New Tor 0.2.4.17-rc packages

There's a new Tor 0.2.4.17-rc to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest version, since it mostly contains server-side improvements, but users will hopefully benefit from upgrading too. Please try it out and let us know.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.4.17-beta-1)

  • Update Tor to 0.2.4.17-rc
  • Update NoScript to 2.6.7.1
  • Update HTTPS Everywhere to 4.0development.11
Anonymous

September 06, 2013

The download page you linked doesn't seem to contain 2.4.17-beta-1. I can only see the latest stable version.

Anonymous

September 06, 2013

Question.

Why isn't a package in the repo yet? I'm stuck with Tor v0.2.3.25 (git-3fed5eb096d2d187)

Anonymous

September 06, 2013

I updated to the latest 0.2.4.17 build, in the message log I have quite a few warnings like this:
[Warning] Your Guard xxxx is failing an extremely large amount of circuits. This could indicate a route manipulation attack, extreme network overload, or a bug. Success counts are 35/151. Use counts are 11/11. 80 circuits completed, 0 were unusable, 45 collapsed, and 5 timed out. For reference, your timeout cutoff is 60 seconds.

I have seen broken SSL handshakes for a long time also. In fact, after running Tor, I have had SSL problems on site, even when not using it. Figure that out.

Anonymous

September 06, 2013

Please downgrade HTTPS Everywhere to the stable version!!! This version conflicts with NoScript due to a continuous flood of requests to clients1.google.com!!!! Check out the requests in Vidalia!!

I tried on Win7 and Unix, both 64-bit... this HTTPS Everywhere version seems to conflict with NoScript... removing one of the two solves the problem... downgrading HTTPS Everywhere to the stable version solves the problem too.

HTTPS Everywhere has been broken for a long time; I think I noticed it acting funny right before that kid in the UK got arrested for looking at Facebook. My guess would also be that this is actually what gave up Freedom Hosting. I also want to point out that companies not working with the FEDs get put out of business, like Lavabit.

I suspect you're seeing shadows in imagining that the https-everywhere bug had anything to do with the freedom hosting guy. But hey, who knows.

As for 'companies that don't work with the feds get put out of business', see the quote from my mail to the journalist at the bottom of
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-p…

Last week I had lunch with an old employee of PGP (back before they sold out), who pointed out that the feds never asked PGP to put a backdoor in, "because they knew it wouldn't work and it would just raise a PR stink".

Anonymous

September 07, 2013

Hi!

tor 0.2.4.17 reached your .deb-based repository, but the .rpm-repo (even testing) is still serving tor 0.2.4.16 - I'm too lazy to build my own packages. Could you update your packages?

Thanks

Anonymous

September 07, 2013

"Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily."
https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

"As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, [it's 1024 RSA/DH] that the NSA is best at cracking."
http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-cou…

It's good to see someone mentioned it. Probably the current cryptography implementation Tor uses isn't strong enough to keep the NSA away from our businesses. Hopefully the team considers this issue.

I think we're doing pretty well with the new curve25519 stuff -- better than the 1024 bit RSA and DH, and better than the NIST-specified curves we use for our TLS (link) encryption. See the threads on tor-talk for details -- I shouldn't try to teach you about crypto, even Tor's use of crypto, in a blog comment. :)

Anonymous

September 07, 2013

The same problem: at times, perhaps after some inactivity delay, there appear some non-stop connection requests to clients1.google.com:443.
Why??? I have no business connecting to Google.

Look for yourself - monitor the circuits/connections in Vidalia's Network Map... If the requests are seen, they stop only after Tor Browser is closed.

Thanks.

This happens due to a fault in HTTPS Everywhere (beta version). Downgrade HTTPS Everywhere to the latest STABLE version and these clients1.google connections magically disappear.

Anonymous

September 08, 2013

I'm going to update, but after reading all these, I'm not sure if that is the right thing to do. It appears I have no choice but to follow Tor's advice to update; the alternative is scary. I would like to mention that Tor is really working hard and fast on keeping the network secure. Thank you, Tor Development Team!

Anonymous

September 08, 2013

With the dev version of HTTPS Everywhere in the latest Tor build I get (like the poster above) constant connections to clients1.google.com; after downgrading HTTPS Everywhere to the stable version these connections don't show up.

Anonymous

September 08, 2013

Here is a simple diff for Tor Browser Bundle 2.4.17-beta-1:

  1. <br />
  2. $ diff -u Data/Tor/torrc.orig Data/Tor/torrc<br />
  3. --- Data/Tor/torrc.orig 2013-09-05 15:14:47.000000000 +0200<br />
  4. +++ Data/Tor/torrc 2013-09-08 14:38:32.747460844 +0200<br />
  5. @@ -2,6 +2,7 @@<br />
  6. AvoidDiskWrites 1<br />
  7. # Store working data, state, keys, and caches here.<br />
  8. DataDirectory ./Data/Tor<br />
  9. +GeoIPFile ./Data/Tor/geoip<br />
  10. GeoIPv6File ./Data/Tor/geoip6<br />
  11. # Where to send logging messages. Format is minSeverity[-maxSeverity]<br />
  12. # (stderr|stdout|syslog|file FILENAME).<br />
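
Review bot: the added `GeoIPFile ./Data/Tor/geoip` line goes in without a comment, while the `DataDirectory` line just above it carries one ("Store working data, state, keys, and caches here."); add a one-line comment saying what the file is for and that it pairs with the existing `GeoIPv6File` entry. The path is relative, like `DataDirectory ./Data/Tor`, so it resolves against the working directory Tor is started from; stating that assumption next to the line would save the next reader from guessing.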

I can confirm that the browsing is unusually slow, a lot slower than on TBB 2.3.25-12. Connections break occasionally. All on Linux 32bit versions.
I see the connections to clients1.google.com:443 as well.

Anonymous

September 08, 2013

Why is the source tarball of the 2.4.17-beta-1-dev TBB not posted?

What is the Git URL to get this source myself?

Anonymous

September 08, 2013

Warning: Don't use TOR!

The Tor Project has recently released its 2012 Financial Report; the good news is that when it comes to “openness and transparency”, they are second to none. The bad news, however, is really bad: they proudly embrace their “partnership” with the U.S. Government, and falsely assert that in 2012 fully 60% of their funding came from such reactionary and highly secretive organizations as the U.S. Department of Defense, the U.S. State Department and god knows who else! In fact, over 80% of Tor’s funding comes from the US Government. They are trying to make it look like their reliance on the US Government for the vast majority of their funding is on the decline when it’s not; they are just pretending to be funded by NGOs when in fact some of the NGOs are just cut-outs for the Pentagon.

https://fowlchicago.wordpress.com/2013/04/25/tor-project-2012-financial…

Wait, what? Falsely assert?

We published the financial audit summary. Go read it and add the numbers up for yourself. That's the point of giving it to you.

If you're unhappy that some journalist added them up wrong... that's not us.

[Edit: oh, I actually looked at the article. I thought you were quoting http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-p…
But instead you're pointing to this poorly researched garbage. I'm a big fan of openness and discussing things, but you have to start from some correct facts. Those folks don't seem to care about that.]

It is what it is. That's why we tell you about it. We show you all the code and designs and so on that we produce with our funding. Then you can decide what you think of it all.

I'd love to have more funding from other sources -- if you know any that want to fund better anonymity (or circumvention, or privacy, or whatever security property they want to call it) systems, please introduce us.

I guess you're referring to the fact that nearly all the blog comments are spam from SEOers, so we don't let them show up unless they're related to Tor in some way?

You really are good at jumping to incorrect conclusions here aren't you. :(

Yeah. No kidding. We're sure running out of role models in this world. I wish we had more.

We wrote these two answers:
https://www.torproject.org/docs/faq#Backdoor
https://blog.torproject.org/blog/calea-2-and-tor
and I stand by them. If we have to shut down US operations of Tor and let other people pick up the reins in some safer country, we will. But we're nowhere near that point now -- nobody has even tried to make us do it yet.

But that doesn't mean Tor is perfect -- we need a lot of help in a lot of areas to make it better, and to teach people what it does and doesn't do for them. I have plans to try to explain these issues more clearly to people, but I keep getting distracted by handling press messes, or this latest botnet thing, or fundraising to keep other developers able to focus.

We're big compared to what we used to be, but we're still tiny compared to the system we're up against. Please help grow the community of people working for freedom, including helping to make it more robust against folks who try to tear it down by dividing us.

Thanks. I'm fine with replying to actual facts -- and this fellow was absolutely right, give or take the phrasing.

It's when they belligerently stick to conspiracy theories that it's tough to keep up. I mean, if everything we do is really a conspiracy, and the more open we are the deeper the conspiracy must be ... why come to us to complain about it? :)

US GOVT does not have back doors in TOR.

It doesn't need them when it can already decrypt what it needs to. At this point, it is in their interests to PROMOTE the use of TOR, not shut it down, or threaten it. This will give its adversaries the false sense of security that TOR is actually secure against them. That way, TORs growth will continue and the honey pot will get sweeter.

Seriously, do you really think the Govt will fund an organization whose basic function is to anonymize and encrypt data - the very thing the Govt, as proven by PRISM etc, is trying to avoid?

If you saw your local police funding a company which issues unregistered guns to anonymous people, would you not find that a little STRANGE?

Of course TOR will take the money. They are desperate for resources, and they believe it helps legitimize TOR. How can TOR be so bad when even the US GOVT is funding us to this degree ... right?

.. wrong.

> If you saw your local police funding a company which issues unregistered guns to anonymous people

I know this isn't going to change your mind, but did you know the foreign ministries of most countries actually do that? Just for people in other countries, of course.

Governments are big and complex. You can find a person in the US government who wants just about anything. After all, *they* use and rely on Tor too.

As for legitimizing Tor, basically every possible funder out there would make some folks more comfortable and some folks less comfortable. We pick the ones who want us to do what we already wanted to do. And we turn down the ones who want us to do something we don't want to do.

That said, I totally agree that being this reliant on US govt funding is bad news from a sustainability perspective. I wish we could find some other funders who care about this freedom thing.

Umm so what? That alone does not mean much. The US Government is not a monolith. The best analogy would be a multi-headed hydra. Not all elements of US Government even have the same agenda.

There are elements of government that are making good use of TOR themselves. The NSA probably isn't too fond of it but I would think the CIA is. It would obviously be VERY useful to them in the field - as long as it is actually secure.

The other thing: consider how many moles the CIA and armed forces have out there. They want to keep those moles safe (so they keep getting the info).

I don't think the fact that TORproject receives funding is itself ominous. You are reaching hard.

I do not mean to say that diligence is not good. Never FULLY trust anyone. Always keep your eyes open. But so far TORproject has given us every reason to trust them, and no reason not to.

Software development costs money. As much as the people involved likely believe in what they do, these are also real people with real bills that need paid. It takes lots of time for coding and testing every release.

Since they are trying to stay ahead of the game, they need to do this constantly. This is not the sort of project that is handled slowly over time in a bored kid's basement. They need personnel on task constantly, and money is required. Someone offers money... they accept.

The alternative is that they are massively underfunded - this WILL hurt the quality of the program and thus the safety of TOR users. If you are so concerned about their funding sources, go start up a fundraiser along with your own donations so they don't have to rely on whatever funding they can get their hands on.

Anonymous

September 08, 2013

Keeps failing during "requesting relay information".

I've used previous versions of Tor no problem, just upgraded and I can't get it to work.

Also, when I go to settings > advanced and select "edit current torrc" and click save without making any changes on a clean install, I get the error

Error at line 1: ""

Two of the errors I get in the log are

Sep 09 00:33:00.017 [Notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 09 00:33:00.017 [Notice] Read configuration file "C:\Users\***\Desktop\Tor Browser\Data\Tor\torrc".

I'm assuming these errors mean something is wrong when it's creating the torrc file.