I first heard of what was to become the Tor Project around 2002. At that time, I don't think any of us realized how essential Tor was going to be to the Internet freedom movement.
Back in the 1990s, I had been a staff attorney at the Electronic Frontier Foundation (EFF) and was part of the legal team that sued the government on behalf of mathematician Dan Bernstein to make the use of encryption legal for non-military purposes like privacy protection. At that time, releasing encryption on the Internet required a license to be an arms dealer. The government claimed that its classification of encryption as a munition--right alongside B-1 bombers and flamethrowers--was a national security decision, making it difficult to challenge in court. EFF challenged the classification on First Amendment grounds, resulting in a court ultimately ruling that cryptographic source code was protected speech and making the use of encryption legal. This paved the way for electronic commerce, because now credit cards could be used on the Internet, with credit card numbers encrypted as part of the transactions. It also paved the way for individuals to use encryption to protect their private communications.
However, in reality, early attempts at widespread encryption were clunky and hard to use, and very few individuals were actually using encryption to protect their own privacy. Roger Dingledine began work on The Onion Router, or Tor, in 2002. Nick Mathewson was soon to follow (since he wanted it to work on his laptop). Many EFF staffers were familiar with Tor from the outset, and they believed it was one of the most promising tools being developed with the potential for widespread deployment of encryption for individual privacy protection.
In 2004, Nick and Roger approached EFF to see if we could help them find funding. EFF staffers were concerned that the Tor Project would fail if we didn't help. By this time I was EFF's executive director, and in October I asked the EFF board to amend our budget to allow for EFF to fund Tor ourselves. The board voted unanimously on the budget change, and tor.eff.org was born. EFF attorneys helped to write Tor's original FAQ; one of EFF's technologists helped to design the original Tor onion logo; and Tor was generally considered an EFF project at that time. When Nick and Roger were ready to go out on their own, I continued to help as best as I could, having EFF serve as Tor's fiscal sponsor, which enabled them to receive funding with nonprofit status until their own 501(c)(3) determination came through.
I've always been immensely proud of the Tor Project. What started as a proof of concept became what is today the strongest, most censorship-resistant privacy network in the world. Tor is an essential part of the Internet freedom infrastructure. And now I'm back working with Nick and Roger, this time building out Tor's operational side to complement its amazing technology. But building out the organization requires funding that is not restricted. That's why this end-of-year crowdfunding campaign is so important. We need your support to help Tor become sustainable over the long term. We have raised $75,000 since kicking it off, and need your help to break the $100K mark! Please give what you can to The Tor Project today. Don't forget: for a limited time, donations will be matched thanks to the generous contributions of Rabbi Rob and Lauren Thomas!
This release features important security updates to Firefox.
Additionally, we included updated versions for Tor (0.2.7.6), OpenSSL (1.0.1q), NoScript (2.7) and HTTPS-Everywhere (5.1.1). Moreover, we fixed an annoying bug in our circuit display (circuits weren't visible sometimes) and improved our fingerprinting defense against MIME type enumeration.
Tor Browser 5.0.5 comes with a banner supporting our donations campaign. The banner is visible on the about:tor page and features Roger Dingledine, Laura Poitras or Cory Doctorow, chosen at random.
These and all the other changes (minor bug fixes and new features) can be found in the complete changelog since 5.0.4:
- All Platforms
  - Update Firefox to 38.5.0esr
  - Update Tor to 0.2.7.6
  - Update OpenSSL to 1.0.1q
  - Update NoScript to 2.7
  - Update HTTPS Everywhere to 5.1.1
  - Update Torbutton to 188.8.131.52
  - Bug 16990: Avoid matching '250 ' to the end of node name
  - Bug 17565: Tor fundraising campaign donation banner
  - Bug 17770: Fix alignments on donation banner
  - Bug 17792: Include donation banner in some non en-US Tor Browsers
  - Translation updates
  - Bug 17207: Hide MIME types and plugins from websites
  - Bug 16909+17383: Adapt to HTTPS-Everywhere build changes
  - Bug 16863: Avoid confusing error when loop.enabled is false
  - Bug 17502: Add a preference for hiding "Open with" on download dialog
  - Bug 17446: Prevent canvas extraction by third parties (fixup of #6253)
  - Bug 16441: Suppress "Reset Tor Browser" prompt
  - Bug 17747: Add ndnop3 as new default obfs4 bridge
Rabbi Rob Thomas, founder and CEO of Team Cymru, is a member of The Tor Project's Board of Directors, and a loud and proud advocate for Tor and our first fundraising campaign.
Rabbi Rob and his wife have issued a challenge to the Tor community worldwide: donate to Tor by 11:59pm PST on December 31st and they will match your gift, dollar for dollar, up to $18,000.
Rob and his wife Lauren normally make their contributions to the causes they support anonymously, for spiritual purposes. But their deep and long-term support for Tor's sustainability has moved them to make a public challenge. Your gift to Tor will now have twice the impact.
"The internet cannot heal itself in the face of tyrants," Thomas says. "Tor is the salve that heals that wound; Tor is what allows us to route around tyranny."
Our deep gratitude to you Rabbi Rob and Lauren, and to all who join the challenge to #SupportTor.
I am honored to be joining the Tor Project today as the new Executive Director. I've been a big fan of Tor for a long time—ever since I met founders Roger Dingledine and Nick Mathewson in 2004 and learned about the important work they were doing to provide anonymity for online communications. Today Tor is an essential part of the Internet freedom infrastructure. Activists around the world depend on Tor, as do whistleblowers, victims of domestic violence, and regular citizens who care about their privacy.
This incredible team of people has built an amazing organization. I hope to help grow the Tor Project by building a more sustainable infrastructure and a more robust funding base, as well as by achieving greater adoption of Tor products by mainstream Internet users. There's a lot to be done, but I think we'll have fun while working to make the Internet safer and more secure.
I look forward to meeting many of you in the coming weeks and months, and I welcome your ideas and suggestions.
Yours in freedom,
At long last, I am thrilled to announce that our executive director search is now successful! And what a success it is: we have our good friend Shari Steele, who led EFF for 15 years, coming on board to lead us.
We've known Shari for a long time. She led EFF's choice to fund Tor back in 2004-2005. She is also the one who helped create EFF's technology department, which has brought us HTTPS Everywhere and their various guides and tool assessments.
Tor's technical side is world-class, and I am excited that Shari will help Tor's organizational side become great too. She shares our core values, she brings leadership in managing and coordinating people, she has huge experience in growing a key non-profit in our space, and her work pioneering EFF's community-based funding model will be especially valuable as we continue our campaign to diversify our funding sources.
Tor is part of a larger family of civil liberties organizations, and this move makes it clear that Tor is a main figure in that family. Nick and I will focus short-term on shepherding a smooth transition out of our "interim" roles, and after that we are excited to get back to our old roles actually doing technical work. I'll let Shari pick up the conversation from here, in her upcoming blog post.
Please everybody join me in welcoming Shari!
Here comes another stable release!
Tor version 0.2.7.6 fixes a major bug in entry guard selection, as well as a minor bug in hidden service reliability. (For more information on the guard bug, see Roger's preliminary analysis.)
You can download the source from the usual place on the website. Packages should be up within a few days.
Changes in version 0.2.7.6 - 2015-12-10
- Major bugfixes (guard selection):
  - Actually look at the Guard flag when selecting a new directory guard. When we implemented the directory guard design, we accidentally started treating all relays as if they have the Guard flag during guard selection, leading to weaker anonymity and worse performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered by Mohsen Imani.
- Minor features (geoip):
  - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2 Country database.
- Minor bugfixes (compilation):
  - When checking for net/pfvar.h, include netinet/in.h if possible. This fixes transparent proxy detection on OpenBSD. Fixes bug 17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
  - Fix a compilation warning with Clang 3.6: Do not check the presence of an address which can never be NULL. Fixes bug 17781.
- Minor bugfixes (correctness):
  - When displaying an IPv6 exit policy, include the mask bits correctly even when the number is greater than 31. Fixes bug 16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
  - The wrong list was used when looking up expired intro points in a rend service object, causing what we think could be reachability issues for hidden services, and triggering a BUG log. Fixes bug 16702; bugfix on 0.2.7.2-alpha.
  - Fix undefined behavior in the tor_cert_checksig function. Fixes bug 17722; bugfix on 0.2.7.2-alpha.
Being able to build Tor Browser several times in a row and getting exactly the same result each time has been an important feature for a while now. It provides a direct link between the source code we provide and the binary that Tor users are downloading and using to surf the web. This offers a number of benefits to all parties involved:
- Users can verify that they really got the binary they were supposed to get
- Pressure on developers to provide a bullet-proof build and signing setup is reduced
- Incentives to pressure release engineers into inserting backdoors into the code are reduced
From December 1-3, 2015 we had the opportunity to discuss these and other topics around reproducible builds with members of different projects. Thanks to the Linux Foundation, the Open Technology Fund and Google, developers from Debian, FreeBSD, NetBSD, Google, the Guardian Project, Coreboot and Tor (to name just a few) were able to attend. The workshop started with exchanging experiences with already existing systems (like Gitian, which we use for Tor Browser). During the three days of the meeting, work went on to explore together future directions for advocacy, commonly used tools, infrastructure and documentation.
We were especially pleased to see the fruitful collaboration on the operating systems level. While it is good to have a reproducible Tor Browser, the security guarantees that it provides are even stronger if the operating systems and the toolchains used to build it can be created reproducibly as well. Moreover, all participants agreed that non-reproducibility is essentially a defect that needs to be fixed. This allows us to treat workarounds (like using libfaketime to avoid timestamp differences in binaries) as mere band-aids and instead focus on addressing the root causes of non-determinism directly upstream.
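To make the timestamp problem concrete, here is an added illustration (not code from Tor Browser's Gitian setup or any project named above). It packs the same constructed files into a .tar.gz twice, as two independent builders would, and compares SHA-256 digests with and without fixing the sources of non-determinism in the packaging step itself. The file names, contents and build times are constructed sample values.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "build output": path -> contents.
FILES = {"bin/app": b"\x7fELF constructed payload", "README": b"constructed sample\n"}


def build_archive(files, build_time, normalize):
    """Pack files into a .tar.gz in memory and return its SHA-256 hex digest.

    normalize=False mimics a naive build: members are written in whatever
    order they were enumerated, and both the tar member mtimes and the gzip
    header carry the wall-clock build time.
    normalize=True removes those inputs: sorted member order, mtime pinned
    to 0, fixed owner fields, gzip header mtime pinned to 0.
    """
    names = sorted(files) if normalize else list(files)
    stamp = 0 if normalize else build_time
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mode = 0o644
            info.mtime = stamp
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return hashlib.sha256(out.getvalue()).hexdigest()


def independent_builds_match(normalize):
    """Two builders, a day apart, enumerating the files in different order."""
    first = build_archive(FILES, 1449100800, normalize)
    reordered = dict(reversed(list(FILES.items())))
    second = build_archive(reordered, 1449187200, normalize)
    return first == second


if __name__ == "__main__":
    print("naive builds match:     ", independent_builds_match(False))
    print("normalized builds match:", independent_builds_match(True))
```

Only when the digests match can a user or a second builder compare a downloaded archive against an independent rebuild of the same source.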
Thanks to Allen Gunn and the Aspiration team for the excellent facilitation and all participants for the productive and exciting time. See all of you at the next workshop!