Tor released

by phobos | January 5, 2009

Tor fixes many more bugs, some of them security-related.

Changes in version - 2008-12-25
New directory authorities:

  • gabelmoo (the authority run by Karsten Loesing) now has a new
    IP address.

Security fixes:

  • Never use a connection with a mismatched address to extend a
    circuit, unless that connection is canonical. A canonical
    connection is one whose address is authenticated by the router's
    identity key, either in a NETINFO cell or in a router descriptor.
  • Avoid a possible memory corruption bug when receiving hidden service
    descriptors. Bugfix on

Major bugfixes:

  • Fix a logic error that would automatically reject all but the first
    configured DNS server. Bugfix on Possible fix for
    part of bug 813/868. Bug spotted by coderman.
  • When a stream at an exit relay is in state "resolving" or
    "connecting" and it receives an "end" relay cell, the exit relay
    would silently ignore the end cell and not close the stream. If
    the client never closes the circuit, then the exit relay never
    closes the TCP connection. Bug introduced in;
    reported by "wood".
  • When we can't initialize DNS because the network is down, do not
    automatically stop Tor from starting. Instead, retry failed
    dns_inits() every 10 minutes, and change the exit policy to reject
    *:* until one succeeds. Fixes bug 691.

Minor features:

  • Give a better error message when an overzealous init script says
    "sudo -u username tor --user username". Makes Bug 882 easier for
    users to diagnose.
  • When a directory authority gives us a new guess for our IP address,
    log which authority we used. Hopefully this will help us debug
    the recent complaints about bad IP address guesses.
  • Detect svn revision properly when we're using git-svn.
  • Try not to open more than one descriptor-downloading connection
    to an authority at once. This should reduce load on directory
    authorities. Fixes bug 366.
  • Add cross-certification to newly generated certificates, so that
    a signing key is enough information to look up a certificate.
    Partial implementation of proposal 157.
  • Start serving certificates by (identity digest, signing key digest)
    pairs. Partial implementation of proposal 157.
  • Clients now never report any stream end reason except 'MISC'.
    Implements proposal 148.
  • On platforms with a maximum syslog string length, truncate syslog
    messages to that length ourselves, rather than relying on the
    system to do it for us.
  • Optimize out calls to time(NULL) that occur for every IO operation,
    or for every cell. On systems where time() is a slow syscall,
    this fix will be slightly helpful.
  • Exit servers can now answer resolve requests for addresses.
  • When we download a descriptor that we then immediately (as
    a directory authority) reject, do not retry downloading it right
    away. Should save some bandwidth on authorities. Fix for bug
    888. Patch by Sebastian Hahn.
  • When a download gets us zero good descriptors, do not notify
    Tor that new directory information has arrived.
  • Avoid some nasty corner cases in the logic for marking connections
    as too old or obsolete or noncanonical for circuits.

Minor features (controller):

  • New CONSENSUS_ARRIVED event to note when a new consensus has
    been fetched and validated.
  • When we realize that another process has modified our cached
    descriptors file, print out a more useful error message rather
    than triggering an assertion. Fixes bug 885. Patch from Karsten.
  • Add an internal-use-only __ReloadTorrcOnSIGHUP option for
    controllers to prevent SIGHUP from reloading the
    configuration. Fixes bug 856.

Minor bugfixes:

  • Resume using the correct "REASON=" stream when telling the
    controller why we closed a stream. Bugfix in
  • When a canonical connection appears later in our internal list
    than a noncanonical one for a given OR ID, always use the
    canonical one. Bugfix on Fixes bug 805.
    Spotted by rovv.
  • Clip the MaxCircuitDirtiness config option to a minimum of 10
    seconds. Warn the user if lower values are given in the
    configuration. Bugfix on Patch by Sebastian.
  • Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
    user if lower values are given in the configuration. Bugfix on Patch by Sebastian.
  • Fix a race condition when freeing keys shared between main thread
    and CPU workers that could result in a memory leak. Bugfix on Fixes bug 889.

Minor bugfixes (hidden services):

  • Do not throw away existing introduction points on SIGHUP (bugfix on
    0.0.6pre1); also, do not stall hidden services because we're
    throwing away introduction points; bugfix on Spotted
    by John Brooks. Patch by Karsten. Fixes bug 874.
  • Fix a memory leak when we decline to add a v2 rendezvous
    descriptor to the cache because we already had a v0 descriptor
    with the same ID. Bugfix on

Deprecated and removed features:

  • RedirectExits has been removed. It was deprecated since
  • Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
    has been called EXTENDED_EVENTS since
  • Cell pools are now always enabled; --disable-cell-pools is ignored.

Code simplifications and refactoring:

  • Rename the confusing or_is_obsolete field to the more appropriate
    is_bad_for_new_circs, and move it to or_connection_t where it
  • Move edge-only flags from connection_t to edge_connection_t: not
    only is this better coding, but on machines of plausible alignment,
    it should save 4-8 bytes per connection_t. "Every little bit helps."
  • Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
    for consistency; keep old option working for backward compatibility.
  • Simplify the code for finding connections to use for a circuit.

Original signed announcement at


Please note that the comment area below has been archived.

January 10, 2009


Roger Dingledine recently said that file sharing consumes the majority of Tor's overall bandwidth, and that this is considered to be a problem. I was just wondering whether you shouldn't simply invite these users by encouraging a network of non-exit file sharing clients who could provide a wealth of middle nodes that would prop up the network, not clog the exit nodes, and improve anonymity for Tor's more serious uses.

July 30, 2009


I still think the user should be allowed to use CircuitBuildTimeouts all the way down to 1. A sensible user will set this figure as low as their network will allow, raising it until their response time for circuits is acceptable.

This is what I do.