Blogs

Tor Browser 6.5a2-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.5a2-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

In addition to the changes from Tor Browser 6.5a2, this releases integrates Selfrando. For more details about Selfrando integration in Tor Browser, see the Q and A with Georg Koppen and the Selfrando git repository.

Here is the full changelog since 6.5a1-hardened:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Tor to tor-0.2.8.5-rc
    • Update Torbutton to 1.9.6.1
      • Bug 19689: Use proper parent window for plugin prompt
      • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
      • Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
      • Bug 19273: Improve external app launch handling and associated warnings
      • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 17406: Include Selfrando into our hardened builds
    • Bug 19417: Disable asmjs for now
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
    • Bug 19273: Write C++ patch for external app launch handling
    • Bug 16998: Isolate preconnect requests to URL bar domain
    • Bug 18923: Add script to run all Tor Browser regression tests
    • Bug 19478: Prevent millisecond resolution leaks in File API
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
    • Bug 19735: Switch default search engine to DuckDuckGo
    • Bug 19276: Disable Xrender due to possible performance regressions
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Build System
    • All Platforms

Tor Browser 6.5a2 is released

Tor Browser 6.5a2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates firefox to 45.3.0esr and contains the improvements that went into Tor Browser 6.0.3. Additionally, Tor is updated to 0.2.8.5-rc, the default search engine has been switched to DuckDuckGo, resource URLs are blocked to avoid fingerprinting.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Here is the full changelog since 6.5a1:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Tor to tor-0.2.8.5-rc
    • Update Torbutton to 1.9.6.1
      • Bug 19689: Use proper parent window for plugin prompt
      • Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
      • Bug 19417: Disable asm.js (but add code to clear on New Identity if enabled)
      • Bug 19273: Improve external app launch handling and associated warnings
      • Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19417: Disable asmjs for now
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
    • Bug 19273: Write C++ patch for external app launch handling
    • Bug 16998: Isolate preconnect requests to URL bar domain
    • Bug 18923: Add script to run all Tor Browser regression tests
    • Bug 19478: Prevent millisecond resolution leaks in File API
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
    • Bug 19735: Switch default search engine to DuckDuckGo
  • Windows
    • Bug 19348: Adapt to more than one build target on Windows (fixes updates)
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • Linux
    • Bug 19276: Disable Xrender due to possible performance regressions
    • Bug 19725: Remove old updater files left on disk after upgrade to 6.x
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined
  • Build System
    • All Platforms

Tor Browser 6.0.3 is released

Tor Browser 6.0.3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 45.3.0esr. Additionally, it bumps NoScript to 2.9.0.12, HTTPS-Everywhere to 5.2.1, disables asmjs, removes meek-google and contains a few other bug fixes.

Note: Due to bug 19410, on OSX the incremental update will not be working for users who installed the previous version using the .dmg file. The internal updater should still work, though, doing a complete update.

Update (August 11, 10:04 UTC): Starting from a couple of hours ago Tor Browser users might see a notification box in their browser claiming that Firefox is too old providing a button to get a newer one. This is both due to a server-side code change on Mozilla's side and an oversight by us during the ESR45 transition. Clicking on the "Get Firefox" button is safe and leads the user to our Tor Browser download page. Needless to say, this whole behavior is highly confusing and we apologize for it. We are working on a fix as quickly as possible and hope to get Mozilla to exempt Tor Browser users from this feature while we are working on a new release. For technical details see our bug tracker.

Here is the full changelog since 6.0.2:

  • All Platforms
    • Update Firefox to 45.3.0esr
    • Update Torbutton to 1.9.5.6
    • Update HTTPS-Everywhere to 5.2.1
    • Update NoScript to 2.9.0.12
    • Bug 19715: Disable the meek-google pluggable transport option
    • Bug 19714: Remove mercurius4 obfs4 bridge
    • Bug 19585: Fix regression test for keyboard layout fingerprinting
    • Bug 19515: Tor Browser is crashing in graphics code
    • Bug 18513: Favicon requests can bypass New Identity
  • OS X
    • Bug 19269: Icon doesn't appear in Applications folder or Dock
  • Android
    • Bug 19484: Avoid compilation error when MOZ_UPDATER is not defined

Tor 0.2.8.6 is released!

Tor 0.2.8.6 has been released! You can download the source from the Tor website. Packages should be available over the next week or so.

Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series.

The Tor 0.2.8 series improves client bootstrapping performance, completes the authority-side implementation of improved identity keys for relays, and includes numerous bugfixes and performance improvements throughout the program. This release continues to improve the coverage of Tor's test suite.

Below is a list of the changes since Tor 0.2.7. For a list of only the changes that are new since 0.2.8.5-rc, please see the ChangeLog file.

Changes in version 0.2.8.6 - 2016-08-02

  • New system requirements:
    • Tor no longer attempts to support platforms where the "time_t" type is unsigned. (To the best of our knowledge, only OpenVMS does this, and Tor has never actually built on OpenVMS.) Closes ticket 18184.
    • Tor no longer supports versions of OpenSSL with a broken implementation of counter mode. (This bug was present in OpenSSL 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no longer runs with, these versions.
    • Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or later (released in 2008 and 2009 respectively). If you are building Tor from the git repository instead of from the source distribution, and your tools are older than this, you will need to upgrade. Closes ticket 17732.

  read more »

Debian and Tor Services available as Onion Services

We, the Debian project and the Tor project are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.

The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.

While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service end point.

For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the TorBrowser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certificate authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.

In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following three lines can replace the normal debian mirror entries in the apt configuration file (/etc/apt/sources.list):

deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Likewise, Tor's Debian package repository is available from an onion service :

deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main

Where appropriate, we provide services redundantly from several backend machines using OnionBalance. The Debian OnionBalance package is available from the Debian backports repository.

Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.

Statement

Seven weeks ago, I published a blog post saying that Jacob Appelbaum had left the Tor Project, and I invited people to contact me as the Tor Project began an investigation into allegations regarding his behavior.

Since then, a number of people have come forward with first-person accounts and other information. The Tor Project hired a professional investigator, and she interviewed many individuals to determine the facts concerning the allegations. The investigator worked closely with me and our attorneys, helping us to understand the overall factual picture as it emerged.

The information shared was sensitive, and in writing this post I am aiming to balance my desire for the Tor Project to be transparent and accountable with my desire to respect individual privacy.

Here is what I am able to say:

The investigation is now complete. Many people inside and outside the Tor Project have reported incidents of being humiliated, intimidated, bullied and frightened by Jacob, and several experienced unwanted sexually aggressive behavior from him. Some of those incidents have been shared publicly, and some have not. The investigation also identified two additional people as having engaged in inappropriate conduct, and they are no longer involved with the Tor Project.

Based on the results of this investigation, we want to be more clear about (1) how we expect people to behave, (2) where people can take complaints and problems, (3) what will happen when complaints are received.

Putting procedures in place is more difficult for the Tor Project than for other organizations, because the staff of the Tor Project works in partnership with a broader Tor community, many of whom are volunteers or employed by other organizations. It is not a traditional top-down management environment. I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week.

In addition, the Tor community has created a community council to help to resolve intra- community difficulties, and it is developing membership guidelines, a code of conduct, and a social contract that affirms our shared values and the behaviors we want to model. We expect these to be finalized and approved by the community at or before our next developer meeting at the end of September.

I believe these new policies and practices will make the Tor Project and the Tor community significantly healthier and stronger. I want to thank everyone who has contributed to the work we've done so far, and also to those who will contribute in the coming months.

I also want to note that the Tor Project board just elected a slate of new board members with significant governance and executive leadership experience. This was a bold and selfless decision by the outgoing board, to whom I am grateful. I am confident the new board will be a key source of support for the Tor Project going forward.

I want to thank all the people who broke the silence around Jacob's behavior. It is because of you that this issue has now been addressed. I am grateful you spoke up, and I acknowledge and appreciate your courage.

I look forward to instituting the changes described above and to continuing the Tor Project's important work.

--Shari Steele

The New Research from Northeastern University

We’ve been speaking to journalists who are curious about a HotPETS 2016 talk from last week: the HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs research paper conducted by our colleagues at Northeastern University. Here's a short explanation, written by Donncha and Roger.

Internally, Tor has a system for identifying bad relays. When we find a bad relay, we throw it out of the network.

But our techniques for finding bad relays aren't perfect, so it's good that there are other researchers also working on this problem. Acting independently, we had already detected and removed many of the suspicious relays that these researchers have found.

The researchers have sent us a list of the other relays that they found, and we're currently working on confirming that they are bad. (This is tougher than it sounds, since the technique used by the other research group only detects that relays *might* be bad, so we don't know which ones to blame for sure.)

It's especially great to have this other research group working on this topic, since their technique for detecting bad relays is different from our technique, and that means better coverage.

As far as we can tell, the misbehaving relays' goal in this case is just to discover onion addresses that they wouldn't be able to learn other ways—they aren't able to identify the IP addresses of hosts or visitors to Tor hidden services.

The authors here are not trying to discover new onion addresses. They are trying to detect other people who are learning about onion addresses by running bad HSDirs/relays.

This activity only allows attackers to discover new onion addresses. It does not impact the anonymity of hidden services or hidden service clients.

We have known about and been defending against this situation for quite some time. The issue will be resolved more thoroughly with the next-generation hidden services design. Check out our blog post, Mission: Montreal!

A Quick, Simple Guide to Tor and the Internet of Things (So Far)

"The Internet of Things" is the remote control and networking of everyday devices ranging from a family's lawn sprinkler or babycam to a corporation's entire HVAC system.

Tor Project contributor Nathan Freitas, Executive Director of The Guardian Project, has developed a new way to use Tor's anonymous onion services to protect the "Internet of Things." The new system, while experimental, is also scalable.

The system uses Home Assistant, a free, open-source platform built on Python, that can run on Raspberry Pi and other devices. It easily can be set up to control and network people’s “Internet of Things” —home security systems, toasters, thermostats, smart lightbulbs, weather sensors and other household appliances. The new "Tor Onion Service Configuration" setup is available on their website.

"The Tor Project wants Tor privacy technology to be integrated into everyday life so that people don't have to log on to it—their privacy and security are built in. Nathan's work with Home Assistant is an early but important milestone," said Shari Steele, Tor's Executive Director.

The great danger with the "Internet of Things" (or IoT) is the opportunity for surveillance--for an individual hacker or a state actor to accumulate, store, and exploit very private information against individuals or companies.

These attacks are far from hypothetical: We've read about the ability for an attacker to see and speak to a baby through a babycam or hack and control a car. Attackers stole 40 million credit card numbers after they hacked into a national retailer's HVAC system and used it to reach their computer system and their customers.

Tor has developed a way to build a buffer of privacy between the baby and the Internet--so that the baby (or the HVAC system) is never exposed to the open Internet at all. Instead of a hackable, single point of failure, attackers must contend with the global network of thousands of Tor nodes.

"Too many 'Things' in our homes, at our hospitals, in our businesses and throughout our lives are exposed to the public Internet without the ability to protect their communication. Tor provides this, for free, with real-world hard ended, open-source software and strong, state of the art cryptography," said Nathan Freitas, Executive Director of the Guardian Project.

“Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.”

--"DON'T PANIC," Berkman Klein Center's report on encryption
https://cyber.law.harvard.edu/pubrelease/dont-panic/

More Information:

• Guardian Project video explaining the Tor/Home Assistant system: https://www.youtube.com/watch?v=j2yT-0rmgDA

• Guardian Project's easy-to-understand slides:
https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20...

• Home Assistant page on setting up Tor:
https://home-assistant.io/cookbook/tor_configuration/

Syndicate content Syndicate content