Tor Weekly News — December 18th, 2013

Welcome to the twenty-fifth issue of Tor Weekly News, the weekly newsletter that covers what is happening in the ever-updating Tor community.

Tor is out

After more than a year in the making, Roger Dingledine announced the first stable release in the Tor 0.2.4 series, as well as the dedication of this series to the memory of Aaron Swartz (1986-2013).

Tor 0.2.4 boasts a large number of major new features, among them a new circuit handshake, improved link encryption, a flexible approach to the queueing of circuit creation requests, and the use of “directory guards” to defend against client-enumeration attacks. You can consult the full changelog in Roger’s announcement, and download the source code from the website.

As no code changes have been made since the previous release candidate, there is no reason for users of tor to upgrade in a hurry.

Tor Browser Bundle 3.5rc1 is out

Mike Perry announced the first release candidate in the Tor Browser Bundle 3.5 series, and strongly encouraged users to update in anticipation of the imminent end-of-life of both the 2.x stable and 3.0 series, following Mozilla's deprecation of Firefox 17 ESR, on which both are based.

This release also includes a number of important security updates, alongside various bugfixes and usability improvements; for this reason as well, users should upgrade as soon as possible.

Tails 0.22 is out

Tails saw its 35th release on December 11th. It incorporates many major and minor improvements and bugfixes, and opens up the new incremental-upgrade feature for beta-testing.

As this is the first release to feature a browser based on the Firefox 24 ESR series, some small inconveniences found their way in. Have a look at the known issues before giving it a go.

Nevertheless, it fixes several important security issues, so it is recommended that all users upgrade as soon as possible.

awarded $250,000 grant

The team announced that they have received a $250,000 organizational grant, to be spread over two years, from the Digital Defenders Partnership, which in its own words was “established to provide rapid response to threats to internet freedom.”

With this grant, wrote Moritz Bartl, “participating Torservers organizations will be able to sustain at least 3 Gbit/s of exit traffic, and 2000 fast and up-to-date bridges.”

In order to make the most efficient use of this significant contribution to the Tor network while maintaining its diversity, wrote Moritz, “we need to find seven more organizations that are willing to rent servers for a period of at least 2 years”, adding that “we really want to avoid having organizations run both high bandwidth exit relays and a larger number of Tor bridges: An operator should not see both traffic entering the Tor network and traffic leaving the Tor network”.

For this reason, he called for groups interested in supporting the Tor network to get in contact, in order to discuss how they can best set up and maintain Tor services. The first such partnership will be with the Institute for War and Peace Reporting's Cyber Arabs group.

If you represent an organization that could make this much-needed contribution to the Tor network, please contact the team, or join them at the Tor relay operators meetup during the upcoming Chaos Communication Congress in Hamburg.

Miscellaneous news

The Tails team reported on the vast amount of activity that occurred during November 2013. Coming up in the next few Tails releases are an updated I2P, a new clock applet with configurable timezone, better localization, incremental upgrades, safer persistence, MAC spoofing…

meejah announced the release of txtorcon 0.8.2, and warned users that they should upgrade if they use that program’s TCP4HiddenServiceEndpoint feature, in order to fix a bug that allows listening on hosts other than

Kevin P Dyer announced the 0.2.2 release of fteproxy, which “includes the removal of gmpy as a dependency, additional documentation to explain the significance of language theoretical algorithms, and bounds checking of the input/output of our (un)ranking algorithms”; this hot on the heels of 0.2.1, in which he “focused on breaking away from heavyweight dependencies: OpenFST and boost”.

Mike Perry shared his thoughts regarding the presence of the Tor Browser Bundle in centralized repositories such as the Apple App Store or Google Play, and the possibilities for attack that these stores open up.

Ondrej Mikle warned users of Enterprise Linux 5 that Tor RPM packages will no longer be built for their platform, owing to an “increasing number of required workarounds”.

Karsten Loesing published a summary of the past, present and the future of the Tor Metrics project, which he maintains, offering some context for the various changes that have recently been announced.

Lunar sent reports from the Tor help desk for October and November.

Jacob Appelbaum recapped his work over the last few months — from June to December — in a slew of reports (June, July, August, September, October, November, December).

Tor help desk roundup

Occasionally users who need the Pluggable Transports Tor Browser Bundle will download the Vidalia Bridge Bundle instead, which is less useful for users trying to circumvent state censorship. The Vidalia Bridge Bundle is only available for Windows and is configured by default to turn the client machine into a bridge. None of the Vidalia Bundles are designed to use Pluggable Transports.

This issue of Tor Weekly News has been assembled by harmony, Lunar, dope457, and Matt Pagan.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!