Plain Vidalia Bundles to be Discontinued (Don't Panic!)

Over the past few years, Tor has gotten more popular and has had to grow and change to accommodate a highly varied userbase. One aspect of this is getting the software into users' hands and having it immediately do what they want it to, while also not allowing them to inadvertently deanonymize themselves because they missed a configuration step or didn't understand which applications were using Tor and which were not. As a result, we have standardized on the Tor Browser Bundle for all platforms and are currently promoting it as our only fully supported client experience.

Since the Tor Browser Bundle offers the best current protection, we are moving to a client/server model for packages, and consequently the "plain" Vidalia bundles will be discontinued by the end of the year and no longer recommended for client usage. We've started rolling out server Vidalia bundles for Windows, which you can test by going to the download page.

There are currently (and will continue to be) three types of server bundles available:

  • Bridge-by-default Vidalia bundle
    This configures Tor to act as a bridge by default, so as soon as you install it and run it, you will be helping censored users reach the Tor network. You can read more about bridges here. This bundle still includes Torbutton and Polipo, but those will be removed in the next release (date to be determined).

  • Relay-by-default Vidalia bundle
    This configures Tor to run as a non-exit relay by default. This means you will serve as either a guard or middle node and help grow the size of the Tor network. You can read more about Tor relay configuration here.

  • Exit-by-default Vidalia bundle
    This configures Tor to run as an exit relay by default. Exit nodes are special, as they allow traffic to exit from the Tor network to the plain internet, and anyone who has not already looked into the risks associated with running an exit relay should read our tips for running an exit node with minimal harassment.
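
To make concrete what the three defaults above amount to in configuration terms, here is an added example; it is not the Tor Project's bundle configuration and the shipped bundles may use different values. `emit_torrc()` writes a torrc for each of the three server roles plus a client-only setup, and `torrc_role()` goes the other way: it reads a torrc and reports which role Tor will actually take, which is the check an operator wants before trusting that a "non-exit" configuration can never exit (exit policies are first-match-wins, so `accept *:80, reject *:*` still exits). The directive names (SocksPort, ORPort, Nickname, BridgeRelay, PublishServerDescriptor, ExitPolicy, RelayBandwidthRate, RelayBandwidthBurst) are real torrc options; the ports, nickname and bandwidth caps are assumptions chosen for illustration.

```python
"""Added example, not the Tor Project's own bundle configuration.

emit_torrc() writes a torrc for each server-bundle default described above
(bridge, non-exit relay, exit) plus a client-only setup; torrc_role() reads
a torrc and reports which role it will take. Directive names are real torrc
options; ports, nickname and bandwidth caps are illustrative assumptions.
"""

ROLES = ("client", "bridge", "relay", "exit")


def emit_torrc(role, nickname="Unnamed", orport=9001):
    """Return torrc text for ROLE (one of ROLES)."""
    if role not in ROLES:
        raise ValueError("unknown role %r" % (role,))
    lines = ["SocksPort 9050"]  # local SOCKS port for applications, every role
    if role == "client":
        # No ORPort at all: Tor publishes no descriptor and relays nothing.
        return "\n".join(lines) + "\n"
    lines += ["ORPort %d" % orport, "Nickname %s" % nickname]
    if role == "bridge":
        # Publish to the bridge authority instead of the public directory,
        # and reject all exit traffic so the role is unambiguous.
        lines += ["BridgeRelay 1", "PublishServerDescriptor bridge",
                  "ExitPolicy reject *:*"]
    elif role == "relay":
        lines += ["ExitPolicy reject *:*"]  # guard or middle hop only
    # role == "exit": no ExitPolicy line, so Tor's compiled-in default exit
    # policy applies (a reject list of abuse-prone ports, then accept *:*).
    # Assumed caps so a relay role does not saturate a small uplink.
    lines += ["RelayBandwidthRate 100 KBytes", "RelayBandwidthBurst 200 KBytes"]
    return "\n".join(lines) + "\n"


def _never_exits(policy_entries):
    """Exit policies are evaluated first-match-wins: the relay can never exit
    only if a 'reject *:*' entry comes before any accept entry."""
    for entry in policy_entries:
        if entry == "reject *:*":
            return True
        if entry.startswith("accept"):
            return False
    return False  # no catch-all reject: the default policy accepts most ports


def torrc_role(text):
    """Classify torrc TEXT as 'client', 'bridge', 'relay' or 'exit'."""
    has_orport = is_bridge = False
    policy = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        if key == "ORPort" and value and value.split()[0] != "0":
            has_orport = True  # "auto" or any non-zero port counts
        elif key == "BridgeRelay" and value == "1":
            is_bridge = True
        elif key == "ExitPolicy":
            policy += [p.strip() for p in value.split(",") if p.strip()]
    if not has_orport:
        return "client"
    if is_bridge:
        return "bridge"
    if _never_exits(policy):
        return "relay"
    return "exit"


if __name__ == "__main__":
    for role in ROLES:
        cfg = emit_torrc(role, "ExampleNode", 443)
        print("--- %s (classified as %s) ---\n%s" % (role, torrc_role(cfg), cfg))
```

Run it stand-alone to print all four configurations, or point `torrc_role()` at the contents of a torrc you already have; a result of `exit` for a file you believed was a non-exit relay means an `accept` entry precedes the catch-all reject.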

We've started creating a Tor Browser Bundle FAQ, but we'd like to hear your concerns so we can provide answers where necessary, documentation for alternative setups, and fix the software where answers are insufficient. We have several months before Tor Browser Bundle is the only option, so please help us make it as good as possible! If you have bugs to file, please don't file them in the blog comments -- use our bug tracker for that.

after updating to 0.3.3.9

October 20, 2011

And you plan that any end user must not be able to change the default configuration of Tor?
And what about Tor for UNIX-like systems?!
Does that mean that the Tor team intends to end support for *nix packages of Tor or so?!
It seems to me that this is the beginning of the end of the Tor net...

October 20, 2011

I have noticed the changes on the download page in recent time. Even considering those changes the page, in my opinion, still presents too many options for the average user.

Heck, even an experienced user is presented with too many options.

October 20, 2011

Well, as long as you still release source code to plain-old-tor, this doesn't bother me at all.

October 21, 2011

In *nix systems the Tor browser and the Tor daemon must be separated. Only a system-daemon Tor (such as "debian-tor") with restricted capabilities (with no shell) can be easily integrated with SELinux.

Instead, your current decision ruins too many possibilities: SELinux, transparent firewalling, parallel per-user X server sessions for isolated browsers, isolation within virtual machines.

Yes, average users don't bother about it. You do great work spreading Tor to the masses. It's good to create a normalizing anonymous-user pattern, but not good for inner security against code execution exploits. And more advanced users are forced into this average situation too.

If Tor, Vidalia and TBB are started with the permissions of one user, then the weakest point -- Firefox (patched Aurora) -- is the easiest way to deanonymize a user if code execution escalation can be done. This is an ordinary and regular vulnerability in the browser. And this is an ideal open source "backdoor" -- deanonymizing Tor users will be just a "non-malicious third party software mistake", not closely related to the Tor Project itself.

This is a real scenario with the Tor network, full of honeypot hidden services, specially bugged with deanonymizing code against "average users". Or exit nodes injecting exploits into traffic.

I understand your concern. I am right there with you on the desirability of least privilege for anything that faces the network. It was a tough call for me to give up my SELinux profile for Firefox in order to make the jump to TBB myself. I resisted it for a long time.

However, we made the call that more people were at risk due to misconfiguration exploits than 0day in the actual code. This seemed evident over the years with experience with services like decloak.net, as well as studies that placed the amount of properly configured Torbutton users at less than 20% of our HTTP userbase.

So we made the tradeoff to make that case better at the expense of some edge cases for power users.

Our hope was that the expert users who were aware of those edge cases would help each other fix them. Lunar^, our resident debian developer, I'm sure would love SELinux profiles for isolating the browser and the tor daemon of TBB, as he is working on equivalent debian packages for them. You can find him on #tor-dev on irc.oftc.net (6697 is ssl).

I understand your decision, but why not make the source code of a separate Tor Browser which can be used with a *nix Tor daemon and place its tarball into the torproject repos? Or at least make a howto about detaching it from the sources of TBB and put such a howto in the FAQ or elsewhere?
Probably I (and many *nix users) am more of a power user than the average Windows user, but I am not a programmer and I have no such skills in coding as you, Roger or other Tor developers.
And, I think, most Tor developers operate *nix systems themselves.
Could you tell the community your own decisions for yourselves?

October 21, 2011

An excellent initiative!

You are spot-on in focusing on what truly matters (bridge, middle node, exit node) and removing all the rest from the decision and installation processes of the user.

October 21, 2011

To be clear, you will still be updating and supporting "client only" versions of the Tor Bundle in addition to these "Server" configurations?

October 21, 2011

I don't want a Tor Browser Bundle. I don't have the bandwidth to run a relay but I need Tor from time to time. So make sure that after the last Tor Vidalia bundle I can just overwrite any Tor files (tor.exe, tor-resolve.exe etc.) with subsequent ones from Tor updates. Or you could just produce an update bundle for Tor Vidalia non-relay installations. Or maybe you could tell people 'if you want to run a client-only Tor Vidalia Torbutton with your current, get any relay bundle and change the setting to client only from default'. Some of us like to use the latest Firefox, you see, despite any concerns you have with it. kthx

October 21, 2011

Re: previous comment about wanting to use Vidalia and not be forced to use Tor Browser Bundle for thickos:
Forgot to mention I run Firefox 7.0.1 with Torbutton, RefControl, Adblock Plus, Vidalia and have set it up to use Privoxy not Polipo

You seem to lack some critical understanding of the issues, a perfect example of *why* you should use Tor Browser Bundle. E.g., you should not use Privoxy or Polipo any longer. The *only* reason they were used in the first place is that Firefox had crappy SOCKS code; however, since v5 of Firefox that issue has been fixed. Thus, there is zero need for an HTTP proxy such as Privoxy or Polipo. Furthermore, neither of those proxies should be used to 'scrub' traffic because they cannot 'scrub' HTTPS traffic, only HTTP ... a MAJOR fail.

So please, don't assume you can use Firefox as you are without a greater understanding of the issues. Also, Torbutton will soon not be available as a .xpi download, so you won't be able to use your current MO much longer.

Well, that's obvious. I never claimed otherwise. Calm down and re-read what I wrote. There is *zero* reason to use Privoxy with Tor, now that Firefox SOCKS code is patched.

In fact, using Privoxy or Polipo will most likely SLOW DOWN your surfing. And like I wrote, neither can 'scrub' HTTPS. I never wrote Privoxy can't "handle HTTPS", I wrote it can't 'scrub' HTTPS, e.g., referrer spoofing, etc. Please, learn about these issues, otherwise I hope you are happy looking like a loon. Scrubbing HTTPS *has* to be done _WITHIN_ the browser, or use a MITM scheme with Privoxy (which will never happen because it's stupid and dangerous).

Now please, 'take a chill pill' and take time to reflect on what I wrote. Geeze!

Looking like a loon is better than looking like a know-it-all, self-important douche with a superficial pretence of knowledge.

"There is *zero* reason to use Privoxy with Tor, now that Firefox SOCKS code is patched."

Firefox is not the only application ppl use with Tor. Read and learn, and stop spreading false info: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS

In the case of the questioner, she/he was ONLY asking about Firefox. So, my comments stand as true, in that case, which is the only case I was commenting on. Now, take your logical fallacies elsewhere, you need not try such lame Ad Hominem attacks against me ...

And just so you're aware, here is a little fact you have ever-so-conveniently 'overlooked': it was only after the questioner claimed what I wrote was "bullshit" that I lost patience with said person.

You wrote about "referrer spoofing" but you excluded this function from TBB (and from the newest TB) because of some technical problems.
Do you intend to restore this feature in the future, and do you plan to work on those technical problems? Sorry...

Ah well, I have been avoiding HTTPS over Tor anyway because I felt wary about it. But surely Torbutton handles that? So Privoxy not doing it wouldn't be an issue? Or did I get that wrong?
I have been considering dumping Torbutton and Privoxy anyway since Firefox 5, and just having FF set up to ONLY use Tor. I know I wouldn't need Torbutton for this, but I do like Vidalia for the network map, the new identity option, the message log and bandwidth map. Vidalia would be irrelevant if I am using Tor from FF, correct?
I have read a post here that Tor Browser disables all addons you try to install. I NEED Adblock Plus, for one site which would become unusable due to a stupidly placed advert. I am not about to start emailing the admin (on principle, since this would basically be negating the point of Tor by giving away my IP via my email account, thus exposing me to MORE worthless adverts), so how would Tor Browser deal with this kind of 'attack' by a govt on a site? Will you add more code to Tor Browser Bundle to enable Adblock-style adblocking controls? Wouldn't this begin the bloating process which inevitably leads to exploits needing patches needing patches for exploits from previous patches etc., like FF is getting to and IE has pioneered? Thanks for the previous answer, and hoping for you to point me to answers!

A) Don't avoid https. It is always better than http. (That's not to say that it's perfect, but it removes or reduces some really bad attacks and basically has no downsides -- assuming you're using Torbutton.)

B) You don't need privoxy. Feel free to use it if you like it though.

C) You need to use Torbutton when you're using Tor. It's not just there to configure your proxy settings. It does dozens of other things to keep you safe. See https://www.torproject.org/torbutton/en/design/

D) Torbrowser disables *plugins* (like flash and adobe pdf reader), but not *addons* (like adblockplus). You're free to add whatever addons you like -- be careful picking them though, since they could screw up your privacy.

Right now it's no fun to upgrade your TBB every week and also keep your own addons installed. We're working on ways to make that more bearable.

Thanks for the help! You have allayed some of my concerns at least, and reminded me that Torbutton does more than handle cookies. I had thought that I wouldn't need it if I just disabled all plugins and Java in Firefox and manually cleaned cookies with an addon, disabled history and cache etc. in FF options. I have had to become competent in using regedit already because my non-Tor browser uses Java, and when Java updates it installs things in FF also, with no remove option, just disable/enable (AVG also does this with the LinkScanner toolbar, but that's easier to find and remove with regedit). This would not be necessary if I understand the TBB correctly, because it doesn't install, it's stand-alone. When you have gotten the addon thing sorted I will take a look at TBB, which would mean I could then use Firefox for my non-Tor browser, but I wonder if there would be any conflict issues if running TBB and a FF not using Tor simultaneously? I think that to run IE while using Tor in my current setup is inadvisable because IE seems to want to keep track of what sites you go to even in the Tor browser! At least when I experimented long ago, a site I only visited in FF over Tor appeared in IE8 history! I say this for the benefit of people who haven't read how to use Tor but may have come here reading the blog. BTW, thanks again for your answers!

Could using addons create threats of deanonymizing Tor users through an adversary building a browser profile of users?
And what do you think about using bookmarks in TBB?

"Forgot to mention I run Firefox 7.0.1 with Torbutton, RefControl, Adblock Plus, Vidalia and have set it up to use Privoxy not Polipo"

Could you please post a link giving detailed instructions on achieving your set-up?
TIA

It wasn't that hard to do. I googled 'use privoxy with tor' and a site came up; I can't remember the link. It explained what you had to edit in the Privoxy config.txt and what to put in the right boxes in Vidalia options to run Privoxy on start up. I won't try to explain it myself because I tried to help someone else do it and it was an epic failure. I am not good at explaining, sorry.
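
The argument in the thread above over Privoxy/Polipo versus Firefox's own SOCKS support, and the TorFAQ#SOCKSAndDNS link, comes down to one protocol detail: whether the application hands the SOCKS proxy a hostname, or an IP address it has already resolved itself. The following is an added example, written for this page rather than taken from the thread or from the Tor Project. It builds SOCKS5 CONNECT requests (RFC 1928) both ways for the same destination and flags the one that implies a DNS lookup happened outside Tor. In Firefox, sending the hostname is what the `network.proxy.socks_remote_dns` preference (which Torbutton turns on) controls. The IPv4 address used as the "locally resolved" result is a constructed documentation-range address, not a real address of the host.

```python
"""Added example (not Tor Project or Firefox code): SOCKS5 CONNECT requests
per RFC 1928, showing the DNS-leak difference between sending a hostname
(ATYP 0x03, the proxy resolves it) and sending an IP address the client
already resolved itself (ATYP 0x01/0x04, a lookup outside Tor).
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting():
    """Client method-selection message offering 'no authentication' only."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_request(host, port):
    """Build a CONNECT request. IP literals are sent as addresses; anything
    else is sent as a DOMAINNAME so the proxy (Tor) performs the resolution."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return header + addr + struct.pack("!H", port)


def parse_connect(req):
    """Decode a CONNECT request into (atyp, destination, port)."""
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        dst, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        dst, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return atyp, dst, struct.unpack("!H", rest)[0]


def resolves_outside_tor(req, intended_host):
    """True when the user asked for a hostname but the request carries an IP
    address: the name was resolved locally (a DNS leak) before Tor saw it."""
    atyp, _, _ = parse_connect(req)
    try:
        ipaddress.ip_address(intended_host)
    except ValueError:
        return atyp != ATYP_DOMAIN
    return False  # the user typed an IP literal; there was no name to leak


# Constructed sample: the same site as sent by a remote-DNS client and by a
# client that already ran gethostbyname() itself. 203.0.113.7 is a made-up
# documentation-range address, not a real address of the host.
HOST = "check.torproject.org"
SAFE_REQUEST = connect_request(HOST, 443)            # socks_remote_dns=true
LEAKY_REQUEST = connect_request("203.0.113.7", 443)  # local resolver used first

if __name__ == "__main__":
    for label, req in (("remote DNS", SAFE_REQUEST), ("local DNS", LEAKY_REQUEST)):
        print("%-10s %s leaks: %s" % (label, req.hex(), resolves_outside_tor(req, HOST)))
```

Capturing the bytes an application sends to port 9050 and feeding them to `parse_connect()` is a quick way to confirm that a non-browser client (IM, SSH, a socksifier) is actually handing the hostname to Tor rather than resolving it itself.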

October 21, 2011

Which of the upcoming 3 Tor Browser Bundles would you recommend for someone who needs Tor occasionally, runs Windows and who is on 56k dialup ( yes, there are a few of us still around )?

October 22, 2011

Is it bad for Syrian and Iranian users?
Our internet is under control and censorship... how can we be bridges or relays when we have traffic limits and censorship?
Please help us, and sorry for bad English

October 22, 2011

Dear beloved TOR team

Oh My God!

Why stop Vidalia bundles completely?
Why not give people both options just like you already do today ?

Many people who use your software, like me, use it not just for the browser but also for messengers or other programs.

So why not offer that tremendously valuable option anymore? It is extremely important.

Experienced users want to use it not just for the browser.

Please give both options :(

After you have started Tor Browser, you can use any program with the bundled Tor. They are also working on a way to keep Tor and Vidalia running after you have closed the Tor Browser. From the FAQ:

Q) I want to leave Tor Browser Bundle running but close the browser.
A) We're working on a way to make this possible on all platforms. Please be patient.

October 24, 2011

I have a system-daemon Tor, thus I don't need a Tor Browser Bundle. What I need is a Tor Browser: no user-daemon Tor, no Vidalia... only the browser.

October 24, 2011

I am very concerned about the TOR network. A small group of bad children are flooding the network with a childish DoS and DDoS attack. The attack is targeting the Hidden Wiki, Freedom Hosting and other services and web sites.

Since these fools started their fun, I'm noticing that the network is very slow and many onion sites are down. This group of idiots thinks that it is possible to overthrow nearly all the network by running a few lines of code.

Those Guy Fawkes clowns are part of the nazi-anonymous gaystapo ideology cops group. They want to dictate what is allowed and what is forbidden inside the anonymous network.

What should be a place of freedom of expression has been converted into an example of intolerance and violence of the few against the many. I fear the day when Christian or Islamic groups begin to attack the sites about drugs, about atheism. I imagine also the risk that governments use this type of attack against the network.

October 24, 2011

If misconfiguration is your main concern: move "expert" downloads to a separate page - with appropriate warnings and instructions.

If the cost of maintaining several pieces of software is your main concern: don't be coy about it, just say so. It's understandable.
- kthxby

October 24, 2011

As a long time Vidalia bundle and also SeaMonkey user I wonder why this step is necessary.

I really do not wish to switch to Firefox, let alone transfer bookmarks etc. to it.

Why force SeaMonkey users into Firefox?
Please do keep those Vidalia bundles alive.

We don't have the skill/time/money/patience to try to audit and patch Seamonkey or other browsers out there to be safe to use with Tor. See also https://www.torproject.org/docs/faq#TBBOtherBrowser

That said, see also https://www.torproject.org/docs/faq#TBBCloseBrowser
Eventually I expect it should become easy for you to install the Tor Browser Bundle, tell it you don't want to use the browser it comes with, and then configure your other applications to use it. We just don't want that to be the default way to use it, or too many people are going to use unsafe configurations and not realize that they're unsafe.

October 25, 2011

Hi erinn,

Removing the option to run "client only" is a serious mistake; many users of Tor are on low capacity/bandwidth connections and are just not able to afford the extra cost involved.
I certainly agree with your ideals of growing the network; I vehemently disagree with your method of achieving it.

Forcing users to contribute by removing the option to "run as client only" is nothing short of blackmail.

I would seriously suggest you rethink before heading down that path.

I will not panic at this point in time as I hope you realise the mistake and continue with the option of "run as client only".

Extremely disappointed at the moment.

Ah. Sounds like you're misinterpreting Erinn's post as meaning that there will be no easy way to just be a Tor client anymore. There will be: use the Tor Browser Bundle. It's designed as exactly that "client only" approach that you describe.

It's the "install Vidalia and Tor onto your hard drive and hope you set up everything else correctly on your own" package that we're discontinuing. I've watched too many people shoot themselves in the foot with trying to set up the rest of it.

This answers one of my concerns as well. I use Tor on several different platforms in a few places — and in some places running as a relay is not an option.

October 25, 2011

I am using the osx (intel) TBB latest version. I downloaded a few extra add-ons like RefControl, Ghostery etc. When I use the TBB the following day I find my add-ons have been disabled with the words "not compatible" next to its name!! This has happened three times so far. This is a concern giving the impression that one is not anonymous and is being watched. Who is doing this? Is this not allowed and is automatically disabled by Aurora?

Each addon has a list of Firefox versions that it claims to be compatible with. If Firefox sees an addon that doesn't say it's compatible with that version of Firefox, it tells you that it's incompatible.

Sounds like the authors of the addons you have chosen have not updated their addons to declare compatibility with the most recent versions of Firefox.

You'd probably get exactly the same behavior if you downloaded vanilla Firefox 7.0.1 yourself and tried to install those addons to it.

October 25, 2011

Tor is dead if you try to force people to route 3rd Party traffic. This will give the authorities the arguments to outlaw Tor.

It's time to introduce a Darwin award for Open Source projects committing suicide!

October 26, 2011

SUGGESTION

I imagine it would be necessary to have a prominent warning on the download page, saying that to set up a non-exit relay, bridge or exit relay it is necessary to have open ports on the web connection.

In my country all domestic connections have inbound connections blocked by our ISP by default. I can not configure a service that depends on inbound connections because of this restriction.

If I need an inbound connection I will need to make a VPN with a proxy or pay for a very expensive connection called a "commercial connection".

October 26, 2011

On October 25th, 2011 Anonymous said:

"Tor is dead if you try to force people to route 3rd Party traffic"

It is a much greater problem than that,

My friends in Iran are not able to run 3rd party traffic as the government there are able to track them down should they do it.

They face extremely punitive punishment should they be caught, to the point of being shot dead.

They run a site highlighting Iranian government atrocities and are pushing for democracy in Iran.

Thousands of people would be put at extreme risk of their lives if the function of "run as client only" was removed.

Last time I checked, Tor was meant to assist people in preventing government surveillance and giving the oppressed the ability to get the truth out there.

You also say,

"This will give the authorities the arguments to outlaw Tor."

It already is; in Iran I have friends that have been both detained and jailed/punished as a result of using Tor to get their message out, granted they made mistakes that gave them away.

What were the mistakes?

Using bridges and running nodes !!!

On the site they/we run it is common knowledge that visitors should only access via Tor in "run as client only" mode.
Any other method would place the visitor at great risk.

These circumstances I relate are in Iran only, from my personal knowledge.

What about all the other people out there trapped in countries ruled by despotic regimes that have no compunction about putting a bullet through your head should you wish to "blog" about their opposition to government actions?

Sorry for the long post, however I am seriously worried; lives may be lost if the ability to "run as client only" in an easy to use bundle is removed.

I completely agree. We're not going to remove the ability to run Tor as a client only.

We're just trying to make it easier to run Tor safely. There are a *lot* of people in Iran right now -- like, hundreds of thousands of people -- who have potentially really dangerous Tor configurations and don't know it. That really scares me.

October 26, 2011

To those worried about a "client only" option being removed: it isn't, at least not completely; Tor Browser Bundle still provides that. Unless you configure it otherwise, of course (maybe that should be prevented altogether). You may have misunderstood the blog post.

Though I'm not sure why getting rid of the client-only Vidalia Bundle is necessary or desired. After all, applications other than just the browser may benefit from using Tor, while having it as a vanilla multi-purpose local installation.

I still think providing a separate securely configured Tor Browser to be run on top of any Tor installation, whether a "portable" (as in current TBB) or a "system", would be the simplest and most versatile solution. This would eliminate the temptation to attempt to configure Firefox with Torbutton by oneself and possibly screw something up. It would also take into account users with transparent torification, those with relays etc. and on the other hand the usage of separate programs such as IMs, gpg, ssh, socksifiers... without opening the browser.

To not scatter development, the TBB distribution could then just be said "Tor Browser" and the "portable" Vidalia+Tor part glued together.

Not being too involved with the development of Tor, though, I don't know how easily the above could be implemented or current designs changed. Features that rely on the integration of TBB come to mind as possible challenges, such as the recent "New Identity" of Torbutton. Does it need its own Vidalia in between to work? Or ControlPort privileges? Does it matter if it does? (I know, it's probably explained in the bug tracker, can't bother to check right now, just giving an example...)

October 27, 2011

I am totally confused. I have read the post several times and cannot even understand what the change is. Please rewrite the blog post in a coherent manner. Here is a template:

Right now, we offer the following options:

For Linux: A table by distribution, listing the separate tor, privoxy, and even Vidalia options available.

For Mac: Same as above.

For Windows: Same as above

We have found that this is causing problems (list problems). Therefore, we are discontinuing the items marked in red above.

The new options will be:

New table as above, but probably smaller since some options are being taken away.
The ramifications are that:

Linux servers: For each distribution, discuss how the package changes will occur and which configurations will no longer be possible.

Linux clients: Same thing as above.

Mac servers: Same thing as above.

Mac clients: Same as above

Windows servers and clients: same.

I look forward to a coherent discussion and being able to actually understand what is being done. Saying that Tor is taking away "plain" vidalia packages is totally incomprehensible to someone running a server on Gentoo, for example.

Regards.

October 28, 2011

I do not understand why Tor needs to install a different copy of Firefox in order to work. I am very nervous about letting Tor copy over my Firefox installation which is customized with a number of plug-ins. I do not browse in Tor very often - most of my browsing is done outside of it. Yet I keep my relay running whenever my computer is on. Now I can't do this?

I am concerned about the compromises, although I think Anonymous was right to do what they did. I agree that it does not sound like a "Tor flaw." Servers addressed on the onion are still physically out there and can be pinged and vulnerability scanned at random. All Tor says it will do is prevent them from being ID'd to their traffic, from their traffic.

Yet, when Vidalia started up this morning and popped me up a window, the only new version I was offered was the browser bundle. Sorry, but if I had to replace my browser to run Tor, I would never have become part of the Tor network to begin with. I will continue to run my relay until you shut me down, to help people under censored regimes. But no more versions.

The Tor Browser Bundle doesn't install anything. It's a self-contained set of applications. It won't overwrite or mess with anything from your other Firefox install.

That said, if you're running a relay, great! Keep up the good work and thanks for helping the world. The Vidalia relay bundle is for you.

https://www.torproject.org/download/download has lots of options including the Vidalia bundles. https://www.torproject.org/download/download-easy has fewer options.

October 28, 2011

There are a couple of points that aren't clear to me. Can the configurations of these new bundles be changed, or are the relay, bridge, and exit node settings locked?

Not everyone wants to use FireFox. Myself, I'm a SeaMonkey user and will not be installing FireFox. Please keep an option available for non FireFox users. I rarely need Tor for my own use but I do run an exit node because others need them. Like a few others have voiced, if this becomes a "no choice" scenario, I'll run the present relay/exit node until it no longer works.

It would also be appreciated if you do not discontinue Vidalia. I realize that it isn't necessary for Tor to work, but it's convenient to have the bandwidth graph, network map and message log all available from a single interface.

October 28, 2011

Bump my post from two days ago. I am the one who said I am totally confused. There is no coherent explanation of the changes. Is there anyone here who thinks it is a good explanation of the changes to say "Plain Vidalia Bundles to be discontinued, don't panic."

Roger's (arma) post above this one is hardly a complete explanation of what is available for the various distributions and user groups. Yeah, it is hard to write complete documentation and explain your work to users. Sorry, but that's part of the job.