tor

Tor help desk expands with four more languages

When we first launched the Tor help desk back in November 2011, we provided support in English and Farsi. We recently expanded the help desk with four more languages: Arabic, French, Mandarin, and Spanish. The help desk is a best effort service with no guarantees, but we generally respond within 48 hours.

For support in English, email help@rt.torproject.org. For other languages, try:

help-ar@rt.torproject.org for Arabic
help-es@rt.torproject.org for Spanish
help-fa@rt.torproject.org for Farsi
help-fr@rt.torproject.org for French
help-zh@rt.torproject.org for Mandarin

Introduction to Digital Security With the CIJ

On Monday the 25th of March, the Centre for Investigative Journalism in London organized a free event where journalists could learn more about digital security. I was invited to speak about Tor, other speakers covered OTR, TrueCrypt, GPG, and mobile security.

The attendees were divided into five groups, and each speaker had 20-25 minutes with each group. I gave out USB sticks with the Tor Browser Bundle, the Pluggable Transports Bundle, the short user manual, and the 2012 annual report.

I talked a bit about the history of Tor and the Tor Project, discussed a few different threats, mentioned hidden services, listed a few examples of real world use, and helped everyone get the Tor Browser Bundle up and running. I did not have access to a projector or whiteboard, so I did my best to illustrate how Tor works by drawing boxes, arrows, blobs, and stick figures on a piece of paper.

A number of people asked if we had some sort of document or manual explaining all the topics covered at this event. I mentioned Security in a box and the FLOSS Manuals, but also pointed out that there is currently no single document available, that I am aware of, which explains all of these topics.

I have previously discussed creating such a document with the Rory Peck Trust, which is a London based organization that specializes in safety, security and professional development for freelance journalists. I mentioned this again when I met with them the day after the CIJ event, and I’m looking forward to seeing the end result in a few months.

Thanks to the Centre for Investigative Journalism for hosting the event and inviting me.

JOIN US - Tor Project Boston Hack Day Event - March 20, 2013 - Hosted by Boston University's Department of Computer Science

Join us for a unique public hack day event where you will have an opportunity to work in a highly collaborative, interactive environment with Tor's team of technology and research experts. Topics for the day will be determined by the attendees; so bring your ideas, questions, projects and technical expertise with you! Continental breakfast will be provided.

Wednesday, March 20, 2012
9 am until 5 pm
BU Computer Science Dept, 111 Cummington Mall, Boston, MA - ROOM 148
Directions: http://www.bu.edu/cs/about/directions-and-contact/

Hosted by Boston University's Department of Computer Science

For more information or questions contact, execdir@torproject.org.

New Tor Browser Bundles with Firefox 17.0.3esr

We've updated all of the bundles with Firefox 17.0.3esr. This includes significant changes to Torbutton and its interaction with Firefox, in addition to many new patches being added to Firefox, which are outlined below.

Very important: if you've been using the Tor Browser Bundles with Firefox 10.0.x, you must not attempt to overwrite it with the new bundle. Open these into their own directory and do not copy any profile material from older TBB versions.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-4)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

The following Firefox patch changes are also included in this release:

  • Isolate image cache to url bar domain (closes: #5742 and #6539)
  • Enable DOM storage and isolate it to url bar domain (closes: #6564)
  • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Tor Browser Bundle (2.4.10-alpha-2)

  • Update Firefox to 17.0.3esr
  • Downgrade OpenSSL to 1.0.0k
  • Update libpng to 1.5.14
  • Update NoScript to 2.6.5.7
  • Firefox patch changes:
    • Exempt remote @font-face fonts from font limits (and prefer them).
      (closes: #8270)
      • Remote fonts (aka "User Fonts") are not a fingerprinting threat, so
        they should not count towards our CSS font count limits. Moreover,
        if a CSS font-family rule lists any remote fonts, those fonts are
        preferred over the local fonts, so we do not reduce the font count
        for that rule.
      • This vastly improves rendering and typography for many websites.
    • Disable WebRTC in Firefox build options. (closes: #8178)
      • WebRTC isn't slated to be enabled until Firefox 18, but the code
        was getting compiled in already and is capable of creating UDP Sockets
        and bypassing Tor. We disable it from build as a safety measure.
    • Move prefs.js into omni.ja and extension-overrides. (closes: #3944)
      • This causes our browser pref changes to appear as defaults. It also
        means that future updates of TBB should preserve user pref settings.
    • Fix a use-after-free that caused crashing on MacOS (closes: #8234)
    • Eliminate several redundant, useless, and deprecated Firefox pref settings
    • Report Firefox 17.0 as the Tor Browser user agent
    • Use Firefox's click-to-play barrier for plugins instead of NoScript
    • Set the Tor SOCKS+Control ports to 9150, 9151 respectively on all platforms
      • This fixes a SOCKS race condition with our SOCKS autoport configuration
        and HTTPS-Everywhere's Tor test. Firefox 17 appears to cache proxy
        settings per URL now, which resulted in a proxy error for
        check.torproject.org if we lost the race.
  • Torbutton was updated to 1.5.0. The following issues were fixed:
    • Remove old toggle observers and related code (closes: #5279)
    • Simplify Security Preference UI and associated pref updates (closes: #3100)
    • Eliminate redundancy in our Flash/plugin disabling code (closes: #1305)
    • Leave most preferences under Tor Browser's control (closes: #3944)
    • Disable toggle-on-startup and crash detection logic (closes: #7974)
    • Disable/remove toggle-mode code and related observers (closes: #5279)
    • Add menu hint to Torbutton icon (closes: #6431)
    • Make Torbutton icon flash a warning symbol if TBB is out of date (closes: #7495)
    • Perform version check every time there's a new tab. (closes: #6096)
    • Rate limit version check queries to once every 1.5hrs max. (closes: #6156)
    • misc: Allow WebGL and DOM storage.
    • misc: Disable independent Torbutton updates
    • misc: Change the recommended SOCKSPort to 9150 (to match TBB)

New Firefox 17 and Tor alpha bundles

We have some test Tor Browser Bundles available for testing! They contain Firefox 17.0.2esr which we're planning to switch to in February. Just as a reminder: these are alpha bundles. We're still testing them ourselves but we want to get them out for wider circulation so we can find out about any dealbreaker bugs before moving Firefox 17 into the stable bundles. For the more sophisticated users out there, we'd love it if you could run Wireshark with the bundles and let us know if you see anything untoward.

Alpha Tor Browser Bundles can be downloaded here:

https://www.torproject.org/projects/torbrowser.html.en

All of the Tor packages have been updated with Tor 0.2.4.9-alpha as well.

https://www.torproject.org/download/download-easy

Tor Browser Bundle (2.4.9-alpha-1)

  • Update Firefox to 17.0.2esr
  • Update Tor to 0.2.4.9-alpha
  • Update Torbutton to 1.5.0pre-alpha
  • Update NoScript to 2.6.4.3
  • Update HTTPS-Everywhere to 4.0development.5
  • Add Mozilla's PDF.js extension to give people the ability to read PDFs in
    TBB
  • Prevent TBB from trying to access the X session manager (closes: #5261)
    • Firefox patch changes:
    • Isolate image cache to url bar domain (closes: #5742 and #6539)
    • Enable DOM storage and isolate it to url bar domain (closes: #6564)
    • Include nsIHttpChannel.redirectTo API for HTTPS-Everywhere (closes: #5477)
  • Misc preference changes:
    • Disable DOM performance timers (dom.enable_performance) (closes: #6204)
    • Disable HTTP connection retry timeout (network.http.connection-retry-timeout) (closes: #7656)
    • Disable full path information for plugins (plugin.expose_full_path) (closes: #6210)
    • Disable NoScript's block of remote WebFonts (noscript.forbidFonts) (closes: #7937)

Hacking Against Domestic Violence

This January the Tor Project is supporting the Central America Domestic Violence Hackathon. The goal of this effort is to address the challenge of domestic violence by building technology solutions to assist agencies that work to support victims and advance efforts to bring perpetrators to justice.

This is being done by supporting communities on the ground in six Central America countries and Washington, DC. Already some of the organizations involved, including SecondMuse and the World Bank, have worked with these communities to define problems with potential for technical solutions. Next, these problems will be refined and then hacked on at a series of coordinated hackathons on January 26th and 27th, 2013.

We want to invite the Tor community to join us in this process. How can you help? There are two ways:

  1. Join the collaboration around defining strong problems. You can do this by reading the problem definitions and adding your comments, questions, and ideas. These problems have been generated primarily by non-technical organizations and your insight from a technical perspective can be invaluable. This includes feasibility, use cases, privacy and security concerns, existing solutions, and more.
  2. Join us on January 26th and 27th in one of the seven locations: Guatemala, El Salvador, Honduras, Nicaragua, Costa Rica, Panama, or Washington, DC.

We believe we can make a difference on domestic violence, and we need you.

Finally, if you'd like to get involved on a deeper level by organizing a problem refinement event, meeting with organizations in these locations, helping organize a hackathon, or more - contact the team running this project at vdhackathon@secondmuse.com.

New Tor Browser Packages with Tor 0.2.3 upgrade

After a year of testing, new tor browser bundles which include the new stable branch of Tor are now available. A full changelog is available for every operating system.

The Tor 0.2.3.x stable branch represents over a year of work on improvements to the core Tor technology behind Tor Browser.

Tor Browser is available for download at https://www.torproject.org/download/download-easy.html.en

Software updates included in this release are:

Tor Browser Bundle (2.3.25-1)

  • Update Tor to 0.2.3.25
  • Update Firefox 10.0.11esr
  • Update Vidalia to 0.2.21
  • Update NoScript to 2.6.2

Updated Tor Cloud images

The Tor Cloud images for all the eight regions have been updated with a minor fix in the rc.local script. In addition, all private bridge images now include Obfsproxy. You will not need to start a new instance if you are already running a Tor Cloud instance with Ubuntu Precise.

Updated Tor Cloud images

The Tor Cloud images for all the seven regions have been updated to include the latest cloud image for stable Ubuntu release 12.04.1 LTS (Precise Pangolin). These new images are available on the Tor Cloud website. You will not need to start a new instance you are already running a Tor Cloud instance with Ubuntu Precise.

Obfsproxy Bridges in the Amazon Cloud

The Tor Cloud images for all the seven regions have been updated to fix a bug found in the unattended-upgrades configuration. The normal bridge images have also been updated to include obfsproxy, which attempts to help users circumvent censorship by transforming the Tor traffic between the client and the bridge.

If you are already running a Tor Cloud bridge, you will need to either manually update your image, or set up a new Tor Cloud bridge and terminate the old one. If you decide not to take action, your image will fail to upgrade Tor correctly and will not be running as a bridge.

If you just want to fix the bug in the unattended-upgrades configuration, do the following; log on with SSH and edit /etc/apt/apt.conf.d/50unattended-upgrades to say precise instead of lucid.

Syndicate content Syndicate content