Tor Browser 6.0a1 is released

A new alpha Tor Browser release is available for download in the 6.0a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

On the usability front we improved the setup wizard UI flow. We also changed the search bar URL for the DuckDuckGo search engine to its onion URL.

On the build system side, we switched the guest build VMs to Debian Wheezy for the Linux version (the previous versions were built using Ubuntu 10.04 LTS).

Here is the complete changelog since 5.5a6:

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.9
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18102+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
  • Build System
    • Linux
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Tor Browser 5.5 is released

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we isolate Shared Workers to the first-party domain now and further improved our keyboard fingerprinting defense.

We also made progress on the usability side: Tor Browser is now available in another locale, Japanese; the changes in a new Tor Browser version are shown immediately after an update; and the about:tor appearance has been polished. Last but not least, we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Tails 2.0 is out

We are especially proud to present Tails 2.0, the first version of Tails based on:

  • GNOME Shell, with lots of changes in the desktop environment.
  • Debian 8 (Jessie), which upgrades most included software and improves many things under the hood.

This release fixes many security issues and users should upgrade as soon as possible.

New features

Tails now uses the GNOME Shell desktop environment, in its Classic mode. GNOME Shell provides a modern, simple, and actively developed desktop environment. The Classic mode keeps the traditional Applications, Places menu, and windows list. Accessibility and non-Latin input sources are also better integrated.

To find your way around, read our introduction to GNOME and the Tails desktop.

Upgrades and changes

  • Debian 8 upgrades most included software, for example:

    • Many core GNOME utilities from 3.4 to 3.14: Files, Disks, Videos, etc.
    • LibreOffice from 3.5 to 4.3
    • PiTiVi from 0.15 to 0.93
    • Git from 1.7.10 to 2.1.4
    • Poedit from 1.5.4 to 1.6.10
    • Liferea from 1.8.6 to 1.10
  • Update Tor Browser to 5.5 (based on Firefox 38.6.0 ESR):

    • Add Japanese support.
  • Remove the Windows camouflage which is currently broken in GNOME Shell. We started working on adding it back but your help is needed!

  • Change to systemd as init system and use it to:

    • Sandbox many services using Linux namespaces and make them harder to exploit.
    • Make the launching of Tor and the memory wipe on shutdown more robust.
    • Sanitize our code base by replacing many custom scripts.
  • Update most firmware packages which might improve hardware compatibility.

  • Notify the user if Tails is running from non-free virtualization software.

  • Remove Claws Mail, replaced by Icedove, a rebranded version of Mozilla Thunderbird.

Fixed problems

  • HiDPI displays are better supported. (#8659)

  • Remove the option to open a download with an external application in Tor Browser as this is usually impossible due to the AppArmor confinement. (#9285)

  • Close Vidalia before restarting Tor.

  • Allow Videos to access the DVD drive. (#10455, #9990)

  • Allow configuring printers without administration password. (#8443)

Known issues

  • Tor Browser 5.5 introduces protection against fingerprinting but due to an oversight it is not enabled in Tails 2.0. However, this is not so bad for Tails users since each Tails system has the same fonts installed, and hence will look identical, so this only means that it's easy to distinguish whether a user of Tor Browser 5.5 uses Tails or not. That is already easy given that Tails has the AdBlock Plus extension enabled, unlike the normal Tor Browser.

See the current list of known issues.

Installing

We also completely redesigned our download and installation instructions to make it easier to get started with Tails.

For example, you can now verify the ISO image automatically from Firefox using a special add-on.

You can also install or upgrade Tails directly from Debian or Ubuntu using the tails-installer package.

Try our new installation assistant.

Upgrading

Tails changed so much since version 1.8.2 that it is impossible to provide an automatic upgrade. We recommend you follow our new manual upgrade instructions instead.

What's coming up?

The next Tails release is scheduled for March 6.

Have a look at our roadmap to see where we are heading.

We need your help and there are many ways to contribute to Tails (donating is only one of them). Come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Tor's First Crowdfunding Campaign



When we launched this first crowd funding campaign, we weren’t sure what would happen. We knew we wanted to diversify our funding sources; crowd funding gives us flexibility to do what we think is most important, when we want to do it. It allows us to fund the development of powerful new privacy tools. Or make the ones we have stronger and more resilient. Or pay for things we need like a funded help desk or an Arabic version of our web site.

But we didn’t know if people who like Tor would actually invest in our independence.

Now we do.

Together, our community has contributed $205,874 from 5,265 people to support Tor in this first crowdfunding campaign. We are so excited.

What we’ve seen, we think, is our community in action—our whole community finding ways to support us—by making a donation, or by sending us a bug bounty as GitHub hackers did. By making a matching donation, or just pinging their friends to help out.

Following our theme "This Is What a Tor Supporter Looks Like," you sent in photos of yourselves in Tor t-shirts doing back bends or teaching your daughters how to use Tor Browser, or covering your face to preserve your anonymity but trumpet your support for Tor.

You sent fundraising notes to giant email lists. You tweeted screenshots of your donations. You bragged about your Tor relays (thank you) to inspire others. Some of you pointed out that Tor has saved your life.

The international Tor community rose up to support Tor’s independence in every way it could think of. And independence is power. Power to defend the rights of human rights activists. Power to defend the privacy of all of us.

Even though we’re a privacy organization, we found out what a Tor supporter looks like. It's someone who takes action to support their right to privacy.

Thank you.

Our deepest thanks to Tor’s wonderful champions, who put on the T-shirt first and took the plunge to support Tor in our first-ever campaign:

Laura Poitras

Roger Dingledine

Amanda Palmer and baby Anthony

Nick Merrill

Andy Bichlbaum

Molly Crabapple

Rabbi Rob and Lauren Thomas

Shari Steele

Cory Doctorow

Ben Wizner

Daniel Ellsberg and Patricia Marx Ellsberg

Alison Macrina

Edward Snowden

Giordano Nanni

Susan Landau

Ethan Zuckerman

Jacob Appelbaum

By Kate Krauss, for Tor's fundraising team:

Isabela Bagueros, Juris Vetra, Leiah Jansen, Mike Perry, Shari Steele, Sue Gardner, Katherine Bergeron, Nima Fatemi, Sebastian Hahn, Roger Dingledine, Nick Mathewson, Ben Moskowitz, Jacob Appelbaum, Katina Bishop, Colin Childs, and Kate Krauss.

Transparency, Openness, and our 2014 Financials

After completing the standard audit, our 2014 state and federal tax filings are available. We publish all of our related tax documents because we believe in transparency.

Tor's annual revenue in 2014 held steady at about $2.5 million. Tor's budget is modest considering the number of people involved and the impact we have. And it is dwarfed by the budgets that our adversaries are spending to make the world a more dangerous and less free place.

To achieve our goals, which include scaling our user base, we fund about 20 contractors and staff members (some part time, some full time) and rely on thousands of volunteers to do everything from systems administration to outreach. Our relay operators are also volunteers, and in 2014 we grew their number to almost 7,000 — helped along by the Electronic Frontier Foundation's wonderful Tor Challenge, which netted 1,635 relays. Our user base is up to several million people each day.

Transparency doesn't just mean that we show you our source code (though of course we do). The second layer to transparency is publishing specifications to explain what we thought we implemented in the source code. And the layer above that is publishing design documents and research papers to explain why we chose to build it that way, including analyzing the security implications and the tradeoffs of alternate designs. The reason for all these layers is to help people evaluate every level of our system: whether we chose the right design, whether we turned that design into a concrete plan that will keep people safe, and whether we correctly implemented this plan. Tor gets a huge amount of analysis and attention from professors and university research groups down to individual programmers around the world, and this consistent peer review is one of our core strengths over the past decade.

As we look toward the future, we are grateful for our institutional funding, but we want to expand and diversify our funding too. The recent donations campaign is a great example of our vision for future fundraising. We are excited about the future, and we invite you to join us: donate, volunteer, and run a Tor relay.

This Is What a Tor Supporter Looks Like – Jacob Appelbaum

Jacob Appelbaum says that a number of Tor's development projects are inspired by the needs of the people that Tor works with around the world. Many of these people are working on the front lines of human rights and political activism.

“When working with Laura Poitras it became clear that there were key areas where improving her ability to use anonymity and encryption software would greatly strengthen her ability to continue her work. We brought some of these concerns and ideas into the initial development of Torbirdy and other Tor development efforts. Often my role is to understand needs of users in a given terrain of struggle and to help with the creation of prototypes to assist them.”

"This is all a team effort - many of our prototypes go on to become full fledged projects. The people involved in the Tor Project are spread across the world and put in an amazing amount of effort."

Both Appelbaum and Tor co-founder Roger Dingledine have taught activists around the world to use Tor. As an example, in Tunisia, they taught people to use encryption tools as part of a larger strategy. The tools themselves are part of a way of thinking about not only security and technology but also about operational security issues more generally. The tactics required to resist mass surveillance, targeted surveillance and repression generally are not merely technical: they are also social, economic and political.

Appelbaum and colleagues have also worked with hundreds of people from around the globe who are fighting for basic human rights in their respective countries, including lawyers, politicians, human rights activists, technologists, medical doctors, journalists and academics. The stakes are sometimes high - many people they have worked with are in danger through extreme surveillance because of their work, and for some, learning to use anonymity and encryption tools like Tor could literally save their lives.

In his context working with and as a journalist, Appelbaum says: “One of the things we’ve found and that we've published, which is good news, is that when the NSA does intercepts on people and they see encrypted messages from their encrypted Jabber chats… they say, ‘Sorry, can’t decrypt this – it’s off the record.’ That’s great. It means that we are correct: math constrains these systems of surveillance, which include and promote systems of violence and political oppression. Mathematics actually stops them and forces them to move from passive to active actions. It means that we can use cryptography to protect ourselves and to move ourselves into a world where attacks become detectable. Tor and other Free Software encryption tools such as Off-The-Record messaging, Signal and many others aid us in stopping these systems of violence and political oppression from growing.”

Appelbaum goes on to add, "The Tor Project is very lucky to have such a passionate community of developers, relay operators, and volunteers. So much of what we do depends on the generosity of our surrounding community that I am often humbled by their accomplishments. I look forward to campaigns like this one helping to create a more sustainable Tor, so that we can better support and honor the contributions and hard work of everyone involved."

Please join Jacob in supporting the Tor Project today!

Tor Browser 5.5a6-hardened is released

A new hardened Tor Browser release is available. It can be found in the 5.5a6-hardened distribution directory and on the download page for hardened builds.

This release features an important fix for a crash bug in one of our patches. All users are encouraged to update immediately as this bug is probably exploitable if JavaScript is enabled. The bug was not exploitable at High security level, or on non-HTTPS websites at Medium-High security level.

Note: There is no incremental update from 5.5a5-hardened available due to bug 17858. We plan to have this fixed for the next release. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 5.5a5-hardened:

  • All Platforms
    • Update NoScript to 2.9
    • Update HTTPS Everywhere to 5.1.2
    • Bug 17931: Tor Browser crashes in LogMessageToConsole()
    • Bug 17875: Discourage editing of torrc-defaults

Tor Browser 5.5a6 is released

A new alpha Tor Browser release is available for download in the 5.5a6 distribution directory and on the alpha download page.

This release features an important fix for a crash bug in one of our patches. All users are encouraged to update immediately as this bug is probably exploitable if JavaScript is enabled. The bug was not exploitable at High security level, or on non-HTTPS websites at Medium-High security level.

In the past, signing Windows .exe files on a Linux machine caused verification errors on some Windows 10 systems. This should be fixed by adding the intermediate certificate in the signing process now.

Here is the complete changelog since 5.5a5:

  • All Platforms
    • Update NoScript to 2.9
    • Update HTTPS Everywhere to 5.1.2
    • Bug 17931: Tor Browser crashes in LogMessageToConsole()
    • Bug 17875: Discourage editing of torrc-defaults
    • Bug 17870: Add intermediate certificate for authenticode signing