2017 Was a Big Year for Tor

by tommy | January 3, 2018

 

We achieved a lot in the last 12 months.

The free and open internet was under attack in 2017, but Tor was there to fight for privacy and security every step of the way. 

Here are just some of the ways we kept Tor and the fight for internet freedom strong: 

  • We released our next-generation onion services featuring cutting-edge crypto algorithms and improved authentication schemes.
  • We released a big update to Tor Browser, which brought major security improvements to Tor, isolating attacks on our software so they don’t compromise a user’s computer. This process is called sandboxing, and it works by separating Tor network processes from rest of a user’s computer, denying malicious actors access to users’ files, documents, and IP address. Sandboxed Tor Browser is available for Mac and Linux and is coming soon to Windows.
  • We launched our first public bounty, paying people to #HackTor (responsibly!). To date, we’ve paid out over $7,000.
  • Our friends at OONI released the ooniprobe app, a tool for monitoring network surveillance and censorship. They also documented censorship in Thailand, Myanmar, Indonesia, Egypt, Cuba, Catalonia, and Pakistan.
  • We redesigned our Tor Metrics website and launched the a whole host of new features, including Relay Search.
  • We launched our support wiki, making it easier to find answers to frequently asked questions about Tor.
  • We added a new feature to the Tor network, changing how traffic gets distributed and preventing the network from becoming overwhelmed.

What’s Next

We have big plans for 2018, too. In the next 12 months, we’ll port Tor to mobile (building on work we laid out before), make it easier for third-party developers to integrate Tor’s privacy and security protections into their apps, and make Tor more user-friendly, so that more people can obtain, install, and run Tor, giving more people a highly secure way of browsing the internet without being tracked or monitored or having their personal information shared and exploited.

Join us

We want you to be a part of this important work. We’re always looking for volunteers to help make the world’s strongest privacy software even better. You can help us make the network faster and more decentralized by running a relay, especially if you live in a part of the world where we don’t have a lot of relays yet. If you can, please donate to Tor today

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

January 03, 2018

Permalink

Many thanks to Tor Project for helping to keep us safe(r)!

Suggestions for future projects:

o new version of the ooniprobe for Raspberry Pi--- the net neutrality repeal makes it more urgent than ever to closely monitor problems with US internet,

o onion mirrors for FAA's complete ADS-B feed (e.g. for sousveillance of federal spy planes and special forces contractors spyplanes over US locales),

o at NYC Tor meetups, brainstorm how onion mirrors can improve cybersecurity for city agencies/hospitals and NYC citizens interacting with same, and how to try to explain this to NYC legislators,

o campaign to persuade more US journalists to (wisely) use Tor and other cybersecurity/anonymity/privacy enhancing tools, e.g. (perhaps) Tor Messenger.

This is what I get:

> TICKET_CREATE privileges are required to perform this operation on Ticket #None. You don't have the required permissions.

Maybe you can do it for me, eh?

Attention Shari:

o implement policies to ensure that at all times (even holiday seasons) a designated Tor person is tasked with performing emergency actions.

A health check of the onion mirrors for Debian would count as an emergency action, I think, when people are reporting mysterious problems trying to obtain one of the most critical linux kernel security patches ever issued by Debian Project.

warning (not verified) said:

January 03, 2018

Permalink

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

it is written on the top of the tor blog : did you notice it ?

Anonymous (not verified) said:

January 04, 2018

Permalink

Sandboxed Tor Browser is available for Mac and Linux and is coming soon to Windows.

[citation needed] Also "Sandboxed Tor Browser" is IMHO useless right now especially considering the next major ESR upgrade version 60 which will have tight sandboxing by default across the board.

Yes, I am aware that for over a week the Debian patches have been available which (we hope) prevent basic Meltdown attacks (and possibly some Spectre attacks), but they have *not* been available from the onion repos, at least not when I try to fetch them.

I hope other Tor users will find the following useful:

[Third attempt to post!!!]

It seems that two broad new classes of general purpose attacks, having the general nature of side-channel attacks, which potentially leak memory and destroy the isolation between kernel space and user space, called Spectre and Meltdown respectively, both based on exploiting the "speculative processing" built into almost any modern CPU, will endanger every computer user in the world, now and for decades to come. Vulnerable devices include servers, desktop PCs, laptops, smart phones, routers, and pretty much anything with a [modern] CPU made during the last few decades. Some IOT CPUs may not incorporate the "speculative execution" which is the basis for the Meltdown/Spectre attacks.

According to my understanding, Meltdown attacks in particular may have dire immediate implications for the Tor network, and I hope Tor Project will have some official comment.

Here are some links to some of the best articles I have found on Meltdown/Spectre and my own precis of the situation:

Two useful FAQs:

https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-b…
Meltdown and Spectre FAQ: Fix for Intel CPU flaws could slow down PCs and Macs

https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-com…
Spectre and Meltdown processor security flaws – explained

Overview for non-technical users:

https://www.nytimes.com/2018/01/03/business/computer-flaws.html
Researchers Discover Two Major Flaws in the World’s Computers
Cade Metz and Nicole Perlroth

When and how the flaws were found:

https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-f…
Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw At the Same Time
The vulnerabilities behind the devastating Meltdown and Spectre attacks have existed for decades. Four groups of researchers independently found them within mere months of each other.
Andy Greenberg
7 Jan 2018

Implications for USG and other governments pushing government agencies toward cloud computing:

thehill.com
Critical computer flaws set up security challenge in Washington
Morgan Chalfant and Ali Breland

Sketchy explanations of some relevant technical details:

https://www.wired.com/story/critical-intel-flaw-breaks-basic-security-f…
A Critical Intel Flaw Breaks Basic Security for Most Computers
Joan Cros

arstechnica.com
“Meltdown” and “Spectre”: Every modern processor has unfixable security flaws
Immediate concern is for Intel chips, but everyone is at risk.
Peter Bright

My takeaway (please correct me if I got anything wrong!):

o Debian has patched its version of Linux kernel to prevent (we hope) basic Meltdown attacks, and last year introduced changes which may hinder some Spectre attacks, and Tails 3.4 (just released) incorporates these critical security patches,

o Firmware updates and other OS patches may also help prevent basic Meltdown attacks,

o Meltdown attacks pose a more urgent threat than Spectre attacks in the short term and appear to affect any device using any Intel CPU made in recent decades, but Spectre attacks may prove more dangerous in the months, years, and decades to come,

o Meltdown attacks can potentially enable a remote attacker abusing a javascript exploit (for example) to destroy the isolation of kernel memory on a running computer (using Tor Browser say), and possibly run malicious code,

o Meltdown attacks can nullify the benefits of kernel memory address randomization,

o OS patches and firmware updates which mitigate the dangers from currently known Meltdown attacks could significantly degrade performance of processes which must often switch between kernel space and user space memory, such as cryptography and network operations (both absolutely essential to Tor); ordinary non-Tor browsing may see less of a performance impact from Meltdown mitigations,

o Spectre attacks are even more general and affect essentially any server, laptop, PC, smart phone, and even some IoT devices (not sure about Raspberry Pi), and amount to general purpose memory leaks which potentially allow user processes to obtain security critical information from other processes, including processes running with root privileges, including information such as cryptographic keys which must be stored somewhere in the RAM of a running computer,

o Spectre attacks appear to be harder to develop but no-one can yet conceive any OS patches or firmware updates which will surely prevent these; the only real fix is a complete redesign of modern processors; it appears possible to hope that in coming months and years patches for individual applications may lessen the danger from particular Spectre attacks, but it will be years or decades before most users are truly immune,

o To mitigate Spectre attacks a tricky case by case analysis of every item of user software will be needed; developers will need to find just the right place to insert tricky commands intended to make it more difficult to mount a Spectre attack,

o Meltdown and Spectre attacks are particularly dangerous because they appear to share a key advantage for attackers of successful cryptanalysis of a "high security" "trusted" cryptosystem: traditional forensic analysis will find no trace of successful Meltdown or Spectre attacks,

o Meltdown is perfectly suited for sophisticated attackers who may wish to illicitly and undetectably steal information from (for example) CIA containers in the Amazon cloud, but while Amazon claims to have already patched almost all of its cloud servers, performance hits of up to 30% will cost them, and in order to mitigate against Spectre, Amazon will need to replace its entire server inventory, once immunized CPUs become available--- which could be years in the future,

o It is difficult to find any positive aspect in any of this, but some researchers hope that ultimately these developments may force hardware engineers to take security more seriously in early design work, and ultimately moving to cloud computing could be helpful if chip makers can respond quickly enough by rolling out immunized designs, provided that cloud providers actually replace flawed hardware (which would apparently require replacing all their servers once new designs become available),

o Looking a decade or more into the future, perhaps quantum computing may eventually be able to detect illicit reads of quantum cryptographic keys, or even to prevent these attacks?

A few notable quotes from the above cited articles:

o [The Hill] Still, research shows that exploiting the vulnerabilities themselves leave virtually no clues, which Ackerman called “haunting.” “There would be nothing or little to nothing for me to say this bad guy took data,” said Ackerman, a former FBI forensics examiner who worked on cybercrime cases.

o [NYT] the Meltdown flaw affects virtually every microprocessor made by Intel, which makes chips used in more than 90 percent of the computer servers that underpin the internet and private business operations.

o [Wired] Ben Gras, a security researcher with Vrije Universiteit Amsterdam who specializes in chip-level hardware security, says that the attacks represent a deep and serious security breach. "With these glitches, if there's any way an attacker can execute code on a machine, it can’t be contained anymore," he says. (Gras was clear that he hadn't participated in any research that unearthed or reproduced the vulnerability, but he has watched the revelations of Intel's vulnerability unfold in the security community.) "For any process that’s untrusted and isolated, that safety is gone now," Gras adds. "Every process can spy on every other process and access secrets in the operating system kernel."

o [Wired] [Meltdown attacks] allow malicious code to not only locate the kernel in memory [defeating Kernel Address Space Layout Randomization], but steal that memory's contents, too. "Out of the two things that were speculated, this is the worst outcome," Bosman says.

o [Arstechnica] For systems with Intel chips, the impact [of Meltdown attacks] is quite severe, as potentially any kernel memory can be read by user programs.

o [The Guardian] Meltdown is “probably one of the worst CPU bugs ever found” according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention. The problem with Meltdown is that anything that runs as an application could in theory steal your data, including simple things such as javascript from a web page viewed in a browser.

o [The Guardian] Due to the separation of the application and kernel memory required by the various operating systems to prevent the [Meltdown] flaw being used to access protected data... tasks that constantly require the kernel do to things, such as writing files to disk or sending data over a network, could be significantly slower due to the increased time it will take for the processor to switch between the application memory and the kernel memory... browsing and general computing activities are unlikely to be affected, but those that involve lots of writing files may become slower.

o [PC World] There may be no hardware solution to Spectre, which “tricks other applications into accessing arbitrary locations in their memory.” Software needs to be hardened to guard against it.

o [Arstechnica] Spectre attacks can be used both to leak information from the kernel to user programs, but also from virtualization hypervisors to guest systems. Sensitive pieces of code could be amended to include "serializing instructions"—instructions that force the processor to wait for all outstanding memory reads and writes to finish (and hence prevent any speculation based on those reads and writes)—that prevent most kinds of speculation from occurring. ARM has introduced just such an instruction in response to Spectre, and x86 processors from Intel and AMD already have several. But these instructions would have to be very carefully placed, with no easy way of identifying the correct placement.

o [Arstechnica] The most vulnerable users are probably cloud service providers; Meltdown and Spectre can both in principle be used to further attacks against hypervisors, making it easier for malicious users to break out of their virtual machines.

o [The Hill] Many [US] government agencies are in the process of moving data from legacy systems to cloud-based systems, something Stuntz and other experts say shifts the financial risk away from the government to tech companies and would save money long term.

o [The Hill] “Meltdown” can be mitigated by software patches. Microsoft and Google have already issued emergency patches for their systems, though experts say the patches could degrade the performance of devices by 20 to 30 percent when applied. “This is a very large and urgent project for federal IT staff to complete within short timelines,” said Paul Kocher, Senior Technology Adviser at Rambus and one of the researchers who discovered the vulnerabilities. Fully mitigating Spectre is more daunting, with experts saying it may ultimately warrant a redesign of the hardware. “As a longer-term outcome, computing devices need to be engineered differently for security vs. performance,” Kocher said. “Government may play a significant role in this as well, both by supporting continued security research as well as setting procurement requirements.” Government organizations may have to entirely replace systems in the future, a pricey task that may not fit into some agencies budgets. “We’re talking about an average, $1,000 per computer versus a free software patch,” said Devin Ackerman, senior director of the cybersecurity and investigations practice at risk mitigation firm Kroll. “Basically, I am replacing the entire computer with something that is a newer generation, something that is no longer susceptible to this exploit at a hardware level.”

o [The Hill] The vulnerabilities could allow hackers to pilfer sensitive data from virtually all modern computing devices, ranging from computers to smartphones to cloud infrastructure. Experts believe that they may be the most dangerous computer processor flaws to date. The Department of Homeland Security issued guidance on the matter late Wednesday, noting that while operating system updates could help mitigate the issues, the only true solution would be to replace computer processing units' hardware. This means that mitigating the flaws will likely cost federal, state and local governments a significant amount of time, money and effort.

o [The Hill] “If exploit code is developed, this could be catastrophic for [governments]. Another downside is that governments don’t typically update their technology very quickly which means that their processors may already have challenges keeping up with requirements from the latest operating systems and bloated applications,” said Cole. “Add to that mix a vendor patch that's expected to slow down a system as much as thirty percent and you could have a number of challenges for governments that do implement the patch quickly with crashing computers or systems that run too slow to accomplish their tasks,” Cole continued.

o [PC World] Google [Project Zero] says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the OS you’re running or whether you have a desktop or laptop. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “near zero” risk because of the way its chip architecture is designed.

o [PC World] While Intel may address the fundamental hardware problem in future chips, the fix for PCs in the wild needs to come from the operating system manufacturer, as a microcode update alone won’t be able to properly repair it.

o [Wired] Linux developers have already released a [patch mitigating against Meltdown attacks], apparently based on a paper recommending deep changes to operating systems known as KAISER, released earlier this year by researchers at the Graz University of Technology.

Official comments from Tor Project on how Meltdown and Spectre attacks may impact the Tor network, and the anonymity/cybersecurity/privacy of individual users of Tor products such as Tor Browser, would be very welcome.

Anonymous (not verified) said:

January 09, 2018

Permalink

@t0mmy:

Can you get in touch with whoever maintains the onion mirrors for the Debian repo?

I think the same error (failure to change 2017 to 2018) may be responsible for the apparent failure of the onions to pick up any of the security patches since New Years Day. In particular the critical kernel patch for Meltdown.

TIA

The Russian Society for the Prevention of Cruelty to Trolls has issued a manifesto denouncing Tor Project's alleged attempts to censor alleged RU troll posts, according to the American Society for the Promulgation of Fake News. Hmm... now where's that link, ok yes nytimes.com

TorIsLife (not verified) said:

January 05, 2018

Permalink

Thank you to everyone who has in any way contributed to Tor Project this year.

Looking at https://atlas.torproject.org I've noticed that the total number of relays has decreased this year. What could be the reason for that? The need to fight censorship is getting bigger, so I would expect the number of relays to keep growing or at least stay the same. What I also find strange is that the number of Tor users grew a lot this year, but there have been years were that number would only get smaller.

> An obvious new form of attack that the Tor Blog should talk about soon.

An alternative explanation which in the absence of contrary evidence I find plausible is that more journalists, political activists, union organizers, bloggers, grandmas, etc. are recognizing that they are put at risk by the dragnet, and are adopting Tor in order to protect themselves, their families, friends and colleagues.

But I too would like to see TP comment on the increase.

AFAIR, there was an old discussion of this topic in tor relays TP mailing list. Maybe even there is a ticket. Brief outcome: it doesn't look like a botnet.

anonymous (not verified) said:

January 06, 2018

Permalink

this is the best tool browser in 2017.
privacy and freedom of expression is Tor's Brain and Heart.
expecting more features in 2018.Using Tor means safety anywhere.Trust Tor.

Now we are eager to donate a more funds to this safety browser to grow in 2018.

from
a journalists

Anonymous (not verified) said:

January 07, 2018

Permalink

Looking forward to attention in the mobile areas. Orfox hasn't been updated in a year. Orbot gets updates fairly often but not as often as core Tor on the desktop. It could use some modernization too I think. I believe with the newer versions of android Orbot is getting kicked out of memory due to battery optimization. I have to force stop Orbot and the app I'm trying to use, then start Orbot, then the app, otherwise the connection will just time out.

It will be nice to see issues like this and most importantly security updates being addressed. Thank you!

It's pretty easy. Step one: go here and download Tor Browser:

https://www.torproject.org/download/download-easy.html.en

(several languages other than english are also available)

Step two: go here and if possible donate some money to keep Tor Project running:

https://donate.torproject.org/pdr

Step three: go here and consider volunteering your time:

https://donate.torproject.org/pdr

Step four: if you have a fast internet connection, go here and consider running a relay:

https://www.torproject.org/docs/tor-doc-relay.html.en

Reading this blog is one way to stay in touch with what is happening in Torspace. There are also mailing lists and other resources you can find here:

https://www.torproject.org/index.html.en

Paul Migdale (not verified) said:

January 07, 2018

Permalink

I am very much a newbie with all this. I understand that you have some sort of protection by not advertising your true location. I also get that the browser can take you to hidden web sitez. So here is myquestion how do you decide to go somewhere that you dont know exists? As well the association of the dark web and criminal activity, what is it? I dont want to be a criminal but I would like to know what they can do and perhaps a walk through example of one of these things. I am desperate to find a non destructive hobby that is exciting and hopefully illegal. I am all for freedom of speech and the right to have access to all knowledge. Its funny cause before I looked into this I had no idea places could be blocked from information. I can see that I woulf want to be blocked from a racost site, but at the same time I would like the final decision where or what I see to be my choice.

> hopefully illegal

You probably meant to write "NOT illegal", yes?

> I also get that the browser can take you to hidden web sitez.

Tor Browser allows you to surf to onion sites.

> So here is myquestion how do you decide to go somewhere that you dont know exists?

Here's one easy way: many important onion site addresses are openly published.

For example, here is a list of Debian onions:

https://onion.debian.org/

So to see an onion mirror of the Debian home page, type or paste into the URL bar of your Tor Browser the following address:

http://sejnfjrq6szgca7v.onion/

(Note that clicking on the links may take you to a non-onion Debian page.)

One benefit of using onions rather than https (clearweb) pages is that malicious redirections by attackers sufficiently sophisticated to mess with PKI are more likely to be noticed if everyone uses an onion, because it will be much harder for even a sophisticated attacker to redirect just a few specific individuals rather than everyone.

> As well the association of the dark web and criminal activity, what is it?

FBI disinformation. Don't pay them any mind.

Name (not verified) said:

January 08, 2018

Permalink

When will Tor Browser be adopting the code safety features in Firefox that help to alleviate Meltdown?

AFAIK ESR doesn't seem to be affected since they have an option disabled can't recall what it is, and if it is affected then Mozilla will release a new ESR and you'd get your Tor Browser relase.

There will be some in the next regular release on Jan 23 we hear, coming with Firefox 52.6.0. We are not as much affected as non-ESR Firefox versions as SharedArrayBuffers are not available and we have reduced timing precision for a bunch of timers for a while now.

Actually, if test is positive you are SURE vulnerable to Spectre. If the test is negative you are MAYBE not vulnerable to Spectre.
This test was negative in each and every unpatched browser that I tried, and yet another test on spectre was positive.

But all the current proof of concepts use Javascript so if you disable javascript you're good anyway.

> But all the current proof of concepts use Javascript

Underlining the point so many have made so often in comments in this blog, that enabling Javascript by default really might not be a good idea. (Although disabling it by default is likely to confuse newbies when they first try Tor Browser.)

> so if you disable javascript you're good anyway.

Against the first generation of Meltdown attacks. The prospect of further Meltdown attacks (and possibly worse, Spectre attacks) are what worry me.

Still one important point is that all the experts agree that everyone should keep doing all the smart stuff (keeping their systems patched, avoiding mindlessly clicking on links, etc) they were doing already. Many currently known Meltdown/Spectre attacks to require the attacker to have gained a foothold on your device (phone, laptop, desktop, server) by conventional exploit means, so there is every reason to try to prevent them from getting that initial break.

> link is broken

The totality of all web pages on the internet contain many links, so you need to be more specific.

> all i get is chinese

Assuming you were using Tor Browser, perhaps the Tor circuit you were using (entry-relay-exit nodes) happened to terminate in an exit node which happens to be located in a nation where the offical language is some Chinese language, e.g. Mandarin? If so, some thoughtlessly configured websites will assume you must expect to see the Chinese language version of their site.

This often happens to be at certain news sites, where I see FR or DE depending on where the exit router happens to be. I take this as excuse to practice my language skills!

Are you sure it's not available in the onion repo? Looks like it is to me.

For example for stretch on amd64:
http://sgvtcaew4bxjd7ln.onion/debian-security/pool/updates/main/l/linux…

Note that the patch is (so far) only available for stretch and wheezy, and only for 64-bit - so if you are on a 32-bit OS or on any other version of debian other than stretch or wheezy, that might explain why you haven't seen a patch yet.

Some relevant information: I have been able to obtain Tail 3.4 which does incorporate the kernel patches which mitigate against Meltdown attacks (and some Spectre attacks). However, I use Debian stable with updates via the onion mirrors and for more than a week I have been watching security patches accumulate, which as of today are:

[13 Jan 2018] DSA-4086 libxml2 - security update
[12 Jan 2018] DSA-4085 xmltooling - security update
[12 Jan 2018] DSA-4084 gifsicle - security update
[11 Jan 2018] DSA-4083 poco - security update
[09 Jan 2018] DSA-4082 linux - security update
[08 Jan 2018] DSA-4081 php5 - security update
[08 Jan 2018] DSA-4080 php7.0 - security update
[07 Jan 2018] DSA-4079 poppler - security update
[04 Jan 2018] DSA-4078 linux - security update
[30 Dec 2017] DSA-4077 gimp - security update
[30 Dec 2017] DSA-4076 asterisk - security update

But I have not seen ANY of these showing up the onion mirrors. I have seen one section(which last year loaded fine) consistently failing to load when I try to load the changes since my last update, but this doesn't appear to explain the failure to see any of the 2018 patches to date.

In the above, the linux security updates are the critical patches which ameliorate Meltdown attacks.

The situation may have changed in the past few hours--- I'll check again and report back, with the indulgence of the moderators, but I'm quite certain that the patches which have been available for almost one week were *NOT* appearing when I tried to update via the onion mirrors.

I do not know when, if ever, my reply will be posted, but as of Sun 14 Jan 2018 UTC, I can confirm that the security critical patches to the Debian linux kernel (available since 4 Jan) are *not* appearing in the onion mirrors, and in fact *none* of the security patches issued by Debian in 2018 have appeared. Not one.

My laptop is 64 bit and I need that patch.

@ Shari: not for the first time, I find myself saying that part of the job description of the CEO of Tor Project is surely to ensure that security critical actions are taken promptly. The way a CEO usually does this, as I understand it, is to assign particular employees to execute critical tasks in the event of an emergency. Arrangements must be made in advance when someone goes on vacation.

I use Debian stable on a 64 bit machine. I write this while using Tails 3.4 which would not run if the machine did not have 64 bit CPU, so there is no question about that.

From onion.debian.org (the PKI cert for this https site appears to check out):

> In particular, once you have the apt-transport-tor package installed, the following entries should work in your sources list for a Debian system:
>
> deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
> deb tor+http://vwakviie2ienjx6t.onion/debian stretch-updates main
> deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main

And that's essentially what I have in my synaptic. (I'll check more carefully later that the onion addresses in my synaptic have not been mysteriously modified.) The coverage of the onion mirrors was expanded after Peter P created that page, so I added some more after "main", but my synaptic was able to fetch security updates (and other updates) in late Dec 2017 just fine, and something which worked in 31 Dec 2017 should not suddenly stop working on 1 Jan 2018.

I have been using the onion mirrors from the time the service was first offered, mostly without too much trouble, and I consider this service invaluable. But since 1 Jan 2018 my computer has not seen *any* of the security patches published by Debian. The patched linux kernel should definitely appear from debian-security "main".

Is the problem that someone forgot to change 2017 to 2018 in some script?

Pages such as the one from which I just quoted should *always* included a "last modified on..." statement which is carefully updated when anything changes. However, it doesn't, and that is also a problem IMHO.

Humor: spellcheck suggested that "sgvtcaew4bxjd7ln" should be "indefatigueableness", and this should indeed be the motto of the mainainers of security critical Tor/Debian services.

As of Mon 15 Jan 2018 UTC, the onion mirrors of the Debian repos still appear to be broken.

I checked carefully that I am using the onion addresses and format given in Peter Palfrader's post in this blog from 2016 (with jessie -> stretch). My settings worked until 31 Dec 2017 and I suspect the problem might be that someone forgot to change 2017 to 2018 in some config.

> For example for stretch on amd64:
> http://sgvtcaew4bxjd7ln.onion/debian-security/pool/updates/main/l/linux

I do not believe that is a valid check of the onion fetch, although I would welcome correction from a Tor Project or Debian Project employee who knows how these onions mirrors work.

As of Jan 9, still has not appeared. Did the maintainer forget to change 2017 to 2018 in some configuration or script?

This kernel patch is one of the most critical ever issued, please investigate why no patches since New Years are appearing in the onion mirrors!

TIA

Once again, I repeat: I see patches appearing in the onion mirrors. Did you not read what I said?

If you expect people to help you, you need to at least bother to explain what symptoms you are seeing so others can reproduce them. And don't assume that just because something (appears to be) broken for you that it's broken for everyone.

Start with at least: what architecture + version of debian, and which packages you are expecting to see updates for... I assume you've already checked that internet (and tor) are working properly on your system?

Thanks for your reply (although I still desire comment from Debian or Tor Project employees).

I did try to post a comment with more detailed information but it never appeared.

> I see patches appearing in the onion mirrors.

But do you have a Debian stable 64 bit system and did you try to actually upgrade your kernel and other modified packages using the onion mirrors? I understand that you appeared to use Tor Browser (?) to check that the upgrades *should* be available, which is interesting, but has anyone been able to actually install any package upgrades released after 1 Jan 2018 from the onion mirrors?

One of the questions I have been trying to get TP to answer is this: the original post by Peter Palfrader announcing the onion mirrors, and the onions page at Debian, offer three specific lines to be added to sources.list. But
o these sources.list lines refer to "jessie" not "stretch".
o these sources.list lines only mention "main" but after users protested "contrib" and "non-free" were added.
Unfortunately, after the rollover from jessie to stretch neither TP nor DP posted new instructions. So I tried to modify the suggested lines last year "in the obvious way" (e.g. changing "jessie" to "stretch") and the modified lines appeared to be working fine until 1 Jan 2018. If I had not made these changes, of course Synaptic would not have been able to fetch upgrades to Debian stable after the rollover from jessie to stretch. I did make the changes and until 1 Jan 2018 was able to obtain all package upgrades from the onion mirrors.

> don't assume that just because something (appears to be) broken for you that it's broken for everyone.

I didn't. One reason why I am asking whether others who use Debian stable and have been updating their systems using the onion mirrors for some time noticed the updates no longer work since 1 Jan 2018.

> Start with at least: what architecture + version of debian

I am writing this while using Tails 3.4 (which *does* incorporate the patches I have not been able to obtain for my own Debian system yet) booted from a live DVD, so the easiest way for me to answer this is:

64 bit Debian stable for a laptop with an Intel chip.

I did check my /proc/version while running the flawed Debian (offline) and I definitely am still running the last kernel released *before* 1 Jan 2018, which is *not* immunized (we hope) against Meltdown. I also see +u3 instead of +u4 (or something like that), again showing that I have not been able to obtain the patched kernel. Of course, I would have known if I were trying to install a new kernel because it takes time to fetch and requires my intervention (calling Synaptic).

> and which packages you are expecting to see updates for...

*All* upgrades (security patches and any others) issued by Debian since 1 Jan 2018. I see a number including the critical kernel patches listed in the security.announce list, which I can access via Tails. Not all of these apply to my Debian system, but a half dozen do, and I have not been able to install any of them as I was prior to 1 Jan 2018.

> I assume you've already checked that internet (and tor) are working properly on your system?

They appear to be. I think the fact that updating from the onion mirrors worked fine (was able to obtain all package upgrades using synaptic) until 1 Jan 2018 and has not worked (am not able to install more recent package upgrades using synaptic) suggests that something has gone wrong. As you noted above, a key question is whether something has gone wrong for everyone or just for me.

In order to test this, I think others need to report whether upgrading their Debian stable packages from the onion mirrors is still working for them (i.e. that they able to install normally patches more recent than 1 Jan 2018).

Anonymous (not verified) said:

January 09, 2018

Permalink

Tails 3.4 is now available, and it incorporates the latest Linux kernel patches which should prevent known Meltdown attacks and some Spectre attacks.

See tails.boum.org

Meltdown / Spe… (not verified) said:

January 10, 2018

Permalink

For Meltdown, if your kernel is Linux, plz upgrade it to a fixed version.
For Spectre, there is no universal fix yet, I think our best bet is to set the security level in Tor Browser to high and only enable javascript when absolutely necessary.

I agree, adding that all the cybersecurity stuff most of us have been doing all along (regularly updating our systems, avoiding to click on dodgy links) is still worthdoing despite the amazingly disastrous consequences of the complete breakage of the distinction between kernel space and user space memory, because it appears that some currently known examples of Meltdown and Spectre attacks require the attacker to have already gained sufficient access to your device to run their malicious code on it.

My problem is that I rely on the onion mirrors to obtain security upgrades for Debian, and so for I have not seen *any* upgrades from 2018 appear when I use "reload" in Synaptic. But I know from the security-announce mailing list archive that about a dozen have already appeared, including the critical patch to the kernel which should help prevent basic Meltdown attacks.

"high": this blog does not work unless you set the slider to "medium" or "low". I write this using Tails 3.4 which does include the linux kernel patched to defend against basic Meltdown, and also with some patches which could prevent some Spectre attacks.

Very surprised… (not verified) said:

January 12, 2018

Permalink

Why is the main venue for discussion on Tor and Meltdown/Specter this comments thread? It's almost halfway into January, shouldn't there be a top level blog post to set out the Tor Project's mitigation plan? Very surprised and disappointed by the inaction shown so far. -

Anonymous (not verified) said:

January 13, 2018

Permalink

From the announcement of the new stable Tor:

> Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)

I see that the new Tails signing subkey is ed25519.

Great stuff, thanks all!

Richard (not verified) said:

January 14, 2018

Permalink

Great going in 2017.

It would be great if the community can develop a simpler user guide for TOR. Something non tech people can easily use. This can increase TOR users.

I have made one here https://darkwebnews.com/tor-guide/

I would be happy help and make a better one for TOR community.

Anonymous (not verified) said:

January 14, 2018

Permalink

OT: I'm not sure where to drop my question so I raise it here.

How safe or unsafe is it to use real name accounts with Tor Browser?

I know that SSL can protect against bad exit nodes to a certain degree but not every bad exit node behaves in an obvious way which for instance provokes browser alerts.

Perhaps using Tor Browser to access real name accounts is not a good idea, when the bank, email provider or company where one is customer knows the user identity anyway?

it is safe without javascript.
few email provider allow that. few company allow an anonymous account so you must access with your real name but you can ask to the admin a pseudo. a bank allows anonymous access , you must ask an alias.
if email provider bank or company do not allow an anonymous access , it is not your account but their account.
is it safe to access in their account with your real name ? it is strongly recommended and not at all anonymous of course but .if they know who you are they should not know where you are.

Not a TP employee or a network engineer, just a user like you, but FWIW:

I have tried to suggest that if banks used onions for their customer account interface, this might provide improved cybersecurity, provided that customers seperate Tor Browser sessions where they wish to surf anonymously from Tor Browser sessions where they wish to log in to some on-line real name account. I do not claim to have attempted to really think this idea through, and I certainly have not tested it, but I have suggested this would be a suitable topic for brainstorming, e.g. at future NYC Tor meetups.

Softwwareiscrap (not verified) said:

January 15, 2018

Permalink

slow as shit on Windows, slow as hell on Android. I updated the browser and always says out of date. Completely pointless

Anonymous (not verified) said:

January 16, 2018

Permalink

3rd day the browser [7.0.11] is not working, i installed a new DMG and try on 2 computers, both don't open the browser. only a warning window that it's not working

Anonymous (not verified) said:

January 22, 2018

Permalink

Followup on the problems with the onion mirrors for the Debian repositories which are described in comments above:

These problems seem to be resolved. Over the weekend I saw what appear to be normal (if undesirable) delays, probably due to server overload, but I have been able to upgrade a variety of architectures, both stable (Debian 9, "stretch") and oldstable (Debian 8, "jessie"), both 32 bit and 64 bit, to obtain the crucial anti-Meltdown kernel patch.

After you download the new kernel (and other packages with security upgrades) and reboot, if you have a stable/oldstable system of the most common type (amd64 for 64 bit PCs and laptops) your /proc/version should show respectively
linux-image-4.9.0-5-amd64
linux-image-3.16.05-amd64
If you have another architecture look in debian.org (using Tor Browser of course!) for the package lists and look up "linux-image" to find the current kernel for your architecture.

Hope this is helpful to other Debian users!

I consider the onion mirrors a long-needed and critical resource for endangered users all over the world. We know from Snowden leaked documents that NSA routinely inserts malware "on the fly" into software being downloaded by "targets", including people who think they are downloading from official "trusted" repositories. Further, they abuse bug reports and system update queries to try to catalog all the unplugged security vulnerabilities on every computing device in the world, just in case NSA/TAO and friends decide to try to "gain a persistent presence" on a particular device (often a server inside a telco, bank, or newspaper). Other nations no doubt do much the same. Thus, Debian users who get their upgrades from the onion mirrors likely gain very considerable protection from some of the nastiest tricksters, in several ways:
o extra confidence they are reaching genuine "trusted" repositories
o extra confidence adversaries will find it more difficult to know they are vulnerable to some publicly known problem before a patch becomes available and before the user can download the patch.

The patched Debian linux kernels became available on 4 Jan and 9 Jan and it is troubling that it apparently took until the weekend of 20 Jan for them to show up in the onion mirrors. I trust TP and DP are working to ensure this situation is not repeated, and that the onions have enough capacity to deal with heavy load at times when everyone is trying to obtain a widely publicized and critical security patch. (Smart users upload all security patches as they become available, but many wait until they hear reports which really frighten them.)

Anonymous (not verified) said:

January 22, 2018

Permalink

Someone commented in the (closed) Library freedom thread:

> can't exist as long as encryption (pgp e.g.) & to be the owner of our hardware will be prohibited in almost (not all) countries/territories/regions.

I am concerned that this situation might come to pass if we do not work hard to prevent it, but AFAIK this is not currently true: neither PGP nor owning a computer outright are explicitly outlawed in "almost all countries".

I agree that some countries appear to try hard to make using Tor and even open source generally "effectively illegal" (or at least "strongly discouraged") without actually making these literally illegal. Sadly, one country where our enemies are trying very hard to make Tor illegal is the USA, where Tor is based. However, I think Tor is not without friends and it may still make sense to follow the strategy which TP has traditionally followed, of working to ensure that Tor remains fully legal in "the West" while also working to extend "Western" freedoms to Asia, Africa, Latin America, maybe even (one day) China and Russia, and while working to decrease or even eliminate TP's financial dependence upon grants tied to a specific government with often double plus ungood "national interests" (the USA).