Blogs

Announcement: The Tor Project is now accepting Bitcoin Donations

Over the past year, we have received many requests for us to accept bitcoin donations. After careful consideration and research, we are thrilled to announce that effective today The Tor Project is accepting bitcoin donations. In partnership with Bitpay, bitcoins can easily and directly be donated to support Tor’s ongoing mission of being the global resource for privacy technology advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. Check out our donations page now. Bitcoin donations received by The Tor Project will be converted directly to US Dollars.

Our decision to accept bitcoins has been well thought out and researched from a financial accounting perspective with an eye on passing our required annual A-133 audit. We believe we are the first US 501(c)3 non-profit organization to test acceptance of bitcoins and attempt to pass the US Government A-133 Audit Standard. Our 2013 audit results, along with our past financial documents, will be made available on our website once complete in 2014.

The Tor Project is also proud to be in the company of other visible non-profit organizations accepting bitcoins including EFF and Wordpress.

Why is this important? The Tor Project needs your donations to continue our mission and to keep the Tor suite of technologies ahead of the growing threats to privacy and anonymity around the world. Your donation made TODAY, through bitcoin, Paypal, Amazon Payments, Givv.org, checks, money orders or bank transfers, will provide greater security and privacy for millions around the world who use Tor every day.

Help us continue our mission!

Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:
https://archive.torproject.org/tor-package-archive/torbrowser/3.5rc1/.

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encouraged to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, it will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to 2.6.8.7
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to 0.2.4.1
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to 1.6.5.1
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213: Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

Tails 0.22 is out

Tails, The Amnesic Incognito Live System, version 0.22, is out.

All users must upgrade as soon as possible: this release fixes numerous security issues.

Download it now but first, please consider testing the incremental upgrade.

Changes

  • Security fixes
    • Upgrade to Iceweasel 24.2.0esr that fixes a few serious security issues.
    • Stop migrating persistence configuration and access rights. Instead, disable all persistence configuration files if the mountpoint has wrong access rights.
    • Upgrade to NSS 3.15.3 that fixes a few serious security issues affecting the browser.
  • Major improvements
    • Switch to Iceweasel 24.2.0esr and Torbutton 1.6.5.
    • Incremental upgrades are ready for beta-testing.
  • Bugfixes
    • Fix Vidalia startup.
    • Disable DPMS screen blanking.
    • Fix checking of the persistent volume's ACL.
    • Sanitize more IP and MAC addresses in bug reports.
    • Do not fail USB upgrade when the "tmp" directory exists on the destination device.
  • Minor improvements
    • Clearer warning when deleting the persistent volume.
    • Use IBus instead of SCIM.
    • Always list optimal keyboard layout in the greeter.
    • Fix on-the-fly translation of the greeter in various languages.
    • Update I2P to 0.9.8.1 and rework its configuration.

See the online Changelog for technical details.

Known issues

  • The Unsafe Browser cannot connect to the Internet (ticket #6479). This can be worked around by setting network.proxy.socks_remote_dns to false on the about:config web page.
  • Keyboard shortcuts use QWERTY mapping instead of AZERTY on French keyboard (ticket #6478). This may impact other keyboard layouts as well.
  • TorBrowser takes too long to shutdown (ticket #6480).
  • TorBrowser proposes to share the microphone with websites (ticket #6481).
  • htpdate uses a different User-Agent than the Tor Browser (ticket #6477).
  • The included Linux 3.10-3 (version 3.10.11-1) kernel has a few known security issues.
  • Longstanding known issues.

I want to try it or to upgrade!

Go to the download page but first, please consider testing the incremental upgrade.

As no software is ever perfect, we maintain a list of problems that affect the last release of Tails.

What's coming up?

The next Tails release is scheduled for January 21.

Have a look at our roadmap to see where we are heading.

Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!

Tor Weekly News — December 11th, 2013

Welcome to the twenty-fourth issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

Introducing a new Lead Automation Engineer

The Tor Project welcomed a new member, Nicolas Vigier, in the role of Lead Automation Engineer. He swiftly got down to business by putting out a call for automation-related feedback “from developers of any tor components”, promising a summary of “the current status regarding build, packaging, testing, and what should be done” to improve the automated processes involved in Tor development, as well as “some proposals and a general plan for the work to be done during the coming months”, an early version of which is already online. A warm welcome to him!

Freedom of the Press Foundation launch a support campaign for Tor

In his report for November, Roger Dingledine wrote: “We've also been pondering lately how to do a fundraising or donations drive, to help move us off our reliance on government funders.” The good news is that Tor has many supporters.

The Freedom of the Press Foundation just started a campaign to support encryption tools for journalists that is going to last for two months. The campaign is gathering funds for Tor core development work, the Tails live system, the encrypted mobile communication tools RedPhone and TextSecure, and the encrypted email platform LEAP.

Spread the word and help make the campaign a success. Direct donations to The Tor Project are also always possible.

More monthly status reports for November 2013

The wave of regular monthly reports from Tor project members for the month of November continued, with reports from Roger Dingledine, Georg Koppen, Karsten Loesing, Matt Pagan, Nicolas Vigier, Philipp Winter, Damian Johnson, and Noel David Torres Taño.

Miscellaneous news

David Fifield has produced updated “pluggable transport bundles” based on the 2.4.18 browser bundles. Be sure to upgrade!

David also announced great progress in integrating our current set of pluggable transports within the new Tor Browser 3 build infrastructure.

Thanks to Himanshu from India, Andrew Lewman was able to deploy a new script to list mirrors of the Tor Project's website. The new code will ensure that mirrored files are “100% the same as those on torproject.org (hashing, pgp signatures, etc)” and will remove and re-instate mirrors accordingly.

Thanks BarkerJr, DevRandom, and Userzap for setting up new mirrors!

Nathan Freitas announced that Orfox was going to replace Orweb in the Guardian Project set of secure communication tools. Orfox is based on the Firefox engine and is likely to behave more like the Tor Browser. “However, Orfox is still very early (not alpha yet) and has not been fully tested. I would either do your own testing and report back to us, or only use the app for non sensitive/critical browsing for now”, Nathan added.

arkmd reported that TorBirdy was saving unencrypted drafts on the remote server on their system. Sukhbir Singh has not been able to reproduce the issue so far but he is thinking of disabling the automatic save feature entirely.

Christian announced that Globe is “now officially hosted on the torproject servers”. Credits to Karsten Loesing and Peter Palfrader for setting up the infrastructure. Have a look at this new Tor relay and bridge explorer!

ghostmaker advertised “a small new tool for Windows called InjectSOCKS that can force other Windows software to do TCP connections via SOCKS.” InjectSOCKS source code and binaries are available from the project page.

The Tails team has issued a call for testing regarding incremental upgrades — one more step on the path to providing Tails users with easy upgrades.

The release schedule for Tails 0.22.1 has been published by intrigeri. The expected release date for this point release is January 21st.

Tor help desk roundup

Multiple users have asked the help desk specifically for assistance with IPv6 bridges. Currently getting IPv6 bridges is not too easy, but the issue is known and should be solved as the bridge distributor is improved. IPv6 bridges are functional in (at least part of) China, but we do not have many of them to distribute. Please set up an IPv6 bridge if you can: it's only one “ORPort” line to add to the usual configuration.


This issue of Tor Weekly News has been assembled by Lunar, harmony, dope457, Matt Pagan, Roger Dingledine and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Pluggable transports bundles 2.4.18-rc-1-pt1 and 2.4.18-rc-2-pt1 with Firefox 17.0.11esr

There are new Pluggable Transports Tor Browser Bundles with Firefox 17.0.11esr. They are made from the Tor Browser Bundle 2.4.18-rc-1 release of November 19, except for the 64-bit GNU/Linux bundle, which is made from the 2.4.18-rc-2 release of November 20.

Pluggable Transports bundle download

Tor Weekly News — December 4th, 2013

Welcome to the twenty-third issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

Next-Generation Hidden Services reach draft proposal state

Nick Mathewson has been working on turning a “revamp of the hidden services protocol” into a formal proposal. Last Saturday, Nick blessed the tor-dev mailing list with a post of the current draft for proposal 224, dubbed “Next-Generation Hidden Services in Tor”.

Nick currently lists 25 different people who made writing the new proposal possible, and there will be probably some more to add before the proposal reaches completion. We will spare the reader a full list, but Tor Weekly News’ archives attest that George Kadianakis deserves a special mention for his repeated efforts to move things forward.

The proposal aims to replace “the current rend-spec.txt, rewritten for clarity and for improved design.” The most user visible change from the current hidden services protocol is the new address format. In order to prevent the enumeration of hidden services, the new protocol derives a “blinded key” (section 1.3) from an Ed25519 master identity key. The blinding operation operates on the full key (and not just a truncated hash, as before). With a base 32 encoding of the entire 256 bits (section 1.2), “a new name following this specification might look like: a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rffdw9jmntwkdsd.onion”. Other encodings might still be worth consideration as long as they make valid hostnames.

Less visible changes include the departure from RSA1024, DH1024, and SHA1 to prefer Ed25519, Curve25519, and SHA256 as the cryptographic primitives (section 0.3).

The selection of directories responsible for a hidden service will now depend on a periodic “collaboratively generated random value” provided by the Tor directory authorities. This way the directories of a hidden service are not predictable in advance, which prevents targeted denial of service attacks (see ticket #8244 and proposal 225 for a possible scheme).

The new proposal also introduces the possibility of keeping the master identity key offline (section 1.7).

The proposal is completely unfinished when it comes to scaling hidden services to multiple hosts (section 1.5). There have been discussions on this topic, but there is no final decision on what the final scheme should be. The problem with naive scaling schemes is that information about the number of hidden service nodes can leak to adversarial clients or introduction points.

In order to move the proposal forward from the current draft, Nick Mathewson told the readers: “I’d like to know what doesn’t make sense, what I need to explain better, and what I need to design better. I’d like to fill in the gaps and turn this into a more full document. I’d like to answer the open questions. Comments are most welcome, especially if they grow into improvements.” The document is still sprinkled with many TODO items, so feel free to jump in if you want to help!

Tor relay operators meeting at 30C3

Moritz Bartl announced that a meeting of Tor relay operators and organizations will be held as part of the first day of the 30th Chaos Communication Congress in Hamburg on the 27th December. He asked major relay operators and Torservers.net partner organizations to prepare some slides explaining their activities; the German partner organization, Zwiebelfreunde e.V., will hold its own meeting directly afterwards.

Monthly status reports for November 2013

The wave of regular monthly reports from Tor project members for the month of November has begun. Pearl Crescent released their report first, followed by reports from Sherief Alaa, Lunar, Colin C., Nick Mathewson, George Kadianakis, Arlo Breault, and Ximin Luo.

Miscellaneous news

The first release candidate for Tails 0.22 is out. The new version features a browser based on Firefox 24 and has reached beta stage for incremental updates, among other things. Tests are most welcome, as always!

The Tails team called for translators to help with the strings both for Tails 0.22, as well as for the new incremental upgrade software. The strings for translation are now available in the Tails Git repository, and hopefully should also be up on Transifex soon.

Damian Johnson sent out a link to a recording of his talk on the Tor ecosystem at TA3M in Seattle.

David Goulet called for assistance with the code-review process for the Torsocks 2.0 release candidate, and offered some guidance on where to begin.

Erinn Clark and Peter Palfrader upgraded the Tor Bug Tracker & Wiki to Trac version 1.0.

intrigeri began compiling a glossary of words that Tails and its developers use for particular concepts, to assist contributors who might not be familiar with these special meanings.

In order to remove “a full database of relays on our already overloaded metrics machine”, Karsten Loesing is asking for those using the “relay-search service” to speak up before the decommissioning of the service by the end of the year.

Philipp Winter followed up on his experiments in exit scanning and released exitmap, which uses Stem to control the tor daemon in creating circuits to all exit nodes.

Orchid, a Tor client implementation written in pure Java, silently reached the 1.0 milestone on November 27th. Nathan Freitas is looking for comment from the community as he is “thinking about having Orbot use it by default, and then offering ARM and x86 binaries as add-on enhancements.” His main argument is that it “would make the core Tor on Android experience more lightweight for client only use.”

The Electronic Frontier Foundation helped a student group in Iowa convince their university that they should be allowed to hold discussions about Tor on campus. The EFF’s open letter to universities and their “Myths and Facts About Tor” document make useful advocacy material.

Tor help desk roundup

Multiple users asked about using Tor for PC gaming. Tor can only transport TCP, which is how web pages are transmitted. Many video games rely on UDP or other protocols to transport data because of the lower latency. Information these games transport over protocols besides TCP would not be sent over Tor. Also any software used with Tor needs to be tested for proxy obedience. Untested applications might send information without using Tor even if they appear to be configured correctly, and without the user realizing it.
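
One way to check an application for proxy obedience, as an added example that is not part of the original newsletter: list the application's sockets with `ss -Htunp` and flag anything that is UDP or that does not terminate at the Tor SOCKS port. The process name `gameclient`, the SOCKS address 127.0.0.1:9050 and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -Htunp` output, captured while a hypothetical
# application "gameclient" was configured to use Tor's SOCKS port.
# Columns: netid state recv-q send-q local peer process
SAMPLE_SS_OUTPUT = """\
tcp   ESTAB  0 0   127.0.0.1:40112       127.0.0.1:9050       users:(("gameclient",pid=4242,fd=31))
tcp   ESTAB  0 0   192.0.2.10:51544      198.51.100.7:443     users:(("gameclient",pid=4242,fd=33))
udp   ESTAB  0 0   192.0.2.10:38211      203.0.113.25:27015   users:(("gameclient",pid=4242,fd=35))
udp   UNCONN 0 0   0.0.0.0:5353          0.0.0.0:*            users:(("avahi-daemon",pid=812,fd=12))
tcp   ESTAB  0 0   [2001:db8::10]:51000  [2001:db8::99]:443   users:(("gameclient",pid=4242,fd=36))
tcp   LISTEN 0 128 127.0.0.1:9050        0.0.0.0:*            users:(("tor",pid=700,fd=6))
"""

# Matches the owning process in the last column: users:(("name",pid=N,...
OWNER_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (address, port) strings."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def find_proxy_bypass(ss_output, process, proxies):
    """Return (protocol, peer, reason) for every socket owned by `process`
    that is UDP or whose peer is not one of the allowed SOCKS `proxies`."""
    allowed = {(ipaddress.ip_address(host), port) for host, port in proxies}
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        owner = OWNER_RE.search(line)
        if len(fields) < 6 or not owner or owner.group(1) != process:
            continue  # malformed line or a socket of another process
        proto, peer = fields[0], fields[5]
        host, port = split_endpoint(peer)
        if port == "*":
            continue  # listening or unconnected socket, no remote peer
        if proto == "udp":
            # Tor transports TCP only, so any UDP flow leaves outside Tor.
            findings.append((proto, peer, "UDP is not carried by Tor"))
        elif (ipaddress.ip_address(host), int(port)) not in allowed:
            findings.append(
                (proto, peer, "TCP connection does not use the SOCKS proxy"))
    return findings


if __name__ == "__main__":
    tor_socks = [("127.0.0.1", 9050)]
    for finding in find_proxy_bypass(SAMPLE_SS_OUTPUT, "gameclient", tor_socks):
        print(*finding, sep="  ")
```

A socket listing is a snapshot, so repeat it while exercising every feature of the application; short-lived connections are easy to miss in a single capture.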


This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, dope457, George Kadianakis, Nick Mathewson, sqrt2 and Roger Dingledine.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Weekly News — November 27th, 2013

Welcome to the twenty-second issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

Round of updated Tor Browser Bundles

Mozilla put out an urgent security release of the stable Firefox branch with version 17.0.11esr. The stable version of the Tor Browser Bundle has been updated accordingly. The 2.4 release candidate also received an update, together with the latest incarnation of tor 0.2.4.18-rc. Both were then given a further update due to an issue on 64 bit GNU/Linux systems.

The 3.0 branch saw the release of 3.0rc1 which — on top of updating its base software — fixed a build reproducibility issue on Windows, and a few other small fixes.

An updated version of Tails and the pluggable transport bundle are still in the making at the time of writing.

Tor is looking for a Browser Hacker and an Extension Developer!

Mike Perry wrote a blog post to announce two new positions available at the Tor Project: “We are looking for a C++ browser developer to work on our Firefox-based browser, and a Firefox extension developer to work on our growing number of Firefox extensions. Our ideal candidates would be comfortable in both roles, but we are also interested in hearing from people with either skillset.”

Look at the job descriptions for more details and how to apply for these exciting opportunities to make Tor software even better.

“Safeplug”

Roman Mamedov reported that the Californian company Cloud Engines is now shipping a device called the “Safeplug”. Exactly how the device works is unclear, but according to their FAQ, it looks like a router which transparently directs its client connections through Tor.

Such an approach is known to be flawed. Sean Alexandre was prompt in reminding everyone that “application protocols can still reveal your identity”, and quoted the warning on Tor’s download page: “To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you’re browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.”

Aaron Gibson detailed other concerns, namely the absence of source code or design documents, the mandatory router registration procedure, issues with the automatic update system, and the terms of service. He also criticized the “torified everything” approach and outlined an alternative which he had discussed with Roger Dingledine: “providing a captive portal that would instruct a user to download a copy of TBB and use the local router device as a first hop into the Tor network, perhaps by configuring the device as a bridge.”

On the upside, Andrew Lewman views the product as “a fine test case for consumer-level torouter market analysis. It would be great to learn 6 months from now how many they sold and a summary of customer feedback.” Despite having “lots of concerns”, Andrew is “trying to discuss them with Cloud Engines” and praised the community for “doing a fine job of raising questions”.

Miscellaneous news

Nick Mathewson gave the number 223 to Esfandiar Mohammadi’s proposal titled “Ace: Improved circuit-creation key exchange”.

Matt Pagan reported on his trip to Washington, D.C., USA for the Rally Against Mass Surveillance. He gave an account of his talk during the cryptoparty and the march that happened the next day.

Arturo Filastò sent his report about his activities in October.

Nathan Freitas reported on his efforts to use GeckoView on Android 4.4, which can be seen as the “first step towards Tor Browser on Android”.

Kevin Dyer announced a new release of a pluggable transport powered by Format-Transforming Encryption. Cross-platform builds of the pluggable transport Tor Browser Bundle are available for download for the adventurous.

Tor help desk roundup

Echoing the tor-talk thread summarized above, multiple people asked whether or not the Tor Project could recommend the Safeplug device.

An OS X user asked if it was always necessary to open the Tor Browser folder in order to start the Tor Browser Bundle. It is possible to create an alias in Mac OS or a shortcut in Windows to the “Start Tor Browser” script and place that alias or shortcut in a convenient place, such as the Desktop.


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, harmony, Philipp Winter, and dope457.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor is looking for a Browser Hacker and an Extension Developer!

The Tor Project has two browser-related job openings available!

We are looking for a C++ browser developer to work on our Firefox-based browser, and a Firefox extension developer to work on our growing number of Firefox extensions. Our ideal candidates would be comfortable in both roles, but we are also interested in hearing from people with either skillset.

On the C++ side, your tasks would include implementing new Firefox APIs and browser behavior changes; looking for and resolving web privacy issues; fixing bugs; responding on short notice to security issues; and helping to merge patches upstream.

On the extension development side, your primary tasks will include writing patches and UI improvements for Tor Birdy, Torbutton, HTTPS-Everywhere, Tor Launcher, and an OTR plugin for InstantBird. These improvements will primarily revolve around improving usability, Tor configuration, and security for our users.

Instructions on how to apply to the C++ position can be found on the browser hacker job posting. If you would prefer to focus on extension development, you should apply to the extension developer position.
