Tor Weekly News — January 8th, 2014

Welcome to the first issue for the year 2014 of Tor Weekly News, the weekly newsletter that covers what is happening in the impressive Tor community. The tor-news mailing list has reached a thousand subscribers. Thanks for following us!

Tor at the 30th Chaos Communication Congress

The Chaos Computer Club held its thirtieth congress in Hamburg, Germany during the days and nights of December 26th-30th. The congress had over 9,000 participants. The topic of pervasive surveillance was more present than ever, and Tor was a common answer to many questions.

“We are living in interesting times” was the subtitle of Jacob Appelbaum
and Roger Dingledine’s talk for this year. Their tour of what happened to Tor in the past years and more importantly in the past months was seen by more than 3,000 attendees in Hamburg and a couple more from the live stream and recordings. Later on, Sophie Bayerlein had decorated a wall with her visual summary of the talk.

The talk was quickly followed by a “How to help Tor?” workshop. Lunar reported “an overwhelming success as more than 200 people showed up. We were not prepared for helping so many folks waiting to learn how they can help Tor. It still created interesting discussions, I believe, and I hope we will find ways to interact more with the larger community in the upcoming weeks, especially concerning outreach to the general public.”

Earlier the same day, a meetup of Tor relay operators was held. The small room was packed with at least 60-70 attendees. Several relay operator organizations reported on their progress: DFRI, Frënn vun der Ënn, Icetor, Noisetor, Nos oignons, Swiss Privacy Foundation and Zwiebelfreunde. Many of these projects did not exist last year, and new organizations are still being created, like The Torrorists who also gave a quick status update. Nikita Borisov gave a quick presentation of the traceroute research experiment and encouraged more operators to run the test script. Several operators of important relays and directory authorities also assisted the session. Let’s hope everyone shared the same feelings as Jason from Icetor: “It was really excellent meeting all of you and great for my morale to see all the people understanding and working towards common goals. Perhaps it’s just due to my remoteness, but I rarely get to discuss projects like this at such an intricate level.”

On the lightning talks front, Kai Engert presented DetecTor (slides, video at 1:56:25), David Fifield covered the basics of Tor pluggable transports, and Michael Zeltner introduced tor2tcp (video at 1:41:00). Some OnionCat developers have also been spotted in the corridors.

The Chaos Communication Congress is one of the rare events where an impressive number of members of the Tor community have a chance to interact. Let’s hope it has been a fruitful time for everyone!

Tor website needs your help!

One of the outcomes of the “How to help Tor?” session at the 30C3 was that there were quite some people interested in helping the Tor project with its website. In order to foster anyone’s participation, a larger call for help has been sent.

It starts by acknowledging that “Tor has shifted in the recent years from being a project prominently used by researchers, developers, and security experts to the wider audience of anyone concerned about their privacy”. As its primary audience shifted, “it is again time for important changes” to the website structure and design.

As one can read in the call or browse through the website related tickets, it’s going to be a challenging task. A new mailing list has been created to coordinate the efforts. Join if you want to help!

Monthly status reports for December 2013

The wave of regular monthly reports from Tor project members for the month of December has begun. Philipp Winter released his report first, followed by reports from Pearl Crescent, Sherief Alaa, Colin C., Damian Johnson, Tor’s help desk, Lunar, Karsten Loesing, Matt Pagan, Georg Koppen, Ximin Luo, Nick Mathewson, and Nicolas Vigier.

Miscellaneous news

Anthony G. Basile released version 20131230 of Tor-ramdisk — a uClibc-based micro Linux distribution whose only purpose is to host a Tor server — with an updated Linux kernel and Tor

Gregory Maxwell started discussion on how to improve Hidden Services key management: “It would be preferable if it were possible to have a HS master key which was kept _offline_ which could be use to authorize use for some time period and/or revoke usage.” As Nick Mathewson pointed out, the timing is right and such issues have a chance to be addressed with the current redesign process (see proposal 220 and proposal 224).

The Tails team has announced: “The MAC address spoofing feature is ready for testing. This feature prevents geographical tracking of your network devices (and by extension, you) by randomizing their MAC addresses.” Testing on a variety of hardware is now needed, give it a try!

The next Tails contributor online meeting will be held January 9th on the IRC channel #tails-dev (OFTC) at 21:00 UTC.

The “test/rjb-migration” branch has been merged into the Tails development tree. It should now be fairly straightforward to run the automated test suite on a Debian Wheezy system.

The Tor Project’s website has gained another new mirror, thanks PW!

Johannes Fürmann asked the relay operators community to review a short documentation on how to run multiple Tor processes on one host.

Some users have been tricked into downloading malware from the domain. Action is on-going to shutdown the domain. In the meantime, watch out!

Tor help desk roundup

Multiple people have now asked the help desk for support using the Tor Browser on Windows RT. Windows RT is a new edition of Windows 8.1 designed for ARM devices like the Microsoft Surface. There is no supported way of using Tor on Microsoft RT.

Many people have been emailing the help desk to ask how to get a new identity or set up a relay now that Vidalia is no longer included in the Tor Browser package. Vidalia is still available as a standalone package. More information on the transition away from Vidalia can be found on the Tor Browser 3 FAQ wiki page.

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, dope457, Sandeep, weasel, rey, murb and nicoo.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor website needs your help!

Tor started more than eleven years ago. The project website has gone through three major revisions in that time. It looks like it’s again time for important changes.

Tor has shifted in the recent years from being a project prominently used by researchers, developers, and security experts to the wider audience of anyone concerned about their privacy. Tor’s user base continues to grow. While this is a very good news for the anonymity of every Tor user, we need to make information that matters more accessible and better structured. The support team already receive close to 30 new requests every day, and it would be a better experience for newcomers, users, and journalists to directly find their answers.

Creating the ideal website for Tor is not an easy task. We have very diverse audiences with very diverse expectations. We need to gather information from different sources. Some pages should be multi-lingual. As outdated information could endanger our users, it should be easy to keep up-to-date. Our users deserve beautiful, clear, and comprehensive graphics to allow everyone to quickly understand Tor better. We’ve had some starting discussions, but we’re very much in need of your help.

Up to the challenge? Do you want to help improving a website visited everyday by millions of people looking for protection against surveillance? Then feel free to join the website team mailing list. We need usability experts, technical writers, designers, code wizards of the modern web, static website generator experts, documentalists… Join us and help!

Tor Weekly News — December 25th, 2013

Welcome to the 26th issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

The 3.x series of the Tor Browser Bundle is now stable

After more than a year of work, Mike Perry has officially blessed the 3.5 release of the Tor Browser Bundle as the new stable release. Improving on the previous stable series, it features a deterministic build system for distributed trust, a new integrated interface to interact with Tor and all the improvements from Tor 0.2.4.

Users of the previous 2.x series might be a little disoriented by the user interface changes. David Fifield, Matt Pagan and others have been compiling the most frequent questions heard after the switch. Until the integrated browser interface catches up, new Vidalia bundles are now available for those who need them. Erinn Clark is ironing out the remaining integration issues.

With the discontinuation of Firefox 17 ESR, the new release had to be pushed to users to avoid exposing them to security holes. Firefox 24 ESR, on which the Tor Browser is now based, should be supported by Mozilla for approximately one year. This will leave our browser hackers some time to focus more on user experience improvements, test automation, and better resistance to fingerprinting issues.

Several tutorials, videos, and bits of documentation might now in one way or another be out-of-date in many places. Please help report them or, even better, write up some updated versions.

This release is quite a milestone for the project. Update and enjoy!

The Tor Project now accepts donation in Bitcoin

As is often pointed out in the press, the majority of the Tor Project’s financial support comes from US government-linked organizations. In the ongoing effort to offer as many possible ways for individuals and organizations to give help to the project, Bitcoin donations are now being accepted.

As Roger Dingledine wrote in a subsequent comment: “We really need to get some funding for core Tor development, and especially for improving Tor’s anonymity, because none of our current funders care enough about the anonymity side of Tor. Outreach and blocking-resistance are great topics, but we can’t let the anonymity part rot.”

Head over to the donations page to learn more about how to chip in with Bitcoins or other currencies.

Tor is out

The first update to the new stable branch of Tor has been released on December 23rd. It fixes an issue that would create more preemptive circuits than actually need, and a security issue related to poor random number generation.

The latter affects “users who 1) use OpenSSL 1.0.0 or later, 2) set ‘HardwareAccel 1’ in their torrc file, 3) have ‘Sandy Bridge’ or ‘Ivy Bridge’ Intel processors, and 4) have no state file in their DataDirectory (as would happen on first start). Users who generated relay or hidden service identity keys in such a situation should discard them and generate new ones.”

The source code is already available from the usual location. Update packages and bundles should be ready soon.

Tor events at the 30th Chaos Communication Congress

The Chaos Computer Club will be holding its 30th Congress in Hamburg between the 27th and the 30th of December, and as usual there are a number of Tor-related talks and events scheduled.

Following their session on the Tor ecosystem at 29c3, Tor Project members Roger Dingledine and Jacob Appelbaum will be giving a talk entitled “The Tor Network: We’re living in interesting times”, in which they discuss the Project’s work over the last few years, with special reference to “major cryptographic upgrades in the Tor network, interesting academic papers in attacking the Tor network, major high profile users breaking news about the network itself, discussions about funding, FBI/NSA exploitation of Tor Browser users, botnet related load on the Tor network, and other important topics”.

Their talk will be followed by a discussion involving everyone interested in helping Tor at the NoisySquare assembly. The Tor ecosystem is now made up of more than forty different projects, and there are sure to be ways you can help. Bring your skills and your energy! will be holding a meeting of Tor relay operators and organizations, featuring “quick presentations on recent and future activities around”, to be followed by the official members’ meeting of the German partner organization, Zwiebelfreunde e.V.

#youbroketheinternet will hold a session on the future of crypto routing backends: “Even the IETF is now considering that Onion Routing should be a fundamental capability of the Internet. How would that look in practice?”

If you are attending the Congress, feel free to come along and participate in these sessions; if not, you should be able to catch up with the talks online.

Miscellaneous news

Anthony G. Basile released version 20131216 of Tor-ramdisk, a “uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy.” This new release is the first to ship the 0.2.4 branch of Tor.

For those who like hazardous experiments, intrigeri sent a call for testing an experimental Tails image with preliminary UEFI support — users of Apple hardware should be particularly interested. anonym also announced that test images from the MAC spoofing branch were available.

Nick Mathewson sent his now-monthly review of the status of Tor’s proposals. Karsten Loesing followed-up by commenting on several of those related to the directory protocol. Have a look, you might also be able to move things forward!

Many thanks to John Sweeney of, Jeremy J. Olson of EPRCI, and for running mirrors of the Tor Project website.

Karsten Loesing has been experimenting with replacementsfor the “fast exits” graphs that would convey a better feeling of the network growth. He also deployed a new visualization for the fraction of connections used uni-/bidirectionally.

Tor help desk roundup

Multiple users have now emailed the help desk regarding a particular type of “ransomware” that encrypts the hard drive of Windows computers and won’t give users the decryption key until a payment is made. Victims of this malware have emailed the help desk because the ransomware message includes a link to a tor hidden service site. Malware victims wanted to know how to install the Tor Browser, or thought the Tor Project was the source of the malware.

The Tor Project does not make malware; in the past Tor developers have worked with anti-virus developers to help stop other types of malware. Users affected might find useful information in the guide assembled by If you have not been affected, the story might be a good reminder to think about your backups.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan and dope457.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Browser Bundle 3.5 is released

Update 12/20: Test builds of Pluggable Transport bundles are now available. See inline and see the FAQ link for more details.

The 2.x stable series of the Tor Browser Bundle has officially been deprecated, and all users are encouraged to upgrade to the 3.5 series.

Packages are now available from the Tor download page as well as the Tor Package archive.

For now, the Pluggable Transports-capable TBB is still a separate package, maintained by David Fifield. Download them here: We hope to have combined packages available in a beta soon.

For people already using TBB 3.5rc1, the changes are not substantial, and are included below.

However, for users of TBB 2.x and 3.0, this release includes important security updates to Firefox. All users are strongly encouraged to update immediately, as we will not be making further releases in the 2.x or 3.0 series.

In terms of user-facing changes from TBB 2.x, the 3.x series primarily features the replacement of Vidalia with a Firefox-based Tor controller called Tor Launcher. This has resulted in a vast decrease in startup times, and a vast increase in usability. We have also begun work on an FAQ page to handle common questions arising from this transition -- where Vidalia went, how to disable JavaScript, how to check signatures, etc.

The complete changelog for the 3.x series describes the changes since 2.x.

The set of changes since the 3.5rc1 release is:

  • All Platforms
    • Update Tor to
    • Update Tor Launcher to
      • Bug 10382: Fix a Tor Launcher hang on TBB exit
    • Update Torbutton to
      • Misc: Switch update download URL back to download-easy

Tor Weekly News — December 18th, 2013

Welcome to the twenty-fifth issue of Tor Weekly News, the weekly newsletter that covers what is happening in the ever-updating Tor community.

Tor is out

After more than a year in the making, Roger Dingledine announced the first stable release in the Tor 0.2.4 series, as well as the dedication of this series to the memory of Aaron Swartz (1986-2013).

Tor 0.2.4 boasts a large number of major new features, among them a new circuit handshake, improved link encryption, a flexible approach to the queueing of circuit creation requests, and the use of “directory guards” to defend against client-enumeration attacks. You can consult the full changelog in Roger’s announcement, and download the source code from the website.

As no code changes have been made since the previous release candidate, there is no reasons for users of tor to upgrade in a hurry.

Tor Browser Bundle 3.5rc1 is out

Mike Perry announced the first release candidate in the Tor Browser Bundle 3.5 series, and strongly encouraged users to update in anticipation of the imminent end-of-life of both the 2.x stable and 3.0 series, following Mozilla's deprecation of Firefox 17 ESR, on which both are based.

This release also includes a number of important security updates, alongside various bugfixes and usability improvements; for this reason as well, users should upgrade as soon as possible.

Tails 0.22 is out

Tails saw its 35th release on December 11th. It incorporates many major and minor improvements and bugfixes, and opens up the new incremental-upgrade feature for beta-testing.

As this is the first release to feature a browser based on the Firefox 24 ESR series, some small inconveniences found their way in. Have a look at the known issues before giving it a go.

Nevertheless, it fixes several important security issues, so it is recommended that all users upgrade as soon as possible. awarded $250,000 grant

The team announced that they have received a $250,000 organizational grant, to be spread over two years, from the Digital Defenders Partnership, which in its own words was “established to provide rapid response to threats to internet freedom.”

With this grant, wrote Moritz Bartl, “participating Torservers organizations will be able to sustain at least 3 Gbit/s of exit traffic, and 2000 fast and up-to-date bridges.”

In order to make the most efficient use of this significant contribution to the Tor network while maintaining its diversity, wrote Moritz, “we need to find seven more organizations that are willing to rent servers for a period of at least 2 years”, adding that “we really want to avoid having organizations run both high bandwidth exit relays and a larger number of Tor bridges: An operator should not see both traffic entering the Tor network and traffic leaving the Tor network” .

For this reason, he called for groups interested in supporting the Tor network to get in contact, in order to discuss how they can best set up and maintain Tor services. The first such partnership will be with the Institute for War and Peace Reporting's Cyber Arabs group.

If you represent an organization that could make this much-needed contribution to the Tor network, please contact the team, or join them at the Tor relay operators meetup during the upcoming Chaos Communication Congress in Hamburg.

Miscellaneous news

The Tails team reported on the vast amount of activity that occurred during November 2013. Coming up in the next few Tails releases are an updated I2P, a new clock applet with configurable timezone, better localization, incremental upgrades, safer persistence, MAC spoofing…

meejah announced the release of txtorcon 0.8.2, and warned users that they should upgrade if they use that program’s TCP4HiddenServiceEndpoint feature, in order to fix a bug that allows listening on hosts other than

Kevin P Dyer announced the 0.2.2 release of fteproxy, which “includes the removal of gmpy as a dependency, additional documentation to explain the significance of language theoretical algorithms, and bounds checking of the input/output of our (un)ranking algorithms”; this hot on the heels of 0.2.1, in which he “focused on breaking away from heavyweight dependencies: OpenFST and boost”.

Mike Perry shared his thoughts regarding the presence of the Tor Browser Bundle in centralized repositories such as the Apple App Store or Google Play, and the possibilities for attack that these stores open up.

Ondrej Mikle warned users of Enterprise Linux 5 that Tor RPM packages will no longer be built for their platform, owing to an “increasing number of required workarounds”.

Karsten Loesing published a summary of the past, present and the future of the Tor Metrics project, which he maintains, offering some context for the various changes that have recently been announced.

Lunar sent reports from the Tor help desk for October and November.

Jacob Appelbaum recapped his work over the last few months — from June to December — in a slew of reports (June, July, August, September, October, November, December).

Tor help desk roundup

Occasionally users who need the Pluggable Transports Tor Browser Bundle will download the Vidalia Bridge Bundle instead, which is less useful for users trying to circumvent state censorship. The Vidalia Bridge Bundle is only available for Windows and is configured by default to turn the client machine into a bridge. None of the Vidalia Bundles are designed to use Pluggable Transports.

This issue of Tor Weekly News has been assembled by harmony, Lunar, dope457, and Matt Pagan.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Announcement: The Tor Project is now accepting Bitcoin Donations

Over the past year, we have received many requests for us to accept bitcoin donations. After careful consideration and research, we are thrilled to announce that effective today The Tor Project is accepting bitcoin donations. In partnership with Bitpay, bitcoins can easily and directly be donated to support Tor’s ongoing mission of being the global resource for privacy technology advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. Check out our donations page now. Bitcoin donations received by The Tor Project will be converted directly to US Dollars.

Our decision to accept bitcoins has been well thought out and researched from a financial accounting perspective with an eye on passing our required annual A-133 audit. We believe we are the first US 501(c)3 non-profit organization to test acceptance of bitcoins and attempt to pass the US Government A-133 Audit Standard. Our 2013 audit results, along with our past financial documents, will be made available on our website once complete in 2014.

The Tor Project is also proud to be in the company of other visible non-profit organizations accepting bitcoins including EFF and Wordpress.

Why is this important? The Tor Project needs your donations to continue our mission and to keep the Tor suite of technologies ahead with the growing threats to privacy and anonymity around the world. Your donation made TODAY, through bitcoin, Paypal, Amazon Payments,, checks, money orders or bank transfers, will provide greater security and privacy for millions around the world who use Tor every day.

Help us continue our mission!

Tor Browser Bundle 3.5rc1 Released

The first release candidate in the 3.5 series of the Tor Browser Bundle is now available from the Tor Package Archive:

This release includes important security updates to Firefox.

Moreover, the Firefox 17esr release series has been deprecated by Mozilla. This means the imminent end of life for our 2.x and 3.0 bundle series. All 3.0 users are strongly encourage to update immediately, as we will not be making further releases in that series. If this release candidate survives the next few days without issue, this release candidate will be declared stable, and we will officially deprecate the current stable 2.x Tor Browser Bundles and declare their versions out of date as well.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.2.0esr
    • Update NoScript to
    • Update HTTPS-Everywhere to 3.4.4tbb (special TBB tag)
      • Tag includes a patch to handle enabling/disabling Mixed Content Blocking
    • Bug 5060: Disable health report service
    • Bug 10367: Disable prompting about health report and Mozilla Sync
    • Misc Prefs: Disable HTTPS-Everywhere first-run tooltips
    • Misc Prefs: Disable layer acceleration to avoid crashes on Windows
    • Misc Prefs: Disable Mixed Content Blocker pending backport of Mozilla Bug 878890
    • Update Tor Launcher to
      • Bug 10147: Adblock Plus interferes w/Tor Launcher dialog
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 9984: Support running Tor Launcher from InstantBird
      • Misc: Support browser directory location API changes in Firefox 24
    • Update Torbutton to
      • Bug 10352: Clear FF24 Private Browsing Mode data during New Identity
      • Bug 8167: Update cache isolation for FF24 API changes
      • Bug 10201: FF ESR 24 hangs during exit on Mac OS
      • Bug 10078: Properly clear crypto tokens during New Identity on FF24
      • Bug 9454: Support changes to Private Browsing Mode and plugin APIs in FF24
  • Linux
    • Bug 10213; Use LD_LIBRARY_PATH (fixes launch issues on old Linux distros)

Tails 0.22 is out

Tails, The Amnesic Incognito Live System, version 0.22, is out.

All users must upgrade as soon as possible: this release fixes numerous security issues.

Download it now but first, please consider testing the incremental upgrade.


  • Security fixes
    • Upgrade to Iceweasel 24.2.0esr that fixes a few serious security issues.
    • Stop migrating persistence configuration and access rights. Instead, disable all persistence configuration files if the mountpoint has wrong access rights.
    • Upgrade to NSS 3.15.3 that fixes a few serious security issues affecting the browser.
  • Major improvements
    • Switch to Iceweasel 24.2.0esr and Torbutton 1.6.5.
    • Incremental upgrades are ready for beta-testing.
  • Bugfixes
    • Fix Vidalia startup.
    • Disable DPMS screen blanking.
    • Fix checking of the persistent volume"s ACL.
    • Sanitize more IP and MAC addresses in bug reports.
    • Do not fail USB upgrade when the "tmp" directory exists on the destination device.
  • Minor improvements
    • Clearer warning when deleting the persistent volume.
    • Use IBus instead of SCIM.
    • Always list optimal keyboard layout in the greeter.
    • Fix on-the-fly translation of the greeter in various languages.
    • Update I2P to and rework its configuration.

See the online Changelog for technical details.

Known issues

  • The Unsafe Browser cannot connect to the Internet (ticket #6479). This can be workaround"ed by setting network.proxy.socks_remote_dns to false on the about:config web page.
  • Keyboard shortcuts use QWERTY mapping instead of AZERTY on French keyboard (ticket #6478). This may impact other keyboard layouts as well.
  • TorBrowser takes too long to shutdown (ticket #6480).
  • TorBrowser proposes to share the microphone with websites (ticket #6481).
  • htpdate uses a different User-Agent than the Tor Browser (ticket #6477).
  • The included Linux 3.10-3 (version 3.10.11-1) kernel has a few known security issues.
  • Longstanding known issues.

I want to try it or to upgrade!

Go to the download page but first, please consider testing the incremental upgrade.

As no software is ever perfect, we maintain a list of problems that affects the last release of Tails.

What's coming up?

The next Tails release is scheduled for January 21.

Have a look to our roadmap to see where we are heading to.

Would you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!

Syndicate content Syndicate content