Tor Browser Downloads Are Up in 2017

by tommy | August 21, 2017

We love releasing new features and giving talks about where the Tor Network is going next. Still, it’s good to take stock every now and then, especially when we can share good news.

The Tor Metrics website provides all sorts of information about the Tor Network, including how fast the network is, or how many daily users it has. The Metrics team recently expanded the Metrics page with a Mozilla grant, strengthening the infrastructure used to collect data.

One of the things Tor Metrics measures is how many times Tor Browser has been downloaded, and we decided to investigate how the first six months of 2017 measure up to the same time last year. Data from Tor Metrics tells us there was a 1.4 million increase in the number of Tor Browser downloads in the first six months of this year, compared to the same period last year. In all, download numbers increased from 16.1 million to 17.5 million.

The more Tor, the better

More Tor is good for lots of reasons: it means that journalists, activists, and other privacy-conscious individuals are taking steps to evade internet censorship or stop websites from tracking them as they browse the web. An increase in the number of Tor Browser downloads could also be evidence of some new censorship event, when users circumvent internet censors to access online resources and communities.

Privacy protections rolled back by the US government in March gave ISPs free rein to collect and sell your private information. We’re delighted that more people are realizing that there’s an alternative to the pervasive tracking and surveillance that many websites, ISPs, and agencies carry out.

Tor makes every user look the same, and the diversity of our user base is part of what makes Tor strong. The more people who use the network, the better Tor’s anonymity.

Browser download numbers don’t tell us everything -- we have no way of knowing how many of those downloads come from repeat downloaders, or how long they keep using Tor. Those would be privacy-invasive metrics, and we don’t gather such information. But we still think that this number is meaningful, and we’re glad to see it increasing.

As always, you can download Tor Browser here. Why not make the Tor Network stronger and faster for everyone by running a relay?

Comments

Please note that the comment area below has been archived.

August 21, 2017

When I see updates in Tails [Synaptic] for packages like "Tor", should I upgrade via the auto-configured .onion repositories? Or wait for the next release of Tails for it to ship with these updates? TIA

Someone from Tails Project please correct me ASAP if I am wrong about anything in my response to the following question:

> When I see updates in Tails [Synaptic] for packages like "Tor", should I upgrade via the auto-configured .onion repositories? Or wait for the next release of Tails for it to ship with these updates? TIA

As a long-time Tails user, according to my understanding, you should avoid regularly using synaptic at all while using Tails, and you should not try to upgrade anything from the Debian repos (or elsewhere). While Tails is based upon Debian stable, it features a rather delicate mix of reconfigurations and other tweaks which are intended to make Tails do one thing very well: serve as an "amnesiac" operating system, which is to say, to leave no trace in hardware after you end a Tails session. The other thing it does very well is anonymous browsing, and in the near future we hope it will do anonymous chat very well too. The danger in "upgrading" software in your Tails system via the Debian repos is that you might break something, causing your Tails system to leak information, which could be dangerous.

In contrast, if you also use Debian stable as your "non-amnesiac" operating system, you should absolutely use the onion repos, check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos.

Users of Whonix and other privacy-anonymity-enhancing operating systems should follow the advice of the developers of those systems regarding how and when to upgrade software.

Social justice advocates, civil libertarians and scientific/human-rights researchers who use both Tails (amnesiac OS) and Debian (non-amnesiac OS) tend to keep their Debian system offline except for software updates, and to use it for specialized purposes, but to use Tails for almost all interactions with the wider world. This provides little protection against "close-access" technical attacks leveraging stray electronic emanations, but our enemies may sometimes be reluctant to use anything they learn that way, in their ongoing attempts to retaliate against us, for fear of revealing their darkest methods to the entire world, so every little thing we can do to make ordinary methods (malware etc) hard for them can help us protect ourselves and our families from state-sponsored attack.

Very kind of you, thank you.

However, I thought it was encouraged in Tails to update via the built-in .onion repositories? If not, why would such work go into them and why do they exist?

= Debian and Tor Services available as Onion Services
https://blog.torproject.org/blog/debian-and-tor-services-available-onio…

= And
https://onion.debian.org/
https://onion.torproject.org/
https://packages.debian.org/apt-transport-tor

= Debian and Tor Services available as Onion Services
https://bits.debian.org/2016/08/debian-and-tor-services-available-as-on…

One configures according on his own needs : tail_cd is not built with only one profile in mind.

usually you should not use an old version especially on a live cd :
- repos is for downloading the stable & verified software , rarely for the last updated version.
- it is better to use the last version of tail & download the last version of tor (e.g.) from the project.site.

# In contrast, if you also use Debian stable as your "non-amnesiac" operating system, you should absolutely use the onion repos, check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos.

# you should absolutely use the onion repos.
- it is not recommended (outdated) : download Tor from torproject.org.
# updates, and upgrade your Debian system regularly via the onion repos.
- it is not recommended (default=stable=maintained): set hkps_debian source.
# check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos..
- it is not recommended (source-list/version) : configure the depo.

In a previous comment, I carelessly advised:

>> In contrast, if you also use Debian stable as your "non-amnesiac" operating system, you should absolutely use the onion repos, check them daily (if possible) for updates, and upgrade your Debian system regularly via the onion repos.

Oops! I forgot to stress a very important point: if you use Debian as your non-amnesiac OS, you should certainly use the onion mirrors of the Debian repos to update your system, with the exception of Tor Browser, which you should replace with the latest version from torproject.org (make sure to use Debian gpg to check the detached signature of the tarball before you unpack it!) as soon as a new version becomes available (your Tor Browser will alert you when it notices that a newer version is available).

Actually, depending upon what is installed in your Debian system, there may be a few other things which you should update from non-Debian sources. Debian offers a nice script to check for debian packages which do not have ongoing support from the Debian security team, generally because critical bugfixes come too rapidly for Debian to keep up with them, so you should probably look for that and install it.

> However, I thought it was encouraged in Tails to update via the built-in .onion repositories?

You were? Maybe you have seen something from tails.boum.org that I missed, but if so can you cite the link?

I would welcome correction if I am wrong, but AFAIK Tails does *not* advise updating a Tails system from the Debian repos. If you were to do that, you would certainly want to use the onion mirrors while using Tails, but AFAIK the problem is that you might break something in Tails. For example, some of the versions of standard software included in Tails have config files tweaked by the Tails developers to prevent information leaks, or to prevent breaking other tweaks in Tails, and if you overwrote those, you could break something, which could be dangerous.
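The signature check mentioned in the comment above (verifying the detached signature of the Tor Browser tarball before unpacking it), as an added example that is not part of the original comments or of any Tor Project code: it accepts a download only when gpg reports a valid signature whose primary key matches a pinned fingerprint. `PINNED_FPR`, the function names and the sample status lines are constructed placeholders; replace the fingerprint with the one published by the Tor Project.

```bash
#!/usr/bin/env bash
# Added example: accept a tarball only if its detached signature was made by
# one specific, pinned key. "gpg --verify" alone succeeds for ANY key in the
# local keyring, so the fingerprint has to be compared explicitly.

# Constructed placeholder, NOT a real signing key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of "gpg --status-fd" output for a good signature made by
# a signing subkey (field 3 of VALIDSIG) of the pinned primary key (last field).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2017-08-21 1503273600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Strip whitespace and upper-case, so "0123 4567 ..." and "01234567..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# status_signed_by STATUS_TEXT FINGERPRINT
#   0  a VALIDSIG line names FINGERPRINT as the primary key, and no line
#      reports a bad, unverifiable, expired or revoked signature/key
#   1  anything else
#   2  FINGERPRINT is not a full 40-hex-digit fingerprint (short key IDs
#      are refused because they are easy to collide)
status_signed_by() {
    local status="$1" want
    want="$(normalize_fpr "$2")"
    [ "${#want}" -eq 40 ] || return 2
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # The last VALIDSIG field is the primary key fingerprint; the first
        # one may be a signing subkey and must not be used for pinning.
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_tarball TARBALL SIGFILE [FINGERPRINT]
verify_tarball() {
    local tarball="$1" sig="$2" fpr="${3:-$PINNED_FPR}" status
    if [ ! -f "$tarball" ] || [ ! -f "$sig" ]; then
        echo "missing tarball or signature file" >&2
        return 2
    fi
    # Machine-readable status goes to stdout; human-readable text is discarded.
    status="$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)" || true
    status_signed_by "$status" "$fpr"
}

# Usage: ./verify.sh tor-browser.tar.xz tor-browser.tar.xz.asc
if [ "$#" -ge 2 ]; then
    if verify_tarball "$1" "$2"; then
        echo "OK: signed by pinned key, safe to unpack"
    else
        echo "FAIL: signature not made by pinned key, do not unpack" >&2
        exit 1
    fi
fi
```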

"You were? Maybe you have seen something from tails.boum.org that I missed, but if so can you cite the link?"

I don't recall reading anything about it. Maybe a warning should be added about this?

"Tails does *not* advise updating a Tails system from the Debian repos."

Thanks. FWIW, if it is *bad* to do this, perhaps the system could be [crippled] configured in a way so that updates are impossible? Otherwise, someone out there is going to do it. And we know how many people read websites and documentation!

"If you were to do that, you would certainly want to use the onion mirrors while using Tails,"

Which I was enjoying, but I'll cease doing so within Tails.

"but AFAIK the problem is that you might break something in Tails. For example, some of the versions of standard software included in Tails have config files tweaked by the Tails developers to prevent information leaks, or to prevent breaking other tweaks in Tails, and if you overwrote those, you could break something, which could be dangerous."

Oh shit! Thanks for the info!

Oops, my comment didn't render properly, anyway I said:
Hiro still has a small bit of work, there's still the <li class="menu-item-about-tor"...
and <li class="menu-item-about-donate" i.e. the "ABOUT TOR - DONATE" at the very top.

Most people I see write Tor incorrectly either pirate stuff or hate Tor.
Although even Cloudflare can capitalize it correctly when they trolled you during their spike in reCAPTCHA-walls.

August 22, 2017

A few years ago I would use TOR occasionally to bypass the unauthorized content filtering (including a false positive blocking my employer) on my mobile phone. Then the UK's "Snooper's Charter" was introduced with all its privacy problems even before the risk of hackers stealing and selling my data. Now the TOR browser is almost my default. Keep up the good work TOR people!

August 22, 2017

your article is nicely & friendly written but ...
- have you tried/used Tor before upload it ?
- 7.0.4 is broken
- there is an incompatibility between TBB & amnesia
- it is more an usa tool for usa guys in restricted area than an international open movement
- running a relay is reserved for the enterprise, firm, organization (hospital, transport/police station included) which provide a good & fast/modern bandwidth and do know manage their business contract/contact.
- as soon as i post (or run a relay as individual user) i am not anymore anonymous and they will come knock at the door, a day or an other, asking me their 10 000$ (that i saved during few years coin by coin).
Have a good day ( without eclipse for 100 years now).

Random Answers:

- please define "broken", AFAIK TBB 7.0.4 "works" as usual for our tiny fraction of the user base (as upgraded from previous releases, all initially installed on Debian GNU/Linux hosts, via torbrowser-launcher package)

- please define "amnesia", AFAIK it is, for example, the OS user name in Tails "the amnesic incognito live system". Tails 3.1 was released two weeks ago and integrates TBB 7.0.4 also (I read the announcement, didn't try it as yet but it should be safe to assume it rocks as usual)

- yes, the Internets remain far from a global network at planet scale, the scope of the problem is a lot wider than affecting just Tor, only half of human being are "somewhat" connected in "some way" to "something". Still, have you tried Tor Bridges?

- some individuals have published their experiences running relays and this post seems to target the millions of lucky ones who are nowadays connected via FTTH in the ranges of 2-50ms of latency and 50-1000 Mbps of bandwidth

- I understood nothing about your last point

please define "amnesia"
Tails is designed to "forget" all data on shutdown. It has absolutely no memory of previous sessions.

...well, it may, if and depending on how much, you are making use of Tails' Persistence feature.

(and I know why the OS user is named "amnesia" in Tails, my "please define amnesia" question above was a first response to celcius37's vague statement)

The topic is Metrics :
not tail, not 704, not white & black fingers
[Tor Browser] 7.0.4 is broken : https-everywhere failed etc. if you installed it from the depo ; maybe it works on but (download = ok) 7.0.4 is broken. the next update will solve the issue.
if you are ; you & others bloggers:posters too lazy for doing your own research & bad educated (linux = educate yourself first) , no one can help you :
e.g whatisamnesia (on the tor blog it is very fun) ; douseonionsondebian (from atailuserwhohaveneveruseddebian lol) ; racisminamerica vs usingonions ; (ididnotknowthatthecolorofmyskinwasapassportforafreeusage).
i think that a forum or a Tor|Blog set in different language or translated pushing a button could solve a lot of misunderstood : in short ; are the comments relevant/related to the article :
Tor Browser Downloads Are Up in 2017 / Metrics.

Regards.

Give us a break please, this is like in a cafe where some people chat and ask not-so-related questions because they're either lazy or confused about where to post them. At the same time, bartenders appear to be out of it or on vacation or whatever, so they moderate stuff they should not and let trollesque thoughts go through. Have a nice day!

@ reset_dane:

Given that the Tor community tends to be more sympathetic with anarchic philosophies than some other communities, and given the fact that TP folk are busy with many critical issues more urgent than blog moderation, you probably should learn to accept a certain level of chaos in the blog comments.

That said, if Tor-related-but-not-post-topic-related comments bother you so much, why not join those who have suggested that TP follow the example of Bruce Schneier by posting on Fridays a blog post inviting users to ask/suggest anything (as long as it is Tor related or TP related)?

This could serve as a stop gap for providing feedback by anon channels until better technological solutions become available, while allowing people like you to avoid seeing OT topics, simply by skipping over the regular Friday blog.

anarchism is well understood where it lived & was born _ usa guys do not so i do not think that the blog was built with anarchic philosophies in mind and i thank them for their open mind.
That's solved 2 false arguments : yours.
your conclusion is wrong : i am not a moderator of the Tor|Blog so regulating the chaos is not my job.
Don't forget that ****** is usually maintained by volunteers , not to be confused with a post-sales customer service organization (and an UNO politic civil movement).

i like read the comments of the others but i do not want to be involved/manipulated ...the comment about racism was done on this topic because the last topic (tor support anti racism movement) was censored so it was really off-topic & spam.
Tail is a live operating system but recommended by Tor (a software/app) and the best place for discussing about Tail is certainly not on the Torblog ... you will not have the same support...

Usually , the users do not want to be known or become like an interference in the work or the life of the others. Posting, asking, providing some help/solutions and bringing few good responses is also that anybody can do (as linux user , it is like a reflex) easily.

some free chat (prism-break .org) and network , with the help of a large community, allow everybody to say everything without any risk of censure or bad reaction.

Regards.

> anarchism is well understood where it lived & was born _ usa guys do not

If you are trying to suggest that anarchist movements are a recent development in the US, the historical facts do not support that claim. Between 1890 and 1914 several heads of states were assassinated by anarchists, including a US President. A few years later Wall Street was attacked by a horse-cart bomb (the scars from that bombing are still visible).

If you are trying to suggest that only the Russian political consciousness is informed by anarchism, that too is debatable: the libertarian movement in the US is heavily influenced by the writings of Ayn Rand, whose ideas have rather visible ties to contemporary Russian anarchists.

One of the most interesting anarchist treatises in recent years comes from a former UK diplomatic service member, which underlines the point that well-informed anarchists can be found in many countries.

August 23, 2017

I posted a serious question, about be(com)ing a more active user by running a relay, and how this involvement may be trashed or protected. It appears to have been moderated for a day. I know it may not appear as "100% positive energy" but it was meant to be constructive. Please, would you dare to publish it? Thanks.

August 23, 2017

> Why not make the Tor Network stronger and faster for everyone by running a relay?

1. Is it safe to do that from home?

2. Do you need a personal domain name?

3. Will it violate your terms of service with your ISP?

4. What is the minimal bandwidth needed?

1. It is safe to do that from your home, assuming your home is not in a country where Tor is illegal.
2. You do not need a personal domain name. Tor relays work without them. Although not strictly necessary, it is often a good idea to get a reverse domain name if you are running an exit.
3. It depends on the ISP. Some are friendly toward Tor, others not so much. Most are fine with you running non-exit relays, though.
4. You can donate as little bandwidth as you want, but note that Tor will use as much bandwidth as is available, so you will have to set strict limits in the config file.

This is very helpful; much appreciated, thanks!

In previous Tor Project posts suggesting that enthusiasts run relays, this critical information has been missing, which is a pity because it is very hard or impossible to find elsewhere at torproject.org site.

My bandwidth is probably too small to allow me to be on the internet myself and also to run a small relay node from home, but do you have a link to a suggested config for low bandwidth users in case I dare to experiment a bit? Most desirable would be the ability to run a relay when I am not using the Internet myself, but this could be problem if it interrupts someone else's Tor circuits. Would it be feasible to put code into the Tor client which tells existing circuits, so to speak, to create new circuits because the server is about to go down temporarily, or something like that?

I need a text based tutorial, a video won't work, and I need a tutorial from TorProject.

@Tor Project people: how about an official post on "How to set up a Tor Relay on a Raspberry Pi" which does not assume that the reader has previous experience setting up a server?

Question: any word from Tails Project on when Tails Server will be ready? Will this be suitable for running a Tor Relay on a Raspberry Pi?

most of free projects are volunteers projects & a banner is often on their site : paypal/bitcoin.

@Tor project people : "How to set up a Tor Relay on a Raspberry Pi" : it is not their job & raspberry is not a Torproject but if someone do wish write an article about that, why not ?

Tail project are on Tail site (contact them by e_mail) like raspberry how-to are on their one.
i do not understand _maybe a genius idea, maybe a confusion_ how a Tails project could run on a raspberry ? - sorry for my lack of intelligence ...a "tor"box can be used (pre-configured or set as relay and you will have support) : it is cheap, you buy one and plug it : done !

you will find on the raspberry site and others similar projects a lot of how-to & help (contact them by e-mail).

August 23, 2017

I have been using TOR as my main browser for half a year now, as well as changing my OS from Windows 7 to Linux. The viruses have gone right down to 1 from about 50 a year in 8 months of a year. After the introduction of snoopers charter in the UK, my father has also decided to do the same, as he needs a new computer anyway, and he'll also (hopefully) be running a bridge relay for those in Russia who were recently banned from using TOR, VPNs and proxies.

August 23, 2017

Metrics counts a negative/false value of the number of download.
- firefox & tor allowed the update of the addon : https-everywhere.
- https addon is broken in tor & in firefox.
- Use at your own risk.

FIX :
- uncheck update in 7.0.4
- Open "about:config" and set "browser.urlbar.trimURLs" to "false" in order to prevent the "http://" prefix from being omitted.

Sh*t happens (and it's not the end of the World), yes https-everywhere appears in bad shape.

But unchecking updates is IMMO, a bad idea. What is your source for this recommendation?

Instead, paying more attention while browsing could help, even more when entering data. For example, looking at URLs before you click them (they appear at the bottom left at mouse hover), watching out for mix-content warnings, allowing javascript only when necessary.

Subsidiary question: would EFF/whoever in charge of HTTPS-E nowadays, be able to publish an emergency update (even if it meant a code revert to start with)? Looks annoying to many users, just guessing.

August 30, 2017

In reply to yawning

I just meant to ask if that could even be an option in that case, technically (a look at the ticket made me doubt), and if so, whether downstream/TB would value any such instant/short-life "update", generally. I know where they are, helped writing rules in HTTPS-E early days and trust you all to do the right thing™ anyway :)

I can see it's a moot point as you say, if indeed TB next fix-release is expected shortly, still it reminds me about e.g. past torbrowser-launcher issues in Debian repos, for example: also likely to have affected adoption rate (while it's the middle of holidays for kids and students in a large part of the connected world). I wonder how much your metrics can really tell about this, probably not much?

Every now and then, little things discourage privacy-concerned users who we had introduced TB and it's only when we ask them again how their usage goes, they tell us they had given up on it.

September 01, 2017

In reply to yawning

I did not expect anything (just like I said) and yes I bothered to read the ticket. Badly I suppose, hence my doubt and previous question about the feasibility of an HTTPS-E "regression-update". Testing their latest release would not hurt me anyway, so I did. FWIW, I'm (still) not complaining about anything at all. Have a nice day :)

August 30, 2017

In reply to yawning

Amnesia has another bugs which 2 are funs :
1a - install both set TorBrowser (noscript_https-tab_forcehttps&cookiesprotected) & close it.
1b - then open Torsandbox (terminal) and you will see your noscript settings in TB be copied in the noscript-tab of the Torsandbox.
2a - open Torsandbox (terminal) _ set it _ close it then open it again :
2b - the version unstable downgrades to the stable version 7.0.4. with the bad update.
it is not important that it could be reproducible or not ; i think it is fun to see an update becomes suddenly a stable downgrade ;) which contains some big bugs/corruption/hacks.
do the Tor team & eff staff & noscript team use Tor ? i have a big doubt suddenly like a bug in my trust chain.

Based off that description, I can't figure out what you're trying to do, or what the problem could be.

File a bug report on trac with detailed step by step instructions on how to reproduce your problem.

August 23, 2017

I have to admit I never actually downloaded Tor before two days ago. I downloaded it to read the Daily Stormer, not because I believe that codswallop they're selling (I'm actually somewhere down their list of people up against the wall after the revolution comes...) but because I believe in their right to say it.

The banning of the Stormer marks a sea change in who uses the "dark web". Before it was a handful of idealists, plus clients who were doing or saying things that were actually illegal. I might believe unabashedly in unrestricted freedom of speech but that doesn't mean I want to go to a kiddie porn site or a credit card number auction house and test my browser security just as a show of ideological purity. So the "dark web" lacked *destinations*, as far as I could tell - at least, destinations I would feel safe or interested in going to. But with the Stormer, we now see the crooked cabal behind the domain name racket has finally shown their true colors. They're not content simply chiseling away our money any more - they want to decide what we read and what we can't. And that means that there is now an .onion link required for a site that is entirely legal to read. And with the apparent banning of the Daily Rebel by one DNS, soon another. The slippery slope won't stop there -- before long you won't be able to look at pictures of a bull-fight or read an editorial praising enforcement of immigration law without going to the "dark web". Simply put, as of this week, the "dark web" became the only real internet there is. Not having a Tor browser is not having an Internet browser.

To be sure, I don't know if Tor can survive success -- I don't know if the only reason it was ever allowed is because practically nobody used it. It is possible that a coordinated campaign of idiots DDOSing and doxxing node operators and software developers will leave the network in shambles. If they do, of course, it will be no step forward against racism. A person with half a brain should be able to see that if racists resort to meeting in person to exchange "El Paquete" like the Cubans under Castro, those meetings will include hand-offs of more than just computer files, and vulnerable minority members who happen to be found near them will be in real danger. But far more damaging in the long run is that if racists aren't allowed to speak, people will no longer know that they have nothing persuasive to say. Worse than that, they will actually begin to believe that racism has been vanquished, even as vastly disproportionate numbers of blacks languish in prison cells, even as the same holier-than-thou tech overlords like Facebook invent mechanisms like "social credit" and "artificial intelligence" to allow businesses all over the world to discriminate against blacks systematically without being "racist".

# I don't know if the only reason it was ever allowed is because practically nobody used it.
a lot of persons are using pgp & tor but , at home, few let tor running 24/24.
Tor metrics must be happy to know that the more freedom of speech is prohibited the more tor users increase their download from tor-project (onionshare e.g).
i do not care of u.s.a problems : they have created it from scratch , it does not exist outside : social credit or ai comes from u.s.a bankers innovation.
i do not like the false assertion saying that racism is bad or melting-pot is the right attitude :
the incompatibility between human being is an evidence which imperialism/colonialism is the source.

I have noticed the same thing for many months and have the same question.

I think it's quite possible that this is innocuous, but I also think someone knowledgeable should check up on the issue.

I along with others appear to have posted this question to several places on the web and there has been no real solid answer so far, nothing but kick the can type of shit.

The best "places on the web" to post this question, are not here but Tails wonderlands (tails.boum.org).

Trying to answer this here, it indicates a (temporary?) error to obtain an essential file from the Debian archive via its official onion mirrors (as announced on onion.debian.org). First, make sure you are running the latest stable version of Tails (3.1 as of writing) and if it occurs again, you could use the hammer (systemctl restart tor.service) to force building new circuits and then, just try again (apt update).

There have always been alternatives to "web forums" AFAIK, browse Tails website to learn about them.

Anyway, this might be wider in scope than just Tails (I didn't investigate that particular issue), see Ned Ryerson's links

> There have always been alternatives to "web forums" AFAIK, browse Tails website to learn about them.

First, I am assuming we are talking about anon comms, so mailing lists and IRC unprotected by Tor are out. If you are making a different assumption you should clarify.

Second, I have used Tails since zero point something. Over the years the comms channels with the devs have evolved greatly, in part owing to events beyond their control, but it has always been very difficult.

Whisperback can be useful in small doses but many users may not realize that Whisperback does not encrypt comments by default, and if no valid email and public key is provided, Tails cannot reply. So this is at best one-way communication.

Despite these issues, Tails is a wonderful product and I think everyone should use it often.

Various people have offered email/XMPP clearnet/onion services in the past, without rejecting Tor users. Are there none left? I can guess why Tails support moved from IRC to XMPP, Tails OS still includes a preconfigured Pidgin client for both over Tor. Does it fail?

That is true, and I agree it is a serious problem, one which Tails Project is working to mitigate, but it is a hard problem.

Another is the difficulty of rapidly acquiring (e.g. from random system noise) high quality entropy when your system has only recently booted up, which poses a problem for cryptography. Once high-quality entropy generators become more widely available, this should be solvable.

Nevertheless, Tails is an essential tool, especially for applications where using an "amnesiac OS" is crucially important. Such applications are often off-line, so that the above problems are less relevant.

(-:

There's a thread at TAILS' Developer Mailing List:
https://mailman.boum.org/pipermail/tails-dev/2017-August/011610.html

No solution from them, yet. Expect that link to disappear though. They had a users type of ML open twice and twice they closed it to the public. What good is a ML if you can't specify a public one for users?

And there's this at the Debian Users Mailing List:

https://lists.debian.org/debian-user/2017/08/msg01420.html
With no solution yet, either! But at least some users tried to help. One would think this matter would be passed on to whomever runs the hidden service!

> The best "places on the web" to post this question, are not here but Tails wonderlands (tails.boum.org).

It's been posted to TAILS -and- Debian mailing lists with no solution in sight. Posting here is an attempt for this bug to catch more eyes, being as this is Tor, TAILS, and Debian related.

> force building new circuits and then, just try again

Tried and failed even after system reboots. This is why I'm posting this issue here as well, more eyes and the lack of a solution.

Just to clarify:

When I am updating my non-amnesiac OS (Debian stable) via the onion mirrors, I sometimes experience problems including the one you mentioned (other issues may be related to server load). As someone mentioned, restarting (Debian) Tor service with systemctl sometimes works. If not, try waiting a few hours (off-line) then try again. In my experience rebooting makes no difference, these problems appear to be issues with the onion mirrors.

According to my understanding, you should *not* use the onion mirrors to try to update a Tails system, but rather wait for the next issue of Tails to appear. Regardless of whether you boot from a R/O DVD (the most secure method) or a USB (much more convenient but less secure).

It seems there is considerable interest from the Debian community in using the onion mirrors, so I hope the people who maintain the onions will post a followup in this blog, correcting any misunderstandings which have arisen among users.

> I'm seeing this in Tails when I refresh the package repositories

Oops, previously overlooked "in Tails". AFAIK, Tails does not intend anyone to try to update software on their Tails system using the onion mirrors for the Debian repositories, although you should follow that route when you are using your non-amnesiac OS, if you use Debian.

However, I have noticed this issue when updating Debian stable via the onion mirrors. AFAIK it is innocuous, but I worry. Good answers would have to come from the people who maintain the onion mirrors. Since I think they sometimes read this blog, perhaps they can look into the issue?

August 25, 2017

Big malware time? Look at the metric figures for the Netherlands 2017-07-28 / 2017-08-25. 7 to 8 times higher than the usual average of 35.000 and 45.000 users at most.
By the way, you wouldn't believe it months ago and also kept censoring warnings on this topic on your website, but the Dutch finally have their big surveillance law and it will be starting on the first of January 2018 (officially).
Reason enough to use Torbrowser because the Dutch will wiretap all traffic that is trespassing and they will share it worldwide. But that is probably not the reason for this 8 time doubling usertraffic. Dutch privacy awareness is not really a general topic and therefore not a reason to change internet behavior.
Anyhow, I guess that Dutch surveillance teams will absolutely try to focus on timing attacks and all the tricks you can do when controlling or monitoring Dutch (entry/middle and exit) nodes. Maybe it is better to totally stay away from Dutch nodes, Dutch unencrypted websites and (free) services (and servers gifts anybody?) at all!

> By the way, you wouldn't believe it months ago and also kept censoring warnings on this topic on your website, but the Dutch finally have their big surveillance law and it will be starting on the first of January 2018 (officially).

I don't know why TP appears to sometimes censor well-intentioned warnings from users, but it's possible that they already knew about developments in NL from other sources. It's also possible that they know something we don't about political threats inside the US, where TP is based. So while I sometimes share your frustration about apparent censorship even in this blog, I think we all need to try to give TP employees the benefit of the doubt.

The UK and NL dragnets are global in scope, particularly for Tor users, so we should all be at least somewhat concerned. UK is part of FVEY, and NL has been very close to US FBI for many years (as was discussed in this blog several years ago), and FBI attacks computers all over the world, so...

Dutch people, British people, and US people should certainly use Tor Browser (or Tails) for all their browsing. We are all, it seems, at risk.

> 8 times higher than the usual average of 35.000 and 45.000 users at most.

Could this be related to a new family of tor nodes? Nusenu?

Intels all over the planet have long been snooping as much as they can, irrespective of their legal frameworks. Themselves are crying and crying they'd have no other choice to carry on, qualifying their own practices "a-legal" openly, to press their parliaments pass batches of new bills in emergency procedures to cover their *sses retroactively.

Sure, more encryption won't hurt koalas. Knowing what percentage of relays are actually run by which Intels, is another story.

> more encryption won't hurt koalas.

The book Future Crimes by Marc Goodman should scare the bejesus out of ordinary computer users who have somehow missed all the bad news about consumer device insecurities. Given that Goodman is a former FBI agent, it is not surprising that Tor users will disagree with the unrelentingly dark portrait he paints of Tor, but the interesting fact in this context is that after leaving FBI and spending time with computer experts, Goodman broke with FBI doctrine and in his book strongly *supports* strong crypto for all. Thus I urge TP's media team to read the book because I think this can be useful in persuading powerful US Congresspersons that FBI doctrine is dead wrong when it comes to encryption.

Goodman also acknowledges advice from Steve Santorelli, another person with US LEA background, who is only one hop from the Tor Project board, so Goodman is "selectable" by NSA under the two hops calling circle policy (reduced from three hops by Obama but possibly secretly increased again by Drumpkim).

It appears possible to me that if TP reaches out to Goodman, we might be able to persuade him that he is wrong about Tor too. This is not inconsistent with my warning about bringing TLA moles into TP, because all TP employees would be fully aware of his strong TLA connections when they speak to him.

> Intels all over the planet have long been snooping as much as they can, irrespective of their legal frameworks.

The most dangerous spooks are arguably employed by NSA, although I think we should all be very worried about CN, RU, an increasing number of MEA (Middle East and Africa) nations, and even EU (e.g. UK, DE, FR, and as someone else mentioned NL). The book American Spies by Jennifer Granick (formerly of EFF) is a superb survey, focusing on the issue of the enormous and shocking illegality of the NSA enterprise, and the way in which US TLA's abuse language to disguise this illegality. Possibly the best chapter in the book is her impassioned defense of unbackdoored cryptography for all. Thus I urge TP's media team to read this book also, so that they can use its arguments in discussions with journalists and policy advisors.

Thank you for your post.
The book Future Crimes by Marc Goodman > if it is translated into a different language and if a free download is provided by yourself or another guy, I should read it.
The book American Spies by Jennifer Granick (formerly of EFF) > same.
The real challenge is to create a community and make encryption a right, not a path for their interest.

We noticed the strange increase in users from the Netherlands. There are also recent unexplained increases in the Seychelles, Lithuania, and Romania. Here is a post about it: https://lists.torproject.org/pipermail/metrics-team/2017-August/000428.html.

We have a wiki page where we keep track of occurrences like these, and write explanation when we know of them: MetricsTimeline. You're welcome to add entries to the page.

The same data also appears (in a read-only form) on the Tor Metrics site: Tor Metrics News.

August 26, 2017

IF YOU RESTART YOUR TOR BROWSER WHY IS THE CLIPBOARD ON YOUR CPU NOT CLEARED? YOU CAN COPY AND SAVE AND RESTART TOR AND STILL PASTE PREVIOUS CLIPBOARD FROM TOR INTO NEW TOR...IS THAT SAFE?

That's what your clipboard is designed to do, it's not a bug, it's a feature (provided by your OS) and has nothing to do with Tor Browser.

NOW RELAX AND STOP SHOUTING! :)

If you find this unsafe, read about "Security by Isolation" and read about virtual machines and sandboxes, SubGraph OS, Whonix, Qubes, etc.

> That's what your clipboard is designed to do, it's not a bug, it's a feature (provided by your OS)

I don't disagree with that as far as it goes, but I fear you (and the devs) are overlooking abuses of the clipboard by the bad guys (spooks, crims). The Snowden leaks include documents showing that NSA/TAO is interested in messing with the clipboard, which should set off alarm bells IMO.

Tor Browser is different from other browsers in that TB users are more endangered by exploitable flaws.

@ ALL CAPS:

Really, please do turn off your caps lock, it isn't helping us to understand your issue.

> but I fear you (and the devs) are overlooking abuses of the clipboard

See the second part of my previous comment.

> by the bad guys

These have a lot more attack surface, than time to exploit it all :) I don't look at Tor/i2p/* as magic fortresses for individual secrets, but as tools to increase costs of surveillance and censure, for use by the largest part of the population.

Not quite there yet, according to Metrics we're in progress, and back on topic! :)

> costs of surveillance and censure, for use by the largest part of the population.

Yes, I entirely agree with that.

It's an arms race, and contrary to what some naysayers would have us believe, dramatically raising the costs for and (exposure) risks to attackers appears to be an achievable goal.

Many thanks to all the devs and other citizens who are working towards this end!

August 26, 2017

HOW TO BYPASS THE CAPTCHA? ANY WAY TO STORE A UNIVERSAL CACHE THAT EVERYONE CAN USE TO BYPASS THE CAPTCHA? THAT THING IS ANNOYING!

August 27, 2017

torproject.org : dane-validated successfully

does tor browser dane-validate successfully ?
I have not found any information about that and do not see a hidden dane validator in the addon.

is dane yet implemented in a hidden way ?
is dane a danger running tor browser ?
why have you chosen ocsp ?
does dane interfere with https -everywhere ?
could dane do a better job than ocsp ?

Metrics : do you think that with these minor updates/improvement the number of download of Tor will increase or decrease (incompatibility:crash) ?

August 28, 2017

Hi, this is saumyaa. I wanted to know how to access .onion sites. I have Orbot installed and also installed Orfox.

September 02, 2017

no thanks eff bug !
https-everywhere 2017.8.31 still broken !
last updated september 2 2017
setting/icon is locked on blue : block all uncrypted request (unchecked blocked)
special humour day or glamour cia gay
do they use their add-on ?
that's a shame !
(and no link_email for report it)

by the way , is an .onion without https safe (mitm ?) ?