Security news, Bug Smash Fund, #MoreOnionsPorFavor

Published on 2020-08-31

Hello Tor community,

This month, we decided to write a slightly different newsletter. We want to answer questions you may have regarding news about Tor’s security.

First, Tor is a secure tool to use. For perspective on how the Tor Project makes decisions about security and development, we’ll start with a tweet from Edward Snowden (https://twitter.com/snowden/status/1165391734823669761?lang=en): "I wouldn’t expect any system to be totally secure, much less remain secure forever in the face of adversary advances, but that is not the claim. Security is the process of choosing between 'less safe' and 'more safe' and continuing to fork towards safety until you reach 'safe enough.'"

Snowden is right. Like all software, Tor development is a process. The Tor daemon, Tor Browser, onion services, pluggable transports, and the many other pieces of software we develop are just like any other piece of software - they will have bugs. We are always working to make Tor safer for the largest number of users by prioritizing the most impactful changes.

In that spirit, we’d like to talk about two clusters of reports and the action we’ve taken.

  1. You may have heard about a series of bugs in Tor being reported as “0-days.” These bugs aren’t 0-days. Many of them are open in our bug tracker. We have triaged these tickets and determined they are not high priority, and they do not harm our users' anonymity. We explained more about our decision process regarding these bugs, and what comes next, in a tweet (https://twitter.com/torproject/status/1288955073322602496).

  2. You may have heard about a group of exit relays running sslstrip attacks on the Tor network in May and June 2020. This attack targeted unencrypted HTTP connections to a small number of cryptocurrency exchange websites, and left other traffic alone. These relays have been monitored and excluded from the Tor network since they’ve joined. You can read the full details about the attack, and the next steps to mitigation, on our blog (blog.torproject.org/bad-exit-relays-may-june-2020). Monitoring the Tor network continuously is very important in catching these kinds of attacks, and given our limited capacity, you can help by donating (https://donate.torproject.org) to help increase our network monitoring capacity, running your own relay (https://community.torproject.org/relay/), or reporting bad relays (https://community.torproject.org/relay/community-resources/bad-relays/).

These reports point to some truths about the Tor Project: (1) We have finite capacity, which has been exacerbated by the financial need to lay off 1/3 of our staff in April. (2) Given our finite capacity, we have to triage and prioritize the work that has the highest impact for our users. (3) We can improve communication with our volunteers, contributors, and users so that our decision making process, and the priority of user security, is more clear. Like this newsletter.

Our blog is another important resource for updates on what’s happening in the Tor world, and is one of the places we will use to improve our communication. This month we published a blog post outlining the two methods we are considering to mitigate DDoS attacks on the Tor network (https://blog.torproject.org/stop-the-onion-denial), which is an example of how we like to discuss problems and potential solutions. We’ve also begun posting monthly reports on anti-censorship activities (https://blog.torproject.org/anti-censorship-july-2020) so you can keep up with our work in this area.

We believe that transparency builds trust. Our work is available for anyone to review and use to learn about Tor. Our code is open. Our development meetings and discussions are open on IRC and mailing list. We welcome those who would like to help review our work for security issues, and when they are found, to use responsible disclosure to report them.

Isabela Bagueros, Executive Director

Final day to donate to the Bug Smash Fund

https://blog.torproject.org/tor-bug-smash-fund-2020

Today, August 31, is the final day of the Bug Smash Fund campaign (https://blog.torproject.org/tor-bug-smash-fund-2020). We owe you a big thank you. This campaign has been more successful than 2019’s, even though we had to overcome a loss of donations from cancelled in-person events. If you haven’t made a contribution to the Bug Smash Fund, and want to help us build a reserve of funds that goes towards finding and fixing bugs and conducting routine maintenance, you still have a chance. Make a donation before the end of the day on August 31 (https://donate.torproject.org), and your contribution will help us smash all the bugs.

End of #MoreOnionsPorFavor campaign

https://blog.torproject.org/more-onions-end-of-campaign

Over the last month, onion services operators and our broad community celebrated and deployed a brand new feature called Onion-Location (https://support.torproject.org/onionservices/onion-location/). The feature, a purple pill in the URL bar, advertises to users that there’s a more secure way to connect to a site by using onion services. Over 60 organisations and individuals -- small, medium, and large onions -- have reached out to us to be part of this campaign. Read more about the success of the #MoreOnionsPorFavor campaign (https://blog.torproject.org/more-onions-end-of-campaign).

New Releases

Tor Browser 10.0a6

https://blog.torproject.org/new-release-tor-browser-100a6

This release ships with Firefox 78.2.0esr, and updates NoScript to 11.0.39.

Tor Browser 9.5.4

https://blog.torproject.org/new-release-tor-browser-954

This release updates Firefox to 68.12.0esr, NoScript to 11.0.38, and HTTPS Everywhere to 2020.08.13.

Tor Browser 10.0a5

https://blog.torproject.org/new-release-tor-browser-100a5

This release ships with Firefox 78.1.0esr but there are a lot more changes that we included compared to the previous alpha version.

Tor 0.4.4.4-rc

https://blog.torproject.org/node/1908

Tor 0.4.4.4-rc is the first release candidate in its series. It fixes several bugs in previous versions, including some that caused annoying behavior for relay and bridge operators.

What We're Reading

"Así logramos que el más grande operador de telecomunicaciones mexicano dejara de bloquear la internet segura," GlobalVoices. https://es.globalvoices.org/2020/08/18/asi-logramos-que-el-mas-grande-operador-de-telecomunicaciones-mexicano-dejara-de-bloquear-la-internet-segura/

"A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts," ZDNet. https://www.zdnet.com/article/a-quarter-of-the-alexa-top-10k-websites-are-using-browser-fingerprinting-scripts/

"Roger Dingledine of the Tor Project talks privacy and COVID-19 apps," Avast. https://blog.avast.com/cybersecai-connected-qa-with-roger-dingledine-avast

"Poll reveals Americans data privacy frustrations," Axios. https://www.axios.com/exclusive-poll-reveals-americans-data-privacy-frustrations-16514f76-ff5e-4df1-929e-6ba259268023.html

"A new technique can detect newer 4G 'stingray' cell phone snooping," TechCrunch. https://techcrunch.com/2020/08/05/crocodile-hunter-4g-stingray-cell/

"The Age of Mass Surveillance Will Not Last Forever," WIRED. https://www.wired.com/story/the-age-of-mass-surveillance-will-not-last-forever/

Upcoming Events with Tor

(ICYMI) Walking Onions @ USENIX Security Symposium (recorded virtual event), August 12-14, 2020. https://www.usenix.org/conference/usenixsecurity20/presentation/komlo

(ICYMI) PrivChat #2 | The Good, the Bad, and the Ugly of Censorship Circumvention (recorded virtual event), August 28. https://www.youtube.com/watch?v=aOOChyMCZH4

Join Our Community

Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://community.torproject.org/relay/

Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet

Learn about each of our teams and start collaborating: https://trac.torproject.org/projects/tor/wiki/WikiStart#Teams

Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org

--

The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.

Twitter: https://twitter.com/torproject

Facebook: https://facebook.com/torproject

Instagram: https://instagram.com/torproject

Mastodon: http://mastodon.social/@torproject

Tor's Bug Smash Fund: Year Two!

Published on 2020-07-31

https://blog.torproject.org/tor-bug-smash-fund-2020

The Bug Smash Fund is back for its second year. In 2019, we launched Tor’s Bug Smash Fund (https://blog.torproject.org/tors-bug-smash-fund-help-tor-smash-all-bugs) to find and fix bugs in our software and conduct routine maintenance. Maintenance isn’t a flashy new feature, and that makes it less interesting to many traditional funders, but it’s what keeps the reliable stuff working--and with your support, we were able to close 77 tickets as a result.

These bugs and issues ranged from maintenance on mechanisms for sending bridges via email and collecting metrics data to improving tor padding, testing, onion services, documentation, Tor Browser UX, and tooling for development. This work keeps Tor Browser, the Tor network, and the many tools that rely on Tor (https://blog.torproject.org/strength-numbers-entire-ecosystem-relies-tor) strong, safe, and running smoothly.

And there’s so much more we can accomplish. Nineteen tickets tagged BugSmashFund (https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues?label_name%5B%5D=BugSmashFund&scope=all&state=all) are still open, and as you know, a big part of building software is ensuring that you can address issues when you find them. As such, starting August 1, every donation we receive during the month of August will count towards the Bug Smash Fund 2020.

Learn more about the Bug Smash Fund and how to contribute: https://blog.torproject.org/tor-bug-smash-fund-2020

#MoreOnionsPorfavor: Onionize your website and take back the internet

https://blog.torproject.org/more-onions-porfavor

Starting July 8th through August 10th, the Tor Project is running a campaign called #MoreOnionsPorfavor to raise awareness about onion sites, that is, websites available over onion services. We recently released a feature called Onion-Location in Tor Browser that announces to users if a website has an onion site available.

Many web administrators have already joined us and made their websites available over onion services and Onion-Location. For example, ProPublica, DEF CON, Privacy International, Riseup.net, Systemli.org, and Write.as.

Join us to make a more secure web! To participate, enable Onion-Location, share your onion site using the hashtag #MoreOnionsPorFavor on your favorite social media, and we'll select some onion service operators to receive Tor swag. Find out how to launch your onion service and set up Onion-Location: https://blog.torproject.org/more-onions-porfavor

Onion Service version 2 deprecation timeline

https://blog.torproject.org/v2-deprecation-timeline

More than 15 years ago, Onion Service (at the time named Hidden Service) saw the light of day. It was initially an experiment in order to learn more on what the Tor Network could offer. The protocol reached its version 2 soon after deployment.

Version 2 developed into a strong, stable product that has been used for over a decade. Since then, onion service adoption has increased drastically, from the .onion TLD being standardized by ICANN, to SSL certificates being issued to .onion addresses. Today, onion services support an ecosystem of client applications: from web browsing to file sharing and private messaging.

In 2015, a large scale development effort spanning over 3 years resulted in onion services version 3. On January 9th 2018, Tor version 0.3.2.9 was released which was the first tor supporting onion service version 3. Every single relay on the Tor network now supports version 3. It is also today's default version when creating an onion service.

With onions v3 standing strong, we are in a good position to retire v2. It has completed its course and provided security and privacy to countless people around the world. But more importantly, v2 has created and propelled a new era of private and secure communication. Prepare for v2 retirement with our planned deprecation timeline: https://blog.torproject.org/v2-deprecation-timeline.

New Releases

Tor 0.3.5.11, 0.4.2.8, and 0.4.3.6 (with security fixes)

https://blog.torproject.org/new-release-tor-03511-0428-0436-security-fixes

These releases fix TROVE-2020-001, a medium-severity denial of service vulnerability affecting all versions of Tor when compiled with the NSS encryption library. (This is not the default configuration.)

Tor 0.4.4.2-alpha

https://blog.torproject.org/node/1899

This is the second alpha release in the 0.4.4.x series. It fixes a few bugs in the previous release, and solves a few usability, compatibility, and portability issues.

Tor Browser 10.0a3

https://blog.torproject.org/new-release-tor-0441-alpha

This is an Android-only release. It updates Firefox to 68.10.1esr and features important security updates to Firefox.

Tor Browser 9.5.2

https://blog.torproject.org/new-release-tor-browser-952

This release updates Firefox to 68.10.1esr. It also includes important security updates to Firefox.

Tor Browser 10.0a2

https://blog.torproject.org/new-release-tor-browser-100a2

This release updates Firefox to 68.10.0esr, Tor to 0.4.4.1-alpha, and NoScript to 11.0.32. This release also includes important security updates to Firefox.

What We're Reading

"Homeland Security worries COVID-19 masks are breaking facial recognition, leaked document shows," The Intercept.

https://theintercept.com/2020/07/16/face-masks-facial-recognition-dhs-blueleaks/

"Appeals court blocks Trump appointee's takeover of web nonprofit," Politico.

https://www.politico.com/news/2020/07/21/appeals-court-trump-appointees-web-nonprofit-375753

"A New Map Shows the Inescapable Creep of Surveillance," WIRED.

https://www.wired.com/story/atlas-of-surveillance-eff-law-enforcement-map/

"The Trump Administration is Attacking Critical Internet Privacy Tools," Vice.

https://www.vice.com/en_us/article/v7gz4d/the-trump-administration-is-attacking-critical-internet-privacy-tools

"How to Check Your Devices for Stalkerware," WIRED.

https://www.wired.com/story/how-to-check-for-stalkerware/

"EFF to Court: Trump Appointee’s Removal of Open Technology Fund Leadership Is Unlawful," EFF.

https://www.eff.org/press/releases/eff-court-trump-appointees-removal-open-technology-fund-leadership-unlawfu

Upcoming Events with Tor

(ICYMI) Privacy Enhancing Technologies Symposium (recorded virtual event), July 13-17, 2020.

https://blog.torproject.org/pets-2020

(ICYMI) Tor Project @ Rightscon: The Case for Privacy By Design, June 27, 2020.

https://blog.torproject.org/rightscon-2020

Bornhack (DK), August 11-18, 2020.

https://blog.torproject.org/bornhack-2020

Walking Onions @ USENIX Security Symposium (virtual event), August 12-14, 2020.

https://blog.torproject.org/usenix-security-2020

Tor Browser 9.5 makes onion services easier to find and use

Published on 2020-06-30

https://blog.torproject.org/new-release-tor-browser-95

Tor's onion routing remains the best way to achieve end-to-end anonymous communication on the internet. With onion services (.onion addresses), website administrators can provide their users with anonymous connections that are metadata-free or that hide metadata from any third party. Onion services are also one of the few censorship circumvention technologies that allow users to route around censorship while simultaneously protecting their privacy and identity.

With our latest Tor Browser release, we've made onion services easier to discover, remember, and use. Here's what's new:

Onion Location

Website publishers now can advertise their onion service to Tor users by adding an HTTP header. When visiting a website that has both an .onion address and Onion Location enabled via Tor Browser, users will be prompted about the onion service version of the site and will be asked to opt-in to upgrade to the onion service on their first use.
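
As an added example (not Tor Project code), the sketch below checks an Onion-Location deployment against the rules in Tor's Onion-Location documentation: the advertising page must be served over HTTPS and not itself be an onion site, and the header value must be an http(s) URL with a .onion host. It goes further than the paragraph above by verifying the v3 address checksum and flagging v2 addresses, in line with the v2 deprecation timeline covered earlier on this page; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import hashlib
from urllib.parse import urlsplit

V3_VERSION = b"\x03"  # version byte appended to every v3 onion address


def v3_address_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte public key as a v3 hostname: base32(key | checksum | version)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]
    encoded = base64.b32encode(pubkey + checksum + V3_VERSION).decode("ascii")
    return encoded.lower() + ".onion"


def classify_onion_host(host: str) -> str:
    """Return 'v3', 'v2' or 'invalid' for a hostname."""
    host = host.lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    # Subdomains are allowed; the address is the label directly before ".onion".
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return "invalid"
    if len(label) == 16:  # 80-bit v2 address
        return "v2"
    if len(label) == 56:  # 35 bytes: 32 key + 2 checksum + 1 version
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
        if version == V3_VERSION and checksum == expected:
            return "v3"
    return "invalid"


def check_onion_location(page_url: str, header_value: str) -> list:
    """List the reasons an Onion-Location header would be ignored or should be fixed."""
    problems = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        problems.append("page is not served over HTTPS, so the header is ignored")
    if (page.hostname or "").endswith(".onion"):
        problems.append("page is already an onion site")
    try:
        target = urlsplit(header_value.strip())
    except ValueError:
        target = None
    if target is None or target.scheme not in ("http", "https") or not target.hostname:
        problems.append("header value is not an http(s) URL")
        return problems
    kind = classify_onion_host(target.hostname)
    if kind == "v2":
        problems.append("target is a v2 onion address (scheduled for deprecation)")
    elif kind == "invalid":
        problems.append("target is not a well-formed .onion address")
    return problems


if __name__ == "__main__":
    # Constructed sample key: 32 fixed bytes, not a real service's key.
    sample = v3_address_from_pubkey(bytes(range(32)))
    cases = [
        ("https://example.org/", "http://" + sample + "/"),
        ("http://example.org/", "http://" + sample + "/"),
        # v2 address quoted elsewhere on this page
        ("https://example.org/", "http://expyuzz4wqqyqhjn.onion/"),
        ("https://example.org/", "http://" + sample[:55] + "e.onion/"),
    ]
    for page_url, value in cases:
        print(page_url, value, check_onion_location(page_url, value) or "ok")
```
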

Onion Authentication

Onion services administrators who want to add an extra layer of security to their website can now set a pair of keys for access control and authentication. Tor Browser users can save keys and manage them via about:preferences#privacy in the Onion Services Authentication section.

URL Bar Security Indicators

Browsers traditionally rendered sites delivered via a secure transport protocol with a green lock icon. But in mid-2019, the formerly green lock icon became gray, intending to de-emphasize the default (safe) connection state and, instead, putting more emphasis on broken or insecure connections. We have updated Tor Browser security indicators to make it easier for users to understand when they are visiting a non-secure website.

Error Pages for Onion Services

In this release, we have improved the way Tor Browser communicates with users about service-, client-, and network-side errors that might happen when they are trying to visit an onion service. Tor Browser now displays a simplified diagram of the connection and shows where the error occurred. We want these messages to be clear and informative without being overwhelming.

Onion Names

Because of cryptographic protections, onion service URLs are not easy for humans to remember (i.e., https://torproject.org vs. http://expyuzz4wqqyqhjn.onion/). This makes it hard for users to discover or return to an onion site. For this release, we partnered with Freedom of the Press Foundation (FPF) and the Electronic Frontier Foundation's HTTPS Everywhere to develop the first proof-of-concept human-memorable names for SecureDrop onion services addresses.

Read about all of the onion service improvements in Tor Browser 9.5: https://blog.torproject.org/new-release-tor-browser-95

Save Open Technology Fund, #SaveInternetFreedom

https://blog.torproject.org/save-open-technology-fund

The Tor Project has joined the voices around the world from the internet freedom community and in the U.S. Congress to express concerns about the rapid firing of key personnel and dissolution of the board of directors at the four agencies (Middle East Broadcasting, Radio Free Asia, Radio Free Europe/Radio Liberty, and the Open Technology Fund) under the U.S. Agency for Global Media (USAGM).

Of most immediate concern to Tor is the future of the Open Technology Fund (OTF) and its crucial mission, since 2012, of providing funding for technology that enables free expression, helps people circumvent censorship, and obstructs repressive surveillance.

Read our full statement and sign the open letter to Congress: https://blog.torproject.org/save-open-technology-fund. Help #SaveInternetFreedom.

Introducing PrivChat

https://torproject.org/privchat

PrivChat is a brand-new fundraising event series held to raise donations for the Tor Project. Through PrivChat, we will bring you important information related to what is happening in tech, human rights, and internet freedom by convening experts for a chat with our community.

For our first ever PrivChat, we brought together Carmela Troncoso, Assistant Professor at EPFL (Switzerland); Daniel Kahn Gillmor, Senior Staff Technologist for ACLU’s Speech, Privacy, and Technology Project; and Matt Mitchell, hacker and Tech Fellow at the Ford Foundation, to chat with us about privacy in the context of the COVID-19 pandemic, contact tracing, privacy, and the uprising in the U.S. against systemic racism.

If you missed the live PrivChat, you can watch the recorded version here: https://youtu.be/gSyDvG4Z308. If you're interested in attending the next PrivChat, stay up-to-date on this page: https://torproject.org/privchat.

The value of Tor and anonymous contributions to Wikipedia

https://blog.torproject.org/the-value-of-anonymous-contributions-wikipedia

According to a recently published research paper co-authored by researchers from Drexel, NYU, and the University of Washington, Tor users make high-quality contributions to Wikipedia. And, when they are blocked, as doctoral candidate Chau Tran, the lead author, describes, "the collateral damage in the form of unrealized valuable contributions from anonymity seekers is invisible."

By examining more than 11,000 Wikipedia edits made by Tor users able to bypass Wikipedia's Tor ban between 2007 and 2018, the research team found that Tor users made similar quality edits to those of IP editors, who are non-logged-in users identified by their IP addresses, and first-time editors. The paper notes that Tor users, on average, contributed higher-quality changes to articles than non-logged-in IP editors. Read more about the value of anonymous contributions to Wikipedia: https://blog.torproject.org/the-value-of-anonymous-contributions-wikipedia

GSoC and Outreachy 2020 projects

We're pleased to announce that the Tor Project is hosting students this summer as part of Google Summer of Code and Outreachy, thanks to support from DIAL Open Source Center. Find out more about the students and their projects: https://blog.torproject.org/gsoc-outreachy-2020

Unveiling the new Tor Community portal

Published on 2020-05-29

https://blog.torproject.org/community-portal

Community is at the core of Tor's success, popularity, and survival. We would not have a network with the security properties it has if it weren’t for the thousands of volunteer relay operators. We would not have Tor Browser if it weren’t for our open source community. People would not know about Tor if it weren’t for our community of trainers and translators who help us make sure educational information about Tor and our tools is accessible to everyone. We also count on a community of researchers, designers, developers, bug reporters, documentation writers, and many more to keep Tor strong.

It's about time that the Tor Project has a dedicated place to help you!

This month, we officially launched our Community portal. This is part of our continuous effort to better organize all of our different content into portals. The Community portal contains six sections: Training, Outreach, Onion Services, Localization, User Research, and Relay Operations.

Training

https://community.torproject.org/training

Inside of the Training section, you will find slides, risk assessment templates, and materials to help you organize your own Tor training with your group or organization. Because of the pandemic, we recommend you run these activities online, instead of in person, with your local community or affinity group. Check out our blog post on remote work to learn about the tools we recommend: https://blog.torproject.org/remote-work-personal-safety

Outreach

In the Outreach section, you'll find our events calendar, materials like flyers and pamphlets to spread the word about Tor, and instructions on how to run your own Tor meetup in your city. https://community.torproject.org/outreach/

Onion Services

The Onion Services section includes guides, tools, and explanations about onion services and their privacy and security benefits. https://community.torproject.org/onion-services/

Relay Operators

The Relay Operators section is dedicated to explaining the different types of nodes on the network, how to install a relay on different platforms, where to find technical support, and how to be part of the relay operators community. https://community.torproject.org/relay/

User Research

In the User Research section you will find our Research Guidelines, our reports on previous research and methodologies, and Tor Personas, a tool that helps us to human-center our design and development processes. https://community.torproject.org/user-research/

Localization

In the Localization section, you can learn how to plug in to this work and which projects need help. https://community.torproject.org/localization/

Test of Time: Celebrating Onions

https://blog.torproject.org/test-of-time-celebrating-onions

This month, the pre-Tor onion routing paper, "Anonymous Connections and Onion Routing" by Paul Syverson, David Goldschlag, and Michael Reed from IEEE S&P 1997, received the Test of Time Award by the IEEE Symposium on Security and Privacy in Oakland.

This award recognizes papers published at IEEE’s flagship security conference that have made a lasting impact on the field. This work introduced many ideas that would later be important for Tor’s design.

New Releases

Tor Browser 9.5a13

https://blog.torproject.org/new-release-tor-browser-95a13

This release updates NoScript to version 11.0.26, and Tor to 0.4.3.5. This is expected to be the final alpha release of Tor Browser 9.5.

Tor 0.4.3.5

https://blog.torproject.org/node/1872

This release adds support for building without relay code enabled, functionality needed for OnionBalance with v3 onion services, refactoring of configuration and controller functionality, and bug and performance fixes.

Tor Browser 9.5a12

https://blog.torproject.org/new-release-tor-browser-95a12

This release updates Firefox to 68.8.0esr, NoScript to 11.0.25, OpenSSL to 1.1.1g, and Tor to 0.4.3.4-rc. Android Tor Browser now includes Tor built using the reproducible build system.

Tor Browser 9.0.10

https://blog.torproject.org/new-release-tor-browser-9010

This release features important security fixes to Firefox and updates Firefox to 68.8.0esr, NoScript to 11.0.25, and OpenSSL to 1.1.1g. Please make sure you update your Tor Browser.

Upcoming Events with Tor

  • Postponed. Netdev 0x14, Vancouver. June 16, 2020 - June 19, 2020.

COVID-19's impact on Tor

Published on 2020-05-06

https://blog.torproject.org/covid19-impact-tor

Tor, like much of the world, has been caught up in the COVID-19 crisis. Like many other nonprofits and small businesses, the crisis has hit us hard, and we have had to make some difficult decisions.

We had to let go of 13 great people who helped make Tor available to millions of people around the world. We will move forward with a core team of 22 people, and remain dedicated to continuing our work on Tor Browser and the Tor software ecosystem.

The world won’t be the same after this crisis, and the need for privacy and secure access to information will become more urgent. In these times, being online is critical and many people face ongoing obstacles to getting and sharing needed information. We are taking today’s difficult steps to ensure the Tor Project continues to exist and our technology stays available.

We are terribly sad to lose such valuable teammates, and we want to let all our users and supporters know that Tor will continue to provide privacy, security, and censorship circumvention services to anyone who needs them. This won't affect our releases: Tor network and Tor Browser releases will continue as scheduled.

The most impactful way to help the Tor Project at this time is to become a monthly donor. Recurring, unrestricted income makes our budget more predictable and sustainable. If you'd like to make a donation, please consider monthly giving.

https://donate.torproject.org/monthly-giving

New Releases

Tor 0.4.3.4-rc 

This is the first release candidate in its series. It fixes several bugs from earlier versions, including one affecting DoS defenses on bridges using pluggable transports.

https://blog.torproject.org/new-release-candidate-tor-0434-rc

Tor Browser 9.5a11

This release updates Firefox to 68.7.0esr, NoScript to 11.0.23, and OpenSSL to 1.1.1f. In addition, this update features important security fixes to Firefox and it includes improved usability for onion services.

https://blog.torproject.org/new-release-tor-browser-95a11

Tor Browser 9.0.9

This release features important security fixes to Firefox. Please make sure you update your Tor Browser.

https://blog.torproject.org/new-release-tor-browser-909

Tails 4.5

The Tails team is happy to publish Tails 4.5, the first version of Tails to support Secure Boot. This release also fixes many security vulnerabilities. You should upgrade as soon as possible.

https://blog.torproject.org/new-release-tails-45

Tor Browser 9.5a10

This release features important security fixes to Firefox. Please make sure you update your Tor Browser.

https://blog.torproject.org/new-release-tor-browser-95a10

Tor Browser 9.0.8

This release features important security fixes to Firefox. Please make sure you update your Tor Browser.

https://blog.torproject.org/new-release-tor-browser-908

Upcoming Events with Tor

  • Postponed. BSides. Barcelona, Spain. May 08, 2020.

  • Postponed. CryptoRave, São Paulo, Brazil. May 15, 2020 - May 16, 2020.

Join Our Community

Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://community.torproject.org/relay

Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet

Learn about each of our teams and start collaborating: https://trac.torproject.org/projects/tor/wiki/WikiStart#Teams

Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org

--

The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.

Twitter: https://twitter.com/torproject

Facebook: https://facebook.com/torproject

Instagram: https://instagram.com/torproject

Mastodon: http://mastodon.social/@torproject

Remote Work and Personal Safety

Published on 2020-03-31

Remote Work and Personal Safety

English: https://blog.torproject.org/remote-work-personal-safety

Spanish: https://blog.torproject.org/Conectadas-seguras-tiempos-cuarentena

Portuguese: https://blog.torproject.org/trabalho-remoto-seguranca-pessoal

Italian: https://blog.torproject.org/lavoro-remoto-sicurezza-personale

This is a novel and troubling situation we’re in globally. As a remote, international organization developing tools for online safety, we’d like to share some of our tips about working from home and retaining your rights to privacy and freedom of expression.

Remote Working

Since incorporating in 2006, the Tor Project and its community have largely operated remotely. Whenever possible, we use free and open source tools that share our commitment to advancing the human rights to privacy and freedom of expression online. Here’s what we’re using now to stay connected:

IRC. The bulk of our online conversations happen in open channels on IRC, like #tor-project, #tor-dev, and #tor-www among others. If you want to chat with us about Tor, you can find us in #tor. No matter what chat tool your organization may use, we recommend setting up an off-topic channel or direct messaging the person you want to connect with. The opportunity to interact on a more personal level by sharing news and just bantering without interfering with core channel topics is invaluable. You don’t need to share an email address or personal identifying information to register or use IRC.

Nextcloud. This productivity platform could be your alternative to G Suite. We use it for collaborative docs, calendars, and file storage.

Riseup pads. We use these for agendas, taking notes, and drafting blog posts. They don’t save indefinitely, so this isn’t for storage, but ephemerality can keep sensitive information safe. There’s no account needed, only a web browser.

For people working with at-risk groups or sensitive information, these will be particularly helpful:

Tor Browser. Using Tor Browser for searches, logging into accounts, or collaborating protects you from trackers on websites, surveillance from your ISP or anyone monitoring your network, and from censorship enacted by your ISP or government. If you are a health provider or first responder conducting sensitive searches that could be tied to people visiting you or other more easily monitorable activities, Tor Browser is a tool that can protect you and the people you serve.

"I'm a doctor in a very political town. When I have to do research on diseases and treatment or look into aspects of my patients' histories, I am well aware that my search histories might be correlated to patient visits and leak information about their health, families, and personal lives. I use Tor to do much of my research when I think there is a risk of correlating it to patient visits." - Anonymous Tor User

Signal. For 1:1 messaging, calls, and small group chats, we use Signal, the open source messaging app. It’s end-to-end encrypted, and you can set messages containing sensitive information to expire.

Jitsi Meet. For voice and video meetings, Jitsi Meet is a staple. It’s open source, encrypted, and no accounts are necessary to use it. Just choose a meeting address, say https://meet.jit.si/onionsforall, and share that link. Try this before turning to Zoom, which has come under scrutiny for its lack of transparency.

OnionShare. OnionShare allows you to securely and anonymously share a file of any size without any third parties. If you need to share critical resources with individuals or groups, the latest version of OnionShare also allows you to spin up an onion site only accessible over the Tor network.

share.riseup.net. This is a web-based tool for speedily sharing smaller files (up to 50 MB). We frequently drop riseup links into our IRC channels to share photos and screenshots.

If you’re still not finding the right tool to fit your coworking needs, anarcat, SysAdmin at the Tor Project, has more recommendations for Remote presence tools for social distancing: https://anarc.at/blog/2020-03-15-remote-tools/

Personal Safety

Home isn’t a safe space for everyone. We realize that there are many people who are suddenly at home more often and in relationships that put them at risk of harm. If you are seeking help in a relationship or are in contact with someone who needs help, we recommend using Tor Browser to seek information or assistance without leaving a trace of that search or browsing history. The National Network to End Domestic Violence has additional recommendations you can follow.

The same goes for anyone researching sensitive personal topics, be they women’s health resources, immigration resources, or information about medical or mental health conditions: Using Tor Browser, in combination with its default search engine DuckDuckGo, can help you keep your personal information to yourself, empower you with the ability to choose what you share, and allow you to access critical information and resources that may be blocked or under scrutiny.

"I use Tor Browser to research about mental diseases, e.g. depression, that occur in our family. I don't want anyone to know about these diseases who I don't want to tell. That's why I use Tor for researching about anything related to these diseases." - Anonymous Tor User

Many of the tools for coworking we outlined above, including Jitsi, Signal, and OnionShare, can help you communicate more safely in difficult circumstances.

Stay Connected

These are uncertain times, and it’s critical we stay connected and do our part to keep each other safe. If you have any questions about Tor, how Tor or any of these other tools may be helpful to you, join us in #tor on IRC.

If you want to get involved with our work, we welcome you to join our community. We are a small nonprofit organization with a big mission: to make privacy and freedom the default online, and our work is made possible by countless volunteer contributors around the world. We hope you'll join us.

We are just one of countless online communities where you could make an impact, so if you’re not finding the right fit, keep exploring. This could also be an opportunity to start your own.

Cooking with Onions: Reclaiming the Onionbalance

https://blog.torproject.org/cooking-onions-reclaiming-onionbalance

Onionbalance is one of the standard ways onion service administrators can load balance onion services, but it didn't work for v3 onions. Until now. We just released a new version of Onionbalance that supports v3 onion services.

The core functionality remains the same: Onionbalance allows onion service operators to achieve the property of high availability by allowing multiple machines to handle requests for an onion service.

If you are already familiar with configuring Tor onion services, setting up Onionbalance is simple. Check the precise setup instructions on our documentation page. Read more: https://blog.torproject.org/cooking-onions-reclaiming-onionbalance

New Releases

Tor Browser 9.0.7 https://blog.torproject.org/new-release-tor-browser-907

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19. In addition, this release disables JavaScript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed JavaScript on some sites using NoScript.

Tor 0.3.5.10, 0.4.1.9, and 0.4.2.7

https://blog.torproject.org/new-releases-03510-0419-0427

This is the third stable release in the 0.4.2.x series. It backports numerous fixes from later releases, including a fix for TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha.

Tor 0.4.3.3-alpha

https://blog.torproject.org/new-release-tor-04330-alpha

Tor 0.4.3.3-alpha fixes several bugs in previous releases, including TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha.

Tor Browser 9.5a8

https://blog.torproject.org/new-release-tor-browser-95a8

This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.

Tor Browser 9.0.6

https://blog.torproject.org/new-release-tor-browser-906

This release updates Firefox to 68.6.0esr and NoScript to 11.0.15.

Tor Browser 9.5a7

https://blog.torproject.org/new-release-tor-browser-95a7

This release resolves breakage introduced in version 9.5a6 where non-en-US versions are not starting up.

What We're Reading

"As Coronavirus Surveillance Escalates, Personal Privacy Plummets," NYTimes.

https://nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html

https://www.nytimes3xbfgragh.onion/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html

"Expertos en privacidad admiten que la crisis permite un uso excepcional de datos personales," El Pais.

https://elpais.com/tecnologia/2020-03-21/expertos-en-privacidad-admiten-que-la-crisis-permite-un-uso-excepcional-de-datos-personales.html

"How to use the Tor Browser’s tools to protect your privacy," The Verge.

https://www.theverge.com/2020/2/21/21138403/tor-privacy-tools-private-network-browser-settings-security

"Locked-Down Lawyers Warned Alexa Is Hearing Confidential Calls," Bloomberg.

https://www.bloomberg.com/news/articles/2020-03-20/locked-down-lawyers-warned-alexa-is-hearing-confidential-calls

Join Our Community

Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet

Learn about each of our teams and start collaborating: https://trac.torproject.org/projects/tor/wiki/WikiStart#Teams

Donate to help keep Tor fast, strong, and secure. https://donate.torproject.org

Tor in the News, We're Hiring, IFF CFP, Releases

Published on 2020-02-27

Tor in the Media: 2019

https://blog.torproject.org/tor-media-2019

In 2019, mainstream coverage of privacy wins and challenges increased, and with that, so did coverage of the Tor Project. We are proud of what we accomplished last year and proud that our work advancing human rights to privacy and freedom online has caught the attention of outlets such as BBC, WIRED, Deutsche Welle, and NPR. Not only did they write about us, but some of these big names also began using and promoting our tools.

We’ve broken down 2019 coverage into sections: Tor’s Reach and Accessibility, Anti-Censorship, Onion Adoption, Ecosystem Impact, Cryptocurrency, and Advocacy. Check out the more comprehensive list of coverage.

Tor’s Reach and Accessibility

Inspired by major advancements in Tor Browser’s design, integration of Tor tabs in Brave browser, and the alpha release of Tor Browser for Android, Lily Hay Newman at Wired declared 2019 the year to try Tor.

"In truth, Tor has been relatively accessible for years now, largely because of the Tor Browser, which works almost exactly like a regular browser and does all the complicated stuff for you in the background. But in 2018 a slew of new offerings and integrations vastly expanded the available tools, making 2019 the year to finally try Tor. You may even end up using the network without realizing it."

As people become more aware of how tech giants exploit their information, Tor was also cited as a privacy-first alternative to Chrome.

As part of our goal to make Tor available to everyone online who needs it, we knew we needed to meet people where they are using the internet: on their mobile devices. In 2019, we made it "easier than ever" for people to use Tor by making it available on Android, and this development was written about by several publications.

Anti-Censorship

In addition to improved accessibility and privacy protections, our anti-censorship work made headlines. OONI, a project under Tor, was recognized for its contributions to documenting evidence of internet censorship worldwide.

Several outlets promoted Snowflake, an extension we released, now in an experimental stage, which empowers users of those browsers to help Tor users circumvent censorship.

Onion Adoption

To help users in censored countries reach their content, BBC, Deutsche Welle, and Mada Masr have joined ProPublica, The New York Times, and BuzzFeed News to set up onion addresses using Tor onion services. In addition to those outlets promoting their onion mirrors, other news sites also picked up on the BBC announcement. Due to the enhanced privacy and security properties onion addresses provide, in addition to their ability to help censored users bypass blocks, we expect this trend to continue. We will be focusing on scaling to meet this demand in 2020.

Ecosystem

Not all Tor benefits come from directly connecting to the network, using Tor Browser, or implementing onion services. Our innovations and techniques also help to raise the bar for privacy and security in other technologies and were written about for doing so. Firefox users now benefit from our security and privacy features, including an anti-fingerprint technique called "letterboxing." Mozilla is also exploring using Tor for a ‘Super Private Browsing’ mode. In 2019, Mozilla announced a research grant regarding Tor integration to Firefox. Currently the Firefox team is exploring testing a prototype using an add-on integration.

Cryptocurrency

This year, we were a trailblazing nonprofit organization regarding our acceptance of cryptocurrency donations. Many people in the cryptocurrency community share Tor's values of privacy and freedom online and expressed excitement about contributing to Tor through a variety of new cryptocurrencies. As one of the first nonprofits to accept cryptocurrencies on such a wide scale, we also set an example for other organizations to follow.

Advocacy

Our mission extends beyond developing tools that advance the human rights to privacy and freedom online; we also advocate for their use and other relevant critical issues necessary for a world where Tor thrives. We are proud to have joined in several campaigns in 2019 to uphold our values and speak out against dangerous demands to weaken encryption and increase surveillance.

2019 was a big year in the news for Tor, and as the demand for privacy online increases, we expect the stories to continue in 2020 as we focus on promoting our tools as the backbone of an internet that puts privacy first, by design.

Check out a more comprehensive list of Tor's media coverage: https://blog.torproject.org/tor-media-2019

We're Hiring an Executive Assistant

https://www.torproject.org/about/jobs/executive-assistant/

The Executive Assistant is responsible for providing high-level administrative support to the Executive Director. This position will actively manage the ED’s schedule, handle internal and external executive-level communications, and coordinate special projects and events. This position is full-time and remote; someone in the Eastern time zone strongly preferred.

Tor Village at IFF: Call for Proposals

During this year's Internet Freedom Festival (IFF), we're organizing a village with activities on privacy, anonymity, and anti-censorship based around Tor. IFF will take place from April 20 - 24, 2020 in Valencia, Spain, and the Tor Village will take place on the last two days, April 23 and 24. Proposals can be made in English or Spanish. Proposals should be sent by March 10th at 23:59 UTC to iff@torproject.org. Proposals sent after the deadline or by other means will not be accepted.

Check out some activity ideas and how to submit: https://blog.torproject.org/tor-village-iff-2020-call-proposals

New Releases

BridgeDB 0.9.3

https://blog.torproject.org/new-release-bridgedb-093

When ISPs or governments block access to the Tor network, our users rely on bridges to connect. With BridgeDB, we tackle the problem of how to get bridges to censored users while making it difficult for censors to get all bridges. We recently released BridgeDB version 0.9.3, which comes with bug fixes and new features.

Tor Browser 9.5a5

https://blog.torproject.org/new-release-tor-browser-95a5

This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.3.2-alpha. We also added a new default bridge.

Tor Browser 9.0.5

https://blog.torproject.org/new-release-tor-browser-905

This release updates Firefox to 68.5.0esr, NoScript to 11.0.13, and on desktop, Tor to 0.4.2.6. We also added a new default bridge and backported a few improvements from the alpha series.

Tor 0.4.3.2-alpha

https://blog.torproject.org/new-release-tor-0432-alpha

This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody running the previous alpha should upgrade and look for bugs in this one instead.

What We're Reading

"Hacker Eva Galperin Has a Plan to Eradicate Stalkerware," Andy Greenberg, WIRED.

https://www.wired.com/story/eva-galperin-stalkerware-kaspersky-antivirus/

"Brazilian Judge Declines to Move Forward With Charges Against Glenn Greenwald 'for Now,'" Murtaza Hussain, The Intercept.

https://theintercept.com/2020/02/06/glenn-greenwald-intercept-brazil-charges/

"How schools are using kids' phones to track and surveil them," Alfred Ng, CNET.

https://www.cnet.com/news/how-schools-are-using-kids-phones-to-track-and-surveil-them/

Upcoming Events with Tor

Netdev 0x14. Vancouver, Canada. March 17, 2020 - March 20, 2020. https://blog.torproject.org/net-dev-vancouver

Bitcoin2020. San Francisco, USA. March 27, 2020 - March 28, 2020. https://blog.torproject.org/bitcoin2020-sanfrancisco

IFF and Tor Village. Valencia, Spain. April 20, 2020 - April 24, 2020. https://blog.torproject.org/iff-tor-village-valencia

BSides. Barcelona, Spain. May 08, 2020. https://blog.torproject.org/b-sides-barcelona-2020

CryptoRave, São Paulo, Brazil. May 15, 2020 - May 16, 2020. https://blog.torproject.org/cryptorave-sao-paulo-2020

Bug Smash, Advocacy, What We're Reading, Events

Published on 2020-01-30

Tor's Bug Smash Fund: Progress So Far

https://blog.torproject.org/tor-bug-smash-fund-progress

At the beginning of August 2019, we asked you to help us build our very first Bug Smash Fund. This fund will ensure that the Tor Project has a healthy reserve earmarked for maintenance work and smashing the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly. Together we raised $86,081.

So far, we've marked 77 tickets with BugSmashFund. As of today, 56 of those tickets have been closed, and 21 of them are still in progress. With this reserve, we've been able to fix bugs and complete necessary maintenance on core tor, bridgedb, Snowflake, and Metrics, as well as complete the Tor Browser ESR 68 migration. Roughly half of the Bug Smash Fund remains available for allocation, and we will continue to tag relevant maintenance work and bug fixing tickets that will be covered with this reserve. Thank you for supporting this work. Find out what tickets we've closed so far: https://blog.torproject.org/tor-bug-smash-fund-progress

Help Stop the Sale of Public Interest Registry to a Private Equity Firm

https://act.eff.org/action/help-stop-the-sale-of-public-interest-registry-to-a-private-equity-firm

Last month it was suddenly announced that the nonprofit that owns the .ORG domain registry was planning to sell it to a private equity firm, Ethos Capital. This could impact the millions of individuals and organizations that have a .ORG website, including the Tor Project, subjecting them to potential censorship and leaving the door open for price increases on domain registration and renewals.

Please take action today and add your name to the twenty-thousand individuals who have opposed the sale.

Buying a smart phone on the cheap? Privacy might be the price you have to pay

https://privacyinternational.org/advocacy/3320/open-letter-google

https://privacyintyqcroe.onion/advocacy/3320/open-letter-google

Research by Privacy International shows that cheap smartphones come with a hidden cost: pre-installed apps that can't be deleted and that leak your data.

We're telling Google it's time to take action on pre-installed apps. Add your voice here: https://privacyinternational.org/petition.

Privacy isn't about having something to hide.

We believe technology must be designed in an ethical way that respects people's digital rights. Privacy cannot be an afterthought with room for interpretation by businesses that thrive on exploiting us online. Privacy must be the default.

https://www.nytimes.com/2019/12/29/technology/california-privacy-law.html

https://www.nytimes3xbfgragh.onion/2019/12/29/technology/california-privacy-law.html

New Releases

Tor 0.4.3.1-alpha

https://blog.torproject.org/new-alpha-release-tor-0431-alpha

This is the first alpha release in the 0.4.3.x series. It includes improved support for application integration of onion services, support for building in a client-only mode, and newly improved internal documentation (online at https://src-ref.docs.torproject.org/tor/). It also has numerous other small bugfixes and features, as well as improvements to our code's internal organization that should help us write better code in the future.

Tor Browser 9.5a4

https://blog.torproject.org/new-release-tor-browser-95a4

This new alpha release picks up security fixes for Firefox 68.4.0esr and 68.4.1esr. In addition, this release updates the bundled NoScript extension to its latest version.

Tor Browser 9.0.3 & 9.0.4

https://blog.torproject.org/new-release-tor-browser-903

https://blog.torproject.org/new-release-tor-browser-904

9.0.4 fixes a critical security issue in Firefox: CVE-2019-17026.

9.0.3 picks up security fixes for Firefox 68.4.0esr. We also updated Tor to 0.4.2.5 for the desktop versions. On Android we fixed a possible crash after the bootstrap.

Stem 1.8

https://blog.torproject.org/new-release-stem-18

Stem is a Python library for interacting with Tor. With it you can script against your relay, descriptor data, or even write applications like Nyx.

What We're Reading

"Reporters Face New Threats From the Governments They Cover," James Risen, The New York Times. [.onion]

https://nytimes3xbfgragh.onion/2020/01/26/opinion/greenwald-brazil-reporter.html

https://nytimes.com/2020/01/26/opinion/greenwald-brazil-reporter.html

"Both the Trump administration and the right-wing Brazilian government of President Jair Bolsonaro seem to have decided to experiment with such draconian anti-press tactics..."

"The Trump Administration's Lies About Encryption Are Putting Our Privacy in Danger," Trevor Timm.

http://gen.medium.com/the-trump-administrations-lies-about-encryption-are-putting-our-privacy-in-danger-1291d5582283

"The Trump administration is now engaged in a multipronged effort to pressure tech companies to weaken encryption protecting the privacy of billions of people. And make no mistake: They are blatantly lying about it to try to get their way."

"You Are Now Remotely Controlled," Shoshana Zuboff, The New York Times.

https://www.nytimes3xbfgragh.onion/2020/01/24/opinion/sunday/surveillance-capitalism.html

https://nytimes.com/2020/01/24/opinion/sunday/surveillance-capitalism.html

"Surveillance capitalists exploit the widening inequity of knowledge for the sake of profits. They manipulate the economy, our society and even our lives with impunity, endangering not just individual privacy but democracy itself."

Upcoming Events with Tor

FOSDEM. Belgium, Brussels. 1-2 February 2020. https://blog.torproject.org/tor-fosdem-2020-brussels

FOSDEM's Interview with Pili, Tor Project, Project Manager: https://fosdem.org/2020/interviews/pili-guerra/

Digital Rights are Human Rights

Published on 2019-12-26

Interview with Cindy Cohn, EFF Executive Director & Tor Board Member

https://blog.torproject.org/interview-cindy-cohn-eff-executive-director

Cindy Cohn, Executive Director of the Electronic Frontier Foundation (EFF) and Board Member of the Tor Project, was named one of America's Top 50 Women in Tech 2018 by Forbes. As a tireless defender of digital rights, we wanted to get her take on the state of the internet today, recent victories and challenges ahead, and Tor’s role in taking back the internet.

How would you describe the internet today?

Disempowering. Between surveillance business models, national security surveillance, and ineffective legal and technical protections, many people feel that they have no power to protect their security and privacy.

But the good news is that we can regain control and more people than ever are demanding a course change. Tor is a critical tool for helping us make that shift.

What do you think are some key victories that have happened in the past year to advance privacy and freedom online?

Tor and the Tor network just keep getting stronger, more important, and easier to use. That’s amazing and a testament to the fierce, powerful and smart people who develop, support, maintain, and protect it.

I’m also heartened by the growing recognition across the world that privacy and security are linked and that technical, legal, and policy work is all needed to protect them.

I’m biased, but I think that a major step toward protecting people’s privacy as they cross the US border came in the Alasaad case EFF and the ACLU handled, where the court agreed with us that the US government needs reasonable suspicion to search the devices that people carry.

The ongoing efforts to encrypt the web and increase awareness about security tools and practices are also cause for celebration.

What challenges do you think privacy advocates and developers will face in the next year online?

I think the rise of authoritarianism around the world will continue to present challenges for privacy advocates and developers. One of the key things that would-be dictators know is that they have to prevent the people from being able to speak and learn things confidentially. This means more attacks on encryption.

I think that advocates and developers will need to continue to stand up for encryption and also ultimately will have to address the need to re-decentralize the internet. The pressures on the tech giants to make sure that no one can have a private conversation online will continue. We need to be ready and build out alternatives.

What is the internet you would like to see in the future?

We need to build a world where everyone has free (as in speech) access to read, speak, create, and control their experience, including creating their own tools and protecting their own privacy. A world where humans have the legal, policy, and cultural support and protection to do so. Where individuals have the strength and processing power to take on larger organizations, whether government or corporate, as well as to be protected from them. A world where our technology, whether as simple as an email or as complex as an AI system, is trustworthy and loyal to us.

Why do you think people should support and care about Tor?

If you care about maintaining (or creating) a society that can change — where ideas can grow and information can be learned free of control by governments or corporations — then Tor is one of the critical tools that you should support and care about.

Tor protects the canaries in the coal mines.

Even if you personally don’t need the protection that Tor offers, standing up for Tor is standing with the people who take risks to keep the rest of us informed about some of the most dangerous and important facts and issues facing the planet.

The Next Chapter of Anti-Censorship

https://blog.torproject.org/next-chapter-anti-censorship

The video from the Tor Project Co-Founder Roger Dingledine's DEF CON 2019 talk ("The Tor Censorship Arms Race: The Next Chapter") is now up.

  • YouTube version (for those who can tolerate surveillance capitalism): https://www.youtube.com/watch?v=ZB8ODpw_om8
  • Original mp4 from DEF CON's onion service (download it and play it locally, since playing it in a browser doesn't display video): m6rqq6kocsyugo2laitup5nn32bwm3lh677chuodjfmggczoafzwfcad.onion/DEF%20CON%2027/DEF%20CON%2027%20video%20and%20slides/DEF%20CON%2027%20Conference%20-%20Roger%20Dingledine%20-%20The%20Tor%20Censorship%20Arms%20Race%20The%20Next%20Chapter.mp4
  • Backup mp4 for those who can't reach onion services: freehaven.net/~arma/DEF%20CON%2027%20Conference%20-%20Roger%20Dingledine%20-%20The%20Tor%20Censorship%20Arms%20Race%20The%20Next%20Chapter.mp4
  • Slides (pdf): freehaven.net/~arma/slides-dc19.pdf

This talk gets you up to speed on all the ways governments have tried to block Tor, walks through our upcoming steps to stay ahead of the arms race, and gives you some new—easier—ways that let you help censored users reach the internet safely.

Digital Rights are Human Rights

https://blog.torproject.org/digital-rights-are-human-rights

At the Tor Project, we build technologies that defend and promote the human rights to privacy and freedom. More than just a way to exercise an individual right, it’s a collective collaboration and movement that generates a common good for all. Everyone can use this open and secure network as infrastructure that has privacy as a default feature of its design. The Tor network promotes a radical decentralization with onion services, so you can run your own service without a dedicated IP address or having a domain name, all done privately and securely. Tor also promotes net neutrality, since it doesn't modify the traffic based on who is accessing it or which sites they are visiting. In other words, it's what we've always wanted the internet to be. Find out about how we've been working directly with human rights defenders to help them protect themselves online.

Modularizing Key Aspects of the Tor Network, Supported by MOSS

https://blog.torproject.org/modularizing-key-aspects-tor-network-moss

In 2018, the Tor Project was awarded a grant from Mozilla’s Open Source Support (MOSS) program’s Mission Partners track to improve Tor's codebase. The network team spent the last 12 months working on creating a Tor network codebase that is:

  • Easier to scale, more flexible, and faster in order to handle more users;
  • Easier for Tor developers, third-party developers, and researchers to navigate; and
  • Easier to adopt, contribute to, and improve.

To reach those goals, the network team:

  • Reduced module complexity and maintenance burden;
  • Developed new architecture for several key Tor modules;
  • Implemented better tooling;
  • Improved testing for several key Tor modules; and
  • Improved our documentation.

The biggest change introduced thanks to this project is a generic publish-subscribe mechanism for delivering messages internally. It is meant to help us improve the modularity of our code by avoiding direct coupling between modules that don't actually need to invoke one another.

For example, there are numerous parts of our code that might need to take action when a circuit is completed: a controller might need to be informed, an onion service negotiation might need to be attached, a guard might need to be marked as working, or a client connection might need to be attached. But many of those actions occur at a higher layer than circuit completion: calling them directly is a layering violation and makes our code harder to understand and analyze. With message-passing, we can invert this layering violation: circuit completion can become a "message" that the circuit code publishes, and to which higher-level layers subscribe. This means that circuit handling can be decoupled from higher-level modules and stay nice and simple.
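The inversion described above, as an added example that is not Tor's own dispatcher code: a simplified, synchronous publish-subscribe table in which the circuit layer publishes a "circuit completed" message and two higher layers subscribe to it. All names here (`pubsub_subscribe`, `circuit_mark_completed`, the message struct) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical message ids; not Tor's real message names. */
typedef enum { MSG_CIRC_COMPLETED, MSG_COUNT } msg_id_t;

typedef struct { uint32_t circ_id; uint32_t guard_id; } circ_completed_msg_t;

typedef void (*subscriber_fn)(const void *msg);

#define MAX_SUBS 8
static subscriber_fn subs[MSG_COUNT][MAX_SUBS];
static size_t n_subs[MSG_COUNT];

/* Register a handler; returns 0 on success, -1 on bad input or full table. */
int pubsub_subscribe(msg_id_t id, subscriber_fn fn) {
  if ((unsigned)id >= MSG_COUNT || fn == NULL) return -1;
  if (n_subs[id] == MAX_SUBS) return -1;
  subs[id][n_subs[id]++] = fn;
  return 0;
}

/* Deliver msg to every subscriber; returns how many handlers ran. */
int pubsub_publish(msg_id_t id, const void *msg) {
  if ((unsigned)id >= MSG_COUNT || msg == NULL) return -1;
  for (size_t i = 0; i < n_subs[id]; i++) subs[id][i](msg);
  return (int)n_subs[id];
}

/* Low layer: circuit code knows only the message, not its consumers. */
int circuit_mark_completed(uint32_t circ_id, uint32_t guard_id) {
  circ_completed_msg_t m = { circ_id, guard_id };
  return pubsub_publish(MSG_CIRC_COMPLETED, &m);
}

/* Higher layers: each reacts in its own module. */
uint32_t controller_last_circ;  /* stand-in for "inform the controller" */
uint32_t guard_marked_working;  /* stand-in for "mark guard as working" */

static void controller_on_circ(const void *msg) {
  controller_last_circ = ((const circ_completed_msg_t *)msg)->circ_id;
}
static void guard_on_circ(const void *msg) {
  guard_marked_working = ((const circ_completed_msg_t *)msg)->guard_id;
}

/* Wire-up happens once at startup, outside the circuit code. */
int higher_layers_init(void) {
  return pubsub_subscribe(MSG_CIRC_COMPLETED, controller_on_circ)
       | pubsub_subscribe(MSG_CIRC_COMPLETED, guard_on_circ);
}
```

Note that `circuit_mark_completed` calls no controller or guard function directly, so the circuit layer can be read and audited without following calls into higher-level modules.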

The network team also continued earlier work that began in Tor 0.3.5 to make our code behave more modularly with its startup and teardown logic. Many tor modules now function as "subsystems" that are initialized, shut down, and updated with a standard interface, rather than with the confusing system of calls that was used before. Read more: https://blog.torproject.org/modularizing-key-aspects-tor-network-moss

Take Back the Internet with Us

"Technology doesn't need to come at the expense of privacy. Connectivity doesn't need to cost us our self-determination. With your help, we can keep Tor growing and improving to be what the world needs: a way to help take back the internet for freedom and human rights." - Nick Mathewson, Co-Founder, The Tor Project

Donate today, and Mozilla will match your donation. https://torproject.org/donate/donate-tbi-tn3

New Releases

Tor Browser 9.5a3 https://blog.torproject.org/new-release-tor-browser-95a3 This new alpha release picks up security fixes for Firefox 68.3.0esr and updates our external extensions (NoScript and HTTPS Everywhere) to their latest versions. Among other things, we made some cleanups in torbutton and fixed localization in the Android bundles. We also added three new locales: lt (Lithuanian), ms (Malay), and th (Thai).

Tor 0.4.2.5 (also 0.4.1.7, 0.4.0.6, and 0.3.5.9) https://blog.torproject.org/new-release-0425-also-0417-0406-and-0359 This is the first stable release in the 0.4.2.x series. This series improves reliability and stability, and includes several stability and correctness improvements for onion services. It also fixes many smaller bugs present in previous series.

Tor Browser 9.0.2 https://blog.torproject.org/new-release-tor-browser-902 This new stable release picks up security fixes for Firefox 68.3.0esr and updates our external extensions (NoScript and HTTPS Everywhere) to their latest versions. Besides backporting patches that already landed in alpha releases, fixing an error in our circuit display, and improving our letterboxing support, Tor Browser 9.0.2 provides properly localized Android bundles again.

Upcoming Events with Tor

Censorship Resistance für den Anonymisierungsdienst Tor. Hagenberg, Austria. 9 January 2020. https://blog.torproject.org/events/censorship-resistance-fur-den-anonymisierungsdienst-tor-hagenberg

Join Our Community

Getting involved with Tor is easy. Run a relay to make the network faster and more decentralized: https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

Run a bridge to help censored users access Tor: https://blog.torproject.org/run-tor-bridges-defend-open-internet

Learn about each of our teams and start collaborating: https://trac.torproject.org/projects/tor/wiki/WikiStart#Teams

Donate to help keep Tor fast, strong, and secure. https://torproject.org/donate/donate-tbi-tn2

--

The Tor Project is a US 501(c)(3) non-profit organization advancing human rights and freedoms by creating and deploying free and open-source anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding.

Twitter: https://twitter.com/torproject

Facebook: https://facebook.com/torproject

Instagram: https://instagram.com/torproject

Mastodon: http://mastodon.social/@torproject

A Surveillance-Free Internet, Events, New Releases

Published on 2019-11-21

We Can Choose an Internet Without Surveillance

https://blog.torproject.org/we-can-choose-internet-without-surveillance

The surveillance dystopia is building up all around us, and the business model that has taken over the internet is largely to blame. In the surveillance economy, whenever we choose to use an application or a device, we are often forced to subject ourselves to unrestricted abuse of our private data. ISPs and big corporations are not only logging our activities, but often selling that information to third party data analysis and marketing companies like Cambridge Analytica and Dataminr.

The effects of the surveillance economy are terrifying. Our online activity has been used to influence elections by shaping how politically motivated entities can spread personally targeted misinformation. We have also seen these companies sign contracts with law enforcement and authoritarian governments to use this information to unjustly target activists, minorities, and at-risk communities.

Even if you have not immediately felt or experienced a direct consequence of being surveilled, the idea you may be surveilled can have chilling consequences on your daily life.

PEN America surveyed over 520 American writers to understand if and how surveillance was influencing their work. 1 in 6 writers said they had avoided speaking or writing on a topic they thought would subject them to surveillance.

Just the fear of surveillance can turn us into self-censors. This fear can stop us from exercising intellectual freedom and curiosity. If we think we are being watched, our behavior changes. Our mental state changes as well. According to research conducted by Christopher Burr at the Digital Ethics Lab at the University of Oxford, the effects of surveillance on the brain can "be just as mentally taxing as mental disorders like depression, and can even cause symptoms similar to post-traumatic stress disorder."

The spread of surveillance is not inevitable. We can fight against facial recognition technology and invasive searches, stand up for encryption, and demand privacy by design from service providers.

The internet is not just a network of computers—it's a network of people. We hold great power in deciding its future.

Our Website + Tor Browser Now Available in Catalan

We know it's easier to use something in your own language. If you've never tried Tor Browser, today is the day. Try it now: https://torproject.org/ca

Take Back the Internet with Us

https://torproject.org/donate/donate-tbi-tn2

Donate today, and Mozilla will match your donation.

New Releases

Tor Browser 9.5a2 https://blog.torproject.org/new-release-tor-browser-95a2 This new alpha release contains various bug fixes and improvements. Among them, we improved the letterboxing experience.

Tor 0.4.2.4-rc https://blog.torproject.org/new-release-candidate-tor-0424-rc Tor 0.4.2.4-rc is the first release candidate in its series. Packages should be available over the coming weeks, with a new alpha Tor Browser release likely by Dec 3.

Tor Browser 9.0.1 https://blog.torproject.org/new-release-tor-browser-901 This release fixes regressions and improves upon our 9.0 release.

Upcoming Events with Tor

V Jornades Internacionals de dones en el sector TIC. Barcelona, Spain. 22 November 2019. https://blog.torproject.org/events/v-jornades-internacionals-de-dones-en-el-sector-tic-barcelona

WoSec and InfoSecGirls Workshop. Pune, India. 30 November 2019. https://blog.torproject.org/events/wosec-and-infosecgirls-workshop-pune

Reproducible Builds Summit. Marrakesh, Morocco. 3-5 December 2019. https://blog.torproject.org/events/reproducible-builds-summit-marrakesh-2019

Hackers Next Door. Brooklyn, New York. 14-15 December 2019. https://blog.torproject.org/events/hackers-next-door-brooklyn

What We're Reading

Federal Court Rules Suspicionless Searches of Travelers' Phones and Laptops Unconstitutional. EFF. "In a major victory for privacy rights at the border, a federal court in Boston ruled today that suspicionless searches of travelers' electronic devices by federal agents at airports and other U.S. ports of entry are unconstitutional." https://www.eff.org/press/releases/federal-court-rules-suspicionless-searches-travelers-phones-and-laptops
