New Tor Browser Bundles

The Tor Browser Bundles and other packages have all been updated to the latest Tor stable version.

Tor Browser Bundle (2.2.36-1)

  • Update Tor to
  • Update NoScript to 2.3.4
  • Update HTTPS Everywhere to 2.0.5

Introducing the Tor translation glossary

The Tor translation glossary is a glossary used primarily when translating software and documentation for the Tor Project. This glossary contains technical, general, GUI and Tor-specific terms, as well as names. This glossary can also be used for a more consistent use of technical terms in the source language (English).

Translators can access this glossary from inside Transifex when working on a resource. To view the glossary for a specific language, do the following:

  • Go to our project page on Transifex
  • Choose the language
  • Choose the resource
  • In the box that pops up, click Translate Now

There is a link to the translation glossary right above the source strings and translations, along with a search box and a set of shortcuts. Please help translate the glossary to ensure that translations in your language are consistent across different resources.

Thanks to Shondoit Walker who initially started the work on the Tor translation glossary on

Stockholm Internet Forum Trip Report and Clarifications

The quick trip report

I spent the past week in Sweden for the Stockholm Internet Forum [1], to meet up with our funders at Sida [2], and to meet some activists looking for help and advice for their cause back in their home countries. Overall, it was a great trip. The Biståndsminister (Minister for Development) [3], Gunilla Carlsson, specifically named Tor in her speech as a project she is proud to support and fund.

In the afternoon, I gave a Tor talk to support DFRI [4]. The room was in a different building, way in back, with few signs to direct you to it. Hanna from DFRI went out to grab people. In a short while, the room was packed, with people standing in the back and people sitting in the window seats. I would say roughly 35 people came and left during the session. I purposely did a quick 30-minute Tor talk to leave time for questions. There were lots of questions, most about how to help and improve Tor. The TeliaSonera [5] people were interested in the intersection of Tor and the EU Data Retention Directive being implemented in Sweden on May 1. I'm not sure if TeliaSonera is for or against data retention. Frank La Rue [6], Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, was in the room for most of the talk too.

Misconceptions around Tor

Many Europeans thought we were a Swedish company already and were generally surprised to hear we are from the States. The Latin Americans and Middle East people are cautiously supportive of Tor. I kept running into misconceptions about Tor, the charity, the software, and if we're humans or not. Hopefully this post will clear up these misconceptions.

  1. Tor was not started by the US Navy. The US Naval Research Labs (NRL) started a project in the 1990s called onion routing [7]. Tor uses the basic onion routing principles and applies them to the Internet. The volunteer Tor group started in 2001. The formal charity, The Tor Project, started in 2006. We continue to work with Dr. Paul Syverson from NRL on improving onion routing and therefore Tor.
  2. The goal of Tor is to give you control over your identity and privacy on the Internet. An equal goal is to enable research into anonymous communications on the Internet. We try very hard to make you anonymous by default. With this anonymity, it is up to you where you go, what you do, and what information about yourself you divulge. The goal is that you are in control.
  3. In 2011, Tor received a total of $1.3 million in funding from a few sources: Internews, The Broadcasting Board of Governors, Sida, SRI International, and roughly 700 individual donors. Our forthcoming audit will show the funding and how we spent it. People seem to think Tor is a massive operation with hundreds of millions in funding. We publish our audit reports and financial statements every year after our audit is complete [8].
  4. Tor has a paid staff of 13 people. 10 of the 13 are developers and researchers. We have a part-time CFO, a marketing/policy person, and an Executive Director. We rely heavily on thousands of volunteers. We care a great deal about our community. Our core people [9] are the most dedicated to improving Tor and have contributed greatly to the cause. We are currently looking to make this 14 people by hiring a dedicated developer [10].
  5. We are human. Each of us involved is generally public about who we are and what we do for Tor. As we're only 13 people, we cannot be everywhere at once. We spend very, very little on marketing and advertising. A few of us, namely Roger, Jacob, Andrew, and Karen, do the bulk of public speaking. You can see various videos of our talks, lectures, and speeches in our media archive [11].

Overall, the trip to Sweden was successful. And I hope these five points clarify who and what is Tor.

Updated Tor Cloud images, and action required

The Tor Cloud images for all the seven regions have been updated to include the latest cloud image for stable Ubuntu release 10.04 LTS (Lucid Lynx). These new images are available on the Tor Cloud website.

If you are already running a Tor Cloud bridge, you will need to either manually update your image, or set up a new Tor Cloud bridge and terminate the old one. If you decide not to take action, your image may fail to download package updates correctly.

What follows is an important message from the ubuntu-cloud mailing list:

In an effort to improve on reliability of the Ubuntu archive mirrors for EC2 instances, Canonical is replacing the existing EC2 archive mirrors with mirrors backed by Amazon S3. This change itself will be done via modification of DNS entries and will be transparent to users.

However, due to a bug in the http pipelining implementation in S3 a change to apt configuration needs to be made to avoid download errors. We have chosen to deliver this change via a package upgrade in cloud-init.

The action required is one of the following:

  • Upgrade cloud-init using sudo apt-get update ; sudo apt-get install -y cloud-init
  • Launch official AMIs released after 2012-04-01, which will have the fix included
  • Manually disable http pipeline use in apt using echo 'Acquire::http::Pipeline-Depth "0";' | sudo tee /etc/apt/apt.conf.d/99-no-pipelining

Should you choose not to take appropriate action, you will likely experience transient apt downloading errors after the change is implemented. In order to give appropriate time to apply the change, this transition will not occur before April 18, 2012.

Set up a bridge or a relay and join the Tor network today

The Tor network relies on volunteers to donate bandwidth. The more people who run Tor as a bridge or a relay, the faster and safer the network becomes. Tactical Tech created a video to encourage you to join the Tor Network. The video, and information about how you can set up a bridge or a relay, can be found on If you want to help us translate the video into your language, let us know!

The full HD video can be found here:

Refreshed Tor Cloud Images

The Tor Cloud images for all the seven regions have been updated to include the latest cloud image for stable Ubuntu release 10.04.4 LTS (Lucid Lynx). These new images are available on the Tor Cloud website.

Users who wish to update their existing installations can do so with: apt-get update && apt-get dist-upgrade && reboot.

Updated Tor Cloud images

The Tor Cloud images for all the seven regions have been updated to include the anonymizing relay monitor (arm). This works much like top does for system usage, providing real-time statistics for bandwidth, CPU, memory usage, current Tor configuration, connection details etc.

If you're already running a Tor Cloud instance and wish to install arm, connect to your instance with SSH and run sudo aptitude install tor-arm.

Thank you to our donors

2011 was an exciting year for communications security. Online communications helped to support activists in the Middle East's "Arab Spring" as they toppled Tunisia's Ben Ali and Egypt's Mubarak. Tor's entry nodes and hidden "bridge" entry points have seen increased usage from Iran and Syria, as citizens there seek to communicate securely and evade government censorship. Secretary of State Clinton has made Internet Freedom part of the U.S. State Department's agenda, while here in the United States, advertisers have developed more sophisticated ways to track browsers' online activity.

The Tor Project can help, but the censors and snoops are never very far behind. We must keep improving our software and network, researching its security against new threats, and training users to communicate safely. As a non-profit, we depend on your donations of money, relays, and advocacy to keep making progress.

In the past year, Tor released new versions to improve security and blocking resistance, including a same-day fix to a block detected in Iran. We have enhanced translations in more than a dozen languages including Farsi, Arabic, and Chinese; presented security and anonymity research; and taught security practices to groups including journalists, activists, law enforcement, and survivors of domestic violence.

Please help us keep the Internet open and private for all.

If you would like to keep up to date with Tor, please visit our donor thank you page at

Donate securely online at

Announcing the Tor Farsi blog

We are happy to announce the launch of the Tor Farsi blog. The site is created in response to the great reception of Tor and circumvention tools amongst Iranian users. The goal of this site is to be a one-stop place to find Tor-related material in Farsi.

The Farsi team will translate white papers, summaries of select posts, and important updates relevant to Tor. We want to create a community of Farsi-speaking Tor users and empower them with information about anonymity and privacy on the Internet. We hope this community will spread this information to others to help them with their Internet anonymity and privacy needs.

Tor is released (security patches)

Tor fixes a critical heap-overflow security issue in Tor's
buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).
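
The class of miscalculation described above, as an added example in C (not Tor's buffer code): a simplified chunk whose data pointer moves forward as bytes are drained, a capacity check that ignores that offset, and an append that measures the real tail room and repacks before copying. The struct and function names (chunk_t, chunk_tail_room, fits_flawed, chunk_append) are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical simplified chunk: data points somewhere inside mem[]. */
typedef struct chunk {
    size_t memlen;   /* bytes allocated in mem[] */
    size_t datalen;  /* live bytes starting at data */
    char  *data;     /* start of live data; past mem after a drain */
    char   mem[];
} chunk_t;

chunk_t *chunk_new(size_t memlen) {
    chunk_t *c = malloc(sizeof(*c) + memlen);
    if (!c) return NULL;
    c->memlen = memlen; c->datalen = 0; c->data = c->mem;
    return c;
}

/* Consume n bytes from the front: data moves forward, leaving a gap. */
void chunk_drain(chunk_t *c, size_t n) {
    if (n > c->datalen) n = c->datalen;
    c->data += n; c->datalen -= n;
    if (c->datalen == 0) c->data = c->mem;
}

/* Bytes writable after the live data without leaving mem[]. */
size_t chunk_tail_room(const chunk_t *c) {
    return c->memlen - (size_t)(c->data - c->mem) - c->datalen;
}

/* Flawed check: assumes data == mem, so it ignores the drained gap. */
int fits_flawed(const chunk_t *c, size_t n) {
    return c->datalen + n <= c->memlen;
}

/* Append n bytes; slide the data back to mem[0] if the tail is short.
 * Returns 0 on success, -1 if the chunk cannot hold the data at all. */
int chunk_append(chunk_t *c, const char *src, size_t n) {
    if (n > c->memlen - c->datalen) return -1;
    if (chunk_tail_room(c) < n) {
        memmove(c->mem, c->data, c->datalen);   /* repack */
        c->data = c->mem;
    }
    memcpy(c->data + c->datalen, src, n);
    c->datalen += n;
    return 0;
}
```

The flawed check and the real tail room agree only while data still points at mem[0], which is why a chunk that has been partly drained is the case to test.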

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

Tor also fixes several bugs in previous versions, including
crash bugs for unusual configurations, and a long-term bug that
would prevent Tor from starting on Windows machines with draconian
AV software.

With this release, we remind everyone that 0.2.0.x has reached its
formal end-of-life. Those Tor versions have many known flaws, and
nobody should be using them. You should upgrade -- ideally to the
0.2.2.x series. If you're using a Linux or BSD and its packages are
obsolete, stop using those packages and upgrade anyway.

The Tor 0.2.1.x series is also approaching its end-of-life: it will no
longer receive support after some time in early 2012.

Changes in version - 2011-12-16

Major bugfixes:

  • Fix a heap overflow bug that could occur when trying to pull
    data into the first chunk of a buffer, when that chunk had
    already had some data drained from it. Fixes CVE-2011-2778;
    bugfix on Reported by "Vektor".
  • Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
    that it doesn't attempt to allocate a socketpair. This could cause
    some problems on Windows systems with overzealous firewalls. Fix for
    bug 4457; workaround for Libevent versions 2.0.1-alpha through
  • If we mark an OR connection for close based on a cell we process,
    don't process any further cells on it. We already avoid further
    reads on marked-for-close connections, but now we also discard the
    cells we'd already read. Fixes bug 4299; bugfix on,
    which was the first version where we might mark a connection for
    close based on processing a cell on it.
  • Correctly sanity-check that we don't underflow on a memory
    allocation (and then assert) for hidden service introduction
    point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
    bugfix on
  • Fix a memory leak when we check whether a hidden service
    descriptor has any usable introduction points left. Fixes bug
    4424. Bugfix on
  • Don't crash when we're running as a relay and don't have a GeoIP
    file. Bugfix on; fixes bug 4340. This backports a fix
    we've had in the 0.2.3.x branch already.
  • When running as a client, do not print a misleading (and plain
    wrong) log message that we're collecting "directory request"
    statistics: clients don't collect statistics. Also don't create a
    useless (because empty) stats file in the stats/ directory. Fixes
    bug 4353; bugfix on

Minor bugfixes:

  • Detect failure to initialize Libevent. This fix provides better
    detection for future instances of bug 4457.
  • Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
    function. This was eating up hideously large amounts of time on some
    busy servers. Fixes bug 4518; bugfix on
  • Resolve an integer overflow bug in smartlist_ensure_capacity().
    Fixes bug 4230; bugfix on Tor Based on a patch by
    Mansour Moufid.
  • Don't warn about unused log_mutex in log.c when building with
    --disable-threads using a recent GCC. Fixes bug 4437; bugfix on which introduced --disable-threads.
  • When configuring, starting, or stopping an NT service, stop
    immediately after the service configuration attempt has succeeded
    or failed. Fixes bug 3963; bugfix on
  • When sending a NETINFO cell, include the original address
    received for the other side, not its canonical address. Found
    by "troll_un"; fixes bug 4349; bugfix on
  • Fix a typo in a hibernation-related log message. Fixes bug 4331;
    bugfix on; found by "tmpname0901".
  • Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
    occurred when a client tried to fetch a descriptor for a bridge
    in ExcludeNodes. Fixes bug 4383; bugfix on
  • Backport fixes for a pair of compilation warnings on Windows.
    Fixes bug 4521; bugfix on and on
  • If we had ever tried to call tor_addr_to_str on an address of
    unknown type, we would have done a strdup on an uninitialized
    buffer. Now we won't. Fixes bug 4529; bugfix on
    Reported by "troll_un".
  • Correctly detect and handle transient lookup failures from
    tor_addr_lookup. Fixes bug 4530; bugfix on
    Reported by "troll_un".
  • Fix null-pointer access that could occur if TLS allocation failed.
    Fixes bug 4531; bugfix on Found by "troll_un".
  • Use tor_socket_t type for listener argument to accept(). Fixes bug
    4535; bugfix on Found by "troll_un".

Minor features:

  • Add two new config options for directory authorities:
    AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
    Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
    that is always sufficient to satisfy the bandwidth requirement for
    the Guard flag. Now it will be easier for researchers to simulate
    Tor networks with different values. Resolves ticket 4484.
  • When Tor ignores a hidden service specified in its configuration,
    include the hidden service's directory in the warning message.
    Previously, we would only tell the user that some hidden service
    was ignored. Bugfix on 0.0.6; fixes bug 4426.
  • Update to the December 6 2011 Maxmind GeoLite Country database.

Packaging changes:

  • Make it easier to automate expert package builds on Windows,
    by removing an absolute path from makensis.exe command.