New Release: Tor Browser 9.5a9
Tor Browser 9.5a9 is now available from the Tor Browser Alpha download page and also from our...
Lavoro da remoto e sicurezza personale
I nostri consigli per rimanere connessi in modo sicuro, lavorare a distanza e proteggere la vostra privacy mentre siete lontani socialmente o in quarantena.
Conectadas y seguras en tiempos de cuarentena
Nuestras recomendaciones para que estés conectadx de forma segura, puedas trabajar remotamente y proteger tu privacidad cuando estás en cuarentena.
New Release: Tor Browser 9.0.7
Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our...
Remote Work and Personal Safety
Our recommendations for safely staying connected, working remotely, and protecting your privacy while social distancing or in quarantine.
Trabalho remoto e segurança pessoal
As nossas recomendações para permanecer conectado com segurança, trabalhar remotamente e proteger a sua privacidade enquanto você se distancia socialmente ou está em quarentena.
New Release: Tor 0.4.3.3-alpha (with security fixes!)
There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.4.3.3-alpha from the download page on the website. Packages should be available over the coming days, including a new alpha Tor Browser.
Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.
Tor 0.4.3.3-alpha fixes several bugs in previous releases, including TROVE-2020-002, a major denial-of-service vulnerability that affected all released Tor instances since 0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor instances to consume a huge amount of CPU, disrupting their operations for several seconds or minutes. This attack could be launched by anybody against a relay, or by a directory cache against any client that had connected to it. The attacker could launch this attack as much as they wanted, thereby disrupting service or creating patterns that could aid in traffic analysis. This issue was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.
We do not have reason to believe that this attack is currently being exploited in the wild, but nonetheless we advise everyone to upgrade as soon as packages are available.
There are also new stable releases coming out today; I'll describe them in an upcoming post.
Changes in version 0.4.3.3-alpha - 2020-03-18
- Major bugfixes (security, denial-of-service):
- Fix a denial-of-service bug that could be used by anyone to consume a bunch of CPU on any Tor relay or authority, or by directories to consume a bunch of CPU on clients or hidden services. Because of the potential for CPU consumption to introduce observable timing patterns, we are treating this as a high-severity security issue. Fixes bug 33119; bugfix on 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue as TROVE-2020-002 and CVE-2020-10592.
- Major bugfixes (circuit padding, memory leak):
- Avoid a remotely triggered memory leak in the case that a circuit padding machine is somehow negotiated twice on the same circuit. Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. This is also tracked as TROVE-2020-004 and CVE-2020-10593.
New releases: 0.3.5.10, 0.4.1.9, and 0.4.2.7 (with security fixes!)
We have new releases today. If you build Tor from source, you can download the source code for 0.4.2.7 from the download page on the website. Packages should be available within the next several days, including a new Tor Browser.
Cooking with Onions: Reclaiming the Onionbalance
Onionbalance is one of the standard ways onion service administrators can load balance onion services, but it didn't work for v3 onions. Until now.
Join Our Second Documentation Hackathon March 22-30
Between 22 and 30 March, the Tor Project will host the second edition of our user documentation hackathon, the DocsHackathon. The DocsHackathon is a totally remote and online event.