Tor Project blog

New Release: Tor Browser 15.0.10

2026-04-21T00:00:00Z

Tor Browser 15.0.10 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 15.0.9 is:

All Platforms
- Updated OpenSSL to 3.5.6
- Bug tor-browser#44749: Check search engines parameter replacements
- Bug tor-browser#44852: Rebase Tor Browser stable onto 140.10.0esr
- Bug tor-browser#44859: Backport Bugzilla 1666613: Display XML error pages in the browser directionality while force LTRing the XML code itself, without the use of intl.css
- Bug tor-browser#44863: Backport Security Fixes from Firefox 150
- Bug tor-browser-build#41775: Update list of Snowflake STUN servers in default bridge line, 2026 edition
Windows + macOS + Linux
- Updated Firefox to 140.10.0esr
- Bug tor-browser#44288: New identity fails to block loading a custom home page
Android
- Updated GeckoView to 140.10.0esr
Build System
- All Platforms
  - Bug tor-browser-build#41767: Add jwilde to allowed signer for browser projects
- Windows + Linux + Android
  - Updated Go to 1.25.9

Code audit for Tor VPN completed by Cure53

2026-04-15T00:00:00Z

Over the past several years, the Tor Project has been working to expand its mobile privacy offerings, including the development of TorVPN and its supporting components. This work is aimed at making Tor-based protections more accessible while maintaining strong security guarantees.

As part of this effort, in June 2025, Cure53 conducted a penetration test and source code audit of TorVPN for Android.

The assessment covered both the Android application and the underlying Onionmasq networking layer responsible for DNS resolution and traffic handling.

Audit findings

The audit covered two primary areas:

TorVPN for Android: the mobile application responsible for routing device traffic through the Tor network
Onionmasq / Tunnel Interface for Arti: the Ruse-based networking tunnel layer handling low-level network traffic forwarding, including TCP/UDP parsing, DNS resolution, and routing to the Tor network through Arti.

Key findings

The audit found that Tor’s core integration remains robust, with no fundamental issues in tunnel establishment or routing. Most findings instead cluster around two areas: incomplete input validation and weaknesses in DNS handling that could enable denial-of-service conditions in certain rare conditions.

Additional issues included cryptographic hardening suggestions (such as certificate pinning and randomness), and typical mobile security concerns like plaintext configuration storage and lack of root detection.

Next steps

All findings are being tracked and addressed as part of ongoing security work. This audit helps prioritize improvements around validation, resource management, and the use of established libraries for security-critical functionality.

Read the full audit report

For detailed findings and recommendations, please see the complete audit report here

New Release: Tails 7.6.2

2026-04-15T00:00:00Z

This release is an emergency release to fix an important security vulnerability in the confinement of Tor Browser.

Changes and updates

Update Flatpak to 1.16.6, which fixes CVE-2026-34078, a major sandbox escape vulnerability. Using this vulnerability, an attacker could break the security confinement of Tor Browser and access all files that don't require an administration password, including in the Persistent Storage.

This vulnerability can only be exploited by a powerful attacker who has already exploited another vulnerability to take control of Tor Browser.

For more details, read our changelog.

Get Tails 7.6.2

To upgrade your Tails USB stick and keep your Persistent Storage

Automatic upgrades are available from Tails 7.0 or later to 7.6.2.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails 7.6.2 on a new USB stick

Follow our installation instructions.

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 7.6.2 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.

A Server That Forgets: Exploring Stateless Relays

2026-04-08T00:00:00Z

Running Tor relays requires constant work against adversaries, private and state-backed, who try to undermine the network by attacking the nodes that make it up. On top of that, some operators have to deal with seizures, raids, and direct physical access to hardware. There are precedents in Austria, Germany, the United States, Russia, and likely many others. In those instances, the server can become a liability.

Tor exists because we want to shield internet users from unwanted surveillance. The network is designed so that no single operator or server can reconstruct who is talking to whom. Journalists, activists, and whistleblowers depend on that holding up. A relay that can be seized and its contents handed over erodes the very trust the system depends on. And that's a problem we want to solve.

In this post we explore how a stateless, diskless operating system can improve relay security, from firmware to user space, with a focus on software integrity and physical attack resistance. This work comes from the experience of Osservatorio Nessuno running exit relays in Italy. Managing relays varies greatly depending on context, technical capability, budget, and jurisdiction. We hope to stimulate discussion rather than propose a single model.

What stateless means

A stateless system doesn't store anything between reboots. Every time it starts, it begins from a known, fixed image, just like Tails does. The idea of running a Tor relay entirely in RAM isn't new. Tor-ramdisk, a uClibc-based micro Linux distribution built for exactly this purpose, dates back to at least 2015.

For relay operators, this approach raises the security bar by enforcing better behaviors by design:

Physical attack resistance. If the machine is seized or cloned, there is nothing to analyze. Depending on the setup, the extraction of relay keys might become infeasible.

Declarative configuration. The system is version controlled. A stateless system cannot drift from its declared configuration, since every boot is a fresh apply.

Immutable runtime. The filesystem is read-only. Even if an attacker gains code execution, they cannot persist anything across a reboot.

Reproducibility. A system that doesn't change between reboots is easier to verify and, eventually, to reproduce and audit.

Why Tor relays are hard to make stateless

Tor relays build reputation over time: a relay that has been running for months earns bandwidth flags that make it more useful to the network. That reputation is tied to a long-term cryptographic identity key. Lose those keys and the relay loses its identity, and as such is reputation in the network, starting from scratch.

Thus, the relay's identity must survive reboots without being extractable. A key stored on disk can be seized and copied; a key stored in a security chip such as the TPM might be more challenging for attackers.

Beyond the identity key, a relay accumulates a state file containing bandwidth history and other temporary information. Discarding it on every reboot degrades performance, and running entirely in RAM means the OS has to fit in memory, with no possibility of swapping to disk. Whenever processes exceed available memory, the kernel's OOM killer terminates them outright. In practice, replacing glibc's allocator with jemalloc or mimalloc reduces Tor's memory footprint significantly, from around 5.7 GB to under 1.2 GB on a busy guard relay, largely by avoiding fragmentation from high-churn directory cache objects.

The TPM as the primary tool

A TPM (Trusted Platform Module) is a dedicated hardware chip on the motherboard that stores cryptographic keys and performs operations with them without ever exposing the private key to the operating system. It can seal a secret: bind it to a specific measured state of the machine, so the key can only be used if the TPM sees the exact same software stack it saw when the key was created.

For a stateless relay, this means the identity key survives reboots, as it lives in the hardware, but can't be conventionally extracted even with physical access. TPMs also support remote attestation: the chip can prove to an external system what software the machine was started with, backed by a hardware-rooted signature. This makes it possible to verify what a node is running without trusting the operator.

The TPM doesn't solve everything. Tor's usage of ed25519-based keys are not supported by the TPM chips, so the key is encrypted by the TPM but still stored as a byte string in non-volatile memory, meaning it is still technically possible to export it.

Sealing also requires deciding upfront what software state the TPM will trust. When you update the kernel or bootloader, the measured state changes, and you have to re-seal the TPM by predicting what the next boot will look like.

Existing approaches

Different operators have tackled this problem at different points on the trade-off curve between simplicity and depth of security.

Minimal ramdisk. The simplest approach: run everything in RAM, manage keys manually. Tor-ramdisk has done this since 2015. Identity keys are exported and imported over SCP; rebooting without doing so means starting over. No TPM, no attestation, no verified boot — just the guarantee that RAM doesn't survive a power cut. It remains a meaningful improvement over a conventional disk-based setup.

VM-based ramdisk. Emerald Onion runs per-relay Alpine Linux images (66 MB each) on a Proxmox hypervisor. The VMs boot entirely into RAM with no persistent storage attached. Identity is managed with Tor's OfflineMasterKey feature: the long-term master key is generated offline and never touches the relay. Updates are image rebuilds, rollback is trivial, and no special hardware is required.

Bare metal with TPM-backed identity. Patela, our tool, takes a more hardware-focused approach. The relay boots via stboot, a bootloader that fetches and cryptographically verifies a signed OS image before handing off control. Once running, the node pulls its configuration from a central server over mTLS, though a potentially compromised server can deny service but cannot push credentials or extract keys from the node. The relay's identity key lives in TPM non-volatile memory, bound to the measured boot state. It survives reboots but can't be extracted even with physical access. The trade-off is operational complexity: bare metal is required and re-sealing is needed after updates.

Open problems

Some of these problems are specific to our setup; others affect any stateless relay deployment.

Re-sealing after updates. When the software stack changes, the TPM's measured state changes too. Automating this, which implies predicting what the boot measurements will look like after an update, is one of the harder unsolved problems. Tooling like systemd-pcrlock is moving in this direction, but it's not turnkey yet.

Stateless reboots versus upgrades. We use standard unattended upgrades for the Tor binary. But a reboot reverts to the OS image, which contains the previous version, a causing an involuntary downgrade. Reconciling automatic security updates with stateless images is something we haven't fully solved.

Memory constraints. No swap means processes that exceed available memory are killed without warning. Tor's memory usage is hard to predict at runtime. The allocator replacement described above helps enormously, but the fundamental constraint remains.

Network stability. Persistent updates can only be applied rebuilding the images and booting it again. A relay that restarts frequently risks losing its Stable flag, which affects how much traffic the network sends to it.

Future directions

Remote attestation. Sealing binds a key to a machine state. Attestation lets the node prove that state to an external party. A verifier, suach as a configuration server or eventually the Tor directory authorities, can issue a cryptographic challenge that only a node running the expected software stack can answer correctly. This turns boot integrity from a local property into something verifiable remotely, reducing operator trust.

Transparency logs. Once you have a measured boot chain, you can publish it. A relay operator provides a recipe for a reproducible build; anyone can recompute the expected hash and verify it matches what the TPM reports. An append-only transparency log can make these attestations publicly auditable. The Tor community could run an independent monitor to track this across the relay fleet.

Confidential computing. The VM-based approach can be extended with technologies like AMD SEV-SNP, which isolate a guest VM's memory from the hypervisor itself. This too, is useful to reduce operator trust, and can reduce the security gap between the VM and bare-metal approaches.

Smaller hardware. Walking onions, a proposed Tor protocol extension, would remove the need for nodes to hold an entire view of the network locally. Getting arti and related tools to run on smaller hardware would open up possibilities for devices that currently can't afford the resource cost.

Conclusion

For applications like Tor, being stateless can bring multiple benefits: helps both prevent attacks and operator errors, and with further research and work could improve the overall network trustworthiness.

Stateless systems come with real operational costs and genuinely hard unsolved problems, even for project and organizations with more resources. But they can serve as a foundation for improving privacy infrastructure, and similar concepts and frameworks could be applied to other parts of the stack.

This work started at the Tor Community Gathering in 2025, and it's ongoing. If you run relays, work on Tor tooling, or have thought about any of these open problems, we'd like to hear from you.

References

New Release: Tails 7.6.1

2026-04-08T00:00:00Z

This release is an emergency release to fix important security vulnerabilities in Tor Browser.

Changes and updates

Update Tor Browser to 15.0.9, which fixes several vulnerabilities in Firefox 140.9.1.

We are not aware of these vulnerabilities being exploited in practice.

Update the Tor client to 0.4.9.6.
Update Thunderbird to 140.9.0.
Update some firmware packages. This improves support for newer hardware: graphics, Wi-Fi, and so on.

For more details, read our changelog.

Get Tails 7.6.1

To upgrade your Tails USB stick and keep your Persistent Storage

Automatic upgrades are available from Tails 7.0 or later to 7.6.1.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails 7.6.1 on a new USB stick

Follow our installation instructions:

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 7.6.1 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.

New Release: Tor Browser 15.0.9

2026-04-07T00:00:00Z

Tor Browser 15.0.9 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 15.0.8 is:

All Platforms
- Updated Tor to 0.4.9.6
- Updated NoScript to 13.6.15.1984
- Bug tor-browser#44837: Rebase Tor Browser stable onto 140.9.1esr
Windows + macOS + Linux
- Updated Firefox to 140.9.1esr
Android
- Updated GeckoView to 140.9.1esr
Build System
- All Platforms
  - Bug tor-browser-build#41758: Rename tools/signing/deploy-legacy to tools/signing/redeploy-update_responses-release
- Windows + macOS
  - Bug tor-browser-build#41741: Create a 13.5-specific update path

New Alpha Release: Tor Browser 16.0a5

2026-04-01T00:00:00Z

Tor Browser 16.0a5 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

⚠️ Reminder: The Tor Browser Alpha release-channel is for testing only. As such, Tor Browser Alpha is not intended for general use because it is more likely to include bugs affecting usability, security, and privacy.

Moreover, Tor Browser Alphas are now based on Firefox's betas. Please read more about this important change in the Future of Tor Browser Alpha blog post.

If you are an at-risk user, require strong anonymity, or just want a reliably-working browser, please stick with the stable release channel.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 16.0a4 is:

All Platforms
- Updated NoScript to 13.6.14.90101984
- Updated Tor to 0.4.9.6
- Bug tor-browser#43858: Clean out deprecated or unused methods in TorConnect
- Bug tor-browser#44251: Drop pt_config.json meek-azure migration logic
- Bug tor-browser#44546: Rename appearance-chooser-item to setting-chooser-item after we reach nightly 149
- Bug tor-browser#44621: Move about:torconnect back to browser
- Bug tor-browser#44702: Rebase alpha onto 149.0a1
- Bug tor-browser#44720: Migrate New Identity commit to Tor Browser
- Bug tor-browser#44753: Drop TorProvider.isBootstrapDone
- Bug tor-browser#44755: Trusted Types (Firefox 148 and above) + Web Workers broken on Safer Level
- Bug rebase-149#44757: Update tests for removed Services.search [tor-browser]
- Bug tor-browser#44761: Safer Level's worker patching filters out Worker constructor options
- Bug tor-browser#44763: Disable WebGPU until audited
- Bug tor-browser#44764: Review Mozilla 2012344: Hide main AI settings when the feature is blocked
- Bug tor-browser#44765: Review Mozilla 1972073: Convert Sidebar to config-based prefs
- Bug tor-browser#44767: Safer Level's worker patching throws on new about:blank frames with Trusted Types
- Bug tor-browser#44772: Review Mozilla 1980264: Canvas randomization is too slow
- Bug tor-browser#44778: Safer Level: xray causes patched TrustedTypePolicy instances to be unusable by content.
- Bug tor-browser#44801: Redact onion origins from Location.ancestorOrigins.
- Bug tor-browser#44814: Disable trustpanel until our new designs are ready
Windows + macOS + Linux
- Updated Firefox to 149.0a1
- Bug tor-browser#44714: The browser opens a new about:blank tab in 148
- Bug tor-browser#44780: AIFeature.sys.mjs failures in 149 desktop builds
- Bug tor-browser#44781: Use a static page title for about:torconnect
- Bug tor-browser#44793: privacy.spoof_english console error in about:preferences
- Bug tor-browser#44797: Clean up about:torconnect styling
- Bug tor-browser#44799: Onionize toggle in about:tor uses blue text color
Android
- Updated GeckoView to 149.0a1
- Bug tor-browser#43790: Address "Various android workarounds" commit introduced in the 138 rebase
- Bug tor-browser#44332: Fix android tor logs screen issues presented in 144 rebase
- Bug tor-browser#44594: DoH is visible on Android
- Bug tor-browser#44653: Disable "Allow search suggestions in private sessions" prompt presented in RR 148 android
- Bug tor-browser#44694: Remove new "Tab bar" feature on Android
- Bug tor-browser#44698: Clean up comments in AccountSettingsFragment.kt. FIXME: Update A-S
- Bug tor-browser#44700: Untracked change to HomepageHeader.kt
- Bug tor-browser#44751: Noscript (and likely any extension) can be accidently turned off on Android alpha
- Bug tor-browser#44752: Remove new expanded toolbar option on Android due to fingerprintability
- Bug tor-browser#44785: Fix SiteSecurityRobot.kt after the 149 rebase
- Bug tor-browser#44788: Extensions are unreachable via 3 dot menu in alpha (android)
- Bug tor-browser#44789: Icon of "New Circuit" is not centered but lies in top left corner
Build System
- All Platforms
  - Bug tor-browser#43180: Remove translation CI 13.5 legacy extension
  - Bug tor-browser-build#41758: Rename tools/signing/deploy-legacy to tools/signing/redeploy-update_responses-release
  - Bug tor-browser-build#41766: Use gzip for all platforms for Go vendoring
- Windows + macOS
  - Bug tor-browser-build#41741: Create a 13.5-specific update path
- macOS
  - Bug tor-browser-build#41753: Allow running custom commands when vendoring Go dependencies

Arti 2.2.0 released: HTTP CONNECT, RPC, and Relay development.

2026-03-31T00:00:00Z

Arti is our ongoing project to create a next-generation Tor implementation in Rust. We're happy to announce the latest release, Arti 2.2.0.

This release adds support for using HTTP CONNECT rather than SOCKS, when connecting to the Tor network via Arti. This previously-experimental feature is now included a full build, and will then be enabled by default. The HTTP CONNECT protocol is available over the same port as SOCKS.

The RPC client library (arti-rpc-client-core) now supports non-blocking requests, and integration with application event loops. And the RPC system now supports administrative access to the Arti instance, via a new "superuser" facility.

We also fixed a low-severity security issue, TROVE-2026-005, which would somewhat weaken DoS resistance in in certain unusual embedded build configurations.

Behind the scenes we have been working on relay support, including relay channels and circuits, and directory server functionality (mirrors and authorities). As ever there are also lots of bugfixes, cleanups, and test and CI improvements.

For full details on what we've done, including API changes, and for information about many more minor and less-visible changes, please see the CHANGELOG.

For more information on using Arti, see our top-level README, and the documentation for the arti binary.

Thanks to everybody who's contributed to this release, including hjrgrn, HydroxideUnlaced, Nihal, and Tobias Stoeckmann.

Also, our deep thanks to our sponsors for funding the development of Arti!

New Release: Tails 7.6

2026-03-26T00:00:00Z

New features

Automatic Tor bridges

You can now learn about Tor bridges directly from the Tor Connection assistant in Tails.

Tor bridges are secret Tor relays that hide that you are connecting to Tor. If connecting to Tor is blocked from where you are, you can use a bridge as your first Tor relay to circumvent this censorship.

In Tails 7.6, choose Connect to Tor automatically when opening Tor Connection. If access to the Tor network is blocked, the bridge configuration screen offers a new option called Ask for a Tor bridge based on your region.

This feature uses the same technology as the connection assistant in Tor Browser outside of Tails, which was introduced in Tor Browser 11.5 (July 2022).

Tails downloads information about bridges that are most likely to work in your region from the Moat API of the Tor Project. To circumvent censorship, this connection is disguised as a connection to another website using domain fronting.

GNOME Secrets

In Tails 7.6, the Secrets password manager replaces KeePassXC.

Secrets has a simpler interface and is better integrated in the GNOME desktop. For example, accessibility features, such as the screen keyboard and cursor size, are working again with Secrets.

Secrets offers to unlock your previous KeePassXC database automatically, because both Secrets and KeePassXC use the same file format to store passwords.

If you miss more advanced features from KeePassXC , you can install KeePassXC as additional software.

The main keyboard shortcuts of Secrets are similar to the ones of KeePassXC , with Shift in addition to Ctrl :

Shift+Ctrl+C : copy password
Shift+Ctrl+V : copy address
Shift+Ctrl+B : copy username
Shift+Ctrl+T : copy one-time password

To see the full list of keyboard shortcuts of Secrets , press Ctrl+?.

Changes and updates

Update Electrum from 4.5.8 to 4.7.0.
Update Tor Browser to 15.0.8.
Update Thunderbird to 140.8.0.
Update most firmware packages. This improves support for newer hardware: graphics, Wi-Fi, and so on.

Fixed problems

Translate the confirmation dialog that appears before saving the language and keyboard layout on the USB stick. (#21448)

Fix the Learn More button in the Thunderbird migration notification. (#21455)

Fix automated upgrades in Turkish. (#21466)

For more details, read our changelog.

Get Tails 7.6

To upgrade your Tails USB stick and keep your Persistent Storage

Automatic upgrades are available from Tails 7.0 or later to 7.6.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails 7.6 on a new USB stick

Follow our installation instructions:

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 7.6 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.

New Release: Tor Browser 15.0.8

2026-03-24T00:00:00Z

Tor Browser 15.0.8 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 15.0.7 is:

All Platforms
- Updated NoScript to 13.6.12.1984
- Bug tor-browser#44663: NoScript behavior on “Safer” security level prevents integrity checks for dynamically loaded javascript
- Bug tor-browser#44680: Properly handle subdocuments created by data: URLs
- Bug tor-browser#44761: Safer Level's worker patching filters out Worker constructor options
- Bug tor-browser#44771: Rebase Tor Browser stable onto 140.9.0esr
- Bug tor-browser#44784: Backport Security Fixes from Firefox 149
- Bug tor-browser-build#41738: Allow to specify an unsupportedURL on update responses
Windows + macOS + Linux
- Updated Firefox to 140.9.0esr
- Bug tor-browser#44327: ERROR: Your Tor Browser profile cannot be loaded. It may be missing or inaccessible
- Bug tor-browser#44386: Firefox profiles no longer work in Tor Browser 15.0
Linux
- Bug tor-browser#44657: Backport tor-browser#44394: Do not read default prefs from /etc/firefox
Android
- Updated GeckoView to 140.9.0esr
Build System
- Windows + Linux + Android
  - Updated Go to 1.25.8
  - Bug tor-browser#44249: Backport tor-browser-build#41580: Update Go major to 1.25.x