The Tor Project
Dedham, MA

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

The Tor Project is a 501(c)3 organization.

Latest News

Mar 04, 2015

Welcome to the ninth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 4.0.4 and 4.5-alpha-4 are out

The Tor Browser team announced new releases in the stable and alpha branches of the privacy-preserving browser. Version 4.0.4 contains updates to the bundled versions of Firefox, OpenSSL, HTTPS-Everywhere and NoScript (disabling the new NoScript option to make temporary permissions permanent); it also prevents meek from issuing a second update notification.

Meanwhile, following on from the recent Tor UX sprint, version 4.5-alpha-4 incorporates many interface improvements designed to make life easier for Tor users. The connection configuration wizard has been reordered to avoid confusion between network proxies and bridge relays, while a reorganized Torbutton menu now offers a “New circuit for this site” option that removes the need for the user to close all open pages in order to change circuits for one destination. If users do decide to use the “New identity” option, they will now be warned that this involves losing currently-open tabs and windows.

Please see the announcements for full details of the changes, as well as instructions for download and verification.

Reddit donates $82,765.95 to The Tor Project, Inc.

One year ago, the online community Reddit announced that it would be donating 10% of its advertising revenue in 2014 to ten non-profits, to be selected by the Reddit community. Voting took place over the last week, and The Tor Project, Inc. placed tenth in the final ranking, in good company with other charities like the Electronic Frontier Foundation, Wikimedia Foundation, and the Free Software Foundation, each of which is eligible for a $82,765.95 donation.

Community donations like this are a big step on the way to solving the problem of overreliance on single funding streams — often from national governments — that affects open-source security projects, as recently discussed by Jillian York of the Electronic Frontier Foundation (who came first in Reddit’s donation drive). Many thanks to Reddit (the company) and Reddit (the community) for their magnificent gesture of support for privacy and anonymity online — and if you’d like to join them, please take a look at the Tor Project website for ways to contribute!

2015 Winter Tor meeting

A group of around 70 dedicated Tor contributors is meeting this week in Valencia, Spain to discuss plans, milestones, deadlines, and other important matters.

This meeting is kindly hosted together with the OpenITP circumvention tech festival with public outreach and community events joined or co-hosted by Tor members.

Notes are available from the sessions happening on Monday and Tuesday for those who couldn’t make it this time.

Monthly status reports for February 2015

The wave of regular monthly reports from Tor project members for the month of February has begun. Juha Nurmi released his report first, followed by reports from Nick Mathewson, Philipp Winter, Georg Koppen, Sherief Alaa, Pearl Crescent, and Damian Johnson.

Mike Perry reported on behalf of the Tor Browser team.

Miscellaneous news

George Kadianakis reports preliminary results from "a project to study and quantify hidden services traffic." George emphasizes that they "are collecting data from just a few volunteer relays" and that "extrapolating from such a small sample is difficult." Taken with a grain of salt, they "estimate that about 30,000 hidden services announce themselves to the Tor network every day, using about 5 terabytes of data daily." They "also found that hidden service traffic is about 3.4% of total Tor traffic." George, together with Karsten Loesing, wrote a short technical report with more details on their results and methods.

Nick Mathewson announces an important step in stabilizing the Tor 0.2.6.x release series: all work on that series will proceed on the “maint-0.2.6” branch, while work on the next release series 0.2.7.x will happen on the “master” branch. This step allows developers to focus on one branch for fixing bugs and another branch for developing new features.

This issue of Tor Weekly News has been assembled by Harmony, Karsten Loesing, and qbi.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Mar 03, 2015

Hi, all! We've begun the feature-freeze for Tor 0.2.6, so we know with pretty high probability what new features and changes will be in the next stable release. The ChangeLog and ReleaseNotes files will have a pretty comprehensive overview of what changed since 0.2.5, but I thought I'd like to write up some better descriptions of the major changes.

AF_UNIX socket support for clients and hidden services

This is going to help developers of applications that use Tor make their designs more secure. On Unix and OS X, applications can bind to objects in the file namespace and use them as if they were network connections. Now, Tor can receive connections and make connections to local hidden service applications over this mechanism. That's pretty cool, because it means that integrators can prevent other applications from using the network at all, to ensure that they never make connections that don't go through Tor. Maybe we could use this eventually to turn off networking in Tor Browser entirely on OSX and Unix.

(Sorry, no Windows NamedPipe support yet. That would be cool for a future version, but it'll require some major hacks in our network stack.)

Jake, Andrea, David and I have all worked on the implementation here; it ended up being pretty elegant.

More info: #12585, #11485, #14451.

Faster cpuworker design

We want to use multithreading to spread Tor's cryptography across more cores, but one challenge in doing so has been that our old code for dividing work across multiple cores was written 12 years ago, and designed to accommodate systems that didn't support threading at all. To support no-threading builds, we allowed the CPU workers to be processes instead of threads, and we always communicated with workers over a socket pair.

No-threading systems are no longer relevant, though, and we can totally do better now. We now have a nice simple condition-and-queue based thread pool.

More info: #9682.

Much more testing

In 0.2.5, we introduced a practice of requiring high test coverage for all new or modified code whenever possible. This is continuing to bear fruit for us: We've had fewer weird undiagnosable bugs around this time than previously.

We've also added more external testing: The "make test-stem" target can run the Stem unit tests on Tor to make sure they pass.

Also, a few volunteers have stepped up to contribute to our testing infrastructure. Now test-networks can start in seconds, not minutes. This has already encouraged me to run the network tests more frequently.

Improved circuit scheduler

In older versions of Tor, we used a priority-based scheduler on each connection to decide which circuits to relay traffic for. But connections were scheduled individually rather than globally. That meant that even though the most appropriate circuit got attention on each connection, we might write to connections that did not contain the most important circuit.

(To improve latency, we prefer circuits that have not sent many cells recently.)

Now, thanks to ticket #9262, we have an improved, "global" circuit scheduler. Tor relays now consider all circuits on all connections that are ready to write at once. This is not expected to yield immediate performance improvements, but once the KIST scheduler is deployed, it should lead to lower latency for more connections.

(Kudos go to Andrea for her software engineering skills here: since we've merged it, it has actually *worked*. That's impressive for a thing of this complexity.)

More info: #9262

Even better support for AutomapHostsOnResolve

We've got a cool "AutomapHostsOnResolve" feature for DNSPort users where, when you ask Tor to resolve an address that doesn't have an IP (such as for a hidden service), it can instead give you a temporary IP address (like or fcf0:1234:9312:1111:2222:9803:1bda:20ef), and treat later connections to that address as if they were to the original address.

This feature has had some longstanding warts, though. It didn't always work with IPv6; it interacted weirdly with MapAddress, and it tended to reset itself if you changed the configuration. Worse, it was in one of our messiest functions, so making changes to it was a bit difficult.

In 0.2.6, we've fixed that code (!) I hope, made the feature more robust, cleaned up the function that implements it, and written a bunch of tests for it to help development in the future.

More info: #7555, #12509, #13811, and #12831.

Proposal 227: Include package fingerprints in consensus documents

This one should help the TorBrowser updater: it allows directory authorities to vote on, and include in their consensus documents, a set of versions, URLs, and fingerprints for various software packages. Now every Tor client will have an easy way to learn when a new package is available, and to authenticate the package digest.

More info: Proposal 227, #10395.

More efficient directory requests

Back when I wrote the code for compressing responses on directory requests, I didn't use all the right flags for zlib. By turning off the "Z_FLUSH" flag on our compression objects, I think we should be saving something like 7% of the bandwidth currently used for compressed microdescriptors and descriptors, freeing that bandwidth up for other purposes.

More info: #11787.
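
One way to measure the kind of saving described above, as an added example that is not Tor's code: it deflates the same documents as one stream, with and without a flush after each document. It assumes the flag in question corresponds to zlib's Z_SYNC_FLUSH mode; the sample documents are constructed, and the percentage it prints applies to them only.

```python
import hashlib
import zlib


def sample_documents(count=200):
    """Constructed stand-ins for small directory documents (not real Tor data)."""
    docs = []
    for i in range(count):
        key = hashlib.sha256(b"key-%d" % i).hexdigest()
        ident = hashlib.sha256(b"id-%d" % i).hexdigest()[:40]
        docs.append((
            "onion-key\n-----BEGIN RSA PUBLIC KEY-----\n%s\n"
            "-----END RSA PUBLIC KEY-----\n"
            "ntor-onion-key %s\np accept 80,443\n" % (key, ident)
        ).encode("ascii"))
    return docs


def compress_stream(documents, sync_flush_each):
    """Deflate all documents as one stream, optionally flushing after each one."""
    comp = zlib.compressobj(9)
    out = bytearray()
    for doc in documents:
        out += comp.compress(doc)
        if sync_flush_each:
            # Z_SYNC_FLUSH (assumed to be the flag meant above) ends the current
            # deflate block and emits an empty stored block, so the receiver can
            # decode everything sent so far. That framing costs bytes every time.
            out += comp.flush(zlib.Z_SYNC_FLUSH)
    out += comp.flush(zlib.Z_FINISH)
    return bytes(out)


def flush_overhead(documents):
    """Return (bytes_without_flush, bytes_with_flush, fraction_saved)."""
    plain = compress_stream(documents, sync_flush_each=False)
    flushed = compress_stream(documents, sync_flush_each=True)
    original = b"".join(documents)
    # Both streams must decode to the same bytes; only the framing differs.
    if zlib.decompress(plain) != original or zlib.decompress(flushed) != original:
        raise ValueError("round trip failed")
    saved = (len(flushed) - len(plain)) / len(flushed)
    return len(plain), len(flushed), saved


if __name__ == "__main__":
    plain_len, flushed_len, saved = flush_overhead(sample_documents())
    print("no flush: %d bytes, flush per document: %d bytes, saving %.1f%%"
          % (plain_len, flushed_len, 100 * saved))
```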

Improved memory-based DoS prevention

In 0.2.5, we introduced features to prevent accidental or deliberate out-of-memory conditions from taking down Tor nodes. (The "Sniper Attack" research explains why this is really important.)

In 0.2.6, we identify more kinds of memory usage that could grow without bound, and improve our memory tracker to consider them and clear them as needed.

Also, we add a notion of a "low memory" mode. When a Tor relay is low on memory, it tries to use less memory-heavy versions of its algorithms. (Currently, this only affects zlib compression.)

More info: #13806, #10115, #11792.

Hidden service statistics support

Tor relays can now collect statistics on the amount of traffic that is due to hidden service usage, and the total number of hidden services in existence. (Yes, we have made a major effort to ensure this is done safely, by aggregating results, adding Laplace noise, and doing lots and lots of analysis.)

This code is off by default; you can help us learn more about the network by enabling the HiddenServiceStatistics option.

More info: Proposal 238, #13192.

Dropped support for various old things

Panta rhei; the world is ever-changing. Once upon a time, it might have made sense for us to support the C89 C standard, versions of Windows before XP, kernels without threading support, and the WinCE (!) architecture.

Windows XP is a special case. In spite of its lack of security updates, some folks are still on it, and I'm not going to deliberately drop support for it for a while longer. Nevertheless, we can't keep the romance alive forever here: Sooner or later (probably sooner), we'll wind up accidentally breaking WinXP. When that happens, we're not likely to fix it: running an OS without security patches is the internet equivalent of rejecting vaccines.

More info: #11446, #12439, #13233.

Proposal 232: Pluggable Transport through SOCKS proxy

When Tor is configured to use a pluggable transport, *and* configured to send data through an outgoing SOCKS proxy, it can now tell its transports about that proxy, too. This isn't a feature most people need, but the people who need it really need it.

More info: Proposal 232, #8402.

Longer guard-node lifetimes, single chosen guards

This one is going to be important for security. Earlier research indicates that we need to have each client use fewer guards for their traffic, and keep each guard around for longer, if we want to strengthen their resistance to attackers running a large number of nodes. We've tweaked these values a bit already; current defaults are one entry guard, three guards for directory info, and sixty to ninety days for a guard lifetime. But once we finally merge the #9321 patch, we can increase the guard lifetime to something much higher without unbalancing clients' bandwidth distributions.

More info: #9321 and its child tickets, "Improving Tor's Anonymity by Changing Guard Parameters", and "One Fast Guard For Life".

And miscellaneous features and bugfixes too numerous to mention...

See the ChangeLog for all the exciting details.

Additional acknowledgments:

Thanks go to everybody who has helped with this release, either by writing code, reporting bugs, testing fixes, making comments, diagnosing issues, or just generally helping out. This includes, but is not limited to: Adrien BAK, Andrea Shepard, Anthony G. Basile, Arlo Breault, Arthur Edelstein, Craig Andrews, David Goulet, David Stainton, Francisco Blas Izquierdo Riera (klondike), George Kadianakis, Jens Kubieziel, Dana Koch, Isis Lovecruft, Jacob Appelbaum, Karsten Loesing, Kevin Murray, Magnus Nord, Mansour Moufid, Matthew Finkel, Michael Scherer, Peter Palfrader, Philip Van Hoof, Roger Dingledine, Sebastian Hahn, Mark Smith, Gisle Vanem, Tom van der Woerdt, Tomasz Torcz, Yawning Angel, anonymous, cypherpunks, intrigeri, meejah, rl1987, teor, skruffy, special, wfn, fpxnns, jowr, Device, and chobe.

Feb 26, 2015

Non-technical abstract:

We are starting a project to study and quantify hidden services traffic. As part of this project, we are collecting data from just a few volunteer relays which only allow us to see a small portion of hidden service activity (between 2% and 5%). Extrapolating from such a small sample is difficult, and our data are preliminary.

We've been working on methods to improve our calculations, but with our current methodology, we estimate that about 30,000 hidden services announce themselves to the Tor network every day, using about 5 terabytes of data daily. We also found that hidden service traffic is about 3.4% of total Tor traffic, which means that, at least according to our early calculations, 96.6% of Tor traffic is *not* hidden services. We invite people to join us in working to research methodologies and develop systems for better understanding Tor hidden services.


Over the past months we've been working on hidden service statistics. Our goal has been to answer the following questions:

  • "Approximately how many hidden services are there?"
  • "Approximately how much traffic of the Tor network is going to hidden services?"

We chose the above two questions because even though we want to understand hidden services, we really don't want to harm the privacy of Tor users. From a privacy perspective, the above two questions are relatively easy questions to answer because we don't need data from clients or the hidden services themselves; we just need data from hidden service directories and rendezvous points. Furthermore, the measurements reported by each relay cannot be linked back to specific hidden services or their clients.

Our first move was to research various ways we could collect these statistics in a privacy-preserving manner. After days of discussions on obfuscating statistics, we began writing a Tor proposal with our design, as well as code that implements the proposal. The code has since been reviewed and merged to Tor! The statistics are currently disabled by default so we asked volunteer relay operators to explicitly turn them on. Currently there are about 70 relays publishing measurements to us every 24 hours:

[Figure: Number of relays reporting stats]

So as of now we've been receiving these measurements for over a month, and we have thought a lot about how to best use the reported measurements to derive interesting results. We finally have some preliminary results we would like to share with you:

How many hidden services are there?

All in all, it seems that every day about 30000 hidden services announce themselves to the hidden service directories. Graphically:

[Figure: Number of hidden services]

By counting the number of unique hidden service addresses seen by HSDirs, we can get the approximate number of hidden services. Keep in mind that we can only see between 2% and 5% of the total HSDir space, so the extrapolation is, naturally, messy.

How much traffic do hidden services cause?

Our preliminary results show that hidden services cause somewhere between 400 and 600 Mbit of traffic per second, or equivalently about 4.9 terabytes a day. Here is a graph:

[Figure: Hidden services traffic volume]

We learned this by getting rendezvous points to publish the total number of cells transferred over rendezvous circuits, which allows us to learn the approximate volume of hidden service traffic. Notice that our coverage here is not very good either, with a probability of about 5% that a hidden service circuit will use a relay that reports these statistics as a rendezvous point.

A related statistic here is "How much of the Tor network is actually hidden service usage?". There are two different ways to answer this question, depending on whether we want to understand what clients are doing or what the network is doing. The fraction of hidden-service traffic at Tor clients differs from the fraction at Tor relays because connections to hidden services use 6-hop circuits while connections to the regular Internet use 3-hop circuits. As a result, the fraction of hidden-service traffic entering or leaving Tor is about half of the fraction of hidden-service traffic inside of Tor. Our conclusion is that about 3.4% of client traffic is hidden-service traffic, and 6.1% of traffic seen at a relay is hidden-service traffic.

Conclusion and future work

In this blog post we presented some preliminary results that could be extracted from these new hidden service statistics. We hope that this data can help us better gauge the future development and maturity of the onion space as well as detect potential incidents and bugs on the network. To better present our results and methods, we wrote a short technical report that outlines the exact process we followed. We invite you to read it if you are curious about the methodology or the results.

Finally, this project is only a few months old, and there are various plans for the future. For example:

  • There are more interesting questions that we could examine in this area. For example: "How many people are using hidden services every day?" and "How many times does someone try to visit a hidden service that does not exist anymore?"

    Unfortunately, some of these questions are not easy to answer with the current statistics reporting infrastructure, mainly because collecting them in this way could reveal information about specific hidden services but also because the results of the current system contain too much obfuscating data (each reporting relay randomizes its numbers a little bit before publishing them, so we can learn about totals but not about specific events).

    For this reason, we've been analyzing various statistics aggregation protocols that could be used in place of the current system, allowing us to safely collect other kinds of statistics.

  • We need to incorporate these statistics in our Metrics portal so that they are updated regularly and so that everyone can follow them.

  • Currently, these hidden service statistics are not collected in relays by default. Unfortunately, that gives us very small coverage of the network, which in turn makes our extrapolations very noisy. The main reason that these statistics are disabled by default is that similar statistics are also disabled (e.g. CellStatistics). Also, this allows us more time to consider privacy consequences. As we analyze more of these statistics and think more about statistics privacy, we should decide whether to turn these statistics on by default.

    It's worth repeating that the current results are preliminary and should be digested with a grain of salt. We invite statistically-inclined people to review our code, methods, and results. If you are a researcher interested in digging into the measurements themselves, you can find them in the extra-info descriptors of Tor relays.

    Over the next months, we will also be thinking more about these problems to figure out proper ways to analyze and safely measure private ecosystems like the onion space.
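
The obfuscation and extrapolation described in this post (and the Laplace noise mentioned in the 0.2.6 feature overview above), as an added sketch that is not the Tor Project's code: each relay rounds its count up to a bin and adds Laplace noise before publishing, and the analyst divides the sum of the reports by the share of the network the reporting relays cover. The bin size, sensitivity, epsilon, per-relay fractions and daily totals are assumed values chosen for illustration.

```python
import math
import random

# Assumed, illustrative parameters (not stated on this page).
BIN_SIZE = 1024        # counts are rounded up to a multiple of this
SENSITIVITY = 2048     # how much one user's activity may change a count
EPSILON = 0.3          # privacy parameter; noise scale = SENSITIVITY / EPSILON


def round_up_to_bin(count, bin_size=BIN_SIZE):
    """Round a non-negative count up to the next multiple of bin_size."""
    return -(-count // bin_size) * bin_size


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverting its CDF."""
    p = rng.random()
    while p == 0.0:            # avoid log(0) at the open end of the interval
        p = rng.random()
    u = p - 0.5                # u lies in (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def obfuscate(true_count, rng):
    """What one relay would publish: binned count plus Laplace noise."""
    noisy = round_up_to_bin(true_count) + laplace_noise(SENSITIVITY / EPSILON, rng)
    return math.ceil(noisy)


def simulate_reports(network_total, fractions, rng):
    """Each relay observes its fraction of the total and publishes it obfuscated."""
    return [(f, obfuscate(int(network_total * f), rng)) for f in fractions]


def extrapolate(reports):
    """Estimate the network-wide total from (fraction, reported_count) pairs."""
    coverage = sum(f for f, _ in reports)
    if coverage <= 0:
        raise ValueError("no coverage: cannot extrapolate")
    return sum(c for _, c in reports) / coverage


def relative_error(network_total, relays, rng):
    """Run one simulated day and compare the estimate with the true total."""
    # Constructed per-relay fractions; 70 of them cover roughly 3.5% in total.
    fractions = [rng.uniform(0.0002, 0.0008) for _ in range(relays)]
    estimate = extrapolate(simulate_reports(network_total, fractions, rng))
    return abs(estimate - network_total) / network_total


if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed so the run is repeatable
    # Constructed totals: a heavily used counter and a rare-event counter.
    for label, total in (("busy counter", 10_000_000_000), ("rare events", 100_000)):
        err = relative_error(total, relays=70, rng=rng)
        print("%-13s true=%d relative error=%.4f" % (label, total, err))
```

On the rare-event counter the bin rounding and noise dwarf the true per-relay counts, which is the limitation the post describes for questions about specific events.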

Till then, take care, and enjoy Tor!

Feb 26, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Note: The individual bundles of the stable series are signed by one of the subkeys of the Tor Browser Developers signing key from now on, too. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290

Tor Browser 4.0.4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Additionally, it contains updates to NoScript, HTTPS-Everywhere, and OpenSSL (none of the OpenSSL advisories since OpenSSL 1.0.1i have affected Tor, but we decided to update to the latest 1.0.1 release anyway).

Here is the changelog since 4.0.3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update OpenSSL to 1.0.1l
    • Update NoScript to
    • Update HTTPS-Everywhere to 4.0.3
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions

Feb 26, 2015

The Tor Browser team is proud to announce the release of the fourth alpha of the 4.5 series of Tor Browser. The release is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5a4 is based on Firefox ESR 31.5.0, which features important security updates to Firefox. Moreover, this release includes an updated Tor,, and switches Scramblesuit and obfs3 bridge support to a new golang-based implementation. We are especially interested in hearing any issues with using obfs3, obfs4, and Scramblesuit in this release.

The release also features several improvements to usability, following the results of the usability sprint at the end of last month. In particular, the Torbutton onion menu and related preference windows have been overhauled to provide more simplicity and more focus. The onion menu now features a much requested "New Circuit for this site" option, and the security and privacy settings window have been simplified. For censored users, the first run configuration wizard was also improved to present the choice of Pluggable Transport before the local proxy information, in an effort to avoid confusion between Pluggable Transports and local proxies. As can be seen from the changelog below, the release contains several other usability tweaks and enhancements as well.

Here is the full changelog for changes since 4.5-alpha-3:

  • All Platforms
    • Update Firefox to 31.5.0esr
    • Update Tor to
    • Update OpenSSL to 1.0.1l
    • Update NoScript to
    • Update obfs4proxy to 0.0.4
      • Use obfs4proxy for ScrambleSuit bridges
    • Update Torbutton to
      • Bug 13882: Fix display of bridges after bridge settings have been changed
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 14866: Show correct circuit when more than one exists for a given domain
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14632: Disable Cookie Manager until we get it working.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 13900: Remove remaining SafeCache code in favor of C++ patch
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 9387: Handle "custom" mode better in Security Slider
      • Bug 12430: Bind jar: pref to Security Slider
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Translation updates
    • Update Tor Launcher to
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Translation updates
    • Bug 14203: Prevent meek from displaying an extra update notification
    • Bug 14849: Remove new NoScript menu option to make permissions permanent
    • Bug 14851: Set NoScript pref to disable permanent permissions
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 10280: Don't load any plugins into the address space.
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 5698: Fix branding in "About Torbrowser" window
  • Windows:
    • Bug 13169: Don't use /dev/random on Windows for SSP
  • Linux:
    • Bug 13717: Make sure we use the bash shell on Linux

Note: Once again, the individual bundles of both Tor Browser series are signed by one of the subkeys of the Tor Browser Developers signing key from now on. You can find its fingerprint on the Signing Keys page. It is:

pub   4096R/0x4E2C6E8793298290 2014-12-15
      Key fingerprint = EF6E 286D DA85 EA2A 4BA7
                        DE68 4E2C 6E87 9329 8290

Feb 25, 2015

Welcome to the eighth issue in 2015 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor 0.2.6-alpha-3 is out

Nick Mathewson announced the third (“and hopefully final”) alpha release in the Tor 0.2.6.x series. The major user- and operator-facing changes in this release include support for AF_UNIX sockets, allowing high-risk applications to reach a local Tor without having to enable other kinds of networking activity; a new warning for relay operators, in order to make it even harder to accidentally run an exit node; improvements and additions to the directory system; and much else besides.

See Nick’s announcement for the full changelog, and download your copy of the source code from the distribution directory, but note that “this is an alpha release”, so “please expect bugs”.

Tails 1.3 is out

The Tails team announced version 1.3 of the anonymous live operating system. This release brings several major new features, including Bitcoin support with Electrum; connections to Tor using the obfs4 pluggable transport; an AppArmor profile to protect the filesystem against some kinds of attack on Tor Browser; a simpler Tails drive creation process on Mac and Linux; and more intuitive handling of computer trackpads.

See the announcement for links to the full list of changes and known issues, and download your copy from the website or, if you already have a running Tails, using the incremental update system.

CITIZENFOUR wins many awards

Laura Poitras’ documentary film CITIZENFOUR, recording the initial encounters between herself, journalist Glenn Greenwald, and the American surveillance whistleblower (and sometime Tor relay operator) Edward Snowden, has been decorated at numerous awards ceremonies over the past few months for its artistic and political achievement.

The filmmakers have been tireless in their activism on behalf of Tor and the free software community both in the mainstream press and at community conferences; upon receiving the Ridenhour Documentary Film Prize last week, Laura called attention to the role of these projects in the production process: “This film and our NSA reporting would not have been possible without the work of the Free Software community that builds free tools to communicate privately. The prize money for the award will be given to the Tails Free Software project.”

CITIZENFOUR went on to win the Independent Spirit and Academy Awards for Best Documentary Feature over the weekend. The recognition is richly deserved. Thanks to Laura and her colleagues for their extraordinary work over the last two years!

Miscellaneous news

Giovanni Pellerano released a security advisory for a bug in GlobaLeaks that was introduced on 28th January 2015, and fixed on 16th February. The bug could have allowed an attacker to read any file in the /var/globaleaks/ directory with the exception of the Tor onion service key; if you installed or upgraded your GlobaLeaks instance on or between those dates, please see Giovanni’s announcement for more details, and upgrade again as soon as possible.

Nathan Freitas announced Orbot version 15-alpha-4, featuring bridge scanning and distribution via QR code, and simpler configuration for pluggable transports like meek, among other improvements.

Rob Jansen announced a major new release of Shadow, the Tor network simulation tool. New features include support for running Bitcoin software inside the simulation, client activity modelling using dependency graphs, and much more.

Yaron Goland updated the Tor Onion Proxy library, a project to “enable Android and Java applications to easily host their own Tor Onion Proxies using the core Tor binaries”. This release incorporates newer software and a simplified build process.

The organizers of the Workshop on Surveillance and Technology issued a call for papers ahead of their event, which will be held on June 29th. The deadline for submission is midnight UTC on March 11th; please see SAT’s website for topics covered by the workshop and submission guidelines.

Bendert Zevenbergen relayed another call for participation, this time in the ACM SigComm2015 workshop on “Ethics in Networked Systems Research”.

This issue of Tor Weekly News has been assembled by Harmony and Roger Dingledine.


Feb 24, 2015

Tails, The Amnesic Incognito Live System, version 1.3, is out.

This release fixes numerous security issues and all users must upgrade as soon as possible.

New features

  • Electrum is an easy to use bitcoin wallet. You can use the Bitcoin Client persistence feature to store your Electrum configuration and wallet.

  • The Tor Browser has additional operating system and data security. This security restricts reads and writes to a limited number of folders. Learn how to manipulate files with the new Tor Browser.

  • The obfs4 pluggable transport is now available to connect to Tor bridges. Pluggable transports transform the Tor traffic between the client and the bridge to help disguise Tor traffic from censors.

  • Keyringer lets you manage and share secrets using OpenPGP and Git from the command line.

Upgrades and changes

  • The Mac and Linux manual installation processes no longer require the isohybrid command. Removing the isohybrid command simplifies the installation.
  • The tap-to-click and two-finger scrolling trackpad settings are now enabled by default. This should be more intuitive for Mac users.
  • The Ibus Vietnamese input method is now supported.
  • Improved support for OpenPGP smartcards through the installation of GnuPG 2.

There are numerous other changes that may not be apparent in the daily operation of a typical user. Technical details of all the changes are listed in the Changelog.

Known issues

See the current list of known issues.

Download or upgrade

Go to the download page.

What's coming up?

The next Tails release is scheduled for April 7.

Have a look at our roadmap to see where we are heading.

Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Feb 19, 2015

Tor is the third (and hopefully final) alpha release in the 0.2.6.x series. It introduces support for more kinds of sockets, makes it harder to accidentally run an exit, improves our multithreading backend, incorporates several fixes for the AutomapHostsOnResolve option, and fixes numerous other bugs besides.

If no major regressions or security holes are found in this version, the next version will be a release candidate.

You can download the source from the usual place on the website. Packages should be up in a few days.

NOTE: This is an alpha release. Please expect bugs.

Changes in version - 2015-02-19
  • Deprecated versions:
    • Tor relays older than are no longer allowed to advertise themselves on the network. Closes ticket 13555.
  • Major features (security, unix domain sockets):
    • Allow SocksPort to be an AF_UNIX Unix Domain Socket. Now high risk applications can reach Tor without having to create AF_INET or AF_INET6 sockets, meaning they can completely disable their ability to make non-Tor network connections. To create a socket of this type, use "SocksPort unix:/path/to/socket". Implements ticket 12585.
    • Support mapping hidden service virtual ports to AF_UNIX sockets. The syntax is "HiddenServicePort 80 unix:/path/to/socket". Implements ticket 11485.


  • Major features (changed defaults):
    • Prevent relay operators from unintentionally running exits: When a relay is configured as an exit node, we now warn the user unless the "ExitRelay" option is set to 1. We warn even more loudly if the relay is configured with the default exit policy, since this can indicate accidental misconfiguration. Setting "ExitRelay 0" stops Tor from running as an exit relay. Closes ticket 10067.
  • Major features (directory system):
    • When downloading server- or microdescriptors from a directory server, we no longer launch multiple simultaneous requests to the same server. This reduces load on the directory servers, especially when directory guards are in use. Closes ticket 9969.
    • When downloading server- or microdescriptors over a tunneled connection, do not limit the length of our requests to what the Squid proxy is willing to handle. Part of ticket 9969.
    • Authorities can now vote on the correct digests and latest versions for different software packages. This allows packages that include Tor to use the Tor authority system as a way to get notified of updates and their correct digests. Implements proposal 227. Closes ticket 10395.
  • Major features (performance):
    • Make the CPU worker implementation more efficient by avoiding the kernel and lengthening pipelines. The original implementation used sockets to transfer data from the main thread to the workers, and didn't allow any thread to be assigned more than a single piece of work at once. The new implementation avoids communications overhead by making requests in shared memory, avoiding kernel IO where possible, and keeping more requests in flight at once. Implements ticket 9682.
  • Major features (relay):
    • Raise the minimum acceptable configured bandwidth rate for bridges to 50 KiB/sec and for relays to 75 KiB/sec. (The old values were 20 KiB/sec.) Closes ticket 13822.
  • Major bugfixes (exit node stability):
    • Fix an assertion failure that could occur under high DNS load. Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; diagnosed and fixed by "cypherpunks".
  • Major bugfixes (mixed relay-client operation):
    • When running as a relay and client at the same time (not recommended), if we decide not to use a new guard because we want to retry older guards, only close the locally-originating circuits passing through that guard. Previously we would close all the circuits through that guard. Fixes bug 9819; bugfix on Reported by "skruffy".
  • Minor features (build):
    • New --disable-system-torrc compile-time option to prevent Tor from looking for the system-wide torrc or torrc-defaults files. Resolves ticket 13037.
  • Minor features (controller):
    • Include SOCKS_USERNAME and SOCKS_PASSWORD values in controller events so controllers can observe circuit isolation inputs. Closes ticket 8405.
    • ControlPort now supports the unix:/path/to/socket syntax as an alternative to the ControlSocket option, for consistency with SocksPort and HiddenServicePort. Closes ticket 14451.
    • New "GETINFO bw-event-cache" to get information about recent bandwidth events. Closes ticket 14128. Useful for controllers to get recent bandwidth history after the fix for ticket 13988.
  • Minor features (Denial of service resistance):
    • Count the total number of bytes used storing hidden service descriptors against the value of MaxMemInQueues. If we're low on memory, and more than 20% of our memory is used holding hidden service descriptors, free them until no more than 10% of our memory holds hidden service descriptors. Free the least recently fetched descriptors first. Resolves ticket 13806.
    • When we have recently been under memory pressure (over 3/4 of MaxMemInQueues is allocated), then allocate smaller zlib objects for small requests. Closes ticket 11791.
  • Minor features (geoip):
    • Update geoip and geoip6 files to the January 7 2015 Maxmind GeoLite2 Country database.
  • Minor features (guard nodes):
    • Reduce the time delay before saving guard status to disk from 10 minutes to 30 seconds (or from one hour to 10 minutes if AvoidDiskWrites is set). Closes ticket 12485.
  • Minor features (hidden service):
    • Make Sybil attacks against hidden services harder by changing the minimum time required to get the HSDir flag from 25 hours up to 96 hours. Addresses ticket 14149.
    • New option "HiddenServiceAllowUnknownPorts" to allow hidden services to disable the anti-scanning feature introduced in With this option not set, a connection to an unlisted port closes the circuit. With this option set, only a RELAY_DONE cell is sent. Closes ticket 14084.
  • Minor features (interface):
    • Implement "-f -" command-line option to read torrc configuration from standard input, if you don't want to store the torrc file in the file system. Implements feature 13865.
  • Minor features (logging):
    • Add a count of unique clients to the bridge heartbeat message. Resolves ticket 6852.
    • Suppress "router info incompatible with extra info" message when reading extrainfo documents from cache. (This message got loud around when we closed bug 9812 in Closes ticket 13762.
    • Elevate hidden service authorized-client message from DEBUG to INFO. Closes ticket 14015.
  • Minor features (stability):
    • Add assertions in our hash-table iteration code to check for corrupted values that could cause infinite loops. Closes ticket 11737.
  • Minor features (systemd):
    • Various improvements and modernizations in systemd hardening support. Closes ticket 13805. Patch from Craig Andrews.
  • Minor features (testing networks):
    • Drop the minimum RendPostPeriod on a testing network to 5 seconds, and the default on a testing network to 2 minutes. Drop the MIN_REND_INITIAL_POST_DELAY on a testing network to 5 seconds, but keep the default on a testing network at 30 seconds. This reduces HS bootstrap time to around 25 seconds. Also, change the default time in to match. Closes ticket 13401. Patch by "teor".
    • Create TestingDirAuthVoteHSDir to correspond to TestingDirAuthVoteExit/Guard. Ensures that authorities vote the HSDir flag for the listed relays regardless of uptime or ORPort connectivity. Respects the value of VoteOnHidServDirectoriesV2. Partial implementation for ticket 14067. Patch by "teor".
  • Minor features (tor2web mode):
    • Introduce the config option Tor2webRendezvousPoints, which allows clients in Tor2webMode to select a specific Rendezvous Point to be used in HS circuits. This might allow better performance for Tor2Web nodes. Implements ticket 12844.
  • Minor bugfixes (client DNS):
    • Report the correct cached DNS expiration times on SOCKS port or in DNS replies. Previously, we would report everything as "never expires." Fixes bug 14193; bugfix on
    • Avoid a small memory leak when we find a cached answer for a reverse DNS lookup in a client-side DNS cache. (Remember, client-side DNS caching is off by default, and is not recommended.) Fixes bug 14259; bugfix on
  • Minor bugfixes (client, automapping):
    • Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when no value follows the option. Fixes bug 14142; bugfix on Patch by "teor".
    • Fix a memory leak when using AutomapHostsOnResolve. Fixes bug 14195; bugfix on
    • Prevent changes to other options from removing the wildcard value "." from "AutomapHostsSuffixes". Fixes bug 12509; bugfix on
    • Allow MapAddress and AutomapHostsOnResolve to work together when an address is mapped into another address type (like .onion) that must be automapped at resolve time. Fixes bug 7555; bugfix on
  • Minor bugfixes (client, bridges):
    • When we are using bridges and we had a network connectivity problem, only retry connecting to our currently configured bridges, not all bridges we know about and remember using. Fixes bug 14216; bugfix on
  • Minor bugfixes (client, IPv6):
    • Reject socks requests to literal IPv6 addresses when IPv6Traffic flag is not set; and not because the NoIPv4Traffic flag was set. Previously we'd looked at the NoIPv4Traffic flag for both types of literal addresses. Fixes bug 14280; bugfix on
  • Minor bugfixes (compilation):
    • The address of an array in the middle of a structure will always be non-NULL. clang recognises this and complains. Disable the tautologous and redundant check to silence this warning. Fixes bug 14001; bugfix on
    • Avoid warnings when building with systemd 209 or later. Fixes bug 14072; bugfix on Patch from "h.venev".
    • Compile correctly with (unreleased) OpenSSL 1.1.0 headers. Addresses ticket 14188.
    • Build without warnings with the stock OpenSSL srtp.h header, which has a duplicate declaration of SSL_get_selected_srtp_profile(). Fixes bug 14220; this is OpenSSL's bug, not ours.
    • Do not compile any code related to Tor2Web mode when Tor2Web mode is not enabled at compile time. Previously, this code was included in a disabled state. See discussion on ticket 12844.
    • Remove the --disable-threads configure option again. It was accidentally partially reintroduced in 29ac883606d6d. Fixes bug 14819; bugfix on
  • Minor bugfixes (controller):
    • Report "down" in response to the "GETINFO entry-guards" command when relays are down with an unreachable_since value. Previously, we would report "up". Fixes bug 14184; bugfix on
    • Avoid crashing on a malformed EXTENDCIRCUIT command. Fixes bug 14116; bugfix on
    • Add a code for the END_CIRC_REASON_IP_NOW_REDUNDANT circuit close reason. Fixes bug 14207; bugfix on
  • Minor bugfixes (directory authority):
    • Allow directory authorities to fetch more data from one another if they find themselves missing lots of votes. Previously, they had been bumping against the 10 MB queued data limit. Fixes bug 14261; bugfix on
    • Do not attempt to download extrainfo documents which we will be unable to validate with a matching server descriptor. Fixes bug 13762; bugfix on
    • Fix a bug that was truncating AUTHDIR_NEWDESC events sent to the control port. Fixes bug 14953; bugfix on
    • Enlarge the buffer to read bwauth generated files to avoid an issue when parsing the file in dirserv_read_measured_bandwidths(). Fixes bug 14125; bugfix on
  • Minor bugfixes (file handling):
    • Stop failing when key files are zero-length. Instead, generate new keys, and overwrite the empty key files. Fixes bug 13111; bugfix on all versions of Tor. Patch by "teor".
    • Stop generating a fresh .old RSA onion key file when the .old file is missing. Fixes part of 13111; bugfix on 0.0.6rc1.
    • Avoid overwriting .old key files with empty key files.
    • Skip loading zero-length extrainfo store, router store, stats, state, and key files.
    • Avoid crashing when trying to reload a torrc specified as a relative path with RunAsDaemon turned on. Fixes bug 13397; bugfix on
  • Minor bugfixes (hidden services):
    • Close the introduction circuit when we have no more usable intro points, instead of waiting for it to time out. This also ensures that no follow-up HS descriptor fetch is triggered when the circuit eventually times out. Fixes bug 14224; bugfix on 0.0.6.
    • When fetching a hidden service descriptor for a down service that was recently up, do not keep refetching until we try the same replica twice in a row. Fixes bug 14219; bugfix on
    • Successfully launch Tor with a nonexistent hidden service directory. Our fix for bug 13942 didn't catch this case. Fixes bug 14106; bugfix on
  • Minor bugfixes (logging):
    • Avoid crashing when there are more log domains than entries in domain_list. Bugfix on
    • Add a string representation for LD_SCHED. Fixes bug 14740; bugfix on
    • Don't log messages to stdout twice when starting up. Fixes bug 13993; bugfix on
  • Minor bugfixes (parsing):
    • Stop accepting milliseconds (or other junk) at the end of descriptor publication times. Fixes bug 9286; bugfix on 0.0.2pre25.
    • Support two-number and three-number version numbers correctly, in case we change the Tor versioning system in the future. Fixes bug 13661; bugfix on 0.0.8pre1.
  • Minor bugfixes (path counting):
    • When deciding whether the consensus lists any exit nodes, count the number listed in the consensus, not the number we have descriptors for. Fixes part of bug 14918; bugfix on
    • When deciding whether we have any exit nodes, only examine ExitNodes when the ExitNodes option is actually set. Fixes part of bug 14918; bugfix on
    • Get rid of redundant and possibly scary warnings that we are missing directory information while we bootstrap. Fixes part of bug 14918; bugfix on
  • Minor bugfixes (portability):
    • Fix the ioctl()-based network interface lookup code so that it will work on systems that have variable-length struct ifreq, for example Mac OS X.
    • Fix scheduler compilation on targets where char is unsigned. Fixes bug 14764; bugfix on Reported by Christian Kujau.
  • Minor bugfixes (sandbox):
    • Allow glibc fatal errors to be sent to stderr before Tor exits. Previously, glibc would try to write them to /dev/tty, and the sandbox would trap the call and make Tor exit prematurely. Fixes bug 14759; bugfix on
  • Minor bugfixes (shutdown):
    • When shutting down, always call event_del() on lingering read or write events before freeing them. Otherwise, we risk double-frees or read-after-frees in event_base_free(). Fixes bug 12985; bugfix on
  • Minor bugfixes (small memory leaks):
    • Avoid leaking memory when using IPv6 virtual address mappings. Fixes bug 14123; bugfix on Patch by Tom van der Woerdt.
  • Minor bugfixes (statistics):
    • Increase period over which bandwidth observations are aggregated from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
  • Minor bugfixes (systemd support):
    • Fix detection and operation of systemd watchdog. Fixes part of bug 14141; bugfix on Patch from Tomasz Torcz.
    • Run correctly under systemd with the RunAsDaemon option set. Fixes part of bug 14141; bugfix on Patch from Tomasz Torcz.
    • Inform the systemd supervisor about more changes in the Tor process status. Implements part of ticket 14141. Patch from Tomasz Torcz.
    • Cause the "--disable-systemd" option to actually disable systemd support. Fixes bug 14350; bugfix on Patch from "blueness".
  • Minor bugfixes (TLS):
    • Check more thoroughly throughout the TLS code for possible unlogged TLS errors. Possible diagnostic or fix for bug 13319.
  • Minor bugfixes (transparent proxy):
    • Use getsockname, not getsockopt, to retrieve the address for a TPROXY-redirected connection. Fixes bug 13796; bugfix on
  • Code simplification and refactoring:
    • Move fields related to isolating and configuring client ports into a shared structure. Previously, they were duplicated across port_cfg_t, listener_connection_t, and edge_connection_t. Failure to copy them correctly had been the cause of at least one bug in the past. Closes ticket 8546.
    • Refactor the get_interface_addresses_raw() doom-function into multiple smaller and simpler subfunctions. Cover the resulting subfunctions with unit-tests. Fixes a significant portion of issue 12376.
    • Remove workaround in dirserv_thinks_router_is_hs_dir() that was only for version <= which is now deprecated. Closes ticket 14202.
    • Remove a test for a long-defunct broken version-one directory server.
  • Documentation:
    • Adding section on OpenBSD to our TUNING document. Thanks to mmcc for writing the OpenBSD-specific tips. Resolves ticket 13702.
    • Make the tor-resolve documentation match its help string and its options. Resolves part of ticket 14325.
    • Log a more useful error message from tor-resolve when failing to look up a hidden service address. Resolves part of ticket 14325.
  • Downgraded warnings:
    • Don't warn when we've attempted to contact a relay using the wrong ntor onion key. Closes ticket 9635.
  • Removed features:
    • To avoid confusion with the "ExitRelay" option, "ExitNode" is no longer silently accepted as an alias for "ExitNodes".
    • The --enable-mempool and --enable-buf-freelists options, which were originally created to work around bad malloc implementations, no longer exist. They were off-by-default in 0.2.5. Closes ticket 14848.
  • Testing:
    • Make the checkdir/perms test complete successfully even if the global umask is not 022. Fixes bug 14215; bugfix on
    • Test that tor does not fail when key files are zero-length. Check that tor generates new keys, and overwrites the empty key files.
    • Test that tor generates new keys when keys are missing (existing behavior).
    • Test that tor does not overwrite key files that already contain data (existing behavior). Tests bug 13111. Patch by "teor".
    • New "make test-stem" target to run stem integration tests. Requires that the "STEM_SOURCE_DIR" environment variable be set. Closes ticket 14107.
    • Make the script work correctly on Windows. Patch from Gisle Vanem.
    • Move the slower unit tests into a new "./src/test/test-slow" binary that can be run independently of the other tests. Closes ticket 13243.
    • Avoid undefined behavior when sampling huge values from the Laplace distribution. This made unittests fail on Raspberry Pi. Bug found by Device. Fixes bug 14090; bugfix on
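
The "SocksPort unix:/path/to/socket" entry in the changelog above, seen from the client side, as an added example (not code from Tor or from this release): a minimal SOCKS5 client that reaches the proxy over an AF_UNIX path and sends the hostname unresolved, so the process needs no AF_INET or AF_INET6 socket. The mock proxy, the example.invalid target and all function names are constructed for the demo; with a real Tor, sock_path would be the path configured in SocksPort.

```python
import os, socket, struct, tempfile, threading

def recv_exact(sock, n):
    """Read exactly n bytes; raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS5 exchange")
        buf += chunk
    return buf

def socks5_connect_unix(sock_path, host, port):
    """CONNECT to host:port through a SOCKS5 proxy on an AF_UNIX path.
    The name goes out as ATYP 0x03, so the proxy resolves it and this
    process never does DNS or opens an AF_INET/AF_INET6 socket."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(sock_path)
        s.sendall(b"\x05\x01\x00")           # version 5, one method: no-auth
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy rejected the no-auth method")
        name = host.encode("ascii")
        s.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name
                  + struct.pack(">H", port))
        ver, rep, _rsv, atyp = recv_exact(s, 4)
        if ver != 5 or rep != 0:
            raise ConnectionError("SOCKS5 CONNECT failed, reply code %d" % rep)
        # Discard the bound address: IPv4, IPv6, or length-prefixed name.
        alen = {1: 4, 4: 16}.get(atyp) or recv_exact(s, 1)[0]
        recv_exact(s, alen + 2)
        return s
    except Exception:
        s.close()
        raise

def mock_proxy(listener, seen):
    """Constructed stand-in for a SOCKS listener: one client, then echo."""
    conn, _ = listener.accept()
    with conn:
        nmethods = recv_exact(conn, 2)[1]
        recv_exact(conn, nmethods)
        conn.sendall(b"\x05\x00")                        # accept no-auth
        atyp = recv_exact(conn, 4)[3]                    # ver, cmd, rsv, atyp
        name = recv_exact(conn, recv_exact(conn, 1)[0])
        (port,) = struct.unpack(">H", recv_exact(conn, 2))
        seen.append((atyp, name.decode("ascii"), port))
        conn.sendall(b"\x05\x00\x00\x01" + bytes(6))     # success, 0.0.0.0:0
        conn.sendall(recv_exact(conn, 4))                # echo four bytes

def demo():
    """Run the client against the mock; returns (request seen, echo)."""
    seen = []
    with tempfile.TemporaryDirectory() as workdir:       # created mode 0700
        path = os.path.join(workdir, "socks")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as listener:
            listener.bind(path)
            listener.listen(1)
            threading.Thread(target=mock_proxy, args=(listener, seen),
                             daemon=True).start()
            with socks5_connect_unix(path, "example.invalid", 80) as s:
                s.sendall(b"ping")
                echoed = recv_exact(s, 4)
    return seen[0], echoed
```

Keeping the socket inside a directory only the client's user can enter limits which local processes can reach the proxy.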