TURKTRUST, a certificate authority in Mozilla’s root program, mis-issued two intermediate certificates to customers. TURKTRUST has scanned their certificate database and log files and confirmed that the mistake was made for only two certificates.
This is not a Firefox-specific issue. Nevertheless, we are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.
All users are strongly encouraged to upgrade.
There was also a new Tor 0.2.4.7-alpha release and all alpha packages have been updated with that.
A note about the Vidalia bundles:
The plain Vidalia bundles have been discontinued. We apologize for any confusion or inconvenience that this has caused for our users. In order to continue to use the Vidalia bundle as a client, download one of the available bundles, go into the Vidalia "Settings" menu and click "Run as a client only".
Tor Browser Bundle (2.3.25-2)
- Update Firefox to 10.0.12esr
- Update Libevent to 2.0.21-stable
- Update HTTPS Everywhere to 3.1.2
- Update NoScript to 184.108.40.206
Tor Browser Bundle (2.4.7-alpha-1)
- Update Firefox to 10.0.12esr
- Update Tor to 0.2.4.7-alpha
- Update Libevent to 2.0.21-stable
- Update HTTPS Everywhere to 4.0development.4
- Update NoScript to 220.127.116.11
Over the past few years, Tor has gotten more popular and has had to grow and change to accommodate a highly varied userbase. One aspect of this is getting the software into users' hands and having it immediately do what they want it to, while also not allowing them to inadvertently deanonymize themselves because they missed a configuration step or didn't understand which applications were using Tor and which were not. As a result, we have standardized on the Tor Browser Bundle for all platforms and are currently promoting it as our only fully supported client experience.
Since the Tor Browser Bundle offers the best current protection, we are moving to a client/server model for packages, and consequently the "plain" Vidalia bundles will be discontinued by the end of the year and no longer recommended for client usage. We've started rolling out server Vidalia bundles for Windows, which you can test by going to the download page.
There are currently (and will continue to be) three types of server bundles available:
- Bridge-by-default Vidalia bundle
- Relay-by-default Vidalia bundle
- Exit-by-default Vidalia bundle
This configures Tor to act as a bridge by default, so as soon as you install it and run it, you will be helping censored users reach the Tor network. You can read more about bridges here. This bundle still includes Torbutton and Polipo, but those will be removed in the next release (date to be determined).
This configures Tor to run as a non-exit relay by default. This means you will serve as either a guard or middle node and help grow the size of the Tor network. You can read more about Tor relay configuration here.
This configures Tor to run as an exit relay by default. Exit nodes are special, as they allow traffic to exit from the Tor network to the plain internet, and anyone who has not already looked into the risks associated with running an exit relay should read our tips for running an exit node with minimal harassment
We've started creating a Tor Browser Bundle FAQ, but we'd like to hear your concerns so we can provide answers where necessary, documentation for alternative setups, and fix the software where answers are insufficient. We have several months before Tor Browser Bundle is the only option, so please help us make it as good as possible! If you have bugs to file, please don't file them in the blog comments -- use our bug tracker for that.
Vidalia 0.2.10 changed the way we deal with the geoip databases by dropping the remote geoip lookups. This caused a lot of headaches for OS X users because of the layout of the package, but it's fixed in this version. You can download the new version here.
Please let us know if you have further problems by reporting a bug.
On August 27th, we released Vidalia 0.2.3. This fixes some more bugs with "Who has used by bridge" functionality and switches to Qt signals for event handling.
The updated Vidalia packages can be found at https://www.torproject.org/vidalia
The changes are: read more »
- Create the data directory before trying to copy over the default
Vidalia configuration file from inside the application bundle on Mac
OS X. Affects only OS X drag-and-drop installer users without a
previous Vidalia installation.
- Change all Tor event handling to use Qt's signals and slots mechanism
instead of custom QEvent subclasses.
- Fix another bug that resulted in the "Who has used my bridge?" link
initially being visible when the user clicks "Setup Relaying" from
the control panel if they are running a non-bridge relay.
(Ticket #509, reported by "vrapp")
- Always hide the "Who has used my bridge?" link when Tor isn't running,
As highlighted in the 0.2.2.1-alpha release notes, the Vidalia Bundle for OS X includes some major changes. Many of these are for ease of use and user experience improvements. The release of OS X 10.6 (Snow Leopard) gave me a fine excuse to release the improvements.
It's best to un-install Tor/Vidalia and then install this new bundle; rather than upgrade. If you want to upgrade, you'll need to update the paths for Tor and Polipo in the Vidalia Settings window.
There has been a lot of testing since this test release of the drag and drop installer for OS X in January. The main goal was to make installation far easier, less error prone, and keep all of the bundle in a single directory for easier configuration and un-installation. read more »
Tor 0.2.2.1-alpha disables ".exit" address notation by default, allows
Tor clients to bootstrap on networks where only port 80 is reachable,
makes it more straightforward to support hardware crypto accelerators,
and starts the groundwork for gathering stats safely at relays.
We've been improving our packages and bundles:
Packaging changes: read more »
- Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X
installer bundles. See
for details of what's new in Vidalia 0.2.3.
- Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta.
- OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific
configuration file, rather than the old Privoxy.
- OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as
x86-only for better compatibility with OS X 10.6, aka Snow Leopard.
A while ago there was a thread on OR-TALK that devolved into
"why does Tor still ship ancient privoxy?"
"why are you shipping polipo with the Tor Browser Bundle instead of current privoxy?"
For those interested, the thread is here, http://archives.seul.org/or/talk/Jul-2009/msg00063.html.
Scott had a good argument for why we should update the bundles to the latest privoxy, and I agree, we should. But then I started thinking about why we needed a proxy at all. Almost all browsers support socks5 direct, isn't that faster than a middleman proxy?
This got me thinking about why polipo is in the TBB, but not the other packages. The TBB "feels faster" when using Tor than using the installed Tor, Vidalia, and Privoxy. However, I couldn't find any actual testing of performance of polipo vs. privoxy vs. socks5 direct. read more »
I asked for community feedback in this post about drag and drop installation of the Vidalia bundle for Apple's OS X. In working with the Vidalia team, we now have a drag and drop installer. This is experimental. It's designed for a clean install. It won't migrate your settings, nor will it configure anything for you. Upon installing, your milk may sour and your salt may run off with your pepper. Now that the disclaimers are over, here's what it contains and does do for you. read more »
It includes Universal binaries for:
- Vidalia version 0.2.0-svn r3425
- Polipo 1.0.4 configured to use Tor as a socksproxy
- Tor 0.2.1.10-alpha compiled with prefix and bindir set to /Applications/Vidalia.app
A few weeks ago, I watched some non-technical OS X users attempt to install the Vidalia-Tor Bundle. Many of them tried to drag the installation package to Applications. A few were surprised it required an installation at all.
In Vidalia trunk I committed a different way to install Vidalia, Tor, and Polipo. In this new dmg, you just open it up and drag the Vidalia icon into Applications. You now have Tor, Vidalia, and Polipo pre-configured and running completely out of Applications. While this works well for users that never installed Tor/Vidalia before, it doesn't work so well for existing installations.
Is it smart to think users will un-install their existing Vidalia/Tor bundle before using the drag and drop installation method? My inclination is that it isn't smart. This installation method also removes the ability to automatically install Torbutton for Firefox. read more »
Jacob Appelbaum joins us to help out with:
- developing a translation portal. This should help us find translators
and make their updates easier.
- coordinating the Tor translation team and getting parts that need
- helping to better document Tor for non-technical users.
- writing an auto-responder to use Google's gmail to deliver Tor to
users who request it
- helping to get auto-updating for Tor and Vidalia working seamlessly
- maintaining the code that runs the tor exitlist
- generally advocating Tor
Matt Edman joins the Tor Project. Matt joins to help us enhance Tor's
interactions with Vidalia. Specifically, he's working on:
- integrating upnp libraries into vidalia to make it easier to setup servers
- displaying Tor's startup status more visually in Vidalia to help users
understand what's going on as Tor starts
- assist with making translating Vidalia's interface and help files
easier for translators
- helping to flesh out proposals in queue on or-dev
- helping to get auto-updating or Tor and Vidalia working seamlessly
- tackling the "matt" section of the TODO file.
Welcome Jacob and Matt!