Planet Tor

@blog November 6, 2023 - 00:00 • 5 days ago
New Release: Tor Browser 13.0.3 (Android)

Tor Browser 13.0.3 is now available from the Tor Browser download page and also from our distribution directory.

This is an emergency release which resolves a critical bug in the tor domain isolation system initialization. Please see tor-browser#42222 for more details.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.0.2 is:

...
@blog November 2, 2023 - 00:00 • 9 days ago
New Alpha Release: Tor Browser 13.5a1

Tor Browser 13.5a1 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 115.4.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 119.

The full changelog since Tor Browser 13.0a6 is:

...
@blog November 1, 2023 - 00:00 • 10 days ago
Who do you help when you support the Tor Project?

Right now, the Tor network, Tor Browser, onion services, Snowflake, and the ecosystem of tools and services built and maintained by the Tor Project are protecting the privacy of millions of people. Because of the way the Tor network and all Tor tools are designed, there’s no way for us to know what users are doing from a technical perspective. (That’s privacy by design.) Instead, in order to understand how different people use Tor, we ask! And in this blog post, we’re highlighting just some of the stories Tor users have shared with us (explicitly, with consent) about how Tor makes a difference in their lives.

Who you help when you power Tor with a donation

My parents were very strict. They used to look through my browsing history… I wasn't doing anything wrong, but I didn't like that. Tor helped me very much. I educated myself… It got me out of the social bubble and I was able to get insights, ideas, and views from many different social groups. I would never be free without Tor. And I am not talking just about digital freedom. I am talking about physical freedom as well.

[Tor] helped us Iranians a lot in this systematic internet censorship in Iran. I use Orbot and voice my protest against the Iranian government and I get access to the real news of developments. On behalf of myself and all the people of Iran, I am grateful.

I started using Tor when I suddenly saw ads for travel agencies on unrelated sites after I was looking into flight options. I was really disgusted with how my search history from one website got shared to another website just to show me tailored ads. To prevent this from happening again in the future, I started using Tor. Tor nowadays just gives me peace of mind.

Image of anonymous user story 1

Tor has allowed me to freely express myself as a transgender lesbian while keeping my online identities separate from work, family, and most friends.

Tor helps me bypass blocking and get more privacy. For example, many wonderful websites, such as foreign services or the websites of the Russian opposition, have been blocked.... Luckily, with Tor I can access this… without it, many very important sources of useful information would be inaccessible.

Tor Browser / Orbot / Tails helped me so much during the 2019-2020 Hong Kong protests as a pro-democracy activist in Hong Kong. It allowed me to read / write / organize freely during the protests.

Image of anonymous user story 2

How to contribute

Make a donation:

This year, more than ever, we need those who can make a donation to the Tor Project to do so. The demand for strong privacy online is mounting, and as a small organization, every donation makes a difference. If you value the privacy that Tor provides to yourself or to the people like we've featured in this blog post, please make a donation today.

Donate Button

Share your story:

We know that especially this year, resources are stretched thin, and not everybody is in a position to donate money. But you can contribute in a meaningful way, by participating in our recent survey and sharing your story.

We’ve launched a new survey designed to help us learn more about common beliefs and attitudes towards encryption, its importance in your day-to-day online interactions, and how it affects your trust in digital communication technologies.

Your participation is priceless and will go a long way in ensuring the success and relevance of our outreach and advocacy efforts. Please be as specific as you can without putting yourself at risk.

Thank you!

...
@blog October 31, 2023 - 00:00 • 11 days ago
Arti 1.1.10 is released: Assembling the onions

Arti is our ongoing project to create a next-generation Tor client in Rust. Now we're announcing the latest release, Arti 1.1.10

Arti 1.1.10 continues work on support for onion services in arti. And we are so very close! With this release, we can (technically) run as an onion service... though not yet in a useful way. (Onion services don't yet recover correctly after a restart, outdated keys are not removed, and we are missing other important security features.) You can find a list of what we still need to do on the bugtracker.

For full details on what we've done, and for information about many smaller and less visible changes as well, please see the CHANGELOG.

For more information on using Arti, see our top-level README, and the documentation for the arti binary.

Thanks to everybody who's contributed to this release, including Alexander Færøy, Emil Engler, gil, halcyon, Jani Monoses, Jim Newsome, LowLandMink543, Neel Chauhan, and Trinity Pointard!

Also, our deep thanks to Zcash Community Grants and our other sponsors for funding the development of Arti!

...
@blog October 31, 2023 - 00:00 • 11 days ago
New Release: Tails 5.19

New features

Closing a Tor circuit from Onion Circuits

You can now close a given Tor circuit from the Onion Circuits interface. This can help replace a particularly slow Tor circuit or troubleshoot issues on the Tor network.

Addition of sq-keyring-linter

At the request of people who use SecureDrop to provide secure whistleblowing platforms across the world, we added the sq- keyring-linter package. sq-keyring-linter improves the cryptographic parameters of PGP keys stored in their airgapped machines.

Changes and updates

  • Update Tor Browser to 13.0.1.

  • Update the Tor client to 0.4.8.7.

  • Update Thunderbird to 115.4.1.

  • Update the Linux kernel to 6.1.55.

Fixed problems

For more details, read our changelog.

Known issues

None specific to this release.

See the list of long-standing issues.

Get Tails 5.19

To upgrade your Tails USB stick and keep your Persistent Storage

  • Automatic upgrades are available from Tails 5.0 or later to 5.19.

You can reduce the size of the download of future automatic upgrades by doing a manual upgrade to the latest version.

  • If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.

To install Tails on a new USB stick

Follow our installation instructions:

The Persistent Storage on the USB stick will be lost if you install instead of upgrading.

To download only

If you don't need installation or upgrade instructions, you can download Tails 5.19 directly:

Support and feedback

For support and feedback, visit the Support section on the Tails website.

...
@blog October 27, 2023 - 00:00 • 15 days ago
New Release: Tor Browser 13.0.2 (Android)

Tor Browser 13.0.2 is now available from the Tor Browser download page and also from our distribution directory.

This release is identical to our 13.0.1 release, but fixes an issue with the Android apk version-code which collided with our 13.0 releases. This colliding version code prevented us from publishing to Google Play, so we have built 13.0.2 with an empty commit in order to generate a new non-colliding version code.

A long-term fix to our build-system to handle this case is being tracked in tor-browser-build#40992.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.0.1 is:

  • Android
    • Bump firefox-android commit to generate new version code to allow uploading to Google Play (see tor-browser-build#40992)
...
@blog October 25, 2023 - 00:00 • 17 days ago
New Release: Tor Browser 13.0.1

Tor Browser 13.0.1 is now available from the Tor Browser download page and also from our distribution directory.

This release backports important security updates from Firefox 115.4.0esr and

This release updates Firefox to 115.4.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 119.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.0 is:

...
@blog October 25, 2023 - 00:00 • 17 days ago
Putting Censorship Circumvention to the Test: Security Audit Findings

Helping users bypass internet censorship and ensuring their online safety and security is at the core of everything we do. To protect the communities we serve, we want to ensure that our technologies are resilient against threats and attacks. To put our efforts to the test, we've tasked Cure53 to perform a security audit of Tor Browser and other tools related to censorship circumvention.

Security audits are important, they uncover blind spots, peel back assumptions, and show us ways to improve our overall security posture. A series of penetration tests and code audits were performed specifically targeting methods by which users connect to bridges in Tor Browser, as well as OONI Probe, rdsys, BridgeDB and Conjure.

We invite you to read the full report, the testing period covered 72 days between November 2022 and April 2023 and was followed by a period of issue mitigation.

Overview of Findings

The auditors remarked that although the scope was large, the number of issues uncovered was low, and that Tor in general adopts "an admirably robust and hardened security posture and sound design decisions." The auditor further said our code was written to a "first-rate standard and conformed to secure coding practices", and that we have adopted highly-advanced and deliberately security focused building processes around Tor Browser because of our reproducible builds, build signing, and more. "All which contribute towards considerable defense-in-depth security posture." They concluded that the components they audited are in a healthy state from a security stand-point.

The audit outlined vulnerabilities, weaknesses and a couple of high-severity issues, alongside a set of recommended fixes and hardening guidance. Overall, the Tor Browser received a positive and satisfactory rating, proving it is "sufficiently robust and hardened against a multitude of common threats and attack vectors."

Tor Browser & Censorship Circumvention Assessment

Most of the key findings were confined to vulnerable code snippets or did not provide an easy method of exploitation. However, two high-severity issues were discovered that have subsequently been mitigated by the Tor Project following the recommendations from the assessment. The rdsys source code lacked authentication for the resource registration endpoint, previously allowing adversaries to register arbitrary malicious resources for distribution to users. Furthermore, the bridge list returned by rdsys/BridgeDB to the Tor Browser prior to Tor network connectivity wasn't cryptographically signed, providing a possible exploit for malicious actors eavesdropping on the connection or with access to the server providing the bridge list. To mitigate these issues, robust authentication mechanisms for all endpoints were implemented as well as cryptographic means to verify Tor as the distributor, reducing the risk of tampering and unauthorized access respectively.

Despite discovering nineteen issues, which is typical for a project of this scale, the Tor Browser and its ecosystem are considered secure.  Since in some instances the Tor Project relies on third-party libraries, Tor's security is dependent on maintaining and regularly updating those to address any emerging security issues.

Looking ahead, we intend to continue to conduct regular security assessments, and share them with you. These assessments will help maintain and enhance overall security of the Tor ecosystem.

Tor Browser UI Assessment

Recent changes to the Tor Browser's user interface (UI) aimed at improving usability have prompted us to seek another security assessment to ensure that these changes had not inadvertently introduced any security vulnerabilities. While the assessment uncovered some noteworthy findings, none of them posed immediate threats to user privacy and security, but rather offered valuable insights for future development to further strengthen Tor Browser's security: "Of the seven security-related discoveries, three were classified as security vulnerabilities and four were categorized as general weaknesses with lower exploitation potential."

The identified vulnerabilities included the ability for malicious actors to trick users into running JavaScript despite enabling the highest security level, the potential for malicious pages to download an unlimited number of files to the user's download folder, and potential information leaks via custom homepages allowing threat actors to track users across restarts.

All of these vulnerabilities have subsequently been addressed and mitigated by adjusting the data URI protections related to the security levels, and now prompting the user to actively grant permission if they wish to initiate multiple downloads. The report concluded that the recent UI changes did not compromise Tor Browser's overall security. For a comprehensive overview of the findings, you can download that report here.

We would like to thank Cure53 for performing the audit and their excellent collaboration and communication throughout the process.

...
@meejah October 22, 2023 - 00:00 • 20 days ago
Wizard Gardens
A vision for the magic-wormhole ecosystem ...
@blog October 21, 2023 - 00:00 • 21 days ago
Global Encryption Day: Encryption's Critical Role in Safeguarding Human Rights

Today, October 21, 2023, is the third Global Encryption Day, organized by the Global Encryption Coalition, of which the Tor Project is a member. Global Encryption Day is an opportunity for businesses, civil society organizations, technologists, and millions of Internet users worldwide to highlight why encryption matters and to advocate for its advancement and protection.

Needless to say, fighting for the protection of encryption is a topic for us 365 days a year. But we want to use this day to reflect on some of the efforts we have initiated or supported in 2023 to ensure access to encryption and push back against government efforts that seek to undermine it - from signing letters and supporting ally organizations on a number of advocacy and awareness campaigns to expanding our outreach and training efforts or localizing educational content.

Encryption's Critical Role in Safeguarding Human Rights

Most recently, we co-organized and co-hosted a workshop at the Internet Governance Forum (IGF) - an annual meeting established by the United Nations in 2005 as a forum for multi-stakeholder dialogue concerning public policy issues relating to the internet. The panel entitled Encryption's Critical Role in Safeguarding Human Rights brought together professionals from the technology, non-profit, policy, human rights and advocacy spaces to discuss balancing the demands of national security with the protection of individual privacy, adherence to international human rights laws and seeking a global approach.

The debate underscored the importance of international collaboration and respecting international standards and human rights principles to navigate the complexities of encryption and content moderation, pushing back against the weakening of encryption and the proliferation of surveillance technologies that have been used against human rights activists, journalists, and members of the civil society. The panelists called for education, including training and capacity-building of policymakers, and the normalization of encryption in creating a safer online environment for all users. Tech companies must play a role in protecting user privacy while addressing legitimate concerns related to content moderation, including the ability for safe and responsive reporting channels for users that do not compromise encryption and acknowledging the limitations of AI. By offering end-to-end encryption they can give power back to the users and simultaneously simplify their regulatory burden.

Two key takeaways and calls for action from our discussion have already been reflected in the first draft of IGF messaging outcomes "intended to provide a high-level overview for decision-makers of the most current thinking on key Internet governance and digital policy issues."

HUMAN RIGHTS AND FREEDOMS

  • "Policymakers need to improve their understanding of Internet technologies, the infrastructure underpinning them, their modalities and business models if they are to make informed policy decisions and design appropriate regulatory frameworks. Greater transparency on the part of businesses and other stakeholders can help to achieve this."

  • "Technology is not confined by geographic boundaries. Laws and regulations governing the use of technology in areas such as encryption should be consistent with international standards and norms concerned with privacy, freedom of expression, due process and access to information."

If you're interested to find out what other measures and recommendations to policymakers were proposed, check out the full session recording here.

The Tor Project's mission is to advance Human Rights. For us that means not only by building and deploying technology, but also by advocating for the protection and unrestricted availability of privacy-preserving technologies like encryption. We are connecting with people all around the world and supporting them to use the internet safely and freely to achieve this mission.

Ways to contribute

If you're reading this and want to support the work we are doing to ensure that the Tor Project remains strong on an organizational level, and that the ecosystem of Tor services and tools continue to reach the people who need privacy online the most, please consider making a donation today.

...
@blog October 18, 2023 - 00:00 • 24 days ago
Torbutton has retired

Once upon a time, the Tor Browser Bundle was an actual bundle. It included Firefox, the Tor daemon, and Torbutton, the extension to turn on and off the Tor mode in the browser.

This toggle model was not great and extremely confusing to some users. This and other problems led to the creation of Tor Browser: this article contains more details about this story.

From a technical point of view, Torbutton did not really go away. The visible button disappeared, but much of the related code remained.

Part of the state isolation code was not necessary anymore because Tor Browser always runs in private browsing mode or was dropped over the years thanks to Firefox improvements and the Tor Uplift initiative. However, the circuit display, the first-party domain circuit isolation, and other parts of the existing code were still needed. As a result, Torbutton continued to live for many years as a Tor Browser-only built-in extension on its separate repository and included in the browser with git submodules (even though the browser was non-functional without it). New patches and functionalities were written in the Firefox code that constitutes Tor Browser, and the Torbutton code was changed only to fix existing bugs or to keep it working in new versions of Firefox.

Similarly, Tor Launcher was the extension that showed the connection window before opening the browser.

However, we wanted to merge the codebases to more easily maintain and improve them and create a better UX. So, version by version, we replaced or refactored and integrated the various components.

Tor Browser 8.5 turned Torbutton's security slider into the security level accessible through about:preferences. Version 10.5 moved the connection workflow inside the browser. However, it still used Tor Launcher as a backend. We completely refactored and merged it with the rest of the browser code in version 12.0. In the same version, we did the same for the new identity functionality and the security level backend. In our previous major, 12.5, we reimplemented the circuit display and the download warning.

For the just-released 13.0, we decided to accelerate the pace and remove all the legacy code we still had from Torbutton.

One of the main reasons is that the Tor daemon will eventually be replaced with Arti, the new implementation written in Rust. Its control interface is more modern and incompatible with the legacy implementation. However, we expect to support both configurations for a while.

So, we decided to create an abstraction focused on the browser's needs and a first concrete implementation for the control port protocol understood by C-tor. The transition is intended to be seamless, and users should not even notice it in our ambitions 😁️. So far, we have not received feedback about regressions due to the change.

A few references to the Torbutton name are still in 13.0: traditionally, the two extensions also included our translation files. Replacing them is the last step to remove these final references. We plan to do so with the migration to Fluent, the most recent and preferred format used by Firefox, but something for 13.5.

In the meantime, we are eager to hear your feedback! Please let us know if you find any problems in our forum or in our bug tracker.

...
@blog October 16, 2023 - 00:00 • 26 days ago
If you value Tor, please make a donation

Right now, the Tor network, Tor Browser, onion services, Snowflake, and the ecosystem of tools and services built and maintained by the Tor Project are protecting the privacy of millions of people. Because the Tor Project is a nonprofit, this work is powered by donations from our community – by you.

In that vein, today we're launching our annual fundraising campaign. If you've been a Tor supporter for a while, you probably know that this is the moment we add a new message to about:tor, a banner to the torproject.org sites, and use our social channels to highlight how your support empowers people all over the world to exercise their right to privacy. 

This year we're keeping our message simple: if you value the privacy that Tor provides to yourself or to other people, please make a donation. Your support ensures that the Tor Project remains strong on an organizational level, and that the ecosystem of Tor services and tools continue to reach the people who need privacy online the most.

From Tor Browser to Onion Services to bridges, user and community support to dedicated anti-censorship teams, we are set up to quickly spring into action when the need arises. Help us keep it that way!

The Tor Project faces some unprecedented challenges this year.

Last year, charitable giving from individuals from the U.S. decreased by 10.5% compared to the year prior---this has only happened four times in U.S. history since 1956. We can confirm that this trend is real, and we've seen it continue throughout 2023 and across our network of global supporters. Widespread tech-sector layoffs also mean that hundreds of thousands of people have unexpectedly lost their jobs---and this has disproportionately impacted our community. We know now is a difficult time for many people who use and love Tor.

Even in difficult economic conditions, Tor is and will always be free. Unrestricted access to the technology we create is part of our mission. But the challenges of 2023 and beyond mean that if you are in the position to donate this year, your support is more vital than ever. 

If you value the privacy that Tor offers yourself and others, please make a donation today. Your contribution will help ensure Tor continues to provide online privacy to everyone who needs it, and help us reach our ambitious goals during a difficult economic time.

Tor is free and always will be

Ways to contribute

User quote: "I don't want to live in a world where everything I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded. Thank you, Tor Project."

...
@ooni October 16, 2023 - 00:00 • 26 days ago
OONI Community Interviews: Siti Nurliza
Today we are thrilled to publish an interview with Siti Nurliza: a talented data analyst and technologist with Sinar Project, one of our most dedicated and long-term partners who have led OONI censorship measurement efforts in Southeast Asia for more than 6 years! Sinar Project is a civic tech initiative using open technology, open data and policy analysis to systematically make important information public and more accessible to the Malaysian people. ...
@blog October 12, 2023 - 00:00 • 30 days ago
New release: Tor Browser 13.0

Tor Browser 13.0 is now available from the Tor Browser download page and our distribution directory.

This is our first stable release based on Firefox ESR 115, incorporating a year's worth of changes shipped upstream. As part of this process we've also completed our annual ESR transition audit, where we review Firefox's changelog for issues that may negatively affect the privacy and security of Tor Browser users and disable any problematic patches where necessary. Our final reports from this audit are now available in the tor-browser-spec repository on our Gitlab instance.

Particularly notable are the accessibility improvements we've gained as a result of the transition to Firefox ESR 115. While eagle-eyed users may notice small visual changes to the user interface (for example, internal links are now underlined), Tor Browser 13.0 is our first release to inherit the redesigned accessibility engine introduced by Mozilla in Firefox 113. This change promises to improve performance significantly for people who use screen readers and other assistive technology.

What's new?

Refreshed application icons

Earlier this year we spent some time artworking the Mullvad Browser logo into the various assets needed to support its release – including application, installer and document icons that conform to each platform's conventions. While getting up to speed with the current requirements for each platform, we identified a number of gaps with Tor Browser too, and started working on new icons for Tor Browser in parallel.

For context, Tor Browser's current icon (sometimes referred to as the "onion logo") was selected by community poll over four years ago to succeed the older purple and green globe in Tor Browser 8.5. Given the community's involvement in its selection, its recognizability by netizens, and the simple fact that we still love the existing icon, we chose to focus on refining rather than replacing it entirely.

One of the motivations behind work like this is our philosophy that privacy-preserving products shouldn't be purely utilitarian, but can also spark joy. However there are practical benefits too: adhering to platform conventions provides better consistency, discernible application and installer icons help prevent user error, and attracting new users benefits everyone because anonymity loves company.

New application icons for each release channel

New homepage

For the past year we've been working on a significant rewrite of Tor Browser's back-end, which recently provided us with the opportunity to rebuild one of the few internal pages that hasn't changed in a while: the homepage (often referred to by its internal reference, "about:tor"). Tor Browser 13.0's homepage now features the new application icons, a simplified design, and the ability to "onionize" your DuckDuckGo searches by switching to the DuckDuckGo onion site. Continuing the work that began in Tor Browser 12.5 to improve the browser's accessibility, the redesigned homepage also offers better support for users of screen readers and other assistive technology too.

Existing Tor Browser users can rejoice that the "red screen of death" – an infamous error state that the previous homepage would occasionally trip itself into – is long gone. As part of the back-end rewrite we've removed the automatic Tor network connectivity check that was a hold-over from the legacy tor-launcher, where bootstrapping was handled by an extension that ran before the browser interface appeared. As a result of the tighter tor integration and in-browser bootstrapping experience introduced in Tor Browser 10.5, the old logic behind this check would often fail and present some users with the red screen of death, even if their connection was fine.

In fact, all of the reports we've received of users hitting this screen with the default tor configuration since Tor Browser 10.5 have proven to be false positives, causing undue alarm. Although the check is arguably still useful for users running non-default configurations, neither of the main environments which do so – Tails and Whonix – use about:tor as their default new-tab or home pages. For everyone else, we've added a new banner to the redesigned homepage in place of the red screen of death to check that tor is connected and working as expected.

Screenshot of the new homepage in Tor Browser 13.0

Bigger new windows

The explanation for how and why Tor Browser works this way is going to get into the weeds a little, so be warned. However the main thing to take away is that new windows should be bigger by default and present themselves in a more useful landscape aspect-ratio for the majority of desktop users in Tor Browser 13.0. Now, about those weeds...

Letterboxing was introduced in Tor Browser 9.0 to allow users to resize their browser window without fear of being fingerprinted by rounding the inner content window (sometimes referred to as the "viewport") down to multiples of 200 x 100 pixels. This technique works by grouping the window sizes of most users into a series of common "buckets", protecting individual users within those buckets from being singled-out based on their window or screen size.

In order to preserve these protections when opening new windows, Tor Browser overrides platform defaults and will instead select a size that conforms to our letterboxing steps up to a maximum of 1000 x 1000 pixels. However, while that may have been fine in the past, a max width of 1000px is no longer suitable for the modern web. For example, on many newer websites the first responsive break point lies somewhere in the range of 1000 – 1200px, meaning by default Tor Browser users would receive website menus and layouts intended for tablet and mobile devices. Alternatively, on certain websites, users would receive the desktop version but with the annoyance of a horizontal scroll bar instead. This, naturally, would lead to users of these websites needing to expand each new window manually before it's usable.

In response we've bumped up the max size of new windows up to 1400 x 900 pixels and amended the letterboxing steps to match. Thanks to the increase in width, Tor Browser for desktop should no longer trigger responsive break points on larger screens and the vast majority of our desktop users will see a familiar landscape aspect-ratio more in-keeping with modern browsers. This particular size was chosen by crunching the numbers to offer greater real estate for new windows without increasing the number of buckets past the point of their usefulness. As an added bonus, we also expect that Tor Browser users will not feel the need to manually change their window size as frequently as before – thereby keeping more users aligned to the default buckets.

Illustration that visualizes the increased width of new windows in Tor Browser

Technical notes

We're pleased to report that we've made the naming scheme for all our build outputs mutually consistent. Essentially, this means that going forward the names of all our build artifacts should follow the format ${ARTIFACT}-${OS}-${ARCH}-${VERSION}.${EXT}. For example, the macOS .dmg package for 12.5 was named TorBrowser-12.5-macos_ALL.dmg, whereas for 13.0 it's named tor-browser-macos-13.0.dmg.

If you are a downstream packager or download Tor Browser artifacts using scripts or automation, you'll need to do a little more work beyond just bumping the version number to support this and future releases.

Contributions 💜

Thanks to all of the teams across Tor, and the wider community, who contributed to this release. In particular we'd like to extend our gratitude to the following volunteers who have contributed their expertise, labour, and time to this release:

  • anonym
  • cypherpunks1
  • Fabrizio
  • FlexFoot
  • guest475646844
  • honorton
  • ilf
  • JeremyRand
  • nervuri
  • Rusty Bird
  • shanzhanz
  • thorin
  • trinity-1686a

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 12.5.6 is:

...
@blog October 3, 2023 - 00:00 • 1 months ago
Arti 1.1.9 is released: Assembling the onions

Arti is our ongoing project to create a next-generation Tor client in Rust. Now we're announcing the latest release, Arti 1.1.9.

Arti 1.1.9 continues work on support for onion services in arti. We now have the code needed to publish onion service descriptors; keep them up-to-date with changes and our introduction points; receive, decrypt, process, and answer introduction requests; and respond to them by delivering traffic to local ports. The pieces are now (mostly) connected; the next month of development will see extensive testing, bugfixing, and refinement.

For full details, and for information about many smaller and less visible changes as well; for those, please see the CHANGELOG.

For more information on using Arti, see our top-level README, and the documentation for the arti binary.

Thanks to everybody who's contributed to this release, including Emil Engler and Saksham Mittal!

Also, our deep thanks to Zcash Community Grants and our other sponsors for funding the development of Arti!

...
@blog September 30, 2023 - 00:00 • 1 months ago
A closer look at online privacy: new Tor tutorials

At Tor, we're always looking for ways to empower more people to access the unrestricted internet and defend against surveillance and censorship with our digital tools. To achieve this goal, we've taken significant steps to ensure that our tools are user-friendly and accessible to a wide audience. That includes localization of our offering into as many languages as possible.

As part of a recently completed project, we've made Tor Browser, Tor circumvention tools, Tor documentation and training materials, and OnionShare available in Arabic, Chinese, and Swahili. Additionally, we've developed short, localized, and easy-to-digest explainer videos that guide users on how to access the Tor network, bypass censorship, and share files securely and anonymously.

Think using Tor is difficult? Think again!

Our focus is not solely on developing anti-censorship and anti-surveillance technology, but also on increasing awareness of these tools. The video series was designed to showcase the ease-of-use of our most popular tools and combat misconceptions about their everyday use. They serve as user-friendly guides on how to incorporate these tools into daily life and are crucial building blocks in our coordinated approach to reaching activists, journalists, human rights defenders and civil society groups.

If you've ever been asked how Tor Browser works, or wanted to learn about censorship circumvention tools like Bridges and how to anonymously share files, our how-to videos can help you get started easily. Please feel free to use these videos in your own outreach and advocacy work, and share them with anyone interested in learning more about safeguarding their online privacy and security with Tor.

We would like to thank the International Republican Institute (IRI) for sponsoring this project and helping us further reduce barriers to the adoption of our technology among vulnerable communities. Localizing our technology and its supporting documentation, including videos like these, are valuable additions to our outreach and training efforts.

...
@blog September 29, 2023 - 00:00 • 1 months ago
New Release: Tor Browser 12.5.6

Tor Browser 12.5.6 is now available from the Tor Browser download page and also from our distribution directory.

This release backports important security updates from Firefox 115.3.1.0esr.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 12.5.5 is:

...
@blog September 29, 2023 - 00:00 • 1 months ago
New Alpha Release: Tor Browser 13.0a6 (Android, Windows, macOS, Linux)

Tor Browser 13.0a6 is now available from the Tor Browser download page and also from our distribution directory.

This release backports important security fixes from Firefox 115.3.1. There were no Android-specific security backports from Firefox 115.3.0.

Major Changes

This is our sixth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. It is also our first release-candidate build for 13.0 stable. If you find any issues, please report them on our gitlab or on the Tor Project forum.

We have completed our annual esr transition audit, and the final reports should be available in our tor-browser-spec repository in the audits directory. All of the interesting upstream patches have either been disabled or found to not be a problem for us on closer inspection.

Build Output Naming Updates

As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory

Full changelog

We would like to thank volunteer contributor guest475646844 for their fix for tor-browser#41165. If you would like to contribute, our issue tracker can be found here.

The full changelog since Tor Browser 13.0a5 is:

...
@anarcat September 27, 2023 - 02:23 • 1 months ago
How big is Debian?

Now this was quite a tease! For those who haven't seen it, I encourage you to check it out, it has a nice photo of a Debian t-shirt I did not know about, to quote the Fine Article:

Today, when going through a box of old T-shirts, I found the shirt I was looking for to bring to the occasion: [...]

For the benefit of people who read this using a non-image-displaying browser or RSS client, they are respectively:

   10 years
  100 countries
 1000 maintainers
10000 packages

and

        1 project
       10 architectures
      100 countries
     1000 maintainers
    10000 packages
   100000 bugs fixed
  1000000 installations
 10000000 users
100000000 lines of code

20 years ago we celebrated eating grilled meat at J0rd1’s house. This year, we had vegan tostadas in the menu. And maybe we are no longer that young, but we are still very proud and happy of our project!

Now… How would numbers line up today for Debian, 20 years later? Have we managed to get the “bugs fixed” line increase by a factor of 10? Quite probably, the lines of code we also have, and I can only guess the number of users and installations, which was already just a wild guess back then, might have multiplied by over 10, at least if we count indirect users and installs as well…

Now I don't know about you, but I really expected someone to come up with an answer to this, directly on Debian Planet! I have patiently waited for such an answer but enough is enough, I'm a Debian member, surely I can cull all of this together. So, low and behold, here are the actual numbers from 2023!

  • 1 project: unchanged, although we could count 129 derivatives in the current census

  • ~10 architectures: number almost unchanged, but the actual architectures are of course different (woody released with i386, m68k, Alpha, SPARC, PowerPC, ARM, IA-64, hppa, mips, s390; while bookworm released with actually 9 supported architectures instead of 10: i386, amd64, aarch64, armel, armhf, mipsel, mips64el, ppc64el, s390x)

  • ~100 countries: actually 63 now, but I suspect we were generously rounding up last time as well (extracted with ldapsearch -b ou=users,dc=debian,dc=org -D uid=anarcat,ou=users,dc=debian,dc=org -ZZ -vLxW '(c=*)' c | grep ^c: | sort | uniq -c | sort -n | wc -l on coccia)

  • ~1000 maintainers: amazingly, almost unchanged (according to the last DPL vote, there were 831 DDs in 2003 and 996 in the last vote)

  • 35000 packages: that number obviously increased quite a bit, but according to sources.debian.org, woody released with 5580 source packages and bookworm with 34782 source packages and according to UDD, there are actually 200k+ binary packages ( SELECT COUNT(DISTINCT package) FROM all_packages; => 211151)

  • 1 000 000+ (OVER ONE MILLION!) bugs fixed! now that number grew by a whole order of magnitude, incredibly (934809 done, 16 fixed, 7595 forwarded, 82492 pending, 938 pending-fixed, according to UDD again, SELECT COUNT(id),status FROM all_bugs GROUP BY status;)

  • ~1 000 000 installations (?): that one is hard to call. popcon has 225419 recorded installs, but it is likely an underestimate - hard to count

  • how many users? even harder, we were claiming ten million users then, how many now? how can we even begin to tell, with Debian running on the space station?

  • 1 000 000 000+ (OVER ONE BILLION!) lines of code: that, interestingly, has also grown by an order of magnitude, from 100M to 1B lines of code, again according to sources.debian.org, woody shipped with 143M lines of codes and bookworm with 1.3 billion lines of code

So it doesn't line up as nicely, but it looks something like this:

         1 project
        10 architectures
        30 years
       100 countries (actually 63, but we'd like to have yours!)
      1000 maintainers (yep, still there!)
     35000 packages
    211000 *binary* packages
   1000000 bugs fixed
1000000000 lines of code
 uncounted installations and users, we don't track you

So maybe the the more accurate, rounding to the nearest logarithm, would look something like:

         1 project
        10 architectures
       100 countries (actually 63, but we'd like to have yours!)
      1000 maintainers (yep, still there!)
    100000 packages
   1000000 bugs fixed
1000000000 lines of code
 uncounted installations and users, we don't track you

I really like how the "packages" and "bugs fixed" still have an order of magnitude between them there, but that the "bugs fixed" vs "lines of code" have an extra order of magnitude, that is we have fixed ten times less bugs per line of code since we last did this count, 20 years ago.

Also, I am tempted to put 100 years in there, but that would be rounding up too much. Let's give it another 30 years first.

Hopefully, some real scientist is going to balk at this crude methodology and come up with some more interesting numbers for the next t-shirt. Otherwise I'm available for bar mitzvahs and children parties.

...
@blog September 26, 2023 - 00:00 • 2 months ago
New Release: Tor Browser 12.5.5

Tor Browser 12.5.5 is now available from the Tor Browser download page and also from our distribution directory.

This release backports important security updates from Firefox 115.3.0esr. We also backported the Android-specific security updates from Firefox 118.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 12.5.4 is:

  • All Platforms
    • Updated tor to 0.4.7.15
    • Updated NoScript to 11.4.27
    • Updated Translations
    • Bug tor-browser#42120: Use foursquare as domain front for snowflake
    • Bug tor-browser#42123: Backport security fixes from Firefox 118 to ESR 102.15 / 115.3 - based Tor Browser
  • Windows + macOS + Linux
...
@kushal September 25, 2023 - 09:23 • 2 months ago
Documentation of Puppet code using sphinx

Sphinx is the primary documentation tooling for most of my projects. I use it for the Linux command line book too. Last Friday while in a chat with Leif about documenting all of our puppet codebase, I thought of mixing these too.

Now puppet already has a tool to generate documentation from it's code, called puppet strings. We can use that to generate markdown output and then use the same in sphix for the final HTML output.

I am using https://github.com/simp/pupmod-simp-simplib as the example puppet code as it comes with good amount of reference documentation.

Install puppet strings and the dependencies

$ gem install yard puppet-strings

Then cloning puppet codebase.

$ git clone https://github.com/simp/pupmod-simp-simplib

Finally generating the initial markdown output.

$ puppet strings generate --format markdown --out simplib.md
Files                     161
Modules                   3 (3 undocumented)
Classes                   0 (0 undocumented)
Constants                 0 (0 undocumented)
Attributes                0 (0 undocumented)
Methods                   5 (0 undocumented)
Puppet Tasks              0 (0 undocumented)
Puppet Types              7 (0 undocumented)
Puppet Providers          8 (0 undocumented)
Puppet Plans              0 (0 undocumented)
Puppet Classes            2 (0 undocumented)
Puppet Data Type Aliases  73 (0 undocumented)
Puppet Defined Types      1 (0 undocumented)
Puppet Data Types         0 (0 undocumented)
Puppet Functions          68 (0 undocumented)
 98.20% documented

sphinx setup

python3 -m venv .venv
source .venv/bin/activate
python3 -m pip install sphinx myst_parser

After that create a standard sphinx project or use your existing one, and update the conf.py with the following.

extensions = ["myst_parser"]
source_suffix = {
    '.rst': 'restructuredtext',
    '.txt': 'markdown',
    '.md': 'markdown',
}

Then copy over the generated markdown from the previous step and use sed command to update the title of the document to something better.

$ sed -i '1 s/^.*$/SIMPLIB Documenation/' simplib.md

Don't forget to add the simplib.md file to your index.rst and then build the HTML documentation.

$ make html

We can still improve the markdown generated by the puppet strings command, have to figure out simpler ways to do that part.

Example output

...
@blog September 24, 2023 - 00:00 • 2 months ago
New Alpha Release: Tor Browser 13.0a5 (Android, Windows, macOS, Linux)

Tor Browser 13.0a5 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 115.3.0esr, including bug fixes, stability improvements and important security updates. Android-specific security updates from Firefox 118 are not yet available, but will be part of the next alpha release scheduled for next week.

Major Changes

This is our fifth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our gitlab or on the Tor Project forum.

We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series which will continue to receive security updates until 13.0 alpha is promoted to stable.

Build Output Naming Updates

As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory

Known Issues

All Platforms

The Snowflake pluggable-transport is no longer working for some users due to cdn.sstatic.net resolving to a Cloudflare IP rather than a Fastly one. As a result, the domain fronting functionality required by the Snowflake pluggable-transport no longer works and users will not be able to use it to connect to tor on versions of Tor Browser older than 13.0a5.

For now, this can be worked around by using custom Snowflake bridge lines with an updated fronting domain. Directions on how to do this can be found on this post on the tor forum:

This issue is being tracked here and is fixed in 13.0a5 and will also be fixed in the next stable release. Users who rely on Snowflake for Tor connectivity will not be able to bootstrap and update their Tor Browser instance without the aforementioned manual workaround.

Desktop

The automatic censorship circumvention system is also currently failing due to the same domain-fronting issue affecting snowflake. As a workaround, users can set the extensions.torlauncher.bridgedb_front preference to foursquare.com in Tor Browser's about:config page.

This issue is being tracked here and will be fixed in the next stable and alpha releases.

Full changelog

The full changelog since Tor Browser 13.0a4 is:

...
@kushal September 20, 2023 - 07:26 • 2 months ago
SBOM and vulnerability scanning

Software Bill of Materials became one of the latest buzzword. A lot of people and companies talking about it like a magical thing, if you use it then all of your security problems will be solved, just like what happened with Blockchain!!.

Though a hand full of projects (or companies building those projects) focused on the actual tooling part. Things we can use and see some useful output than blogposts/presentations with fancy graphics.

In this post we will try to see how can we use these tools today (2023/09/20).

SBOM currently comes in two major flavors, SPDX aka Software Package Data Index and CycloneDX. There are existing tooling to convert in between.

Syft

We will use syft from Anchore to generate our SBOM(s).

This tool can generate from various sources, starting from container images to Python projects, RPM/Debian dbs, Rust or Go projects.

Let us generate the SBOM for a Debian 12 VM.

$ syft /var/lib/dpkg -o spdx-json=server.spdx.json --source-name debian12 
 ✔ Indexed file system                                                                                         /var/lib/dpkg
 ✔ Cataloged packages              [395 packages]

For for a Rust project:

$ syft /home/kdas/code/johnnycanencrypt/Cargo.lock -o spdx-json=jce.spdx.json
 ✔ Indexed file system                                                                      /home/kdas/code/johnnycanencrypt
 ✔ Cataloged packages              [203 packages]

We generated the SBOMs. Now this should solve the security issues, isn't?

SBOM joke

I found the above in Matthew Martin's timeline.

Grype

This is where Grype comes handy, it is a vulnerability scanner for container images and filesystems and works with the SBOM(s) generated by syft.

$ grype jce.spdx.json 
 ✔ Vulnerability DB                [updated]  
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]  
   ├── by severity: 0 critical, 0 high, 1 medium, 0 low, 0 negligible
   └── by status:   1 fixed, 0 not-fixed, 0 ignored 
NAME  INSTALLED  FIXED-IN  TYPE        VULNERABILITY        SEVERITY 
time  0.1.45     0.2.23    rust-crate  GHSA-wcg3-cvx6-7396  Medium

And:

grype server.spdx.json 
 ✔ Vulnerability DB                [no update available]  
 ✔ Scanned for vulnerabilities     [178 vulnerability matches]  
   ├── by severity: 6 critical, 136 high, 34 medium, 2 low, 0 negligible
   └── by status:   0 fixed, 178 not-fixed, 0 ignored 
NAME     INSTALLED     FIXED-IN  TYPE  VULNERABILITY     SEVERITY 
file     1:5.44-3                      CVE-2007-1536     High      
git      1:2.39.2-1.1                  CVE-2020-5260     High      
gnupg    2.2.40-1.1                    CVE-2022-3515     Critical  
gnupg    2.2.40-1.1                    CVE-2022-34903    Medium    
gnupg    2.2.40-1.1                    CVE-2022-3219     Low       
openssl  3.0.9-1                       CVE-2023-4807     High      
openssl  3.0.9-1                       CVE-2023-3817     Medium    
openssl  3.0.9-1                       CVE-2023-2975     Medium    
openssl  3.0.9-1                       CVE-2023-1255     Medium    
perl     5.36.0-7                      CVE-2023-31486    High      
perl     5.36.0-7                      CVE-2023-31484    High      
vim      2:9.0.1378-2                  CVE-2022-3520     Critical  
vim      2:9.0.1378-2                  CVE-2022-0318     Critical  
vim      2:9.0.1378-2                  CVE-2017-6350     Critical  
vim      2:9.0.1378-2                  CVE-2017-6349     Critical  
vim      2:9.0.1378-2                  CVE-2017-5953     Critical  
vim      2:9.0.1378-2                  CVE-2023-4781     High      
vim      2:9.0.1378-2                  CVE-2023-4752     High      

<snipped>

Now it is on your team members to decide how to react to information we gather from these tools. The tools themselves will not solve the problems at hand. You have to decide the update steps and if that is at all required or not.

Also please remember, there is and will be a lot of false positives (not in Grype output yet, but other tools in the SBOM ecosystem). The projects (I am talking about in general most of the tooling in this field) are trying hard to reduce these, but not possible always to remove every such edge case.

...
@ooni September 20, 2023 - 00:00 • 2 months ago
Grindr blocked in Jordan: Shrinking LGBTQ spaces
Jordan recently blocked access to Grindr — the world’s largest social networking app for gay, bi, trans, and queer people — adding to the list of social media apps banned in the country, including TikTok and Clubhouse. OONI network measurement data collected from Jordan suggests that ISPs started blocking access to Grindr on August 8th 2023, and that the block remains ongoing. This report shares OONI data on the blocking of Grindr in Jordan. ...