Blogs

2012 Annual Report

We are excited to announce the Tor Project 2012 Annual Report, which highlights the activities and outstanding accomplishments by the Tor team over the past year. Also included is a glimpse at Tor's strategic initiatives for 2013.

PDF version is available at:
https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pd...

A special thank you goes out to our funders and supporters for their continued commitment to our mission.

For questions regarding the annual report, contact execdir@torproject.org.

New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

JOIN US - Tor Project Boston Hack Day Event - March 20, 2013 - Hosted by Boston University's Department of Computer Science

Join us for a unique public hack day event where you will have an opportunity to work in a highly collaborative, interactive environment with Tor's team of technology and research experts. Topics for the day will be determined by the attendees; so bring your ideas, questions, projects and technical expertise with you! Continental breakfast will be provided.

Wednesday, March 20, 2012
9 am until 5 pm
BU Computer Science Dept, 111 Cummington Mall, Boston, MA - ROOM 148
Directions: http://www.bu.edu/cs/about/directions-and-contact/

Hosted by Boston University's Department of Computer Science

For more information or questions, contact execdir@torproject.org.

CryptoParty Stockholm

I attended the Stockholm Cryptoparty on Saturday the 16th of February. I was asked to give the opening talk, "Varför krypto?", to start off the day. My goal was to explain why cryptography should be used daily by everyone in mundane ways. The general topic was about how I watch kids using cryptography daily, without knowing it or without fully understanding the technical details behind it. This is ok. Kids chat a lot. When you introduce Off-the-record to their chats, they instantly understand that the chats are now private, and can be authenticated. The distinction between the two concepts is fairly easy to grasp, even if they don't understand the details of hashes, key exchanges, or ciphers. Once a few core people start using OTR, for example, then it spreads to their friends and soon you have networks of kids using OTR having safe and secure chats.

The simplest three steps people can take to begin using cryptography daily are:

  1. Use https everywhere in your browser.
  2. Use a browser password manager. KeePass is as good as any. The point is to keep username/passwords unique and complex per site/service. The next time LinkedIn or some major site loses tens of millions of passwords, you're protected because it's not the same username and password you used for your Gmail, Facebook, Twitter, banking, and VKontakte accounts.
  3. Use Tor for actions you want to keep private. Everything on the Internet leaves a trace. The world knows you're a dog online.

Thankfully, I could give the introduction in English and not have to offend the attendees with my poor Swedish. Linus gave a great Tor talk in Swedish. Overall, the day went well. We had huge pizzas and generally a great time. Many people were new to cryptoparties and new to cryptography in general. It was a great time. As an American, it was nice to see about 50% women attending. There were a number of younger kids learning about all of this too. The cryptoparties I've attended in the USA have been all men and the maybe one girlfriend or wife dragged to the event.

(Unfortunately, the camera recording my talk malfunctioned and corrupted the video. However, other images and videos from the day are available on our media server.)

Thanks to DFRI, Sparvnästet, and iis.se for hosting the event and inviting me to attend.

New flash proxy talk

Last week I gave an hour-long talk about flash proxies.

The talk contains a detailed summary of the whole system, plus some new information like the details of our rendezvous system and graphs showing usage numbers. I thank the Stanford Computer Systems Colloquium for giving me the opportunity to speak.

Tails 0.17 is out!

Tails, The Amnesic Incognito Live System, version 0.17, is out.

All users must upgrade as soon as possible.

Download it now.

Changes

Notable user-visible changes include:

  • New features
    • Install the KeePassX password manager, with a configuration and documentation that makes it easy to persist the password database.
  • Iceweasel
    • Upgrade to Iceweasel 17.0.3esr-1+tails1~bpo60+1.
    • Do not allow listing all available fonts.
    • Improve default spellchecker dictionary selection.
    • Disable the add-ons automatic update feature.
    • Remove NoScript click-to-play confirmation.
    • Sync some prefs set by Torbutton, to be ready when it stops setting these.
    • Disable navigation timing.
    • Disable SPDY.
    • More aggressive iceweasel HTTP pipelining settings.
    • Enable WebGL (as click-to-play only).
    • Disable network.http.connection-retry-timeout.
    • Disable full path information for plugins.
    • Remove NoScript blocks of WebFonts.
  • Minor improvements
    • Upgrade to live-boot 3.0~b11-1 and live-config 3.0.12-1.
    • Don't add "quiet" to the kernel command-line ourselves.
    • Upgrade I2P to 0.9.4.
  • Bugfixes
    • Many bugfixes brought by the Debian Squeeze 6.0.7 point-release.
    • Use the regular GnuPG agent + pinentry-gtk2 instead of Seahorse as a GnuPG agent. This fixes usage of OpenPGP in Claws Mail, and brings support for OpenPGP smartcards.
    • Enable I2P hidden mode. Else, killing I2P ungracefully is bad for the I2P network.
    • Add shutdown and reboot launchers to the menu. This works around the lack of a shutdown helper applet in camouflage mode.
    • Remove Pidgin's MXit and Sametime support to work around security flaws.
  • Hardware support
    • Install recent Intel and AMD microcode.
    • Install firmware loader for Qualcomm Gobi USB chipsets.
    • Upgrade barry to 0.18.3-5~bpo60+1.
  • Localization
    • Tails USB Installer: update translations for Arabic, Czech, German, Hebrew, Polish and Spanish.
    • tails-greeter: update Spanish and French translations, new Polish translation.
    • tails-persistence-setup: update translations for Arabic, Bulgarian, Spanish, French, Dutch, Polish and Chinese.
    • WhisperBack: update Spanish and Korean translations, import new Polish translation.

Plus the usual bunch of bug reports and minor improvements.

See the online Changelog for technical details.

I want to try it / to upgrade!

See the Getting started page.

As no software is ever perfect, we maintain a list of problems that affect the last release of Tails.

What's coming up?

The next Tails release is scheduled for April 9. It will probably be a minor, bugfix only one.

Have a look at our roadmap to see where we are heading.

Would you want to help? As explained in our "how to contribute" documentation, there are many ways you can contribute to Tails. If you want to help, come talk to us!

New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Open these into their own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

TorBirdy: our first beta release!

Today we are happy to release our first beta of TorBirdy. It has been in development since April of last year and was released internally on the tor-talk mailing list. We think we've had just over five thousand users testing it in the last year. We have polished it and we've made great progress.

What is TorBirdy?

TorBirdy is a Torbutton-like extension for Thunderbird, Icedove and related Mozilla mail clients. It may also work with other non-web browser Mozilla programs such as Sunbird. We've also added support for JonDo, Whonix, Tails; if that means something to you, let us know how it works!

We offer two ways to install TorBirdy - either by visiting our website (sig) or by visiting the Mozilla AddOn page for TorBirdy (xpi available here).

As a general anonymity and security note: we're still working on two known anonymity issues with Mozilla. When our improvements to Thunderbird are accepted, it will be anonymity ready out of the box and we'll do a proper full release.

We'd love help with translations, programming or anything that you think will improve TorBirdy!

Thanks to all of our TorBirdy users and contributors - Sukhbir and I would especially like to thank tagnaq and Karsten N!
