We, the Debian project and the Tor project, are enabling Tor onion services for several of our sites. These sites can now be reached without leaving the Tor network, providing a new option for securely connecting to resources provided by Debian and Tor.
The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others. Consequently, we are pleased to announce that we have started making several of the various web services provided by both Debian and Tor available via onion services.
While onion services can be used to conceal the network location of the machine providing the service, this is not the goal here. Instead, we employ onion services because they provide end-to-end integrity and confidentiality, and they authenticate the onion service endpoint.
For instance, when users connect to the onion service running at http://sejnfjrq6szgca7v.onion/ using a Tor-enabled browser such as the TorBrowser, they can be certain that their connection to the Debian website cannot be read or modified by third parties, and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certificate authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.
In addition to the Tor and Debian websites, the Debian FTP and the Debian Security archives are available from .onion addresses, enabling Debian users to update their systems using only Tor connections. With the apt-transport-tor package installed, the following three lines can replace the normal Debian mirror entries in the apt configuration file:
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
Likewise, Tor's Debian package repository is available from an onion service:
deb tor+http://sdscoq7snqtznauu.onion/torproject.org jessie main
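As an added example (not code from the Debian or Tor announcement), the audit below checks a sources.list fragment for the property the entries above rely on: every line must go through apt-transport-tor (the tor+http:// scheme) to a .onion host. The helper also derives a v2 onion name from a DER-encoded public key, which is why the name itself authenticates the key; the key bytes and the clearnet mirror line are constructed for the demonstration.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# v2 onion names, the kind shown in the announcement, are 16 base32 characters.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}$")
# URL scheme that hands the fetch to apt-transport-tor, as used in the announcement.
TOR_SCHEME = "tor+http://"


def onion_name_from_der(der_pubkey: bytes) -> str:
    """v2 onion name: base32 of the first 80 bits of SHA-1 over the DER public key.

    Because the name is a hash of the key, a client that knows the name can verify
    the key the service presents without consulting any certificate authority.
    """
    digest = hashlib.sha1(der_pubkey).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def check_apt_line(line: str) -> Tuple[bool, str]:
    """Classify one sources.list line as (ok, reason)."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return True, "blank line or comment"
    if parts[0] not in ("deb", "deb-src") or len(parts) < 3:
        return False, "not a deb/deb-src entry"
    url = parts[1]
    if not url.startswith(TOR_SCHEME):
        return False, "transport is not tor+http: " + url
    host = url[len(TOR_SCHEME):].split("/", 1)[0]
    if not host.endswith(".onion"):
        return False, "host is not an onion service: " + host
    name = host[: -len(".onion")]
    if not ONION_V2_RE.match(name):
        return False, "malformed v2 onion name: " + name
    return True, "ok"


def audit_sources(text: str) -> List[Tuple[str, bool, str]]:
    """Run check_apt_line over every line of a sources.list body."""
    return [(line,) + check_apt_line(line) for line in text.splitlines()]


# Constructed sources.list: the three Debian lines from the announcement plus
# a clearnet mirror (placeholder host) that a Tor-only system should not keep.
SAMPLE_SOURCES = """\
deb tor+http://vwakviie2ienjx6t.onion/debian jessie main
deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main
deb http://mirror.example/debian jessie main
"""

if __name__ == "__main__":
    for line, ok, reason in audit_sources(SAMPLE_SOURCES):
        print("PASS" if ok else "FAIL", reason, "|", line)
    # Constructed bytes stand in for a real DER-encoded RSA public key.
    print("derived name:", onion_name_from_der(b"constructed DER public key"))
```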
Lists of several other new onion services offered by Debian and Tor are available from https://onion.debian.org and https://onion.torproject.org respectively. We expect to expand these lists in the near future to cover even more of Debian's and Tor's services.
Seven weeks ago, I published a blog post saying that Jacob Appelbaum had left the Tor Project, and I invited people to contact me as the Tor Project began an investigation into allegations regarding his behavior.
Since then, a number of people have come forward with first-person accounts and other information. The Tor Project hired a professional investigator, and she interviewed many individuals to determine the facts concerning the allegations. The investigator worked closely with me and our attorneys, helping us to understand the overall factual picture as it emerged.
The information shared was sensitive, and in writing this post I am aiming to balance my desire for the Tor Project to be transparent and accountable with my desire to respect individual privacy.
Here is what I am able to say:
The investigation is now complete. Many people inside and outside the Tor Project have reported incidents of being humiliated, intimidated, bullied and frightened by Jacob, and several experienced unwanted sexually aggressive behavior from him. Some of those incidents have been shared publicly, and some have not. The investigation also identified two additional people as having engaged in inappropriate conduct, and they are no longer involved with the Tor Project.
Based on the results of this investigation, we want to be more clear about (1) how we expect people to behave, (2) where people can take complaints and problems, and (3) what will happen when complaints are received.
Putting procedures in place is more difficult for the Tor Project than for other organizations, because the staff of the Tor Project works in partnership with a broader Tor community, many of whom are volunteers or employed by other organizations. It is not a traditional top-down management environment. I am pleased, therefore, to announce that both the Tor Project and the Tor community are taking active steps to strengthen our ability to handle problems of unprofessional behavior. Specifically, the Tor Project has created an anti-harassment policy, a conflicts of interest policy, procedures for submitting complaints, and an internal complaint review process. They were recently approved by Tor’s board of directors, and they will be rolled out internally this week.
In addition, the Tor community has created a community council to help to resolve intra-community difficulties, and it is developing membership guidelines, a code of conduct, and a social contract that affirms our shared values and the behaviors we want to model. We expect these to be finalized and approved by the community at or before our next developer meeting at the end of September.
I believe these new policies and practices will make the Tor Project and the Tor community significantly healthier and stronger. I want to thank everyone who has contributed to the work we've done so far, and also to those who will contribute in the coming months.
I also want to note that the Tor Project board just elected a slate of new board members with significant governance and executive leadership experience. This was a bold and selfless decision by the outgoing board, to whom I am grateful. I am confident the new board will be a key source of support for the Tor Project going forward.
I want to thank all the people who broke the silence around Jacob's behavior. It is because of you that this issue has now been addressed. I am grateful you spoke up, and I acknowledge and appreciate your courage.
I look forward to instituting the changes described above and to continuing the Tor Project's important work.
We’ve been speaking to journalists who are curious about a HotPETS 2016 talk from last week: the HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs research paper by our colleagues at Northeastern University. Here's a short explanation, written by Donncha and Roger.
Internally, Tor has a system for identifying bad relays. When we find a bad relay, we throw it out of the network.
But our techniques for finding bad relays aren't perfect, so it's good that there are other researchers also working on this problem. Acting independently, we had already detected and removed many of the suspicious relays that these researchers have found.
The researchers have sent us a list of the other relays that they found, and we're currently working on confirming that they are bad. (This is tougher than it sounds, since the technique used by the other research group only detects that relays *might* be bad, so we don't know which ones to blame for sure.)
It's especially great to have this other research group working on this topic, since their technique for detecting bad relays is different from our technique, and that means better coverage.
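The following is an added model of the honey-onion idea behind the researchers' technique (written for this page; not the paper's code or Tor's): each decoy onion address is announced only to a known set of HSDirs, so a visit to a decoy implicates one of those HSDirs, and the investigator looks for the smallest set of relays that explains all visits. The placement table and relay names are constructed; the point of the example is that several minimal explanations often exist, which is why such evidence only says a relay *might* be bad and each candidate still needs confirmation.

```python
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed placement table. Each decoy onion ("honion") was announced only
# to the HSDirs listed for it, so a client visit to that honion means some
# HSDir in its set acted on the descriptor it was entrusted with.
HONION_HSDIRS: Dict[str, Set[str]] = {
    "honion-1": {"relayA", "relayB", "relayC"},
    "honion-2": {"relayA", "relayD", "relayE"},
    "honion-3": {"relayF", "relayG", "relayH"},
    "honion-4": {"relayB", "relayF", "relayI"},
}


def candidate_hsdirs(visited: Iterable[str],
                     placement: Dict[str, Set[str]]) -> Set[str]:
    """Every HSDir that held at least one visited honion: the broad suspect list."""
    suspects: Set[str] = set()
    for honion in visited:
        suspects |= placement[honion]
    return suspects


def smallest_explanations(visited: Iterable[str],
                          placement: Dict[str, Set[str]]) -> List[FrozenSet[str]]:
    """All minimum-size HSDir sets that account for every visit (exact set cover).

    A single answer means the visits single out a relay; several answers mean
    the evidence only narrows the field and each relay needs separate confirmation.
    """
    visited = list(visited)
    universe = sorted(candidate_hsdirs(visited, placement))
    for size in range(1, len(universe) + 1):
        found = [frozenset(combo) for combo in combinations(universe, size)
                 if all(placement[h] & set(combo) for h in visited)]
        if found:
            return found
    return []


def blame_counts(visited: Iterable[str],
                 placement: Dict[str, Set[str]]) -> Dict[str, int]:
    """How many visited honions each suspect could explain, to prioritise checks."""
    counts: Dict[str, int] = {}
    for honion in visited:
        for relay in placement[honion]:
            counts[relay] = counts.get(relay, 0) + 1
    return counts


if __name__ == "__main__":
    for visits in (["honion-1", "honion-2"], ["honion-1", "honion-3", "honion-4"]):
        print("visited:", visits)
        print("  suspects:", sorted(candidate_hsdirs(visits, HONION_HSDIRS)))
        print("  minimal explanations:",
              [sorted(s) for s in smallest_explanations(visits, HONION_HSDIRS)])
        print("  blame counts:", blame_counts(visits, HONION_HSDIRS))
```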
As far as we can tell, the misbehaving relays' goal in this case is just to discover onion addresses that they wouldn't be able to learn other ways—they aren't able to identify the IP addresses of hosts or visitors to Tor hidden services.
The authors here are not trying to discover new onion addresses. They are trying to detect other people who are learning about onion addresses by running bad HSDirs/relays.
This activity only allows attackers to discover new onion addresses. It does not impact the anonymity of hidden services or hidden service clients.
We have known about and been defending against this situation for quite some time. The issue will be resolved more thoroughly with the next-generation hidden services design. Check out our blog post, Mission: Montreal!
"The Internet of Things" is the remote control and networking of everyday devices ranging from a family's lawn sprinkler or babycam to a corporation's entire HVAC system.
Tor Project contributor Nathan Freitas, Executive Director of The Guardian Project, has developed a new way to use Tor's anonymous onion services to protect the "Internet of Things." The new system, while experimental, is also scalable.
The system uses Home Assistant, a free, open-source platform built on Python, that can run on Raspberry Pi and other devices. It can easily be set up to control and network people’s “Internet of Things” (home security systems, toasters, thermostats, smart lightbulbs, weather sensors and other household appliances). The new "Tor Onion Service Configuration" setup is available on their website.
"The Tor Project wants Tor privacy technology to be integrated into everyday life so that people don't have to log on to it—their privacy and security are built in. Nathan's work with Home Assistant is an early but important milestone," said Shari Steele, Tor's Executive Director.
The great danger with the "Internet of Things" (or IoT) is the opportunity for surveillance--for an individual hacker or a state actor to accumulate, store, and exploit very private information against individuals or companies.
These attacks are far from hypothetical: We've read about the ability for an attacker to see and speak to a baby through a babycam or hack and control a car. Attackers stole 40 million credit card numbers after they hacked into a national retailer's HVAC system and used it to reach their computer system and their customers.
Tor has developed a way to build a buffer of privacy between the baby and the Internet--so that the baby (or the HVAC system) is never exposed to the open Internet at all. Instead of a hackable, single point of failure, attackers must contend with the global network of thousands of Tor nodes.
"Too many 'Things' in our homes, at our hospitals, in our businesses and throughout our lives are exposed to the public Internet without the ability to protect their communication. Tor provides this, for free, with real-world hardened, open-source software and strong, state-of-the-art cryptography," said Nathan Freitas, Executive Director of the Guardian Project.
“Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.”
--"DON'T PANIC," Berkman Klein Center's report on encryption
• Guardian Project video explaining the Tor/Home Assistant system: https://www.youtube.com/watch?v=j2yT-0rmgDA
• Guardian Project's easy-to-understand slides:
• Home Assistant page on setting up Tor:
Today, the board of directors of the Tor Project is announcing a bold decision in keeping with its commitment to the best possible health of the organization.
Says Tor's Executive Director Shari Steele, "I think this was an incredibly brave and selfless thing for the board to do. They’re making a clear statement that they want the organization to become its best self."
A Statement from the Board of Directors of The Tor Project
As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieving it.
We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations.
Accordingly, we are pleased to announce an excellent slate of new directors who have agreed to serve on Tor's board. The old directors have, as of July 12, 2016, elected these directors as the new Tor board:
Roger Dingledine and Nick Mathewson will continue in their roles as co-founders of the Tor Project, leading Tor's technical research and development. We will all continue to support Tor's mission, community, management, and organization; and we are happy to offer Shari, the new board, and the entire team our help and knowledge. We thank the Tor community for their patience and help in this transition.
Meredith Hoban Dunn
Rabbi Rob Thomas
Biographies of Incoming Board Members
(Photos available upon request)
Matt Blaze is a professor in the computer and information science department at the University of Pennsylvania, where he directs the Distributed Systems Laboratory. He has been doing research on surveillance technology for over 20 years, as well as cryptography, secure systems, and public policy.
Cindy Cohn is the Executive Director of the Electronic Frontier Foundation (EFF). From 2000 to 2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography. Since then, Ms. Cohn has worked to ensure that people around the world have the right to access information and communicate privately and anonymously, including mounting lawsuits against NSA spying, providing legal counsel to computer programmers building and developing privacy and anonymity tools, and helping to develop the Necessary and Proportionate Principles applying international human rights standards to digital communications surveillance.
The National Law Journal named Ms. Cohn one of 100 most influential lawyers in America in 2013, noting: "[I]f Big Brother is watching, he better look out for Cindy Cohn." She was also named one of the 100 most influential lawyers in 2006 for "rushing to the barricades wherever freedom and civil liberties are at stake online." In 2007 the National Law Journal named her one of the 50 most influential women lawyers in America. In 2010 the Intellectual Property Section of the State Bar of California awarded her its Intellectual Property Vanguard Award and in 2012 the Northern California Chapter of the Society of Professional Journalists awarded her the James Madison Freedom of Information Award.
Bruce Schneier is an internationally renowned security technologist; called a "security guru" by The Economist. He is the author of 14 books -- including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and blog "Schneier on Security" are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation and the Tor Project, and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of Resilient.
Gabriella (Biella) Coleman holds the Wolfe Chair in Scientific and Technological Literacy at McGill University. Trained as an anthropologist, her scholarship explores the intersection of the cultures of hacking and politics, with a focus on the sociopolitical implications of the free software movement and the digital protest ensemble Anonymous. She has authored two books, Coding Freedom: The Ethics and Aesthetics of Hacking (Princeton University Press, 2012) and Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (Verso, 2014), which was named to Kirkus Reviews’ Best Books of 2014 and was awarded the Diana Forsythe Prize by the American Anthropological Association. Her work has been featured in numerous scholarly journals and edited volumes. Committed to public ethnography, she routinely presents her work to diverse audiences, teaches undergraduate and graduate courses, and has written for popular media outlets, including the New York Times, Slate, Wired, MIT Technology Review, Huffington Post, and the Atlantic.
Linus Nordberg is a longtime internet and privacy activist who has been involved with Tor since 2009. He's a software developer who specializes in network security and operating internet services. Since his start at Tor he's developed code, run services, and advocated for the Tor Project. He's one of the founders of the Swedish digital rights organization DFRI (Digitala Fri- och Rättigheter) and through that involved in the European umbrella public policy organization EDRi (European Digital Rights).
Megan Price, Executive Director of the Human Rights Data Analysis Group, designs strategies and methods for statistical analysis of human rights data for projects in a variety of locations including Guatemala, Colombia, and Syria. Her work in Guatemala includes serving as the lead statistician on a project in which she analyzes documents from the National Police Archive; she has also contributed analyses submitted as evidence in two court cases in Guatemala. Her work in Syria includes serving as the lead statistician and author on three reports, commissioned by the Office of the United Nations High Commissioner of Human Rights (OHCHR), on documented deaths in that country.
Megan is a member of the Technical Advisory Board for the Office of the Prosecutor at the International Criminal Court, a Research Fellow at the Carnegie Mellon University Center for Human Rights Science, and she is the Human Rights Editor for the Statistical Journal of the International Association for Official Statistics (IAOS). She earned her doctorate in biostatistics and a Certificate in Human Rights from the Rollins School of Public Health at Emory University. She also holds a master of science degree and bachelor of science degree in Statistics from Case Western Reserve University.
The Tor Project develops and distributes free software and has built an open and free network that helps people defend against online surveillance that threatens personal freedom and privacy. Tor is used by human rights defenders, diplomats, government officials, and millions of ordinary people who value freedom from surveillance.
The Tor Project's Mission Statement: "To advance human rights and freedoms by creating and deploying free and open anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding."
For media inquiries, contact press at tor project dot org.
Tor 0.2.8.5-rc has been released! You can download the source from the Tor website. Packages should be available over the next week or so.
Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8 series. If we find no new bugs or regressions here, the first stable 0.2.8 release will be identical to it. It has a few small bugfixes against previous versions.
PLEASE NOTE: This is a release candidate. We think that we solved all of the showstopper bugs, but we also thought the same thing about 0.2.8.4-rc: crucial bugs may remain. Please only run this release if you're willing to test and find bugs. If no showstopper bugs are found, we'll be putting out 0.2.8.6 as a stable release.
Changes in version 0.2.8.5-rc - 2016-07-07
- Directory authority changes:
- Urras is no longer a directory authority. Closes ticket 19271.
- Major bugfixes (heartbeat):
- Fix a regression that would crash Tor when the periodic "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on tor-0.2.8.1-alpha. Reported by "kubaku".
- Minor features (build):
- Minor bugfixes (fallback directory selection):
- Avoid errors during fallback selection if there are no eligible fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch by teor.
- Minor bugfixes (IPv6, microdescriptors):
- Don't check node addresses when we only have a routerstatus. This allows IPv6-only clients to bootstrap by fetching microdescriptors from fallback directory mirrors. (The microdescriptor consensus has no IPv6 addresses in it.) Fixes bug 19608; bugfix on 0.2.8.2-alpha.
- Minor bugfixes (logging):
- Reduce pointlessly verbose log messages when directory servers can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and 0.2.8.1-alpha. Patch by teor.
- When a fallback directory changes its fingerprint from the hard-coded fingerprint, log a less severe, more explanatory log message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.
- Minor bugfixes (Linux seccomp2 sandboxing):
- Allow statistics to be written to disk when "Sandbox 1" is enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and 0.2.6.1-alpha respectively.
- Minor bugfixes (user interface):
- Remove a warning message "Service [scrubbed] not found after descriptor upload". This message appears when one uses HSPOST control command to upload a service descriptor. Since there is only a descriptor and no service, showing this message is pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.
- Fallback directory list:
- Add a comment to the generated fallback directory list that explains how to comment out unsuitable fallbacks in a way that's compatible with the stem fallback parser.
- Update fallback whitelist and blacklist based on relay operator emails. Blacklist unsuitable (non-working, over-volatile) fallbacks. Resolves ticket 19071. Patch by teor.
- Update hard-coded fallback list to remove unsuitable fallbacks. Resolves ticket 19071. Patch by teor.
Georg Koppen is a longtime Tor browser developer. He and Tor developer Mike Perry worked to integrate Selfrando into Tor browser.
Tell us about Selfrando, the new code being tested for Tor Browser.
Selfrando randomizes Tor browser code to ensure that an attacker doesn't know where the code is on your computer. This makes it much harder for someone to construct a reliable attack--and harder for them to use a flaw in your Tor Browser to de-anonymize you.
How were you and Tor's Mike Perry involved in the project?
We mainly worked on integrating Selfrando in Tor Browser where needed and tested it as well as we could. We closely read the paper and helped to improve it. The bulk of the work was done by the other researchers. These are Mauro Conti, Stephen Crane, Tommaso Frassetto, Andrei Homescu, Per Larsen, Christopher Liebchen, and Ahmad-Reza Sadeghi.
Can you talk about Tor's relationship with the research community?
Tor relies on the research community to ethically investigate unsolved issues with Tor software. We work closely with research groups in the anonymity space, the security space, in privacy research, etc.
Tor is the focus of many researchers. We have rigorous documentation and open, transparent development processes. We also have a working product, Tor Browser, that easily reaches 1 to 2 million users, with testing channels where one can try new defenses first and refine them as needed, as we are doing with the Selfrando project.
When will Selfrando be available for ordinary Tor users (in the stable version)?
The first thing to note here is that Selfrando is currently only available for a fraction of our users; those who have 64-bit Linux systems. The Selfrando folks are working on a version for Windows which is not yet ready.
I think that Tor browser version 6.5 might be a bit too early for a stable release. However, if user testing shows this is okay, Selfrando will make it in. A more conservative approach is pointing to Tor browser version 7.0.
That’s a pretty long time from now (next Spring!). How can people help Tor speed it up?
We need more users testing things--more experienced people trying out our nightly/alpha builds.
Selfrando's development is good so far and the browser integration work has not been so tricky; the main problem is being confident enough that it does not break some random user setups while everything is fine and working on our testing machines.
Specifically, we need more experienced people running Linux 64-bit operating systems to download and try our hardened nightly builds. They can download the latest hardened nightly build and look for the latest "nightly-hardened" build in general at https://people.torproject.org/~linus/builds/. Obviously, these are test versions of the Tor Browser--we're trying to look for bugs.
Will there be future collaborations with these researchers?
To port Selfrando to Windows and OSX and make it available to our users, yes!
How do you feel about the fact that the research community is teaming up with Tor to strengthen Tor browser against attacks?
I think this is great as it gives us another valuable ally to make our users safer. And in the longer run, all other users with "normal" browsers could benefit from that, too.
The researchers behind Selfrando will present their project in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.
An advance copy of their research paper is available here.
Selfrando is available for use in other open-source projects on Github.
We are pleased to announce the sixth beta release of TorBirdy and the first in the 0.2 series: TorBirdy 0.2.0. All users are encouraged to upgrade as this release fixes numerous security and privacy issues.
Notable changes include fixing local timestamp disclosure in the date and the message-ID headers, as detailed in tickets #6314 and #6315. The patch for sanitizing the date header is shipped with TorBirdy. The patch for the message-ID header was submitted upstream to Mozilla and merged in Thunderbird 45, and it is therefore recommended that you upgrade to Thunderbird 45 if possible.
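To illustrate the class of leak fixed here (an added example, not TorBirdy's or Thunderbird's patch), the code below rewrites a Date header in UTC so the sender's local zone offset is not disclosed, and audits a message for a Date with a non-zero offset or a Message-ID that carries a timestamp-looking digit run. The messages are constructed, and the Message-ID heuristic (a 10-digit Unix epoch or a 14-digit date stamp) is an assumption about what a leaky identifier looks like, not a description of Thunderbird's generator.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict

# Heuristics (assumed, not Thunderbird's actual format) for timestamp-looking
# material in a Message-ID: a 10-digit Unix epoch or a 14-digit YYYYMMDDHHMMSS run.
EPOCH_RE = re.compile(r"(?<!\d)1\d{9}(?!\d)")
DATESTAMP_RE = re.compile(r"(?<!\d)20\d{12}(?!\d)")


def sanitize_date(date_header: str) -> str:
    """Rewrite a Date header in UTC so the sender's local zone is not disclosed."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:               # "-0000" means unknown zone; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return format_datetime(dt.astimezone(timezone.utc))


def audit_headers(raw_message: str) -> Dict[str, str]:
    """Map header name -> finding for headers that leak local time information."""
    msg = message_from_string(raw_message)
    findings: Dict[str, str] = {}
    date = msg.get("Date")
    if date is not None:
        dt = parsedate_to_datetime(date)
        if dt.tzinfo is not None and dt.utcoffset() != timedelta(0):
            findings["Date"] = "zone offset %s reveals the local time zone" % dt.strftime("%z")
    mid = msg.get("Message-ID")
    if mid is not None and (EPOCH_RE.search(mid) or DATESTAMP_RE.search(mid)):
        findings["Message-ID"] = "contains a timestamp-like digit run"
    return findings


# Constructed messages for the demonstration (placeholder addresses and hosts).
LEAKY_MESSAGE = """\
From: sender@mail.example
To: recipient@mail.example
Date: Tue, 28 Jun 2016 10:15:00 -0700
Message-ID: <1467134100.4711@mail.example>
Subject: test

body
"""
CLEAN_MESSAGE = """\
From: sender@mail.example
To: recipient@mail.example
Date: Tue, 28 Jun 2016 17:15:00 +0000
Message-ID: <d9f1c2e3-7b4a-4c0e-9f1a-5e2b3c4d5e6f@mail.example>
Subject: test

body
"""

if __name__ == "__main__":
    print("leaky:", audit_headers(LEAKY_MESSAGE))
    print("clean:", audit_headers(CLEAN_MESSAGE))
    print("sanitized Date:", sanitize_date("Tue, 28 Jun 2016 10:15:00 -0700"))
```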
There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.
If you are using TorBirdy for the first time, visit the wiki to get started.
Other changes in this release include:
0.2.0, 27 Jun 2016
* Bug #6314: Prevent local timestamp disclosure via Date header
* Bug #6315: Prevent local timestamp disclosure via Message-ID header
* Bug #13721: Fix usage of wrong locale
* Bug #17426: Allow configuration of default email protocol
* Bug #15459: Add support for deterministic XPI generation
* Bug #11387, #13006: Fix non-standard EHLO argument
* Bug #17118: Allow manual account configuration for Gmail with OAuth2
* Bug #19031: Add and audit support for RSS reader
* Bug #7847: Audit and update support for NNTP
* Bug #10683: Update Thunderbird UI to reflect TorBirdy's state
* Bug #19330: Set secure defaults for outgoing mail servers
* Removed compatibility for older versions of Thunderbird and added support for Thunderbird 37+
* Added support for automatic configuration of Riseup email accounts
* Updated various privacy and security settings (see commit 2bdeffbb for a list of the changes)
* Update translations for current languages
Many thanks to Arthur Edelstein and the Tails Developers for this release!
We offer two ways of installing TorBirdy -- either by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.
(Packages for Debian GNU/Linux will be created and uploaded shortly.)