
Say hi to the new GetTor

Hello people. It's been a while since Google Summer of Code 2014 ended, but I wanted to give you a brief review of the work done on GetTor.


What is GetTor?

GetTor is a program that serves Tor Browser over email. In the past, people would make requests by sending emails to GetTor, which would send back Tor Browser as email attachments. In highly censored countries (and places) where the Tor Project website is blocked, GetTor would be a convenient way for people to get access to Tor Browser.

There were lots of nice features incorporated in GetTor, such as specifying the operating system and language for the package wanted, or sending delay messages to let people know the package was on its way. But Tor Browser started to get larger in size (over 25 MB), to the point where it was no longer possible to send it via most email providers.


Revamp

It wasn't long until a solution for this problem came up. The idea consisted of uploading Tor Browser to the cloud (Dropbox) and, when someone asked for it via GetTor, sending a reply with the download links. This worked quite well, but the fix was far from being complete, and at that point the whole of GetTor was in need of some love to get back to its shiny days.


Google Summer of Code

All of what I mentioned was listed on the Volunteer page of the Tor Project website, so when I got there looking for a project to work on for the Google Summer of Code, I immediately added it to my options, both because of the social impact of GetTor and because of the technical skills required. I was happy to learn that my proposal got accepted and that I was one of the fourteen students selected to work on the Tor Project during the northern hemisphere summer (actually, it was winter here in Chile).

First, I started to work on the design, making sure that when I started to code, most of the ideas I would be implementing were carefully described and discussed. Of course, a lot of things did change over the coding period, some of them small stuff like how the links would be internally stored by GetTor, and some of them not so small, like changing one of the distribution modules.

Anyhow, I don't want to bore you with technical details here, but if you're interested, please read my biweekly reports and check the code repository.


Outcome

The coding period lasted a little more than three months, and I managed to pass both mid-term and final evaluations. But more importantly, the status of GetTor improved significantly during that time. I did a full rewrite of it, focusing on having clean and readable code, and on making it easy to add new distribution modules and cloud providers for storing Tor Browser. Two distribution modules were successfully finished: SMTP, for asking via email; and XMPP, for asking via Jabber (you know, chat style).

Even though the new GetTor is able to manage requests in multiple locales, for now the SMTP module has been deployed with support for English requests only; other locales and modules will eventually/gradually be supported. We will let you know when that happens (soon we hope!).

Almost all of the testing and other minor fixes were done after the Google Summer of Code ended, because I explicitly told my mentors that I intended to keep working on it and to continue as the lead developer if needed. It's not just for the work I did, but more importantly for the possibility of helping other people, especially those who have the bad fortune to live under regimes and/or organizations which think they can impose control on the information you can access, spy on what you do and chase you for what you think. If I have the chance to help avoid this dystopia, however little, I will certainly do whatever is in my hands, and I invite you to do the same.


Great, but how do I use it?

You can reach GetTor by sending emails to gettor@torproject.org. To ask for Tor Browser, you just have to send an email with the word windows in the body to get it for Windows, osx to get it for Mac OS X, or linux to get it for Linux. The options are case insensitive, so it doesn't matter if you send Linux, linux or LiNuX, as long as it matches one of the options mentioned before; if you send anything else, you will receive a help message with detailed instructions on how to interact with it. Once you ask for Tor Browser, GetTor will reply with Dropbox links to download the right package for your architecture (32/64 bit) and operating system, along with some extra information to help you verify the integrity of the downloaded files. Please note that you can reach GetTor from any email address: gmail, yahoo, hotmail, riseup, etc. The only restriction is that you can make a maximum of three requests in a row; after that you'll have to wait 20 minutes to reach GetTor again. You can find out more about its purpose and how it works here.
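As an added illustration (not GetTor's own code), the following Python model implements the request handling described above: case-insensitive matching of the windows/osx/linux keywords, a help reply for anything else, and the limit of three requests followed by a 20-minute wait. The sliding-window limiter, the handling of a body that names several platforms, and the placeholder reply URL are assumptions of this model.

```python
import re
from collections import deque

# Request words the post lists; matching is case-insensitive.
OPTIONS = {"windows", "osx", "linux"}
# The post states: at most three requests in a row, then a 20-minute wait.
MAX_REQUESTS = 3
WAIT_SECONDS = 20 * 60

HELP_TEXT = ("Send an email whose body contains exactly one of: "
             "windows, osx, linux.")


def parse_request(body: str):
    """Return the requested platform, or None if the body names none.

    'Linux', 'linux' and 'LiNuX' all map to 'linux'. A body that names more
    than one platform is treated as ambiguous (an assumption of this model),
    so the sender gets the help text instead of a guess.
    """
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", body)}
    matches = words & OPTIONS
    return matches.pop() if len(matches) == 1 else None


class RateLimiter:
    """Per-sender sliding window: allow MAX_REQUESTS per WAIT_SECONDS."""

    def __init__(self, max_requests=MAX_REQUESTS, wait_seconds=WAIT_SECONDS):
        self.max_requests = max_requests
        self.wait_seconds = wait_seconds
        self._history = {}  # sender address -> deque of request timestamps

    def allow(self, sender: str, now: float) -> bool:
        stamps = self._history.setdefault(sender, deque())
        # Forget requests that fell out of the wait window.
        while stamps and now - stamps[0] >= self.wait_seconds:
            stamps.popleft()
        if len(stamps) >= self.max_requests:
            return False
        stamps.append(now)
        return True


def handle_email(sender: str, body: str, limiter: RateLimiter, now: float):
    """Model one incoming message. Returns None when throttled, a help reply
    for unrecognised bodies, or a links reply naming the platform."""
    if not limiter.allow(sender.lower(), now):
        return None
    platform = parse_request(body)
    if platform is None:
        return {"kind": "help", "text": HELP_TEXT}
    # A real reply carries download links for the 32- and 64-bit builds plus
    # integrity information; the URL below is a constructed placeholder.
    return {"kind": "links", "os": platform,
            "url": f"https://example.invalid/tor-browser-{platform}"}


if __name__ == "__main__":
    limiter = RateLimiter()
    for i, body in enumerate(["LiNuX", "hello?", "osx", "windows"]):
        print(i, handle_email("user@example.com", body, limiter, now=float(i)))
```

The fourth message in the demo loop is dropped by the limiter, matching the "three requests, then wait" rule in the post.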


Collaborate

The main way to collaborate is to use GetTor and provide feedback! Please tell us what you like, what you don't like, what works smoothly and what doesn't work or could work better; after all, GetTor is here for you, so you should tell us what we need to do :) For this, please open a ticket on the trac system under the GetTor component. You can file anything from usability suggestions/bugs to new development ideas.

On the other hand, I've read of lots of people who are interested in collaborating with the Tor Project but just don't know where to start, or who are looking for something easy to collaborate on. The code and work on GetTor is quite straightforward, so if you know some Python and have some free time that you feel you want to give to an awesome open source organization, check the git repository and the tickets and you might find something easy to start with. There are various ideas and things left to do in GetTor, so please join us!


Other options

It's important to note that there are a couple more options to obtain Tor Browser when you cannot access the Tor Project's website. The first and easiest is to access the official mirrors: EFF and torservers.net. If those sites are blocked too, you can try using Satori, an app for Google Chrome that distributes various circumvention tools in a difficult-to-block way, making it easy for users to check whether the software has been tampered with. If, after all that, you manage to get Tor Browser but are not able to reach the Tor network, you might want to use bridges or the pluggable transports. You can read more about that here, here and here.



Thanks

I want to end this blog post by thanking the Tor Project organization in general for letting me be part of it during the summer and for kindly answering any doubt that came up, and Sukhbir and Nima in particular for their awesome job as mentors. I couldn't have done it without you, thanks a lot guys!

New SSLv3 attack found: Disable SSLv3 in TorBrowser

Hi! It's a new month, so that means there's a new attack on TLS.

This time, the attack is that many clients, when they find a server that doesn't support TLS, will downgrade to the ancient SSLv3. And SSLv3 is subject to a new padding oracle attack.

There is a readable summary of the issue at Adam Langley's blog; it links to other descriptions of the attack.

Tor itself is not affected: all released versions for a long time have shipped with TLSv1 enabled, and we have never had a fallback mechanism to SSLv3. Furthermore, Tor does not send the same secret encrypted in the same way in multiple connection attempts, so even if you could make Tor fall back to SSLv3, a padding oracle attack probably wouldn't help very much.

TorBrowser, on the other hand, is based on Firefox, and has the same protocol downgrade mechanisms as Firefox. I expect and hope the TorBrowser team will be releasing a new version soon with SSLv3 disabled. But in the meantime, I think you can disable SSLv3 yourself by changing the value of the "security.tls.version.min" preference to "1". (The default value is "0".)

To do that:

  1. Enter "about:config" in the URL bar.
  2. Click "I'll be careful, I promise".
  3. Enter "security.tls.version.min" in the preference "search" field underneath the URL bar. (Not the search box next to the URL bar.)
  4. You should see an entry that says "security.tls.version.min" under "Preference Name". Double-click on it, then enter the value "1" and click okay.

You should now see that the value of "security.tls.version.min" is set to one.
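To check the result without opening about:config, here is an added Python example (not from the post or from Mozilla) that reads a profile's prefs.js or user.js text and reports whether the minimum TLS version still permits SSLv3. The preference name and its meaning (0 = SSLv3 allowed, 1 = TLS 1.0 minimum) come from the post; the sample prefs content is constructed.

```python
import re

PREF_NAME = "security.tls.version.min"
# Matches both prefs.js and user.js lines, e.g.
#   user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("' + re.escape(PREF_NAME) + r'",\s*(\d+)\);')

# Constructed prefs.js excerpt with the default still in force: Firefox only
# writes changed preferences, so no line for PREF_NAME means the built-in
# default, which the post gives as 0 (SSLv3 fallback allowed).
DEFAULT_PREFS = '''\
user_pref("browser.startup.homepage", "about:tor");
user_pref("network.proxy.socks", "127.0.0.1");
'''

# The same file after the about:config change described in steps 1-4.
HARDENED_PREFS = DEFAULT_PREFS + 'user_pref("security.tls.version.min", 1);\n'


def tls_min_version(prefs_text: str, default: int = 0) -> int:
    """Effective security.tls.version.min for the given prefs text.

    The file is evaluated top to bottom, so the last matching line wins;
    a missing line means the built-in default.
    """
    value = default
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def sslv3_allowed(prefs_text: str) -> bool:
    """True when the profile may still negotiate SSLv3 (minimum below 1)."""
    return tls_min_version(prefs_text) < 1


def user_js_fix() -> str:
    """The single user.js line equivalent to the about:config steps above."""
    return f'user_pref("{PREF_NAME}", 1);\n'


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_PREFS), ("hardened", HARDENED_PREFS)):
        print(f"{name}: min TLS version = {tls_min_version(text)}, "
              f"SSLv3 allowed = {sslv3_allowed(text)}")
```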

(Note that I am not a Firefox developer or a TorBrowser developer: if you're cautious, you might want to wait until one of them says something here before you try this workaround. On the other hand, if you believe me, you should probably do this in your regular Firefox as well.)

Obviously, this isn't a convenient way to do this; if you are uncertain of your ability to do so, waiting for an upgrade might be a good move. In the meantime, if you have serious security requirements and you cannot disable SSLv3, it might be a good idea to avoid using the Internet for a week or two while this all shakes out.

Best wishes to other residents of these interesting times.

Ways to get the Tor Browser Bundle

Below is a collection of resources that will help you get Tor up and running. We also discuss alternative approaches of downloading the Tor Browser Bundle and provide mirrors for all these resources in case torproject.org is blocked.

To start with, please look at Bundle Downloads and determine the best way for you to download the Tor Browser Bundle. After you have downloaded the bundle and before you install/extract it, you should also verify it to make sure the bundle you downloaded is genuine and has not been tampered with; this step is optional but recommended.

We have screencasts (video guides) that will help you with the installation and verification process on Windows, Linux and OS X.

Windows: TBBTraining-DownloadAndVerify-Windows.mp4 (mirror: torservers.net)

Linux: TBBTraining-DownloadAndVerify-Linux.mp4 (mirror: torservers.net)

OS X: TBBTraining-DownloadAndVerify-MacOS.mp4 (mirror: torservers.net)

Text guide for signature verification
https://www.torproject.org/docs/verifying-signatures.html.en

Mirrors:
EFF
torservers.net

Tor Browser Bundle Downloads

torproject.org

https://www.torproject.org/projects/torbrowser.html.en

Mirrors:
EFF
torservers.net

GetTor

GetTor is a program for serving the Tor Browser Bundle through email. This is particularly useful if you cannot access torproject.org or any of the mirrors.

To request a bundle from GetTor, send a blank email to gettor@torproject.org. GetTor will then respond with links to the Tor Browser Bundle for all platforms.

Note: GetTor was earlier restricted to requests from Gmail and Yahoo!. This is no longer the case and you can request bundles from any email address, including Outlook.

Bridges

If you are unable to reach the Tor network after installation (Tor Launcher starts, however the green progress bar stops), you need to use bridges.

Acquiring Bridges

One way to find public bridge addresses is to send an email (from a Gmail or a Yahoo! address) to bridges@bridges.torproject.org with the line 'get bridges' by itself in the body of the mail.

You can also acquire bridges by visiting https://bridges.torproject.org/. If you see that this page is offline, please wait for a few minutes and try again.

Bridge Usage

1. Launch the Tor Browser Bundle
2. Click "Configure"
3. Click "Next" until you reach a page that reads "If this computer's Internet connection is censored, you will need to obtain and use bridge relays"
4. Enter the bridges you received from one of the methods above into the text box
5. Click "Connect"

Pluggable Transports

If you find that using standard bridges fails for you, you can try using the 3.6-beta-1 bundle located on the same downloads page listed above. These bundles include integrated pluggable transport support, and are useful in areas where standard bridges are blocked.

To activate pluggable transports in the 3.6-beta-1 bundle, follow the bridge directions above, however simply select "obfs3" or "fte" when you reach the bridge configuration page (instead of entering bridge addresses yourself).

Support

Still need help? If you have any questions, trouble connecting to Tor network, or need to talk to a human, please contact our support team at:

help@rt.torproject.org for English
help-ar@rt.torproject.org for Arabic
help-es@rt.torproject.org for Spanish
help-fa@rt.torproject.org for Farsi
help-fr@rt.torproject.org for French
help-zh@rt.torproject.org for Mandarin



Written in collaboration with Colin Childs. Screencasts by Sherief Alaa.

What the "Spoiled Onions" paper means for Tor users

Together with Stefan, I recently published the paper "Spoiled Onions: Exposing Malicious Tor Exit Relays". The paper only discusses our results and how we obtained them and we don't talk a lot about the implications for Tor users. This blog post should fill that gap.

First, it's important to understand that 25 relays in four months isn't a lot. It is ultimately a very small fraction of the Tor network. Also, it doesn't mean that 25 out of 1,000 relays are malicious or misconfigured (we weren't very clear on that in the paper). We have yet to calculate the churn rate of exit relays which is the rate at which relays join and leave the network. 1,000 is really just the approximate number of exit relays at any given point in time. So the actual number of exit relays we ended up testing in four months is certainly higher than that. As a user, that means that you will not see many malicious relays "in the wild".

Second, Tor clients select relays in their circuits based on the bandwidth they are contributing to the network. Faster relays see more traffic than slower relays which balances the load in the Tor network. Many of the malicious exit relays contributed relatively little bandwidth to the Tor network which makes them quite unlikely to be chosen as relay in a circuit.
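The following added Python example (not from the paper or the post) makes the bandwidth argument concrete with a constructed relay list: 25 low-bandwidth malicious exits among roughly 1,000 honest ones. It compares the share of malicious relays by count with the bandwidth-weighted chance of actually landing on one; the list is constructed, and real Tor path selection also applies per-position weights and exit-policy filtering that this toy model omits.

```python
# Constructed relay list: (nickname, bandwidth in KB/s, is_malicious).
# 975 well-provisioned honest exits plus 25 tiny malicious ones, mirroring
# the post's remark that the malicious exits contributed little bandwidth.
RELAYS = [(f"honest{i}", 5000, False) for i in range(975)] + \
         [(f"badexit{i}", 50, True) for i in range(25)]


def relay_count_fraction(relays):
    """Naive view: share of malicious relays by count."""
    return sum(1 for _, _, bad in relays if bad) / len(relays)


def malicious_exit_probability(relays):
    """Bandwidth-weighted view: probability that a single circuit's exit is
    malicious when each relay is chosen proportionally to its bandwidth."""
    total = sum(bw for _, bw, _ in relays)
    return sum(bw for _, bw, bad in relays if bad) / total


def probability_any_malicious(relays, circuits):
    """Chance that at least one of `circuits` independently built circuits
    ends at a malicious exit."""
    p = malicious_exit_probability(relays)
    return 1 - (1 - p) ** circuits


def weighted_pick(relays, u):
    """Select a relay for a uniform draw u in [0, 1): the inverse-CDF step a
    client performs over bandwidth weights (with a random u in practice)."""
    total = sum(bw for _, bw, _ in relays)
    cumulative = 0.0
    for name, bw, _ in relays:
        cumulative += bw / total
        if u < cumulative:
            return name
    return relays[-1][0]  # guard against floating-point rounding at u ~ 1


if __name__ == "__main__":
    print(f"malicious by count:      {relay_count_fraction(RELAYS):.4f}")
    print(f"malicious by bandwidth:  {malicious_exit_probability(RELAYS):.6f}")
    print(f"hit in 100 circuits:     {probability_any_malicious(RELAYS, 100):.4f}")
    print("draw u=0.5 ->", weighted_pick(RELAYS, 0.5))
```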

Third, even if your traffic is going through a malicious exit relay, it doesn't mean that everything is lost. Many of the attacks we discovered still caused Firefox's infamous "about:certerror" warning page. As a vigilant user, you would notice that something isn't quite right and hopefully leave the site. In addition, TorBrowser ships with HTTPS-Everywhere which by default attempts to connect to some sites over HTTPS even though you just typed "http://". After all, as we said in the past, "Plaintext over Tor is still plaintext".

Finally, we want to point out that all of these attacks are of course not limited to the Tor network. You face the very same risks when you are connecting to any public WiFi network. One of the fundamental problems is the broken CA system. Do you actually know all the ~50 organisations who you implicitly trust when you start your Firefox, Chrome, or TorBrowser? Making the CA system more secure is a very challenging task for the entire Internet and not just the Tor network.

New Tor Browser Bundles with Firefox 17.0.10esr

Firefox 17.0.10esr has been released with several security fixes and all of the Tor Browser Bundles have been updated. All users are encouraged to upgrade.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.3.25-14)

  • Update Firefox to 17.0.10esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.6
  • Update NoScript to 2.6.8.4
  • Update HTTPS-Everywhere to 3.4.2
  • Firefox patch changes:
    • Hide infobar for missing plugins. (closes: #9012)
    • Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
    • Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
    • Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
    • Remove polipo and privoxy from the banned ports list. (closes: #3661)
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent

Tor Browser Bundle (2.4.17-rc-1)

  • Update Firefox to 17.0.10esr
    https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#f...
  • Update LibPNG to 1.6.6
  • Update NoScript to 2.6.8.4
  • Downgrade HTTPS-Everywhere to 3.4.2 in preparation for this becoming the stable bundle
  • Firefox patch changes:
    • Hide infobar for missing plugins. (closes: #9012)
    • Change the default entry page for the addons tab to the installed addons page. (closes: #8364)
    • Make flash objects really be click-to-play if flash is enabled. (closes: #9867)
    • Make getFirstPartyURI log+handle errors internally to simplify caller usage of the API. (closes: #3661)
    • Remove polipo and privoxy from the banned ports list. (closes: #3661)
    • misc: Fix a potential memory leak in the Image Cache isolation
    • misc: Fix a potential crash if OS theme information is ever absent

New Tor Browser Bundles with Firefox 17.0.5esr

All of the Tor Browser Bundles have been updated to the latest Firefox 17.0.5esr.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-6)

  • Update Firefox to 17.0.5esr
  • Update NoScript to 2.6.59

Tor Browser Bundle (2.4.11-alpha-2)

  • Update Firefox to 17.0.5esr
  • Update NoScript to 2.6.59

New Tor Browser Bundles (security release)

The Tor Browser Bundles have been updated with a very important security fix. As explained in the previous blog post, a user discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This is now fixed and we strongly encourage all users to update. There are a few other bugfixes in this release, including really fixing (for real this time!) the problem with the Mac OS X bundles crashing.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-11)

  • Security release to stop TorBrowser from bypassing SOCKS proxy DNS configuration
  • New Firefox patches:
    • Prevent WebSocket DNS leak (closes: #5741)
    • Fix a race condition that could be used to link browsing sessions together when using new identity from Tor Browser (closes: #5715)
  • Remove extraneous BetterPrivacy settings from prefs.js (closes: #5722)
  • Fix the mozconfig options for OS X so that it really builds everything with clang instead of llvm-gcc (closes: #5740)

New Tor Browser Bundles for Mac OS X

We recently switched our build machine to Lion (OS X 10.7) which had some unintended effects on the Firefox/TorBrowser build. After consulting with Mozilla developers, Sebastian Hahn was able to nail down the problem and provide a fix. The Mac OS X Tor Browser Bundles have been updated so they should stop crashing for everyone now. Thanks for your patience!

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-10)

  • Make TorBrowser stop crashing on random websites by building with clang instead of llvm-gcc. (closes: #5697)

New Tor Browser Bundles

The Tor Browser Bundles have all been updated to the latest Firefox 12.0 as well as a number of other software updates, bugfixes, and new features. We've rebranded Firefox so it should now be more easy to distinguish between it and your normal Firefox. We've also added Korean and Vietnamese to the available languages.

UPDATE: The Mac OS X 64-bit bundles had a minor Vidalia problem that prevented TorBrowser from being launched. They have been updated to 2.2.35-9.1 and are now available on the website.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-9)

  • Update Firefox to 12.0
  • Update OpenSSL to 1.0.1b
  • Update Libevent to 2.0.18-stable
  • Update Qt to 4.8.1
  • Update Libpng to 1.5.10
  • Update HTTPS Everywhere to 2.0.2
  • Update NoScript to 2.3.9
  • Rebrand Firefox to TorBrowser (closes: #2176)
  • New Firefox patches
  • Make the 32-bit Tor Browser Bundle compatible with OS X 10.5

New Tor Browser Bundles

The Tor Browser Bundles have been updated with a bunch of bug fixes.

Important note to Windows users: in the last release we enabled automatic port selection for Tor and this had very unexpected side effects on many Windows machines. It turns out that there are a number of consumer firewalls that don't like things connecting on high ports, which was the default. We're looking into smarter ways to handle this failure mode, but until we find one, we have reverted the behavior to using the previous static port. We're very sorry for the huge inconvenience this caused and hope you will find these bundles more bug-free! As ever, if you don't, please let us know.

https://www.torproject.org/download

Tor Browser Bundle (2.2.32-4)

    Windows fixes

    • Disable automatic port selection to accommodate Windows users with
      firewalls that don't allow connections or traffic on high ports (closes: #3952, #3945)

    Linux fixes

    • Fix Makefile to allow for automatic retrieval of Qt and libpng (closes: #2255)
    • Remove symlinks from tarball (closes: #2312)

    General fixes and updates

    • New Firefox patches
      • Prevent Firefox from loading all system plugins besides Flash (closes: #2826, #3547)
      • Prevent content-preferences service from writing website urls and their settings to disk (closes: #3229)
    • Update Torbutton to 1.4.3
      • Don't let Torbutton inadvertently enable automatic updating in Firefox (closes: #3933)
      • Fix auto-scroll on Twitter (closes: #3960)
      • Allow site zoom information to be stored (closes: #3928)
      • Make permissions and disk errors human-readable (closes: #3649)