Support all your favorite nonprofits with a single donation.

Donate safely, anonymously & monthly, in any amount. It's a smarter way to give online. Learn more
The Tor Project
Dedham, MA
givvers: jason, emerssso + 4 others

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

The Tor Project is a 501(c)3 organization.

Latest News

Feb 05, 2016

Tor Browser 5.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

Most notably, this release features fixes for regressions caused by our font fingerprinting defense: chinese users should have a functional Tor Browser again and emoji support is restored on OS X and Linux systems (we are still working on a fix for Windows).

Moreover, we fixed an oversight in one of our patches which broke some websites depending heavily on iframes.

The full changelog since 5.5 is:

Tor Browser 5.5.1 -- February 5 2016

  • All Platforms
    • Bug 18168: Don't clear an iframe's window.name (fix of #16620)
    • Bug 18137: Add two new obfs4 default bridges
  • Windows
  • OS X
  • Linux

Feb 04, 2016

Tor 0.2.8.1-alpha has been released! You can download the source from the Tor website. Packages should be available over the next several days.

Tor 0.2.8.1-alpha is the first alpha release in its series. It includes numerous small features and bugfixes against previous Tor versions, and numerous small infrastructure improvements. The most notable features are a set of improvements to the directory subsystem.

PLEASE NOTE: This is an alpha release. Expect a lot of bugs. You should really only run this release if you're willing to find bugs and report them.

Changes in version 0.2.8.1-alpha - 2016-02-04

  • Major features (security, Linux):
    • When Tor starts as root on Linux and is told to switch user ID, it can now retain the capability to bind to low ports. By default, Tor will do this only when it's switching user ID and some low ports have been configured. You can change this behavior with the new option KeepBindCapabilities. Closes ticket 8195.
  • Major features (directory system):
    • When bootstrapping multiple consensus downloads at a time, use the first one that starts downloading, and close the rest. This reduces failures when authorities or fallback directories are slow or down. Together with the code for feature 15775, this feature should reduces failures due to fallback churn. Implements ticket 4483. Patch by "teor". Implements IPv4 portions of proposal 210 by "mikeperry" and "teor".
    • Include a trial list of default fallback directories, based on an opt-in survey of suitable relays. Doing this should make clients bootstrap more quickly and reliably, and reduce the load on the directory authorities. Closes ticket 15775. Patch by "teor". Candidates identified using an OnionOO script by "weasel", "teor", "gsathya", and "karsten".
    • Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled directory requests that they receive through their ORPort. You can disable this behavior using the new DirCache option. Closes ticket 12538.

 

  • Major key updates:
    • Update the V3 identity key for the dannenberg directory authority: it was changed on 18 November 2015. Closes task 17906. Patch by "teor".
  • Minor features (security, clock):
    • Warn when the system clock appears to move back in time (when the state file was last written in the future). Tor doesn't know that consensuses have expired if the clock is in the past. Patch by "teor". Implements ticket 17188.
  • Minor features (security, exit policies):
    • ExitPolicyRejectPrivate now rejects more private addresses by default. Specifically, it now rejects the relay's outbound bind addresses (if configured), and the relay's configured port addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on 0.2.0.11-alpha. Patch by "teor".
  • Minor features (security, memory erasure):
    • Set the unused entries in a smartlist to NULL. This helped catch a (harmless) bug, and shouldn't affect performance too much. Implements ticket 17026.
    • Use SecureMemoryWipe() function to securely clean memory on Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function. Implements feature 17986.
    • Use explicit_bzero or memset_s when present. Previously, we'd use OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches from <[email protected]> and <[email protected]>.
    • Make memwipe() do nothing when passed a NULL pointer or buffer of zero size. Check size argument to memwipe() for underflow. Fixes bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", patch by "teor".
  • Minor features (security, RNG):
    • Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely, positively are not allowed to fail. Previously we depended on internal details of OpenSSL's behavior. Closes ticket 17686.
    • Never use the system entropy output directly for anything besides seeding the PRNG. When we want to generate important keys, instead of using system entropy directly, we now hash it with the PRNG stream. This may help resist certain attacks based on broken OS entropy implementations. Closes part of ticket 17694.
    • Use modern system calls (like getentropy() or getrandom()) to generate strong entropy on platforms that have them. Closes ticket 13696.
  • Minor features (accounting):
    • Added two modes to the AccountingRule option: One for limiting only the number of bytes sent ("AccountingRule out"), and one for limiting only the number of bytes received ("AccountingRule in"). Closes ticket 15989; patch from "unixninja92".
  • Minor features (build):
    • Since our build process now uses "make distcheck", we no longer force "make dist" to depend on "make check". Closes ticket 17893; patch from "cypherpunks."
    • Tor now builds successfully with the recent OpenSSL 1.1 development branch, and with the latest LibreSSL. Closes tickets 17549, 17921, and 17984.
  • Minor features (controller):
    • Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes tickets 16774 and 17817. Patch by George Tankersley.
    • New 'GETINFO hs/service/desc/id/' command to retrieve a hidden service descriptor from a service's local hidden service descriptor cache. Closes ticket 14846.
    • Add 'GETINFO exit-policy/reject-private/[default,relay]', so controllers can examine the the reject rules added by ExitPolicyRejectPrivate. This makes it easier for stem to display exit policies.
  • Minor features (crypto):
    • Add SHA512 support to crypto.c. Closes ticket 17663; patch from George Tankersley.
    • Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
    • When allocating a digest state object, allocate no more space than we actually need. Previously, we would allocate as much space as the state for the largest algorithm would need. This change saves up to 672 bytes per circuit. Closes ticket 17796.
    • Improve performance when hashing non-multiple of 8 sized buffers, based on Andrew Moon's public domain SipHash-2-4 implementation. Fixes bug 17544; bugfix on 0.2.5.3-alpha.
  • Minor features (directory downloads):
    • Wait for busy authorities and fallback directories to become non- busy when bootstrapping. (A similar change was made in 6c443e987d for directory caches chosen from the consensus.) Closes ticket 17864; patch by "teor".
    • Add UseDefaultFallbackDirs, which enables any hard-coded fallback directory mirrors. The default is 1; set it to 0 to disable fallbacks. Implements ticket 17576. Patch by "teor".
  • Minor features (geoip):
    • Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2 Country database.
  • Minor features (IPv6):
    • Add an argument 'ipv6=address:orport' to the DirAuthority and FallbackDir torrc options, to specify an IPv6 address for an authority or fallback directory. Add hard-coded ipv6 addresses for directory authorities that have them. Closes ticket 17327; patch from Nick Mathewson and "teor".
    • Add address policy assume_action support for IPv6 addresses.
    • Limit IPv6 mask bits to 128.
    • Warn when comparing against an AF_UNSPEC address in a policy, it's almost always a bug. Closes ticket 17863; patch by "teor".
    • Allow users to configure directory authorities and fallback directory servers with IPv6 addresses and ORPorts. Resolves ticket 6027.
    • routerset_parse now accepts IPv6 literal addresses. Fixes bug 17060; bugfix on 0.2.1.3-alpha. Patch by "teor".
    • Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug 17638; bugfix on 0.0.2pre8. Patch by "teor".
  • Minor features (logging):
    • When logging to syslog, allow a tag to be added to the syslog identity (the string prepended to every log message). The tag can be configured with SyslogIdentityTag and defaults to none. Setting it to "foo" will cause logs to be tagged as "Tor-foo". Closes ticket 17194.
  • Minor features (portability):
    • Use timingsafe_memcmp() where available. Closes ticket 17944; patch from <[email protected]>.
  • Minor features (relay, address discovery):
    • Add a family argument to get_interface_addresses_raw() and subfunctions to make network interface address interogation more efficient. Now Tor can specifically ask for IPv4, IPv6 or both types of interfaces from the operating system. Resolves ticket 17950.
    • When get_interface_address6_list(.,AF_UNSPEC,.) is called and fails to enumerate interface addresses using the platform-specific API, have it rely on the UDP socket fallback technique to try and find out what IP addresses (both IPv4 and IPv6) our machine has. Resolves ticket 17951.
  • Minor features (replay cache):
    • The replay cache now uses SHA256 instead of SHA1. Implements feature 8961. Patch by "teor", issue reported by "rransom".
  • Minor features (unix file permissions):
    • Defer creation of Unix sockets until after setuid. This avoids needing CAP_CHOWN and CAP_FOWNER when using systemd's CapabilityBoundingSet, or chown and fowner when using SELinux. Implements part of ticket 17562. Patch from Jamie Nguyen.
    • If any directory created by Tor is marked as group readable, the filesystem group is allowed to be either the default GID or the root user. Allowing root to read the DataDirectory prevents the need for CAP_READ_SEARCH when using systemd's CapabilityBoundingSet, or dac_read_search when using SELinux. Implements part of ticket 17562. Patch from Jamie Nguyen.
    • Introduce a new DataDirectoryGroupReadable option. If it is set to 1, the DataDirectory will be made readable by the default GID. Implements part of ticket 17562. Patch from Jamie Nguyen.
  • Minor bugfixes (accounting):
    • The max bandwidth when using 'AccountRule sum' is now correctly logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch from "unixninja92".
  • Minor bugfixes (code correctness):
    • When closing an entry connection, generate a warning if we should have sent an end cell for it but we haven't. Fixes bug 17876; bugfix on 0.2.3.2-alpha.
    • Assert that allocated memory held by the reputation code is freed according to its internal counters. Fixes bug 17753; bugfix on tor-0.1.1.1-alpha.
    • Assert when the TLS contexts fail to initialize. Fixes bug 17683; bugfix on 0.0.6.
  • Minor bugfixes (compilation):
    • Mark all object files that include micro-revision.i as depending on it, so as to make parallel builds more reliable. Fixes bug 17826; bugfix on 0.2.5.1-alpha.
    • Don't try to use the pthread_condattr_setclock() function unless it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug 17819; bugfix on 0.2.6.3-alpha.
    • Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix on tor-0.2.5.2-alpha.
    • Fix compilation of sandbox.c with musl-libc. Fixes bug 17347; bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
    • Fix search for libevent libraries on OpenBSD (and other systems that install libevent 1 and libevent 2 in parallel). Fixes bug 16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
    • Isolate environment variables meant for tests from the rest of the build system. Fixes bug 17818; bugfix on tor-0.2.7.3-rc.
    • Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix on tor-0.0.2pre8.
    • Remove config.log only from make distclean, not from make clean. Fixes bug 17924; bugfix on 0.2.4.1-alpha.
  • Minor bugfixes (crypto):
    • Check the return value of HMAC() and assert on failure. Fixes bug 17658; bugfix on 0.2.3.6-alpha. Patch by "teor".
  • Minor bugfixes (fallback directories):
    • Mark fallbacks as "too busy" when they return a 503 response, rather than just marking authorities. Fixes bug 17572; bugfix on 0.2.4.7-alpha. Patch by "teor".
  • Minor bugfixes (IPv6):
    • Update the limits in max_dl_per_request for IPv6 address length. Fixes bug 17573; bugfix on 0.2.1.5-alpha.
  • Minor bugfixes (linux seccomp2 sandbox):
    • Fix a crash when using offline master ed25519 keys with the Linux seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-alpha.
  • Minor bugfixes (logging):
    • In log messages that include a function name, use __FUNCTION__ instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but with clang __PRETTY_FUNCTION__ has extra information we don't need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van der Woerdt.
    • Remove needless quotes from a log message about unparseable addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.
  • Minor bugfixes (portability):
    • Remove an #endif from configure.ac so that we correctly detect the presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix on 0.2.0.13-alpha.
  • Minor bugfixes (relays):
    • Check that both the ORPort and DirPort (if present) are reachable before publishing a relay descriptor. Otherwise, relays publish a descriptor with DirPort 0 when the DirPort reachability test takes longer than the ORPort reachability test. Fixes bug 18050; bugfix on 0.1.0.1-rc. Reported by "starlight", patch by "teor".
  • Minor bugfixes (relays, hidden services):
    • Refuse connection requests to private OR addresses unless ExtendAllowPrivateAddresses is set. Previously, tor would connect, then refuse to send any cells to a private address. Fixes bugs 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor".
  • Minor bugfixes (safe logging):
    • When logging a malformed hostname received through socks4, scrub it if SafeLogging says we should. Fixes bug 17419; bugfix on 0.1.1.16-rc.
  • Minor bugfixes (statistics code):
    • Consistently check for overflow in round_*_to_next_multiple_of functions, and add unit tests with additional and maximal values. Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
    • Handle edge cases in the laplace functions: avoid division by zero, avoid taking the log of zero, and silence clang type conversion warnings using round and trunc. Add unit tests for edge cases with maximal values. Fixes part of bug 13192; bugfix on 0.2.6.2-alpha.
  • Minor bugfixes (testing):
    • The test for log_heartbeat was incorrectly failing in timezones with non-integer offsets. Instead of comparing the end of the time string against a constant, compare it to the output of format_local_iso_time when given the correct input. Fixes bug 18039; bugfix on 0.2.5.4-alpha.
    • Make unit tests pass on IPv6-only systems, and systems without localhost addresses (like some FreeBSD jails). Fixes bug 17632; bugfix on 0.2.7.3-rc. Patch by "teor".
    • Fix a memory leak in the ntor test. Fixes bug 17778; bugfix on 0.2.4.8-alpha.
    • Check the full results of SHA256 and SHA512 digests in the unit tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
  • Code simplification and refactoring:
    • Move logging of redundant policy entries in policies_parse_exit_policy_internal into its own function. Closes ticket 17608; patch from "juce".
    • Extract the more complicated parts of circuit_mark_for_close() into a new function that we run periodically before circuits are freed. This change removes more than half of the functions currently in the "blob". Closes ticket 17218.
    • Clean up a little duplicated code in crypto_expand_key_material_TAP(). Closes ticket 17587; patch from "pfrankw".
    • Decouple the list of streams waiting to be attached to circuits from the overall connection list. This change makes it possible to attach streams quickly while simplifying Tor's callgraph and avoiding O(N) scans of the entire connection list. Closes ticket 17590.
    • When a direct directory request fails immediately on launch, instead of relaunching that request from inside the code that launches it, instead mark the connection for teardown. This change simplifies Tor's callback and prevents the directory-request launching code from invoking itself recursively. Closes ticket 17589
    • Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't use them. Closes ticket 17926.
  • Documentation:
    • Add a description of the correct use of the '--keygen' command- line option. Closes ticket 17583; based on text by 's7r'.
    • Document the minimum HeartbeatPeriod value. Closes ticket 15638.
    • Explain actual minima for BandwidthRate. Closes ticket 16382.
    • Fix a minor formatting typo in the manpage. Closes ticket 17791.
    • Mention torspec URL in the manpage and point the reader to it whenever we mention a document that belongs in torspce. Fixes issue 17392.
  • Removed features:
    • Remove client-side support for connecting to Tor relays running versions of Tor before 0.2.3.6-alpha. These relays didn't support the v3 TLS handshake protocol, and are no longer allowed on the Tor network. Implements the client side of ticket 11150. Based on patches by Tom van der Woerdt.
  • Testing:
    • Add unit tests to check for common RNG failure modes, such as returning all zeroes, identical values, or incrementing values (OpenSSL's rand_predictable feature). Patch by "teor".
    • Log more information when the backtrace tests fail. Closes ticket 17892. Patch from "cypherpunks."
    • Always test both ed25519 backends, so that we can be sure that our batch-open replacement code works. Part of ticket 16794.
    • Cover dns_resolve_impl() in dns.c with unit tests. Implements a portion of ticket 16831.
    • More unit tests for compat_libevent.c, procmon.c, tortls.c, util_format.c, directory.c, and options_validate.c. Closes tickets 17075, 17082, 17084, 17003, and 17076 respectively. Patches from Ola Bini.
    • Unit tests for directory_handle_command_get. Closes ticket 17004. Patch from Reinaldo de Souza Jr.

Jan 27, 2016

A new hardened Tor Browser release is available. It can be found in the 6.0a1-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

Note: There is no incremental update from 5.5a6-hardened available due to bug 17858. The internal updater should work, though, doing a complete update.

Here is the complete changelog since 5.5a6-hardened:

  • All Platforms

    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.8.3
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
Jan 27, 2016

A new alpha Tor Browser release is available for download in the 6.0a1 distribution directory and on the alpha download page.

This release features important security updates to Firefox.

On the usability front we improved the setup wizard UI flow. We also changed the search bar URL for the DuckDuckGo search engine to its onion URL.

On the build system side, we switched the guest build VMs to Debian Wheezy for the Linux version (the previous versions were built using Ubuntu 10.04 LTS).

Here is the complete changelog since 5.5a6:

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.5
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.9
      • Bug 18113: Randomly permutate available default bridges of chosen type
      • Bug 11773: Setup wizard UI flow improvements
      • Translation updates
    • Bug 17428: Remove Flashproxy
    • Bug 18115+18102+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
  • Build System
    • Linux
      • Bug 15578: Switch to Debian Wheezy guest VMs (10.04 LTS is EOL)

Jan 27, 2016

Tor Browser 5.5, the first stable release in the 5.5 series, is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

On the privacy front we finally provide a defense against font enumeration attacks which we developed over the last weeks and months. While there is still room for improvement, it closes an important gap in our fingerprinting defenses. Additionally, we isolate Shared Workers to the first-party domain now and further improved our keyboard fingerprinting defense.

We made also progress on the usability side. First, by providing Tor Browser in another locale, Japanese. Additionally, by showing the changes in the new Tor Browser version immediately after an update and polishing our about:tor appearance. Last but not least we changed the search bar URL for the DuckDuckGo search engine to its onion URL.

Here is the full changelog since 5.0.7:

Tor Browser 5.5 -- January 27 2016

  • All Platforms
    • Update Firefox to 38.6.0esr
    • Update libevent to 2.0.22-stable
    • Update NoScript to 2.9.0.2
    • Update Torbutton to 1.9.4.3
      • Bug 16990: Show circuit display for connections using multi-party channels
      • Bug 18019: Avoid empty prompt shown after non-en-US update
      • Bug 18004: Remove Tor fundraising donation banner
      • Bug 16940: After update, load local change notes
      • Bug 17108: Polish about:tor appearance
      • Bug 17568: Clean up tor-control-port.js
      • Bug 16620: Move window.name handling into a Firefox patch
      • Bug 17351: Code cleanup
      • Translation updates
    • Update Tor Launcher to 0.2.7.8
      • Bug 18113: Randomly permutate available default bridges of chosen type
    • Bug 13313: Bundle a fixed set of fonts to defend against fingerprinting
    • Bug 10140: Add new Tor Browser locale (Japanese)
    • Bug 17428: Remove Flashproxy
    • Bug 13512: Load a static tab with change notes after an update
    • Bug 9659: Avoid loop due to optimistic data SOCKS code (fix of #3875)
    • Bug 15564: Isolate SharedWorkers by first-party domain
    • Bug 16940: After update, load local change notes
    • Bug 17759: Apply whitelist to local fonts in @font-face (fix of #13313)
    • Bug 17009: Shift and Alt keys leak physical keyboard layout (fix of #15646)
    • Bug 17790: Map the proper SHIFT characters to the digit keys (fix of #15646)
    • Bug 17369: Disable RC4 fallback
    • Bug 17442: Remove custom updater certificate pinning
    • Bug 16620: Move window.name handling into a Firefox patch
    • Bug 17220: Support math symbols in font whitelist
    • Bug 10599+17305: Include updater and build patches needed for hardened builds
    • Bug 18115+18104+18071+18091: Update/add new obfs4 bridge
    • Bug 18072: Change recommended pluggable transport type to obfs4
    • Bug 18008: Create a new MAR Signing key and bake it into Tor Browser
    • Bug 16322: Use onion address for DuckDuckGo search engine
    • Bug 17917: Changelog after update is empty if JS is disabled
  • Windows
    • Bug 17250: Add localized font names to font whitelist
    • Bug 16707: Allow more system fonts to get used on Windows
    • Bug 13819: Ship expert bundles with console enabled
    • Bug 17250: Fix broken Japanese fonts
    • Bug 17870: Add intermediate certificate for authenticode signing
  • OS X
    • Bug 17122: Rename Japanese OS X bundle
    • Bug 16707: Allow more system fonts to get used on OS X
    • Bug 17661: Whitelist font .Helvetica Neue DeskInterface
  • Linux
    • Bug 16672: Don't use font whitelisting for Linux users

Jan 26, 2016

We are especially proud to present you Tails 2.0, the first version of Tails based on:

  • GNOME Shell, with lots of changes in the desktop environment.
  • Debian 8 (Jessie), which upgrades most included software and improves many things under the hood.

This release fixes many security issues and users should upgrade as soon as possible.

New features

Tails now uses the GNOME Shell desktop environment, in its Classic mode. GNOME Shell provides a modern, simple, and actively developed desktop environment. The Classic mode keeps the traditional Applications, Places menu, and windows list. Accessibility and non-Latin input sources are also better integrated.

To find your way around, read our introduction to GNOME and the Tails desktop.

Upgrades and changes

  • Debian 8 upgrades most included software, for example:

    • Many core GNOME utilities from 3.4 to 3.14: Files, Disks, Videos, etc.
    • LibreOffice from 3.5 to 4.3
    • PiTiVi from 0.15 to 0.93
    • Git from 1.7.10 to 2.1.4
    • Poedit from 1.5.4 to 1.6.10
    • Liferea from 1.8.6 to 1.10
  • Update Tor Browser to 5.5 (based on Firefox 38.6.0 ESR):

    • Add Japanese support.
  • Remove the Windows camouflage which is currently broken in GNOME Shell. We started working on adding it back but your help is needed!

  • Change to systemd as init system and use it to:

    • Sandbox many services using Linux namespaces and make them harder to exploit.
    • Make the launching of Tor and the memory wipe on shutdown more robust.
    • Sanitize our code base by replacing many custom scripts.
  • Update most firmware packages which might improve hardware compatibility.

  • Notify the user if Tails is running from a non-free virtualization software.

  • Remove Claws Mail, replaced by Icedove, a rebranded version of Mozilla Thunderbird.

Fixed problems

  • HiDPI displays are better supported. (#8659)

  • Remove the option to open a download with an external application in Tor Browser as this is usually impossible due to the AppArmor confinement. (#9285)

  • Close Vidalia before restarting Tor.

  • Allow Videos to access the DVD drive. (#10455, #9990)

  • Allow configuring printers without administration password. (#8443)

Known issues

  • Tor Browser 5.5 introduces protection against fingerprinting but due to an oversight it is not enabled in Tails 2.0. However, this is not so bad for Tails users since each Tails system has the same fonts installed, and hence will look identical, so this only means that it's easy to distinguish whether a user of Tor Browser 5.5 uses Tails or not. That is already easy given that Tails has the AdBlock Plus extension enabled, unlike the normal Tor Browser.

See the current list of known issues.

Installing

We also redesigned completely our download and installation instructions to make it easier to get started with Tails.

For example, you can now verify the ISO image automatically from Firefox using a special add-on.

You can also install or upgrade Tails directly from Debian or Ubuntu using the tails-installer package.

Try our new installation assistant.

Upgrading

Tails changed so much since version 1.8.2 that it is impossible to provide an automatic upgrade. We recommend you follow our new manual upgrade instructions instead.

What's coming up?

The next Tails release is scheduled for March 6.

Have a look at our roadmap to see where we are heading to.

We need your help and there are many ways to contribute to Tails (donating is only one of them). Come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Jan 21, 2016



When we launched this first crowd funding campaign, we weren’t sure what would happen. We knew we wanted to diversify our funding sources; crowd funding gives us flexibility to do what we think is most important, when we want to do it. It allows us to fund the development of powerful new privacy tools. Or make the ones we have stronger and more resilient. Or pay for things we need like a funded help desk or an Arabic version of our web site.

But we didn’t know if people who like Tor would actually invest in our independence.

Now we do.

Together, our community has contributed $205,874 from 5,265 people to support Tor in this first crowdfunding campaign. We are so excited.

What we’ve seen, we think, is our community in action—our whole community finding ways to support us—by making a donation, or by sending us a bug bounty as GitHub hackers did. By making a matching donation, or just pinging their friends to help out.

Following our theme "This Is What a Tor Supporter Looks Like," you sent in photos of yourselves in Tor t-shirts doing back bends or teaching your daughters how to use Tor browser, or covering your face to preserve your anonymity but trumpet your support for Tor.

You sent fundraising notes to giant email lists. You tweeted screenshots of your donations. You bragged about your Tor relays (thank you) to inspire others. Some of you pointed out that Tor has saved your life.

The international Tor community rose up to support Tor’s independence in every way it could think of. And independence is power. Power to defend the rights of human rights activists. Power to defend the privacy of all of us.

Even though we’re a privacy organization, we found out what a Tor supporter looks like. It's someone who takes action to support their right to privacy.

Thank you.

Our deepest thanks to Tor’s wonderful champions, who put on the T-shirt first and took the plunge to support Tor in our first-ever campaign:

Laura Poitras

Roger Dingledine

Amanda Palmer and baby Anthony

Nick Merrill

Andy Bichlbaum

Molly Crabapple

Rabbi Rob and Lauren Thomas

Shari Steele

Cory Doctorow

Ben Wizner

Daniel Ellsberg and Patricia Marx Ellsberg

Alison Macrina

Edward Snowden

Giordano Nanni

Susan Landau

Ethan Zuckerman

Jacob Appelbaum

By Kate Krauss, for Tor's fundraising team:

Isabela Bagueros, Juris Vetra, Leiah Jansen, Mike Perry, Shari Steele, Sue Gardner, Katherine Bergeron, Nima Fatemi, Sebastian Hahn, Roger Dingledine, Nick Mathewson, Ben Moskowitz, Jacob Appelbaum, Katina Bishop, Colin Childs, and Kate Krauss.

Jan 14, 2016

After completing the standard audit, our 2014 state and federal tax filings are available. We publish all of our related tax documents because we believe in transparency.

Tor's annual revenue in 2014 held steady at about $2.5 million. Tor's budget is modest considering the number of people involved and the impact we have. And it is dwarfed by the budgets that our adversaries are spending to make the world a more dangerous and less free place.

To achieve our goals, which include scaling our user base, we fund about 20 contractors and staff members (some part time, some full time) and rely on thousands of volunteers to do everything from systems administration to outreach. Our relay operators are also volunteers, and in 2014 we grew their number to almost 7,000 — helped along by the Electronic Frontier Foundation's wonderful Tor Challenge, which netted 1,635 relays. Our user base is up to several million people each day.

Transparency doesn't just mean that we show you our source code (though of course we do). The second layer to transparency is publishing specifications to explain what we thought we implemented in the source code. And the layer above that is publishing design documents and research papers to explain why we chose to build it that way, including analyzing the security implications and the tradeoffs of alternate designs. The reason for all these layers is to help people evaluate every level of our system: whether we chose the right design, whether we turned that design into a concrete plan that will keep people safe, and whether we correctly implemented this plan. Tor gets a huge amount of analysis and attention from professors and university research groups down to individual programmers around the world, and this consistent peer review is one of our core strengths over the past decade.

As we look toward the future, we are grateful for our institutional funding, but we want to expand and diversify our funding too. The recent donations campaign is a great example of our vision for future fundraising. We are excited about the future, and we invite you to join us: donate, volunteer, and run a Tor relay.