Update 2013/6/28: Describe workaround for the Windows d2d1.dll crash.
After almost 6 months of solid development, the Tor Project is proud to announce the first alpha in the 3.0 series of the Tor Browser Bundle!
The 3.0alpha1 bundles are downloadable from the Tor Package Archive.
Here are the major highlights of the 3.0 series:
- Usability, usability, usability!
We've attempted to solve several major usability issues in this series, including:
- No more Vidalia
The Tor process management is handled by the new Tor Launcher Firefox extension. If you want the Vidalia map and other features, you can point an existing Vidalia binary at control port 9151 after Tor Browser has launched, and it should still work (and even allow you to reconfigure the TBB Tor as a bridge or a relay).
- Local homepage with search box
The browser now uses a local about:tor homepage instead of https://check.torproject.org. A local verification against the Tor control port is still performed, to ensure Tor is working, and a link to https://check.torproject.org is provided from the about:tor homepage for manual verification as well.
- Guided Extraction for Windows
For Windows users, an NSIS-based extractor now guides you through the TBB extraction and ensures the extracted bundle ends up on your Desktop, or in a known location chosen by you (but make sure you have permissions on that location). Hopefully this will mean no more losing track of the extracted bundle files!
- No more Vidalia
- Email-sized bundles
The bundles are all under the 25M gmail attachment size limit, so direct email and gettor attachments are once again possible.
- Improved build security and integrity verification
We now use Gitian to build the bundles. The idea behind Gitian is to allow independent people to take our source code and produce exactly identical binaries on their own. We're not quite at the point where you always get a matching build, but the remaining differences are minor, and within a couple more releases we should have it fully reproducible. For now, we are posting all of the builds for comparison, and you can of course build and compare your own.
Of course, being an alpha release (in fact, the first alpha release of this series), we expect these bundles to have some issues. Here's the major user-facing issues that we know about so far:
- Crash Issue: Windows Permissions
On Windows, if you install the bundle to anywhere other than the Desktop, permissions issues can cause the bundles to crash at startup.
- Crash Issue: Windows Software Conflict(s)
There appears to be an issue with direct2d rendering acceleration that affects some video cards, and has a crash report with a module d2d1.dll. The simplest workaround is to right click on 'Start Tor Browser' and select "Properties->Compatibility->Run in Windows XP Compatibility mode".
- Extraction: Delete or rename your old TBB directory first!
These bundles are significantly different than the previous alphas or stable releases. You must not extract this bundle on top of a previous TBB directory, or multiple things will break. If you want to preserve your bookmarks and history, you can do so by copying only the places.sqlite file from your old bundle directory into the new one. The good news is that the elimination of Vidalia should make it much simpler for us to finally deploy an autoupdater, but please bear with us until we can finally complete that important usability work.
- Misc: Missing Translations
Some of the translations strings for the Tor Launcher startup got munged by Transifex. In particular, the Farsi and the German builds both have missing button labels and strings.
If you experience any other issues, please let us know and/or file a bug!
We have been discussing setting up a Q&A page for a while now and have finally proposed a Stack Exchange page for Tor.
The detailed version about how we go from a proposal to a live page can be found in this FAQ, but here is a quick summary:
A user proposes a new page, other users follow said page, and users create and vote on hypothetical questions. Each user can only ask 5 questions and vote on other questions. Once the page reaches enough followers and questions with a high score, the page moves into the "Commit" phase. A small number of users will need to commit to help building the site. Once that's done, the page goes live and is considered to be in "Beta".
The proposal is currently in a "Definition" phase. To move to the next phase, we need (1) a high number of followers of the page, and (2) a collection of good, relevant questions.
After numerous reports that the 64-bit Tor Browser Bundle was crashing frequently, we've updated all them. If you were having problems with the last ones, please try these instead and let us know if you have any further problems. Only the 64-bit Linux Tor Browser Bundles have been updated, the other Tor Browser Bundles are still 2.3.25-8
Tor Browser Bundle (2.3.25-9)
- Rebuild 64-bit bundles with Firefox optimizations disabled in order to prevent browser crashes. (closes: #8970)
- Update HTTPS Everywhere to 3.2.2
- Update NoScript to 220.127.116.11
Due to several requests received today from members of the press community and others we felt it was in the best interest of time and consistency to provide a statement regarding today's developments and stories surrounding the NSA Prism surveillance program.
The Tor Project is a nonprofit 501(c)(3) organization dedicated to providing tools to help people manage their privacy on the Internet. Beyond our free, open source technology and extensive research we actively foster important conversations with many global organizations in order to help people around the world understand the value of privacy and anonymity online. As a result, members of the core Tor team and the greater Tor community are out in the world sharing knowledge and insights with countless individuals every day - many times handing out free Tor stickers; with no donation requested or expected. Edward Snowden, like tens of thousands of people, put Tor stickers on their devices. He likely got it at a conference from one of us in the past year.
Today, as always, the team at Tor remains committed to building innovative, sustainable technology solutions to help keep the doors to freedom of expression open.
For more on our view on this situation visit also our blog post:
For further questions please contact us at firstname.lastname@example.org.
By now, just about everybody has heard about the PRISM surveillance program, and many are beginning to speculate on its impact on Tor.
Unfortunately, there still are a lot of gaps to fill in terms of understanding what is really going on, especially in the face of conflicting information between the primary source material and Google, Facebook, and Apple's claims of non-involvement.
This apparent conflict means that it is still hard to pin down exactly how the program impacts Tor, and is leading many to assume worst-case scenarios.
For example, some of the worst-case scenarios include the NSA using weaponized exploits to compromise datacenter equipment at these firms. Less severe, but still extremely worrying possibilities include issuing gag orders to mid or low-level datacenter staff to install backdoors or monitoring equipment without any interaction what-so-ever with the legal and executive staff of the firms themselves.
We're going to save analysis of those speculative and invasive scenarios for when more information becomes available (though we may independently write a future blog post on the dangers of the government use of weaponized exploits).
For now, let's review what Tor can do, what tools go well with Tor to give you defense-in-depth for your communications, and what work needs to be done so we can make it easier to protect communications from instances where the existing centralized communications infrastructure is compromised by the NSA, China, Iran, or by anyone else who manages to get ahold of the keys to the kingdom.
The core Tor software's job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end. By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools.
Through the use of HTTPS-Everywhere in Tor Browser, in many cases we can protect your communications content where parts of the Tor network and/or your recipients' infrastructure are compromised or under surveillance. The EFF has created an excellent interactive graphic to help illustrate and clarify these combined properties.
Through the use of combinations of additional software like TorBirdy and Enigmail, OTR, and Diaspora, Tor can also protect your communications content in cases where the communications infrastructure (Google/Facebook) is compromised.
However, the real interesting use cases for Tor in the face of dragnet surveillance like this is not that Tor can protect your gmail/facebook accounts from analysis (in fact, Tor could never really protect account usage metadata), but that Tor and hidden services are actually a key building block to build systems where it is no longer possible to go to a single party and obtain the full metadata, communications frequency, *or* contents.
Tor hidden services are arbitrary communications endpoints that are resistant to both metadata analysis and surveillance.
A simple (to deploy) example of a hidden service based mechanism to significantly hinder exactly this type of surveillance is an XMPP client that also ships with an XMPP server and a Tor hidden service. Such a P2P communication system (where the clients are themselves the servers) is both end-to-end secure, and does *not* have a single central server where metadata is available. This communication is private, pseudonymous, and does not have involve any single central party or intermediary.
Despite these compelling use cases and powerful tool combination possibilities, the Tor Project is under no illusion that these more sophisticated configurations are easy, usable, or accessible by the general public.
We recognize that a lot of work needs to be done even for the basic tools like Tor Browser, TorBirdy, EnigMail, and OTR to work seamlessly and securely for most users, let alone complex combinations like XMPP or Diaspora with Hidden Services.
Additionally, hidden services themselves are in need of quite a bit of development assistance just to maintain their originally designed level of security, let alone scaling to support large numbers of endpoints.
Being an Open Source project with limited resources, we welcome contributions from the community to make any of this software work better with Tor, or to help improve the Tor software itself.
If you're not a developer, but you would still like to help us succeed in our mission of securing the world's communications, please donate! It is a rather big job, after all.
We will keep you updated as we learn more about the exact capabilities of this program.
We've updated the Pluggable Transports Tor Browser Bundles with Firefox 17.0.6esr and Tor 0.2.4.11-alpha. These correspond to the Tor Browser Bundle release of May 14.
These bundles contain contain flash proxy and obfsproxy configured to run by default. Flash proxy has a new faster registration method, flashproxy-reg-appspot. The existing flashproxy-reg-email and flashproxy-reg-http will be tried if flashproxy-reg-appspot doesn't work.
If you want to use flash proxy, you will have to take the extra steps listed in the flash proxy howto.
These bundles contain the same hardcoded obfs2 bridge addresses as the previous bundles which may work for some jurisdictions but you are strongly advised to get new bridge addresses from BridgeDB: https://bridges.torproject.org/?transport=obfs2 https://bridges.torproject.org/?transport=obfs3.
These bundles are signed by David Fifield (0x5CD388E5) with this fingerprint.
Tails, The Amnesic Incognito Live System, version 0.18, is out.
All users must upgrade as soon as possible.
Notable user-visible changes include:
- New features
- Support obfs3 bridges.
- Automatically install a custom list of additional packages chosen by the user at the beginning of every working session, and upgrade them once a network connection is established (technology preview).
- Upgrade to Iceweasel 17.0.5esr-0+tails2~bpo60+1.
- Update Torbrowser patches to current maint-2.4 branch (567682b).
- Torbutton 1.5.2, and various prefs hacks to fix breakage.
- HTTPS Everywhere 3.2
- NoScript 18.104.22.168-1
- Isolate DOM storage to first party URI, and enable DOM storage.
- Isolate the image cache per url bar domain.
- Update prefs to match the TBB's, fix bugs, and take advantage of the latest Torbrowser patches.
- Make prefs organization closer to the TBB's, and generally clean them up.
- Linux 3.2.41-2+deb7u2.
- All Iceweasel prefs we set are now applied.
- Bring back support for proxies of type other than obfsproxy.
- Minor improvements
kernel.dmesg_restrict=1, and make
/proc/<pid>/invisible and restricted for other users. It makes it slightly harder for an attacker to gather information that may allow them to escalate privileges.
- Install gnome-screenshot.
- Add a About Tails launcher in the System menu.
- Install GNOME accessibility themes.
- Use Getting started... as the homepage for the Tails documentation button.
- Disable audio preview in Nautilus.
- Localization: many translation updates all over the place.
See the online Changelog for technical details.
The web browser default search engine is Google, instead of the intended localized Startpage. You may select Startpage HTTPS in the search engine menu next to the Google icon.
I want to try it / to upgrade!
See the Getting started page.
As no software is ever perfect, we maintain a list of problems that affects the last release of Tails.
What's coming up?
The next Tails release is scheduled for June 27.
Have a look to our roadmap to see where we are heading to.
Would you want to help? As explained in our "how to contribute" documentation, there are many ways you can contribute to Tails. If you want to help, come talk to us!
There is a new Firefox 17.0.6esr out and all of the Tor Browser Bundles (stable and alpha branches) have been updated. The new stable TBBs have a lot of new and updated Firefox patches, so those of you who were experiencing crashes should no longer be seeing that behavior. Please let us know if you do by opening a ticket with details.
The stable Tor Browser Bundles are available at their normal location.
The alpha Tor Browser Bundles are available here.
Tor Browser Bundle (2.3.25-8)
- Update Firefox to 17.0.6esr
- Update HTTPS Everywhere to 3.2
- Update Torbutton to 1.5.2
- Update libpng to 1.5.15
- Update NoScript to 22.214.171.124
- Firefox patch changes:
- Apply font limits to @font-face local() fonts and disable fallback
rendering for @font-face. (closes: #8455)
- Use Optimistic Data SOCKS handshake (improves page load performance).
- Honor the Windows theme for inverse text colors (without leaking those
colors to content). (closes: #7920)
- Increase pipeline randomization and try harder to batch pipelined
requests together. (closes: #8470)
- Fix an image cache isolation domain key misusage. May fix several image
cache related crash bugs with New Identity, exit, and certain websites.
- Torbutton changes:
- Allow session restore if the user allows disk actvity (closes: #8457)
- Remove the Display Settings panel and associated locales (closes: #8301)
- Fix "Transparent Torification" option. (closes: #6566)
- Fix a hang on New Identity. (closes: #8642)
- Build changes:
- Fetch our source deps from an https mirror (closes: #8286)
- Create watch scripts for syncing mirror sources and monitoring mirror
integrity (closes: #8338)
- Update Firefox to 17.0.6esr
- Update NoScript to 126.96.36.199
Tor Browser Bundle (2.4.12-alpha-2)