New Tor packages and updated stable Tor Browser Bundles

There's a new Tor out and all packages, including the beta Tor Browser Bundles, have been updated. The stable Tor Browser Bundles have also been updated to fix a bug in the last release which prevented the language packs from working (which resulted in all of the bundles being in English!). We're very sorry about this.

Tor Browser Bundle (2.3.25-12)

  • Re-add the locale pref to the Firefox prefs file to allow for localization
    of bundles again (closes: #9436)

Tor Browser Bundle (2.4.16-beta-1)

  • Update Tor to
  • Re-add the locale pref to the Firefox prefs file to allow for localization
    of bundles again (closes: #9436)

Pluggable transports bundles 2.4.15-beta-2-pt1 with Firefox 17.0.8esr

We've updated the Pluggable Transports Tor Browser Bundles with Firefox 17.0.8esr and Tor These correspond to the Tor Browser Bundle release of August 9 and contain important security fixes.

These bundles contain flash proxy and obfsproxy configured to run by default. If you want to use flash proxy, you will have to take the extra steps listed in the flash proxy howto.

These bundles contain the same hardcoded obfs2 bridge addresses as the previous bundles which may work for some jurisdictions but you are strongly advised to get new bridge addresses from BridgeDB.

These bundles are signed by David Fifield (0x5CD388E5) with this fingerprint.

Tor Browser Bundle 3.0alpha3 Released

The third alpha release in the 3.0 series of the Tor Browser Bundle is now available from the Tor Package Archive:

This release includes important security updates to Firefox. Here is the complete ChangeLog:

  • All Platforms:
    • Update Firefox to 17.0.8esr
    • Update Tor to
    • Update HTTPS-Everywhere to 3.3.1
    • Update NoScript to
    • Improve build input fetching and authentication
    • Bug #9283: Update NoScript prefs for usability.
    • Bug #6152 (partial): Disable JSCtypes support at compile time
    • Update Torbutton to 1.6.1
      • Bug 8478: Change when window resize code fires to avoid rounding errors
      • Bug 9331: Hack a correct download URL for the next TBB release
      • Bug 9144: Change an aboutTor.dtd string so transifex will accept it
    • Update Tor-Launcher to 0.2.1-alpha
      • Bug #9128: Remove dependency on JSCtypes
  • Windows:
    • Bug #9195: Disable download manager AV scanning (to prevent cloud
      reporting+scanning of downloaded files)
  • Mac:
    • Bug #9173 (partial): Launch firefox-bin on MacOS instead of
      (improves dock behavior).

As usual these binaries should be exactly reproducible by anyone with Ubuntu and KVM support (though there are some issues in LXC).
To build your own identical copies of these bundles from source code, check out the official repository and use git tag tbb-3.0alpha3-release (commit 49db54d147bd0bccc26f1d4f859cf9fe97e5f14c).

These instructions should explain things from there. If you notice any differences from the official bundles, I would love to hear about it!

New Tor Browser Bundles with Firefox 17.0.8esr

All of the Tor Browser Bundles have been updated with Firefox 17.0.8esr, which includes critical security fixes. All users are strongly encouraged to upgrade. To read more about which kinds of fixes are in this version of Firefox, please click here. This link is also included in the changelogs, and we will continue to add it in future versions of the Tor Browser Bundle so that users can always be aware of major issues.

Tor Browser Bundle (2.3.25-11)

Tor Browser Bundle (2.4.15-beta-2)

Tails 0.20 is out

Tails, The Amnesic Incognito Live System, version 0.20, is out.

All users must upgrade as soon as possible: this release fixes numerous security issues.

Download it now.


Notable user-visible changes include:

  • New features
    • Install Linux kernel 3.10.3-1 from Debian unstable.
    • Iceweasel 17.0.8esr + Torbrowser patches.
  • Bugfixes
    • Prevent Iceweasel from displaying a warning when leaving HTTPS web sites.
    • Make Iceweasel use the correct, localized search engine.
    • Fix Git access to https:// repositories.
  • Minor improvements
    • Install Dasher, a predictive text entry tool.
    • Add a wrapper around TrueCrypt which displays a warning about it soon being deprecated in Tails.
    • Remove Pidgin libraries for all protocols but IRC and Jabber/XMPP. Many of the other protocols Pidgin supports are broken in Tails and haven't got any security auditing.
    • Disable the pre-defined Pidgin accounts so they do not auto-connect on Pidgin start.
    • Include information about Alsa in WhisperBack reports.
    • Explicitly restrict access to ptrace. While this setting was enabled by default in Debian's Linux 3.9.6-1, it was later disabled in 3.9.7-1. It's unclear what will happen next, so let's explicitly enable it ourselves.
    • Do not display dialog when a message is sent in Claws Mail.
    • Sync iceweasel preferences with the Torbrowser's.
  • Localization
    • Many translation updates all over the place.
    • Merge all Tails-related POT files into one, and make use of intltoolize for better integration with Transifex.

See the online Changelog for technical details.

Known issue

No new known issues, but there are longstanding known issues.

I want to try it / to upgrade!

See the Getting started page.

As no software is ever perfect, we maintain a list of problems that affect the last release of Tails.

What's coming up?

The next Tails release is scheduled for around September 19.

Have a look at our roadmap to see where we are heading.

Do you want to help? There are many ways you can contribute. If you want to help, come talk to us!

NNEDV Tech Summit 2013 Report

I was invited to talk for 90 minutes at NNEDV's TechSummit 13 about privacy, helping victims, and Tor. My presentation covered a quick overview of Tor, why I'm here talking about domestic violence and intimate partner abuse, and what we're doing to help. I also included four case studies which highlight the role of technology in stalking and abuse. Videos of my talk may make their way online at some point. At the request of the audience, I walked through my World Bank Hackathon presentation to show how easy it is to infect a mobile phone and what an abuser will get out of such an action.

The conference was held at the great Hayes Mansion which allowed for lots of informal conversations in a more relaxed atmosphere. The attendees are a mix of advocates from around the world, law enforcement, commercial companies (such as Apple, Facebook, Google, Verizon, Mozilla, etc), and a number of lawyers from public and private organizations.

I could only stay for one day of the three-day conference, but once again, it was great to engage in conversations with people of all backgrounds. Many organizations are now more aware of Tor and interested in talking to us about using our technology and experience to help. Hopefully our continuing commitment to helping and past experience in this area are beginning to make a difference.

Overall, it was great to be invited and worth the trip.

Tor Weekly News — August, 7th 2013

Welcome to the 6th issue of Tor Weekly News, the weekly newsletter that covers what is happening in the resilient Tor community.

Large hidden services provider compromised, attacks older TBB versions

Andrew Lewman wrote: “Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor network.”

It turned out that Freedom Hosting, a company specializing in hosting websites accessible through Tor hidden services, was compromised. As Andrew puts it, “From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers.” Andrew also reiterated that “the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research”.

The Tor Browser is currently based on Mozilla Firefox 17 ESR. With the help of Mozilla and other researchers, it was understood that the exploit used a vulnerability in the Firefox JavaScript engine to attack Windows users of the Tor Browser Bundle. This vulnerability was fixed in Firefox 17.0.7 ESR and subsequently in Tor Browser Bundle versions 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 3.0alpha2 (released June 30 2013) and 2.4.15-beta-1 (released July 8 2013).

Users running updated versions, and those who have disabled JavaScript, are not affected by the exploit.

Roger Dingledine issued a security advisory with advice to mitigate future issues: “be sure you’re running a recent enough Tor Browser Bundle”, “be sure to keep up-to-date in the future”, “consider disabling JavaScript”, “consider switching to a “live system” approach like Tails”, “be aware that many other vectors remain for vulnerabilities in Firefox”. It is strongly advised to read the advisory in full.

The versions of Firefox used in Pluggable Transport bundles are still vulnerable. Replacements have been built, with credit to David Fifield, but they are yet to be released.

The press is running many stories covering these events, several containing false information. A better example is Kevin Poulsen’s article published in Wired on August 5th. It did, however, assert that “the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle”; in fact, most recent Tor Browser Bundle releases, with the exception of Pluggable Transports bundles, contained the patched version of Firefox ESR.

Monthly status reports for July 2013

The wave of regular monthly reports from Tor project members for the month of July has begun. Philipp Winter was first this time, followed by reports from Arlo Breault, Nick Mathewson, Noel David Torress Taño, Colin C., Sherief Alaa, Karsten Loesing, Damian Johnson, Mike Perry, George Kadianakis, and Andrew Lewman.

Miscellaneous news

Tails developers issued a call for testing of the first release candidate of the upcoming 0.20 [21]. Send them your reports!

Security researcher Jason Geffner presented Tortilla, a new tool to route all TCP/IP and DNS traffic through the Tor network on Windows, during Black Hat USA 2013 and subsequently on the tor-talk mailing list. Binary and source code are available and are awaiting reviews by the community.

Wendell announced the first release of Tor.framework, a “Cocoa framework that allows developers to write apps for Mac OS X and iOS that work over the Tor onion routing network”. No comments have been made yet. Feel free to look at the source code, review and experiment.

Jerzy Łogiewa asked on tor-talk if Tor hidden services could be made to work near the speed of the standard web. Arian Sanusi replied that speed of light was actually the limiting factor for latency issues: “if relays were homogeneous distributed among the globe, two random relays will be 1/4 earth circumference apart on average. […] That’s 400ms from finite speed of light. Switches, routers and relays along the way will add to that.”

Thanks to Michael Marz and Neo for running new mirrors of the Tor website.

This issue of Tor Weekly News has been assembled by dope457, malaparte, Lunar, harmony, and Yawning.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing-list if you want to get involved!

Tor security advisory: Old Tor Browser Bundles vulnerable

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.

Read the full advisory here:
