Blogs

Statement from the Tor Project re: the Court's February 23 Order in U.S. v. Farrell

Journalists have been asking us for our thoughts about a recent pdf about a judge deciding that a defendant shouldn't get any more details about how the prosecutors decided to prosecute him. Here is the statement we wrote for them:

"We read with dismay the Western Washington District Court's Order on Defendant's Motion to Compel issued on February 23, 2016, in U.S. v. Farrell. The Court held "Tor users clearly lack a reasonable expectation of privacy in their IP addresses while using the Tor network." It is clear that the court does not understand how the Tor network works. The entire purpose of the network is to enable users to communicate privately and securely. While it is true that users "disclose information, including their IP addresses, to unknown individuals running Tor nodes," that information gets stripped from messages as they pass through Tor's private network pathways.

This separation of identity from routing is key to why the court needs to consider how exactly the attackers got this person's IP address. The problem is not simply that the attackers learned the user's IP address. The problem is that they appear to have also intercepted and tampered with the user's traffic elsewhere in the network, at a point where the traffic does not identify the user. They needed to attack both places in order to link the user to his destination. This separation is how Tor provides anonymity, and it is why the previous cases about IP addresses do not apply here.

The Tor network is secure and has only rarely been compromised. The Software Engineering Institute ("SEI") of Carnegie Mellon University (CMU) compromised the network in early 2014 by operating relays and tampering with user traffic. That vulnerability, like all other vulnerabilities, was patched as soon as we learned about it. The Tor network remains the best way for users to protect their privacy and security when communicating online."

Tor Browser 6.0a2-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a2-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox. Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.

Additionally, we fixed a number of issues found with the release of Tor Browser 5.5, which already got addressed in Tor Browser 5.5.1, and we switched to a Debian Wheezy system for building the hardened series as well.

Note: There is no incremental update from 6.0a1-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 6.0a1-hardened:

Tor Browser 6.0a2-hardened -- February 15 2016

  • All Platforms
    • Update Firefox to 38.6.1esr
    • Update NoScript to 2.9.0.3
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux
  • Build System
    • Linux
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
      • Bug 18198: Building the hardened Tor Browser in a Debian Wheezy VM is broken

Tor Browser 6.0a2 is released

A new alpha Tor Browser release is available for download in the 6.0a2 distribution directory and on the alpha download page.

This release features important security updates to Firefox. Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.

Additionally, we fixed a number of issues found with the release of Tor Browser 5.5, which already got addressed in Tor Browser 5.5.1.

Here is the complete changelog since 6.0a1:

Tor Browser 6.0a2 -- February 15 2016

  • All Platforms
    • Update Firefox to 38.6.1esr
    • Update NoScript to 2.9.0.3
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux

Tor Browser 5.5.2 is released

Tor Browser 5.5.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library.

The full changelog since 5.5.1 is:

Tor Browser 5.5.2 -- February 12 2016

  • All Platforms
    • Update Firefox to 38.6.1esr
    • Update NoScript to 2.9.0.3

Tor Browser 5.5.1 is released

Tor Browser 5.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

Most notably, this release features fixes for regressions caused by our font fingerprinting defense: chinese users should have a functional Tor Browser again and emoji support is restored on OS X and Linux systems (we are still working on a fix for Windows).

Moreover, we fixed an oversight in one of our patches which broke some websites depending heavily on iframes.

The full changelog since 5.5 is:

Tor Browser 5.5.1 -- February 5 2016

  • All Platforms
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux

Tor 0.2.8.1-alpha is released

Tor 0.2.8.1-alpha has been released! You can download the source from the Tor website. Packages should be available over the next several days.

Tor 0.2.8.1-alpha is the first alpha release in its series. It includes numerous small features and bugfixes against previous Tor versions, and numerous small infrastructure improvements. The most notable features are a set of improvements to the directory subsystem.

PLEASE NOTE: This is an alpha release. Expect a lot of bugs. You should really only run this release if you're willing to find bugs and report them.

Changes in version 0.2.8.1-alpha - 2016-02-04

  • Major features (security, Linux):
    • When Tor starts as root on Linux and is told to switch user ID, it can now retain the capability to bind to low ports. By default, Tor will do this only when it's switching user ID and some low ports have been configured. You can change this behavior with the new option KeepBindCapabilities. Closes ticket 8195.
  • Major features (directory system):
    • When bootstrapping multiple consensus downloads at a time, use the first one that starts downloading, and close the rest. This reduces failures when authorities or fallback directories are slow or down. Together with the code for feature 15775, this feature should reduces failures due to fallback churn. Implements ticket 4483. Patch by "teor". Implements IPv4 portions of proposal 210 by "mikeperry" and "teor".
    • Include a trial list of default fallback directories, based on an opt-in survey of suitable relays. Doing this should make clients bootstrap more quickly and reliably, and reduce the load on the directory authorities. Closes ticket 15775. Patch by "teor". Candidates identified using an OnionOO script by "weasel", "teor", "gsathya", and "karsten".
    • Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled directory requests that they receive through their ORPort. You can disable this behavior using the new DirCache option. Closes ticket 12538.

  read more »

Tor Browser 6.0a1-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.0a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Note: There is no incremental update from 5.5a6-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 5.5a6-hardened:

  • All Platforms

    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.8.3
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)

Tor Browser 6.0a1 is released

A new alpha Tor Browser release is available for download in the 6.0a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

On the usability front we improved the setup wizard UI flow. We also changed the search bar URL for the DuckDuckGo search engine to its onion URL.

On the build system side, we switched the guest build VMs to Debian Wheezy for the Linux version (the previous versions were built using Ubuntu 10.04 LTS).

Here is the complete changelog since 5.5a6:

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.9
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18102+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
  • Build System
    • Linux
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)
Syndicate content Syndicate content