New Stable Tor Browser Bundles

The stable Tor Browser Bundles have all been updated to the latest Tor stable release.

Tor Browser Bundle (2.2.38-1)

  • Update Tor to
  • Update NoScript to 2.5
  • Update HTTPS Everywhere to 2.1

Updated Tor Cloud images with fix for Tor upgrades

The Tor Cloud images for all the seven regions have been updated to include the latest cloud image for stable Ubuntu release 10.04 LTS (Lucid Lynx). These new images are available on the Tor Cloud website.

The new images include a fix to allow Tor to upgrade automatically without requiring user intervention (#6511).

If you are already running a Tor Cloud bridge, you will need to either manually update your image, or set up a new Tor Cloud bridge and terminate the old one. If you decide not to take action, your image will fail to upgrade Tor correctly and will not be running as a bridge.

To manually update your image, do the following:

0. Log on with SSH
1. Open /etc/apt/apt.conf.d/50unattended-upgrades
2. Add the line: Dpkg::Options { --force-confold; }
3. Save and exit

Security vulnerability found in Cyberoam DPI devices (CVE-2012-3372)

Last week, a user in Jordan reported seeing a fake certificate for The user did not report any errors when browsing to sites such as Gmail, Facebook, and Twitter, which suggests that this was a targeted attack. The certificate was issued by a company called Cyberoam. We first believed that this incident was similar to that of Comodo and DigiNotar, and that Cyberoam had been tricked to issue a fake certificate for our website.

After a bit of research, we learned that Cyberoam make a range of devices used for Deep Packet Inspection (DPI). The user was not just seeing a fake certificate for, his connection was actually being intercepted by one of their devices. While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices.

Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key. It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices, and use those for interception.

Ben and I wrote a security advisory and notified Cyberoam of this vulnerability at 17:00 UTC on Saturday, June 30. We made it clear that we intended to publish this blog post and the security advisory on Tuesday, July 3, and encouraged them to respond promptly if they had any comments. At the same time, we notified browser vendors and asked that they blacklist the Cyberoam CA certificate in their browsers.

Cyberoam have not yet commented on this issue, apart from acknowledging our first email and saying that they are looking into it. The Cyberoam CA certificate is not trusted, and so browsers will show users a warning (unless someone has already installed the certificate). Users with the Tor Browser Bundle are not affected.

To check if this CA is installed in your browser, see the following instructions for Internet Explorer, Firefox, Chrome, and Safari. The instructions mention DigiNotar, but they are still valid. If you have more information about this issue, please email

2012 Florence Hackfest

On July 5 and 6 we are holding an open hackfest at the Università degli Studi di Firenze in Florence, Italy.

Please attend if you have some interest in programming, advocacy, marketing, or (network security/anonymity/computer science/etc) research with Tor, or are willing to be persuaded to entertain an interest. :) Tor's a small project (in terms of number of developers) that could really use your help.

The majority language will be English, but there will be some Italian speakers at the hackfest.

More details can be found on the Florence Hackfest wiki page.

See you in Florence!

New Tor Browser Bundles

The Tor Browser Bundles and other packages have all been updated to the latest Tor stable version.

Tor Browser Bundle (2.2.36-1)

  • Update Tor to
  • Update NoScript to 2.3.4
  • Update HTTPS Everywhere to 2.0.5

Introducing the Tor translation glossary

The Tor translation glossary is a glossary used primarily when translating software and documentation for the Tor Project. This glossary contains technical, general, gui and Tor specific terms, as well as names. This glossary can also be used for a more consistent use of technical terms in the source language (English).

Translators can access this glossary from inside Transifex when working on a resource. To view the glossary for a specific language, do the following:

  • Go to our project page on Transifex
  • Choose the language
  • Choose the resource
  • In the box that pops up, click Translate Now

There is a link to the translation glossary right above the source strings and translations, along with a search box and a set of shortcuts. Please help translate the glossary to ensure that translations in your language are consistent across different resources.

Thanks to Shondoit Walker who initially started the work on the Tor translation glossary on

Stockholm Internet Forum Trip Report and Clarifications

The quick trip report

I spent the past week in Sweden for the Stockholm Internet Forum1, to meet up with our funders at Sida2, and to meet some activists looking for help and advice for their cause back in their home countries. Overall, it was a great trip. The Biståndsminister (Minister for Development)3, Gunilla Carlsson, specifically named Tor in her speech as a project she is proud to support and fund.

In the afternoon, I gave a Tor talk to support DFRI 4. The room was in a different building, way in back, with few signs to direct you to it. Hanna from dfri went out to grab people. In a short while, the room was packed, with people standing in the back and people sitting in the window seats. I would say roughly 35 people came and left during the session. I purposely did a quick 30 minute tor talk to leave time for questions. There were lots of questions, most about how to help and improve tor. The TeliaSonera5 people were interested in the intersection of Tor and the EU Data Retention Directive being implemented in Sweden on May 1. I'm not sure if TeliaSonera is for or against data retention. Frank La Rue6, Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, was in the room for most of the talk too.

Misconceptions around Tor

Many Europeans thought we were a Swedish company already and were generally surprised to hear we are from the States. The Latin Americans and Middle East people are cautiously supportive of Tor. I kept running into misconceptions about Tor, the charity, the software, and if we're humans or not. Hopefully this post will clear up these misconceptions.

  1. Tor was not started by the US Navy. The US Naval Research Labs (NRL) started a project in the 1990s called onion routing7. Tor uses the basic onion routing principles and applies them to the Internet. The volunteer Tor group started in 2001. The formal charity, The Tor Project, started in 2006. We continue to work with Dr. Paul Syverson from NRL on improving onion routing and therefore Tor.
  2. The goal of Tor is to give you control over your identity and privacy on the Internet. An equal goal is to enable research into anonymous communications on the Internet. We try very hard to make you anonymous by default. With this anonymity, it is up to you where you go, what you do, and what information about yourself you divulge. The goal is that you are in control.
  3. In 2011, Tor received a total of $1.3 million in funding from a few sources: Internews, The Broadcasting Board of Governers, Sida, SRI International, and roughly 700 individual donors. Our forthcoming audit will show the funding and how we spent it. People seem to think Tor is a massive operation with hundreds of millions in funding. We publish our audit reports and financial statements every year after our audit is complete8.
  4. Tor has a paid staff of 13 people. 10 of the 13 are developers and researchers. We have a part-time CFO, a marketing/policy person, and an Executive Director. We rely heavily on thousands of volunteers. We care a great deal about our community. Our core people9 are the most dedicated to improving Tor and have contributed greatly to the cause. We are currently looking to make this 14 people by hiring a dedicated developer10.
  5. We are human. Each of us involved is generally public about who we are and what we do for Tor. As we're only 13 people, we cannot be everywhere at once. We spend very, very little on marketing and advertising. A few of us, namely Roger, Jacob, Andrew, and Karen, do the bulk of public speaking. You can see various videos of our talks, lectures, and speeches in our media archive11.

Overall, the trip to Sweden was successful. And I hope these five points clarify who and what is Tor.

Updated Tor Cloud images, and action required

The Tor Cloud images for all the seven regions have been updated to include the latest cloud image for stable Ubuntu release 10.04 LTS (Lucid Lynx). These new images are available on the Tor Cloud website.

If you are already running a Tor Cloud bridge, you will need to either manually update your image, or set up a new Tor Cloud bridge and terminate the old one. If you decide not to take action, your image may fail to download package updates correctly.

What follows is an important message from the ubuntu-cloud mailing list:

In an effort to improve on reliability of the Ubuntu archive mirrors for EC2 instances, Canonical is replacing the existing EC2 archive mirrors with mirrors backed by Amazon S3. This change itself will be done via modification of DNS entries and will be transparent to users.

However, due to a bug in the http pipelining implementation in S3 a change to apt configuration needs to be made to avoid download errors. We have chosen to deliver this change via a package upgrade in cloud-init.

The action required is one of the following:

  • Upgrade cloud-init using sudo apt-get update ; sudo apt-get install -y cloud-init
  • Launch official AMI's released after 2012-04-01, which will have the fix included
  • Manually disable http pipeline use in apt using echo 'Acquire::http::Pipeline-Depth "0";' | sudo tee /etc/apt/apt.conf.d/99-no-pipelining

Should you choose not to take appropriate action, you will likely experience transient apt downloading errors after the change is implemented. In order to give appropriate time to apply the change, this transition will not occur before April 18, 2012.

Set up a bridge or a relay and join the Tor network today

The Tor network relies on volunteers to donate bandwidth. The more people who run Tor as a bridge or a relay, the faster and safer the network becomes. Tactical Tech created a video to encourage you to join the Tor Network. The video, and information about how you can set up a bridge or a relay, can be found on If you want to help us translate the video into your language, let us know!

The full HD video can be found here:

Refreshed Tor Cloud Images

The Tor Cloud images for all the seven regions have been updated to include the latest cloud image for stable Ubuntu release 10.04.4 LTS (Lucid Lynx). These new images are available on the Tor Cloud website.

Users who wish to update their existing installations can do so with: apt-get update && apt-get dist-upgrade && reboot.

Syndicate content Syndicate content