Tor 0.2.6.8 is released
Hi, I've just put out a new stable Tor release. It is not a high-urgency item for most clients and relays, but directory authorities should upgrade. Right now, the source is available on the website, and packages should become available once their maintainers build them.
Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and fixes an authority-side bug in assigning the HSDir flag. All directory authorities should upgrade.
Changes in version 0.2.6.8 - 2015-05-21
- Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
  - Revert commit that made directory authorities assign the HSDir flag to relays without a DirPort; this was bad because such relays can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix on tor-0.2.6.3-alpha.
- Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
  - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on a client authorized hidden service. Fixes bug 15823; bugfix on 0.2.1.6-alpha.
- Minor features (geoip):
  - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
  - Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database.
Comments
Please note that the comment area below has been archived.
A new big bug has been found
A new big bug has been found in SSL.
There’s a new problem with SSL called “Logjam”, here’s what you need to know
http://thenextweb.com/insider/2015/05/20/theres-a-new-problem-with-ssl-…
Test for 'The Logjam Attack'
https://weakdh.org/
I tried all ciphers with the current final and alpha Torbrowsers on https://weakdh.org/
Here are the results:
Good News! Your browser is safe against the Logjam attack.
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.dhe_rsa_camellia_256_sha
security.ssl3.dhe_dss_aes_256_sha
security.ssl3.dhe_rsa_des_ede3_sha
security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.rsa_aes_256_sha
security.ssl3.rsa_camellia_256_sha
security.ssl3.rsa_des_ede3_sha
security.ssl3.dhe_dss_aes_128_sha
security.ssl3.dhe_dss_camellia_128_sha
security.ssl3.dhe_dss_camellia_256_sha
security.ssl3.dhe_rsa_camellia_128_sha
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.rsa_aes_128_sha
security.ssl3.rsa_camellia_128_sha
security.ssl3.rsa_fips_des_ede3_sha
security.ssl3.rsa_seed_sha
Warning! Your web browser is vulnerable to Logjam
and can be tricked into using weak encryption. You should update your browser.
security.ssl3.dhe_rsa_aes_256_sha
security.ssl3.dhe_rsa_aes_128_sha
RC4 ciphers I always disable since Jacob Appelbaum told us:
"RC4 is broken in real time by the #NSA - stop using it."
Now I wonder if Tor is affected by this bug. But still, if memory serves Tor uses Elliptic Curve Diffie-Hellman.
How do you disable RC4
How do you disable RC4 ciphers? In Linux what is necessary to make sure we are safe??
Thanks
I disabled RC4 in
I disabled RC4 in Firefox/Torbrowser. Type about:config, then RC4, switch them all to FALSE. That is all.
I am quite sure that Torbrowser looks about the same under Linux and Windows.
"I disabled RC4 in
"I disabled RC4 in Firefox/Torbrowser. Type about:config, then RC4, switch them all to FALSE. That is all."
Why then are all of mine on Tor set to True?
Why can't I see the
Why can't I see the established Tor circuit in my Tor Browser?
You should learn to post
You should learn to post in English; next time you might not even get an answer...
In principle this would be a temporary bug; if you request a new identity you should be able to see the circuit again.
Another possibility is that the security slider is set too high, and that interferes with the circuit.
If this continues, open a ticket in English with the problem and the description (the OS you use, example pages, etc.)
Thank you! I wrote in
Thank you! I wrote in Portuguese because I don't know how to write correctly in English!
It really was just a temporary bug; I restarted the browser and everything went back to normal.
fantastic--excited to use
fantastic--excited to use this new release!
1/10 off-topic: PLEASE, test
1/10 off-topic:
PLEASE, test your site (https://*.torproject.org) with
https://www.ssllabs.com/ssltest/
https://weakdh.org.
You and all others should urge mozilla to use full djb-Crypto
http://safecurves.cr.yp.to/rigid.html
There is really no need to use old weak exploitable crypto! The NSA is not your friend....
I am looking for Tor
I am looking for Tor developers comment on how Logjam affects TOR NETWORK. It is clear that Tor Browser can be easily fixed, but what about connections between TOR NODES and HIDDEN SERVICES?
As near as I can tell, it
As near as I can tell, it should not affect current Tor software very much,
for a few reasons:
later, prefer 256-bit elliptic-curve Diffie Hellman for their TLS
connections, not the 1024-bit Diffie Hellman over Z_p as discussed in
this paper.
using the Curve25519-based "ntor" protocol, not the old "TAP" protocol
which used 1024-bit DH.
of forward secrecy in the circuit handshakes, so that if either one is
secure, Tor traffic should not be decryptable.
Recommendations:
(0.2.6 stable would be best), please do so soon. Anything older than
0.2.4 is NOT supported.
to 1.0.0 or later.
become available.
Information like this is the
Information like this is the reason my first website visited is always https://decvnxytmk.oedi.net.
still waiting for the
still waiting for the debian/ubuntu packages :)
It's been more than 20 days
It's been more than 20 days now. I think someone forgot they were a maintainer... Anyone tried poking them to see if we can see this release? I could just build from source but then *I* become accountable for keeping things up-to-date.
hmm, why is it taking so
hmm, why is it taking so long?
finally released, w00t!
finally released, w00t! thanks!
An article about colluding
An article about colluding Autonomous Systems, safer circuit-building, timing attack countermeasures, and better load balancing:
http://arxiv.org/pdf/1505.05173.pdf
The researchers also looked at whether decreasing the number of guards makes users safer (it doesn't always).
SSL Report:
SSL Report: torproject.org
https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org
Important: There is a
Important: There is a security vulnerability with this website's encryption.
Go to Qualys SSL Labs and click on Test your site and type in decvnxytmk.oedi.net. And then you will find out the vulnerability with this website's encryption.
This problem needs to be fixed as soon as possible. Otherwise somebody could hack into this website. Nobody wants that to happen.
If the Tor project keeps their website secure, then Tor itself will also be secure.
I'm sure that Tor project
I'm sure that Tor project will fix this vulnerability with their website's encryption.
I hope so, as everyone who uses Tor should.
TorBrowser ignores
TorBrowser ignores "StrictNodes" completely when accessing hidden services! This is a huge security risk!
Please add option to force 3 nodes to be from different country because China -> China -> China is BAD!
Just because a node is in a
Just because a node is in a different country doesn't mean that a government can't monitor it.
Anything being done about
Anything being done about this? This is the message I get.
The Logjam Attack
https://weakdh.org/
Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser.
I came here to find out
I came here to find out about that also.
Firefox released an add-on but I don't know how that interacts with Torbrowser
https://addons.mozilla.org/en-US/firefox/addon/disable-dhe/reviews/7121…
The check on weakdh.org
The check on weakdh.org fails if you have javascript disabled.
On May 23rd
On May 23rd https://www.ssllabs.com reported grade B for torproject.org. Now it reports grade A+ (May 26th).
https://www.ssllabs.com/ssltest/analyze.html?d=decvnxytmk.oedi.net
Many thanks to the admin.
I was looking through other
I was looking through other tweaks that apply to Firefox to see how it's set in Tor. I came across webgl which they say is a major security risk. Tor has it set to False by default when it should be set to True. And if Jacob Appelbaum said to stop using RC4, why is Tor's default set to True?
How to use command line
How to use command line parameters on Windows?
"tor.exe -h" doesn't show anything but runs hidden process.
Is this doc outdated?
https://decvnxytmk.oedi.net/docs/tor-manual.html.en
Where can I read about running tor with custom params?
>TorBrowser ignores
>TorBrowser ignores "StrictNodes" completely when accessing hidden services! This is a huge security risk!
>Please add option to force 3 nodes to be from different country because China -> China -> China is BAD!
StrictNodes isn't for internal circuits it's for exiting circuits. So it doesn't apply to accessing hidden services. I made the same mistake.
If you want to force building paths which avoid problem countries you can look into the NodeFamily option for your torrc file. If you put a country code in brackets like {cc1}, {cc2} you'll avoid using circuits with more than one.
For example: NodeFamily {cn}, {kp} would use no more than one node in China and North Korea. Note that you need at least two {cc} to form a family.
Careful! StrictNodes is only
Careful! StrictNodes is only for ExcludeNodes. It isn't for ExitNodes. I assume whoever made the earlier comment is confused and is using it wrong (and without any actual details, it's hard to tell either way). It looks like you're confused and are using it wrong too -- "StrictNodes isn't for internal circuits it's for exiting circuits" is not true.
That said, your use of NodeFamily looks reasonable. I hadn't thought of doing it that way. Go you. :)
A question for Tor
A question for Tor developers: Why is StartPage not the default search engine in Tor browser 4.0.5 as it used to be?
"On May 23rd, 2015 Anonymous
"On May 23rd, 2015 Anonymous said:
still waiting for the debian/ubuntu packages :)"
me too, still can't find them on deb.torproject.org :/
Hello. Please tell me how to
Hello. Please tell me how to disable HTML canvas extraction pop-up notification. I find it very annoying. Also, please tell me how to open a new tab. This new release only allows for new windows!
Thanks,
Vice