New Tor 0.2.4.17-rc packages

by erinn | September 6, 2013

There's a new Tor 0.2.4.17-rc to hopefully help mitigate some of the problems with the botnet issues Tor is experiencing. All packages, including the beta Tor Browser Bundles, have been updated. Relay operators are strongly encouraged to upgrade to the latest versions, since it mostly has server-side improvements in it, but users will hopefully benefit from upgrading too. Please try it out and let us know.

https://www.torproject.org/projects/torbrowser.html.en#downloads

Tor Browser Bundle (2.4.17-beta-1)

  • Update Tor to 0.2.4.17-rc
  • Update NoScript to 2.6.7.1
  • Update HTTPS Everywhere to 4.0development.11

Comments

Please note that the comment area below has been archived.

September 06, 2013

Permalink

The download page you linked doesn't seem to contain 2.4.17-beta-1. I can only see the latest stable version.

September 06, 2013

Permalink

Question.

Why isn't a package in the repo yet? I'm stuck with Tor v0.2.3.25 (git-3fed5eb096d2d187)

September 06, 2013

Permalink

I updated to the latest 0.2.4.17 build, in the message log I have quite a few warnings like this:
[Warning] Your Guard xxxx is failing an extremely large amount of circuits. This could indicate a route manipulation attack, extreme network overload, or a bug. Success counts are 35/151. Use counts are 11/11. 80 circuits completed, 0 were unusable, 45 collapsed, and 5 timed out. For reference, your timeout cutoff is 60 seconds.

September 06, 2013

In reply to arma

Permalink

Yes, I run several hidden services and I have been seeing those messages since last Saturday. That, and ssl handshake failures.

I have seen broken SSL handshakes for alongtime all so,infact after running tor, I have had SSL problems on site, even when not using it, figure that out

September 19, 2013

In reply to arma

Permalink

Yes, I run several hidden services and I have been seeing those messages since last Saturday. That, and ssl handshake failures.

September 06, 2013

Permalink

Please downgrade Https Everywhere to stable vers !!! this version is going in conflict with NoScript due to continue flood request to clients1.google.com!!!! check it out the requests in vidalia!!

September 10, 2013

In reply to erinn

Permalink

i tried on win7 and unix, both 64bit... this https everywhere version seems going in conflict with noscript... remove one of two solve the problem... downgrade https everywhere to the stable solve the problem too

https everywhere has been broken for alongtime, I think I noticed it acting funny right before that kid in the UK got arrested for looking at facebook. My guess would also be that this is actually what gave up freedom hosting. I also want to point out that companies not working with the FEDs get put put of business, like LAVA bit

I suspect you're seeing shadows in imagining that the https-everywhere bug had anything to do with the freedom hosting guy. But hey, who knows.

As for 'companies that don't work with the feds get put out of business', see the quote from my mail to the journalist at the bottom of
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-p…

Last week I had lunch with an old employee of PGP (back before they sold out), who pointed out that the feds never asked PGP to put a backdoor in, "because they knew it wouldn't work and it would just raise a PR stink".

September 07, 2013

Permalink

Hi!

tor 0.2.4.17 reached your .deb-based repository, but the .rpm-repo (even testing) is still serving tor 0.2.4.16 - I'm too lazy to build my own packages., could you update your packages?

Thanks

September 07, 2013

Permalink

"Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily."
https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html

"As it turns out, the newer elliptical keys may turn out to be relatively easier to crack than people thought, meaning that older software may in fact be more secure. But since 1024 bit RSA/DH has been the most popular SSL encryption for the past decade, I'd assume that it's that, rather than curves, [it's 1024 RSA/DH] that the NSA is best at cracking."
http://arstechnica.com/security/2013/09/majority-of-tor-crypto-keys-cou…

It's good to see someone mentioned it. Probably the current cryptography implementation Tor uses isn't strong enough to keep the NSA away from our businesses. Hopefully the team considers this issue.

I think we're doing pretty well with the new curve25519 stuff -- better than the 1024 bit RSA and DH, and better than the NIST-specified curves we use for our TLS (link) encryption. See the threads on tor-talk for details -- I shouldn't try to teach you about crypto, even Tor's use of crypto, in a blog comment. :)

September 07, 2013

Permalink

The same problem: at times, perhaps after some inactivity delay, there appear some non-stop connection requests to clients1.google.com:443.
Why??? I have no business connecting to Google.

Look for yourself - monitor the circuits/connections in the Vidalia's Network Map... If the requests are seen, they stop only after Tor Browser is closed.

Thanks.

This happens due https everywhere (beta version) fault.. Downdgrade https everywhere to the lateat STABLE version and this clients1.google connections magically disappears

September 08, 2013

Permalink

I'm going to update, but after reading all these, I'm not sure if that is the right thing to do..It appears I have no choice but to follow Tor's advice to update, the alternative is scary. I would like to mention that Tor is really working hard and fast on keeping the network secure. Thank You Tor Development Team !

September 08, 2013

Permalink

with the dev version of https everywhere in the latest tor build I get (like the poster above) constant connections to clients1.google.com, after downgrading https everywhere to the stable version these connections don't show up.

September 08, 2013

Permalink

Here is a simple diff for Tor Browser Bundle 2.4.17-beta-1:

  1. <br />
  2. $ diff -u Data/Tor/torrc.orig Data/Tor/torrc<br />
  3. --- Data/Tor/torrc.orig 2013-09-05 15:14:47.000000000 +0200<br />
  4. +++ Data/Tor/torrc 2013-09-08 14:38:32.747460844 +0200<br />
  5. @@ -2,6 +2,7 @@<br />
  6. AvoidDiskWrites 1<br />
  7. # Store working data, state, keys, and caches here.<br />
  8. DataDirectory ./Data/Tor<br />
  9. +GeoIPFile ./Data/Tor/geoip<br />
  10. GeoIPv6File ./Data/Tor/geoip6<br />
  11. # Where to send logging messages. Format is minSeverity[-maxSeverity]<br />
  12. # (stderr|stdout|syslog|file FILENAME).<br />

I can confirm that the browsing is unusually slow, a lot slower than on TBB 2.3.25-12. Connections break occasionally. All on Linux 32bit versions.
I see the connections to clients1.google.com:443 as well.

September 08, 2013

Permalink

Why is the source tarball of the 2.4.17-beta-1-dev TBB not posted?

What is the Git URL to get this source myself?

September 08, 2013

Permalink

Warining: Dont use TOR !

The Tor Project has recently released its 2012 Financial Report; the good news is that when it comes to “openness and transparency”, they are second to none. The bad news, however, is really bad: they proudly embrace their “partnership” with the U.S. Government, and falsely assert that in 2012 fully 60% of their funding came from such reactionary and highly secretive organizations as the U.S. Department of Defense, the U.S. State Department and god knows who else! In fact, over 80% of Tor’s funding comes from the US Government. They are trying to make it look like their reliance on the US Government for the vast majority of their funding is on the decline when it’s not; they are just pretending to be funded by NGOs when in fact some of the NGOs are just cut-outs for the Pentagon.

https://fowlchicago.wordpress.com/2013/04/25/tor-project-2012-financial…

Wait, what? Falsely assert?

We published the financial audit summary. Go read it and add the numbers up for yourself. That's the point of giving it to you.

If you're unhappy that some journalist added them up wrong... that's not us.

[Edit: oh, I actually looked at the article. I thought you were quoting http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-p…
But instead you're pointing to this poorly researched garbage. I'm a big fan of openness and discussing things, but you have to start from some correct facts. Those folks don't seem to care about that.]

September 08, 2013

In reply to arma

Permalink

you think receiving ONLY 60% from the government makes you more "legit", cute...

It is what it is. That's why we tell you about it. We show you all the code and designs and so on that we produce with our funding. Then you can decide what you think of it all.

I'd love to have more funding from other sources -- if you know any that want to fund better anonymity (or circumvention, or privacy, or whatever security property they want to call it) systems, please introduce us.

I guess you're referring to the fact that nearly all the blog comments are spam from SEOers, so we don't let them show up unless they're related to Tor in some way?

You really are good at jumping to incorrect conclusions here aren't you. :(

September 08, 2013

In reply to arma

Permalink

ok ;)
Torproject!
If you lie and do work for the NSA/CIA/FBI then God will punish you will burn in hell for what eventually destroy freedom in the world.

Yeah. No kidding. We're sure running out of role models in this world. I wish we had more.

We wrote these two answers:
https://www.torproject.org/docs/faq#Backdoor
https://blog.torproject.org/blog/calea-2-and-tor
and I stand by them. If we have to shut down US operations of Tor and let other people pick up the reigns in some safer country, we will. But we're nowhere near that point now -- nobody has even tried to make us do it yet.

But that doesn't mean Tor is perfect -- we need a lot of help in a lot of areas to make it better, and to teach people what it does and doesn't do for them. I have plans to try to explain these issues more clearly to people, but I keep getting distracted by handling press messes, or this latest botnet thing, or fundraising to keep other developers able to focus.

We're big compared to what we used to be, but we're still tiny compared to the system we're up against. Please help grow the community of people working for freedom, including helping to make it more robust against folks who try to tear it down by dividing us.

September 09, 2013

In reply to arma

Permalink

Arma, I admire your patience in replying to... people like that. Keep up the spirit, the Tor team is doing a great job.

Thanks. I'm fine with replying to actual facts -- and this fellow was absolutely right, give or take the phrasing.

It's when they belligerently stick to conspiracy theories that it's tough to keep up. I mean, if everything we do is really a conspiracy, and the more open we are the deeper the conspiracy must be ... why come to us to complain about it? :)

US GOVT does not have back doors in TOR.

It doesn't need them when it can already decrypt what it needs to. At this point, it is in their interests to PROMOTE the use of TOR, not shut it down, or threaten it. This will give its adversaries the false sense of security that TOR is actually secure against them. That way, TORs growth will continue and the honey pot will get sweeter.

Seriously, do you really think the Govt will fund an organization whos basic function is to anonymize and encrypt data - the very thing the Govt, as proven by PRISM etc, is trying to avoid ?

If you saw your local police funding a company which issues unregistered guns to anonymous people, would you not find that a little STRANGE ?

Off course TOR will take the money. They are desperate for resources, and they believe it helps legitimize TOR. How can TOR be so bad when even the US GOVT is funding us to this degree ... right ?

.. wrong.

> If you saw your local police funding a company which issues unregistered guns to anonymous people

I know this isn't going to change your mind, but did you know the foreign ministries of most countries actually do that? Just for people in other countries, of course.

Governments are big and complex. You can find a person in the US government who wants just about anything. After all, *they* use and rely on Tor too.

As for legitimizing Tor, basically every possible funder out there would make some folks more comfortable and some folks less comfortable. We pick the ones who want us to do what we already wanted to do. And we turn down the ones who want us to do something we don't want to do.

That said, I totally agree that being this reliant on US govt funding is bad news from a sustainability perspective. I wish we could find some other funders who care about this freedom thing.

September 11, 2013

In reply to arma

Permalink

>I wish we could find some other funders who care about this freedom thing.
Move to Russia to SNOWden. Kremlin will you finance it.

Umm so what? That alone does not mean much. The US Government is not a monolith. The best analogy would be a multi-headed hydra. Not all elements of US Government even have the same agenda.

There are elements of government that are making good use of TOR themselves. The NSA probably isn't too fond of it but I would think the CIA is. It would obviously be VERY useful to them in the field - as long as it is actually secure.

The other things, consider how many moles the CIA and armed forces have out there. They want to keep those moles safe(so they keep getting the info).

I don't think the fact that TORproject receives funding is itself ominous. You are reaching hard.

I do not mean to say that diligence is not good. Never FULLY trust anyone. Always keep your eyes open. But so far TORproject has given us every reason to trust them, and no reason not to.

Software development costs money. As much as the people involved likely believe in what they do, these are also real people with real bills that need paid. It takes lots of time for coding and testing every release.

Since they are trying to stay ahead of the game, they need to do this constantly. This is not the sort of project that is handled slowly over time in a bored kid's basement. They need personnel on task constantly, and money is required. Someone offers money... they accept.

The alternative is that they are massively underfunded - this WILL hurt the quality of the program and thus the safety of TOR users. If you are so concerned about their funding sources, go start up a fundraiser along with your own donations so they don't have to rely on whatever funding they can get their hands on.

September 08, 2013

Permalink

Keeps failing during "requesting relay information".

Ive used previous versions of Tor no problem, just upgraded and i can't get it to work.

Also, when i go to settings > advanced and select "edit current torrc" and click save without making any changes on a clean install i get the error

Error at line 1: ""

two of the errors i get in the log are

Sep 09 00:33:00.017 [Notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep 09 00:33:00.017 [Notice] Read configuration file "C:\Users\***\Desktop\Tor Browser\Data\Tor\torrc".

Im assuming these errors mean something is wrong when its creating the torrc file.

September 09, 2013

Permalink

I experiencing a high performance count on my GPU if I run Vidalia! My GPU Consumes about 190 WATT per hour and I noticed it with my Smart Home environment. If I run TOR without Vidalia its fine no GPU is needed. Maybe there is a Bitcoin application inside Vidalia???

September 09, 2013

Permalink

I have been using the stable 0.2.3.25 expert bundle on KernelEx modified 98SE. It's been very stable and reliable. I tried to use the present release candidate 0.2.4.17-rc but it won't run regardless of Kex settings.
The error message reads:
The Tor.exe file is linked to missing export MSVCRT.DLL:_vscprintf.
After adding a copy of MSVCRT.DLL from XP to the Tor exceutable directory, I get the following error:
The MSVCRT.DLL file is linked to missing export NTDLL.DLL:RtlGetNTVersionNumbers.
Is this call a requirement of the last modification or is it from a change in the compiling environment? If it's the latter, will 98SE/ME compatibility exist when 0.2.4 versions become a stable releases?

Wow.

I think your best bet is to work on the TBB 3.x build process to make sure it'll work for you:
https://blog.torproject.org/category/tags/tbb-30
since pretty soon TBB 3.x is going to be the recommended way to use Tor, and I bet it doesn't support win98 currently.

Or to be clearer, we wouldn't mind supporting your obsolete insecure operating system if it's easy to do, but you're going to have to make it happen. :)

Regarding:
Or to be clearer, we wouldn't mind supporting your obsolete insecure operating system if it's easy to do, but you're going to have to make it happen.

Version 0.2.3.25 works properly, both as a client and a low volume relay, 1-2GB per day. My low end DSL service prevents higher volumes.
http://torstatus.blutmagie.de/router_detail.php?FP=9d729e04cd3bf8630cae…
The uptime was at 2 weeks before I tried the latest version. I'm attempting to determine what has changed in the 0.2.4 versions that has made it incompatible, whether its a system call that isn't supported by 98, or a change in file versions used during compiling.

The question of OS security could go way off topic here. In short, I'd rather deal with a potentially insecure design than one that may be deliberately backdoored. I'm too new with linux to make that change at this time.

September 09, 2013

Permalink

I run a few tor relays via VPS. When I ssh in to the servers (ubuntu) and try to update (apt-get install tor) I get the message that I'm running the latest version. I'm running the 0.2.3.25 version.

As a relay operator, how can I update to the latest 0.2.4.17-rc package on linux using the command line?

September 09, 2013

Permalink

the new tor crashed TWICE in less than 10 minutes. One of those when disconnecting a circuit, AND the browser keeps disconnecting and interrupting the connections.
Also, I couldn't access the tor blog from tor!
Please fix it!

September 09, 2013

Permalink

looking at tor bandwidth usage, noticed constant receiving and sent activity at times... especially after unsuccessfully loading a page. Stopping, closing tabs, patiently waiting (?), nothings stops stops the constant activity. It just runs in circles, preventing further use until restarting sometimes.

Few people here say its because https everywhere. Maybe downgrade?

Can you figure out what triggers it? The https everywhere developers couldn't make it happen when they tried to reproduce the problem, so they have nothing to fix.

September 09, 2013

Permalink

Sure. A way I can consistently replicate it is with gmail!.... not that I would ever seriously use gmail.

but attempting to log into gmail wont get far. it doesn't get far past showing an inbox. then constant receiving and sending, even after closing. tor craps out after this. Only thing to do is restart. it seems to be clients1.google.com. constantly opening/closing after closing everything while i stare at a blank screen. Just tried it before posting this. 10 minutes of this with no signs of ever stopping.

Same thing has happened a few times but elsewhere. This is the only way i remember and can replicate but I will try and backtrack and find were else its happened and maybe you can test it out yourself.

also, just visiting gmail front page starts the vicious cycle of clients1.google.com but doesnt completely cripple tor unless logging in.

September 09, 2013

Permalink

Erinn/Arma,

the earlier reported non-stop outgoing https connections to clients1.google.com seemed to happen with the latest TBB x64 on Linux, but only _after the browser Add-ons were updated manually_ - that loaded the latest dev version of Https-Everywhere.
After I manually replaced it with the previous "4.0development.9" version that was on hand, the weird connections are no more.

Wonder if the Https-evr devs really use Google like that in their development process... Hope it's not some MITM trick.

Thanks for interacting with us in the blog's comments. For some of us, mortal users, it's way easier to give feedback here than to register/login/create the tickets...

September 10, 2013

Permalink

EPIC Files FOIA Suit to Determine If Tor Is Compromised

EPIC has filed a Freedom of Information Act lawsuit against the Broadcasting Board of Governors, a federal agency that oversees all U.S. civilian international media. EPIC seeks information about the federal government's interest in the Tor network. Tor is a program designed to allow encrypted, anonymized online browsing and is used by many human rights organizations. Recent news reports indicate that the National Security Agency has targeted the communications of Tor users. In a related matter, EPIC has asked the Supreme Court to halt the NSA collection of domestic telephone records. For more information, see EPIC: EPIC v. BBG - Tor.

- https://epic.org/2013/09/epic-files-foia-suit-to-determ.html

https://epic.org/foia/tor/EPIC-BBG-FOIA-Complaint.pdf
https://epic.org/Tor_FOIA_Request_31_May.pdf
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-p…
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-s…
https://epic.org/privacy/nsa/in-re-epic/
https://epic.org/foia/tor.html

I'm generally a fan of EPIC, but this one is just silly. BBG funded us in part to improve the capacity of the Tor network, and I spent a month last summer growing the relay operator community and doing just that. You can see the results here:
https://metrics.torproject.org/fast-exits.html?graph=fast-exits&start=2…

We've also been exploring the idea of reimbursing some costs for exit relay operators if they run fast and stable exits:
https://blog.torproject.org/blog/turning-funding-more-exit-relays
and we've done all of that exploring in the open so far (and apart from funding Moritz a little bit to have him continue helping people to run their fast exits, it's still basically at the exploring stage).

But none of that matters, because this FOIA appears to be about finding out details about the exits that BBG runs. They don't run any. And when the FOIA response comes back empty ("sorry, don't know what you're talking about"), will it just strengthen EPIC's conspiracy fears?

What makes it extra sad is that there *are* government agencies where I'd love to find out if they're running any Tor relays -- NSA, FBI, DoJ, ICE, DEA, plus all the new acronyms that have crept up in the past decade when we added new "wars on X".

So, great, I don't want EPIC to cancel this one (after all that would just feed the conspiracy). But I sure wish they had come to us for context first before wasting their time and energy here. And I look forward to seeing their FOIAs of the many actually scary agencies.

September 10, 2013

Permalink

I agree with those who argue that Tor users must retain a niggling suspicion about the USG funding for both Tor Project (via BBG) and Tails (via NED).

But I am still with Arma on this issue. One point to consider: the BBG and NED affiliations are a rather open secret. If scarier TLAs had co-opted Tor and wanted to hide their financial support, they could probably form a less recognizable front organization.

Nontheless I would like to offer a suggestion. It seems to me that there are at least two reasons to move the incorporation (if that is the correct term) of Tor Project outside the USA:

1. Otherwise, Tor can be pressured by TLAs to either provide back doors or lose its 501c status (from the grapevine, this appears to be sufficiently common that I am surprised by the implication that Tor has not yet experienced it).

2. Otherwise, Tor will be under continual threat of suddenly receiving a dragnet surveillance order under some US "authority".

So I think reconstituting the project as a tax-exempt public interest organization in a less panopticon-friendly country could be very desirable. See

http://www.cryptolaw.org/

for suitable candidate host nations.

Comments?

We've been exploring forming a non-profit in Europe. But it's not like the European climate is much better here.

Also, if we have "operations" in the US (e.g. employees, contractors, etc) then we fall back into many of the same problems.

And if we form some organization in Europe, we fall under their jurisdictions *in addition*.

In sum, it's about much more than just where the company is incorporated.

September 10, 2013

Permalink

Wait, just to be clear, are people actually getting pages loaded and displayed, because the client you've provided seems to run fine, but the URL's are all timing out, and not loading...

September 12, 2013

In reply to arma

Permalink

Okay, are a lot of people experiencing my problem, because it was working fine before, but now it's just not loading anything.... Normal surface URL's like google.com, and duckduckgo.com work fine, its just dark net pages like hidden wiki, for example aren't working...

September 10, 2013

Permalink

Hey,

I tried to access a lot of hidden services for 2 days now and none of it except for TorDir and (sometimes) TheHiddenWiki worked. ANY other service was down or taking too long to respond.
What happened to the deepweb?
Is it all related to the raid at FH or to the botnet?
Even torproject.org (The .onion adress) threw out a timeout.

I upgraded to the 0.2.4 beta today it doesnt change anything except for lots of connections to clients1.google.com as described by someone above.

What is your plan to fix all this?

September 10, 2013

Permalink

Quote: "Tor can be pressured by TLAs to either provide back doors or lose its 501c status (from the grapevine, this appears to be sufficiently common that I am surprised by the implication that Tor has not yet experienced it)."

Can you cite any examples (from the grapevine or not)? This is the first that I've
heard of IRS using 501c3 status to try to force NSA/FBI back doors into software.
(There have been other scandals with IRS and 501c3s but not this one.)

September 10, 2013

Permalink

I have tried the latest stable, the previous, the latest alpha and the beta releases of TBB on xp and every single one connects to TOR but will not, i repeat WILL NOT launch the tor browser (firefox) at all. I can get it to take up all my cpu without actually displaying itself, and I can launch it myself to be greeted with a refusing proxy connections message for every site........WTF am i supposed to do???!! please someone help....

September 10, 2013

Permalink

For the past few days, I've been experiencing many timeouts on .onion sites as well as for most other sites. Is this is due to the recent (ongoing) overload/botnet issue? I've seen very high and extended time % CPU use which is troubling. I suppose this could be the https Everywhere bug mentioned above, I don't know. I've also had to frequently stop and shut down then restart rather than simply use a new identity just to get a few pages to load consecutively.

A few observations.

I've noticed "Sorry you are not using TOR" much more frequently from check.torproject.

When I run Tails (tails-i386-0.20), I don't seem to have the problem. Tails runs much faster overall than the TBB now runs. My TBB is 64 bit linux.

I have noticed that CPU use is 60% to nearly 80% over all cores (100% of some) during the entire time of the attempt to connect which lasts for a few minutes (I haven't timed it). The duckduckgo 3g2upl4pq6kufc4m.onion site routinely almost always times out. Overheating has become an issue on warm days.

TBB version: tor-browser-gnu-linux-x86_64-2.4.17-beta-1-dev-en-US

I first had the problem with the earlier stable: tor-browser-gnu-linux-x86_64-2.3.25-11-dev-en-US

which is why I switched to the beta.

Any clues on the high CPU %? I don't know if this is the https Everywhere bug mentioned above, but the problem is intermittent and I cannot reliably reproduce it.

In this Vidalia (0.0.21), I no longer see any "connect" lines drawn on the map. Not that that's troubling.

And finally, is this the proper area to make a post such as this?

Thanks.

September 11, 2013

Permalink

"On September 9th, 2013 arma said:
Yeah, don't use the 'edit torrc' option from inside Vidalia. The future (TBB 3.x) has no more Vidalia:
https://blog.torproject.org/category/tags/tbb-30"

has no more Vidalia .....Great decision...........

Cant wait -Youand all others,too?-for now 'not visible' circuits like
US-US-US,CA-US-CA,US-SW-CA,etc.

cheers

September 11, 2013

In reply to arma

Permalink

How can you do that, just launch a newer TBB and then launch an old Vidalia program from an old TBB release?

Yes, correct. You'll want to set a control password on the Tor that the new TBB launches, and then tell Vidalia that control password. And you'll want to get the control port number correct. Eventually we'll probably end up with a FAQ entry describing how to do it. Maybe somebody here will write it? :)

September 12, 2013

Permalink

Fairly new to TOR. I tried both tor-browser-gnu-linux-i686-2.4.17-beta-1-dev-en-US.tar.gz on one machine and tor-browser-gnu-linux-x86_64-2.4.17-beta-1-dev-en-US.tar.gz on another machine. Browsing sites other than hidden .onion sites became extremely slow after a while. Not sure if it was related to Tor itself or the browser but I believe it is the browser. Creating hidden services with Vidalia worked fine. However, I did have to comment out the line server_type = 5 in my torsocks.conf which worked with 2.3.25-12. If someone has any tests they would like me to perform, I would be happy to do so. Ultimately, I had to revert to 2.3.25-12 for a usable Tor experiences.

September 12, 2013

Permalink

More info on Ticket 9713:
It looks like Google might be causing the constant connections to clients1.google.com through a redirect from their OCSP url. Their certificates list
http://clients1.google.com/ocsp
as the OCSP url, but accessing that redirects you to
https://clients1.google.com/
The correct URL for OCSP requires a trailing slash, but that isn't what's listed in their SSL certificates.
Anyone have a contact point at Google?

That's why we had such difficulty reproducing it -- we didn't try connecting to Google over Tor in the way these users did.

And no, it wasn't about safe surfing. It was a bug in the (development version of the) https everywhere extension that made it loop while querying google.

I guess that's a step above Win 98 but not much above?

It's likely that you're going to have to sort out what the issue is, and then produce a fix, if you want it fixed anytime soon.

September 15, 2013

In reply to arma

Permalink

Windows 2000 based on NT architecture, unlike 95/98/ME, so actually it is not much below Windows XP. ;)

Now, back to the issue at hand..

Steps to reproduce:

1. Extract tor.exe with 7zip from expert bundle.
2. Run it on Windows 2000 (I used Windows 2000 SP 4 Rollup 1).
3. Tor does not starts, there is error message "Точка входа в процедуру _vscprintf не найдена в библиотека DLL msvcrt.dll" [it is text in Russian], basically it says that entry point to procedure _vscprintf cannot be found in DLL library msvcrt.dll

I have no problems running latest stable Tor (0.2.3.25)

That is the same error I got on 98SE. Unless we can analyze and compile source code ourselves, it appears that we are stuck with 0.2.3.25. I'm suspecting the problem lies with the version of msvcrt.dll that Tor expects to find but don't have the skills to confirm it.

September 13, 2013

Permalink

The new Tor 0.2.4.17-rc package is terrible, the connection is "interrupted" most of the time, so it's not accessing any websites, even the check.torproject.org. Swritched back to the older one and it's doing great.

September 14, 2013

Permalink

"The future (TBB 3.x) has no more Vidalia"

um may that's the funny running gag in the "Tor crypto broken or not" discussion?
Stooges don't need the hard decipher way on new TBB(3.x) WITHOUT Vidalia.
Tor will prefer circuits on totally fullcontrolled networks in FiveEye countrys,or loops like SW-US-SW. Ordinary timing+correlation attacks?
ie you live in the US,get circuits like US-US-GB and you think they need sophisticated decipher-hardware to broke that?
You can say: Tor would not do that. Really?
Without Vidalia you notice nothing)-: i have test it(-:
That's a way users will be really fucked)-: cause the most use it
out-of-box.
Old discussion. Make cryptosoft(bundles) useable in a way it's simple for all AND full DEVELOPED at the same time.

> Do [hard thing A] and [hard thing B] at the same time.

Yes. Great idea in theory.

But yelling at us to do more than we can do, while not stepping up to help us do it, is unlikely to solve your troubles.

September 14, 2013

Permalink

2.4.17-beta is much more slower than the stable version. What is the cause of it? Can I do something about it?

September 15, 2013

In reply to arma

Permalink

You had the right idea! I`ve done what you asked me to do and now everything is fine. Thanks a lot.

September 14, 2013

Permalink

Day nine and not much is happening in user deployment:

"Circuit handshake stats since last time: 322414/322416 TAP, 437/437 NTor."

Silly figures. Relay uptake is also slow. Only about 1000 of the 4000 is running 0.2.4 (729 using 0.2.4.17-rc).

The HTTPS Everywhere bug is fixed people! Please upgrade.

In theory you don't need to see that many NTor circuits -- normal Tor users don't chew through circuits at the rate that the botnet clients seem to.

As for the number of relays that have upgraded, you should look at capacity not number. See also:
https://lists.torproject.org/pipermail/tor-relays/2013-September/002750…

I'm happy to see that the bug in the HTTPS-Everywhere dev version has been fixed. We should put out a new version sometime I agree.

September 16, 2013

Permalink

I still do not understand why I am able to always reach the tor exit nodes and they are super fast, yet I can not reach hidden sites most of the time and they are very slow. How are they (not) targetting HS?

Someone please explain in non theoretical terms for me. A scientific explaination is preferred.

September 16, 2013

Permalink

Is a 0.2.4.17-rc package available for Debian Lenny? I am running a middle relay with 0.2.3.25, and since the botnet action started last month, it repeatedly creeps up past 500 MB of RAM, causing the Linux-VServer VM on which it runs to reboot three to four times daily.

September 24, 2013

In reply to arma

Permalink

I have no choice. It's a Dreamhost VPS, and Lenny is what is installed. So I'll need to compile it myself?

September 17, 2013

Permalink

I can hardly follow the technical talk here. I started using Tor late August b/c I am constantly hacked on Facebook, Yahoo, Hotmail, and apparently Gmail and LinkedIn too (still investigating). Why, you might ask, do I gather so much attention? I am a USA activist against gov't child confiscation (CPS). I use my real name in my work, but tired of my work being constantly attacked. So am I using Tor appropriately?

I want to upgrade but would like to see more stability via comments here. And, since I do not understand much of the technical talk here, I'd like to have a plan should my system not boot. What is the worst I can expect? What would I do if that happens?

Also- fellow activists who also began using Tor recently (late August) have experienced their Facebook accounts closed when using Tor. These activists are using Tor to access the net in much the same way as I am, using their true identities, but constantly hacked by those who wish to oppress us, thus attempting to work with Tor and avoid the calamity our haters create. Is there any information on this issue? I cannot easily reproduce my international base of activist friends, thus I am left without this valuable tool until I know more.

I would be interested in assisting creation of "Tor For Dummies" or "Q&A for Tor" since those available are still too technical for my use. I cannot, however, devote much time without compensation (my apologies) b/c we activists are stretched to the limit on resources as well.

September 17, 2013

Permalink

Firefox 17.0.9 is out

Fixed in Firefox ESR 17.0.9

MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object
MFSA 2013-90 Memory corruption involving scrolling
MFSA 2013-89 Buffer overflow with multi-column, lists, and floats
MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes
MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification
MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption
MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning
MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
MFSA 2013-65 Buffer underflow when generating CRMF requests.

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

September 19, 2013

Permalink

Well done on fixing the issues.
Was forced to close down Vidalia Exit Bundle running Exit, Dir and HS Servers for the first time in 5 years due to Torcc unable to control Up Bandwidth, CPU and RAM usage in the older versions making my system inoperable. Nearly broke my heart but all seems well now.
Does seem as if the Bot is targeting HS, Before the Dir is advertised as HS Server the Circuit builds are in the region of +-50. Once HS kicks in it increases to +-700

September 19, 2013

Permalink

This bundle is broken as shit super slow, I have noticed looking around there are about 5 places on this site to download things, so many even the devs are getting confused when linking new version how about cleaning up the site and getting one down load page will everything there.

September 19, 2013

Permalink

I heard the project was under attack and exit node were under huge stress so I decided to help out, first i had the stable bundle, then i saw this post, this bundle has something really wrong, im seeing tons of routers about 4.5k and then it drops to 600, then back up to 4.5,it has repeated this over and over for many hours , I never noticed that on the stable bundle