Tor Project blog

Sunsetting Tor 0.4.8 – Please update to 0.4.9 by September

2026-06-23T00:00:00Z

Hello Tor Community!

As you know, different teams inside the Tor Project are working on the Arti Relay project where we hope to be able to begin the upgrade of the network towards our Rust implementation of Tor in the near future. To support this work, we would like to announce that we intend to actively stop compatibility for 0.4.8 and earlier C Tor versions soon. This means that these versions will no longer work on the network at all after our target date, which is currently September 1st, 2026.

If you’re a Tor Browser user running an up-to-date version of Tor Browser, this won't impact you. If you're running an older, perhaps not-so-well-maintained, Onion Service somewhere, or you’re building an app that integrates C Tor, you may want to read along here.

Tor 0.4.8 reached End of Life on the 1st of June, and there will not be any more updates to this release series. We highly encourage people to upgrade to the Tor 0.4.9 series (or later).

Usually, we try not to break existing releases, even if they are unsupported, unless we have a pretty good reason. In this case, we have several reasons. With the work towards Arti on both the client and relay, the Network Team has identified a couple of features we would like to remove from the Tor ecosystem. Removing support for 0.4.8 will help us facilitate a smooth transition, and reduce effort associated with difficult to maintain features that provide very little value. Unfortunately, because Tor’s Directory Protocol layer works the way it does, we cannot remove these features without affecting older clients.

The most important reason is this: in 0.4.9, we have made some former fields in our directory data obsolete -- specifically, TAP onion keys and family lines. Removing these fields will let us save a great deal of client directory bandwidth for everyone. This, in turn, will make all Tor clients bootstrap a little faster, especially those on slow connections. But when we remove these fields, clients and relays running earlier versions of Tor will no longer work, since they expect the TAP onion keys to be present. Therefore, in order to deliver improved performance faster, we need to accelerate the date on which 0.4.8 will stop working.

The secondary reason for sunsetting 0.4.8: Our Arti directory authority implementation needs network integration soon, and it will be easier to write if it doesn’t support deprecated fields.

With this blog post out, we will begin reaching out to the downstreams of Tor we identified as shipping older versions and try to get them to upgrade. We appreciate community help here, too. If you identify that your favorite project that bundles Tor uses an outdated version of Tor, please reach out to them and (politely!) encourage them to upgrade. We are tracking some of this outreach in network-health/team#460. If you have a very good reason for needing a longer time with 0.4.8 support than 1 September 2026, please let us know by leaving a comment on that ticket.

Thank you!

New Release: Tails 7.9

2026-06-18T00:00:00Z

Changes and updates

Update Tor Browser to 15.0.16.
Update some firmware packages. This improves support for newer hardware: graphics, Wi-Fi, and so on.

Fixed problems

Stop notifying about outdated Secure Boot certificates in rare cases where the certificates are already up to date. (#21643)

For more details, read our changelog.

Get Tails 7.9

To upgrade your Tails USB stick and keep your Persistent Storage

Automatic upgrades are available from Tails 7.0 or later to 7.9.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails 7.9 on a new USB stick

Follow our installation instructions.

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 7.9 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.

New Release: Tor Browser 15.0.16

2026-06-17T00:00:00Z

Tor Browser 15.0.16 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 15.0.16 is:

All Platforms
- Updated NoScript to 13.6.24.1984
- Updated OpenSSL to 3.5.7
- Bug tor-browser#45044: NS 13.6.19.902 DocStartInjection regressed
- Bug tor-browser#45046: Rebase Tor Browser stable onto 140.12.0esr
- Bug tor-browser#45054: Backport Security Fixes from Firefox 152
Windows + macOS + Linux
- Updated Firefox to 140.12.0esr
Android
- Updated GeckoView to 140.12.0esr
Build System
- All Platforms
  - Bug tor-browser-build#41802: Remove the tor daemon requirement for signing
- Windows + Linux + Android
  - Updated Go to 1.25.11

Paskoocheh: When you need a tool to reach the tool

2026-06-10T00:00:00Z

++ This guest post is part of a spotlight series on the organizations defending the free Internet.++

Due to heavy information controls, people in Iran face significant barriers to accessing the Internet. Authorities have actively blocked numerous websites and apps, including conventional circumvention and digital security tools such as VPNs, social media platforms, and the app stores themselves. This creates a "chicken-and-egg" problem: users need a VPN to download a VPN.

Launched in 2016, Paskoocheh, Persian for "alleyway," is an open source alternative app store, community hub, and one-stop-shop for users to access information and tools to circumvent censorship, enhance their privacy, securely communicate, and express themselves freely online. Developed and maintained by ASL19, a technology and exiled media organization named after Article 19 of the Universal Declaration of Human Rights, Paskoocheh restores access and allows people to reach trusted tools through four censorship-resilient channels: the Paskoocheh website, Android App, Email bot, and Telegram bot.

Users are also able to reach our Persian-speaking support team through the Paskoocheh Helpdesk, which handles over 200 tickets daily. In addition, ASL19 translates and publishes accessible user guides, blog posts, and multimedia content to help users navigate online privacy and digital security best practices.

Paskoocheh serves as more than an alternative app store; it is also a bridge between tool developers and in-country users. Our support team relays user feedback to tool developers, helping improve tools and overall experience in Iran. We also conduct in-country testing with developers and user communities to evaluate new features and strengthen censorship-resilient technologies.

Paskoocheh's impact so far

This combination of access, user support, and education has turned Paskoocheh into a critical lifeline for users in Iran.

# of tool downloads since 2016: 17,634,852
# of community members in Iran supporting testing and localization efforts: 2,000+
# of monthly active users on web and app: ~200K

During periods of internet disruption and nationwide protests in Iran, these tools became critical communication lifelines. One longtime user wrote to us:

"I've been using this free app for several years now. It's free, unique, and unlike others, it has no equal." Reflecting on the broader digital environment in the country, they added that "in these difficult economic conditions, people are struggling just to survive, while many apps either empty people's pockets, deceive and lie to them, or serve as tools for spying and propaganda."

Messages like these highlight the importance of privacy-preserving technologies in environments where surveillance, censorship, and disinformation shape everyday life online. In moments of crisis, internet freedom tools become part of how people maintain relationships, exchange trusted information, and stay connected to the outside world. For some users, these tools also made it possible to continue reporting on events on the ground, verify information during periods of state-backed disinformation, and safely communicate evidence of abuses despite widespread surveillance and connectivity disruptions.

The future of Paskoocheh: Scaling a community-first approach to internet freedom

As internet censorship tactics evolve rapidly, internet shutdowns are becoming more frequent and more sophisticated, cutting communities off from information, communication, and one another.

What we have learned through this work is that access alone is not enough. Technology is only useful if people trust it, understand how to use it safely, and can rely on support networks when digital spaces become unstable or dangerous.

That is why our work extends beyond technical development. Alongside building secure access technologies, ASL19 invests heavily in user education, digital security guidance, and community capacity building. Every support ticket answered, training delivered, and piece of digital safety guidance shared helps people stay connected under pressure.

This human-centered approach is becoming increasingly important as authoritarian tactics evolve globally. During internet shutdowns and heightened censorship, local helper communities often become the first line of assistance for journalists, activists, students, and ordinary citizens.

With additional support, ASL19 aims to continue expanding Paskoocheh beyond its current capacity into a broader resilience ecosystem that combines technical innovation with stronger on-the-ground support systems. This includes improving access to trusted circumvention and privacy tools during shutdowns, expanding multilingual user support and educational resources, and deepening collaboration with communities operating under digital authoritarianism.

This work is not solely about technology products. At a moment when most people's understanding of the internet is shaped by the little squares in their pockets, it is important to acknowledge and support the broader ecosystems that make access possible. Civil society, independent media, and grassroots communities all play a part in helping people survive under pressure. This is why partnerships within the internet freedom ecosystem matter. Living under digital authoritarianism means that these are not abstract protections against hypothetical risks, but practical tools that make journalism, organizing, education, and communication possible in the first place.

About ASL19

Named after Article 19 of the Universal Declaration of Human Rights, ASL19 is a technology and exiled media organization working to counter digital authoritarianism. For more than a decade, we have partnered with civil society groups, journalists, researchers, activists, and internet users living under some of the world's most restrictive online environments. Guided by the belief that privacy and internet freedom are essential to safe communication, access to information, and civic participation, ASL19 develops technologies and support systems that help people navigate censorship, surveillance, internet shutdowns, and information manipulation. In countries such as Iran, Russia, and China, these tools serve as critical lifelines, enabling people to communicate securely, access information, document human rights abuses, and stay connected to the outside world.

Supporting those who speak out

2026-06-04T00:00:00Z

++ This guest post is part of a spotlight series on the organizations defending the free Internet.++

Fear of digital surveillance breeds silence.

In the words of a youth activist in Zambia who took part in a research study tracking digital security threats:

We are all fearful. It makes you constantly paranoid. It also undermines our work. It discourages us. It's very disheartening. It's difficult to keep the fire going. I've sort of stepped back from the front line.

Silencing of whistleblowers, journalists and human rights defenders deprives citizens of the credible information they need to participate meaningfully in public life. It undermines democracy, enabling corruption and human rights abuses to flourish.

Blueprint for Free Speech is a non-profit committed above all to upholding the right to freedom of opinion and expression for all people, as enshrined by Article 19 of the Universal Declaration of Human Rights. We work internationally to promote protections for a free and independent media, the free flow of information, institutional transparency and support for whistleblowers.

Industrial-scale surveillance with military-grade spyware is having a chilling effect on investigative journalism and human rights advocacy work, with profound implications for access to truth about power.

Killer corporations

Free access to reliable information has never mattered more. Some of the world's biggest corporations are manipulating scientific data, controlling narratives and capturing regulators to sell products they know will kill us. That's not an overstatement: it's the conclusion of the New England Journal of Medicine. Their latest research shows fossil fuels, tobacco, alcohol, ultra-processed foods, chemicals and pesticides, and drugs such as opioids cause 20 million deaths a year.

Blueprint works closely with activists, journalists and whistleblowers in many of these fields, exposing or highlighting a range of public interest issues, from data privacy violations in the EU, organ trafficking in East Africa and deaths squads in West Africa and South Africa, the collapse of quality control at Boeing in the US, and the dirty tricks deployed by big tobacco in Asia and Africa.

We provide them with support, public recognition, guidance, referrals and training, legal assessments, as well as arming them with actionable research.

More recently, with the rise of unaccountable tech oligarchs raising the spectre of a dystopian cybernetic authoritarianism, we are increasingly supporting AI whistleblowers and have added artificial intelligence safety to our arsenal of offerings through a new European project.

A common thread is the need to guard against intrusive surveillance. For anonymous whistleblowers, this translates into the difference between coming forward with public interest disclosures that could save lives, or staying silent. For journalists and activists, it means being able to continue the work of speaking truth to power.

Ricochet Refresh

Blueprint develops and maintains software that allows people to reach out to the media, NGOs and anti-corruption agencies anonymously. Ricochet Refresh is a peer-to-peer, instant messaging application by Blueprint that prioritizes user privacy and user control by design. The application and protocol are completely decentralized, and do not depend on any third-party infrastructure apart from the Tor network itself. Best of all, the project is community-driven, so we listen to what people need when using it and translate that into action.

Ricochet Refresh is free and open-source software that works by creating a Tor onion service on your computer, which serves as your anonymous identity and endpoint on the network. When you communicate with a contact, a Tor circuit is established between your machine, routing data through multiple nodes so that no single node knows both the origin and destination. This strengthens anonymity. All communications are end-to-end encrypted, so message contents are only visible to the parties in a conversation.

The architecture makes it particularly valuable for protecting freedom of expression among civil society groups worldwide who face surveillance risks. The Ricochet Refresh package also bundles in the Tor Project's censorship-circumvention tools to enable connectivity even in constrained network environments. It is one of the only free, open-source applications that allows unlimited file size transfer on a fully anonymized basis. This is incredibly important if you're a journalist, activist or whistleblower who wants to transfer large files, such as videos.

Cybersecurity training

Since 2024, Blueprint has conducted a series of cybersecurity training sessions in over a dozen lower- and middle-income countries in Africa, the Middle East and Asia, where the need for technical support to guard against digital surveillance is the greatest. We support journalists, researchers, community advocacy workers and others who face threats to their digital and often personal safety.

These sessions apply foundational and more advanced digital security precautions with expert facilitators on-hand to help participants make practical changes to their device set-ups during the sessions. They walk out at the end of the day more cybersecure than when they arrived in the morning. As part of this, we introduce them to metadata-resistant communications platforms -- including Ricochet Refresh -- to make it safer to receive whistleblower disclosures.

Whistleblowers often face vicious retaliation attacks. Anonymity gives them some protection -- and it does something else important: it shifts the public conversation from "let's blame the whistleblower!" to "let's focus on finding out about the wrongdoing".

The impact of this work, made possible thanks to the time and energy invested by many people and organizations who ensure the internet is kept open and secure, is tangible and profound. As this journalist in North Africa put it:

This session made me realise, in a very concrete way, that cybersecurity isn't just an IT department's responsibility, but also concerns my daily actions, my digital reflexes, and how I protect my professional identity online. As a journalist, this pragmatic approach was particularly useful: it gave me concrete tools, but also a new framework for analysing the risks I face.

The digital threats faced by defenders of truth and democracy are multiplying. So should our capacity to respond to them. The free internet is at the frontline of this battle, and Blueprint's digital protection tools make a difference where it counts.

New Release: Tails 7.8.1

2026-06-04T00:00:00Z

This release is an emergency release to fix a serious security vulnerability in the Linux kernel, as well as security vulnerabilities in the Tor client.

Changes and updates

Update the Tor client to 0.4.9.9, which fixes several security vulnerabilities.
Update the Linux kernel to 6.12.90-2, which fixes CVE-2026-43503, a vulnerability that could allow an application in Tails to gain administration privileges.

For example, if an attacker was able to exploit other unknown security vulnerabilities in an application included in Tails, they might then use this vulnerability to take full control of your Tails and deanonymize you.

This attack is very unlikely, but could be performed by a strong attacker, such as a government or a hacking firm. We are not aware of this vulnerability being used in practice until now.

Get Tails 7.8.1

To upgrade your Tails USB stick and keep your Persistent Storage

Automatic upgrades are available from Tails 7.0 or later to 7.8.1.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails 7.8.1 on a new USB stick

Follow our installation instructions.

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 7.8.1 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.

New Release: Tor Browser 15.0.15

2026-06-03T00:00:00Z

Tor Browser 15.0.15 is now available from the Tor Browser download page and also from our distribution directory.

This release contains important security updates to the tor daemon and fixes some censorship circumvention problems.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 15.0.14 is:

All Platforms
- Updated NoScript to 13.6.20.1984
- Updated Tor to 0.4.9.9
- Bug tor-browser#42436: Allow for multiple configured (front, reflector) domain fronting pairs in Moat module
Windows + macOS + Linux
- Bug tor-browser#44997: Captcha doesn't work in TB desktop
Linux
- Bug tor-browser#44886: Backport tor-browser#44361: Notify Linux i686 users that they won't receive updates anymore

New Alpha Release: Tor Browser 16.0a7

2026-06-03T00:00:00Z

Tor Browser 16.0a7 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

⚠️ Reminder: The Tor Browser Alpha release-channel is for testing only. As such, Tor Browser Alpha is not intended for general use because it is more likely to include bugs affecting usability, security, and privacy.

Moreover, Tor Browser Alphas are now based on Firefox's betas. Please read more about this important change in the Future of Tor Browser Alpha blog post.

If you are an at-risk user, require strong anonymity, or just want a reliably-working browser, please stick with the stable release channel.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 16.0a6 is:

All Platforms
- Updated NoScript to 13.6.19.90401984
- Updated Tor to 0.4.9.9
- Bug tor-browser#42436: Allow for multiple configured (front, reflector) domain fronting pairs in Moat module
- Bug tor-browser#44869: Rebase alpha onto 151
- Bug tor-browser#44952: TOR_PROVIDER=none throws an error at launch
- Bug tor-browser#44989: Backport Bug 2040704: Fix date format leak in Firefox 151
- Bug tor-browser#44990: CI failing due to dubious ownership of cached repo
- Bug tor-browser#44999: Privacy settings are broken in 151
- Bug tor-browser-build#41686: Copy more build artifacts to the artifacts directory
Windows + macOS + Linux
- Updated Firefox to 151.0a1
- Bug tor-browser#44903: Use the support-page instead of tor-manual-page in moz-support-link
- Bug tor-browser#44904: Use settings config for onion site settings
- Bug tor-browser#44991: Improve the no-authentication handling on the control port
- Bug tor-browser#44997: Captcha doesn't work in TB desktop
- Bug tor-browser#45005: Rename arrowpanel CSS variable
Windows
- Bug tor-browser#44745: Change how we hide SSO setting for windows
Android
- Updated GeckoView to 151.0a1
- Bug tor-browser#43543: Make the dev icon distinct from the nightly one
- Bug tor-browser#44211: Disable "Shake it up. Skip the scroll."
- Bug tor-browser#44323: Audit Android Settings changes from 128 to 140
- Bug tor-browser#44917: Disable Ads client for all channels
- Bug tor-browser#45031: Disable AI features for Android
Build System
- All Platforms
  - Bug tor-browser-build#41779: Update toolchains for Firefox 151
  - Bug tor-browser-build#41781: Fix clean section in rbm.local.conf.example
  - Bug tor-browser-build#41792: Switch from ftp.gnu.org to ftpmirror.gnu.org
  - Bug tor-browser-build#41798: Update the URL to versions.ini in relprep.py
  - Bug tor-browser-build#41806: make list_toolchain_updates should check var/firefox_platform_version
  - Bug tor-browser-build#41807: Incorrectly generated Bugzilla query link in generate-bugzilla-triage-csv.py
- Windows + Linux + Android
  - Updated Go to 1.26.3
- macOS
  - Bug tor-browser-build#41793: Stop copying permissions from .mar in dmg2mar
- Android
  - Bug tor-browser-build#41801: Hardlink artifacts in fix_gradle_deps.py

Arti 2.4.0 released: Relay and directory authority development; flowctl-cc stable

2026-06-01T00:00:00Z

Arti is our ongoing project to create a next-generation Tor implementation in Rust. We're happy to announce the latest release, Arti 2.4.0.

This release continues our ongoing development towards using Arti as a relay and as a directory authority. It also contains fixes for a number of bugs affecting onion service client connectivity.

Additionally, as of this release, flow control and congestion control is considered stable, and can be enabled by compiling Arti with the flowctl-cc feature.

Users of the arti-client crate should note that there are multiple breaking changes to the TorClient APIs, and that the use_obsolete_software option has been removed (see #1960).

As usual, this release also contains a number of bugfixes, cleanups, and improvements to our CI infrastructure.

For full details on what we've done, including API changes, and for information about many more minor and less-visible changes, please see the CHANGELOG.

For more information on using Arti, see our top-level README, and the documentation for the arti binary.

Thanks to everybody who's contributed to this release, including Aaron Dewes, Andrew Kloet, Boris Nagaev, Neel Chauhan, Nihal, syphyr.

Also, our deep thanks to our sponsors for funding the development of Arti!

New Release: Tails 7.8

2026-05-21T00:00:00Z

Changes and updates

Update Tor Browser to 15.0.14.
Remove Thunderbird.

You can still install Thunderbird as additional software.

If you have both the Thunderbird Email Client and Additional Software features of the Persistent Storage turned on, Tails automatically adds Thunderbird to your list of additional software.

A new version of Thunderbird is released in Debian shortly after each Tails releases, because both Tails and Thunderbird follow the release calendar of Firefox. As a consequence, until Tails 7.5 (February 2026), the version of Thunderbird in Tails was almost always outdated, with known security vulnerabilities.

By installing Thunderbird as additional software, the latest version of Thunderbird is installed automatically from your Persistent Storage each time you start Tails.

Fixed problems

Fix multiple security vulnerabilities in the Linux kernel and haveged, that could allow an application in Tails to gain administration privileges.

For example, if an attacker was able to exploit other unknown security vulnerabilities in an application included in Tails, they might then use one of these vulnerabilities to take full control of your Tails and deanonymize you.

For more details, read our changelog.

Get Tails 7.8

To upgrade your Tails USB stick and keep your Persistent Storage

Automatic upgrades are available from Tails 7.0 or later to 7.8.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails 7.8 on a new USB stick

Follow our installation instructions:

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 7.8 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.