Tor released

Tor fixes a big bug in hidden service availability, fixes a variety of other bugs that were preventing performance experiments from moving forward, fixes several bothersome memory leaks, and generally closes a lot of smaller bugs that have been filling up trac lately.

Changes in version - 2010-08-18
o Major bugfixes:
- Stop assigning the HSDir flag to relays that disable their
DirPort (and thus will refuse to answer directory requests). This
fix should dramatically improve the reachability of hidden services:
hidden services and hidden service clients pick six HSDir relays
to store and retrieve the hidden service descriptor, and currently
about half of the HSDir relays will refuse to work. Bugfix on; fixes part of bug 1693. read more »

HTTPS Everywhere Firefox addon helps you encrypt web traffic

Today the EFF and the Tor Project are launching a public beta of a new Firefox extension called HTTPS Everywhere.

This Firefox extension was inspired by the launch of Google's encrypted search option. We wanted a way to ensure that every search our browsers sent was encrypted, including the search box and URL bar features. At the same time, we were also able to encrypt most or all of the browser's communications with other popular sites that support SSL, but don't provide it by default.

Our approach is based on the NoScript STS implementation, but is more expressive in the manner in which HTTPS-enforcing rules are written. read more »

Plaintext over Tor is still plaintext

Recently, a few articles have been published regarding Tor, Wikileaks, and snooping data coming out of the Tor network. I write to remind our users, and people in search of privacy enhancing technology, that good software is just one part of the solution. Education is just as important. This is why there is a warning on the Tor download page about what Tor does and does not do. We also have a FAQ entry about this topic. Any plaintext communication over the Internet is open to intercept. This is true if the transport mechanism is email, http, tor, or carrier pigeons. Tor does not magically encrypt the Internet from end to end. Tor does wrap your traffic in encrypted layers as it transports it through the Tor network. read more »

New Linux packaging of Tor and Vidalia now available

As announced here,, we now produce rpms and debs of Tor and Vidalia for easier installation.

When using ubuntu, opensuse, fedora, centos/redhat, or debian, you can simply add our repositories to your package management application (yum, apt, apttitude, zypper, etc) and always have the latest -stable or -alpha tor and vidalia.

This is a direct result of hiring Erinn in December.

EFF's Panopticlick and Torbutton

The EFF has recently released a browser fingerprinting test suite that they call Panopticlick. The idea is that in normal operation, your browser leaks a lot of information about its configuration which can be used to uniquely fingerprint you independent of your cookies.

Because of how EFF's testing tool functions, it has created some confusion and concern among Tor users, so I wanted to make a few comments to try to clear things up. read more »

Tor Project infrastructure updates

You should upgrade to Tor or

In early January we discovered that two of the seven servers that run directory
authorities were compromised (moria1 and gabelmoo), along with, a new server we'd recently set up to serve
metrics data and graphs. The three servers have since been reinstalled
with service migrated to other servers.

We made fresh identity keys for the two directory authorities, which is
why you need to upgrade.

Moria also hosted our git repository and svn repository. We took the
services offline as soon as we learned of the breach. It appears the
attackers didn't realize what they broke into -- just that they had
found some servers with lots of bandwidth. The attackers set up some ssh
keys and proceeded to use the three servers for launching other attacks.
We've done some preliminary comparisons, and it looks like git and svn
were not touched in any way. read more »

Tor and Censorship: lessons learned

Roger recently gave a talk at 26C3 about our experiences with various censorship technologies.

In the aftermath of the Iranian elections in June, and then the late September blockings in China, we've learned a lot about how circumvention tools work in reality for activists in tough situations. I'll give an overview of the Tor architecture, and summarize the variety of people who use it and what security it provides. Then we'll focus on the use of tools like Tor in countries like Iran and China: why anonymity is important for circumvention, why transparency in design and operation is critical for trust, the role of popular media in helping – and harming – the effectiveness of the tools, and tradeoffs between usability and security. After describing Tor's strategy for secure circumvention (what we thought would work), I'll talk about how the arms race actually seems to be going in practice.

The slides of the presentation can be found at the bottom of this post.

We've mirrored the full 700MB video of the presentation at

Installing and using Tor

Thanks to Rob at Freedom House for putting together some videos about how to get, install, and use Tor, Tor Browser Bundle, and Bridges.

Freedom House has put together other videos on various tools to use to stay secure online at,

Check them out and leave constructive feedback. I'm sure Rob will appreciate help with translating these videos as well.

Tor released

Tor marks the fourth -- and hopefully last -- release
candidate for the 0.2.1.x series. It lays the groundwork for further
client performance improvements, and also fixes a big bug with directory
authorities that were causing them to assign Guard and Stable flags

The Windows bundles also finally include the geoip database that we
thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
should actually install Torbutton rather than giving you a cryptic
failure message (oops).

This is a release candidate! That means that we don't know of any
remaining show-stopping bugs, and will be the new stable if
there are no problems. Please test it, and tell us about any problems
that you find.

Changes in version - 2009-07-02
Major features: read more »

  • Clients now use the bandwidth values in the consensus, rather than

Measuring Tor and Iran

I've been fielding some calls from the press about Tor and Iran. Someone quoted me as saying "double the clients from Iran over the past few days". We wondered, what are the real numbers? What does our network see from Iran? Is port 443 or https:// really blocked? Here's what we've discovered in the past day of working with the new metrics we've developed to be safe to collect without compromising anyone's anonymity. read more »

Syndicate content Syndicate content