GetTor: New Ways to Download Tor Browser

by ilv | April 7, 2016

We are pleased to announce the new features available in the GetTor, a service that provides alternative ways to download Tor Browser, aimed for people who live in places with high levels of censorship (e.g. when www.torproject.org is blocked) or people who just don't want to expose the fact that they are downloading Tor Browser. This work adds important new download options and capabilities and includes improvements to the current code, deployment of new channels and providers, and some brand new features such as the GetTor API. We would also like to give special thanks to Nima Fatemi, who was in charge of the non-coding parts of this project (from funding to technical management).

Update note: we now have the gettor@torproject.org account for the XMPP channel. However, we will have the get_tor@riseup.net account enabled for a couple of more weeks just in case you are still using it.

Landing page

A GetTor landing page has been created to offer information in one place (statistics, guides, etc.). If you are interested in what is going on with GetTor, following the landing page is highly recommended.

New Distribution Channels

In the past, GetTor has distributed packages by sending the bundles -- and then, later, just links -- via email. Now there are two more ways to interact with GetTor:

  1. Using Twitter: You can send a direct message to @get_tor account (you don't need to follow the @get_tor acount). Send the word help in a direct message to receive information on how to download the Tor Browser.
  2. Using XMPP: You can send a message to gettor@torproject.org using your favorite XMPP client. Simply enter help in an XMPP message to receive information on how to download the Tor Browser.

GitHub

GitHub is now a provider of Tor Browser (in addition to Dropbox and Google Drive), and the latest version of Tor Browser may be downloaded from our Github page and our Github repository.

Support for Android

Orbot is a free proxy (i.e. an intermediary) app that empowers other apps to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by sending it through a series of computers around the world. In addition to the download options provided by Guardian Project (Google Play, F-Droid, Direct download), GetTor provides yet another way to download Orbot to your mobile device. To do this, you have to reach one of our distribution channels and specify the android command (See Examples, at the bottom of this blog post). You will then receive instructions to download Orbot's Android Application Package (APK) file from Github, Google Drive or Dropbox. Once you have downloaded the APK file you can use it to install Orbot (similar to .exe files in Windows) and start using it.

Translated Versions of Tor Browser

GetTor provides a small set of translated packages focused on its end users. The available languages are Farsi, Chinese, Turkish, and English (which is the default). If you want to use this feature in the email autoresponder, for example, you send your request to:

    Farsi: gettor+fa@torproject.org
    Chinese: gettor+zh@torproject.org
    Turkish: gettor+tr@torproject.org
    English: gettor@torproject.org

For the Twitter and XMPP channels, you just need to add the language word to the
message (e.g. linux fa will get you links for Tor Browser in Farsi).

Mirrors

There are many volunteers who use their own servers to provide mirrors of Tor Project's website. One or more of these mirrors may be not blocked in places where torproject.org is censored and could help in downloading Tor Browser. With this new release, you can request a list of these mirrors from GetTor by sending an email (or message, in case of Twitter and XMPP) with the word mirrors in the body of the text.

Statistics

Some basic but effective improvements have been made to collect anonymous data and compile meaningful statistics about GetTor usage, including requests per channel, operating system, and language. Safeguards have been implemented so that all information collected is anonymous, and it is erased on a daily basis -- we just keep the number and types of requests. Reports about this data will soon be available on GetTor's website.

RESTful API

One of GetTor's major new features is its API. In simple terms, an API is a set of rules and specifications that allow applications to communicate with each other (following these rules). This is helpful to developers who want to create new services or applications based on the information provided by the API. In this case, the GetTor API provides the following information:

  1. Links to download Tor Browser by provider, with filters for operating system and language.
  2. Links to download Tor Browser from Tor Project's website, with filters for choosing the release (latest version , etc.), operating system, and language.
  3. List of mirrors of Tor Project's website.

You can find more information on the API documentation.

Invitation to Collaborate

If you are a Tor user, a developer, good at writing content for non-technical users or anything else, we are happy to hear from you! You can use the comments section below, the tor-talk and tor-dev mailing lists, or come talk to us on IRC (#tor-dev on OFTC; our nicknames are ilv, sukhe and mrphs).

How to Ask for Tor Browser--Some Examples

To help you get started, here are a few examples of GetTor requests with different locales (languages) and operating systems:

Example 1 (Email): To get links for downloading Tor Browser in Farsi for Windows, send an email to gettor+fa@torproject.org with the word windows in the body of the message.

Example 2 (Twitter): To get links for downloading Tor Browser in English for OS X, send a Direct Message to @get_tor with the words osx on it (you don't need to follow the account).

Example 3 (XMPP): To get links for downloading Tor Browser in Chinese for Linux, send a message to gettor@torproject.org account with the words linux zh on it.

Example 4 (Email): To get links for downloading Orbot for Android, send an email to gettor@torproject.org with the word android in the body of the message.

Comments

Please note that the comment area below has been archived.

April 06, 2016

Permalink

Wow! You guys are the greatest!

Just one question: adding download options, but not removing any, right?

GetTor provides for alternative ways to download Tor Browser in case the existing ones don't work for you. But to answer your question, no, we are not removing any (existing) options like downloading Tor Browser from the website or mirrors.

April 07, 2016

In reply to sukhbir

Permalink

Thanks. Can Yawning or someone else please approve some recent submissions which have not appeared, in the backdoor thread and human rights interview thread?

Err. I'm not the keeper of the blog. I just periodically clear out all the obvious spam, because if no one does it, it gets unmanageable. Publishing is usually done by others.

(Just clearing out the spam again).

April 08, 2016

In reply to yawning

Permalink

Well, clearing out spam should help the moderators, so thanks much, and thanks for all your work for Tor!

April 07, 2016

Permalink

There are two linux versions,32 bit & 64 bit, how do you specify which one you want?

For simplicity, when you ask for links for Linux you will receive links to download Tor Browser for both 32 & 64 bit (the message sent by GetTor specifies which links are for 32 bit and which links are for 64 bit). You can then choose to download the version you need.

April 07, 2016

Permalink

OT, but no other way to ask:

While using latest edition of Tails, when requesting a new identity in Tor Browser, I sometimes see warning message "Tails cannot safely give you a new identity: does not own Tor control socket?" That sounds bad.

April 07, 2016

Permalink

Ever thought of getting an EV certificate for the main torproject.org domains so we can confirm the identity of the main site with a green bar in the browser? They are available to 501(c)(3)'s; the ASPCA has one.

April 07, 2016

Permalink

Have you seen this? arstechnica.co.uk/security/2016/04/noscript-and-other-popular-firefox-add-ons-open-millions-to-new-attack/
Could Tor Browser be vulnerable as it uses NoScript?

It's something moderately interesting, but nothing new (the Firefox security model is crap, and is being reworked with e10s, the move to Web Extensions among other things), wrapped in sensationalist clickbait garbage that is par for the course for modern "tech journalism".

If users install malicious addons, then the current Firefox extension model means that the code in other addons can be leveraged. But the user first has to install extra malicious addons, at which point they've lost anyway.

May 02, 2016

In reply to yawning

Permalink

Unfortunately, the e10 sandbox does not work with noscript, even though it works with most other addons. You're completely right though. The Firefox security model is absolutely horrific. I don't want to scare many users here, but I will say that Firefox has some of the most terrifying code I have ever seen in my life. Have you even *seen* their experimental seccomp policy? Has anyone in the world fuzzed imlib? I mean, Chrome is orders of magnitude more secure, and even IE is harder to hack now days (for the average hacker, not the privileged law enforcement agency with access to possible backdoors). I'm going to stop myself now before I go on a 2 hour rant about Firefox security...

April 12, 2016

Permalink

Friend they recommend I get Tor... so I download and install... now it requires attention or refuses access on almost every site I visit... now I uninstall and say bye, bye to Tor... now my web surfing is back to being smooth and fast :)

April 12, 2016

Permalink

thanks so much

i wonder is there any way to get bridges Apart from Email . i send email by didn't receive any bridge In fact, email is not delivered at all

April 16, 2016

Permalink

I see some strange things with tor - it has connection with the server:

tcp 192.168.0.200 33508 <-> 108.61.198.207 443

but according to the following

30902:r startor0nl 2xB+7VKkY3YySUlQWzDrrFt93w8 2016-04-16 07:14:28 108.61.198.207 443 80
30903-m MJ8eOrLAFi/ODh7/2rdEwmPMATaYB21NrR/CCDw7E/Y
30904-s Fast HSDir Running Stable V2Dir Valid
30905-v Tor 0.2.7.6

this server is not marked as Guard !!!
How can it be??? Did anybody see such a thing?

April 17, 2016

Permalink

ohai !

Good work making these alternative ways of getting tbb !

Here's another idea:

What about spreading torbrowser using DNS ? (using, for example, TXT records). We'd then even be able to download it from hotspots without being logged in !

It'd also be easy to mirror it

but it'd need to be b64'd before being put in the dns, and after being retrieved, so maybe it isn't a great idea

Hello!

That could work, but our main focus is making alternatives that are easy-to-use for people who is not very familiar with computers, and the method you describe sounds a little bit complicated for that case. This might be useful for technical users, but only if torproject.org is not blocked, which is our initial assumption for GetTor (unless we use other domain for doing it, in that case, which one?).

In any case, thanks for the input!

April 19, 2016

Permalink

thx,_often harassed and sometimes for an personal opinion, i thank you for your browser TOR , i fell better with.

April 22, 2016

Permalink

Tor Project has been silent for about two weeks and some of us are getting a bit worried. We hope you are just very busy.

Some good news from The Hill (the news org which covers the US Congress, is often read by staffers, and often offers good coverage of tech issues):

http://thehill.com/policy/technology/277239-over-a-million-users-a-mont…
Over a million users a month now access Facebook through anonymity software
David McCabe
22 Apr 2016

> More than a million people a month now use popular anonymity software to browse Facebook without outsiders being able to determine their location or other details about their computer.
>
> Communicating through a connection secured by Tor allows users to hide the location of their device as well as information that could help to identify them. Many use it to get around internet censors in other countries or to keep their information from being obtained by organizations engaged in surveillance.
>
> Facebook announced in 2014 that it had created a version of its website meant to run properly on a Tor-secured connection. Previously, the website would appear broken to some users browsing on Tor.
>
> Facebook engineer Alec Muffett said in a post that in June of last year, roughly 525,000 were accessing Facebook through Tor in a given 30-day period. Now, that number is more than one million, he said.

EFF has said it will organize its members to oppose the Burr-Feinstein mandating encryption backdoors, which would outlaw steganography and file compression as well as cryptography. Will Tor Project get involved too? Since Tor cannot function without cryptography, it seems TP has a dog in this fight.

April 22, 2016

Permalink

The US DOJ has been pushing hard to expand FBI's use of NIT (Network Investigative Technique, i.e. Hacking Team style state-sponsored malware). A spot of good news:

http://arstechnica.com/tech-policy/2016/04/judge-invalidates-warrant-th…
Judge invalidates warrant that let feds hack Tor-using child porn suspect
Massachusetts judge finds warrant issued by magistrate in Virginia was improper.
Cyrus Farivar
21 Apr 2016

> A federal judge in Massachusetts ruled Wednesday in favor of a man accused of accessing child pornography through Tor, finding that the warrant issued by a Virginia-based judge was invalid. The evidence of child pornography the government claims it found on the man's computers is suppressed, which likely makes continuing prosecution of this case significantly more difficult.
>
> That warrant, which was issued in early 2015, allowed federal investigators to use a "network investigative technique" (NIT), government-speak for a piece of malware typically used to penetrate the digital security of Tor users.

A few years ago some of us tried to warn Tor Project about the implications of DOJ's efforts to change Rule 41 (which governs certain aspects of how police can gather evidence about criminal suspects). Notice this plays a role in the case:

https://theintercept.com/2016/04/21/fbi-mass-child-porn-hack-ruled-ille…
FBI Mass Child-Porn Hack Ruled Illegal on a Technicality
Jenna McLaughlin
21 Apr 2016

> When the FBI hacked over 1,000 computers to ensnare consumers of child pornography early last year, its actions were illegal, a federal judge ruled Wednesday.
> ...
> Judge William Young of the U.S. District Court in Boston ruled that the FBI’s search of Playpen visitor Alex Levin’s computer — located in Massachusetts — was unlawful because the magistrate judge who issued the warrant was in Virginia. According to Rule 41 of federal criminal procedure, magistrate judges can’t authorize a warrant outside their geographical jurisdiction.
>
> The Department of Justice is seeking to change that rule, but it hasn’t happened yet. “The government knew they had problems with Rule 41, and they didn’t wait for those changes to be approved. They went ahead with a mass hack,” Chris Soghoian, principal technologist for the American Civil Liberties Union, told The Intercept.
>
> Government lawyers two years ago began the multi-stage process of changing the rule to allow judges to grant warrants for remote searches of computers located outside their district or when the location is unknown. Despite angry protests from civil liberties advocates and technologists including the ACLU and Google, who described it as a power grab by the FBI to be able to conduct mass hacks with impunity, the rule change was approved by several judiciary panels, and is widely expected to be approved by the Supreme Court any day now. Congress has six months to modify or reject it, or else it will take effect.
>
> “This is a serious, complicated issue that Congress needs to consider quickly, to ensure our laws are keeping up with technology,” Sen. Ron Wyden, D-Ore., said in a statement emailed to The Intercept. “The solution is not to allow an obscure bureaucratic process to vastly expand the government’s surveillance powers. This requires serious public debate, to guarantee there are strong safeguards and oversight when it comes to government hacking.”
>
> Just this week, members of Congress first started asking substantive questions of the FBI about “lawful hacking” and the dynamics of getting around encryption by exploiting devices rather than trying to ban unbreakable encryption altogether.
>
> The government’s takeover of the child-porn site also risks becoming a greater source of controversy. Soghoian said the government’s decision to keeping the site running, rather than shut it down immediately, allowed hundreds of thousand of people to share and distribute new hurtful images while the FBI only caught a small percentage with its malware.
>
> In his ruling, Judge Young compared the practice to the FBI selling drugs — not just pretending to — in order to catch drug dealers. “The judge clearly is not happy about the government operating a child-porn site,” said Soghoian.

April 22, 2016

Permalink

Some of us have worried for years about traffic shaping attacks on Tor, and recently evidence emerged which suggests that an adversary may be mounting a large scale traffic shaping attack (on hidden services, but we also worry about ordinary web browsing via Tor Browser). Mike Perry commented:

https://lists.torproject.org/pipermail/tor-talk/2016-April/040822.html
Traffic shaping attack
Mike Perry mikeperry at torproject.org
20 Apr 2016

> Based on what you have reported, the second stage traffic shaping could
be due to some kind of in-line traffic shaping device, though it could
also still be due to targeted denial of service attacks against specific
nodes in the network.

Can you explain how "in-line traffic shaping devices" might work in attacks on Tor Browser?

April 24, 2016

Permalink

fsf from stallman april conference said that a backdoor is embedded in the new intel chipset ... so, is it yet the beginning of the end for TOR/privacy/encryption/cryptography ?

April 24, 2016

Permalink

downloaded tor 20/4/16
useless browser unable to view utube videos
back to chrome browser nice and smooth

April 24, 2016

Permalink

Hi,
while agreeing that this four languages cover an important part of vulnerable users and it is really great that tor is available in three other languages than its original English, it is an important step to make Tor available in more languages. Translation seems not to be a priority here, but it makes a huge difference for users to use this important tool in their own language even for those who an understand English. So, there is already a whole effort going on on Transifex communities, but even for languages that have already 100% or content translated, no version of Tor is released in those languages. I just would like to remember here that translation IS an important issue to address in the Tor community and it deserves more attention and care.
I greet you all!!!

April 26, 2016

Permalink

Found a virus or malware in the Tor files...

Qihoo-360 HEUR/QVM20.1.Malware.Gen 20160426

Keyboard input recorder is what it says on pop up?

April 27, 2016

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

oh Yeah , if using SATCOM or VSAT for downloading TailsOS and Tor with Reberry Router would be better , hope Tor project support more crytocurrency likes Dark coin (DASH) or LiteCoin (LTC)

Which hardware suggest for complatiable likes Gaming notebook or Gaming PC for browing safeNET?many thanks
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXIHdIAAoJEOF93b4xqLWA/r4P/2npkbyc8FAyRwBLcYk5cLyq
SnOKKPjcnsGwwXo5ryzIUY1+sZcRaYzUiRc5a+SLOa1YAZtRRgSoydqOPZKek7YT
fu/cYC7+2ku9OF8ECbjf74eZNwgp2Zh/ctqfEfgJKWWDnv+ZWDfkMguTiPGOBCbb
lXBb7NErs23fRsRqgjhMRum+d4NgGgjiX6WjzmWdKc1AKnCMd6Kta0VDHL24W6xY
kOm0APaMWJq7jd/Op4ymcxrfRb4oQbyXDQh5h304tuJGEwJ8SlQwjPXcLfowTKCh
FLXND7Yht1NoJsJr5bL0LA4JXbyPi+ONmKRgusd2J1uAQmCGsivNGPpuaFPloEmQ
ClbcGqQnyN3OS+2mRxYT0MFpcnalsj3PEUwyHqa9oPC5qOVNeanvKG+wAb4FxS7w
Ad+zzvrn5rwmMT6epuR98xyX1MzZLJD4rs15Oh8fRwnHVOhflP9dP9kPyA96UCG6
czOY7G7blta98x57tlgkeG74XmcrXhct//OdfuVl/+Ktm0v2H/Zl5FKZ2hGfKJUs
zaCSIu5IIpU8DP1P/nFOh5xbu8S3vfB1LOKL9cNddV6qayaKJvSCDQq8y2ImEPoH
3v1xkrdDJzFDGtkxn7fyn9fK/d61MHm1OeIF8z2oa26O+If3rbZENbOiZ0sKXY4W
ANGZp8q02wyyrjQZNhvB
=8vVo
-----END PGP SIGNATURE-----

Sometimes I wonder if random posts to things like this are just for the purpose of discrediting Tor. I mean this comment isn't even relevant to the thread. This thread is about letting people in oppressed countries download Tor when it is blocked, and you post a clickbait link about a Firefox vulnerability, the same one that so many people use to try to convince people that Tor itself is somehow flawed?

April 28, 2016

Permalink

Since 2015 I experienced blocks on different websites, when I used tor browser system. My winsystem hangs for about 30 seconds to 1 minute or more. At first time I felt attacked. Just now I tested a new AntiVirus software, which blocked the automatted update of tor system. I will download the new tor version manually, and will share my experience in this blog.

April 30, 2016

Permalink

Hi,

I am very interested in the OS statistics of the users. I have been monitoring the gettor website for some time now but the only thing I find is the message: We will publish statistics soon. Any idea when the statistics will be available?

Thanks!

May 01, 2016

Permalink

Many thanks for the XMPP way of getting TorBrowser. I’ll give it a go.

But no thanks for TB Github "hostage". You should find an independent Gitlab host or set up your own instance. The Tor project should set an example of decentralization and freedom. Github, apart from being a proprietary platform, also uses Amazon CDN, which is bad news for freedom and anonymity.

> GitHub is now a provider of Tor Browser (in addition to Dropbox and Google Drive)

How can you be proud to be in the company of Dropbox and Google? Are these companies the standard of success? Can’t there be any other standard (Free Software, perhaps?)

Srly

May 02, 2016

Permalink

How about we go one step further and distribute Tor browser over shortwave radio. ;)