Tor 0.2.8.5-rc is released

Tor 0.2.8.5-rc has been released! You can download the source from the Tor website. Packages should be available over the next week or so.

Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8 series. If we find no new bugs or regressions here, the first stable 0.2.8 release will be identical to it. It has a few small bugfixes against previous versions.

PLEASE NOTE: This is a release candidate. We think that we solved all of the showstopper bugs, but we also thought the same thing about 0.2.8.4-rc: crucial bugs may remain. Please only run this release if you're willing to test and find bugs. If no showstopper bugs are found, we'll be putting out 0.2.8.6 as a stable release.

Changes in version 0.2.8.5-rc - 2016-07-07

  • Directory authority changes:
    • Urras is no longer a directory authority. Closes ticket 19271.
  • Major bugfixes (heartbeat):
    • Fix a regression that would crash Tor when the periodic "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on tor-0.2.8.1-alpha. Reported by "kubaku".
  • Minor features (build):
    • Tor now again builds with the recent OpenSSL 1.1 development branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
    • When building manual pages, set the timezone to "UTC", so that the output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha. Patch from intrigeri.
  • Minor bugfixes (fallback directory selection):
    • Avoid errors during fallback selection if there are no eligible fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch by teor.
  • Minor bugfixes (IPv6, microdescriptors):
    • Don't check node addresses when we only have a routerstatus. This allows IPv6-only clients to bootstrap by fetching microdescriptors from fallback directory mirrors. (The microdescriptor consensus has no IPv6 addresses in it.) Fixes bug 19608; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (logging):
    • Reduce pointlessly verbose log messages when directory servers can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and 0.2.8.1-alpha. Patch by teor.
    • When a fallback directory changes its fingerprint from the hard- coded fingerprint, log a less severe, more explanatory log message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.
  • Minor bugfixes (Linux seccomp2 sandboxing):
    • Allow statistics to be written to disk when "Sandbox 1" is enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and 0.2.6.1-alpha respectively.
  • Minor bugfixes (user interface):
    • Remove a warning message "Service [scrubbed] not found after descriptor upload". This message appears when one uses HSPOST control command to upload a service descriptor. Since there is only a descriptor and no service, showing this message is pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.
  • Fallback directory list:
    • Add a comment to the generated fallback directory list that explains how to comment out unsuitable fallbacks in a way that's compatible with the stem fallback parser.
    • Update fallback whitelist and blacklist based on relay operator emails. Blacklist unsuitable (non-working, over-volatile) fallbacks. Resolves ticket 19071. Patch by teor.
    • Update hard-coded fallback list to remove unsuitable fallbacks. Resolves ticket 19071. Patch by teor.
Anonymous

July 07, 2016

Permalink

Again I ask: should the configuration of an existing v0.2.7.6 Tor node be modified to accommodate the v0.2.8.5-rc/v0.2.8.6 changes? If so,what modifications are recommended?

Sorry, but where can I download this Tor file, please write a direct link or discription, where I can find it. Thanks

Anonymous

July 08, 2016

Permalink

Was the status of Urras changed because it was compromised or did the directory authority operator violate one of the "informal criteria" as stated in [1] ? It would be nice to know whether something serious happened or if this is just part of the purge to remove all signs of ioerror aka Jacob Appelbaum's existence and contributions to the Tor Project/community (Just for transparency reasons).

[1] https://gitweb.torproject.org/torspec.git/tree/attic/authority-policy.t…

Anonymous

July 08, 2016

Permalink

I always appreciate the hard this team does. I really do. My concern is that I've read only one minor feature being added. Is most of this projects' time spent squashing bugs because of such huge complicated code?

It seems a bit counter productive to spend so much time and resources bug hunting when the code could just be rewritten and streamlined. There are a few languages this code could benefit from transitioning to. Take the energy that would inevitably be used in the future to solve all of these bugs and instead redirect it to a rewrite.

Things have slowed to a crawl from my perspective. Tons of energy little innovation. Partner with some of the new tech (browser and code) engineers and make things happen. The hidden service protocol is receiving a much needed and appreciated overhaul. The browser on the other hand remains bland uninspired and buggy. Tor core development is inching forward. The codebase is so complex that only an advanced programmer can contribute significantly.

Selfrando is right now the only large step forward I've witnessed not entirely produced by this team. I know there will be many that disagree with me but I'm sure I represent many others who feel the same but wish not to speak up.

I expect a flurry of angry aggressive or disrespectful feedback from this community but I still feel my points are valid. Regardless to what some keyboard thugs my say.

Anonymous

July 09, 2016

Permalink

What does this mean for Tor users in Russia? Is Tor now illegal in Russia?

https://www.techdirt.com
Putin Says All Encryption Must Be Backdoored In Two Weeks
Mike Masnick
8 Jul 2016

> A few weeks ago, we wrote about the push by the Russian Duma to pass a massive new surveillance bill that would mandate backdoors to encryption as well as massive data retention requirements for service providers, including saying that they need to store recordings of phone calls. As you may have heard, earlier this week, Russian President Vladimir Putin signed the bill into law. And apparently to prove that he's serious about all of this, Putin has also signed an executive order telling the FSB (the modern version of the KGB) to make sure it gets encryption keys to unlock everything within the next two weeks.
>
>> After signing controversial anti-terrorist legislation earlier today, President Putin ordered the Federal Security Service (the FSB, the post-Soviet successor to the KGB) to produce encryption keys to decrypt all data on the Internet. According to the executive order, the FSB has two weeks to do it. Responsibility for carrying out Putin's instructions falls on Alexander Bortnikov, the head of the FSB.
>
> As the article notes, there's a lot of uncertainty here, because in many cases, when things are encrypted locally or where there are private keys, there isn't any way for service providers to turn over any keys.
> ...

and what is putin?

Hi, how can I download this file for Windows TBB version?
I would like to try and swap out the old one just for fun, geek nerds?

Just noticed that the theregister.co.uk (running on Cloudfare) now displays a "Checking your browser. This may take up to five seconds." message instead of the usual capcha, and with Cloudfare IDed at the bottom of the page.

Interestingly when Tor Browser is closed and re-opened, and the page re-loaded it just goes straight to the page. No message, no capcha! Has the Cloudfare issue been resolved? :)

Do not do this. This means that you have javascript enabled. Cloudflare is fingerprinting, possibly inserting persistent identifiers, eg using DOM/JS - IDB, LocalStorage, ASM, etc. Use a proxy site, google cache, or something to avoid them. Check the storage directory in your profile folder and delete the contents. Important thing is: do not allow javascript access to sites unless you know exactly what you are exposing, have audited your settings, know all Firefox's related config entries. Even then, by hardening your browser, you increase the chances of tracking by browser fingerprint, so the best option is to avoid javascript as much as possible.

Addendum: The page does display the "checking your browser" message on closing and opening Tor Browser for a few seconds before loading the page. All other Cloudfare sites appear to be functioning lol as 'normal' though.

Sorry, OT, but others may have the same question:

Lately whenever I use Tor Browser (connecting via a bridge) I see a distinctive fingerprint (all zeros) and with no identifying information show up immediately in the list, but it never appears to build circuits. According to torstatus.blutmagie.de (thanks to this service!) the node with a similar fingerprint is a Directory Server, Fast Server, etc. Is this an expected behavior for Onion circuits? Shouldn't the bridge be the first node in each circuit? Or is this the node that David Chasteen built?

One question (a bit off topic) Can I install uBlock without diminishing my anonymity?

i do and the more that do torifies us all :D

Installing nonstandard addons can change your fingerprint and potentially increase attack surface.

when we add or remove addons we may become more unique, but does it really increase the attack surface, then how if I may ask.

People should be using Whonix at home since a long time and Tails in public places.

www.whonix.org

Let me correct that for you: "People should be using Qubes-Whonix at home (a Xen platform Type I hypervisor), instead of a Type II hypervisor (standard Whonix configurations) with:

1) HVM (“AMD virtualization (AMD-V)”, “Intel virtualization (VT-x)”, “VIA virtualization (VIA VT)”);
2) IOMMU (“AMD I/O Virtualization Technology (AMD-Vi)”, “Intel Virtualization Technology for Directed I/O (VT-d)”); and possibly a
3) TPM (“Trusted Platform Module (TPM)” connected to a “20-pin TPM header” on motherboards).*

*Bonus points if you:

a) run Selfrando Tor Browser in your heavily restricted, minimalist Whonix Workstation appVM
b) can get Coreboot working on your machine
c) use Apparmor restrictions on the Tor browser and other processes
d) use seccomp kernel restrictions
e) use system-wide MAC spoofing for router, ethernet or wi-fi networks

qubes-os.org

People should realize that running Tor browser on top of a monolithic kernel (Windows, Mac or any normal Linux variant) is asking to be hacked & de-anonymized in the current privacy hostile environment.

They should act accordingly and run Qubes-Whonix if they really care about privacy/anonymity/security. They should also be prepared to re-create their safe Whonix Workstation AppVM if anything suspicious happens while running Tor browser - and it WILL happen.

I just wish the Qubes guys could replace the init-system called SystemD with something else, SystemD has become something much more than a init-system should do, also it is a several-files-withing-a-file in similar way as svchost is on Windows OS, hacking into SystemD and the adversary has access to a whole bunch of things.
Wish the tor dev team could look into the Tails too as it is based on Debian with SystemD, maybe Devuan.org could be something, it is a Debian without SystemD developed by a bunch of former Debian developers who got fed up with the direction of Debian and its use of the nsa friendly SystemD.

I have noticed that all hidden service traffic goes through onion.cab, and if I delete .cab, I can't connect. What is going on?

where to get latest tor.exe ??! I don't need that bloody tor browser, actually i dont need tor.exe too, but how possible im starting getting messages like this:

[19.07 01:55:02 2016] Your Tor Software is Out-of-date - You are currently running version "0.2.4.23 (git-598c61362f1b3d3e)" of the Tor software, which may no longer work with the current Tor network. Please upgrade to the most recent version of the software, which may contain important security, reliability and performance fixes.

Since what that thing start knoking home and check tor version??!!! i didnt let it do in any options, nor in ini/torrc file.

The thing i download and unpack torbrowser-install-6.0.2_en-US.exe.zip. Not let me run tor.exe - IT JUST BLANK response and after few seconds gone from taskmanager too... wtf is going on with you guys??

It sounds like you want the expert bundle from the download page.

As for the version check, the directory authorities publish a list of Tor versions that we think will work with the current network, and your own Tor program compares its version to that list and warns you if it's no longer in the list.

Are we going to see 64-bit Tor and 64-bit Tor Browser on Microsoft Windows?

64-bit offers a higher security because malware is mostly only 32-bit.

You should realize that this blog post is about Tor 0.2.8.5-rc, which is a release of the program called Tor. It is not about the Tor Browser. Maybe you should find the latest blog post about a Tor Browser release, and pose your question there -- or maybe you should ask it on Stackexchange or something where we try to provide more long-term answers.

Why IP-CHECK info always shows me the IP that deffers from the exit node in "circuit list" ?

The cloudflare check is getting irritating.

can anyone give me the link of it

What about Lucky Green's bridge authority Tonga? Media reports indicate that bridge authorities are critical to some users.

Also, isn't the directory authority system much better with an odd number of directory authorities? When can we expect a replacement for Urras?

Part of me would like a larger number of directory authorities, but in times like these, a large increase would be suspect. I no longer believe that anyone can be considered a trusted individual. No one.