Published on 2021-04-30
Starting July 15, Tor will no longer support v2 onion services
https://blog.torproject.org/v2-deprecation-timeline
If you are an onion site administrator, you must upgrade to v3 onion services as soon as possible.
As we announced last year, v2 onion services will be deprecated and obsolete in Tor 0.4.6.x. As of April 2021, Tor Browser Alpha uses this version of Tor and v2 addresses no longer work in this and future versions of Tor Browser Alpha.
When Tor Browser stable moves to Tor 0.4.6.x in October 2021, v2 onion addresses will be completely unreachable.
Why are we deprecating v2 onion services? Safety. Technologies used in v2 onion services are vulnerable to different kinds of attacks, and v2 onion services are no longer being developed or maintained. The new version of onion services provides improved encryption and enhanced privacy for administrators and users.
It's critical that onion service administrators migrate to v3 onion services and work to inform users about this change as soon as possible.
Read more about the deprecation on our blog: https://blog.torproject.org/v2-deprecation-timeline
Defend Dissent with Tor
https://blog.torproject.org/book-defend-dissent-with-tor
This week, we're highlighting a guest blog post by Glencora Borradaile.
After 4 years of giving digital security trainings to activists and teaching a course called "Communications Security and Social Movements", I've compiled all my materials into an open, digital book - Defend Dissent: Digital Suppression and Cryptographic Defense of Social Movements (https://open.oregonstate.education/defenddissent/) hosted by Oregon State University where I am an Associate Professor. The book is intended for an introductory, non-major college audience, and I hope it will find use outside the university setting.
It should be no surprise that Tor is a star of Defend Dissent. The anonymity that the Tor technology enables turns the internet into what it should be: a place to communicate without everyone knowing your business. As a professor, I love teaching Tor. It is a delightful combination of encryption, key exchange, probability and threat modeling. Find out more about Defend Dissent on our blog.
Domain Shadowing: Leveraging CDNs for Robust Blocking-Resistant Communications
https://blog.torproject.org/anti-censorship-domain-shadowing
What is Domain Shadowing?
Domain shadowing is a new censorship circumvention technique that, like domain fronting, leverages Content Distribution Networks (CDNs) to achieve its goal. However, domain shadowing works completely differently from domain fronting and is stronger in terms of blocking-resistance.
Compared to domain fronting, one big difference among many is that the user in domain shadowing is in charge of the whole procedure. In other words, the complete system can be configured solely by the user, without needing assistance from either the censored website or an anti-censorship organization.
Find out more about Domain Shadowing on our blog, in a guest post from Mingkui Wei.
New Releases
Tor Browser 10.5a15
https://blog.torproject.org/new-release-tor-browser-105a15
(April 26) This version updates Firefox to 78.10esr and Fenix to 88.1.1. In addition, Tor Browser 10.5a15 updates Tor to 0.4.6.2-alpha. This version includes important security updates to Firefox for Desktop and security updates for Android.
Tor Browser 10.0.16
https://blog.torproject.org/new-release-tor-browser-10016
(April 20) This version updates Firefox to 78.10esr. In addition, Tor Browser 10.0.16 updates NoScript to 11.2.4, and adds localization in Burmese. This version includes important security updates to Firefox for Desktop.
Tor 0.4.6.2-alpha
https://blog.torproject.org/node/2018
(April 15) Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several small bugs in previous releases, and solves other issues that had enabled denial-of-service attacks and affected integration with other tools.
Tor Browser 10.5a14
https://blog.torproject.org/new-release-tor-browser-105a14
(April 13) This release updates NoScript to 11.2.4 and updates the Snowflake pluggable transport. This release is the first version that is localized in Burmese, as well.
Tor Browser 10.5a13
https://blog.torproject.org/new-release-tor-browser-105a13
(April 5) This release updates Firefox to 78.9.0esr for desktop and Firefox for Android to 87.0.0. Additionally, we update Tor to 0.4.6.1-alpha and OpenSSL to 1.1.1k and NoScript to 11.2.3. This release includes important security updates to Firefox for Desktop, and similar important security updates to Firefox for Android.
What We're Reading
Join Our Community
Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://community.torproject.org/relay/
Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet
Learn about more opportunities to start collaborating: https://community.torproject.org/
Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org
--
The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.
Twitter: https://twitter.com/torproject
Facebook: https://facebook.com/torproject
Instagram: https://instagram.com/torproject
Mastodon: http://mastodon.social/@torproject
Published on 2021-03-31
Get a TLS certificate for your onion site
https://blog.torproject.org/tls-certificate-for-onion-site
We are happy to share the news of another important milestone for .onion services! You can now get DV certificates for your v3 onion site using HARICA (https://www.harica.gr/Contact/GetHarica), a Root CA Operator founded by Academic Network (GUnet) (https://www.gunet.gr/en/), a civil society nonprofit from Greece.
Previously, .onion site administrators who needed a TLS certificate had to either hack other solutions or spend a significant amount of money purchasing an EV certificate. Now with HARICA, acquiring a certificate has become more accessible, but we know that free certificates are ideal and are looking forward to that moment.
We are happy to see people acquiring certificates for their onions (https://www.reddit.com/r/onions/comments/lwaccm/harica_ca_now_supports_issuance_of_dv_onion/). Remember to do it for a v3 onion address since v2 will be deprecated very soon (https://blog.torproject.org/v2-deprecation-timeline)! Read more about getting your own certificate for your onion on our blog (https://blog.torproject.org/tls-certificate-for-onion-site).
Sign now: European initiative for a ban on biometric mass surveillance
https://blog.torproject.org/sign-to-reclaim-your-face
The "Reclaim Your Face" coalition (https://reclaimyourface.eu) has launched a European Citizens' Initiative for a ban on biometric mass surveillance. European Digital Rights (EDRi) and more than fifty organizations are calling to sign the petition. One million signatures must be collected in at least seven EU countries within one year. Read more and sign the petition. (https://blog.torproject.org/sign-to-reclaim-your-face)
Onionize your Workflow with the Onion Guide Fanzine
https://blog.torproject.org/onionize-your-workflow
One way we help human rights defenders and organizations take back their right to privacy online is by helping them to use and set up onion services.
Last year, thanks to the support of Digital Defenders Partnership (https://www.digitaldefenders.org/), we wrote a series of Onion Guides intended to make it easier for our partners to correctly and safely set up their own onion services. To create these Onion Guides, we collected and improved existing disparate information about the benefits of onion services and how to set them up for a website.
You can learn more about the new Onion Guides on our blog (https://blog.torproject.org/onionize-your-workflow) and find the Onion Guide in our community portal (https://community.torproject.org/onion-services/), as well as the section on Onion Services in English (https://community.torproject.org/static/images/outreach/print/onion-guide-fanzine-EN.pdf), Spanish (https://community.torproject.org/static/images/outreach/print/onion-guide-fanzine-ES.pdf) and Portuguese (https://community.torproject.org/static/images/outreach/print/onion-guide-fanzine-PT_BR.pdf). Feel free to use it to set up your own .onion site, and let us know how it works for you!
How to contribute to the Tor metrics timeline
https://blog.torproject.org/contribute-to-tor-metrics-timeline
The metrics timeline (https://gitlab.torproject.org/tpo/metrics/timeline) is a database of news and events that may affect Tor Metrics (https://metrics.torproject.org/) graphs. This post is about how you can contribute to the timeline and help keep it up to date.
A timeline of events helps in interpreting graphs. For example, you may look at a graph and ask, "Why did the number of Tor users in Sri Lanka increase for a week in 2018?"
Checking the timeline, we find that at that time in Sri Lanka there was a block of Facebook and other services. A likely explanation for the increase of users is that people were using Tor to access the blocked services.
The metrics timeline is useful but incomplete - for example, it tends to only include events that make international news. Some past events have a start date but are missing an end date. And some events mark unusual graph features, but do not have an explanation. You can help the Tor Project and people trying to understand use of the Tor network by contributing your knowledge to the metrics timeline. Read more about contributing to the Tor metrics timeline (https://blog.torproject.org/contribute-to-tor-metrics-timeline).
New Releases
Tor Browser 10.0.14
https://blog.torproject.org/new-release-tor-browser-10014
(March 24) This version updates Desktop Firefox to 78.9.0esr. In addition, Tor Browser 10.0.14 updates NoScript to 11.2.3, and Tor to 0.4.5.7.
Tor Browser 10.5a12 (Android Only)
https://blog.torproject.org/new-release-tor-browser-105a12
(March 21) This release updates Fenix to 87.0.0-beta.2. Additionally, we update NoScript to 11.2.3 and Tor to 0.4.6.1-alpha.
Tor 0.4.6.1-alpha
https://blog.torproject.org/node/2011
(March 18) Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It improves client circuit performance, adds missing features, and improves some of our DoS handling and statistics reporting. It also includes numerous smaller bugfixes.
Tor 0.3.5.14, 0.4.4.8, and 0.4.5.7
https://blog.torproject.org/node/2009
(March 16) These releases fix a pair of denial-of-service issues. We recommend that everybody upgrade to one of the releases that fixes these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available to you.
Tor Browser 10.0.13 (Linux Only)
https://blog.torproject.org/new-release-tor-browser-10013
(March 3) This version fixes instability on some Linux distributions.
What We're Reading
"Amazon Delivery Drivers Forced to Sign 'Biometric Consent' Form or Lose Job," VICE. (https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job)
"#KeepItOn: Internet shutdowns only cause harm," Business & Human Rights Resource Centre. (https://www.business-humanrights.org/en/blog/keepiton-internet-shutdowns-only-cause-harm/)
"TikTok vs Douyin A Security and Privacy Analysis," Citizen Lab. (https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-privacy-analysis/)
"How to get affordable DV certificates for onion sites," Help Net Security. (https://www.helpnetsecurity.com/2021/03/26/how-to-get-affordable-dv-certificates-for-onion-sites/)
"T-Mobile to Share Customers' Web Browsing Data With Advertisers Unless They Opt Out," PCMag. (https://uk.pcmag.com/networking/132169/t-mobile-to-share-customers-web-browsing-data-with-advertisers-unless-they-opt-out)
"California bans 'dark patterns' that trick users into giving away their personal data," The Verge. (https://www.theverge.com/2021/3/16/22333506/california-bans-dark-patterns-opt-out-selling-data)
Published on 2021-02-28
Learning more about our users with a Tor Browser User Survey
https://blog.torproject.org/learning-more-about-tor-users
At the Tor Project we practice user-centered design. This means we put our users at the heart of our development process, making a conscious effort to understand the contexts in which people use our tools and paying particular attention to the bumps they encounter along the way.
Many digital product companies rely heavily on data gathered from invasive tracking scripts to better understand their users' behavior, further fueling the surveillance economy. However, that's not how we do things at Tor - instead, we aim to conduct research that respects the basic principles of privacy and consent: https://blog.torproject.org/strength-numbers-usable-tools-dont-need-be-invasive.
To learn more about our users, we launched a new Tor Browser User Survey: https://survey.torproject.org/index.php/217469?lang=en, also available via onion service: http://bogdyardcfurxcle.onion/index.php/217469?lang=en. We'd love to get your feedback! You can learn more about this survey, how it came about, and other opportunities to get involved in UX at Tor on our blog: https://blog.torproject.org/learning-more-about-tor-users.
Anonymous GitLab Ticketing: An Exciting New Project at Tor
https://blog.torproject.org/anonymous-gitlab
Currently, before making a bug report to one of Tor's repos, users must sign up for a GitLab account via the TicketLobby (https://gitlab.onionize.space/). Although this is the right approach for many users, it has its limitations.
A new project, the anonymous ticketing portal, is designed to circumvent these limitations, resulting in more complete, private bug reporting, and includes the following features:
- Lightning-fast, anonymous (and lazy) user interface
- Tor-flavored, data-packed, familiar project and issue views
- Super-powered SuperUsers
A test instance of this project is currently live at https://anonticket.onionize.space/, or you can see the repo itself at https://gitlab.torproject.org/tpo/tpa/anon_ticket.
Read more about the anonymous GitLab ticketing system on our blog: https://blog.torproject.org/anonymous-gitlab.
Tor in the Media: 2020
https://blog.torproject.org/tor-media-2020
This year, we're continuing a new tradition of reviewing media and news stories that mentioned Tor and the Tor Project. Our goal is to highlight what is changing (or not) in the conversation about privacy and censorship, as well as identifying the ways the media discusses Tor in the context of these challenges.
Read our review of Tor in the media in 2020 on our blog: https://blog.torproject.org/tor-media-2020.
Bug Smash Fund, Year 2: Progress So Far!
https://blog.torproject.org/tor-bug-smash-fund-yr2-progress
Last August, we asked you to help us fundraise during our second annual Bug Smash Fund campaign (https://blog.torproject.org/tor-bug-smash-fund-2020-106K-raised). This fund is designed to grow a healthy reserve earmarked for maintenance work, finding bugs, and smashing them - all tasks necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.
We want to share an update! Read about the work made possible with the Bug Smash Fund on our blog: https://blog.torproject.org/tor-bug-smash-fund-yr2-progress.
New Releases
Tor Browser 10.5a11
https://blog.torproject.org/new-release-tor-browser-105a11
This release updates Firefox to 78.8.0esr for desktop and Firefox for Android to 86.1.0. Additionally, we update Tor to 0.4.5.6 and OpenSSL to 1.1.1j.
Tor Browser 10.0.12
https://blog.torproject.org/new-release-tor-browser-10012
This version updates Desktop Firefox to 78.8.0esr and Android Firefox to 86.1.0. In addition, Tor Browser 10.0.12 updates NoScript to 11.2.2, OpenSSL to 1.1.1j, and Tor to 0.4.5.6.
Tor 0.4.5.6
https://blog.torproject.org/node/2000
This release series introduces significant improvements in relay IPv6 address discovery, a new "MetricsPort" mechanism for relay operators to measure performance, LTTng support, build system improvements to help when using Tor as a static library, and significant bugfixes. The Tor 0.4.5.x release series is dedicated to the memory of Karsten Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
Tor Browser 10.5a10 (Windows Only)
https://blog.torproject.org/new-release-tor-browser-105a10
This version updates Firefox to 78.7.1esr for Windows. This release includes important security updates to Firefox.
Tor Browser 10.5a9 (Android Only)
https://blog.torproject.org/new-release-tor-browser-105a9
This release updates Fenix to 86.0.0-beta.2. Additionally, we update NoScript to 11.2 and HTTPS Everywhere to 2021.1.27.
Tor Browser 10.0.11 (Windows Only)
https://blog.torproject.org/new-release-tor-browser-10011
This version updates Firefox to 78.7.1esr for Windows. This release includes important security updates to Firefox.
Tor Browser 10.0.10
https://blog.torproject.org/new-release-tor-browser-10010
This version increases the availability of version 3 (v3) onion services. The fix is included in the recently released stable tor versions, as well.
Tor 0.3.5.13, 0.4.3.8, and 0.4.4.7
https://blog.torproject.org/node/1990
Tor 0.4.4.7 backports numerous bugfixes from later releases, including one that made v3 onion services more susceptible to denial-of-service attacks, and a feature that makes some kinds of DoS attacks harder to perform.
Tor 0.4.5.5-rc
https://blog.torproject.org/node/1989
Tor 0.4.5.5-rc is the third release candidate in its series. This release fixes an annoyance with address detection code, and somewhat mitigates an ongoing denial-of-service attack.
We're Hiring
Metrics Data Architect
The person in this position will work directly on helping us maintain existing systems and design new systems for gathering and analyzing data. They will help the rest of the teams understand the data available to improve our tools as well as the Tor network's health. Read the full job description: https://www.torproject.org/about/jobs/metrics-data-architect/
Anti-Censorship Software Developer
This developer will be tasked with improving the user experience and process of finding alternate routes to the Tor network when global censorship events block access to the Tor network. A personal commitment to free and open source software and the application of advanced programming skills for the greater good is essential. Read the full job description. https://www.torproject.org/about/jobs/software-developer-anticensorship/
What We're Reading
"Why you should care about data privacy even if you have 'nothing to hide'," Vox. (https://www.vox.com/recode/22250897/facebook-data-privacy-collection-algorithms-extremism)
"South Sudan: Rampant abusive surveillance by NSS instils climate of fear," Amnesty International. (https://www.amnesty.org/en/latest/news/2021/02/south-sudan-abusive-surveillance-by-national-security-service-climate-of-fear/)
"Private dollars are seeding surveillance tech across the US," Smart Cities Dive. (https://www.smartcitiesdive.com/news/private-dollars-are-seeding-surveillance-tech-across-the-us/594615/)
"There Are Spying Eyes Everywhere - and Now They Share a Brain," Wired. (https://www.wired.com/story/there-are-spying-eyes-everywhere-and-now-they-share-a-brain/)
"Amazon says government demands for user data spiked by 800% in 2020," TechCrunch. (https://techcrunch.com/2021/02/01/amazon-government-demands-spiked/)
"Spotify patents tech to recommend songs based on users' speech, emotion," Axios. (https://www.axios.com/spotify-patent-users-speech-recommend-music-6c5ce99d-ca0f-4457-9b87-9d27fcc35527.html)
Published on 2021-01-29
2020 Fundraising Results: Thank You!
https://blog.torproject.org/use-a-mask-use-tor-thank-you
We are pleased to announce that in 2020, despite the cancellations of in-person events and the sharp decrease in individual donations we saw at the beginning of the pandemic, you helped us to raise $913,110 from individuals, more than any calendar year in the Tor Project's history. You contributed $376,315 of this figure during the end-of-year campaign - this includes the generous $100,000 match by the Friends of Tor. (That's a 19% increase over last year's year-end campaign.)
Thank you to everyone who made a donation in 2020! You make it possible to resist the surveillance pandemic. You've made it possible for the Tor Project and the tools we support to survive a very difficult time, and to prepare for 2021 with ambitious plans.
Visit the blog for more details about Tor's fundraising in 2020, and what we have prepared for 2021: https://blog.torproject.org/use-a-mask-use-tor-thank-you
The state of IPv6 support on the Tor network
https://blog.torproject.org/state-of-ipv6-support-tor-network
In our last article, published on RIPE's website (https://labs.ripe.net/Members/tor_grants/a-look-into-the-tor-network-work-on-supporting-ipv6), we described the work that happened in 2020 related to giving IPv6 support (https://blog.torproject.org/ipv6-future-i-hear) to the Tor network.
Tor 0.4.5.1-alpha (https://blog.torproject.org/node/1949) is the first release that includes all the work described in the RIPE article. Relays running 0.4.5.1-alpha are the first to report IPv6 bandwidth statistics.
As of December 2, 2020, 54% of the relays on the network run a version of Tor that supports IPv6. Of the 6852 relays in the network, 3587 are running version 0.4.4 (https://metrics.torproject.org/versions.html) and 8 relays are running the latest Tor version 0.4.5 (https://blog.torproject.org/node/1958). From all those, 1588 are announcing an IPv6 address and port for the OR protocol. 1587 relays are reachable on IPv6 by the directory authorities. 626 permit exiting to IPv6 targets (https://metrics.torproject.org/relays-ipv6.html).
Read more about the state of IPv6 on the Tor network on our blog: https://blog.torproject.org/state-of-ipv6-support-tor-network
In memoriam of Karsten Loesing
blog.torproject.org/in-memoriam-of-karsten-loesing
It's with deep sorrow that we share that our dear friend, colleague, and Tor core contributor Karsten Loesing passed away on the afternoon of Friday, December 18, 2020. No one is prepared for such an unimaginable loss. Our deepest sympathies go to Karsten's family at this moment, his wife and his children.
We all loved him and his contribution to the Tor Project will always be remembered from the depth of our hearts. We will be dedicating our next release of core tor to Karsten's memory.
Rest in peace, Karsten.
New Releases
Tor Browser 10.0.9
https://blog.torproject.org/new-release-tor-browser-1009
This release updates Firefox to 78.7.0esr for desktop and Firefox for Android to 85.1.0. This release includes important security updates to Firefox for Desktop, and similar important security updates to Firefox for Android.
Tor Browser 10.5a8
https://blog.torproject.org/new-release-tor-browser-105a8
This release updates Firefox to 78.7.0esr for desktop and Firefox for Android to 85.1.0. Additionally, we update Tor to 0.4.5.4-rc. This release includes important security updates to Firefox for Desktop, and similar important security updates to Firefox for Android.
Tor 0.4.5.4-rc
https://blog.torproject.org/node/1973
Tor 0.4.5.4-rc is the second release candidate in its series. It fixes several bugs present in previous releases. We expect that the stable release will be the same, or almost the same, as this release candidate, unless serious bugs are found.
Tor Browser 10.5a7
https://blog.torproject.org/new-release-tor-browser-105a7
This release updates Firefox to 78.6.1esr for desktop and Firefox for Android to 85.0.0-beta.7. Additionally, we update Tor to 0.4.5.3-rc. This version also fixes a crash seen by macOS users on the new M1 processor.
Tor Browser 10.0.8
https://blog.torproject.org/new-release-tor-browser-1008
This release updates Firefox for desktops to 78.6.1esr and Firefox for Android to 84.1.4. This version resolves instability on Apple macOS devices with the new M1 processor.
Tor 0.4.5.3-rc
https://blog.torproject.org/node/1969
Tor 0.4.5.3-rc is the first release candidate in its series. It fixes several bugs, including one that broke onion services on certain older ARM CPUs, and another that made v3 onion services less reliable.
Upcoming Events with Tor
No upcoming events.
What We're Reading
"Tor Project's crypto donations increased 23% in 2020," Coin Telegraph. (https://cointelegraph.com/news/tor-project-s-crypto-donations-increased-23-in-2020)
"Encryption is vital for attorney-client privilege in the digital era, and lawyers should fight for it," Access Now. (https://www.accessnow.org/encryption-attorney-client-privilege/)
"100 hours in the dark: How an election internet blackout hit poor Ugandans," Thomson Reuters Foundation. (https://news.trust.org/item/20210120134502-2jnhz/)
"You watch TV. Your TV watches back," The Washington Post. (https://www.washingtonpost.com/technology/2019/09/18/you-watch-tv-your-tv-watches-back/)
"Leaked Location Data Shows Another Muslim Prayer App Tracking Users," VICE. (https://www.vice.com/en/article/xgz4n3/muslim-app-location-data-salaat-first)
"DuckDuckGo surpasses 100 million daily search queries for the first
Published on 2020-12-21
Looking Forward: Tor in 2021
https://blog.torproject.org/tor-in-2021
This year has been difficult for all of us. As individuals, we've had to adapt to the new normal of COVID-19, and as an organization, the Tor Project also had to adapt to our "new normal" after we made the difficult decision to let go of one third of our organization. Although challenging, we have managed to reorganize in order to meet the goals we originally set for 2020, and now, it's time to look forward to 2021.
We have shared many of our goals for the next year, including addressing the "Tor is too slow" complaint, supporting the relay operator community, improving network health, developing a Rust Tor implementation, & unblocking Tor through outreach. Read more about our plans from our executive director, Isabela Bagueros: https://blog.torproject.org/tor-in-2021
Moving Tor from Trac to Gitlab
https://blog.torproject.org/node/1957
Tor had been using Trac (https://trac.torproject.org) until June 2020, when we moved to our self-hosted instance of Gitlab administered by the Tor sysadmin team (https://gitlab.torproject.org). We're hoping Gitlab will be a good fit because:
- Gitlab will allow us to collect our different engineering tools into a single application: Git repository handling, Wiki, Issue tracking, Code reviews, and project management tooling.
- Gitlab is well-maintained, while Trac plugins are not well maintained and Trac itself hasn't seen a release for over a year (since 2019).
- Gitlab will allow us to build a more modern approach to handling Continuous Integration for our different projects.
We spent several months fixing and testing problems on data migration, from formatting issues to addressing where the information that lived in Trac should live in Gitlab. We tested the Gitlab instance with a few projects until we jumped into migrating all data from Trac. You can read more about this migration process on our blog: https://blog.torproject.org/node/1957
Watch PrivChat #3 with Edward Snowden
https://torproject.org/privchat
For our third edition of PrivChat on December 11, we brought together some real-life Tor users who shared how Tor has been important for them and their work to defend human rights and freedoms around the world.
Hosted by Edward Snowden, PrivChat featured technologist and privacy researcher Ramy Raoof, librarian and founder of Library Freedom Project, Alison Macrina, and Africa Policy Manager and Global Internet Shutdowns Lead at Access Now, Berhan Taye.
Watch the full PrivChat: Advancing Human Rights with Tor (https://www.youtube.com/watch?v=S2N3GoewgC8), and be on the lookout for our next PrivChat in 2021.
Anti-censorship team report: November 2020
https://blog.torproject.org/anti-censorship-november-2020
Tor's anti-censorship team writes monthly reports to keep the world updated on its progress. This blog post summarizes the anti-censorship work we got done in November 2020. Let us know if you have any questions or feedback!
New Releases
Upcoming Events with Tor
Published on 2020-11-30
Use a Mask, Use Tor: Friends of Tor Matching Donations
https://blog.torproject.org/friends-of-tor-match-2020
Every dollar donated to the Tor Project now through December 31, up to $100,000, will be matched by Friends of Tor (https://torproject.org/donate/donate-usetor-tn-fot). That means your donation will be doubled. We're able to offer this match because of generous folks in our community who believe in Tor, privacy online, and the work to resist the surveillance pandemic.
Make a donation today and your gift will be matched, 1:1: https://torproject.org/donate/donate-usetor-tn-fot
Meet the Friends of Tor who generously came forward to make this match possible on our blog: https://blog.torproject.org/friends-of-tor-match-2020
You're Invited: PrivChat with Edward Snowden
The Tor Project's main mission is to advance human rights and freedoms by creating and deploying free and open source anonymity and privacy technologies. People use our technology, namely the Tor network and Tor Browser, in diverse ways. Tor is used by whistleblowers who need a safe way to bring to light information about wrongdoing -- information that is crucial for society to know -- without sharing their identity. Tor is used by activists around the world who are fighting against authoritarian governments and to defend human rights, not only for their safety and anonymity, but also to circumvent internet censorship so their voices can be heard.
For our third edition of PrivChat (https://torproject.org/privchat), we are bringing you some real-life Tor users who will share how Tor has been important for them and their work to defend human rights and freedoms around the world. Hosted by Edward Snowden, featuring technologist and privacy researcher Ramy Raoof and librarian and founder of Library Freedom Project, Alison Macrina.
Join us for PrivChat: Advancing Human Rights with Tor on December 11 at 18:00 UTC, 13:00 Eastern, 10:00 Pacific: https://www.youtube.com/watch?v=S2N3GoewgC8
State of the Onion: Tor & Community Updates from 2020
https://www.youtube.com/watch?v=IyWyTypRGWQ
Every year people from the Tor Project and its communities present the State of the Onion, a compilation of updates from our different projects, at conferences around the world. We use this opportunity to talk about highlights of the work we've accomplished during the year and what we are excited about in the upcoming year.
With the COVID-19 pandemic this year, we didn't have the chance to "tour" our State of the Onion during any face-to-face conferences. So we decided to bring the State of the Onion to you in virtual format.
We invite you to watch the full recording of State of the Onion 2020 on YouTube (https://www.youtube.com/watch?v=IyWyTypRGWQ). Our blog outlines the full program and who took part in the event (https://blog.torproject.org/state-of-the-onion-2020).
Transparency, Openness, and Our 2018 and 2019 Finances
https://blog.torproject.org/transparency-openness-and-our-2018-and-2019-financials
We publish all of our related tax documents for transparency (https://www.torproject.org/about/reports/). After completing standard audits for 2017-2018 and for 2019, our federal tax filings and audits for the last two years are available in full on our website. We've outlined some observations to help you read through the 2018 and 2019 financial documents on our blog: https://blog.torproject.org/transparency-openness-and-our-2018-and-2019-financials.
Digital security tools for human rights defenders
https://blog.torproject.org/hrd-amazon-training
Since July 2020, Narrira Lemos has been working with the Tor Project as a Bertha Fellow (https://berthafoundation.org/bertha-challenge/) to strengthen and promote digital security among individuals and organizations in the Amazonian region of Brazil, where she works with the technological challenges of the people who live there fighting to protect forests. On the blog, Nah outlines her work with rural communities, the impact of the pandemic, and how these human rights defenders use Tor Browser and other digital security tools: https://blog.torproject.org/hrd-amazon-training.
New Releases
Tor 0.4.5.2-alpha
https://blog.torproject.org/node/1958
Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. It fixes several bugs present in earlier releases, including one that made it impractical to run relays on Windows. It also adds a few small safety features.
Tor Browser 10.5a4
https://blog.torproject.org/new-release-tor-browser-105a4
This release updates Firefox to 78.5.0esr for desktop and Fenix to 83.0 for Android. Additionally, we update Tor to 0.4.5.1-alpha. This release includes important security updates both for desktop and Android users.
Tor Browser 10.0.5 (Only Desktop)
https://blog.torproject.org/new-release-tor-browser-1005
This release updates Firefox to 78.5.0esr and updates Tor to 0.4.4.6. This release includes important security updates to Firefox.
Tor Browser 10.5a3
https://blog.torproject.org/new-release-tor-browser-105a3
Tor Browser 10.5a3 updates NoScript to 11.1.5 and libevent to 2.1.12. This release includes important security updates to Firefox.
Tor 0.3.5.12, 0.4.3.7, and 0.4.4.6
https://blog.torproject.org/node/1952
Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020-005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay.
Tor Browser 10.0.4
https://blog.torproject.org/new-release-tor-browser-1004
This release updates NoScript to 11.1.5 and includes an important security update to Firefox.
Tor Browser 10.0.3 (Android Only)
https://blog.torproject.org/new-release-tor-browser-1003
After many months of design and development we are very happy to announce the release of Tor Browser 10.0.3 for Android. This is the first Android Tor Browser version in the stable 10.0 series. The Desktop version was released at the end of September. We began working on this project in April 2020 with the goal of rebuilding the Android Tor Browser on top of Mozilla's new Android Firefox Browser, Fenix. Over the last six months, we successfully achieved this goal and we reached feature parity with the previous Android Tor Browser version.
What We're Reading
"Browsing internet 'safely' on Android phones becomes easier with this new app," India Times.
https://timesofindia.indiatimes.com/gadgets-news/browsing-internet-safely-on-android-phones-becomes-easier-with-this-new-app/articleshow/79013318.cms
"How Police Can Crack Locked Phones--and Extract Information," Wired.
https://www.wired.com/story/how-police-crack-locked-phones-extract-information/
"The best way to fight election disinformation is to fight surveillance capitalism," Fight for the Future.
https://fightfortheftr.medium.com/the-best-way-to-fight-election-disinformation-is-to-fight-surveillance-capitalism-d5d835683a9e
"Crypto Wallet Trezor Incorporates 'Tor Switch' in its Desktop App for Increased Privacy," Bitcoin Exchange Guide.
https://bitcoinexchangeguide.com/crypto-wallet-trezor-incorporates-tor-switch-in-its-desktop-app-for-increased-privacy/
"How the U.S. Military Buys Location Data from Ordinary Apps," Motherboard.
https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
"Tor Project rolls out program to turbo-charge network throughput," The Daily Swig.
https://portswigger.net/daily-swig/tor-project-rolls-out-program-to-turbo-charge-network-throughput
"'Incognito Mode' Is Actually Pretty Useless," VICE.
https://www.vice.com/en/article/y3gzgb/incognito-mode-is-actually-pretty-useless
Upcoming Events with Tor
(ICYMI) Anonymity loves Diversity: The Case of Tor (Foss-North), November 1st, 2020.
https://youtu.be/lBjZOvA2kF4
(ICYMI) State of the Onion: Tor & Community Updates from 2020, November 16, 2020.
https://www.youtube.com/watch?v=IyWyTypRGWQ
Join Our Community
Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://community.torproject.org/relay/
Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet
Learn about each of our teams and start collaborating: https://gitlab.torproject.org/tpo/team#Teams
Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org
Published on 2020-10-29
Use A Mask, Use Tor: Resist the Surveillance Pandemic
https://blog.torproject.org/use-a-mask-use-tor
As many friends and followers of Tor know by now, we spend the final weeks of each year asking for your help as part of our year-end fundraising campaign (https://torproject.org/donate/donate-usetor-tn1). This year hasn't been a normal year at all, not for Tor and not for the rest of the world.
For our 2020 campaign, we wanted a theme that conveys a positive message and speaks to the power of community action. That's why we decided on the theme Use a Mask, Use Tor.
To put it simply, using a mask keeps yourself and your communities safe in person. Using Tor keeps yourself and your communities safe online. Both tools help to conceal your identity, can break systems of surveillance, and their widespread use can promote the health of communities while undermining the power of systems bent on dividing us. Using a mask and using Tor helps us stand in solidarity with one another.
Use a mask, use Tor. And now, use your Tor mask! Make a donation of $50 and receive a limited-edition Tor mask: https://torproject.org/donate/donate-usetor-tn1
Every donation made from now through the end of 2020 will count towards our year-end campaign. Be on the lookout for events, giveaways, and new merch available from now until December 31. Read more about the campaign on our blog: https://blog.torproject.org/use-a-mask-use-tor
Tor Browser and Onion Services: Challenges and Opportunities
https://blog.torproject.org/tor-brower-onion-services-challenges-opportunities
Maintaining a browser like Tor Browser has its challenges but also its rewards. It allows us to reach faster adoption of important technologies like onion services, providing a more secure browsing experience for all Tor users. Improving the treatment of onion services on the browser side, however, comes with its own challenges both for users and service providers and it is important to reflect on those as a requirement for future growth.
Thus, we feel it is time to take stock and outline the steps we have taken over the years to improve the user experience and adoption of onion services, the challenges we faced and continue to face, and what the future might look like.
Check out our blog post for how we got where we are today, our challenges, and what's next for Tor Browser and onion services: https://blog.torproject.org/tor-brower-onion-services-challenges-opportunities
Join the Tor Localization Hackathon November 6 - 9
https://blog.torproject.org/tor-l10n-hackathon
Between November 6 and 9, the Tor Project and Localization Lab (https://www.localizationlab.org/) will host the first edition of Tor Project's localization hackathon, the Tor L10n Hackathon. A hackathon is an event where a community hangs out and works together to update, fix, and collaborate on a project. The L10n Hackathon is a totally remote and online event.
In this localization hackathon we're going to work exclusively on the localization of our latest resource, the Tor Community portal. Find out how to join the hackathon on our blog: https://blog.torproject.org/tor-l10n-hackathon
Anti-censorship team report: September 2020
https://blog.torproject.org/anti-censorship-september-2020
Tor's anti-censorship team writes monthly reports to keep the world updated on its progress. This blog post summarizes the anti-censorship work we got done in September 2020. Let us know if you have any questions or feedback!
New Releases
Tor Browser 10.0a9 (Android Only)
https://blog.torproject.org/new-release-tor-browser-100a9
Tor Browser 10.0a9 ships with Fenix 82.1.1. As this is the second alpha version based on Fenix we expect more bugs than usual. Please report them (with steps to reproduce), either on our blog or on Gitlab, or essentially with any other means that would reach us. We are in particular interested in potential proxy bypasses which our proxy audit missed.
Tor Browser 10.5a2
https://blog.torproject.org/new-release-tor-browser-105a2
Tor Browser 10.5a2 ships with Firefox 78.4.0esr, updates NoScript to 11.1.3, and OpenSSL to 1.1.1h. This release includes important security updates to Firefox. Tor Browser 10.5 does not support CentOS 6.
Tor Browser 10.0.2
https://blog.torproject.org/new-release-tor-browser-1002
This release updates Firefox to 78.4.0esr and NoScript to 11.1.3. This release includes important security updates to Firefox. Now Javascript on the Safest security level is governed by NoScript again.
Tor Browser 10.0.1
https://blog.torproject.org/new-release-tor-browser-1001
This release updates NoScript to 11.1.1 and fixes some bugs, including the issue of watching YouTube videos on Windows.
Tor Browser 10.0a8 (Android Only)
https://blog.torproject.org/new-release-tor-browser-100a8
We are happy to announce the first alpha for Android users based on Fenix 81. The Desktop version was released at the end of September. Over the last four months we adjusted our toolchains, finished our proxy audit, re-implemented the user interfaces, and fixed a lot of issues that came down on us due to the switch from Firefox 68esr to Fenix.
What We're Reading
"The Police Can Probably Break Into Your Phone," The New York Times.
https://www.nytimes.com/2020/10/21/technology/iphone-encryption-police.html
"Onions on the side: Tracking Tor availability for reader privacy on major news sites," Freedom of the Press Foundation.
https://freedom.press/news/onions-side-tracking-tor-availability-reader-privacy-major-news-sites/
"Amazon Unveils Drone That Films Inside Your Home. What Could Go Wrong?" The New York Times.
https://www.nytimes.com/2020/09/24/technology/amazon-ring-drone.html
"Bitcoin's Next Upgrade Will Support Tor V3 Addresses," Decrypt.
https://decrypt.co/44640/bitcoins-next-upgrade-will-support-tor-v3-addresses
"CBP Bought 'Global' Location Data from Weather and Game Apps," Motherboard.
https://www.vice.com/en/article/n7wakg/cbp-dhs-location-data-venntel-apps
"Introducing Onion Names for SecureDrop," SecureDrop.
https://securedrop.org/news/introducing-onion-names-securedrop/
"Google is giving data to police based on search keywords, court docs show," CNet.
https://www.cnet.com/news/google-is-giving-data-to-police-based-on-search-keywords-court-docs-show/
Upcoming Events with Tor
Anonymity loves Diversity: The Case of Tor (Foss-North), November 1st, 2020 @ 16:00 - 17:00 (CET).
https://blog.torproject.org/foss-north-2020
Tor Localization Hackathon, November 6 - 9, 2020.
https://blog.torproject.org/node/1946
State of the Onion: Tor & Community Updates from 2020, November 16, 2020 @ 16:00 - 18:00 UTC.
https://blog.torproject.org/state-of-the-onion-2020
Tor Talk at GNU Health Conference 2020, November 20, 2020
https://blog.torproject.org/tor-ghcon-2020
Tor introduction @ LHC (Campinas), November 26 @ 23:00 UTC
https://blog.torproject.org/tor-intro-lhc-2020
Published on 2020-09-29
Updates on the Tor Project's Board
https://blog.torproject.org/welcome-new-tor-board-members
We would like to share some updates regarding the Tor Project's Board. Two members are stepping down, Megan Price and Shari Steele. Both provided great contributions to the Board that Tor will always be thankful for, and we are grateful to have them as supporters and friends of Tor.
To move forward we decided to invite two new members. We are happy to say both have accepted our invitation and joined the Board: Rabbi Rob, the founder and CEO of Team Cymru, and Chelsea Komlo, cryptography and privacy researcher and engineer.
Tor's Bug Smash Fund, Year 2: $106,709 Raised!
https://blog.torproject.org/tor-bug-smash-fund-2020-106K-raised
This August, we asked you to help us fundraise for our second annual Bug Smash Fund campaign. This fund is designed to grow a healthy reserve earmarked for maintenance work, finding bugs, and smashing them--all tasks necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly.
In 2019, we raised $86,081, half of which we raised in-person at DEFCON.
In 2020, despite the challenges of COVID-19 and event cancellations, you helped us to raise $106,709!
Censored continent: understanding the use of tools during information controls in Africa: Nigeria, Cameroon, Uganda, and Zimbabwe as case studies.
https://blog.torproject.org/icfp-otf-censored-continent
Between 2019 and 2020, the Tor Project has had the opportunity to serve as the host organization of OTF Information Controls Fellow, Babatunde Okunoye.
As part of his fellowship, Babatunde examined the use of Internet censorship circumvention tools in Cameroon, Nigeria, Uganda, and Zimbabwe, four countries in Africa with varying degrees of Internet censorship, including Internet bandwidth throttling, social media app restrictions, and website blocks. Interviews were done with 33 people, including students, civil society members, people in business, and teachers, revealing how communities mobilized to defeat censorship.
Anti-censorship team report: August 2020
https://blog.torproject.org/anti-censorship-august-2020
Tor's anti-censorship team writes monthly reports to keep the world updated on its progress. This blog post summarizes the anti-censorship work we got done in August 2020. Let us know if you have any questions or feedback!
GSoC 2020: Snowflake Proxy on Mobile
https://blog.torproject.org/gsoc-2020-snowflake-proxy-mobile
Every year the Tor Project hosts interns through programs like Outreachy and Google Summer of Code. Hashik worked with our anti-censorship team on bringing Snowflake proxy to Android. We are happy that Hashik had a great time at the Tor Project.
"Tor's community is very welcoming; all the Tor core developers are down to earth, humble, and easy to approach for any technical difficulty. Any interested person can barge into their IRC channels and ask any question, and either the developers or the fellow folks in the community would answer our questions."
New Releases
Tor 0.4.4.5
https://blog.torproject.org/node/1921
This series improves our guard selection algorithms, adds v3 onion balance support, improves the amount of code that can be disabled when running without relay support, and includes numerous small bugfixes and enhancements. It also lays the ground for some IPv6 features that we'll be developing more in the next (0.4.5) series.
Tor Browser 10
https://blog.torproject.org/new-release-tor-browser-100
Tor Browser 10 ships with Firefox 78.3.0esr, updates NoScript to 11.0.44, and Tor to 0.4.4.5. This release includes important security updates to Firefox.
Android Tor Browser 10 is under active development and we are supporting the current 9.5 series for Android until the new one is ready. We are informed by Mozilla of any issues they learn about affecting the 9.5 series. We expect to release the new Tor Browser for Android based on Fenix in the following weeks.
Tails 4.11
https://blog.torproject.org/new-release-tails-411
This release fixes many security vulnerabilities. You should upgrade as soon as possible.
Tor Browser 10.0a7
https://blog.torproject.org/new-release-tor-browser-100a7
We are happy to announce the third alpha for desktop users based on Firefox 78 ESR. The Android version is under active development and will be available in the coming weeks.
Tor Browser 10.5a1
https://blog.torproject.org/new-release-tor-browser-105a1
Tor Browser 10.5a1 ships with Firefox 78.3.0esr, updates NoScript to 11.0.44, and Tor to 0.4.4.5.
What We're Reading
"Portland, Oregon, passes toughest ban on facial recognition in US," CNET.
https://www.cnet.com/google-amp/news/portland-passes-the-toughest-ban-on-facial-recognition-in-the-us/
"We made the largest Mexican telecommunications operator stop blocking secure internet," GlobalVoices.
https://globalvoices.org/2020/09/08/we-made-the-largest-mexican-telecommunications-operator-stop-blocking-secure-internet/
"Free VPNs are bad for your privacy," Tech Crunch.
https://techcrunch.com/2020/09/24/free-vpn-bad-for-privacy/
"Trump cuts aid for pro-democracy groups in Belarus, Hong Kong and Iran," The Guardian.
https://www.theguardian.com/us-news/2020/sep/24/trump-open-technology-fund-hong-kong-belarus-iran
"U.S. court: Mass surveillance program exposed by Snowden was illegal," Reuters.
https://www.reuters.com/article/us-usa-nsa-spying/u-s-court-mass-surveillance-program-exposed-by-snowden-was-illegal-idUSKBN25T3CK
"Remote Learning During Pandemic Brings Privacy Risks," The Wall Street Journal.
https://www.wsj.com/articles/remote-learning-during-pandemic-brings-privacy-risks-11599039000
"Zimbabwe's Speedy Social Media Law Is Africa's Latest Internet Censorship Plot," WT.
https://weetracker.com/2020/08/31/zimbabwe-africa-social-media-laws/
"Private Intel Firm Buys Location Data to Track People to their 'Doorstep'," Motherboard.
https://www.vice.com/en_us/article/qj454d/private-intelligence-location-data-xmode-hyas
Upcoming Events with Tor
Roger keynotes at CyberSec&AI, October 8, 2020.
https://blog.torproject.org/node/1925
Join Our Community
Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://community.torproject.org/relay/
Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet
Learn about each of our teams and start collaborating: https://trac.torproject.org/projects/tor/wiki/WikiStart#Teams
Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org
Published on 2020-08-31
Security news, Bug Smash Fund, #MoreOnionsPorFavor
Hello Tor community,
This month, we decided to write a slightly different newsletter. We want to answer questions you may have regarding news about Tor's security.
First, Tor is a secure tool to use. For perspective on how the Tor Project makes decisions about security and development, we'll start with a tweet from Edward Snowden (https://twitter.com/snowden/status/1165391734823669761?lang=en): "I wouldn't expect any system to be totally secure, much less remain secure forever in the face of adversary advances, but that is not the claim. Security is the process of choosing between "less safe" and "more safe" and continuing to fork towards safety until you reach 'safe enough.'"
Snowden is right. Like all software, Tor development is a process. The Tor daemon, Tor Browser, onion services, pluggable transports, and the many other pieces of software we develop are just like any other piece of software - they will have bugs. We are always working to make Tor safer for the largest number of users by prioritizing the most impactful changes.
In that spirit, we'd like to talk about two clusters of reports and the action we've taken.
You may have heard about a series of bugs in Tor being reported as "0-days." These bugs aren't 0-days. Many of them are open in our bug tracker. We have triaged these tickets and determined they are not high priority, and they do not harm our users' anonymity. We explained more about our decision process regarding these bugs, and what comes next, in a tweet (https://twitter.com/torproject/status/1288955073322602496).
You may have heard about a group of exit relays running sslstrip attacks on the Tor network in May and June 2020. This attack targeted unencrypted HTTP connections to a small number of cryptocurrency exchange websites, and left other traffic alone. These relays have been monitored and excluded from the Tor network since they've joined. You can read the full details about the attack, and the next steps to mitigation, on our blog (https://blog.torproject.org/bad-exit-relays-may-june-2020). Monitoring the Tor network continuously is very important in catching these kinds of attacks, and given our limited capacity, you can help by donating (https://donate.torproject.org) to help increase our network monitoring capacity, running your own relay (https://community.torproject.org/relay/), or reporting bad relays (https://community.torproject.org/relay/community-resources/bad-relays/).
These reports point to some truths about the Tor Project: (1) We have finite capacity, which has been exacerbated by the financial need to lay off 1/3 of our staff in April. (2) Given our finite capacity, we have to triage and prioritize the work that has the highest impact for our users. (3) We can improve communication with our volunteers, contributors, and users so that our decision making process, and the priority of user security, is more clear. Like this newsletter.
Our blog is another important resource for updates on what's happening in the Tor world, and is one of the places we will use to improve our communication. This month we published a blog post outlining the two methods we are considering to mitigate DDoS attacks on the Tor network (https://blog.torproject.org/stop-the-onion-denial), which is an example of how we like to discuss problems and potential solutions. We've also begun posting monthly reports on anti-censorship activities (https://blog.torproject.org/anti-censorship-july-2020) so you can keep up with our work in this area.
We believe that transparency builds trust. Our work is available for anyone to review and use to learn about Tor. Our code is open. Our development meetings and discussions are open on IRC and mailing list. We welcome those who would like to help review our work for security issues, and when they are found, to use responsible disclosure to report them.
Isabela Bagueros
Executive Director
Final day to donate to the Bug Smash Fund
https://blog.torproject.org/tor-bug-smash-fund-2020
Today, August 31, is the final day of the Bug Smash Fund campaign (https://blog.torproject.org/tor-bug-smash-fund-2020). We owe you a big thank you. This campaign has been more successful than 2019's, even though we had to overcome a loss of donations from cancelled in-person events. If you haven't made a contribution to the Bug Smash Fund, and want to help us build a reserve of funds that goes towards finding and fixing bugs and conducting routine maintenance, you still have a chance. Make a donation before the end of the day on August 31 (https://donate.torproject.org), and your contribution will help us smash all the bugs.
End of #MoreOnionsPorFavor campaign
https://blog.torproject.org/more-onions-end-of-campaign
Over the last month, onion services operators and our broad community celebrated and deployed a brand new feature called Onion-Location (https://support.torproject.org/onionservices/onion-location/). The feature, a purple pill in the URL bar, advertises to users that there's a more secure way to connect to a site by using onion services. Over 60 organisations and individuals -- small, medium, and large onions -- have reached out to us to be part of this campaign. Read more about the success of #MoreOnionsPorFavor (https://blog.torproject.org/more-onions-end-of-campaign).
New Releases
Tor Browser 10.0a6
https://blog.torproject.org/new-release-tor-browser-100a6
This release ships with Firefox 78.2.0esr, and updates NoScript to 11.0.39. Full changelog.
Tor Browser 9.5.4
https://blog.torproject.org/new-release-tor-browser-954
This release updates Firefox to 68.12.0esr, NoScript to 11.0.38, and HTTPS Everywhere to 2020.08.13. Full changelog.
Tor Browser 10.0a5
https://blog.torproject.org/new-release-tor-browser-100a5
This release ships with Firefox 78.1.0esr but there are a lot more changes that we included compared to the previous alpha version. Full changelog.
0.4.4.4-rc
https://blog.torproject.org/node/1908
Tor 0.4.4.4-rc is the first release candidate in its series. It fixes several bugs in previous versions, including some that caused annoying behavior for relay and bridge operators. Full changelog.
What We're Reading
"Así logramos que el más grande operador de telecomunicaciones mexicano dejara de bloquear la internet segura," GlobalVoices.
https://es.globalvoices.org/2020/08/18/asi-logramos-que-el-mas-grande-operador-de-telecomunicaciones-mexicano-dejara-de-bloquear-la-internet-segura/
"A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts," ZDNet.
https://www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/
"Roger Dingledine of the Tor Project talks privacy and COVID-19 apps," Avast.
https://blog.avast.com/cybersecai-connected-qa-with-roger-dingledine-avast
"Poll reveals Americans data privacy frustrations," Axios.
https://www.axios.com/exclusive-poll-reveals-americans-data-privacy-frustrations-16514f76-ff5e-4df1-929e-6ba259268023.html
"A new technique can detect newer 4G 'stingray' cell phone snooping," Tech Crunch.
https://techcrunch.com/2020/08/05/crocodile-hunter-4g-stingray-cell/
"The Age of Mass Surveillance Will Not Last Forever," WIRED.
https://www.wired.com/story/the-age-of-mass-surveillance-will-not-last-forever/
Upcoming Events with Tor
(ICYMI) Walking Onions @ USENIX Security Symposium (recorded virtual event), August 12-14, 2020.
https://www.usenix.org/conference/usenixsecurity20/presentation/komlo
(ICYMI) PrivChat #2 | The Good, the Bad, and the Ugly of Censorship Circumvention (recorded virtual event), August 28.
https://www.youtube.com/watch?v=aOOChyMCZH4
--
The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.
Twitter: https://twitter.com/torproject
Facebook: https://facebook.com/torproject
Instagram: https://instagram.com/torproject
Mastodon: http://mastodon.social/@torproject
Published on 2020-07-31
Tor's Bug Smash Fund: Year Two!
https://blog.torproject.org/tor-bug-smash-fund-2020
The Bug Smash Fund is back for its second year. In 2019, we launched Tor's Bug Smash Fund (https://blog.torproject.org/tors-bug-smash-fund-help-tor-smash-all-bugs) to find and fix bugs in our software and conduct routine maintenance. Maintenance isn't a flashy new feature, and that makes it less interesting to many traditional funders, but it's what keeps the reliable stuff working--and with your support, we were able to close 77 tickets as a result.
These bugs and issues ranged from maintenance on mechanisms for sending bridges via email and collecting metrics data to improving tor padding, testing, onion services, documentation, Tor Browser UX, and tooling for development. This work keeps Tor Browser, the Tor network, and the many tools that rely on Tor (https://blog.torproject.org/strength-numbers-entire-ecosystem-relies-tor) strong, safe, and running smoothly.
And there's so much more we can accomplish. Nineteen tickets tagged BugSmashFund (https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues?label_name%5B%5D=BugSmashFund&scope=all&state=all) are still open, and as you know, a big part of building software is ensuring that you can address issues when you find them. As such, starting August 1, every donation we receive during the month of August will count towards the Bug Smash Fund 2020.
Learn more about the Bug Smash Fund and how to contribute: https://blog.torproject.org/tor-bug-smash-fund-2020
#MoreOnionsPorfavor: Onionize your website and take back the internet
https://blog.torproject.org/more-onions-porfavor
Starting July 8th through August 10th, the Tor Project is running a campaign called #MoreOnionsPorfavor to raise awareness about onion sites, that is, websites available over onion services. We recently released a feature called Onion-Location in Tor Browser that announces to users if a website has an onion site available.
Many web administrators have already joined us and made their websites available over onion services and Onion-Location. For example, ProPublica, DEF CON, Privacy International, Riseup.net, Systemli.org, and Write.as.
Join us to make a more secure web! To participate, enable Onion-Location, share your onion site using the hashtag #MoreOnionsPorFavor on your favorite social media, and we'll select some onion service operators to receive Tor swag. Find out how to launch your onion service and set up Onion-Location: https://blog.torproject.org/more-onions-porfavor
Onion Service version 2 deprecation timeline
https://blog.torproject.org/v2-deprecation-timeline
More than 15 years ago, Onion Service (at the time named Hidden Service) saw the light of day. It was initially an experiment to learn more about what the Tor Network could offer. The protocol reached its version 2 soon after deployment.
Version 2 developed into a strong, stable product that has been used for over a decade. Since then, onion service adoption has increased drastically, from the .onion TLD being standardized by ICANN, to SSL certificates being issued to .onion addresses. Today, onion services support an ecosystem of client applications: from web browsing to file sharing and private messaging.
In 2015, a large-scale development effort spanning over 3 years resulted in onion services version 3. On January 9th 2018, Tor version 0.3.2.9 was released, the first tor to support onion service version 3. Every single relay on the Tor network now supports version 3. It is also today's default version when creating an onion service.
With onions v3 standing strong, we are in a good position to retire v2. It has completed its course and provided security and privacy to countless people around the world. But more importantly, v2 has created and propelled a new era of private and secure communication. Prepare for v2 retirement with our planned deprecation timeline: https://blog.torproject.org/v2-deprecation-timeline.
New Releases
Tor 0.3.5.11, 0.4.2.8, and 0.4.3.6 (with security fixes)
https://blog.torproject.org/new-release-tor-03511-0428-0436-security-fixes
These releases fix TROVE-2020-001, a medium-severity denial of service vulnerability affecting all versions of Tor when compiled with the NSS encryption library. (This is not the default configuration.)
Tor 0.4.4.2-alpha
https://blog.torproject.org/node/1899
This is the second alpha release in the 0.4.4.x series. It fixes a few bugs in the previous release, and solves a few usability, compatibility, and portability issues.
Tor Browser 10.0a3
https://blog.torproject.org/new-release-tor-0441-alpha
This is an Android-only release. It updates Firefox to 68.10.1esr and features important security updates to Firefox.
Tor Browser 9.5.2
https://blog.torproject.org/new-release-tor-browser-952
This release updates Firefox to 68.10.1esr. It also includes important security updates to Firefox.
Tor Browser 10.0a2
https://blog.torproject.org/new-release-tor-browser-100a2
This release updates Firefox to 68.10.0esr, Tor to 0.4.4.1-alpha, and NoScript to 11.0.32. This release also includes important security updates to Firefox.
What We're Reading
"Homeland Security worries COVID-19 masks are breaking facial recognition, leaked document shows," The Intercept.
https://theintercept.com/2020/07/16/face-masks-facial-recognition-dhs-blueleaks/
"Appeals court blocks Trump appointee's takeover of web nonprofit," Politico.
https://www.politico.com/news/2020/07/21/appeals-court-trump-appointees-web-nonprofit-375753
"A New Map Shows the Inescapable Creep of Surveillance," WIRED.
https://www.wired.com/story/atlas-of-surveillance-eff-law-enforcement-map/
"The Trump Administration is Attacking Critical Internet Privacy Tools," Vice.
https://www.vice.com/en_us/article/v7gz4d/the-trump-administration-is-attacking-critical-internet-privacy-tools
"How to Check Your Devices for Stalkerware," WIRED.
https://www.wired.com/story/how-to-check-for-stalkerware/
"EFF to Court: Trump Appointee's Removal of Open Technology Fund Leadership Is Unlawful," EFF.
https://www.eff.org/press/releases/eff-court-trump-appointees-removal-open-technology-fund-leadership-unlawfu
Upcoming Events with Tor
(ICYMI) Privacy Enhancing Technologies Symposium (recorded virtual event), July 13-17, 2020.
https://blog.torproject.org/pets-2020
(ICYMI) Tor Project @ Rightscon: The Case for Privacy By Design, June 27, 2020.
https://blog.torproject.org/rightscon-2020
Bornhack (DK), August 11-18, 2020.
https://blog.torproject.org/bornhack-2020
Walking Onions @ USENIX Security Symposium (virtual event), August 12-14, 2020.
https://blog.torproject.org/usenix-security-2020
Join Our Community
Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://community.torproject.org/relay/
Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet
Learn about each of our teams and start collaborating: https://trac.torproject.org/projects/tor/wiki/WikiStart#Teams
Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org
--
The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.
Twitter: https://twitter.com/torproject
Facebook: https://facebook.com/torproject
Instagram: https://instagram.com/torproject
Mastodon: http://mastodon.social/@torproject