New Feature: Tor Interpreter


Hi all, after a couple months down in the engine room I'm delighted to announce a new Stem feature for advanced Tor users and developers!

Stem's Interpreter Tutorial

The control interpreter is a new method for interacting with Tor's control interface that combines an interactive python interpreter with raw access similar to telnet. This adds several usability features, such as...

  • Irc-style commands like '/help'.
  • Tab completion for Tor's controller commands.
  • History scrollback by pressing up/down.
  • Transparently handles Tor authentication at startup.
  • Colorized output for improved readability.

This is the last major feature going into Stem's 1.2.0 release, which is coming out later this month. Until then you can easily give it a whirl with...

% git clone
% cd stem
% ./tor-prompt

Running into an issue? Got a feature request? As always feedback appreciated! -Damian

Tor Weekly News — May 21st, 2014

Welcome to the twentieth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor is out

A new version of the Tor stable branch was released on May 16th: “Tor backports numerous high-priority fixes from the Tor 0.2.5 alpha release series. These include blocking all authority signing keys that may have been affected by the OpenSSL ‘heartbleed’ bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM, and several others.”

For more details, look at the full changelog. The source is available at the usual location. Packages should be coming shortly, if not already available.

Digital Restrictions Management and Firefox

Mozilla’s decision to support playing media with digital restrictions in Firefox by implementing the W3C EME specification has raised a fair amount of controversy. Paul Crable wanted to know what it meant for the Tor Browser.

Mike Perry answered that “simply removing the DRM will be trivial, and it will be high on our list of tasks”.

But he also explained his worries regarding a “per-device unique identifier” that Firefox would provide as part of the implementation: “it is likely that this identifier will soon be abused by all sorts of entities, […] quickly moving on to the advertising industry (why not play a short device-linked DRM video with your banner ad? You get a persistent, device-specific tracking identifier as part of the deal!). I think it is also quite likely that many arbitrary sites will actually deny access to users who do not provide them with such a device-id, if only due to ease of increased revenue generation from a fully identified userbase.”

Mike has raised the issue on Mozilla’s dev-privacy mailing-list where Henri Sivonen replied that device-identifying information will be hashed together with a “per-origin browser-generated secret” that “persists until the user asks the salt to be forgotten”. So it does not look as gloomy as it initially appeared. As always, the devil is in the details.
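The scheme described in Henri Sivonen's reply can be sketched as follows. This is an added example, not Mozilla's or the Tor Project's code: the choice of HMAC-SHA256, the names `SaltStore`, `per_origin_id`, `naive_id` and `origin_of`, and the sample device identifier and URLs are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Reduce a URL to its origin: scheme, host and port (path is ignored)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return f"{scheme}://{host}:{port}"


class SaltStore:
    """Hypothetical browser-side store of one random secret per origin."""

    def __init__(self):
        self._salts = {}

    def salt_for(self, url: str) -> bytes:
        origin = origin_of(url)
        if origin not in self._salts:
            # Generated by the browser on first use; never sent to the site.
            self._salts[origin] = secrets.token_bytes(32)
        return self._salts[origin]

    def forget(self, url: str) -> None:
        """The user asks for the salt of this origin to be forgotten."""
        self._salts.pop(origin_of(url), None)


def naive_id(device_id: bytes) -> str:
    """Unsalted hash: every site receives the same value for this device."""
    return hashlib.sha256(device_id).hexdigest()


def per_origin_id(device_id: bytes, url: str, store: SaltStore) -> str:
    """Identifier a site would see when the device ID is keyed by its salt."""
    return hmac.new(store.salt_for(url), device_id, hashlib.sha256).hexdigest()


def demo() -> dict:
    device = b"CONSTRUCTED-DEVICE-ID-0001"  # constructed sample value
    store = SaltStore()
    video = per_origin_id(device, "https://video.example/watch?v=1", store)
    video_again = per_origin_id(device, "https://video.example/other", store)
    ads = per_origin_id(device, "https://ads.example/banner", store)
    store.forget("https://video.example/")
    video_reset = per_origin_id(device, "https://video.example/watch?v=1", store)
    return {
        # A site keeps recognising the device while its salt persists.
        "stable_within_origin": video == video_again,
        # Two sites cannot join their records on the identifier.
        "unlinkable_across_origins": video != ads,
        # Forgetting the salt gives the site a fresh, unrelated identifier.
        "rotates_after_forget": video_reset != video,
        # The salted value is not the bare hash that any site could share.
        "differs_from_naive": video != naive_id(device),
    }


if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```

The identifier is only as private as the salt store: anything that makes two origins share a salt, or that keeps a salt alive after the user asked to forget it, brings back the cross-site linkability Mike describes.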

Miscellaneous news

David Goulet reported on the status of the development of Torsocks 2.0, the library for safely using applications with Tor.

Karsten Loesing posted on the Tor Blog to commemorate the tenth anniversary of the first archived Tor directory, and discussed the different ways in which the public archive of directory data is being used for research and development.

Karsten also notified the community of a change in the compression algorithm used for the tarballs of archived metrics data, which has reduced their total size from 212 gigabytes to 33 — an 85% gain!

Knock is a variant of port-knocking that might be useful in the future for pluggable transports. “As Knock uses two fields in the TCP header in order to hide information and we explicitly want to be compatible with machines sitting in typical home networks”, writes Julian Kirsch, “we thus created a program which tests if Knock would work in your environment.” Please give it a try to help the team figure out if Knock could be deployed in the wild.

Thanks to Jesse Victors, Andrea, Nicholas Merrill, and Martin A. for running mirrors of the Tor Project website!

Michael Schloh von Bennewitz has been busy analyzing a disk leak in Tor Browser: when one copies a significant chunk of text to the clipboard, a temporary file is created with its content. Michael found a possible fix and is welcoming reviews.

Nicolas Vigier has been investigating some extra connections made by the Tor Browser on startup to the local resolver and the default port or the SOCKS proxy.

Shawn Nock proved to us once more that talking to ISPs is key to running Tor relays on high-speed links. Shawn’s exit node was abruptly shut down by its provider on May 15th. After a well-crafted plea explaining why Tor is important, the provider restored the service on the very same day!

However, dope457 reported that their provider is now giving them trouble for being the operator of a non-exit relay, due to a large amount of traffic on the DNS port (53), which is being used as the ORPort by a recently-established Tor relay, as pointed out by Roman Mamedov.

Now that ICANN is “selling” top-level domain names, Anders Andersson raised concerns about the .onion extension used by Tor. Fortunately, RFC6761 defines a process regarding special-use domain names. Last November, Christian Grothoff, Matthias Wachs, Hellekin O. Wolf, and Jacob Appelbaum submitted a request to reserve several TLDs used in peer-to-peer systems. Hellekin sent an update about the procedure: “the current status quo from the IETF so far is that this issue is not a priority”.

Tor help desk roundup

Local antivirus or firewall applications can prevent Tor from connecting unless they are disabled. Firewall tools that have caused usability issues in the past include Webroot SecureAnywhere AV, Kaspersky Internet Security 2012, Sophos Antivirus for Mac, and Microsoft Security Essentials.

News from Tor StackExchange

The Tor StackExchange site now provides more than 1000 answers to user-supplied questions. However, there are still ~130 questions which need a good answer, so if you happen to know one then please visit the site and help out.

The majority of the questions are about the Tor Browser Bundle, but hidden services also attract a large amount of attention. When it comes to operating systems, there are 42 Windows-related questions, while questions about Tails and Whonix number nearly 50. All your questions about Tor and related software are welcome.

Blue_Pyro uses Orweb on a mobile phone and wants to save images from websites. Abel of Guardian recommended two options: first, a user can use Firefox mobile with privacy enhanced options, or one can try Orfox, a development version of a Firefox-based browser.

Easy development tasks to get involved with

Stem is a Python controller library for Tor. It comes with tutorials and generally has pretty good test coverage. The newly-added example scripts, however, don’t yet have unit tests. Damian Johnson suggested ways to add unit tests for example scripts; if you want to help out, learn how to get started, start writing unit tests for the example scripts, and then comment on the ticket.

The traffic obfuscator obfsproxy should validate command-line arguments appropriately. Right now, it’s printing an error and continuing, but it should really abort. This sounds like a trivial change, but maybe there’s more to fix in the nearby code. If you like Python and want to give it a try, there’s more information for you on the ticket.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, Karsten Loesing, qbi, and Georg Koppen.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

10 years of collecting Tor directory data

Today is the 10th anniversary of collecting Tor directory data!

As the 2004 Tor design paper says, "As of mid-May 2004, the Tor network consists of 32 nodes (24 in the US, 8 in Europe), and more are joining each week as the code matures."

In fact, we still have the original relay lists from back then. The first archived Tor directory dates back to May 15, 2004. It starts with the following lines which are almost human-readable:

published 2004-05-15 07:30:57
running-routers moria1 moria2 tor26 incognito jap dizum
  cassandra metacolo poblano ned TheoryOrg Tonga
  peertech hopey tequila triphop moria4 anize rot52

As of today, May 15, 2014, there are about 4,600 relays in the Tor network and another 3,300 bridges. In these 10 years, we have collected a total of 212 GiB of bz2-compressed tarballs containing Tor directory data. That's more than 600 GiB of uncompressed data. And of course, the full archive is publicly available for download.

Here's a small selection of what people do with this fine archive:

If people want to use the Tor directory archive for their research or for building new applications, or want to help out with the projects listed above, don't hesitate to contact us!

Happy 10th birthday, Tor directory archive!

Tor Weekly News — May 14th, 2014

Welcome to the nineteenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.1 is released

On May 7th, version 3.6.1 of the Tor Browser was released. Apart from updating HTTPS Everywhere and NoScript, the new release mainly solves a regression experienced by proxy users.

The new version should not error out with “You have configured more than one proxy type” anymore.

More monthly status reports for April 2014

More monthly reports from Tor project members have arrived this week with submissions from Nicolas Vigier and Roger Dingledine.

Roger also sent the report for SponsorF. The Tails team has released theirs.

Miscellaneous news

ooniprobe 1.0.2 has been released. The new version brings security fixes, a manpage, a test for Tor bridge reachability among other improvements.

As the Tor blog should migrate away from its current decaying software, Eric Schaefer wrote to say that he had extracted all blog posts in a format ready for a static site generator. Comments are also available. One option would be to import them into a dedicated commenting system. Tom Purl has set up a test Juvia instance for anyone who wishes to give it a shot.

David Fifield released a new round of Tor Browser packages modified to include meek. “Unlike previous bundles […], these ones aren’t configured to use meek automatically. You have to select ‘Configure’ on the network settings screen and then choose meek from the list of transports.” Please give them a try!

Isis Lovecruft rewrote the email bridge distributor in order to fix some fundamental design problems with the old code. Reviews are welcome.

Tor help desk roundup

A relay operator contacted the Tor Help Desk after seeing the following message in the Tor log: “http status 400 ("Fingerprint is marked rejected") response from dirserver ''”.

One might see this message if one’s relay was found to be vulnerable to the Heartbleed OpenSSL bug and subsequently removed from the Tor consensus. Instructions for upgrading one’s relay are on the Tor project’s blog.

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, Karsten Loesing and Roger Dingledine.


Tor Browser 3.6.1 is released

The first pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features a fix for a regression with using a proxy for normal Tor usage. It does not yet allow the configuration of proxies for pluggable transports. We hope to fix that issue in the following point release.

This is not a security release — feel free to keep using TBB 3.6 if it's working for you.

Here is the complete changelog:

  • All Platforms
    • Update HTTPS-Everywhere to 3.5.1
    • Update NoScript to
    • Bug 11658: Fix proxy configuration for non-Pluggable Transports users
    • Backport Pending Tor Patches:
      • Bug 8402: Allow Tor proxy configuration while PTs are present
    • Note: The Pluggable Transports themselves have not been updated to support proxy configuration yet.

Tor Weekly News — May 7th, 2014

Welcome to the eighteenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor Browser 3.6 is released

The long-awaited Tor Browser 3.6 was finally declared stable on April 29th. Tor Browser 3.6 is the first version to fully integrate pluggable transports, enabling easier access to the Tor network on censored networks. The browser is based on the latest Firefox ESR 24.5.0 and includes a new round of security fixes.

When configuring how to access the Tor network, users can now select one of the included list of obfs3 or fte bridges. Using Flashproxy is also an option, but often requires further configuration on the local firewall and router. Manually specifying bridges is still an option, now with support for the aforementioned pluggable transports.

Many small usability enhancements have been made: Tor error messages are translated, the wording on several dialog windows has been improved based on user feedback, and Mac users now install the browser from the usual disk image format. Turkish localization has also been enabled.

Read the release announcement for a complete changelog. Be sure to upgrade!

Tails 1.0 is out

“Version 1.0 is often an important milestone that denotes the maturity of a free software project. The first public version of what would become Tails was released on June 23 2009 […]. That was almost five years ago. Tails 1.0 marks the 36th stable release since then.”

The release announcement could not have said it better. On top of the simple idea of having a system entirely running in memory that guarantees Tor usage for all network connections, Tails has been extended with a USB installer, automatic upgrades, persistence, support for Tor bridges, MAC address spoofing, extensive and translated documentation and many more features.

Over Tails 0.23, the new version brings security fixes from Firefox and Tor, an updated I2P, several enhancements to the Tor configuration interface, and the appearance of the new Tails logo.

More details are in the release announcement. For those who have not made use of the integrated updater, time to download the new version!

Monthly status reports for April 2014

The wave of regular monthly reports from Tor project members for the month of April has begun. Georg Koppen released his report first, followed by reports from Arthur D. Edelstein, Sherief Alaa, Karsten Loesing, Lunar, Nick Mathewson, Matt Pagan, Damian Johnson, George Kadianakis, Pearl Crescent, Colin C., Kevin Dyer, Isis Lovecruft, Kelley Misata, Arlo Breault, and Andrew Lewman.

Lunar also reported on behalf of the help desk, Mike Perry for the Tor Browser team, and Arturo Filastò for the OONI team.

Miscellaneous news

The Tails developers warned that two fake public keys have been found bearing email addresses associated with the project; do not trust these keys, or anything they may have been used to sign. You can check the real keys used to sign Tails software on the Tails website.

Erinn Clark alerted users of the Trac-based Tor wiki to the fact that a bug (now fixed) made it possible to register an account with an already-taken username, “overwriting the existing user’s password and thereby taking over the account”. “We recommend users try to login and if you find you are unable to do so, you can reset your password” on the appropriate Trac page.

Following up on previous discussions and a proposal on the topic of how to make hidden services scale, Christopher Baines went on and implemented a prototype, “for one possible design of how to allow distribution in hidden services”. The code and concrete design are up for feedback.

Daniel Martí sent out a list of proposed revisions — arrived at in discussion with other developers on IRC — to the now slightly outdated proposal 140, which forms the basis of his upcoming Google Summer of Code project to implement consensus diffs and so reduce the amount of information downloaded hourly by Tor clients. Among the proposals are support for microdescriptor consensus diffs and a time limit to prevent the leak of information about when Tor was last used; “ideas about what might be missing or needing an update are welcome”, wrote Daniel.

Alpha releases of Orbot v14 are now available for testing. They include support for the obfs3 and ScrambleSuit protocols, thanks to obfsclient.

Griffin Boyce solicited feedback on the first release of Satori, an “app for Google Chrome that distributes circumvention software in a difficult-to-block way and makes it easy for users to check if it’s been tampered with in-transit.”

Kelley Misata announced on the Tor Blog that this year’s Tor Summer Dev Meeting will be held between June 29th and July 4th at the French offices of Mozilla in Paris.

Also on the blog, Andrew Lewman announced that the temporary limit on donations to the Tor Project through Paypal has now been lifted.

Nicolas Vigier announced that the Tor Browser test suite will now be run automatically when a new build is ready. The results will be emailed to the tor-qa mailing list.

Nick Mathewson suggested that proposal 236, which deals with the proposed transition to single guard nodes for Tor clients, should include the retention of multiple guards for directory requests, since “trusting a single source for the completeness and freshness of your directory info is suboptimal.”

Jacob H. Haven, Mikhail Belous, and Noah Rahman each introduced their Tor-related projects for this year’s Google Summer of Code: Jacob’s project is titled “A Lightweight Censorship Analyzer for Tor”, and aims to “allow non-technical users to monitor censorship of Tor occurring in their country/network”; Mikhail will work to implement a multicore version of the tor daemon; and Noah plans on “refactoring Stegotorus more along DRY lines as well as enhancing and updating various handshaking protocols, and getting it ready to merge in upstream changes from its originators at SRI.”

Thanks to NetCologne and fr33tux for running mirrors of the Tor Project website!

Frederic Jacobs invited comments on an alternative Tor icon designed by a friend “for fun”.

Tor help desk roundup

Many users alerted the help desk to a new bug in Tor Browser 3.6 that prevents users from setting a proxy. Developers have said this bug is related to the introduction of Pluggable Transport support; a new Tor Browser release addressing this issue is expected this week.

News from Tor StackExchange

Tom Ritter wonders how the Exit Probability is calculated and wants to know if all values add up to 100 %. If anyone knows a good answer, please don’t hesitate to add it to the question.

user1698 wants to extend the number of Tor relays in a circuit, and asks if it is possible to have one with 5 or 6 nodes. Tom Ritter suggests that this is only possible when one changes the source code. There is another question which deals with extending the number of nodes in a circuit: Steven Murdoch warns the user in his answer that under some circumstances it might be possible to de-anonymize a person who is using this technique. Furthermore alaf discusses the performance, throughput and anonymity of longer circuits.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, qbi and the Tails team.


Paypal Account Limits now resolved

On April 24, 2014 Paypal notified us our account was being limited due to potentially fraudulent donations. According to Paypal, donors were claiming chargebacks to their credit card companies for fraudulent donations or purchases. We solely use Paypal to receive donations and therefore rely on Paypal's systems of validation and fraud detection. As a result of the limitations, a number of donors were denied the ability to donate. We appreciate your donations. As of April 30, the limits on our account have been lifted. Please consider a donation today.

We received around $67,000 from 4,700 individuals donating through Paypal in 2013. These donations are used to keep Tor running and developers improving Tor.

Tor Weekly News — April 30th, 2014

Welcome to the seventeenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor is released

The latest incarnation of the current development branch of Tor, dubbed, was released on April 26th. This release brings mainly security and performance improvements for clients and relays.

As a preventive measure (there being no evidence that the keys have been compromised), authority signing keys that were used while susceptible to the OpenSSL “heartbleed” bug are now blacklisted.

Other improvements include fixing two expensive functions on busy relays, better TLS ciphersuite preference lists, support for run-time hardening on compilers that support AddressSanitizer, and more work on the Linux sandbox code. There are also several usability fixes for clients (especially clients that use bridges), two new TransPort protocols supported (one on OpenBSD, one on FreeBSD), and various other bugfixes.

As Nick Mathewson wrote: “This release marks end-of-life for Tor 0.2.2.x; those Tor versions have accumulated many known flaws”.

Source code is available at the usual location and binary packages have already started to be updated.

Introducing the 2014 Google Summer of Code projects

As announced in February, Tor is once again participating in Google’s Summer of Code program, allowing students and aspiring developers the chance to work on a Tor-related project with funding from Google and expert guidance from Tor Project members. After several months of coordination and discussion, this summer’s successful proposals have now been chosen, and some of the students took to the tor-dev mailing list to introduce themselves and their upcoming work.

Juha Nurmi will continue to work on the already-operational hidden service search engine, while Marc Juarez will be “implementing the building blocks for a future padding-based website fingerprinting countermeasure as a pluggable transport”. Daniel Martí has taken up the challenge of implementing proposal 140, which aims to considerably reduce the size of the network consensus data that Tor clients fetch every hour, and Israel Leiva plans to spruce up the neglected GetTor service, which allows users to download the Tor Browser Bundle even if the Tor website and its mirrors are inaccessible. Amogh Pradeep will be contributing to the Guardian Project’s development of Orfox, a new Android web browser to be used with Orbot, while Kostas Jakeliunas returns to Tor GSoC to construct a new BridgeDB distributor, serving bridge addresses to users in censored areas over Twitter, and possibly other channels as well. Quinn Jarrell will be working on building a pluggable transports combiner that “will allow transports to be chained together to form more varieties of transports and make them harder to detect and block”. Sreenatha Bhatlapenumarthi will pick up the effort of rewriting Tor Weather.

You can read more about each proposal in the respective introductory messages and their replies; a full list of accepted projects is available on the Google Summer of Code website. As Daniel wrote, “comments are very welcome”!

Miscellaneous news

Meejah released version 0.9.2 of txtorcon — the Tor controller library for the Twisted Python framework: “this release adds a few minor bug-fixes and a few API enhancements”.

The Tails team is looking for enthusiasts equipped with a Bluetooth keyboard and mouse to ensure that Tails works properly with such hardware.

Matthew Finkel forwarded a copy of the email that was sent to bridge operators to warn them about the “Heartbleed” vulnerability, and the actions that should be taken as a result. If you know any bridge operator who might not have filled in their contact information, please forward the message!

Karsten Loesing has been working on switching Onionoo — the web service to retrieve information about the Tor network — to use the Gson library instead of plain string concatenation to format its JSON output. As the change might break some applications, client authors should test their applications and see if everything still works as it should.

Tor help desk roundup

The help desk has been asked why the Tor Project’s hidden service site mirrors are offline. The sites were taken down during the fallout from the Heartbleed security vulnerability. New hidden service addresses were not generated. The sysadmin team has expressed that they no longer wish to maintain these services.

News from Tor StackExchange

Kristopher Ives is working on a card game using Tor. Each user accepts inbound connections through hidden services, and also needs to make outbound connections. Tom Ritter acknowledged it was possible to use only one Tor daemon to do both.

Dan gets the error message “Cannot load XPCOM” whenever Tor Browser is started. Jens Kubieziel pointed to the discussion at #10789. The culprit is WebRoot Internet Security as it prevents the proper loading of all browser components; either uninstalling it or adding DLL files to the whitelist has helped other users.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, qbi, and Karsten Loesing.

