • Bug 15794: Crash on some pages with SVG images if SVG is disabled
    • Bug 15562: Disable Javascript SharedWorkers due to third party tracking
    • Bug 15757: Disable Mozilla video statistics API extensions
    • Bug 15758: Disable Device Sensor APIs
  • Linux
    • Bug 15747: Improve start-tor-browser argument handling
    • Bug 15672: Provide desktop app registration+unregistration for Linux
  • Windows
    • Bug 15539: Make installer exe signatures reproducibly removable
    • Bug 10761: Fix instances of shutdown crashes

Tor Weekly News — April 22nd, 2015

Welcome to the sixteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

A new era at the Tor Project

Andrew Lewman, who has overseen the Tor Project’s business operations since 2009 as Executive Director, will shortly be moving on to a new position at the head of an internet services company. During Andrew’s time as Executive Director, Tor has developed into a leading privacy tool used every day by millions of users around the world, and the Tor community has grown to include more engineers, researchers, activists, and volunteers than ever before. Thanks to Andrew for everything he has done for the Tor community, and best of luck for the future!

Tor Summer of Privacy — chosen projects announced!

The application period for the first-ever Tor Summer of Privacy — the funded development season inspired by Google Summer of Code — closed last week, with twenty-two proposals submitted before the deadline. All the project ideas were of a very high standard, but sadly funding and mentoring constraints meant that only four could be chosen, and Damian Johnson took to the Tor blog to share the list of the winners.

Donncha O’Cearbhaill will be implementing a system to increase the availability of large onion services by balancing requests across several back-end servers, each running its own Tor instance; Jesse Victors will be working on a project entitled “The Onion Name System: Tor-Powered Distributed DNS for Tor Hidden Services”, based on his thesis; former GSoC student and GetTor project leader Israel Leiva will be returning to carry out further work on the alternative distribution system for Tor software; and Israel’s twin brother Cristóbal will be developing a web-based status dashboard for Tor relays.

These are all exciting and important projects, and as Damian wrote, “we’re thrilled to have them with us”. Even if you submitted a proposal that wasn’t chosen, please don’t be discouraged: a number of the projects rejected for lack of resources are still high on Tor developers’ wishlists, so if you can find any way to contribute in the future, feel free to seek advice and assistance from the community.

Coding for Tor Summer of Privacy officially starts on May 25th. In the meantime, congratulations to the four students!

Miscellaneous news

Yawning Angel announced obfs4proxy-0.0.5. This release is better able to detect whether the parent Tor process has crashed, and also brings IPv6 support to clients. All users are recommended to upgrade: please see Yawning’s announcement for further details.

Anthony G. Basile announced version 20150411 of Tor-ramdisk, the micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. This release includes updated versions of Tor and the Linux kernel.

David Fifield wondered about the cause of a sudden large increase in the number of Tor clients using the meek pluggable transport that occurred around April 15th.


This issue of Tor Weekly News has been assembled by Harmony.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Summer of Privacy Projects

We're pleased to announce the projects for this year's Tor Summer of Privacy! Of our twenty-two applicants sadly we only had funding for four, so without further ado here they are!
 

Projects officially begin on May 25th. We're thrilled to have them with us, and have our fingers crossed that they'll stay afterward to become core developers!

Tor Weekly News — April 15th, 2015

Welcome to the fifteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 4.0.8 is out

Mike Perry announced a new stable release by the Tor Browser team. This version is exactly the same as 4.0.7, which was briefly advertised to users last week but then withdrawn because a bug would have caused it to endlessly recommend updating.

This release includes Tor 0.2.5.12, which fixes the recent onion service and client crash bugs.

There is no corresponding Tor Browser alpha update; that series will become the new stable release in a couple of weeks.

Download your copy of Tor Browser 4.0.8 from the project page, or over the in-browser update system.

Hidden services that aren’t hidden

As the name implies, Tor hidden services (also known as “onion services”) are location-hidden and anonymous, just like regular Tor clients. There may be instances, however, in which a potential hidden service operator doesn’t much care about being hidden: they are more interested in the other unique properties of hidden services, like free end-to-end encryption and authentication, or they want to prevent their users from accidentally sending information non-anonymously. For example, even though everyone knows who Facebook are and where to find them, their users still have things to gain from using their .onion address.

At the moment, these kinds of services are still forced to use the regular hidden service protocol, meaning they connect to rendezvous points over a Tor circuit. Hiding someone who doesn’t want to be hidden is an inefficient use of network resources, and needlessly slows down connections to the service in question, so Tor developers have been discussing the possibility of enabling “direct onion services”, which sacrifice anonymity for improved performance.

George Kadianakis requested feedback on a draft of a Tor proposal for this feature. One of the major questions still to be resolved is how to ensure that nobody enables this option by mistake, or fails to understand the implications for their service’s anonymity. Possible solutions include choosing a better name, making the configuration file option sound more ominous, or even requiring the operator to compile Tor themselves with a special flag.

See George’s proposal for more use-cases and full details of the concept, and feel free to comment on the tor-dev list thread.

Tor Summer of Privacy — entry closing soon!

If you’d like to participate in the first-ever Tor Summer of Privacy, you still have the chance — but be quick, as the application period closes on Friday.

Competition for places is already strong, so make it as easy as possible for your entry to be chosen: look at previous applications for an idea of what Tor developers like to see, drum up interest from potential mentors on the tor-dev mailing list or IRC channel, link to your best code samples, and show the community that you can take the initiative in moving your project forward. Good luck!

More monthly status reports for March 2015

A few more Tor developers submitted monthly reports for March: Isis Lovecruft (for work on BridgeDB and pluggable transports), Arlo Breault (reporting on Tor Messenger and Tor Check), Karsten Loesing (for projects including hidden service statistics, translation coordination, and Tor network tools), and Colin C. (for work on support, documentation, and localization).

The Tails team published its March report. Take a look for updates on development, funding, and outreach; summaries of ongoing discussions; Tails in the media; and much more besides.

Miscellaneous news

Nathan Freitas announced the third release candidate for Orbot v15. This version supports the x86 processor architecture, so devices such as the Galaxy Tab 3 and the Asus Zenfone/Padfone are now officially Tor-compatible. See Nathan’s announcement for the full changelog.

Giovanni Pellerano announced GlobalLeaks 2.60.65, featuring lots of bugfixes, improved localization (including eight new languages), and more.

David Fifield located and fixed a problem with meek’s Microsoft Azure backend that was causing it to run much more slowly than the other two options. “If you tried meek-azure before, but it was too slow, give it another try!”

Thanks to John Penner for running a mirror of the Tor Project’s website and software!


This issue of Tor Weekly News has been assembled by Harmony, the Tails team, and other contributors.


A New Era at the Tor Project

Andrew Lewman, our current Executive Director, is leaving The Tor Project to take a position at an Internet services company. While at Tor, Andrew was passionate about using our tools to help people from diverse backgrounds and points of view benefit from online privacy. We thank Andrew for his contributions and wish him well.

The Board has asked Tor’s Executive Committee to plan the transition. As a member of this committee, I can say that I expect that Tor Project co-founder Roger Dingledine will serve as interim Executive Director while we conduct the search for a permanent replacement.

Although we are sad to see Andrew leave, Tor is entering an exciting period of growth. We are exploring the establishment of Tor Labs and launching new programs like our Tor Summer of Privacy.

Our developers are building the next generation of Internet anonymity tools — and we continue to lead the international discussion on Internet freedom and liberty through our public talks and research.

Thanks to the entire Tor community for your help as we move forward!

--Wendy Seltzer
Member of the Board of Directors of the Tor Project

Tor Browser 4.0.8 is released

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release contains a fix for the update loop issue present in 4.0.7. It is otherwise identical to that release.

Both 4.0.7 and 4.0.8 contain an update to the included Tor software, to fix two crash bugs in the version of the Tor software included prior to 4.0.7. One crash bug affects only people using the bundled tor binary to run hidden services, and the other crash bug allows a malicious website or Tor exit node to crash the underlying tor client by inducing it to load a resource from a hidden service with a malformed descriptor. These bugs do not allow remote code execution, but because they can be used by arbitrary actors to perform a denial of service, we are issuing a security update to address them.

There will be no corresponding 4.5-alpha release for this fix, to allow us to focus on stabilizing that series for release in ~2 weeks.

Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.

Here is the complete changelog since 4.0.6 (covering 4.0.7 and 4.0.8):

  • All Platforms
    • Bug 15637: Fix update loop due to improper versioning
    • Update Tor to 0.2.5.12
    • Update NoScript to 2.6.9.21

Tor Weekly News — April 8th, 2015

Welcome to the fourteenth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor 0.2.5.12 and 0.2.6.7 are out

Roger Dingledine announced new releases in both the stable and alpha series of the core Tor software. Tor 0.2.5.12 and 0.2.6.7 both contain fixes for two security bugs that could be used either to crash onion services, or clients trying to visit onion services. The releases also make it harder for attackers to overwhelm onion services by launching lots of introductions. For full details, please see the release announcement.

The bugs fixed in these releases are not thought to affect the anonymity of Tor clients or onion services. However, they could be annoying if exploited, so onion service operators should upgrade as soon as possible, while Tor Browser users will be updated with the upcoming Tor Browser stable release.

Tor Summer of Privacy — apply now!

Some of Tor’s most active contributors and projects got their start thanks to Google’s Summer of Code, in which the Tor Project has successfully participated for a number of years. This year, Google have decided to focus on encouraging newer, smaller projects, so rather than miss out on the benefits of this kind of intense coding program, Tor is launching its own Summer of Privacy, as Kate Krauss announced on the Tor blog.

The format is the same as before: students have the opportunity to work on new or existing open-source privacy projects, with financial assistance from the Tor Project and expert guidance from some of the world’s most innovative privacy and security engineers.

If that appeals to you (or someone you know), then see Kate’s announcement and the official TSoP page for more information on the program and how to apply. Applications close on the 17th of this month, so don’t leave it too late!

Should onion services disclose how popular they are?

Even on the non-private web, it is not possible by default to determine how popular a certain website is. Search engines and third-party tracking toolbars might be able to estimate the number of visitors a website gets, but otherwise the information is only available to the site’s operators or to groups who are able to measure DNS requests (as well as anyone in a position to eavesdrop on those two).

On the tor-dev mailing list, George Kadianakis posted a detailed exploration of this issue considered from the perspective of Tor onion services. If improvements and additions to the onion service design would as a side effect give an observer an idea of how popular a certain service is, should this be considered a security risk?

Some of the arguments put forward for the inclusion of popularity-leaking features are that they enable the collection of useful statistics; that they allow further optimization of the onion service design; and that concealing onion service popularity might not be necessary or even possible.

On the other hand, disclosing popularity might help an adversary decide where to aim its attacks; it may not actually offer significant performance or research benefits; and it may surprise onion service users and operators who assume that onionspace popularity is no easier to discover than on the non-private web.

“I still am not 100% decided here, but I lean heavily towards the ‘popularity is private information and we should not reveal it if we can help it’ camp, or maybe in the ‘there needs to be very concrete positive outcomes before even considering leaking popularity’”, writes George. “Hence, my arguments will be obviously biased towards the negatives of leaking popularity. I invite someone from the opposite camp to articulate better arguments for why popularity-hiding is something worth sacrificing.”

Please see George’s analysis for in-depth explanations of all these points and more, and feel free to contribute with your own thoughts.

More monthly status reports for March 2015

The wave of regular monthly reports from Tor project members for the month of March continued, with reports from Georg Koppen (for work on Tor Browser), David Goulet and George Kadianakis (working on onion services), Griffin Boyce (with news on secure software distribution, onion service setup, and Tails), Sherief Alaa (with updates about support and Arabic localization), Leiah Jansen (working on communication and graphic design), Sebastian Hahn (improving testability and fixing website issues), and Sukhbir Singh (for work on TorBirdy and Tor Messenger).

Mike Perry reported on behalf of the Tor Browser team, while George Kadianakis did so for SponsorR work, Israel Leiva for the GetTor project, and Colin C. for the Tor help desk.

Miscellaneous news

Nathan Freitas announced version 15 beta 1 of Orbot, which is “functionality complete”. “The main area for testing is using the Apps VPN mode while switching networks and/or in bad coverage, as well as using it in combination with Meek or Obfs4, for example. Also, the implementation is a bit different between Android 4.x and 5.x, so please report any difference you might see there.”

Nathan also shared Amogh Pradeep’s analysis of the network calls made in the latest version of the Firefox for Android source code, “to get our Orfox effort started again”.

This week in Tor history

A year ago this week, Nathan Freitas reported that the number of Orbot users in Turkey had quadrupled in the previous month, after an order by the Turkish government to block access to several popular social media websites led to a surge in Tor connections. This week, the same thing happened (albeit more briefly), leading to another increase in Tor use within Turkey.

The best time to prepare for these censorship events is before they happen — and that includes letting people around you know what they should do to ensure their freedom of expression remains uninterrupted. Show them the Tor animation and Tor brochures, help them install Tor Browser and Orbot, and teach them how to configure their social media applications to connect over Tor. If you make a habit of browsing over Tor, you may not even have to take any notice when things get blocked!


This issue of Tor Weekly News has been assembled by Harmony, nicoo, and Roger Dingledine.


Tor Browser 4.0.7 is released

Unfortunately, the 4.0.7 release has a bug that makes it think of itself as 4.0.6, causing an update loop. This version mismatch will also cause the incremental update to 4.0.8 to fail to properly apply. The browser will then download the full update at that point, which should succeed, but at the expense of both user delay and wasted Tor network bandwidth.

For this reason, we have decided to pull 4.0.7 from the website at the moment, and instead prepare 4.0.8 as soon as possible.

Thank you for your patience.
