Planet Tor

There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.5.2-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release by mid-December.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. It fixes several bugs present in earlier releases, including one that made it impractical to run relays on Windows. It also adds a few small safety features to improve Tor's behavior in the presence of strange compile-time options, misbehaving proxies, and future versions of OpenSSL.

Changes in version 0.4.5.2-alpha - 2020-11-23

• Major bugfixes (relay, windows):
  • Fix a bug in our implementation of condition variables on Windows. Previously, a relay on Windows would use 100% CPU after running for some time. Because of this change, Tor now require Windows Vista or later to build and run. Fixes bug 30187; bugfix on 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with the introduction of consensus diffs.) Patch by Daniel Pinto.
• Minor features (compilation):
  • Disable deprecation warnings when building with OpenSSL 3.0.0 or later. There are a number of APIs newly deprecated in OpenSSL 3.0.0 that Tor still requires. (A later version of Tor will try to stop depending on these APIs.) Closes ticket 40165.

• Minor features (protocol, proxy support, defense in depth):
  • Respond more deliberately to misbehaving proxies that leave leftover data on their connections, so as to make Tor even less likely to allow the proxies to pass their data off as having come from a relay. Closes ticket 40017.
• Minor features (safety):
  • Log a warning at startup if Tor is built with compile-time options that are likely to make it less stable or reliable. Closes ticket 18888.
• Minor bugfixes (circuit, handshake):
  • In the v3 handshaking code, use connection_or_change_state() to change the state. Previously, we changed the state directly, but this did not pass the state change to the pubsub or channel objects, potentially leading to bugs. Fixes bug 32880; bugfix on 0.2.3.6-alpha. Patch by Neel Chauhan.
• Minor bugfixes (compilation):
  • Use the correct 'ranlib' program when building libtor.a. Previously we used the default ranlib, which broke some kinds of cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
  • Remove a duplicate typedef in metrics_store.c. Fixes bug 40177; bugfix on 0.4.5.1-alpha.
  • When USDT tracing is enabled, and STAP_PROBEV() is missing, don't attempt to build. Linux supports that macro but not the BSDs. Fixes bug 40174; bugfix on 0.4.5.1-alpha.
• Minor bugfixes (configuration):
  • Exit Tor on a misconfiguration when the Bridge line is configured to use a transport but no corresponding ClientTransportPlugin can be found. Prior to this fix, Tor would attempt to connect to the bridge directly without using the transport, making it easier for adversaries to notice the bridge. Fixes bug 25528; bugfix on 0.2.6.1-alpha.
  • Fix an issue where an ORPort was compared with other kinds of ports, when it should have been only checked against other ORPorts. This bug would lead to "DirPort auto" getting ignored. Fixes bug 40195; bugfix on 0.4.5.1-alpha.
  • Fix a bug where a second non-ORPort with a variant family (ex: SocksPort [::1]:9050) would be ignored due to a configuration parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.
• Minor bugfixes (crash, relay, signing key):
  • Avoid assertion failures when we run Tor from the command line with `--key-expiration sign`, but an ORPort is not set. Fixes bug 40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
• Minor bugfixes (logging):
  • Remove trailing whitespace from control event log messages. Fixes bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by Amadeusz Pawlik.
  • Turn warning-level log message about SENDME failure into a debug- level message. (This event can happen naturally, and is no reason for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.
• Minor bugfixes (relay, address discovery):
  • Don't trigger an IP change when no new valid IP can be found. Fixes bug 40071; bugfix on 0.4.5.1-alpha.
  • When attempting to discover our IP, use a simple test circuit, rather than a descriptor fetch: the same address information is present in NETINFO cells, and is better authenticated there. Fixes bug 40071; bugfix on 0.4.5.1-alpha.
• Minor bugfixes (testing):
  • Fix the `config/parse_tcp_proxy_line` test so that it works correctly on systems where the DNS provider hijacks invalid queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
  • Fix unit tests that used newly generated list of routers so that they check them with respect to the date when they were generated, not with respect to the current time. Fixes bug 40187; bugfix on 0.4.5.1-alpha.
  • Fix our Python reference-implementation for the v3 onion service handshake so that it works correctly with the version of hashlib provided by Python 3.9. Fixes part of bug 40179; bugfix on 0.3.1.6-rc.
  • Fix the `tortls/openssl/log_one_error` test to work with OpenSSL 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.
• Removed features (controller):
  • Remove the "GETINFO network-status" controller command. It has been deprecated since 0.3.1.1-alpha. Closes ticket 22473.

Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. It fixes several bugs present in earlier releases, including one that made it impractical to run relays on Windows. It also adds a few small safety features to improve Tor's behavior in the presence of strange compile-time options, misbehaving proxies, and future versions of OpenSSL.

Changes in version 0.4.5.2-alpha - 2020-11-23

• Major bugfixes (relay, windows):
  • Fix a bug in our implementation of condition variables on Windows. Previously, a relay on Windows would use 100% CPU after running for some time. Because of this change, Tor now require Windows Vista or later to build and run. Fixes bug 30187; bugfix on 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with the introduction of consensus diffs.) Patch by Daniel Pinto.
• Minor features (compilation):
  • Disable deprecation warnings when building with OpenSSL 3.0.0 or later. There are a number of APIs newly deprecated in OpenSSL 3.0.0 that Tor still requires. (A later version of Tor will try to stop depending on these APIs.) Closes ticket 40165.

 

• Minor features (protocol, proxy support, defense in depth):
  • Respond more deliberately to misbehaving proxies that leave leftover data on their connections, so as to make Tor even less likely to allow the proxies to pass their data off as having come from a relay. Closes ticket 40017.
• Minor features (safety):
  • Log a warning at startup if Tor is built with compile-time options that are likely to make it less stable or reliable. Closes ticket 18888.
• Minor bugfixes (circuit, handshake):
  • In the v3 handshaking code, use connection_or_change_state() to change the state. Previously, we changed the state directly, but this did not pass the state change to the pubsub or channel objects, potentially leading to bugs. Fixes bug 32880; bugfix on 0.2.3.6-alpha. Patch by Neel Chauhan.
• Minor bugfixes (compilation):
  • Use the correct 'ranlib' program when building libtor.a. Previously we used the default ranlib, which broke some kinds of cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
  • Remove a duplicate typedef in metrics_store.c. Fixes bug 40177; bugfix on 0.4.5.1-alpha.
  • When USDT tracing is enabled, and STAP_PROBEV() is missing, don't attempt to build. Linux supports that macro but not the BSDs. Fixes bug 40174; bugfix on 0.4.5.1-alpha.
• Minor bugfixes (configuration):
  • Exit Tor on a misconfiguration when the Bridge line is configured to use a transport but no corresponding ClientTransportPlugin can be found. Prior to this fix, Tor would attempt to connect to the bridge directly without using the transport, making it easier for adversaries to notice the bridge. Fixes bug 25528; bugfix on 0.2.6.1-alpha.
  • Fix an issue where an ORPort was compared with other kinds of ports, when it should have been only checked against other ORPorts. This bug would lead to "DirPort auto" getting ignored. Fixes bug 40195; bugfix on 0.4.5.1-alpha.
  • Fix a bug where a second non-ORPort with a variant family (ex: SocksPort [::1]:9050) would be ignored due to a configuration parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.
• Minor bugfixes (crash, relay, signing key):
  • Avoid assertion failures when we run Tor from the command line with `--key-expiration sign`, but an ORPort is not set. Fixes bug 40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.
• Minor bugfixes (logging):
  • Remove trailing whitespace from control event log messages. Fixes bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by Amadeusz Pawlik.
  • Turn warning-level log message about SENDME failure into a debug- level message. (This event can happen naturally, and is no reason for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.
• Minor bugfixes (relay, address discovery):
  • Don't trigger an IP change when no new valid IP can be found. Fixes bug 40071; bugfix on 0.4.5.1-alpha.
  • When attempting to discover our IP, use a simple test circuit, rather than a descriptor fetch: the same address information is present in NETINFO cells, and is better authenticated there. Fixes bug 40071; bugfix on 0.4.5.1-alpha.
• Minor bugfixes (testing):
  • Fix the `config/parse_tcp_proxy_line` test so that it works correctly on systems where the DNS provider hijacks invalid queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
  • Fix unit tests that used newly generated list of routers so that they check them with respect to the date when they were generated, not with respect to the current time. Fixes bug 40187; bugfix on 0.4.5.1-alpha.
  • Fix our Python reference-implementation for the v3 onion service handshake so that it works correctly with the version of hashlib provided by Python 3.9. Fixes part of bug 40179; bugfix on 0.3.1.6-rc.
  • Fix the `tortls/openssl/log_one_error` test to work with OpenSSL 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.
• Removed features (controller):
  • Remove the "GETINFO network-status" controller command. It has been deprecated since 0.3.1.1-alpha. Closes ticket 22473.

After completing standard audits for 2017-2018 and for 2019, our federal tax filings and audits are available. We publish all of our related tax documents for transparency.

Specifically, there are four new documents:

• The 2018 Form 990 (our tax document), covering January through June of 2018.
• The 2018 Financial statements and audit results, covering January 2017 through June 2018.
• The 2019 Form 990, covering July 2018 to June 2019.
• The 2019 Financial statements and audit results, covering July 2018 to June 2019.

The reason these documents are no longer tied to calendar years is because in 2017 we changed our fiscal year to be "July through June", since having our fiscal year end right in the middle of fundraising season (Dec 31) makes it harder to plan budgets.

Remember that transparency for a privacy project is not a contradiction: privacy is about choice, and we choose to publish all of these aspects of our work in order to build a stronger community. Transparency is about where the money comes from, but it's also about what we do with it: we show you all of our projects, in source code, and in periodic project and team reports, and in collaborations with researchers who help assess and improve Tor. Transparency also means being clear about our values, promises, and priorities as laid out in our social contract.

The board has also continued to publish minutes for seven board meetings in 2018, six meetings in 2019, and three so far in 2020.

The last few years have been a bit bumpy financially, because we grew to be able to cover more of the Tor ecosystem (which was great), but our expenses grew faster than our income (not so great). That approach is sustainable for a while by spending reserves, but once you're out of reserves the remaining option is to solve it by reducing expenses. You can see part of that arc in the 2017-2019 documents here, and the other half of the arc (the more cheerful half) will be included in the 2020-2021 documents.

One contributing factor to the bumpiness is that we didn't expand our grant writing in 2017 as much as (in retrospect) we should have. This challenge makes it even clearer why being dependent on a small set of funding sources impacts our robustness — a few big grant proposals getting rejected rather than accepted was the difference for 2018. Further amplifying the challenge is that for many funders, the time between proposal and decision can be a full year or more, which makes planning ahead both harder and essential.

Some observations to help you read through the 2018 and 2019 financial documents:

• Tor's revenue for the half-year of 2018 was $1.76 million, and for FY2019 was a bit under $4.9 million. So things have continued to grow, and the hard part is to make sure that revenue and expenses grow together.
• 2019 marks the first year since 2005 (before Tor was incorporated as a non-profit) where more than half our support came from sources other than the US government. In terms of percentages, 2015-2016-2017 were 85%, 76%, and 51% US government sources respectively. For the half-year 2018 it went back up to 70%, but for 2019 the fraction of our funding that came from US government sources dropped all the way to 42%. We should expect this percentage to keep going up and down in the future, but one of our priorities remains to continue working to reduce our reliance on US government sources.
• We also had the highest contributions ever from individuals—$577k—due to the hard work of our fundraising team. Thank you to the broader Tor community for the support! This support is especially valuable because unrestricted donations let us work on the topics and projects that are most important at the time.
• Remember the big picture though: Tor's budget remains modest considering the number of people involved and the impact we have. And it is dwarfed by the budgets that our adversaries are spending to make the world a more dangerous and less free place.
• Check out the comment sections on the previous posts for previous years' versions of the usual "omg government funding" and "omg transparency" discussions. You might find this comment more useful than the rest.
• When people ask me about Tor funding, I explain that we have four categories of funders: (A) Research funding from groups like the National Science Foundation to do fundamental research on privacy and censorship, including studying how to improve Tor's performance and safety, and inventing new censorship circumvention techniques. (B) R&D funding from groups like OTF and DARPA to actually build safer tools. Different funders might have different audiences in mind when they help us make Tor Browser safer and easier to use, but they want the same things out of Tor Browser: in all cases we make all of our work public, and also remember that anonymity loves company. (C) Deployment and teaching funding from organizations like the US State Dept and Sweden's foreign ministry to do in-country security trainings, user-oriented documentation, and otherwise help activists around the world learn how to be safer on the internet. (D) Core organizational support, primarily from individual donations (that's you!), to cover the day-to-day operations of the non-profit, and most importantly to let us spend time on critical tasks that we can't convince a funder to care enough about.
• More generally, I should take a brief moment to explain how funding proposals work, for those who worry that governments come to us wanting to pay us to do something bad. The way it works is that we try to find groups with funding for the general area that we want to work on, and then we go to them with a specific plan for what we'd like to do and how much it will cost, and if we're lucky they say ok. There is never any point where somebody comes to us and says "I'll pay you $X to do Y."
• In half-of-2018 and 2019 we counted $216k and $738k in "donated services," that is, volunteers helping with translations, website hosting, and contributed patches. Thank you!
• The 990 forms have a "Schedule B Contributors" list, which is standard practice for the accountants to anonymize (in case some contributors want to stay anonymous). Here's how they match up to funder names: contributors #1-5 in 2018 correspond to DRL, NSF part one, NSF part two, a grant via NYU for the Library Freedom Project, and Rose Foundation. And contributors #1-5 in 2019 correspond to Mozilla, DRL, NSF, Sida, and the Handshake Foundation.

In closing, remember that there are many different ways to get involved with Tor, and we need your help. For example, you can donate, volunteer, and run a Tor relay. Now is a great time to make a contribution and join our year end campaign and help us resist the surveillance pandemic. Give today, and Friends of Tor will match your donation. Double your impact by making a gift now, and remember, Use a Mask, Use Tor. 

Tor Browser 10.5a4 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release for desktop or Android instead.

This release updates Firefox to 78.5.0esr for desktop and Fenix to 83.0 for Android. Additionally, we update Tor to 0.4.5.1-alpha. This release includes important security updates both for desktop and Android users.

Note: Tor Browser 10.5 does not support CentOS 6.

The full changelog since Tor Browser 10.5a3 is:

• All Platforms
  • Update Tor to 0.4.5.1-alpha
  • Bug 40212: Add new default bridge "PraxedisGuerrero"
• Windows + OS X + Linux
  • Update Firefox to 78.5.0esr
• Android
  • Update Fenix to 83.1.0
  • Bug 27002: (Mozilla 1673237) Always allow SVGs on about: pages
  • Bug 40137: Built-in https-everywhere storage is not migrated to idb
  • Bug 40152: Top Crash: android.database.sqlite.SQLiteConstraintException
  • Bug 40205: Replace occurrence of EmptyCString with 0-length _ns literal
  • Bug 40206: Disable the /etc/hosts parser
  • Translations update
• Build System
  • OS X
    • Bug 40139: Set RANLIB in macOS tor build
  • Android
    • Bug 40211: Lower required build-tools version to 29.0.2
    • Bug 40126: Bump Node to 10.22.1 for mozilla83
    • Bug 40127: Update components for switch to mozilla83-based Fenix

Tor Browser 10.0.5 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 78.5.0esr and updates Tor to 0.4.4.6. This release includes important security updates to Firefox.

Note: Android Tor Browser 10.0.5 is delayed until next week. In the future, new Tor Browser versions for Android and Desktop should be published at the same time.

The full changelog since Tor Browser 10.0.4 (Desktop) is:

• Windows + OS X + Linux
  • Update Firefox to 78.5.0esr
  • Update Tor to 0.4.4.6
  • Bug 40212: Add new default obfs4 bridge

Tor Browser 10.5a3 for Desktop platforms is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

Tor Browser 10.5a3 updates NoScript to 11.1.5 and libevent to 2.1.12. This release includes important security updates to Firefox.

Note: Tor Browser 10.5 does not support CentOS 6.

The full changelog since Tor Browser 10.5a2 is:

• All Platforms
  • Update NoScript to 11.1.5
  • Bug 40022: EOY November Update - Matching
  • Bug 40064: Bump libevent to 2.1.12
  • Translations update
• Windows + OS X + Linux
  • Bug 27002: (Mozilla 1673237) Always allow SVGs on about: pages
  • Bug 40021: Keep page shown after Tor Browser update purple
  • Bug 40137: Migrate https-everywhere storage to idb
  • Bug 40219: Backport fix for Mozilla's bug 1675905
• Android
  • Pick up fix for Mozilla's bug 1675905 (with GeckoView 82.0.3)
  • Bug 40106: EOY November Update - Matching
• Build System
  • All Platforms
    • Bug 40079: Bump Go to 1.15.4
  • Windows + OS X + Linux
    • Bug 40133: Bump Rust version for ESR 78 to 1.43.0

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.4.6 on the download page. Packages should be available within the next several weeks, with a new Tor Browser likely next week.

We've also released 0.3.5.12 (changelog) and 0.4.3.7 (changelog) today. You can find the source for them at https://dist.torproject.org/, along with older releases.

Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- 005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay.

Changes in version 0.4.4.6 - 2020-11-12

• Major bugfixes (security, backport from 0.4.5.1-alpha):
  • When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. Resolves TROVE-2020-005.
• Minor features (directory authorities, backport from 0.4.5.1-alpha):
  • Authorities now list a different set of protocols as required and recommended. These lists have been chosen so that only truly recommended and/or required protocols are included, and so that clients using 0.2.9 or later will continue to work (even though they are not supported), whereas only relays running 0.3.5 or later will meet the requirements. Closes ticket 40162.
  • Make it possible to specify multiple ConsensusParams torrc lines. Now directory authority operators can for example put the main ConsensusParams config in one torrc file and then add to it from a different torrc file. Closes ticket 40164.

• Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
  • Tor no longer allows subprotocol versions larger than 63. Previously version numbers up to UINT32_MAX were allowed, which significantly complicated our code. Implements proposal 318; closes ticket 40133.
• Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
  • Fix a rendezvous cache unit test that was triggering an underflow on the global rend cache allocation. Fixes bug 40125; bugfix on 0.2.8.1-alpha.
  • Fix another rendezvous cache unit test that was triggering an underflow on the global rend cache allocation. Fixes bug 40126; bugfix on 0.2.8.1-alpha.
• Minor bugfixes (compilation, backport from 0.4.5.1-alpha):
  • Fix compiler warnings that would occur when building with "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
  • Resolve a compilation warning that could occur in test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.
• Minor bugfixes (logging, backport from 0.4.5.1-alpha):
  • Remove a debug logging statement that uselessly spammed the logs. Fixes bug 40135; bugfix on 0.3.5.0-alpha.
• Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
  • Avoid a fatal assert() when failing to create a listener connection for an address that was in use. Fixes bug 40073; bugfix on 0.3.5.1-alpha.
• Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
  • For HSFETCH commands on v2 onion services addresses, check the length of bytes decoded, not the base32 length. Fixes bug 34400; bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.

At the beginning of the Coronavirus pandemic, there wasn't much known about how people living in rural areas, forests, and near rivers would face this new situation. For people living in the world's cities, digital technologies were part of every decision made when considering how to address the pandemic. Still, communities that depend on forests for their livelihood and environmentalists who fight to protect forests from exploitation live with digital technology in different ways from residents of cities. As a result, the changes to daily life that these communities experienced were different.

It didn't take long for organizations worldwide to warn: loggers, land grabbers, and miners do not quarantine. In fact, according to The National Institute for Space Research (Inpe), logging in the Brazilian Amazon increased 63% in April, a month after the global pandemic had its start in the country. Along with the pandemic, Brazilian Amazonian communities face all kinds of challenges: from access to communications to the struggle for survival - and during the pandemic, a challenge was strengthened: the issues of fake news and secure communication between communities and third-party organizations.

Since July 2020, I've been working with the Tor Project as a Bertha Fellow to strengthen and promote digital security among individuals and organizations in the Amazonian region of Brazil,  where I work with the technological challenges of the people who live there fighting to protect forests: lack of internet access or unstable access; lack of telecommunication signals; limited or no variety in telecommunication service providers; lack of inexpensive devices and little availability to update systems due to poor internet access; fake news against movements and individuals, sometimes coming directly from the government; communications surveillance; little access to secure technologies and devices; little availability of alternative and secure services compared to commercial services, especially to store files and online meetings.

Still, some platforms can strengthen these people's security on the front lines against global warming. Due to the limited communications and internet signal, the people I work with often need to use VPN to access public wifi - one of the biggest challenges on these platforms is the language and availability of these tools for old devices. In other software, such as Veracrypt, the problem is the same since there is no translation and localization to Portuguese. Some other software is only produced for 64-bit computers. Due to limited access to resources, some machines used by organizations are still 32-bit; the same is true for applications that do not support or have severe problems on older or cheaper phones.  Because of these challenges, the people and organizations I work with can often be very creative about exchanging information when there is no access to the internet, and many are using Briar to circumvent this problem.

The use of Tor Browser came easily to them in terms of connectivity and the use of social media or email accounts. It's common sense that the Internet connection can be troubling in a place where there isn't much broadband available, but the needs for privacy and security surpass the challenges. Also, choosing the right app in Apple Store can be confusing due to many other applications using Tor's name to attract people.

Despite the challenges, organizations and individuals understand the need, and are willing to change their habits regarding digital security. Because they know that their safety is also the security of the forests, their territory, and, consequently, their lives.

Every year people from the Tor Project communities present the State of the Onion, a compilation of updates from our different projects, at conferences around the world. We use this opportunity to talk about highlights of the work we’ve accomplished during the year and what we are excited about in the upcoming year.

With COVID-19 pandemic this year, we didn’t have the chance to ‘tour’ our State of the Onion during any face-to-face conferences. So we decided to bring the State of the Onion to you in a special livestream on November 16 from 16:00 - 18:00 UTC.*

We have an awesome, comprehensive program this year, as we want to show off all the work that the Tor Project has been doing as well as highlight the work from people in our community. Isabela Bagueros, our executive director, will host this event and help to provide continuity for everything we’ll discuss.

* Show local time for the day-of the event.

Program

Part I — The Tor Project

Part II — Tor Community

We have also invited other projects who are part of the Tor community to present and share their updates.

The State of the Onion will be streamed on the Tor Project's YouTube, Facebook, and Twitter accounts.

You can join the conversation in two ways: use the Twitter hashtag #UseAMaskUseTor or by using the live chat feature on the YouTube stream.

This event is part of our year-end fundraising campaign. You can support the Tor Project's work to resist the surveillance pandemic by making a donation today. Your donation will be matched, 1:1, by Friends of Tor. We couldn't do the work we're sharing at this year's State of the Onion without your support!

Tor Browser 10.0.4 is now available from the Tor Browser download page and also from our distribution directory.

This release updates NoScript to 11.1.5 and includes an important security update to Firefox.

The full changelog since Tor Browser 10.0.2 (Desktop) is:

• Windows + OS X + Linux
  • Update NoScript to 11.1.5
  • Bug 40021: Keep page shown after Tor Browser update purple
  • Bug 40022: EOY November Update - Matching
  • Bug 40219: Backport Mozilla Bug 1675905
  • Translations update
• Build System
  • Windows + OS X + Linux
    • Update Go to 1.14.11
    • Bug 40141: Include "desktop" in signed tag

The full changelog since Tor Browser 10.0.3 (Android) is:

• Android
  • Update NoScript to 11.1.5
  • Bug 40022: EOY November Update - Matching
  • Bug 40106: EOY November Update - Matching
  • Bug 40219: Backport Mozilla Bug 1675905
  • Translations update
• Build System
  • Android
    • Update Go to 1.14.11
    • Bug 40141: Include "android" in signed tag

Starting today through December 31, every dollar donated to the Tor Project, up to $100,000, will be matched by Friends of Tor. That means that your donation will make double the impact. We’re able to offer this match because of generous folks in our community who believe in Tor, privacy online, and the work to resist the surveillance pandemic.

Make a donation today and your gift will be matched, 1:1.

Meet our friends who have generously come forward to make this match:

Aspiration connects nonprofit organizations, foundations and activists with free and open software solutions and technology skills that help them better carry out their missions. We want those working for social and racial justice to be able to find and use the best tools and practices available, so that they maximize their effectiveness and impact and, in turn, change the world. We also work with free and open source projects and communities in both support and partnership roles, advising and contributing on matters of strategy, sustainability, governance, community health, equity and diversity. We design and facilitate unique and collaborative nonprofit and FLOSS technology convenings, and have run almost 700 in over 50 countries as well as online over the past 16 years.

Wendy Seltzer is Strategy Lead and Counsel to the World Wide Web Consortium (W3C) at MIT, improving the Web's security, availability, and interoperability through standards. As a Fellow with Harvard's Berkman Klein Center for Internet & Society, Wendy founded the Lumen Project (formerly Chilling Effects Clearinghouse), the web's pioneering transparency report to measure the impact of legal takedown demands online. She seeks to improve technology policy in support of user-driven innovation and secure communication.

Jon Callas is a cryptographer, software engineer, user experience designer, and entrepreneur. Jon is the co-author of many crypto and security systems including OpenPGP, DKIM, ZRTP, Skein, and Threefish. Jon has co-founded several startups including PGP, Silent Circle, and Blackphone. Jon has worked on security, user experience, and encryption for Apple, Kroll-O'Gara, Counterpane, and Entrust. Before coming to the EFF, Jon was a technologist in the ACLU's Speech, Privacy, and Technology Project on issues including surveillance, encryption, machine learning, end-user security, and privacy. Jon is fond of Leica cameras, Morgan sports cars, and Birman cats. Jon's photographs have been used by Wired, CBS News, and The Guggenheim Museum.

Rabbi Rob Thomas is the founder and CEO of Team Cymru, and a member of the early generation of network defenders. He has worked at IBM, Sun, and Cisco, among others. During his career, Rabbi Rob has been a Unix kernel developer, ISP backbone engineer, security architect, and an adjunct professor. He was also the first individual member of FIRST (the Forum of Incident Response and Security Teams). Rabbi Rob took his first C programming class at age 12, and has been addicted to technology ever since. He and Team Cymru are long-time fans and supporters of the Tor Project.

We would also like to thank our dearest anonymous donors who collaborated to create this fund. This spot is dedicated to them as a small recognition of their support. As the Tor community knows, anonymity loves company, so why not join our anonymous donors and make a contribution, too? With their matching donation, your contribution has the double the impact.

Thank you to the generous Friends of Tor, and to all of our supporters! Please make your gift today, and your donation will be matched 1:1.

After many months of design and development we are very happy to announce the release of Tor Browser 10.0.3 for Android. This is the first Android Tor Browser version in the stable 10.0 series. The Desktop version was released at the end of September. We began working on this project in April 2020 with the goal of rebuilding the Android Tor Browser on top of Mozilla's new Android Firefox Browser, Fenix. Over the last six months, we successfully achieved this goal and we reached feature parity with the previous Android Tor Browser version.

This version is now available from the Tor Browser download page and also from our distribution directory.

Tor Browser 10.0.3 is based on Fenix 82.1.1, and upgrades Go to 1.14.10, NoScript to 1.1.4, OpenSSL to 1.1.1h, and Tor to 0.4.4.5. This release includes important security updates to Firefox.

Having achieved feature-parity with the previous Tor Browser for Android, we will continue working on closing the gap with Tor Browser for Desktop. That includes implementing the "Circuit Display" and "New Identity" features, as well as supporting the Onion-Location header and short ".tor.onion" URLs, among others. Stay tuned!

Over the last four months we adjusted our toolchains, finished our proxy audits, re-implemented the user interfaces, solved numerous build reproducibility bugs, and fixed a lot of issues we encountered due to the switch from Firefox 68esr to Fenix.

Give Feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know. Thanks to all of the teams across Tor, and the many volunteers, who contributed to this release.

Full Changelog

The full changelog since Tor Browser 9.5.4 is:

• Android
  • Update Fenix to 82.1.1
  • Update NoScript to 11.1.4
  • Update OpenSSL to 1.1.1h
  • Update Tor to 0.4.4.5
  • Bug 10394: Let Tor Browser update HTTPS Everywhere
  • Bug 11154: Disable TLS 1.0 (and 1.1) by default
  • Bug 16931: Sanitize the add-on blocklist update URL
  • Bug 17374: Disable 1024-DH Encryption by default
  • Bug 21601: Remove unused media.webaudio.enabled pref
  • Bug 30682: Disable Intermediate CA Preloading
  • Bug 30812: Exempt about: pages from Resist Fingerprinting
  • Bug 32886: Separate treatment of @media interaction features for desktop and android
  • Bug 33534: Review FF release notes from FF69 to latest (FF78)
  • Bug 33594: Disable telemetry collection (Glean)
  • Bug 33851: Patch out Parental Controls detection and logging
  • Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
  • Bug 33862: Fix usages of createTransport API
  • Bug 33962: Uplift patch for bug 5741 (dns leak protection)
  • Bug 34125: API change in protocolProxyService.registerChannelFilter
  • Bug 34338: Disable the crash reporter
  • Bug 34377: Port padlock states for .onion services
  • Bug 34378: Port external helper app prompting
  • Bug 34401: Re-design Connect screen on Android
  • Bug 34402: Re-design Network Settings Screen on Android
  • Bug 34403: UI changes for "Only Private Browsing Mode" on Android
  • Bug 34405: Re-design about:tor on Android
  • Bug 34406: Re-design onion indicators for Android
  • Bug 34407: Review all Fenix menu items
  • Bug 30605: Honor privacy.spoof_english
  • Bug 40001: Start Tor as part of the Fenix initialization
  • Bug 40001: Generate tor-browser-brand.ftl when importing translations
  • Bug 40002: Ensure system download manager is not used
  • Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils
  • Bug 40003: Adapt code for L10nRegistry API changes
  • Bug 40003: Block starting Tor when setup is not complete
  • Bug 40004: "Tor Browser" string is used instead of "Alpha"/"Nightly" for non en-US locales
  • Bug 40004: Fix noscript message passing for Firefox 79
  • Bug 40005: Modify WebExtensions Menu
  • Bug 40006: "Only Private Browsing Mode" on Android
  • Bug 40006: Add Security Level plumbing
  • Bug 40007: Port external helper app prompting
  • Bug 40007: Move SecurityPrefs initialization to the StartupObserver component
  • Bug 40008: Style fixes for 78
  • Bug 40009: Change the default search engines
  • Bug 40010: Verify Sentry is disabled
  • Bug 40011: Verify Leanplum is disabled
  • Bug 40011: Hide option for disallowing addons in private mode
  • Bug 40012: Verify Adjust is disabled
  • Bug 40013: Timestamp is embedded in extension manifest files
  • Bug 40013: Verify InstallReferrer is disabled
  • Bug 40014: Verify Google Ads ID is disabled
  • Bug 40014: Set correct default Security Level
  • Bug 40015: Modify Fenix Home Menu
  • Bug 40016: Modify Fenix Settings Menu
  • Bug 40016: Allow inheriting from AddonCollectionProvider
  • Bug 40017: Rebase android-components patches to 60
  • Bug 40017: Audit Firefox 68-78 diff for proxy issues
  • Bug 40018: Disable Push functionality
  • Bug 40019: Ensure missing Adjust token does not throw an exception
  • Bug 40019: Expose spoofEnglish pref
  • Bug 40020: Disable third-party cookies
  • Bug 40021: Force telemetry=false in Fennec settings migration
  • Bug 40022: Migrate tor security settings
  • Bug 40023: Stop Private Notification Service
  • Bug 40023: Rebase Tor Browser esr78 patches onto 80 beta
  • Bug 40024: Disable tracking protection by default
  • Bug 40026: Implement Security Level settings
  • Bug 40028: Implement bootstrapping and about:tor
  • Bug 40029: Rebase Fenix patches to 81.1.0b1
  • Bug 40030: Install https-everywhere and noscript addons
  • Bug 40031: Hide Mozilla-specific items on About page
  • Bug 40032: Disallow Cleartext Traffic
  • Bug 40034: Disable PWA
  • Bug 40035: Maybe hide Quick Start in release
  • Bug 40038: Review RemoteSettings for ESR 78
  • Bug 40039: Implement Bridge configuration from Connect screen
  • Bug 40040: Investigate why bootstrapping fails
  • Bug 40041: Implement Network settings
  • Bug 40042: Timestamp is embedded in extension manifest files
  • Bug 40044: Fixup Connect, Onboarding, and Home screens
  • Bug 40048: Disable various ESR78 features via prefs
  • Bug 40050: Rebase Fenix patches to Fenix 82
  • Bug 40053: Select your security settings panel on start page is confusing
  • Bug 40054: Search engines on mobile Tor Browser don't match the desktop ones
  • Bug 40058: Disabling/Enabling addon still shows option to disallow in private mode
  • Bug 40058: Hide option for disallowing addon in private mode
  • Bug 40061: Do not show "Send to device" in sharing menu
  • Bug 40062: HTTPS Everywhere is not shown as installed
  • Bug 40063: Do not sort search engines alphabetically
  • Bug 40064: Modify Nighty (and Debug) build variants
  • Bug 40066: Remove default bridge 37.218.240.34
  • Bug 40066: Update existing prefs for ESR 78
  • Bug 40067: Make date on Fenix about page reproducible
  • Bug 40068: Tor Service closes when changing theme
  • Bug 40069: Add helpers for message passing with extensions
  • Bug 40071: Show only supported locales
  • Bug 40072: Bug 40072: Disable Tracking Protection
  • Bug 40073: Use correct branding on About page
  • Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere
  • Bug 40073: Disable remote Public Suffix List fetching
  • Bug 40076: "Explore privately" not visible
  • Bug 40078: Crash at Android startup from background service
  • Bug 40082: Security level is reset when the app is killed
  • Bug 40082: Let JavaScript on safest setting handled by NoScript again
  • Bug 40083: Locale ordering in BuildConfig is non-deterministic
  • Bug 40087: Implement a switch for english locale spoofing
  • Bug 40088: Use Tor Browser logo in migration screen
  • Bug 40091: Load HTTPS Everywhere as a builtin addon
  • Bug 40093: Enable Quit menu button
  • Bug 40094: Do not use MasterPasswordTipProvider in HomeFragment
  • Bug 40095: Hide "Sign in to sync" in bookmarks
  • Bug 40095: Review Mozilla developer notes for 79-81 (including)
  • Bug 40096: Review closed Mozilla bugs between 79-81 (inclusive) for GeckoView
  • Bug 40097: Rebase browser patches to 81.0b1
  • Bug 40097: Bump allowed_addons.json
  • Bug 40098: Implement EOY home screen
  • Bug 40100: Resolve startup crashes in debug build
  • Bug 40112: Check that caching stylesheets per document group adheres to FPI
  • Bug 40119: Update Fenix dependencies for 81.1.2
  • Bug 40125: Geckoview: Expose security level interface
  • Bug 40133: Rebase tor-browser patches to 82.0b1
  • Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
  • Bug 40172: Security UI not updated for non-https .onion pages in Fenix
  • Bug 40173: Initialize security_slider in GeckoView at 4
  • Bug 40198: Expose privacy.spoof_english pref
  • Bug 40199: Avoid using system locale for intl.accept_languages
  • Translations update
• Build System
  • Android
    • Update Go to 1.14.10
    • Bug 33556: Add TBB project for android-components
    • Bug 33557: Update Android toolchain for Fenix
    • Bug 33558: Update tor-onion-proxy-library to use toolchain for Fenix
    • Bug 33559: Update tor-android-service to use toolchain for Fenix
    • Bug 33561: Update OpenSSL to use Android NDK 20
    • Bug 33563: Update Tor to use Android NDK 20
    • Bug 33564: Update ZSTD to use Android NDK 20
    • Bug 33626: Add project for GeckoView
    • Bug 33670: Update rbm.conf to match NDK 20
    • Bug 33801: Update Go project to use new Android toolchain
    • Bug 33833: Update Rust project to use Android NDK 20
    • Bug 33927: Add tor-browser-build project for fenix
    • Bug 33935: Fenix's classes5.dex files are not reproducible
    • Bug 33973: Create fat .aar for GeckoView
    • Bug 34011: Bump clang to 9.0.1
    • Bug 34012: Bump cbindgen to 0.14.3
    • Bug 34013: Bump Node to 10.21.0
    • Bug 34014: Enable sqlite3 support in Python
    • Bug 34101: Add tor-browser-build project for application-services
    • Bug 34163: testbuild target is broken for Tor Browser 64 bit
    • Bug 34187: Update zlib to use Android NDK 20
    • Bug 34360: Bump binutils version to 2.35.1
    • Bug 40010: Add nss project for application-services
    • Bug 40011: Add sqlcipher for application-services
    • Bug 40029: Clean-up all projects to remove fennec bits we don't need for fenix
    • Bug 40031: Add licenses for kcp-go and smux.
    • Bug 40039: Remove version_path in nss project
    • Bug 40040: Wire geckoview, application-services, android-components, and fenix together
    • Bug 40054: Adapt build.android script in tor-browser project for fenix
    • Bug 40055: Integrate building Glean in offline mode
    • Bug 40057: Include translations into build process in the fenix world
    • Bug 40058: Build Fenix with tor-android-service and tor-onion-proxy-library
    • Bug 40060: Set Fenix Version Name in build
    • Bug 40061: Remove Android SDK 28
    • Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1
    • Bug 40068: Bump versions for Fenix 81.1.0b1 dependencies
    • Bug 40072: Tor libraries are missing in final .apk after switch to 81.1.0b1
    • Bug 40076: Use our android-components repo on GitLab
    • Bug 40078: Bump Gradle version for Fenix to 6.5.1
    • Bug 40084: Generation of AndroidManifest.xml is not reproducible
    • Bug 40085+40086: classes.dex files are not reproducible in Fenix
    • Bug 40087: Deterministically add HTTPS Everywhere into omni.ja
    • Bug 40088+40117: Use MOZ_BUILD_DATE for extension manifest timestamps
    • Bug 40093: Ensure application-services libs do not include libc networking symbols
    • Bug 40094: Aarch64 fenix rust cross-compilation fails
    • Bug 40095: The pattern for the apk variable in build.android is matching too much
    • Bug 40097: Update toolchain for Fenix 82
    • Bug 40101: Pick up Fenix 81.1.1
    • Bug 40105: Enhance Gradle dependency script (sort deterministically and exclude .module files)
    • Bug 40106: Support using geckoview as well
    • Bug 40108: android-components does not bundle tooling-glean-gradle archive, only .pom file
    • Bug 40113: Nightly Android should use Nightly branding
    • Bug 40115: Update components for switch to mozilla82-based Fenix
    • Bug 40121: Use updated glean_parser for application-services as well
    • Bug 40124: Remove unused torbrowser-android-all (and related) targets
    • Bug 40125: Remove fenix-* projects
    • Bug 40129: application-services is missing rustc in PATH
    • Bug 40130: More mobile clean-up

There's a new alpha release available for download. If you build Tor from source, you can download the source code for Tor 0.4.5.1-alpha from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time this month, assuming we get #40172 figured out.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual. We'll be trying to put out putting out stable backport releases in the next week or so.

Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It improves support for IPv6, address discovery and self-testing, code metrics and tracing.

This release also fixes TROVE-2020-005, a security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay. To mount this attack, the adversary would need to actively extend circuits to an incorrect address, as well as compromise a relay's legacy RSA-1024 key. We'll be backporting this fix to other release series soon, after it has had some testing.

Here are the changes since 0.4.4.5.

Changes in version 0.4.5.1-alpha - 2020-11-01

• Major features (build):
  • When building Tor, first link all object files into a single static library. This may help with embedding Tor in other programs. Note that most Tor functions do not constitute a part of a stable or supported API: only those functions in tor_api.h should be used if embedding Tor. Closes ticket 40127.
• Major features (metrics):
  • Introduce a new MetricsPort which exposes, through an HTTP interface, a series of metrics that tor collects at runtime. At the moment, the only supported output format is Prometheus data model. Closes ticket 40063. See the manual page for more information and security considerations.

• Major features (relay, IPv6):
  • The torrc option Address now supports IPv6. This unifies our address discovery interface to support IPv4, IPv6, and hostnames. Closes ticket 33233.
  • Launch IPv4 and IPv6 ORPort self-test circuits on relays and bridges. Closes ticket 33222.
  • Relays now automatically bind on IPv6 for their ORPort, unless specified otherwise with the IPv4Only flag. Closes ticket 33246.
  • When a relay with IPv6 support is told to open a connection to another relay, and the extend cell lists both IPv4 and IPv6 addresses, the first relay now picks randomly which address to use. Closes ticket 33220.
  • Relays now track their IPv6 ORPort reachability separately from the reachability of their IPv4 ORPort. They will not publish a descriptor unless _both_ ports appear to be externally reachable. Closes ticket 34067.
• Major features (tracing):
  • Add event-tracing library support for USDT and LTTng-UST, and a few tracepoints in the circuit subsystem. More will come incrementally. This feature is compiled out by default: it needs to be enabled at configure time. See documentation in doc/HACKING/Tracing.md. Closes ticket 32910.
• Major bugfixes (security):
  • When completing a channel, relays now check more thoroughly to make sure that it matches any pending circuits before attaching those circuits. Previously, address correctness and Ed25519 identities were not checked in this case, but only when extending circuits on an existing channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. Resolves TROVE-2020-005.
• Major bugfixes (TLS, buffer):
  • When attempting to read N bytes on a TLS connection, really try to read all N bytes. Previously, Tor would stop reading after the first TLS record, which can be smaller than the N bytes requested, and not check for more data until the next mainloop event. Fixes bug 40006; bugfix on 0.1.0.5-rc.
• Minor features (address discovery):
  • If no Address statements are found, relays now prioritize guessing their address by looking at the local interface instead of the local hostname. If the interface address can't be found, the local hostname is used. Closes ticket 33238.
• Minor features (admin tools):
  • Add a new --format argument to -key-expiration option to allow specifying the time format of the expiration date. Adds Unix timestamp format support. Patch by Daniel Pinto. Closes ticket 30045.
• Minor features (bootstrap reporting):
  • When reporting bootstrapping status on a relay, do not consider connections that have never been the target of an origin circuit. Previously, all connection failures were treated as potential bootstrapping failures, including connections that had been opened because of client requests. Closes ticket 25061.
• Minor features (build):
  • When running the configure script, try to detect version mismatches between the OpenSSL headers and libraries, and suggest that the user should try "--with-openssl-dir". Closes 40138.
  • If the configure script has given any warnings, remind the user about them at the end of the script. Related to 40138.
• Minor features (configuration):
  • Allow using wildcards (* and ?) with the %include option on configuration files. Closes ticket 25140. Patch by Daniel Pinto.
  • Allow the configuration options EntryNodes, ExcludeNodes, ExcludeExitNodes, ExitNodes, MiddleNodes, HSLayer2Nodes and HSLayer3Nodes to be specified multiple times. Closes ticket 28361. Patch by Daniel Pinto.
• Minor features (control port):
  • Add a DROPTIMEOUTS command to drop circuit build timeout history and reset the current timeout. Closes ticket 40002.
  • When a stream enters the AP_CONN_STATE_CONTROLLER_WAIT status, send a control port event. Closes ticket 32190. Patch by Neel Chauhan.
  • Introduce GETINFO "stats/ntor/{assigned/requested}" and "stats/tap/{assigned/requested}" to get the NTor and TAP circuit onion handshake counts respectively. Closes ticket 28279. Patch by Neel Chauhan.
• Minor features (control port, IPv6):
  • Tor relays now try to report to the controller when they are launching an IPv6 self-test. Closes ticket 34068.
  • Introduce "GETINFO address/v4" and "GETINFO address/v6" in the control port to fetch the Tor host's respective IPv4 or IPv6 address. We keep "GETINFO address" for backwards-compatibility. Closes ticket 40039. Patch by Neel Chauhan.
• Minor features (directory authorities):
  • Authorities now list a different set of protocols as required and recommended. These lists have been chosen so that only truly recommended and/or required protocols are included, and so that clients using 0.2.9 or later will continue to work (even though they are not supported), whereas only relays running 0.3.5 or later will meet the requirements. Closes ticket 40162.
  • Add a new consensus method 30 that removes the unnecessary "=" padding from ntor-onion-key. Closes ticket 7869. Patch by Daniel Pinto.
  • Directory authorities now reject descriptors from relays running Tor versions from the obsolete 0.4.1 series. Resolves ticket 34357. Patch by Neel Chauhan.
  • Make it possible to specify multiple ConsensusParams torrc lines. Now directory authority operators can for example put the main ConsensusParams config in one torrc file and then add to it from a different torrc file. Closes ticket 40164.
  • The AssumeReachable option no longer stops directory authorities from checking whether other relays are running. A new AuthDirTestReachability option can be used to disable these checks. Closes ticket 34445.
  • When looking for possible Sybil attacks, also consider IPv6 addresses. Two routers are considered to have "the same" address by this metric if they are in the same /64 network. Patch from Maurice Pibouin. Closes ticket 7193.
• Minor features (directory authorities, IPv6):
  • Make authorities add their IPv6 ORPort (if any) to the trusted servers list. Authorities previously added only their IPv4 addresses. Closes ticket 32822.
• Minor features (ed25519, relay):
  • Save a relay's base64-encoded ed25519 identity key to the data directory in a file named fingerprint-ed25519. Closes ticket 30642. Patch by Neel Chauhan.
• Minor features (heartbeat):
  • Include the total number of inbound and outbound IPv4 and IPv6 connections in the heartbeat message. Closes ticket 29113.
• Minor features (IPv6, ExcludeNodes):
  • Handle IPv6 addresses in ExcludeNodes; previously they were ignored. Closes ticket 34065. Patch by Neel Chauhan.
• Minor features (logging):
  • Add the running glibc version to the log, and the compiled glibc version to the library list returned when using --library-versions. Patch from Daniel Pinto. Closes ticket 40047.
  • Consider an HTTP 301 response to be an error (like a 404) when processing a directory response. Closes ticket 40053.
  • Log directory fetch statistics as a single line. Closes ticket 40159.
  • Provide more complete descriptions of our connections when logging about them. Closes ticket 40041.
  • When describing a relay in the logs, we now include its ed25519 identity. Closes ticket 22668.
• Minor features (onion services):
  • Only overwrite an onion service's existing hostname file if its contents are wrong. This enables read-only onion-service directories. Resolves ticket 40062. Patch by Neel Chauhan.
• Minor features (pluggable transports):
  • Add an OutboundBindAddressPT option to allow users to specify which IPv4 and IPv6 address pluggable transports should use for outgoing IP packets. Tor does not have a way to enforce that the pluggable transport honors this option, so each pluggable transport needs to implement support on its own. Closes ticket 5304.
• Minor features (relay address tracking):
  • We now store relay addresses for OR connections in a more logical way. Previously we would sometimes overwrite the actual address of a connection with a "canonical address", and then store the "real address" elsewhere to remember it. We now track the "canonical address" elsewhere for the cases where we need it, and leave the connection's address alone. Closes ticket 33898.
• Minor features (relay):
  • If a relay is unable to discover its address, attempt to learn it from the NETINFO cell. Closes ticket 40022.
  • Log immediately when launching a relay self-check. Previously we would try to log before launching checks, or approximately when we intended to launch checks, but this tended to be error-prone. Closes ticket 34137.
• Minor features (relay, address discovery):
  • If Address option is not found in torrc, attempt to learn our address with the configured ORPort address if any. Closes ticket 33236.
• Minor features (relay, IPv6):
  • Add an AssumeReachableIPv6 option to disable self-checking IPv6 reachability. Closes part of ticket 33224.
  • Add new "assume-reachable" and "assume-reachable-ipv6" consensus parameters to be used in an emergency to tell relays that they should publish even if they cannot complete their ORPort self- checks. Closes ticket 34064 and part of 33224.
  • Allow relays to send IPv6-only extend cells. Closes ticket 33222.
  • Declare support for the Relay=3 subprotocol version. Closes ticket 33226.
  • When launching IPv6 ORPort self-test circuits, make sure that the second-last hop can initiate an IPv6 extend. Closes ticket 33222.
• Minor features (specification update):
  • Several fields in microdescriptors, router descriptors, and consensus documents that were formerly optional are now required. Implements proposal 315; closes ticket 40132.
• Minor features (state management):
  • When loading the state file, remove entries from the statefile that have been obsolete for a long time. Ordinarily Tor preserves unrecognized entries in order to keep forward-compatibility, but these entries have not actually been used in any release since before 0.3.5.x. Closes ticket 40137.
• Minor features (statistics, ipv6):
  • Relays now publish IPv6-specific counts of single-direction versus bidirectional relay connections. Closes ticket 33264.
  • Relays now publish their IPv6 read and write statistics over time, if statistics are enabled. Closes ticket 33263.
• Minor features (subprotocol versions):
  • Tor no longer allows subprotocol versions larger than 63. Previously version numbers up to UINT32_MAX were allowed, which significantly complicated our code. Implements proposal 318; closes ticket 40133.
  • Use the new limitations on subprotocol versions due to proposal 318 to simplify our implementation. Part of ticket 40133.
• Minor features (testing configuration):
  • The TestingTorNetwork option no longer implicitly sets AssumeReachable to 1. This change allows us to test relays' self- testing mechanisms, and to test authorities' relay-testing functionality. Closes ticket 34446.
• Minor features (testing):
  • Added unit tests for channel_matches_target_addr_for_extend(). Closes Ticket 33919. Patch by MrSquanchee.
• Minor features (tests, v2 onion services):
  • Fix a rendezvous cache unit test that was triggering an underflow on the global rend cache allocation. Fixes bug 40125; bugfix on 0.2.8.1-alpha.
  • Fix another rendezvous cache unit test that was triggering an underflow on the global rend cache allocation. Fixes bug 40126; bugfix on 0.2.8.1-alpha.
• Minor bugfixes (circuit padding):
  • When circpad_send_padding_cell_for_callback is called, `is_padding_timer_scheduled` flag was not reset. Now it is set to 0 at the top of that function. Fixes bug 32671; bugfix on 0.4.0.1-alpha.
  • Add a per-circuit padding machine instance counter, so we can differentiate between shutdown requests for old machines on a circuit. Fixes bug 30992; bugfix on 0.4.1.1-alpha.
  • Add the ability to keep circuit padding machines if they match a set of circuit states or purposes. This allows us to have machines that start up under some conditions but don't shut down under others. We now use this mask to avoid starting up introduction circuit padding again after the machines have already completed. Fixes bug 32040; bugfix on 0.4.1.1-alpha.
• Minor bugfixes (compatibility):
  • Strip '\r' characters when reading text files on Unix platforms. This should resolve an issue where a relay operator migrates a relay from Windows to Unix, but does not change the line ending of Tor's various state files to match the platform, and the CRLF line endings from Windows end up leaking into other files such as the extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.
• Minor bugfixes (compilation):
  • Fix compiler warnings that would occur when building with "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
  • Resolve a compilation warning that could occur in test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.
• Minor bugfixes (configuration):
  • Fix bug where %including a pattern ending with */ would include files and folders (instead of folders only) in versions of glibc < 2.19. Fixes bug 40141; bugfix on 0.4.5.0-alpha-dev. Patch by Daniel Pinto.
• Minor bugfixes (control port):
  • Make sure we send the SOCKS request address in relay begin cells when a stream is attached with the purpose CIRCUIT_PURPOSE_CONTROLLER. Fixes bug 33124; bugfix on 0.0.5. Patch by Neel Chauhan.
• Minor bugfixes (logging):
  • Remove a debug logging statement that uselessly spammed the logs. Fixes bug 40135; bugfix on 0.3.5.0-alpha.
  • When logging a rate-limited message about how many messages have been suppressed in the last N seconds, give an accurate value for N, rounded up to the nearest minute. Previously we would report the size of the rate-limiting interval, regardless of when the messages started to occur. Fixes bug 19431; bugfix on 0.2.2.16-alpha.
• Minor bugfixes (relay configuration, crash):
  • Avoid a fatal assert() when failing to create a listener connection for an address that was in use. Fixes bug 40073; bugfix on 0.3.5.1-alpha.
• Minor bugfixes (rust, protocol versions):
  • Declare support for the onion service introduction point denial of service extensions when building with Rust. Fixes bug 34248; bugfix on 0.4.2.1-alpha.
  • Make Rust protocol version support checks consistent with the undocumented error behavior of the corresponding C code. Fixes bug 34251; bugfix on 0.3.3.5-rc.
• Minor bugfixes (self-testing):
  • When receiving an incoming circuit, only accept it as evidence that we are reachable if the declared address of its channel is the same address we think that we have. Otherwise, it could be evidence that we're reachable on some other address. Fixes bug 20165; bugfix on 0.1.0.1-rc.
• Minor bugfixes (spec conformance):
  • Use the correct key type when generating signing->link certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha.
• Minor bugfixes (subprotocol versions):
  • Consistently reject extra commas, instead of only rejecting leading commas. Fixes bug 27194; bugfix on 0.2.9.4-alpha.
  • In summarize_protover_flags(), treat empty strings the same as NULL. This prevents protocols_known from being set. Previously, we treated empty strings as normal strings, which led to protocols_known being set. Fixes bug 34232; bugfix on 0.3.3.2-alpha. Patch by Neel Chauhan.
• Minor bugfixes (v2 onion services):
  • For HSFETCH commands on v2 onion services addresses, check the length of bytes decoded, not the base32 length. Fixes bug 34400; bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.
• Code simplification and refactoring:
  • Add and use a set of functions to perform down-casts on constant connection and channel pointers. Closes ticket 40046.
  • Refactor our code that logs descriptions of connections, channels, and the peers on them, to use a single call path. This change enables us to refactor the data types that they use, and eliminates many confusing usages of those types. Closes ticket 40041.
  • Refactor some common node selection code into a single function. Closes ticket 34200.
  • Remove the now-redundant 'outbuf_flushlen' field from our connection type. It was previously used for an older version of our rate-limiting logic. Closes ticket 33097.
  • Rename "fascist_firewall_*" identifiers to "reachable_addr_*" instead, for consistency with other code. Closes ticket 18106.
  • Rename functions about "advertised" ports which are not in fact guaranteed to return the ports that have been advertised. Closes ticket 40055.
  • Split implementation of several command line options from options_init_from_torrc into smaller isolated functions. Patch by Daniel Pinto. Closes ticket 40102.
  • When an extend cell is missing an IPv4 or IPv6 address, fill in the address from the extend info. This is similar to what was done in ticket 33633 for ed25519 keys. Closes ticket 33816. Patch by Neel Chauhan.
• Deprecated features:
  • The "non-builtin" argument to the "--dump-config" command is now deprecated. When it works, it behaves the same as "short", which you should use instead. Closes ticket 33398.
• Documentation:
  • Replace URLs from our old bugtracker so that they refer to the new bugtracker and wiki. Closes ticket 40101.
• Removed features:
  • We no longer ship or build a "tor.service" file for use with systemd. No distribution included this script unmodified, and we don't have the expertise ourselves to maintain this in a way that all the various systemd-based distributions can use. Closes ticket 30797.
  • We no longer ship support for the Android logging API. Modern versions of Android can use the syslog API instead. Closes ticket 32181.
  • The "optimistic data" feature is now always on; there is no longer an option to disable it from the torrc file or from the consensus directory. Closes part of 40139.
  • The "usecreatefast" network parameter is now removed; there is no longer an option for authorities to turn it off. Closes part of 40139.
• Testing:
  • Add unit tests for bandwidth statistics manipulation functions. Closes ticket 33812. Patch by MrSquanchee.
• Code simplification and refactoring (autoconf):
  • Remove autoconf checks for unused funcs and headers. Closes ticket 31699; Patch by @bduszel
• Code simplification and refactoring (maintainer scripts):
  • Disable by default the pre-commit hook. Use the environment variable TOR_EXTRA_PRE_COMMIT_CHECKS in order to run it. Furthermore, stop running practracker in the pre-commit hook and make check-local. Closes ticket 40019.
• Code simplification and refactoring (relay address):
  • Most of IPv4 representation was using "uint32_t". It has now been moved to use the internal "tor_addr_t" interface instead. This is so we can properly integrate IPv6 along IPv4 with common interfaces. Closes ticket 40043.
• Documentation (manual page):
  • Move them from doc/ to doc/man/. Closes ticket 40044.
  • Describe the status of the "Sandbox" option more accurately. It is no longer "experimental", but it _is_ dependent on kernel and libc versions. Closes ticket 23378.
• Documentation (tracing):
  • Document in depth the circuit subsystem trace events in the new doc/tracing/EventsCircuit.md. Closes ticket 40036.

Android Tor Browser 10.0a9 is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

We are happy to announce the second alpha version for Android users based on Fenix 82.

Tor Browser 10.0a9 ships with Fenix 82.1.1 (see Mozilla's blog post for more information about this new browser). As this is the second alpha version based on Fenix we expect more bugs than usual. Please report them (with steps to reproduce), either here or on Gitlab, or essentially with any other means that would reach us. We are in particular interested in potential proxy bypasses which our proxy audit missed. This version is expected to be the last alpha release before Tor Browser 10.0 is considered stable on Android.

The full changelog since Tor Browser 10.0a8 is:

• Android
  • Update Fenix to 82.1.1
  • Update NoScript to 11.1.3
  • Update OpenSSL to 1.1.1h
  • Bug 30605: Honor privacy.spoof_english
  • Bug 40003: Block starting Tor when setup is not complete
  • Bug 40004: "Tor Browser" string is used instead of "Alpha"/"Nightly" for non en-US locales
  • Bug 40016: Allow inheriting from AddonCollectionProvider
  • Bug 40017: Rebase android-components patches to 60
  • Bug 40019: Expose spoofEnglish pref
  • Bug 40020: Disable third-party cookies
  • Bug 40021: Force telemetry=false in Fennec settings migration
  • Bug 40022: Migrate tor security settings
  • Bug 40023: Stop Private Notification Service
  • Bug 40024: Disable tracking protection by default
  • Bug 40050: Rebase Fenix patches to Fenix 82
  • Bug 40053: Select your security settings panel on start page is confusing
  • Bug 40058: Disabling/Enabling addon still shows option to disallow in private mode
  • Bug 40062: HTTPS Everywhere is not shown as installed
  • Bug 40068: Tor Service closes when changing theme
  • Bug 40071: Show only supported locales
  • Bug 40073: Use correct branding on About page
  • Bug 40076: "Explore privately" not visible
  • Bug 40078: Crash at Android startup from background service
  • Bug 40082: Security level is reset when the app is killed
  • Bug 40083: Locale ordering in BuildConfig is non-deterministic
  • Bug 40087: Implement a switch for english locale spoofing
  • Bug 40088: Use Tor Browser logo in migration screen
  • Bug 40094: Do not use MasterPasswordTipProvider in HomeFragment
  • Bug 40095: Hide "Sign in to sync" in bookmarks
  • Bug 40097: Bump allowed_addons.json
  • Bug 40133: Rebase tor-browser patches to 82.0b1
  • Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
  • Bug 40198: Expose privacy.spoof_english pref
  • Bug 40199: Avoid using system locale for intl.accept_languages
  • Translations update
• Build System
  • Android
    • Update Go to 1.14.10
    • Bug 34360: Bump binutils version to 2.35.1
    • Bug 40097: Update toolchain for Fenix 82
    • Bug 40108: Package tooling-glean-gradle archive, too
    • Bug 40115: Update components for switch to mozilla82-based Fenix
    • Bug 40121: Use updated glean_parser for application-services as well
    • Bug 40124: Remove unused torbrowser-android-all (and related) targets
    • Bug 40125: Remove fenix-* projects
    • Bug 40129: application-services is missing rustc in PATH
    • Bug 40130: More mobile clean-up

Update October 27: Limited-edition Tor masks are now available. Make a donation of $50 between now and December 31, 2020, and get yours.

As many friends and followers of Tor know by now, we spend the final weeks of each year asking for your help as part of our year-end fundraising campaign. This year hasn't been a normal year at all, not for Tor and not for the rest of the world. 

In many ways, 2020 has put the dangers of a centralized, surveillance-driven internet into even clearer focus. The pandemic has changed most of our lives dramatically. Many of us have shifted more of our work, socialization, shopping, medical care, and schooling online. We’ve seen governments and corporations roll out new surveillance technology, like tools to watch students while they take tests, tech to spy on workers, and contact tracing mechanisms that will change our world long after the pandemic is over.

In the face of this widespread hardship, people all around the world have also demonstrated enormous gestures of solidarity and mutual-aid, and millions of people have risen in defense of Black lives in the U.S. and around the world.

For our 2020 campaign, we wanted a theme that conveys a positive message and speaks to the power of this kind of community action. That’s why we decided on the theme Use a Mask, Use Tor. There is a lot of meaning and intention behind this slogan. Use a mask, use Tor promotes the positive steps we can all take to combat the virus by using masks. Wearing a mask protects others. Wearing a mask is about caring about each other, our community.

In the same way, when using Tor, you are not only protecting your identity and privacy online, but you are also helping to hide others who are using Tor. After all, anonymity loves company.  

To put it simply, using a mask keeps yourself and your communities safe in person. Using Tor keeps yourself and your communities safe online. Both tools help to conceal your identity, can break systems of surveillance, and their widespread use can promote the health of communities while undermining the power of systems bent on dividing us. Using a mask and using Tor helps us stand in solidarity with one another.

Now is the time we ask you to stand with Tor. We believe it IS possible to resist the surveillance pandemic. Your support makes this mission a reality. In 2021, we are taking some big steps, including: 

• Improving speed and user-perceptible performance on the Tor network, particularly for people who are connecting on mobile devices with slow connections and limited data. 
• Providing more support to the relay operator community.
• Bringing more censorship circumvention tools to mobile devices and making this experience more seamless for users.
• Making it easier for any developer to embed Tor in their mobile app.
• Continue our work in UX research, metrics, network health, onion services, and Tor Browser for desktop. 

The Tor Project is a 501(3) nonprofit, and your support at this time is critical for our success in the coming year. Use a mask, Use Tor. Donate today and fight the surveillance pandemic.

Every donation made from now through the end of 2020 will count towards our year-end campaign. Be on the lookout for events, giveaways, and new merch available from now until December 31. And don’t forget: use a mask, use Tor.

Tor Browser 10.5a2 for Desktop platforms is now available from the Tor Browser Alpha download page and also from our distribution directory.

Note: This is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

Tor Browser 10.5a2 ships with Firefox 78.4.0esr, updates NoScript to 11.1.3, and OpenSSL to 1.1.1h. This release includes important security updates to Firefox.

Note: Tor Browser 10.5 does not support CentOS 6.

Note: We encountered updater issues for all alpha users that have been auto-updating the alpha series for months. We changed the accepted MAR channel ID to torbrowser-torproject-alpha as we are on an alpha channel. The assumption was that enough time passed since we changed it last time to torbrowser-torproject-release,torbrowser-torproject-alpha but it turns out that change did not get applied. Workaround: change the torbrowser-torproject-release in your update-settings.ini (in the Browser's code directory, which depends on you operating system) file to torbrowser-torproject-alpha and the update should get applied successfully. Alternatively, downloading a fresh alpha copy of Tor Browser works as well. Sorry for the inconvenience.

Note: Now Javascript on the Safest security level is governed by NoScript again. It was set as false when on Safest in 9.5a9. The javascript.enabled preference was reset to true beginning in Tor Browser 10.5a1 for everyone using Safest and you must re-set it as false if that is your preference.

The full changelog since Tor Browser 10.5a1 is:

• Windows + OS X + Linux
  • Update Firefox to 78.4.0esr
  • Update NoScript to 11.1.3
  • Update OpenSSL to 1.1.1h
  • Update Tor Launcher to 0.2.26
    • Translations update
  • Bug 31767: Avoid using intl.locale.requested preference directly
  • Bug 33954: Consider different approach for Bug 2176
  • Bug 40011: Rename tor-browser-brand.ftl to brand.ftl
  • Bug 40012: Fix about:tor not loading some images in 82
  • Bug 40013: End of year 2020 Fundraising campaign
  • Bug 40016: Fix onion pattern for LTR locales
  • Bug 40139: Update Onboarding icon for 10.0
  • Bug 40148: Disable Picture-in-Picture until we investigate and possibly fix it
  • Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
  • Bug 40192: Backport Mozilla Bug 1658881
  • Translations update
• Windows
  • Bug 40140: Videos stop working with Tor Browser 10.0 on Windows
• Build System
  • Windows + OS X + Linux
    • Update Go to 1.14.10
    • Bug 40104: Use our TMPDIR when creating our .mar files
  • Linux
    • Bug 40118: Add missing libdrm dev package to firefox container
  • Windows
    • Bug 34360: Bump binutils to 2.35.1
    • Bug 40051: Remove SOURCE_DATE_EPOCH patch
    • Bug 40131: Remove unused binutils patches