Support all your favorite nonprofits with a single donation.

Donate safely, anonymously & monthly, in any amount. It's a smarter way to give online. Learn more
The Tor Project
Dedham, MA
givvers: jason, emerssso + 4 others

Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

The Tor Project is a 501(c)3 organization.

Latest News

Mar 20, 2017

SEATTLE, WA, USA – Monday, March 20th, 2017 – The Tor Project announces the release of The State of Internet Censorship in Thailand, a report from a joint research study by Open Observatory of Network Interference (OONI), Sinar Project, and the Thai Netizen Network. The study aims to increase transparency of Internet controls in Thailand and to collect data that can potentially corroborate rumors and reports of Internet censorship events. The key finding of this report reveal that Internet Service Providers (ISPs) in Thailand appear to be blocking websites at their own discretion.

"We hope the findings of this report will enhance public debate around the necessity and proportionality of information controls," said Maria Xynou, Research and Partnerships Coordinator for OONI. Adding further that "A dozen websites, including The New York Post (nypost.com), were blocked in some networks, while accessible in others, indicates that Thai ISPs are likely blocking content at their own discretion."

Multiple censorship events in Thailand have been reported over the last decade. More than 10,000 URLs were reportedly blocked by the Government in 2010. Following Thailand’s most recent coup d’etat, Citizen Lab reported that 56 websites were blocked between May and June of 2014. One importance of undertaking this study, which collects and analyzes network measurements, is to examine whether Internet censorship events are persisting in the country.

Anyone can contribute to the research efforts by OONI by installing and running ooniprobe, thus increasing the transparency of Internet censorship in Southeast Asia and beyond.

About Open Observatory of Network Interference

The Open Observatory of Network Interference (OONI) is a free software project under The Tor Project that aims to empower decentralized efforts in increasing transparency of Internet censorship around the world. Since 2012, OONI has collected millions of network measurements from more than 190 countries, shedding light on multiple instances of network interference.

About Sinar Project

Sinar Project is an initiative using open technology and applications to systematically make important information public and more accessible to the Malaysian people. It aims to improve governance and encourage greater citizen involvement in the public affairs of the nation by making the Malaysian Government more open, transparent and accountable. We build open source civic tech applications, work to open government with open data and defend digital rights for citizens to apply their democratic rights.

About Thai Netizen Network

Thai Netizen Network (TNN), founded in 2008, is a leading nonprofit organization in Thailand that advocates for digital rights and civil liberties. The group was officially registered as มูลนิธิเพื่ออินเทอร์เน็ตและวัฒนธรรมพลเมือง (Foundation for Internet and Civic Culture) in May 2014.

About Tor Project, Inc

The Tor Project develops and distributes free software and has built an open and free network that helps people defend against online surveillance that threatens personal freedom and privacy. Tor is used by human rights defenders, diplomats, government officials, and millions of ordinary people who value freedom from surveillance.

The Tor Project's Mission Statement: "To advance human rights and freedoms by creating and deploying free and open anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding."

Media Contacts

Joshua Gay
Communications Director
Tor Project
[email protected]

Maria Xynou (OONI)
[email protected]

Arturo Filasto (OONI)
[email protected]

Mar 08, 2017

A new hardened Tor Browser release is available. It can be found in the 7.0a2-hardened distribution directory and on the download page for hardened builds.

This release features important security updates to Firefox.

This hardened alpha release mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.3.0.4-rc, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In the previous release we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change however breaks the Session Manager addon. Users who think having extensions like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.

Another known regression is the resizing of the window. We are currently working on a fix for this issue.

The full changelog since Tor Browser 7.0a1-hardened is:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to 0.3.0.4-rc
    • OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.7.1
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Bug 21324: Don't update NoScript button with timer update
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
  • Build system
    • Bug 17034: Use our built binutils and GCC for building tor
    • Code clean-up

Mar 08, 2017

Tor Browser 7.0a2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This alpha release mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.3.0.4-rc, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In the previous release we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change however breaks the Session Manager addon. Users who think having extensions like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.

Another known regression is the resizing of the window. We are currently working on a fix for this issue.

The full changelog since Tor Browser 7.0a1 is:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to 0.3.0.4-rc
    • OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.7.1
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Bug 21324: Don't update NoScript button with timer update
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
    • Bug 21348: Make snowflake only available on Linux for now
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script
  • Build system
    • OS X
      • Bug 21343: Remove unused FTE related parts for macOS
    • Linux
      • Bug 17034: Use our built binutils and GCC for building tor
      • Clean-up

Mar 07, 2017

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change however breaks the Session Manager addon. Users who think having extensions like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting.

An other regression introduced in Tor Browser 6.5 is the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to 0.2.9.10
    • OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script

Mar 06, 2017

Atlas is a web application to learn about currently running Tor relays and bridges. You can search by fingerprint, nickname, country, flags and contact information and be returned information about its advertised bandwidth, uptime, exit policies and more.

I'm taking this opportunity to introduce myself. I'm Iain R. Learmonth, or just irl on IRC. I began contributing to Atlas in June last year, and I'm currently serving as the maintainer for Atlas. We have made some usability improvements to Atlas recently that we are happy to share with you today.

Thanks to the work of Raphael and anonymous contributors for their help in producing patches. We will continue to work through the open tickets, and if you have a feature you would like to see or spot something not working quite correctly, please do feel free to open a ticket for that. If you would like to contribute to fixing some of our existing tickets, we have a new guide for contributing to Atlas.

Improved Error Handling

  • Added a new message to warn users when the Onionoo backend is unavailable [#18081]
  • Added a new message for the case where Onionoo is serving outdated data [#20374]
  • No longer attempts to display AS or geolocation information when it's not available [#18989]

UX Improvements

  • Added tooltips to give descriptions of the meaning for flags [#9913]
  • Made it easy to distinguish between "alleged" and "effective" family [#20382]
  • Removed the graphs for which the data backend will never have any data [#19553]
  • Graphs that have no data, but which may have data in the future, now give a "No Data Available" message [#21430]
  • Relay and bridge fingerprints will now wrap when on smaller screens [#12685]
  • Tooltips are repositioned to avoid them being clipped off on smaller displays [#21398]

Standards Compliance

  • Now HTML 5 compliant according to the W3C Validator (including generated HTML) [#21274]

Mar 06, 2017

We are pleased to announce another public beta release of Tor Messenger. This release features important improvements to the stability and security of Tor Messenger. All users are encouraged to upgrade.

Tor Messenger 0.3.0b2 users will be automatically prompted to install the update (similar to Tor Browser). On installing and restarting, the update will be applied; your account settings and OTR keys will be preserved.

Downloads

Please note that Tor Messenger is still in beta. The purpose of this release is to help test the application and provide feedback. At-risk users should not depend on it for their privacy and safety.

Linux (32-bit)

Linux (64-bit)

Windows

macOS

sha256sums-signed-build.txt
sha256sums-signed-build.txt.asc

The sha256sums-signed-build.txt file containing hashes of the bundles is signed with the key 0xB01C8B006DA77FAA (fingerprint: E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA). Please verify the fingerprint from the signing keys page on Tor Project's website.

Changelog

Tor Messenger 0.4.0b1 -- March 06, 2017

  • All Platforms
    • Use the tor-browser-45.7.0esr-6.5-1-build1 tag on tor-browser
    • Use the THUNDERBIRD_45_7_0_RELEASE tag on comm-esr45
    • Update tor-browser to 6.5
    • Update tor-launcher to 0.2.10.3
  • Windows
    • Fix automatic generation of complete MAR files
    • Trac 21231: Enable intl-api

Mar 03, 2017

Hi! We've just tagged and uploaded new versions for the older 0.2.4 through 0.2.8 release series, to backport important patches and extend the useful life of these versions.

If you have the option, we'd recommend that you run the latest stable release instead of these. They are mainly of interest to distribution maintainers who for whatever reason want to track older release series of Tor.

You can, as usual, find the source at https://dist.torproject.org/. For a list of the backported changes in each release, see one of the nice handcrafted links below:

Please note that these releases are larger than we expect most future old-stable releases to be, because until recently we didn't have an actual policy of which releases should receive backports and support. You can learn more about our plans for "regular" and "long-term support" releases of Tor on the wiki.

Mar 01, 2017

Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the 0.3.0 release series, and introduces a few reliability features to keep them from coming back.

This is the first release candidate in the Tor 0.3.0 series. If we find no new bugs or regressions here, the first stable 0.3.0 release will be nearly identical to it.

You can download the source code from the usual place on the website, but most users should wait for packages to become available over the upcoming weeks.

Please note: This is a release candidate, but not a stable release. Please expect more bugs than usual. If you want a stable experience, please stick to the stable releases.

Changes in version 0.3.0.4-rc - 2017-03-01

  • Major bugfixes (bridges):
    • When the same bridge is configured multiple times with the same identity, but at different address:port combinations, treat those bridge instances as separate guards. This fix restores the ability of clients to configure the same bridge with multiple pluggable transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha.
  • Major bugfixes (hidden service directory v3):
    • Stop crashing on a failed v3 hidden service descriptor lookup failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha.

 

  • Major bugfixes (parsing):
    • When parsing a malformed content-length field from an HTTP message, do not read off the end of the buffer. This bug was a potential remote denial-of-service attack against Tor clients and relays. A workaround was released in October 2016, to prevent this bug from crashing Tor. This is a fix for the underlying issue, which should no longer matter (if you applied the earlier patch). Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing using AFL (http://lcamtuf.coredump.cx/afl/).
    • Fix an integer underflow bug when comparing malformed Tor versions. This bug could crash Tor when built with --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with -ftrapv by default. In other cases it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix on 0.0.8pre1. Found by OSS-Fuzz.
  • Minor feature (protocol versioning):
    • Add new protocol version for proposal 224. HSIntro now advertises version "3-4" and HSDir version "1-2". Fixes ticket 20656.
  • Minor features (directory authorities):
    • Directory authorities now reject descriptors that claim to be malformed versions of Tor. Helps prevent exploitation of bug 21278.
    • Reject version numbers with components that exceed INT32_MAX. Otherwise 32-bit and 64-bit platforms would behave inconsistently. Fixes bug 21450; bugfix on 0.0.8pre1.
  • Minor features (geoip):
    • Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 Country database.
  • Minor features (reliability, crash):
    • Try better to detect problems in buffers where they might grow (or think they have grown) over 2 GB in size. Diagnostic for bug 21369.
  • Minor features (testing):
    • During 'make test-network-all', if tor logs any warnings, ask chutney to output them. Requires a recent version of chutney with the 21572 patch. Implements 21570.
  • Minor bugfixes (certificate expiration time):
    • Avoid using link certificates that don't become valid till some time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha
  • Minor bugfixes (code correctness):
    • Repair a couple of (unreachable or harmless) cases of the risky comparison-by-subtraction pattern that caused bug 21278.
    • Remove a redundant check for the UseEntryGuards option from the options_transition_affects_guards() function. Fixes bug 21492; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (directory mirrors):
    • Allow relays to use directory mirrors without a DirPort: these relays need to be contacted over their ORPorts using a begindir connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
    • Clarify the message logged when a remote relay is unexpectedly missing an ORPort or DirPort: users were confusing this with a local port. Fixes another case of bug 20711; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (guards):
    • Don't warn about a missing guard state on timeout-measurement circuits: they aren't supposed to be using guards. Fixes an instance of bug 21007; bugfix on 0.3.0.1-alpha.
    • Silence a BUG() warning when attempting to use a guard whose descriptor we don't know, and make this scenario less likely to happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (hidden service):
    • Pass correct buffer length when encoding legacy ESTABLISH_INTRO cells. Previously, we were using sizeof() on a pointer, instead of the real destination buffer. Fortunately, that value was only used to double-check that there was enough room--which was already enforced elsewhere. Fixes bug 21553; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (testing):
    • Fix Raspbian build issues related to missing socket errno in test_util.c. Fixes bug 21116; bugfix on tor-0.2.8.2. Patch by "hein".
    • Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't actually fuzz anything. Fixes bug 21447; bugfix on 0.3.0.3-alpha.
    • Use bash in src/test/test-network.sh. This ensures we reliably call chutney's newer tools/test-network.sh when available. Fixes bug 21562; bugfix on 0.2.9.1-alpha.
  • Documentation:
    • Small fixes to the fuzzing documentation. Closes ticket 21472.