Tor is released

by nickm | July 7, 2016

Tor has been released! You can download the source from the Tor website. Packages should be available over the next week or so.

Tor is the second release candidate in the Tor 0.2.8 series. If we find no new bugs or regressions here, the first stable 0.2.8 release will be identical to it. It has a few small bugfixes against previous versions.

PLEASE NOTE: This is a release candidate. We think that we solved all of the showstopper bugs, but we also thought the same thing about crucial bugs may remain. Please only run this release if you're willing to test and find bugs. If no showstopper bugs are found, we'll be putting out as a stable release.

Changes in version - 2016-07-07

  • Directory authority changes:
    • Urras is no longer a directory authority. Closes ticket 19271.
  • Major bugfixes (heartbeat):
    • Fix a regression that would crash Tor when the periodic "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on tor- Reported by "kubaku".
  • Minor features (build):
    • Tor now again builds with the recent OpenSSL 1.1 development branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
    • When building manual pages, set the timezone to "UTC", so that the output is reproducible. Fixes bug 19558; bugfix on Patch from intrigeri.
  • Minor bugfixes (fallback directory selection):
    • Avoid errors during fallback selection if there are no eligible fallbacks. Fixes bug 19480; bugfix on Patch by teor.
  • Minor bugfixes (IPv6, microdescriptors):
    • Don't check node addresses when we only have a routerstatus. This allows IPv6-only clients to bootstrap by fetching microdescriptors from fallback directory mirrors. (The microdescriptor consensus has no IPv6 addresses in it.) Fixes bug 19608; bugfix on
  • Minor bugfixes (logging):
    • Reduce pointlessly verbose log messages when directory servers can't be found. Fixes bug 18849; bugfix on and Patch by teor.
    • When a fallback directory changes its fingerprint from the hard- coded fingerprint, log a less severe, more explanatory log message. Fixes bug 18812; bugfix on Patch by teor.
  • Minor bugfixes (Linux seccomp2 sandboxing):
    • Allow statistics to be written to disk when "Sandbox 1" is enabled. Fixes bugs 19556 and 19957; bugfix on and respectively.
  • Minor bugfixes (user interface):
    • Remove a warning message "Service [scrubbed] not found after descriptor upload". This message appears when one uses HSPOST control command to upload a service descriptor. Since there is only a descriptor and no service, showing this message is pointless and confusing. Fixes bug 19464; bugfix on
  • Fallback directory list:
    • Add a comment to the generated fallback directory list that explains how to comment out unsuitable fallbacks in a way that's compatible with the stem fallback parser.
    • Update fallback whitelist and blacklist based on relay operator emails. Blacklist unsuitable (non-working, over-volatile) fallbacks. Resolves ticket 19071. Patch by teor.
    • Update hard-coded fallback list to remove unsuitable fallbacks. Resolves ticket 19071. Patch by teor.


Please note that the comment area below has been archived.

July 07, 2016


Again I ask: should the configuration of an existing v0.2.7.6 Tor node be modified to accommodate the v0.2.8.5-rc/v0.2.8.6 changes? If so,what modifications are recommended?

July 08, 2016


Was the status of Urras changed because it was compromised or did the directory authority operator violate one of the "informal criteria" as stated in [1] ? It would be nice to know whether something serious happened or if this is just part of the purge to remove all signs of ioerror aka Jacob Appelbaum's existence and contributions to the Tor Project/community (Just for transparency reasons).


July 08, 2016


I always appreciate the hard this team does. I really do. My concern is that I've read only one minor feature being added. Is most of this projects' time spent squashing bugs because of such huge complicated code?

It seems a bit counter productive to spend so much time and resources bug hunting when the code could just be rewritten and streamlined. There are a few languages this code could benefit from transitioning to. Take the energy that would inevitably be used in the future to solve all of these bugs and instead redirect it to a rewrite.

Things have slowed to a crawl from my perspective. Tons of energy little innovation. Partner with some of the new tech (browser and code) engineers and make things happen. The hidden service protocol is receiving a much needed and appreciated overhaul. The browser on the other hand remains bland uninspired and buggy. Tor core development is inching forward. The codebase is so complex that only an advanced programmer can contribute significantly.

Selfrando is right now the only large step forward I've witnessed not entirely produced by this team. I know there will be many that disagree with me but I'm sure I represent many others who feel the same but wish not to speak up.

I expect a flurry of angry aggressive or disrespectful feedback from this community but I still feel my points are valid. Regardless to what some keyboard thugs my say.

July 09, 2016


What does this mean for Tor users in Russia? Is Tor now illegal in Russia?
Putin Says All Encryption Must Be Backdoored In Two Weeks
Mike Masnick
8 Jul 2016

> A few weeks ago, we wrote about the push by the Russian Duma to pass a massive new surveillance bill that would mandate backdoors to encryption as well as massive data retention requirements for service providers, including saying that they need to store recordings of phone calls. As you may have heard, earlier this week, Russian President Vladimir Putin signed the bill into law. And apparently to prove that he's serious about all of this, Putin has also signed an executive order telling the FSB (the modern version of the KGB) to make sure it gets encryption keys to unlock everything within the next two weeks.
>> After signing controversial anti-terrorist legislation earlier today, President Putin ordered the Federal Security Service (the FSB, the post-Soviet successor to the KGB) to produce encryption keys to decrypt all data on the Internet. According to the executive order, the FSB has two weeks to do it. Responsibility for carrying out Putin's instructions falls on Alexander Bortnikov, the head of the FSB.
> As the article notes, there's a lot of uncertainty here, because in many cases, when things are encrypted locally or where there are private keys, there isn't any way for service providers to turn over any keys.
> ...

July 10, 2016


Hi, how can I download this file for Windows TBB version?
I would like to try and swap out the old one just for fun, geek nerds?

July 10, 2016


Just noticed that the (running on Cloudfare) now displays a "Checking your browser. This may take up to five seconds." message instead of the usual capcha, and with Cloudfare IDed at the bottom of the page.

Interestingly when Tor Browser is closed and re-opened, and the page re-loaded it just goes straight to the page. No message, no capcha! Has the Cloudfare issue been resolved? :)

Do not do this. This means that you have javascript enabled. Cloudflare is fingerprinting, possibly inserting persistent identifiers, eg using DOM/JS - IDB, LocalStorage, ASM, etc. Use a proxy site, google cache, or something to avoid them. Check the storage directory in your profile folder and delete the contents. Important thing is: do not allow javascript access to sites unless you know exactly what you are exposing, have audited your settings, know all Firefox's related config entries. Even then, by hardening your browser, you increase the chances of tracking by browser fingerprint, so the best option is to avoid javascript as much as possible.

July 10, 2016


Addendum: The page does display the "checking your browser" message on closing and opening Tor Browser for a few seconds before loading the page. All other Cloudfare sites appear to be functioning lol as 'normal' though.

July 11, 2016


Sorry, OT, but others may have the same question:

Lately whenever I use Tor Browser (connecting via a bridge) I see a distinctive fingerprint (all zeros) and with no identifying information show up immediately in the list, but it never appears to build circuits. According to (thanks to this service!) the node with a similar fingerprint is a Directory Server, Fast Server, etc. Is this an expected behavior for Onion circuits? Shouldn't the bridge be the first node in each circuit? Or is this the node that David Chasteen built?

July 12, 2016


One question (a bit off topic) Can I install uBlock without diminishing my anonymity?

Let me correct that for you: "People should be using Qubes-Whonix at home (a Xen platform Type I hypervisor), instead of a Type II hypervisor (standard Whonix configurations) with:

1) HVM (“AMD virtualization (AMD-V)”, “Intel virtualization (VT-x)”, “VIA virtualization (VIA VT)”);
2) IOMMU (“AMD I/O Virtualization Technology (AMD-Vi)”, “Intel Virtualization Technology for Directed I/O (VT-d)”); and possibly a
3) TPM (“Trusted Platform Module (TPM)” connected to a “20-pin TPM header” on motherboards).*

*Bonus points if you:

a) run Selfrando Tor Browser in your heavily restricted, minimalist Whonix Workstation appVM
b) can get Coreboot working on your machine
c) use Apparmor restrictions on the Tor browser and other processes
d) use seccomp kernel restrictions
e) use system-wide MAC spoofing for router, ethernet or wi-fi networks

People should realize that running Tor browser on top of a monolithic kernel (Windows, Mac or any normal Linux variant) is asking to be hacked & de-anonymized in the current privacy hostile environment.

They should act accordingly and run Qubes-Whonix if they really care about privacy/anonymity/security. They should also be prepared to re-create their safe Whonix Workstation AppVM if anything suspicious happens while running Tor browser - and it WILL happen.

I just wish the Qubes guys could replace the init-system called SystemD with something else, SystemD has become something much more than a init-system should do, also it is a several-files-withing-a-file in similar way as svchost is on Windows OS, hacking into SystemD and the adversary has access to a whole bunch of things.
Wish the tor dev team could look into the Tails too as it is based on Debian with SystemD, maybe could be something, it is a Debian without SystemD developed by a bunch of former Debian developers who got fed up with the direction of Debian and its use of the nsa friendly SystemD.

July 16, 2016


I have noticed that all hidden service traffic goes through, and if I delete .cab, I can't connect. What is going on?

July 18, 2016


where to get latest tor.exe ??! I don't need that bloody tor browser, actually i dont need tor.exe too, but how possible im starting getting messages like this:

[19.07 01:55:02 2016] Your Tor Software is Out-of-date - You are currently running version " (git-598c61362f1b3d3e)" of the Tor software, which may no longer work with the current Tor network. Please upgrade to the most recent version of the software, which may contain important security, reliability and performance fixes.

Since what that thing start knoking home and check tor version??!!! i didnt let it do in any options, nor in ini/torrc file.

The thing i download and unpack Not let me run tor.exe - IT JUST BLANK response and after few seconds gone from taskmanager too... wtf is going on with you guys??

It sounds like you want the expert bundle from the download page.

As for the version check, the directory authorities publish a list of Tor versions that we think will work with the current network, and your own Tor program compares its version to that list and warns you if it's no longer in the list.

July 24, 2016


Are we going to see 64-bit Tor and 64-bit Tor Browser on Microsoft Windows?

64-bit offers a higher security because malware is mostly only 32-bit.

You should realize that this blog post is about Tor, which is a release of the program called Tor. It is not about the Tor Browser. Maybe you should find the latest blog post about a Tor Browser release, and pose your question there -- or maybe you should ask it on Stackexchange or something where we try to provide more long-term answers.

July 30, 2016


Why IP-CHECK info always shows me the IP that deffers from the exit node in "circuit list" ?

August 02, 2016


What about Lucky Green's bridge authority Tonga? Media reports indicate that bridge authorities are critical to some users.

Also, isn't the directory authority system much better with an odd number of directory authorities? When can we expect a replacement for Urras?

Part of me would like a larger number of directory authorities, but in times like these, a large increase would be suspect. I no longer believe that anyone can be considered a trusted individual. No one.