This release features important security updates to Firefox.
Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q), NoScript (2.7) and HTTPS-Everywhere (5.1.1). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes) and improved our fingerprinting defense against MIME type enumeration.
Tor Browser 5.0.5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features either Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.
These and all the other changes (minor bug fixes and new features) can be found in the complete changelog since 5.0.4:
- All Platforms
- Update Firefox to 38.5.0esr
- Update Tor to 0.2.7.6
- Update OpenSSL to 1.0.1q
- Update NoScript to 2.7
- Update HTTPS Everywhere to 5.1.1
- Update Torbutton to 126.96.36.199
- Bug 16990: Avoid matching '250 ' to the end of node name
- Bug 17565: Tor fundraising campaign donation banner
- Bug 17770: Fix alignments on donation banner
- Bug 17792: Include donation banner in some non en-US Tor Browsers
- Translation updates
- Bug 17207: Hide MIME types and plugins from websites
- Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
- Bug 16863: Avoid confusing error when loop.enabled is false
- Bug 17502: Add a preference for hiding "Open with" on download dialog
- Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
- Bug 16441: Suppress "Reset Tor Browser" prompt
- Bug 17747: Add ndnop3 as new default obfs4 bridge
Rabbi Rob Thomas, founder and CEO of Team Cymru, is a member of The Tor Project's Board of Directors, and a loud and proud advocate for Tor and our first fundraising campaign.
Rabbi Rob and his wife have issued a challenge to the Tor community worldwide: donate to Tor by 11:59pm PST on December 31st and they will match your gift, dollar for dollar, up to $18,000.
Rob and his wife Lauren normally make their contributions to the causes they support anonymously, for spiritual purposes. But their deep and long-term support for Tor's sustainability has moved them to make a public challenge. Your gift to Tor will now have twice the impact.
"The internet cannot heal itself in the face of tyrants," Thomas says. "Tor is the salve that heals that wound; Tor is what allows us to route around tyranny."
Our deep gratitude to you, Rabbi Rob and Lauren, and to all who join the challenge to #SupportTor.
I am honored to be joining the Tor Project today as the new Executive Director. I've been a big fan of Tor for a long time—ever since I met founders Roger Dingledine and Nick Mathewson in 2004 and learned about the important work they were doing to provide anonymity for online communications. Today Tor is an essential part of the Internet freedom infrastructure. Activists around the world depend on Tor, as do whistleblowers, victims of domestic violence, and regular citizens who care about their privacy.
This incredible team of people has built an amazing organization. I hope to help grow the Tor Project by building a more sustainable infrastructure and a more robust funding base, as well as by achieving greater adoption of Tor products by mainstream Internet users. There's a lot to be done, but I think we'll have fun while working to make the Internet safer and more secure.
I look forward to meeting many of you in the coming weeks and months, and I welcome your ideas and suggestions.
Yours in freedom,
At long last, I am thrilled to announce that our executive director search is now successful! And what a success it is: we have our good friend Shari Steele, who led EFF for 15 years, coming on board to lead us.
We've known Shari for a long time. She led EFF's choice to fund Tor back in 2004-2005. She is also the one who helped create EFF's technology department, which has brought us HTTPS Everywhere and their various guides and tool assessments.
Tor's technical side is world-class, and I am excited that Shari will help Tor's organizational side become great too. She shares our core values, she brings leadership in managing and coordinating people, she has huge experience in growing a key non-profit in our space, and her work pioneering EFF's community-based funding model will be especially valuable as we continue our campaign to diversify our funding sources.
Tor is part of a larger family of civil liberties organizations, and this move makes it clear that Tor is a main figure in that family. Nick and I will focus short-term on shepherding a smooth transition out of our "interim" roles, and after that we are excited to get back to our old roles actually doing technical work. I'll let Shari pick up the conversation from here, in her upcoming blog post.
Please everybody join me in welcoming Shari!
Here comes another stable release!
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as well as a minor bug in hidden service reliability. (For more information on the guard bug, see Roger's preliminary analysis.)
You can download the source from the usual place on the website. Packages should be up within a few days.
Changes in version 0.2.7.6 - 2015-12-10
- Major bugfixes (guard selection):
  - Actually look at the Guard flag when selecting a new directory guard. When we implemented the directory guard design, we accidentally started treating all relays as if they have the Guard flag during guard selection, leading to weaker anonymity and worse performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered by Mohsen Imani.
- Minor features (geoip):
  - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2 Country database.
- Minor bugfixes (compilation):
  - When checking for net/pfvar.h, include netinet/in.h if possible. This fixes transparent proxy detection on OpenBSD. Fixes bug 17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
  - Fix a compilation warning with Clang 3.6: Do not check the presence of an address which can never be NULL. Fixes bug 17781.
- Minor bugfixes (correctness):
  - When displaying an IPv6 exit policy, include the mask bits correctly even when the number is greater than 31. Fixes bug 16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
  - The wrong list was used when looking up expired intro points in a rend service object, causing what we think could be reachability issues for hidden services, and triggering a BUG log. Fixes bug 16702; bugfix on 0.2.7.2-alpha.
  - Fix undefined behavior in the tor_cert_checksig function. Fixes bug 17722; bugfix on 0.2.7.2-alpha.
Being able to build Tor Browser several times in a row and getting exactly the same result each time has been an important feature for a while now. It provides a direct link between the source code we provide and the binary that Tor users are downloading and using to surf the web. This offers a number of benefits to all parties involved:
- Users can verify that they really got the binary they were supposed to get
- Pressure on developers to provide a bullet-proof build and signing setup is reduced
- Incentives to pressure release engineers into inserting backdoors into the code are reduced
From December 1-3, 2015 we had the opportunity to discuss these and other topics around reproducible builds with members of different projects. Thanks to the Linux Foundation, the Open Technology Fund and Google, developers from Debian, FreeBSD, NetBSD, Google, the Guardian Project, Coreboot and Tor (to name just a few) were able to attend. The workshop started with exchanging experiences with already existing systems (like Gitian, which we use for Tor Browser). During the three days of the meeting, work went on to explore together future directions for advocacy, commonly used tools, infrastructure and documentation.
We were especially pleased to see the fruitful collaboration on the operating systems level. While it is good to have a reproducible Tor Browser, the security guarantees that it provides are even stronger if the operating systems and the toolchains used to build it can be created reproducibly as well. Moreover, all participants agreed that non-reproducibility is essentially a defect that needs to be fixed. This allows us to treat workarounds (like using libfaketime to avoid timestamp differences in binaries) as mere band-aids and instead focus on addressing the root causes of non-determinism directly upstream.
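The following is an added example, not code from Tor Browser's or Gitian's build system, showing what fixing non-determinism at the root looks like for one common artifact type. It packs the same files into a tar archive twice: once embedding build time, builder name and file enumeration order, and once with those fields pinned in the packing step itself, so that independent builders get the same SHA-256 without faking the clock. The file set, timestamps and builder names are constructed for the illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree": path -> contents.
SOURCES = {
    "browser/start.sh": b"#!/bin/sh\nexec ./firefox \"$@\"\n",
    "browser/prefs.js": b'pref("example.setting", true);\n',
    "README": b"constructed sample bundle\n",
}

def naive_bundle(files, build_time, builder):
    """Archive that leaks build time, builder identity and dict order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = build_time      # differs on every build
            info.uname = builder         # differs per build machine
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def reproducible_bundle(files, source_date_epoch):
    """Same archive with every environment-dependent field pinned."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):       # fixed member order
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch   # taken from the source, not the clock
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def compare_builds():
    """Two builders with different clocks and file enumeration order."""
    shuffled = dict(reversed(list(SOURCES.items())))
    naive = (digest(naive_bundle(SOURCES, 1449100000, "alice")),
             digest(naive_bundle(shuffled, 1449186400, "bob")))
    fixed = (digest(reproducible_bundle(SOURCES, 1449014400)),
             digest(reproducible_bundle(shuffled, 1449014400)))
    return naive[0] == naive[1], fixed[0] == fixed[1]
```

`compare_builds()` returns whether the two naive digests match and whether the two pinned digests match; only the second pair agrees, which is the property a user relies on when checking a downloaded binary against an independent rebuild.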
Thanks to Allen Gunn and the Aspiration team for the excellent facilitation and all participants for the productive and exciting time. See all of you at the next workshop!
We are pleased to announce another public beta release of Tor Messenger. This release addresses a number of stability and usability issues, and includes the default bridge configurations for pluggable transports.
The initial public release was a success in that it garnered a lot of useful feedback. We tried to respond to all your concerns in the comments of the blog post but also collected and aggregated a FAQ of the most common questions.
Before upgrading to the new release, you will need to back up your OTR keys or simply generate new ones. Please see the following steps to back them up.
In our eagerness to build on work done by Tor Browser, we made the decision to store your profile directory inside the application bundle. This complicates matters when you want to use the same accounts and keys across updates, especially while we don't have an automatic updater. Please see #13861.
Also, as was vociferously pointed out by some of our early adopters, this probably isn't a very intuitive user experience. Copying the extracted application to someone else's computer would unknowingly transfer your accounts and OTR keys. It's unclear if this is commonly done and we'd love feedback on this point to understand the urgency of the issue.
In future releases, we plan on revisiting this decision. The number one item on our roadmap is porting Tor Browser's updater patches (#14388) so that keeping Tor Messenger up-to-date is seamless and automatic. We also plan to add a UI to make importing OTR keys and accounts from Pidgin, and other clients, as easy as possible (#16526).
Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.
The sha256sums.txt file containing hashes of the bundles is signed with the key 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391.
Here is the complete changelog since v0.1.0b2:
Tor Messenger 0.1.0b4 -- November 22 2015
- All Platforms
- Bug 17492: Include default bridges configuration
- Use tor and the pluggable transports from tor-browser 5.0.4
- Bug 17552: Instantbird should handle XMPP message stanzas with subjects
- Bug 17539: Pass username when interpolating resent string
- Bug 15179: Add an OTR Preferences item to the Tools menu
- Use the FIREFOX_42_0_RELEASE tag on mozilla-release
- Use the THUNDERBIRD_42_0b2_RELEASE tag on comm-release
- Bug 16489: Prevent automatic logins at startup
- Update Tor Messenger logo in Tor Launcher
- Bug 16476: Themes preference is positioned incorrectly
- Bug 17456: Application hang when navigating the preferences menu
Tor Messenger 0.1.0b3 -- October 30 2015
- Bug 17453: Fix Tor Messenger crash when starting up in Windows