Blogs

Tor Browser 5.5a5-hardened is released

We are pleased to announce the second release in our hardened Tor Browser series. The download can be found in the 5.5a5-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q) and NoScript (2.7). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes), isolated SharedWorkers to the first-party domain and improved our font fingerprinting defense.

On the usability side we improved the about:tor experience and started to use the bundled changelog to display new features and bug fixes after an update (instead of loading the blog post into a new tab). We'd love to hear feedback about both.

On the hardening side we are now compiling Firefox with -fwrapv. This mitigates possible issues with some types of undefined behavior in Mozilla's code.
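The kind of code -fwrapv affects, as an added example that is not taken from the Tor Browser or Mozilla sources: an overflow check that relies on signed wraparound, next to a form that does not depend on the flag. The function names and the input values are hypothetical and constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow test written the way much legacy code writes it: add first,
 * then look for wraparound. Signed overflow is undefined in ISO C, so at -O2
 * a compiler may fold this to `extra >= 0` and drop the check. With -fwrapv
 * the addition is defined to wrap and the comparison keeps its meaning. */
bool fits_posthoc(int len, int extra)
{
    return !(len + extra < len);
}

/* The value -fwrapv defines for a + b, computed through unsigned arithmetic
 * so the addition itself is defined with or without the flag (the conversion
 * back to int is implementation-defined; GCC and Clang reduce modulo 2^N). */
int wrapped_sum(int a, int b)
{
    return (int)((unsigned)a + (unsigned)b);
}

/* Flag-independent form of the same check: test the bound before adding. */
bool fits_portable(int len, int extra)
{
    if (extra >= 0)
        return len <= INT_MAX - extra;
    return len >= INT_MIN - extra;
}

int main(void)
{
    int len = INT_MAX - 2, extra = 8;   /* constructed overflowing input */

    printf("wrapped sum (-fwrapv semantics): %d\n", wrapped_sum(len, extra));
    printf("portable check says it fits:     %d\n", fits_portable(len, extra));
    /* The next result depends on the build flags: compare the output of
     * `cc -O2` with that of `cc -O2 -fwrapv`. */
    printf("post-hoc check says it fits:     %d\n", fits_posthoc(len, extra));
    return 0;
}
```

The flag keeps checks like `fits_posthoc` from being optimized away, but it does not make the wrapped value correct for the caller; the pre-check form remains the fix in the code itself.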

Tor Browser 5.5a5-hardened comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.

Note: There are no incremental updates from 5.5a4-hardened available this time due to a bug we detected while building. The internal updater should still work, though, by doing a complete update.

Here is the complete changelog since 5.5a4-hardened:

  • Update Firefox to 38.5.0esr
  • Update Tor to 0.2.7.6
  • Update OpenSSL to 1.0.1q
  • Update NoScript to 2.7
  • Update Torbutton to 1.9.4.2
    • Bug 16940: After update, load local change notes
    • Bug 16990: Avoid matching '250 ' to the end of node name
    • Bug 17565: Tor fundraising campaign donation banner
    • Bug 17770: Fix alignments on donation banner
    • Bug 17792: Include donation banner in some non en-US Tor Browsers
    • Bug 17108: Polish about:tor appearance
    • Bug 17568: Clean up tor-control-port.js
    • Translation updates
  • Update Tor Launcher to 0.2.8.1
    • Bug 17344: Enumerate available language packs for language prompt
    • Code clean-up
    • Translation updates
  • Bug 12516: Compile Tor Browser with -fwrapv
  • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
  • Bug 15564: Isolate SharedWorkers by first-party domain
  • Bug 16940: After update, load local change notes
  • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
  • Bug 17747: Add ndnop3 as new default obfs4 bridge
  • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
  • Bug 17369: Disable RC4 fallback
  • Bug 17442: Remove custom updater certificate pinning
  • Bug 16863: Avoid confusing error when loop.enabled is false
  • Bug 17502: Add a preference for hiding "Open with" on download dialog
  • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
  • Bug 16441: Suppress "Reset Tor Browser" prompt

Tor Browser 5.5a5 is released

A new alpha Tor Browser release is available for download in the 5.5a5 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q) and NoScript (2.7). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes), isolated SharedWorkers to the first-party domain and improved our font fingerprinting defense.

On the usability side we improved the about:tor experience and started to use the bundled changelog to display new features and bug fixes after an update (instead of loading the blog post into a new tab). We'd love to hear feedback about both.

Tor Browser 5.5a5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.

Here is the complete changelog since 5.5a4:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update Torbutton to 1.9.4.2
      • Bug 16940: After update, load local change notes
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Translation updates
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 16441: Suppress "Reset Tor Browser" prompt
  • Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
  • OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface

Tor Browser 5.0.6 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox which we missed in our update to Tor Browser 5.0.5. We are sorry for this inconvenience.

This change is the only one in the changelog since 5.0.5:

  • All Platforms
    • Bug 17877: Tor Browser 5.0.5 is using the wrong Mozilla build tag

The changes made in 5.0.5 are the following:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 17747: Add ndnop3 as new default obfs4 bridge

This is What a Tor Supporter Looks Like: Shari Steele



Shari Steele and Her Daughter Hanna

I first heard of what was to become the Tor Project around 2002. At that time, I don't think any of us realized how essential Tor was going to be to the Internet freedom movement.

Back in the 1990s, I had been a staff attorney at the Electronic Frontier Foundation (EFF) and was part of the legal team that sued the government on behalf of mathematician Dan Bernstein to make the use of encryption legal for non-military purposes like privacy protection. At that time, releasing encryption on the Internet required a license to be an arms dealer. The government claimed that its classification of encryption as a munition--right alongside B-1 bombers and flamethrowers--was a national security decision, making it difficult to challenge in court. EFF challenged the classification on First Amendment grounds, resulting in a court ultimately ruling that cryptographic source code was protected speech and making the use of encryption legal. This paved the way for electronic commerce, because now credit cards could be used on the Internet, with credit card numbers encrypted as part of the transactions. It also paved the way for individuals to use encryption to protect their private communications.

However, in reality, early attempts at widespread encryption were clunky and hard to use, and very few individuals were actually using encryption to protect their own privacy. Roger Dingledine began work on The Onion Router, or Tor, in 2002. Nick Mathewson was soon to follow (since he wanted it to work on his laptop). Many EFF staffers were familiar with Tor from the outset, and they believed it was one of the most promising tools being developed with the potential for widespread deployment of encryption for individual privacy protection.

In 2004, Nick and Roger approached EFF to see if we could help them find funding. EFF staffers were concerned that the Tor Project would fail if we didn't help. By this time I was EFF's executive director, and in October I asked the EFF board to amend our budget to allow for EFF to fund Tor ourselves. The board voted unanimously on the budget change, and tor.eff.org was born. EFF attorneys helped to write Tor's original FAQ; one of EFF's technologists helped to design the original Tor onion logo; and Tor was generally considered an EFF project at that time. When Nick and Roger were ready to go out on their own, I continued to help as best as I could, having EFF serve as Tor's fiscal sponsor, which enabled them to receive funding with nonprofit status until their own 501(c)(3) determination came through.

I've always been immensely proud of the Tor Project. What started as a proof of concept became what is today the strongest, most censorship-resistant privacy network in the world. Tor is an essential part of the Internet freedom infrastructure. And now I'm back working with Nick and Roger, this time building out Tor's operational side to complement its amazing technology. But building out the organization requires funding that is not restricted. That's why this end-of-year crowdfunding campaign is so important. We need your support to help Tor become sustainable over the long term. We have raised $75,000 since kicking it off, and need your help to break the $100K mark! Please give what you can to The Tor Project today. Don't forget: for a limited time, donations will be matched thanks to the generous contributions of Rabbi Rob and Lauren Thomas!

Tor Browser 5.0.5 is released

A new stable release for Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q), NoScript (2.7) and HTTPS-Everywhere (5.1.1). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes) and improved our fingerprinting defense against MIME type enumeration.

Tor Browser 5.0.5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.

These and all the other changes (minor bug fixes and new features) can be found in the complete changelog since 5.0.4:

  • All Platforms
    • Update Firefox to 38.5.0esr
    • Update Tor to 0.2.7.6
    • Update OpenSSL to 1.0.1q
    • Update NoScript to 2.7
    • Update HTTPS Everywhere to 5.1.1
    • Update Torbutton to 1.9.3.7
      • Bug 16990: Avoid matching '250 ' to the end of node name
      • Bug 17565: Tor fundraising campaign donation banner
      • Bug 17770: Fix alignments on donation banner
      • Bug 17792: Include donation banner in some non en-US Tor Browsers
      • Translation updates
    • Bug 17207: Hide MIME types and plugins from websites
    • Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
    • Bug 16863: Avoid confusing error when loop.enabled is false
    • Bug 17502: Add a preference for hiding "Open with" on download dialog
    • Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
    • Bug 16441: Suppress "Reset Tor Browser" prompt
    • Bug 17747: Add ndnop3 as new default obfs4 bridge

Double Your Donation: Rabbi Rob and Lauren Thomas Announce Matching Challenge for #SupportTor



Rabbi Rob Thomas

Rabbi Rob Thomas, founder and CEO of Team Cymru, is a member of The Tor Project's Board of Directors, and a loud and proud advocate for Tor and our first fundraising campaign.

Rabbi Rob and his wife have issued a challenge to the Tor community worldwide: donate to Tor by 11:59pm PST on December 31st and they will match your gift, dollar for dollar, up to $18,000.

Rob and his wife Lauren normally make their contributions to the causes they support anonymously, for spiritual purposes. But their deep and long-term support for Tor's sustainability has moved them to make a public challenge. Your gift to Tor will now have twice the impact.

"The internet cannot heal itself in the face of tyrants," Thomas says. "Tor is the salve that heals that wound; Tor is what allows us to route around tyranny."

Our deep gratitude to you Rabbi Rob and Lauren, and to all who join the challenge to #SupportTor.

Greetings from Tor's New Executive Director


Shari Steele

I am honored to be joining the Tor Project today as the new Executive Director. I've been a big fan of Tor for a long time—ever since I met founders Roger Dingledine and Nick Mathewson in 2004 and learned about the important work they were doing to provide anonymity for online communications. Today Tor is an essential part of the Internet freedom infrastructure. Activists around the world depend on Tor, as do whistleblowers, victims of domestic violence, and regular citizens who care about their privacy.

This incredible team of people has built an amazing organization. I hope to help grow the Tor Project by building a more sustainable infrastructure and a more robust funding base, as well as by achieving greater adoption of Tor products by mainstream Internet users. There's a lot to be done, but I think we'll have fun while working to make the Internet safer and more secure.

I look forward to meeting many of you in the coming weeks and months, and I welcome your ideas and suggestions.

Yours in freedom,
Shari Steele

Announcing Shari Steele as our new executive director

At long last, I am thrilled to announce that our executive director search is now successful! And what a success it is: we have our good friend Shari Steele, who led EFF for 15 years, coming on board to lead us.

We've known Shari for a long time. She led EFF's choice to fund Tor back in 2004-2005. She is also the one who helped create EFF's technology department, which has brought us HTTPS Everywhere and their various guides and tool assessments.

Tor's technical side is world-class, and I am excited that Shari will help Tor's organizational side become great too. She shares our core values, she brings leadership in managing and coordinating people, she has huge experience in growing a key non-profit in our space, and her work pioneering EFF's community-based funding model will be especially valuable as we continue our campaign to diversify our funding sources.

Tor is part of a larger family of civil liberties organizations, and this move makes it clear that Tor is a main figure in that family. Nick and I will focus short-term on shepherding a smooth transition out of our "interim" roles, and after that we are excited to get back to our old roles actually doing technical work. I'll let Shari pick up the conversation from here, in her upcoming blog post.

Please everybody join me in welcoming Shari!
