New Releases: Tor 0.3.5.12, 0.4.3.7, and 0.4.4.6

by nickm | November 12, 2020

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.4.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

We've also released 0.3.5.12 (changelog) and 0.4.3.7 (changelog) today. You can find the source for them at https://dist.torproject.org/, along with older releases.

Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- 005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay.

Changes in version 0.4.4.6 - 2020-11-12

  • Major bugfixes (security, backport from 0.4.5.1-alpha):
    • When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. Resolves TROVE-2020-005.
  • Minor features (directory authorities, backport from 0.4.5.1-alpha):
    • Authorities now list a different set of protocols as required and recommended. These lists have been chosen so that only truly recommended and/or required protocols are included, and so that clients using 0.2.9 or later will continue to work (even though they are not supported), whereas only relays running 0.3.5 or later will meet the requirements. Closes ticket 40162.
    • Make it possible to specify multiple ConsensusParams torrc lines. Now directory authority operators can for example put the main ConsensusParams config in one torrc file and then add to it from a different torrc file. Closes ticket 40164.

 

Use a Mask, Use Tor: Friends of Tor Matching Donations up to $100,000

by alsmith | November 9, 2020

Starting today through December 31, every dollar donated to the Tor Project, up to $100,000, will be matched by Friends of Tor. That means that your donation will make double the impact. We’re able to offer this match because of generous folks in our community who believe in Tor, privacy online, and the work to resist the surveillance pandemic.

New alpha release: Tor 0.4.5.1-alpha

by nickm | November 1, 2020

There's a new alpha release available for download. If you build Tor from source, you can download the source code for Tor 0.4.5.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time this month, assuming we get #40172 figured out.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual. We'll be trying to put out putting out stable backport releases in the next week or so.

Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It improves support for IPv6, address discovery and self-testing, code metrics and tracing.

This release also fixes TROVE-2020-005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay. To mount this attack, the adversary would need to actively extend circuits to an incorrect address, as well as compromise a relay's legacy RSA-1024 key. We'll be backporting this fix to other release series soon, after it has had some testing.

Here are the changes since 0.4.4.5.

Changes in version 0.4.5.1-alpha - 2020-11-01

  • Major features (build):
    • When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
  • Major features (metrics):
    • Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.

 

Use A Mask, Use Tor: Resist the Surveillance Pandemic

by alsmith | October 21, 2020

As many friends and followers of Tor know by now, we spend the final weeks of each year asking for your help as part of our year-end fundraising campaign. For our 2020 campaign, we wanted a theme that conveys a positive message and speaks to the power of this kind of community action. That’s why we decided on the theme Use a Mask, Use Tor.