Lots of new Tor and Vidalia packages

New Vidalia and Tor releases mean lots and lots of new packages. You can download most of them from the download page.

RPM users: we'll have all of the RPMs up within the next 24 hours. Everyone else, read on for Tor Browser Bundle changelogs and other packages.

Bridge-by-Default Bundle

Tor Browser Bundle with Firefox 4

Tor Browser Bundle (2.2.24-1) alpha; suite=osx

  • Update Tor to
  • Update Vidalia to 0.2.12
  • Update NoScript to

Tor Browser Bundle (2.2.24-1) alpha; suite=linux

  • Update Tor to
  • Update Vidalia to 0.2.12
  • Update NoScript to
  • Fix missing extensions by putting them in the right location (closes: #2828)
  • Disable plugin searching (closes: #2827)

Tor Browser Bundle with Firefox 3.6

Windows 1.3.23: Released 2011-04-13

  • Update Vidalia to 0.2.12
  • Fix langpack mistake that made Firefox only use English

Linux 1.1.7: Released 2011-04-12

  • Update Tor to
  • Update Vidalia to 0.2.12
  • Update NoScript to

OS X 1.0.15: Released 2011-04-11

  • Update Tor to
  • Update Vidalia to 0.2.12
  • Update NoScript to

Tor is out

Tor fixes a variety of bugs, including a big bug that
prevented Tor clients from effectively using "multihomed" bridges,
that is, bridges that listen on multiple ports or IP addresses so users
can continue to use some of their addresses even if others get blocked.

Major bugfixes:

  • Fix a bug where bridge users who configure the non-canonical
    address of a bridge automatically switch to its canonical
    address. If a bridge listens at more than one address, it should be
    able to advertise those addresses independently and any non-blocked
    addresses should continue to work. Bugfix on Tor 0.2.0.x. Fixes
    bug 2510.
  • If you configured Tor to use bridge A, and then quit and
    configured Tor to use bridge B instead, it would happily continue
    to use bridge A if it's still reachable. While this behavior is
    a feature if your goal is connectivity, in some scenarios it's a
    dangerous bug. Bugfix on Tor; fixes bug 2511.
  • Directory authorities now use data collected from their own
    uptime observations when choosing whether to assign the HSDir flag
    to relays, instead of trusting the uptime value the relay reports in
    its descriptor. This change helps prevent an attack where a small
    set of nodes with frequently-changing identity keys can blackhole
    a hidden service. (Only authorities need upgrade; others will be
    fine once they do.) Bugfix on; fixes bug 2709.

Minor bugfixes:

  • When we restart our relay, we might get a successful connection
    from the outside before we've started our reachability tests,
    triggering a warning: "ORPort found reachable, but I have no
    routerinfo yet. Failing to inform controller of success." This
    bug was harmless unless Tor is running under a controller
    like Vidalia, in which case the controller would never get a
    REACHABILITY_SUCCEEDED status event. Bugfix on;
    fixes bug 1172.
  • Make directory authorities more accurate at recording when
    relays that have failed several reachability tests became
    unreachable, so we can provide more accuracy at assigning Stable,
    Guard, HSDir, etc flags. Bugfix on Resolves bug 2716.
    - Fix an issue that prevented static linking of libevent on
    some platforms (notably Linux). Fixes bug 2698; bugfix on
    versions (the versions introducing
    the --with-static-libevent configure option).
  • We now ask the other side of a stream (the client or the exit)
    for more data on that stream when the amount of queued data on
    that stream dips low enough. Previously, we wouldn't ask the
    other side for more data until either it sent us more data (which
    it wasn't supposed to do if it had exhausted its window!) or we
    had completely flushed all our queued data. This flow control fix
    should improve throughput. Fixes bug 2756; bugfix on the earliest
    released versions of Tor (svn commit r152).
  • Avoid a double-mark-for-free warning when failing to attach a
    transparent proxy connection. (We thought we had fixed this in, but it turns out our fix was checking the wrong
    connection.) Fixes bug 2757; bugfix on (the original
    bug) and (the incorrect fix).
  • When warning about missing zlib development packages during compile,
    give the correct package names. Bugfix on

Minor features:

  • Directory authorities now log the source of a rejected POSTed v3
    networkstatus vote.
  • Make compilation with clang possible when using
    --enable-gcc-warnings by removing two warning optionss that clang
    hasn't implemented yet and by fixing a few warnings. Implements
    ticket 2696.
  • When expiring circuits, use microsecond timers rather than
    one-second timers. This can avoid an unpleasant situation where a
    circuit is launched near the end of one second and expired right
    near the beginning of the next, and prevent fluctuations in circuit
    timeout values.
  • Use computed circuit-build timeouts to decide when to launch
    parallel introduction circuits for hidden services. (Previously,
    we would retry after 15 seconds.)

Packaging fixes:

  • Create the /var/run/tor directory on startup on OpenSUSE if it is
    not already created. Patch from Andreas Stieger. Fixes bug 2573.

Documentation changes:

  • Modernize the doxygen configuration file slightly. Fixes bug 2707.
  • Resolve all doxygen warnings except those for missing documentation.
    Fixes bug 2705.
  • Add doxygen documentation for more functions, fields, and types.

Vidalia 0.2.12 is released

The new release of Vidalia 0.2.12 is out. We'd also like to congratulate Tomás Touceda on his first release and thank him for all his work and patience in getting this out!

0.2.12 10-Apr-2011

  • Vidalia's SVN repository has been migrated to Git. All branches but
    master have been archived for later review, since SVN trunk had changed
    significantly; they should be reviewed later to determine whether
    they can and should still be merged. All \version $Id$ headers have been
    removed since Git does not support $Id$.
  • As part of the move, Vidalia's Trac is now at:
    All Trac numbers in Vidalia 0.2.12 and beyond refer to the new Trac
    entries. The old Trac is archived for posterity at:
  • Add support for Tor's ControlSocket as an alternative to ControlPort. It
    can be used for Linux maintainers to build a better default interaction
    between Tor and Vidalia by just setting the right permissions and file
    owner on the socket file for the connection. Using ControlSocket means
    you don't need to worry about authentication methods with ControlPort.
    Resolves bug 2091.
  • Add a way to edit arbitrary torrc entries while Tor is running. Now
    Vidalia users have more flexibility for configuring Tor. This change
    doesn't replace editing torrc directly, because on some systems
    (like Debian) Tor can't write to its torrc file. Resolves bug 2083.
  • Remove Vidalia's direct dependency on OpenSSL. This dependency had
    caused Vidalia to fail to run on FreeBSD (due to a bug in the FreeBSD
    ports collection) and Fedora 14 (due to an incompatibility between
    OpenSSL and Fedora's SELinux configuration). Resolves bug 2287 and
  • Restore compatibility with Windows 2000. An update to the MiniUPnPc
    library had introduced an unnecessary dependency on a system library
    not included in Windows 2000. Fixes bug 2612.
  • Fix how the advanced message log window displays message updates when
    messages are coming in too quickly, for example when you're listening
    to debug-level messages from Tor. Fixes bug 2093.
  • Add a what's this? link to the bridge option to explain in a more verbose
    fashion what being a bridge involves. Resolves bug 1995.
  • Prompt users to restart Tor after changing the path to torrc. Fixes bug
  • Disable the directory port configuration field when configuring a
    bridge. A bridge does not need to operate a separate directory port,
    and operating one can make a bridge easier to detect. Fixes bug 2431.
  • When Vidalia asks Tor for a bridge's usage history before anyone has
    used it, correctly report that no clients have used the bridge recently.
    Previously, it would incorrectly warn that it was unable to retrieve the
    bridge's usage history. Fixes bug 2186.

March 2011 Progress Report

Introducing a new monthly progress report format. Since June 2008, I've been posting the monthly reports we write for our sponsors as blog posts. The goal is to share with you, our community, what we do every month in an easy to understand, summarized way.

Over the past year, I've had a few requests to make these monthly progress reports into a file format people can take with them for reading offline. For all of 2011, I'm going to be attaching a PDF file (generated by LaTeX) to the reports.

I've gone back to January 2011 and February 2011 and attached the files to each post, respectively.

The PDF includes graphs and is generally much easier to read than printing the blog post to a PDF file.

The March 2011 Progress Report is attached to this post.

Vidalia: get involved!

Hello everyone, for those who don't know me, I'm the one that's taking care of Vidalia these days.

The other day I was contacted by paulproteus in the #vidalia IRC channel about an initiative they (OpenHatch) are organizing called "Build It".

The idea

Open Source projects live and die depending on contributors and people that want to see the project evolve, but this isn't so easy sometimes.
The guys behind the Build It initiative have a theory about this difficulty:

"...lots of users of free desktop software want to get involved in customizing or contributing to the project's development, but they haven't gotten to the first step of getting the program to compile."

Since I'm a Gentoo user for years now, the compilation part comes naturally to me and I haven't thought of this issue that way but it's an interesting approach.

The event

This week, people involved in Vidalia and other Open Source projects will be at a specific time online to help users (future developers, may be :) ) jump over this compilation wall. Particularly, Vidalia is scheduled for this Friday at 13:00 UTC in the same place as usual: #vidalia at OFTC.

While this event is taking place on a particular day and a particular time, I'm online all the time (even when I'm not in front of the computer). So if you want to contribute to Vidalia or any of the projects around Tor (or Tor itself), don't hesitate, just get online and start typing, but be patient and stick around. Also, you'd probably want to read this:

If you want to know more about the Buld It initiative, you can ask in #openhatch at Freenode, or read here:

tails anonymous operating system, version 0.7 released

The latest in the series, tail 0.7 livecd/liveusb anonymous operating system is released. The Amnesic Incognito Live System, version 0.7, is built on top of Debian Squeeze. The full changelog is available at

Highlight include updated Tor, better hardware and 3G modem support, https everywhere, more anonymity and privacy fixes, debian squeeze-based for updated software all around.

You can get it at

Arm Release 1.4.2


Hi, the next release of arm is now available. This one was focused on a full rewrite of the connection panel, improving its maintainability, performance, and (best of all) features. When rendered, the panel's baseline cpu usage is less than half of its previous incarnation, along with providing far more information...

- Full paths for your currently active Tor circuits
- Identification of the applications attached to your socks, hidden service, and control ports
- Identifying exit connections and the common uses for ports they're attached to
- Much better accuracy in identifying client and directory connections
- Expanded path information when there's space available (thanks to Fabian Keil)

... and many, many more enhancements and fixes. For the full list see:

Also, thanks to pyllyukko arm is now on so there's simple install options available for:
Debian, Ubuntu, Gentoo, Arch Linux, and Slackware

As always, screenshots and downloads are available from the project's homepage:

Cheers! -Damian

Trip report: Taipei

I visited Taipei for several days at the end of March to do some Tor talks and generally spread the Tor gospel to another near-China country. I ended up doing five Tor talks in three days.

The motivation was to find technical people in Taiwan and teach them more about the problems that Tor is facing, so they can be aware of these issues as they do their own part to make the world a safer place. I visited Hong Kong a few years ago, and did a talk at Hong Kong University as well as some meetings with human rights people. Many people I met said "if you want policy people, go to Hong Kong; if you want technical people, go to Taiwan." So I did.

The first talk was at the Open Source Developers Conference (OSDC 2011). I had a 75 minute keynote slot, and there were perhaps 200 people in the audience — mostly industry people with an interest in free software. Some of the participants, like Shun-Yun Hu, were quite technical and would make great local Tor advocates. I also got a chance to teach other speakers like Ingy and Jesse Vincent about what needs doing in Tor-land.

The second talk was to a group of 30 or 40 graduate students and professors at Táidà, the main Taiwanese university. They understood the security angles better than the OSDC audience, but what surprised me most was how few of them were aware of the recent political events in the Middle East. One of the most valuable aspects of Tor from an academic perspective is how it is a role model for security research influencing broader society.

The third talk was to a group of human rights activists and nonprofit organizers. I've left out names to protect the innocent; let me know if you need an introduction and I'd be happy to connect you. There were some very interesting lawyers, as well as more technical activists who work hard to make sure that Taiwan remains a free society.

The fourth talk was at the Institute of Information Science at Academia Sinica, the main Taiwanese research institution. I met with Peter Schwabe, a crypto post-doc who works with djb. I also did an interview for the Open Source Software Foundry — Taiwan's government-sponsored free software advocacy and education organization. You won't find one of those in the United States!

My last talk was to the Taipei Open Source Software User Group (TOSSUG), a group of 10 or 20 quite smart technical folks. They were by far my best audience in terms of understanding the technical side and also knowing why Tor is relevant to their society. Hopefully we'll get some volunteer developers and/or Google Summer of Code students.

Here are the slides I used, though the actual content changed from talk to talk. Overall, it was a worthwhile trip: I got to learn more about Taiwan's perspective on China and its censorship (which will help me in future talks and in planning Tor's future), people in Taiwan got to learn more about Tor, and I helped bootstrap a "human rights and Tor" community there. I've been invited back for two larger security conferences (in July and August), but alas they probably won't fit into my schedule, since I need to balance my time between advocacy, trainings, and actually getting development work done.

If you are in Taiwan and want some introductions, or you're somewhere else and want a Tor person to come do some trainings or talks, let me know!

Syndicate content Syndicate content