Tor Browser 8.0a3 is released

Tor Browser 8.0a3 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

In addition to security updates to Firefox (52.7.0esr) this release includes newer versions of Tor (0.3.3.3), HTTPS Everywhere (2018.2.26), and obfs4proxy (0.0.7).

Apart from those component updates we are proud that this alpha is the first one containing Moat, which is a more robust way of getting bridges from torproject.org using the meek pluggable transport. Please try it out if you can and report any issues you find!

The full changelog since Tor Browser 8.0a2 is:

  • All platforms
    • Update Firefox to 52.7.0esr
    • Update Tor to 0.3.3.3-alpha
    • Update Tor Launcher to 0.2.15.1
      • Bug 23136: Moat integration (fetch bridges for the user)
      • Translations update
    • Update HTTPS Everywhere to 2018.2.26
      • Bug 25339: Adapt build system for Python 3.6 based build procedure
    • Bug 25356: Update obfs4proxy to v0.0.7
    • Bug 25147: Sanitize HTML fragments created for chrome-privileged documents
  • Windows
    • Bug 25112: No sandboxing on 64-bit Windows <= Vista

Source: https://blog.torproject.org/tor-browser-80a3-released

Tor Browser 7.5.1 is released

Tor Browser 7.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

In addition to security updates to Firefox (52.7.0esr) this release includes newer versions of Tor (0.3.2.10), NoScript (5.1.8.4), and obfs4proxy (0.0.7).

Moreover, we fixed sandbox incompatibilities for 64bit Windows Vista users and amended the NoScript whitelist, which unbreaks extension panels on higher security levels.

Note: We did not include the latest HTTPS Everywhere release in Tor Browser 7.5.1 as we need to first test some changes in its new build system in an alpha release to make sure we still can build everything reproducibly. We expect to have this fixed in the next stable release, though. Sorry for any inconvenience.

The full changelog since Tor Browser 7.5 is:

  • All platforms
    • Update Firefox to 52.7.0esr
    • Update Tor to 0.3.2.10
    • Update Torbutton to 1.9.8.6
      • Bug 24159: Version check does not deal with platform specific checks
      • Bug 25016: Remove 2017 donation banner
      • Translations update
    • Update Tor Launcher to 0.2.14.4
      • Bug 25089: Special characters are not escaped in proxy password
      • Translations update
    • Update NoScript to 5.1.8.4
    • Bug 25356: Update obfs4proxy to v0.0.7
    • Bug 25000: Add [System+Principal] to the NoScript whitelist
  • Windows
    • Bug 25112: Disable sandboxing on 64-bit Windows <= Vista

Source: https://blog.torproject.org/tor-browser-751-released

New Tor alpha release: 0.3.3.3-alpha

Hi!  In addition to today’s stable releases, there’s a new alpha release available for download.  If you build Tor from source, you can download the source code for 0.3.3.3-alpha from the usual place on the website.  Packages for relays should be available over the coming days.

Remember, this is an alpha release: you should only run this if you’d like to find and report more bugs than usual.

See the other announcement for more information about today’s security issues.

Tor 0.3.3.3-alpha is the third alpha release for the 0.3.3.x series. It includes an important security fix for a remote crash attack against directory authorities tracked as TROVE-2018-001.

Additionally, with this release, we are upgrading the severity of a bug fixed in 0.3.3.2-alpha. Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely triggered in order to crash relays with a use-after-free pattern. As such, we are now tracking that bug as TROVE-2018-002 and CVE-2018-0491. This bug affected versions 0.3.2.1-alpha through 0.3.2.9, as well as 0.3.3.1-alpha.

This release also fixes several minor bugs and annoyances from earlier releases.

Relays running 0.3.2.x should upgrade to one of the versions released today, for the fix to TROVE-2018-002. Directory authorities should also upgrade. (Relays on earlier versions might want to update too for the DoS mitigations.)

Changes in version 0.3.3.3-alpha - 2018-03-03

  • Major bugfixes (denial-of-service, directory authority):
    • Fix a protocol-list handling bug that could be used to remotely crash directory authorities with a null-pointer exception. Fixes bug 25074; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and CVE-2018-0490.
  • Minor features (compatibility, OpenSSL):
    • Tor will now support TLS1.3 once OpenSSL 1.1.1 is released. Previous versions of Tor would not have worked with OpenSSL 1.1.1, since they neither disabled TLS 1.3 nor enabled any of the ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites. Closes ticket 24978.
  • Minor features (logging):
    • Clarify the log messages produced when getrandom() or a related entropy-generation mechanism gives an error. Closes ticket 25120.
  • Minor features (testing):
    • Add a “make test-rust” target to run the rust tests only. Closes ticket 25071.
  • Minor bugfixes (denial-of-service):
    • Fix a possible crash on malformed consensus. If a consensus had contained an unparseable protocol line, it could have made clients and relays crash with a null-pointer exception. To exploit this issue, however, an attacker would need to be able to subvert the directory authority system. Fixes bug 25251; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
  • Minor bugfixes (DoS mitigation):
    • Add extra safety checks when refilling the circuit creation bucket to ensure we never set a value above the allowed maximum burst. Fixes bug 25202; bugfix on 0.3.3.2-alpha.
    • When a new consensus arrives, don’t update our DoS-mitigation parameters if we aren’t a public relay. Fixes bug 25223; bugfix on 0.3.3.2-alpha.
  • Minor bugfixes (man page, SocksPort):
    • Remove dead code from the old “SocksSocket” option, and rename SocksSocketsGroupWritable to UnixSocksGroupWritable. The old option still works, but is deprecated. Fixes bug 24343; bugfix on 0.2.6.3.
  • Minor bugfixes (performance):
    • Reduce the number of circuits that will be opened at once during the circuit build timeout phase. This is done by increasing the idle timeout to 3 minutes, and lowering the maximum number of concurrent learning circuits to 10. Fixes bug 24769; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (spec conformance):
    • Forbid “-0” as a protocol version. Fixes part of bug 25249; bugfix on 0.2.9.4-alpha.
    • Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249; bugfix on 0.2.9.4-alpha.
  • Minor bugfixes (spec conformance, rust):
    • Resolve a denial-of-service issue caused by an infinite loop in the rust protover code. Fixes bug 25250, bugfix on 0.3.3.1-alpha. Also tracked as TROVE-2018-003.
  • Code simplification and refactoring:
    • Update the “rust dependencies” submodule to be a project-level repository, rather than a user repository. Closes ticket 25323.
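
The protocol-list and spec-conformance fixes above come down to strict parsing with an explicit error path. The C sketch below is an added example, not Tor's protover code: it parses one `Name=versions` entry, rejects "-0", UINT32_MAX and other malformed input, and reports failure through a return code rather than a NULL result. The function names, the 16-range limit and the sample entries are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; this is not Tor's protover.c. */
typedef struct { uint32_t low, high; } proto_range_t;

/* Parse one decimal version at *sp. Only a digit may start the number, so
 * "-0" and "+1" are rejected instead of being accepted by strtoull(). */
static int parse_version(const char **sp, uint32_t *out)
{
  const char *s = *sp;
  char *end;
  unsigned long long v;

  if (!isdigit((unsigned char)*s))
    return -1;
  errno = 0;
  v = strtoull(s, &end, 10);
  if (errno == ERANGE || v >= UINT32_MAX)  /* UINT32_MAX itself is forbidden */
    return -1;
  *out = (uint32_t)v;
  *sp = end;
  return 0;
}

/* Parse "1-3,5,7-9" into ranges. Returns the number of ranges, or -1. */
int parse_version_list(const char *s, proto_range_t *out, size_t max)
{
  size_t n = 0;

  if (s == NULL || *s == '\0')
    return -1;
  for (;;) {
    proto_range_t r;
    if (n == max || parse_version(&s, &r.low) < 0)
      return -1;
    r.high = r.low;
    if (*s == '-') {
      s++;
      if (parse_version(&s, &r.high) < 0 || r.high < r.low)
        return -1;
    }
    out[n++] = r;
    if (*s == '\0')
      return (int)n;
    if (*s != ',')            /* anything but a separator is malformed */
      return -1;
    s++;
  }
}

/* Does the entry "Name=list" include `version`?
 * Returns 1 (yes), 0 (no) or -1 (unparseable); callers must handle -1
 * rather than assume a parsed object exists. */
int entry_supports(const char *entry, uint32_t version)
{
  proto_range_t ranges[16];
  const char *eq = entry ? strchr(entry, '=') : NULL;
  int n, i;

  if (eq == NULL || eq == entry)
    return -1;
  n = parse_version_list(eq + 1, ranges, 16);
  if (n < 0)
    return -1;
  for (i = 0; i < n; i++)
    if (version >= ranges[i].low && version <= ranges[i].high)
      return 1;
  return 0;
}

int main(void)
{
  /* Constructed sample entries. */
  const char *samples[] = { "Link=1-5", "Link=-0", "Link=4294967295",
                            "HSRend=1-2,4" };
  size_t i;

  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-18s supports v4? %d\n", samples[i],
           entry_supports(samples[i], 4));
  return 0;
}
```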

Source: https://blog.torproject.org/new-tor-alpha-release-0333-alpha

New stable Tor releases, with security fixes and DoS prevention: 0.3.2.10, 0.3.1.10, 0.2.9.15

Today, we made several new stable Tor releases.  Together, they fix an issue in directory authorities, and backport a feature to improve relays’ resistance to denial-of-service attacks. In addition, the 0.3.2.10 release fixes a security bug affecting relays running earlier 0.3.2.x versions.

To summarize:

  • Relays (and bridges) running 0.3.2.1-alpha through 0.3.2.9 should upgrade.
  • Directory authorities should upgrade.
  • Relays (and bridges) running 0.3.3.1-alpha should upgrade.
  • All other relays (and bridges) may wish to upgrade in order to improve their
    resistance to denial-of-service attacks.

If you build Tor from source, you can fetch the latest source code from https://dist.torproject.org/. New packages for relays should be available in the coming days.

The 0.3.2.10 changelog is below. For the changes in 0.2.9.15 and 0.3.1.10, please see the ChangeLog file distributed along with the source code. The changes in 0.3.3.3-alpha will be listed in my next blog post.


Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It backports a number of bugfixes, including important fixes for security issues.

It includes an important security fix for a remote crash attack against directory authorities, tracked as TROVE-2018-001.

Additionally, it backports a fix for a bug whose severity we have upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely triggered in order to crash relays with a use-after-free pattern. As such, we are now tracking that bug as TROVE-2018-002 and CVE-2018-0491, and backporting it to earlier releases. This bug affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version 0.3.3.1-alpha.

This release also backports our new system for improved resistance to denial-of-service attacks against relays.

This release also fixes several minor bugs and annoyances from earlier releases.

Relays running 0.3.2.x SHOULD upgrade to one of the versions released today, for the fix to TROVE-2018-002. Directory authorities should also upgrade. (Relays on earlier versions might want to update too for the DoS mitigations.)

Changes in version 0.3.2.10 - 2018-03-03

  • Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
    • Fix a protocol-list handling bug that could be used to remotely crash directory authorities with a null-pointer exception. Fixes bug 25074; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and CVE-2018-0490.
  • Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
    • Avoid adding the same channel twice in the KIST scheduler pending list, which could lead to remote denial-of-service use-after-free attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
  • Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
    • Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses). First: if a single client address makes too many concurrent connections (>100), hang up on further connections. Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours). Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there’s no need to configure anything manually. Implements ticket 24902.
  • Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
    • Fix an “off by 2” error in counting rendezvous failures on the onion service side. While we thought we would stop the rendezvous attempt after one failed circuit, we were actually making three circuit attempts before giving up. Now switch to a default of 2, and allow the consensus parameter “hs_service_max_rdv_failures” to override. Fixes bug 24895; bugfix on 0.0.6.
    • New-style (v3) onion services now obey the “max rendezvous circuit attempts” logic. Previously they would make as many rendezvous circuit attempts as they could fit in the MAX_REND_TIMEOUT second window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
  • Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
    • Add Link protocol version 5 to the supported protocols list. Fixes bug 25070; bugfix on 0.3.1.1-alpha.
  • Major bugfixes (relay, backport from 0.3.3.1-alpha):
    • Fix a set of false positives where relays would consider connections to other relays as being client-only connections (and thus e.g. deserving different link padding schemes) if those relays fell out of the consensus briefly. Now we look only at the initial handshake and whether the connection authenticated as a relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
  • Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
    • The scheduler subsystem was failing to promptly notice changes in consensus parameters, making it harder to switch schedulers network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
  • Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
    • Make our OOM handler aware of the geoip client history cache so it doesn’t fill up the memory. This check is important for IPv6 and our DoS mitigation subsystem. Closes ticket 25122.
  • Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
    • Tor will now support TLS1.3 once OpenSSL 1.1.1 is released. Previous versions of Tor would not have worked with OpenSSL 1.1.1, since they neither disabled TLS 1.3 nor enabled any of the ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites. Closes ticket 24978.
  • Minor features (geoip):
    • Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2 Country database.
  • Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
    • When logging a failure to check a hidden service’s certificate, also log what the problem with the certificate was. Diagnostic for ticket 24972.
  • Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
    • Use the actual observed address of an incoming relay connection, not the canonical address of the relay from its descriptor, when making decisions about how to handle the incoming connection. Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by “ffmancera”.
  • Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
    • Fix a possible crash on malformed consensus. If a consensus had contained an unparseable protocol line, it could have made clients and relays crash with a null-pointer exception. To exploit this issue, however, an attacker would need to be able to subvert the directory authority system. Fixes bug 25251; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
  • Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
    • Directory authorities, when refusing a descriptor from a rejected relay, now explicitly tell the relay (in its logs) to set a valid ContactInfo address and contact the bad-relays@ mailing list. Fixes bug 25170; bugfix on 0.2.9.1.
  • Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
  • Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
    • Remove a BUG() statement when a client fetches an onion descriptor that has a lower revision counter than the one in its cache. This can happen in normal circumstances due to HSDir desync. Fixes bug 24976; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (logging, backport from 0.3.3.2-alpha):
    • Don’t treat inability to store a cached consensus object as a bug: it can happen normally when we are out of disk space. Fixes bug 24859; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
    • Improve the performance of our consensus-diff application code when Tor is built with the --enable-fragile-hardening option set. Fixes bug 24826; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
    • Don’t exit the Tor process if setrlimit() fails to change the file limit (which can happen sometimes on some versions of OSX). Fixes bug 21074; bugfix on 0.0.9pre5.
  • Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
    • Forbid “-0” as a protocol version. Fixes part of bug 25249; bugfix on 0.2.9.4-alpha.
    • Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249; bugfix on 0.2.9.4-alpha.
  • Minor bugfixes (testing, backport from 0.3.3.1-alpha):
    • Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug 25005; bugfix on 0.3.2.7-rc.
  • Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
    • Look at the “HSRend” protocol version, not the “HSDir” protocol version, when deciding whether a consensus entry can support the v3 onion service protocol as a rendezvous point. Fixes bug 25105; bugfix on 0.3.2.1-alpha.
  • Code simplification and refactoring (backport from 0.3.3.3-alpha):
    • Update the “rust dependencies” submodule to be a project-level repository, rather than a user repository. Closes ticket 25323.
  • Documentation (backport from 0.3.3.1-alpha):
    • Document that operators who run more than one relay or bridge are expected to set MyFamily and ContactInfo correctly. Closes ticket 24526.
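
The first two relay defenses in the denial-of-service mitigation entry above, modelled per client address as an added example (not Tor's implementation): a concurrent-connection cap and a circuit-creation token bucket whose refill is clamped to the burst. The defaults are the ones quoted in the changelog; the struct and function names, and the use of 3600 seconds as the refusal period, are assumptions, and the rendezvous defense is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified per-address model; every name here is hypothetical. */
typedef struct {
  uint32_t circ_rate;       /* circuits refilled per second (3) */
  uint32_t circ_burst;      /* bucket capacity (90) */
  uint32_t circ_min_conns;  /* connections needed before flagging (3) */
  uint32_t conn_max;        /* concurrent connections allowed (100) */
  uint32_t defense_secs;    /* refusal period; 3600 = low end of 1-2 hours */
} dos_params_t;

typedef struct {
  uint32_t conns;           /* open connections from this address */
  uint32_t bucket;          /* circuit tokens left */
  uint64_t last_refill;     /* seconds */
  uint64_t blocked_until;   /* CREATE cells are refused before this time */
} client_stats_t;

dos_params_t dos_defaults(void)
{
  dos_params_t p = { 3, 90, 3, 100, 3600 };
  return p;
}

client_stats_t client_init(const dos_params_t *p, uint64_t now)
{
  client_stats_t c = { 0, p->circ_burst, now, 0 };
  return c;
}

/* Refill without ever exceeding the burst, whatever the elapsed time. */
void bucket_refill(const dos_params_t *p, client_stats_t *c, uint64_t now)
{
  uint64_t elapsed, level;

  if (now <= c->last_refill) {   /* same second, or the clock stepped back */
    c->last_refill = now;
    return;
  }
  elapsed = now - c->last_refill;
  c->last_refill = now;
  if (elapsed > UINT32_MAX)      /* keeps the sum below 2^64 */
    elapsed = UINT32_MAX;
  level = (uint64_t)c->bucket + elapsed * p->circ_rate;
  c->bucket = level > p->circ_burst ? p->circ_burst : (uint32_t)level;
}

/* First defense: returns 1 if the new connection is accepted. */
int dos_new_connection(const dos_params_t *p, client_stats_t *c)
{
  if (c->conns >= p->conn_max)
    return 0;
  c->conns++;
  return 1;
}

/* Second defense: returns 1 if a CREATE cell arriving at `now` is accepted. */
int dos_new_circuit(const dos_params_t *p, client_stats_t *c, uint64_t now)
{
  if (now < c->blocked_until)
    return 0;
  bucket_refill(p, c, now);
  if (c->bucket > 0) {
    c->bucket--;
    return 1;
  }
  if (c->conns < p->circ_min_conns)  /* too few connections to be flagged */
    return 1;
  c->blocked_until = now + p->defense_secs;
  return 0;
}

/* Drivers: count how many of `attempts` are accepted. */
int simulate_connections(const dos_params_t *p, client_stats_t *c, int attempts)
{
  int ok = 0;
  while (attempts-- > 0)
    ok += dos_new_connection(p, c);
  return ok;
}

int simulate_circuits(const dos_params_t *p, client_stats_t *c, int attempts,
                      uint64_t now)
{
  int ok = 0;
  while (attempts-- > 0)
    ok += dos_new_circuit(p, c, now);
  return ok;
}

int main(void)
{
  dos_params_t p = dos_defaults();
  client_stats_t c = client_init(&p, 1000);

  printf("connections accepted: %d of 150\n", simulate_connections(&p, &c, 150));
  printf("circuits accepted: %d of 200\n", simulate_circuits(&p, &c, 200, 1000));
  printf("accepted one second later: %d\n", dos_new_circuit(&p, &c, 1001));
  return 0;
}
```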

Source: https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915

Tor Browser 8.0a2 is released

Tor Browser 8.0a2 is now available from the Tor Browser Project page and also from our distribution directory.

This release includes Tor 0.3.3.2-alpha. In addition we update HTTPS Everywhere to 2018.1.29, NoScript to 5.1.8.4, meek to 0.29, and we include various other fixes and improvements.

The full changelog since Tor Browser 8.0a1 is:

  • All Platforms
    • Update Tor to 0.3.3.2-alpha
    • Update Torbutton to 1.9.9
      • Bug 24159: Version check does not deal with platform specific checks
      • Bug 25016: Remove 2017 donation banner
      • Translations update
    • Update Tor Launcher to 0.2.15
      • Bug 25089: Special characters are not escaped in proxy password
      • Translations update
    • Update HTTPS Everywhere to 2018.1.29
    • Update NoScript to 5.1.8.4
    • Update meek to 0.29
    • Bug 25215: Revert bug 18619 (we are not disabling IndexedDB any longer)
    • Bug 19910: Rip out optimistic data socks handshake variant (#3875)
    • Bug 22659: Changes to `intl.accept.languages` get overwritten after restart
    • Bug 25000: Add [System+Principal] to the NoScript whitelist
    • Bug 15599: Disable Range requests used by pdfjs as they are not isolated
    • Bug 22614: Make e10s/non-e10s Tor Browsers indistinguishable
    • Bug 13575: Disable randomised Firefox HTTP cache decay user tests
    • Bug 25020: Add a tbb_version.json file
    • Bug 24995: Include git hash in tor --version
  • OS X
    • Bug 22794: Don’t open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
  • Linux
    • Bug 22794: Don’t open AF_INET/AF_INET6 sockets when AF_LOCAL is configured
  • Windows:
    • Bug 25266: PT config should include full names of executable files
  • Build System
    • Windows
      • Bug 25111: Don’t compile Yasm on our own anymore for Windows Tor Browser

Source: https://blog.torproject.org/tor-browser-80a2-released

Tor 0.3.3.1-alpha is released: back to unstable development!

Hi!  There’s a new alpha release available for download.  If you build Tor from source, you can download the source code for 0.3.3.1-alpha from the usual place on the website.  Packages should be available over the coming weeks, with a new alpha Tor Browser release some time in February.

Remember, this is an alpha release: you should only run this if you’d like to find and report more bugs than usual.

Tor 0.3.3.1-alpha is the first release in the 0.3.3.x series. It adds several new features to Tor, including several improvements to bootstrapping, and support for an experimental “vanguards” feature to resist guard discovery attacks. This series also includes better support for applications that need to embed Tor or manage v3 onion services.

Changes in version 0.3.3.1-alpha - 2018-01-25

  • Major features (embedding):
    • There is now a documented stable API for programs that need to embed Tor. See tor_api.h for full documentation and known bugs. Closes ticket 23684.
    • Tor now has support for restarting in the same process. Controllers that run Tor using the “tor_api.h” interface can now restart Tor after Tor has exited. This support is incomplete, however: we fixed crash bugs that prevented it from working at all, but many bugs probably remain, including a possibility of security issues. Implements ticket 24581.
  • Major features (IPv6, directory documents):
    • Add consensus method 27, which adds IPv6 ORPorts to the microdesc consensus. This information makes it easier for IPv6 clients to bootstrap and choose reachable entry guards. Implements 23826.
    • Add consensus method 28, which removes IPv6 ORPorts from microdescriptors. Now that the consensus contains IPv6 ORPorts, they are redundant in microdescs. This change will be used by Tor clients on 0.2.8.x and later. (That is to say, with all Tor clients having IPv6 bootstrap and guard support.) Implements 23828.
    • Expand the documentation for AuthDirHasIPv6Connectivity when it is set by different numbers of authorities. Fixes 23870 on 0.2.4.1-alpha.
  • Major features (onion service v3, control port):
    • The control port now supports commands and events for v3 onion services. It is now possible to create ephemeral v3 services using ADD_ONION. Additionally, several events (HS_DESC, HS_DESC_CONTENT, CIRC and CIRC_MINOR) and commands (GETINFO, HSPOST, ADD_ONION and DEL_ONION) have been extended to support v3 onion services. Closes ticket 20699; implements proposal 284.
  • Major features (onion services):
    • Provide torrc options to pin the second and third hops of onion service circuits to a list of nodes. The option HSLayer2Guards pins the second hop, and the option HSLayer3Guards pins the third hop. These options are for use in conjunction with experiments with “vanguards” for preventing guard enumeration attacks. Closes ticket 13837.
  • Major features (rust, portability, experimental):
    • Tor now ships with an optional implementation of one of its smaller modules (protover.c) in the Rust programming language. To try it out, install a Rust build environment, and configure Tor with “--enable-rust --enable-cargo-online-mode”. This should not cause any user-visible changes, but should help us gain more experience with Rust, and plan future Rust integration work. Implementation by Chelsea Komlo. Closes ticket 22840.
  • Major features (storage, configuration):
    • Users can store cached directory documents somewhere other than the DataDirectory by using the CacheDirectory option. Similarly, the storage location for relay’s keys can be overridden with the KeyDirectory option. Closes ticket 22703.
  • Major features (v3 onion services, ipv6):
    • When v3 onion service clients send introduce cells, they now include the IPv6 address of the rendezvous point, if it has one. Current v3 onion services running 0.3.2 ignore IPv6 addresses, but in future Tor versions, IPv6-only v3 single onion services will be able to use IPv6 addresses to connect directly to the rendezvous point. Closes ticket 23577. Patch by Neel Chauhan.
  • Major bugfixes (onion services, retry behavior):
    • Fix an “off by 2” error in counting rendezvous failures on the onion service side. While we thought we would stop the rendezvous attempt after one failed circuit, we were actually making three circuit attempts before giving up. Now switch to a default of 2, and allow the consensus parameter “hs_service_max_rdv_failures” to override. Fixes bug 24895; bugfix on 0.0.6.
    • New-style (v3) onion services now obey the “max rendezvous circuit attempts” logic. Previously they would make as many rendezvous circuit attempts as they could fit in the MAX_REND_TIMEOUT second window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
  • Major bugfixes (relays):
    • Fix a set of false positives where relays would consider connections to other relays as being client-only connections (and thus e.g. deserving different link padding schemes) if those relays fell out of the consensus briefly. Now we look only at the initial handshake and whether the connection authenticated as a relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
  • Minor feature (IPv6):
    • Make IPv6-only clients wait for microdescs for relays, even if we were previously using descriptors (or were using them as a bridge) and have a cached descriptor for them. Implements 23827.
    • When a consensus has IPv6 ORPorts, make IPv6-only clients use them, rather than waiting to download microdescriptors. Implements 23827.
  • Minor features (cleanup):
    • Tor now deletes the CookieAuthFile and ExtORPortCookieAuthFile when it stops. Closes ticket 23271.
  • Minor features (defensive programming):
    • Most of the functions in Tor that free objects have been replaced with macros that free the objects and set the corresponding pointers to NULL. This change should help prevent a large class of dangling pointer bugs. Closes ticket 24337.
    • Where possible, the tor_free() macro now only evaluates its input once. Part of ticket 24337.
    • Check that microdesc ed25519 ids are non-zero in node_get_ed25519_id() before returning them. Implements 24001, patch by “aruna1234”.
  • Minor features (directory authority):
    • Make the “Exit” flag assignment only depend on whether the exit policy allows connections to ports 80 and 443. Previously relays would get the Exit flag if they allowed connections to one of these ports and also port 6667. Resolves ticket 23637.
  • Minor features (embedding):
    • Tor can now start with a preauthenticated control connection created by the process that launched it. This feature is meant for use by programs that want to launch and manage a Tor process without allowing other programs to manage it as well. For more information, see the __OwningControllerFD option documented in control-spec.txt. Closes ticket 23900.
    • On most errors that would cause Tor to exit, it now tries to return from the tor_main() function, rather than calling the system exit() function. Most users won’t notice a difference here, but it should make a significant difference for programs that run Tor inside a separate thread: they should now be able to survive Tor’s exit conditions rather than having Tor shut down the entire process. Closes ticket 23848.
    • Applications that want to embed Tor can now tell Tor not to register any of its own POSIX signal handlers, using the __DisableSignalHandlers option. Closes ticket 24588.
  • Minor features (fallback directory list):
    • Avoid selecting fallbacks that change their IP addresses too often. Select more fallbacks by ignoring the Guard flag, and allowing lower cutoffs for the Running and V2Dir flags. Also allow a lower bandwidth, and a higher number of fallbacks per operator (5% of the list). Implements ticket 24785.
    • Update the fallback whitelist and blacklist based on opt-ins and relay changes. Closes tickets 22321, 24678, 22527, 24135, and 24695.
  • Minor features (fallback directory mirror configuration):
    • Add a nickname to each fallback in a C comment. This makes it easier for operators to find their relays, and allows stem to use nicknames to identify fallbacks. Implements ticket 24600.
    • Add a type and version header to the fallback directory mirror file. Also add a delimiter to the end of each fallback entry. This helps external parsers like stem and Relay Search. Implements ticket 24725.
    • Add an extrainfo cache flag for each fallback in a C comment. This allows stem to use fallbacks to fetch extra-info documents, rather than using authorities. Implements ticket 22759.
    • Add the generateFallbackDirLine.py script for automatically generating fallback directory mirror lines from relay fingerprints. No more typos! Add the lookupFallbackDirContact.py script for automatically looking up operator contact info from relay fingerprints. Implements ticket 24706, patch by teor and atagar.
    • Reject any fallback directory mirror that serves an expired consensus. Implements ticket 20942, patch by “minik”.
    • Remove commas and equals signs from external string inputs to the fallback list. This avoids format confusion attacks. Implements ticket 24726.
    • Remove the “weight=10” line from fallback directory mirror entries. Ticket 24681 will maintain the current fallback weights by changing Tor’s default fallback weight to 10. Implements ticket 24679.
    • Stop logging excessive information about fallback netblocks. Implements ticket 24791.
  • Minor features (forward-compatibility):
    • If a relay supports some link authentication protocol that we do not recognize, then include that relay’s ed25519 key when telling other relays to extend to it. Previously, we treated future versions as if they were too old to support ed25519 link authentication. Closes ticket 20895.
  • Minor features (heartbeat):
    • Add onion service information to our heartbeat logs, displaying stats about the activity of configured onion services. Closes ticket 24896.
  • Minor features (instrumentation, development):
    • Add the MainloopStats option to allow developers to get instrumentation information from the main event loop via the heartbeat messages. We hope to use this to improve Tor’s behavior when it’s trying to sleep. Closes ticket 24605.
  • Minor features (log messages):
    • Improve a warning message that happens when we fail to re-parse an old router because of an expired certificate. Closes ticket 20020.
    • Make the log more quantitative when we hit MaxMemInQueues threshold exposing some values. Closes ticket 24501.
  • Minor features (logging, android):
    • Added support for the Android logging subsystem. Closes ticket 24362.
  • Minor features (performance):
    • Support predictive circuit building for onion service circuits with multiple layers of guards. Closes ticket 23101.
    • Use stdatomic.h where available, rather than mutexes, to implement atomic_counter_t. Closes ticket 23953.
  • Minor features (performance, 32-bit):
    • Improve performance on 32-bit systems by avoiding 64-bit division when calculating the timestamp in milliseconds for channel padding computations. Implements ticket 24613.
    • Improve performance on 32-bit systems by avoiding 64-bit division when timestamping cells and buffer chunks for OOM calculations. Implements ticket 24374.
  • Minor features (performance, OSX, iOS):
    • Use the mach_approximate_time() function (when available) to implement coarse monotonic time. Having a coarse time function should avoid a large number of system calls, and improve performance slightly, especially under load. Closes ticket 24427.
  • Minor features (performance, windows):
    • Improve performance on Windows Vista and Windows 7 by adjusting TCP send window size according to the recommendation from SIO_IDEAL_SEND_BACKLOG_QUERY. Closes ticket 22798. Patch from Vort.
  • Minor features (relay):
    • Implement an option, ReducedExitPolicy, to allow a Tor exit relay operator to use a more reasonable (“reduced”) exit policy, rather than the default one. If you want to run an exit node without thinking too hard about which ports to allow, this one is for you. Closes ticket 13605. Patch from Neel Chauhan.
  • Minor features (testing, debugging, embedding):
    • For development purposes, Tor now has a mode in which it runs for a few seconds, then stops, and starts again without exiting the process. This mode is meant to help us debug various issues with ticket 23847. To use this feature, compile with --enable-restart-debugging, and set the TOR_DEBUG_RESTART environment variable. This is expected to crash a lot, and is really meant for developers only. It will likely be removed in a future release. Implements ticket 24583.
  • Minor bugfix (network IPv6 test):
    • Tor’s test scripts now check if “ping -6 ::1” works when the user runs “make test-network-all”. Fixes bug 24677; bugfix on 0.2.9.3-alpha. Patch by “ffmancera”.
  • Minor bugfixes (build, rust):
    • Fix output of autoconf checks to display success messages for Rust dependencies and a suitable rustc compiler version. Fixes bug 24612; bugfix on 0.3.1.3-alpha.
    • When building with Rust on OSX, link against libresolv, to work around the issue at https://github.com/rust-lang/rust/issues/46797. Fixes bug 24652; bugfix on 0.3.1.1-alpha.
    • Don’t pass the --quiet option to cargo: it seems to suppress some errors, which is not what we want to do when building. Fixes bug 24518; bugfix on 0.3.1.7.
    • Build correctly when building from outside Tor’s source tree with the TOR_RUST_DEPENDENCIES option set. Fixes bug 22768; bugfix on 0.3.1.7.
  • Minor bugfixes (directory authorities, IPv6):
    • When creating a routerstatus (vote) from a routerinfo (descriptor), set the IPv6 address to the unspecified IPv6 address, and explicitly initialize the port to zero. Fixes bug 24488; bugfix on 0.2.4.1-alpha.
  • Minor bugfixes (fallback directory mirrors):
    • Make updateFallbackDirs.py search harder for python. (Some OSs don’t put it in /usr/bin.) Fixes bug 24708; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (hibernation, bandwidth accounting, shutdown):
    • When hibernating, close connections normally and allow them to flush. Fixes bug 23571; bugfix on 0.2.4.7-alpha. Also fixes bug 7267.
    • Do not attempt to launch self-reachability tests when entering hibernation. Fixes a case of bug 12062; bugfix on 0.0.9pre5.
    • Resolve several bugs related to descriptor fetching on bridge clients with bandwidth accounting enabled. (This combination is not recommended!) Fixes a case of bug 12062; bugfix on 0.2.0.3-alpha.
    • When hibernating, do not attempt to launch DNS checks. Fixes a case of bug 12062; bugfix on 0.1.2.2-alpha.
    • When hibernating, do not try to upload or download descriptors. Fixes a case of bug 12062; bugfix on 0.0.9pre5.
  • Minor bugfixes (IPv6, bridges):
    • Tor now always sets IPv6 preferences for bridges. Fixes bug 24573; bugfix on 0.2.8.2-alpha.
    • Tor now sets IPv6 address in the routerstatus as well as in the router descriptors when updating addresses for a bridge. Closes ticket 24572; bugfix on 0.2.4.5-alpha. Patch by “ffmancera”.
  • Minor bugfixes (linux seccomp2 sandbox):
    • When running with the sandbox enabled, reload configuration files correctly even when %include was used. Previously we would crash. Fixes bug 22605; bugfix on 0.3.1. Patch from Daniel Pinto.
  • Minor bugfixes (memory leaks):
    • Avoid possible at-exit memory leaks related to use of Libevent’s event_base_once() function. (This function tends to leak memory if the event_base is closed before the event fires.) Fixes bug 24584; bugfix on 0.2.8.1-alpha.
    • Fix a harmless memory leak in tor-resolve. Fixes bug 24582; bugfix on 0.2.1.1-alpha.
  • Minor bugfixes (OSX):
    • Don’t exit the Tor process if setrlimit() fails to change the file limit (which can happen sometimes on some versions of OSX). Fixes bug 21074; bugfix on 0.0.9pre5.
  • Minor bugfixes (performance, fragile-hardening):
    • Improve the performance of our consensus-diff application code when Tor is built with the --enable-fragile-hardening option set. Fixes bug 24826; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (performance, timeouts):
    • Consider circuits for timeout as soon as they complete a hop. This is more accurate than applying the timeout in circuit_expire_building() because that function is only called once per second, which is now too slow for typical timeouts on the current network. Fixes bug 23114; bugfix on 0.2.2.2-alpha.
    • Use onion service circuits (and other circuits longer than 3 hops) to calculate a circuit build timeout. Previously, Tor only calculated its build timeout based on circuits that planned to be exactly 3 hops long. With this change, we include measurements from all circuits at the point where they complete their third hop. Fixes bug 23100; bugfix on 0.2.2.2-alpha.
  • Minor bugfixes (testing):
    • Give out Exit flags in bootstrapping networks. Fixes bug 24137; bugfix on 0.2.3.1-alpha.
    • Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug 25005; bugfix on 0.3.2.7-rc.
  • Code simplification and refactoring:
    • Remove /usr/athena from search path in configure.ac. Closes ticket 24363.
    • Remove duplicate code in node_has_curve25519_onion_key() and node_get_curve25519_onion_key(), and add a check for a zero microdesc curve25519 onion key. Closes ticket 23966, patch by “aruna1234” and teor.
    • Rewrite channel_rsa_id_group_set_badness to reduce temporary memory allocations with large numbers of OR connections (e.g. relays). Closes ticket 24119.
    • Separate the function that deletes ephemeral files when Tor stops gracefully.
    • Small changes to Tor’s buf_t API to make it suitable for use as a general-purpose safe string constructor. Closes ticket 22342.
    • Switch -Wnormalized=id to -Wnormalized=nfkc in configure.ac to avoid source code identifier confusion. Closes ticket 24467.
    • The tor_git_revision[] constant no longer needs to be redeclared by everything that links against the rest of Tor. Done as part of ticket 23845, to simplify our external API.
    • We make extend_info_from_node() use node_get_curve25519_onion_key() introduced in ticket 23577 to access the curve25519 public keys rather than accessing it directly. Closes ticket 23760. Patch by Neel Chauhan.
    • Add a function to log channels’ scheduler state changes to aid debugging efforts. Closes ticket 24531.
  • Documentation:
    • Add documentation on how to build tor with Rust dependencies without having to be online. Closes ticket 22907; bugfix on 0.3.0.3-alpha.
    • Clarify the behavior of RelayBandwidth{Rate,Burst} with client traffic. Closes ticket 24318.
    • Document that OutboundBindAddress doesn’t apply to DNS requests. Closes ticket 22145. Patch from Aruna Maurya.
    • Document that operators who run more than one relay or bridge are expected to set MyFamily and ContactInfo correctly. Closes ticket 24526.
  • Code simplification and refactoring (channels):
    • Remove the incoming and outgoing channel queues. These were never used, but still took up a step in our fast path.
    • The majority of the channel unit tests have been rewritten and the code coverage has now been raised to 83.6% for channel.c. Closes ticket 23709.
    • Remove other dead code from the channel subsystem. Altogether, this cleanup has removed more than 1500 lines of code and added very little except for unit tests.
  • Code simplification and refactoring (circuit rendezvous):
    • Split the client-side rendezvous circuit lookup into two functions: one that returns only established circuits and another that returns all kinds of circuits. Closes ticket 23459.
  • Code simplification and refactoring (controller):
    • Make most of the variables in networkstatus_getinfo_by_purpose() const. Implements ticket 24489.

 

Source: https://blog.torproject.org/tor-0331-alpha-released-back-unstable-development

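Illustrated tutorial: one-click Shadowsocks setup from BandwagonHost's official panel, with Google BBR acceleration, so phones and computers can all get past the firewall (coupon code included)

BandwagonHost's official VPS website is in English, and many people are at a loss when they see it. So I wrote this illustrated purchase guide for new users, to make buying a BandwagonHost VPS easier.

Note: before buying, have Alipay ready; you will need it to pay later.

I have revised this tutorial more than ten times in all. As long as you follow it step by step, there will be absolutely no problem.

Step 1: Choose the VPS plan you need

First, pick the memory, traffic and disk plan you need from the list of BandwagonHost's latest special-offer plans, then click the direct plan link underneath to go and buy.

From the 6 VPS plans below, choose the memory, traffic and disk plan you need. You must click the direct plan link underneath in order to buy, because that way you do not have to enter a CAPTCHA when registering or logging in (otherwise the CAPTCHA is blocked by the firewall). Also, if you see the message "out of stock", that plan is sold out; in that case pick another plan for now, since you can change plans later.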

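Recommended: 49.99-per-year plan (KVM architecture, 6 data centers)

  • Memory: 1024MB
  • Disk: 20GB SSD
  • Traffic: 1000GB/month
  • Price: $4.99/month ($49.99/year)

Direct plan link (KVM architecture, 6 data centers)

19.99-per-year plan (Los Angeles)

  • Memory: 512MB
  • Disk: 10GB SSD
  • Traffic: 1000GB/month
  • Price: $19.99/year

Direct plan link (Los Angeles)

39.99-per-year plan (Los Angeles)

  • Memory: 1024MB
  • Disk: 20GB SSD
  • Traffic: 2000GB/month
  • Price: $39.99/year

Direct plan link (Los Angeles)

19.99-per-year plan (Fremont)

  • Memory: 512MB
  • Disk: 10GB SSD
  • Traffic: 1000GB/month
  • Price: $19.99/year

Direct plan link (Fremont)

49.99-per-year plan (Fremont)

  • Memory: 1024MB
  • Disk: 20GB SSD
  • Traffic: 2000GB/month
  • Price: $49.99/year

Direct plan link (Fremont)

19.99-per-year plan (8 data centers)

  • Memory: 512MB
  • Disk: 10GB SSD
  • Traffic: 500GB/month
  • Price: $19.99/year

Direct plan link (8 data centers, preferred)

49.99-per-year plan (8 data centers)

  • Memory: 1024MB
  • Disk: 20GB SSD
  • Traffic: 1000GB/month
  • Price: $4.99/month ($49/year)

Direct plan link (8 data centers, preferred)

9.99-per-month plan (8 data centers)

  • Memory: 2048MB
  • Disk: 40GB SSD
  • Traffic: 2000GB/month
  • Price: $9.99/month ($99/year)

Direct plan link (8 data centers, preferred)

18.99-per-year plan (Phoenix)

  • Memory: 1024MB
  • Disk: 20GB SSD
  • Traffic: 2000GB/month
  • Price: $18.99/year

Direct plan link (Phoenix)

Reminder: even after buying a low-end plan, you can later upgrade to another plan, and likewise downgrade to a lower one.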

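Step 2: Choose the billing cycle and data center location

After clicking the direct link, you are taken to the screen shown in the figure below. Following the markings in the figure, first choose the billing cycle: monthly, quarterly, semi-annual and annual are all possible, and annual is recommended as the better value. Then choose US – Los Angeles DC QNET as the data center location, and finally click the Add to Cart button to continue.

About the data center location above: if the US – Los Angeles DC QNET option is offered, choose it; if not, keep the default.

Step 3: Check the price and enter the coupon code

After clicking the Add to Cart button, you are taken to the screen shown in the figure below. Following the figure, first enter the latest coupon code given below, then click the Validate Code button to validate it, and finally click the Checkout button to continue.

Latest working BandwagonHost coupon code: at present the coupon code BWH1ZBPVK saves 6% of the cost.

Step 4: Log in or register a BandwagonHost account

After clicking the Checkout button, you are taken to the screen shown in the figure below. Fill it in following the order of the numbers in the figure: first enter your personal information (if you already have an account, click the Click here to login button to log in), click Update when done, then choose Alipay as the payment method, tick the box in front of I have read and agree the Terms of Service, and finally click the Complete Order button to continue.

Note: be sure to select China as the country and do not pick one at random; this avoids having the service suspended later.

Step 5: Pay with Alipay

After clicking the Complete Order button, you are taken to the screen shown in the figure below. Following the figure, click the Pay now button to continue.

After clicking the Pay now button, you are taken to the screen shown in the figure below. Following the figure, pay by scanning the code with Alipay on your phone or by logging in to Alipay on your computer.

About three minutes after the payment completes, log in to BandwagonHost (login address) and click the [Client Area] button at the top right, as shown below:

You are taken to the login screen. Enter your e-mail address and password (the password you entered when registering) and click the [Login] button, as shown below:

Then, following the figure below, you can see the product you bought, and you can also log in to the control panel to use it.

After clicking the KiwiVM Control Panel button you are taken to the screen shown in the figure below. First note that the third line reads IP address: XX.XX.XX.XX; this XX.XX.XX.XX is the IP address of your VPS. It is best to write it down, because it is needed at the end of the tutorial to make the connection. Then, following the figure, click the stop button to stop the server.

After stopping the server with the stop button, follow the figure below: first click Install new OS on the left, then select centos-6-x86_64-bbr, then tick I agree that all existing data on my VPS will be lost, and finally click the Reload button to reinstall the system as 64-bit CentOS 6.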

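Step 3: Install 5had0ws0cks

After clicking the Reload button, wait patiently for three minutes until the system has been reinstalled. Following the figure below, first click 5had0ws0cksR Server, then click the Install 5had0ws0cksR Server button to continue.

After you click the Install 5had0ws0cksR Server button, the system installs 5had0ws0cksR automatically. Following the figure below, click the Go back button to continue.

After clicking the Go back button you are taken to the screen shown in the figure below. Following the figure, save the encryption method, connection port and connection password to a text file or some other place where you can find them easily. If you do not yet have a phone or computer client, you can also download one from the links below.

Normally the connection does not succeed at this point. Following the figure below, first stop the service and then start it again; after that the connection succeeds.



You can also download the client here: Shadowsocks (SS) desktop client for Windows and Mac OS X:

Windows, Mac OS X:

https://sourceforge.net/projects/shadowsocksgui/files/dist/

(Tip: once the page is open, Windows XP and 7 users download Shadowsocks-win-x.x.x.zip; Windows 8 users download Shadowsocks-win-dotnet4.0-x.x.x.zip.)

For other clients (iPhone, Android phones, Linux), download here:

https://shadowsocks.org/en/download/clients.html
To get past the firewall on an iPhone that is not jailbroken, first set up your own node following the tutorial above. Then download PP Assistant (PP助手) on your computer, connect the phone to the computer with a data cable, and install PP Assistant on the phone. Once it is installed on the phone, open it, then search for, download and install Shadowrocket. After installation, fill in the details of the node you set up in the tutorial above, and you can get past the firewall. For the detailed steps, see this tutorial: http://archive.is/P4pFF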

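The following uses Windows as the example; the other systems work along the same lines.
First download the client and unzip it, then double-click shadowsocks.exe to run it.

1. After it opens, fill in the SS server information as follows:
Server IP: the IP address of your VPS that you noted at the start;
Server port: the SS connection port you noted above;
Password: the SS connection password you noted above;
Encryption: aes-256-cfb;
Proxy port: 1080;
Remarks: anything you like

Click OK.

Find the SS icon in the taskbar at the bottom right of the screen, right-click it and click Enable System Proxy. That is all; try opening Google.

At this point, congratulations, you are done.

To avoid losing data because you forgot to renew and the account was deleted on expiry, you can top up your BandwagonHost account in advance; when renewal is due, the fee is then deducted automatically from the account balance.
To top up, click the Billing menu (as shown below) and click Add funds. In the Amount to Add field you can enter any amount between 10 and 500 US dollars, then under Payment Method choose Alipay (as shown below), PayPal or credit card, and finally click the Add Funds button at the very bottom to complete the top-up.

I hope everyone who wants to set this up can do so with my tutorial. Please help share circumvention techniques so that more people can see the outside world; a single spark can start a prairie fire.

Anyone who runs into problems can leave a comment below. I will do my best to help, so that users behind the firewall can all breathe the air of a free Internet.

Source: http://program-thinker.blogspot.com/2014/12/bandwagonhost-SS-Shadowsocks.html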

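Three modified SSR builds found so far, in which PAC updating and the like work

1. SSRR, the fork that took over the project, from Akkariiin
https://github.com/shadowsocksrr/shadowsocksr-csharp/releases
Changes:
1. Adds auth_chain_c and auth_chain_d support
2. Fixes PAC updating

2. Heavily modified SSR build, from Azure99
https://github.com/Azure99/ShadowSocksRCsM/releases
Changes:
1. Adds a test of whether the current network status is normal (through the proxy)
2. Some usability settings
3. Fixes PAC updating

3. Fixed SSR build, from Readour
https://github.com/Readour/ShadowsocksR-Csharp/releases
Changes:
1. Makes the logo on the right smaller
2. Fixes PAC updating

Source: https://plus.google.com/u/0/116188780692588660963?cfem=1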

Tor Browser 8.0a1 is released

Tor Browser 8.0a1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 8.0a1 is the first alpha release in the 8.0 series. Apart from the usual Firefox security updates we have included the new stable Tor, 0.3.2.9, and updated Torbutton and Tor Launcher to the same version shipped in Tor Browser 7.5.

We added a new MAR signing key following our plan to yearly rotate one of our update signing keys and included a patch contributed by ffmancera (thanks!) dealing with possible fingerprinting by checking video decoding performance: before Tor Browser 8.0a1 users were getting videos in a different format depending on the performance of the decoding.

On the build side it is noteworthy that starting with this alpha release all bundles are built on some Debian version. If you notice some issues on Windows (those bundles were previously built on Ubuntu Precise), let us know.

The full changelog since Tor Browser 7.5a10 is:

  • All Platforms
    • Update Firefox to 52.6.0esr
    • Update Tor to 0.3.2.9
    • Update Torbutton to 1.9.8.5
      • Bug 21245: Add da translation to Torbutton and keep track of it
      • Bug 24702: Remove Mozilla text from banner
      • Translations update
    • Update Tor Launcher to 0.2.14.3
      • Translations update
    • Update HTTPS Everywhere to 2018.1.11
    • Bug 24756: Add noisebridge01 obfs4 bridge configuration
    • Bug 23916: Add new MAR signing key
    • Bug 22548: Firefox downgrades VP9 videos to VP8 for some users
  • Windows
    • Bug 24197: Fix win64 sandbox compile issues
  • Build System
    • Windows
      • Bug 18691: switch Windows builds from precise to jessie
    • Linux
      • Bug 23892: Include Firefox and Tor debug files in final build directory
      • Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

Source: https://blog.torproject.org/tor-browser-80a1-released

Tor Browser 7.5 is released

by boklm | January 23, 2018

The Tor Browser Team is proud to announce the first stable release in the 7.5 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Apart from the usual Firefox security updates it contains some notable improvements compared to the 7.0 series. Here are the highlights:

  1. We redesigned parts of the Tor Browser user interface. One of the major improvements for our users is our new Tor Launcher experience. This work is based on the findings published at ‘A Usability Evaluation of Tor Launcher’, a paper done by Linda Lee et al. In our work we iterated on the redesign proposed by the research, improving it even further. Here are the main changes we would like to highlight:

    Welcome Screen

    Our old screen had way too much information for the users, leading many of them to spend a great deal of time confused about what to do. Some users in the paper's experiment spent up to 40min confused about what they needed to be doing here. Besides simplifying the screen and the message, to make it easier for the user to know if they need to configure anything or not, we also did a ‘brand refresh’ bringing our logo to the launcher.

    Censorship circumvention configuration

    This is one of the most important steps for a user who is trying to connect to Tor while their network is censoring Tor. We also worked really hard to make sure the UI text would make it easy for the user to understand what a bridge is for and how to configure to use one. Another update was a little tip we added at the drop-down menu (as you can see below) for which bridge to use in countries that have very sophisticated censorship methods.

    Proxy help information

    The proxy settings in our Tor Launcher configuration wizard are an important feature for users who are on a network that demands such configuration. But they can also lead to a lot of confusion if the user has no idea what a proxy is. Since it is a very important feature for users, we decided to keep it in the main configuration screen and introduced a help prompt with an explanation of when someone would need such configuration.

    As part of our work with the UX team, we will also be coordinating user testing of this new UI to continue iterating and make sure we are always improving our users’ experience. We are also planning a series of improvements not only for the Tor Launcher flow but for the whole browser experience (once you are connected to Tor) including a new user onboarding flow. And last but not least we are streamlining both our mobile and desktop experience: Tor Browser 7.5 adapted the security slider design we did for mobile bringing the improved user experience to the desktop as well.

  2. We ship the first release in Tor’s 0.3.2 series, 0.3.2.9. This release includes support for the Next Generation of Onion Services.
  3. On the security side we enabled content sandboxing on Windows and fixed remaining issues on Linux that prevented printing to file from working properly. Additionally, we improved the compiler hardening on macOS and fixed holes in the W^X mitigation on Windows.
  4. We finally moved away from Gitian/tor-browser-bundle as the base of our reproducible builds environment. Over the past weeks and months rbm/tor-browser-build got developed, making it much easier to reproduce Tor Browser builds and to add reproducible builds for new platforms and architectures. This will allow us to ship 64bit bundles for Windows (currently available in the alpha series) and bundles for Android on the same day as the release for the current platforms/architectures is getting out.

The full changelog since Tor Browser 7.0.11 is:

  • All Platforms
    • Update Firefox to 52.6.0esr
    • Update Tor to 0.3.2.9
    • Update OpenSSL to 1.0.2n
    • Update Torbutton to 1.9.8.5
      • Bug 21847: Update copy for security slider
      • Bug 21245: Add da translation to Torbutton and keep track of it
      • Bug 24702: Remove Mozilla text from banner
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update Tor Launcher to 0.2.14.3
      • Bug 23262: Implement integrated progress bar
      • Bug 23261: implement configuration portion of new Tor Launcher UI
      • Bug 24623: Revise “country that censors Tor” text
      • Bug 24624: tbb-logo.svg may cause network access
      • Bug 23240: Retrieve current bootstrap progress before showing progress bar
      • Bug 24428: Bootstrap error message sometimes lost
      • Bug 22232: Add README on use of bootstrap status messages
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update HTTPS Everywhere to 2018.1.11
    • Update NoScript to 5.1.8.3
    • Bug 23104: CSS line-height reveals the platform Tor Browser is running on
    • Bug 24398: Plugin-container process exhausts memory
    • Bug 22501: Requests via javascript: violate FPI
    • Bug 24756: Add noisebridge01 obfs4 bridge configuration
  • Windows
    • Bug 16010: Enable content sandboxing on Windows
    • Bug 23230: Fix build error on Windows 64
  • OS X
    • Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
    • Bug 23025: Add some hardening flags to macOS build
  • Linux
    • Bug 23970: Make “Print to File” work with sandboxing enabled
    • Bug 23016: “Print to File” is broken on some non-english Linux systems
    • Bug 10089: Set middlemouse.contentLoadURL to false by default
    • Bug 18101: Suppress upload file dialog proxy bypass (linux part)
  • Android
  • Build System
    • All Platforms
      • Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
    • Windows
    • Linux
      • Bug 20929: Bump GCC version to 5.4.0
      • Bug 23892: Include Firefox and Tor debug files in final build directory
      • Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

Source: https://blog.torproject.org/tor-browser-75-released

vpngate-build-9656

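Download VPN Gate Client (Windows, freeware)

Installs SoftEther VPN Client with the VPN Gate Client plug-in. With simple configuration it connects to one of VPN Gate's public VPN relay servers, and the throughput of VPN traffic is higher than with L2TP, OpenVPN or SSTP. The binary files are countersigned by Symantec.

You are lucky that you can download the VPN client program. Some countries, for example in the Middle East, block the download URL.
This VPN client program is free. You may distribute it. Please upload it to websites in your country to help the people around you.
Use upload sites inside your country. We love the Internet users in your country. We want to help them.

  • How to install and use
  • Redistributable files
    This software is free. You may copy or distribute the downloaded files. You may upload them to other websites. If your government's firewall is malfunctioning for unknown reasons and the http://www.vpngate.net website cannot easily be reached from your country, publish the VPN Gate program files on websites in your country to help other users around you.
  • Notes
    Use the latest version whenever possible. If some day your government's firewall causes unknown errors and the VPN Gate Client software has problems, update VPN Gate to the latest version. In case the http://www.vpngate.net website becomes unreachable in the future because of a malfunction of your government's firewall, it is advisable to remember the list of mirror site URLs. The VPN Gate Client plug-in includes the VPN Gate service. It is disabled by default. You can activate it manually.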
  • About Anti-Virus software
    This program uses the network functions of the operating system because this is VPN software.
    Some anti-virus software or firewalls warn that such behavior might be dangerous.
    If your anti-virus disturbs the VPN function, add the VPN program file or the installer to the exception list.
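Download SoftEther VPN Server (freeware)

SoftEther VPN is free software developed at the University of Tsukuba, Japan. It is a high-performance VPN compatible with many kinds of devices. It supports Windows, Mac, smartphones and tablets (iPhone, iPad, Android, Windows RT), and Cisco or other VPN routers. SoftEther VPN also supports OpenVPN and MS-SSTP VPN clients. For details, visit http://www.softether.org/

A description of how to offer your computer as a VPN Gate VPN server: you can install SoftEther VPN Server and activate the VPN Gate service to have your computer host a VPN service as a member of the VPN Gate academic experiment.

Using Mac, iPhone / iPad or Android?
  • You can connect to VPN Gate over L2TP/IPsec using the L2TP/IPsec VPN client built into the operating system.
    More details
  • You can connect to VPN Gate using OpenVPN Client (by OpenVPN Technologies, Inc.).
    More details

Source: http://www.vpngate.net/cn/download.aspx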

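Support for the ten major proxy methods on common operating systems

√ means the system is supported; × means the system is not supported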

  Windows Mac OS X iOS Android Linux Router
Shadowsocks
ShadowsocksR
V2Ray
HTTPs/2 proxy
SSH Tunnel
Brook
GFW.Press
GoFlyway ×
PipeSocks ×
LightSword ×

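The systems above are iOS 9+ and Android 4+; Router takes OpenWRT as the example.

On iOS, the free Potatso Lite or the paid Shadowrocket can connect to SS and SSR. For V2Ray, Windows can use V2RayN, Mac can use V2RayX, Android can use V2RayNG, and iOS can use Kitsunebi, Shadowrocket or Pepi. HTTP/2 proxy and HTTPS proxy can be used directly on desktop systems with Google Chrome plus Proxy SwitchyOmega set to the HTTPS proxy protocol; on iOS the free Potatso Lite can be used, and on Android Drony can be used to set up an HTTPS proxy. Since the goproxy project stopped, building an HTTP/2 proxy with Caddy has become a good choice. For SSH proxying, Android can use Postern or Ki4a – SSH Tunnel, and iOS has SSH Tunnel. The official iOS client of GFW.Press (the "big killer") requires a jailbreak; without a jailbreak, Shadowrocket and NetShuttle support GFW.Press. On iOS, Shadowrocket and level.4 can connect to LightSword.

Listed here are mainly the 10 proxy methods currently used most for getting past the firewall. Besides these ten there are many other proxy methods that can be used for the same purpose, such as gost, GSnova, GoGoTunnel, uProxy, httpproxy, Go HTTP tunnel and Chisel.

Source: https://www.igfw.net/archives/13537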

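Support for the ten major VPN types on common operating systems

√ means built-in system support; 〇 means supported after installing software; × means not yet supported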

  Windows Mac OS X iOS Android Linux Router
PPTP 〇① 〇②
L2TP/IPsec
SSTP 〇③ × 〇④
IKEv2 〇⑤
IPSec 〇⑥
OpenVPN
SoftEther × 〇⑦
WireGuard ×⑧ × 〇⑨
AnyConnect
Tinc 〇⑩

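Windows takes Windows 7 and 10 as the example, Mac OS X and iOS both mean the latest release, and Router takes OpenWRT as the example.

Notes: ① newer Mac OS X releases removed PPTP support, which the paid app Shimo can work around; ② newer iOS releases removed PPTP support, and there are methods online for restoring PPTP support after jailbreaking; ③ Mac OS X can connect to SSTP with Easy SSTP or sstp-client; ④ Android can connect to SSTP with the paid app SSTP VPN Client; ⑤ Android can install strongSwan VPN Client to connect to IKEv2; ⑥ Windows can install Shrew Soft VPN or Cisco VPN client to connect to Cisco IPSec VPN; ⑦ requires compiling after rooting; ⑧ WireGuard support for Windows is still in the planning stage of development; ⑨ WireGuard support for Android is still at the experimental development stage and needs ROM support, with full Android support to be provided in the future; ⑩ requires installing Tinc after jailbreaking.

Listed here are mainly the 10 types of VPN connection currently used most for getting past the firewall. Besides these ten there are many other VPN types, such as ZeroTier, SigmaVPN, IPOP VPN, Hamachi, QuickTun, GoVPN, sshuttle, kytan and StealthVPN (a hardened OpenVPN).

Source: https://www.igfw.net/archives/13535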

Tor 0.3.2.9 is released: We have a new stable series!

After months of hard work, there’s a new stable Tor release series available!  If you build Tor from source, you can now download the source code for Tor 0.3.2.9 from the usual place on the website. Packages should become available over the coming days, including (we hope) a Tor Browser release before the end of the month.

Tor 0.3.2.9 is the first stable release in the 0.3.2 series.

The 0.3.2 series includes our long-anticipated new onion service design, with numerous security features. (For more information, see our blog post at https://blog.torproject.org/fall-harvest.) We also have a new circuit scheduler algorithm for improved performance on relays everywhere (see https://blog.torproject.org/kist-and-tell), along with many smaller features and bugfixes.

Per our stable release policy, we plan to support each stable release series for at least the next nine months, or for three months after the first stable release of the next series: whichever is longer. If you need a release with long-term support, we recommend that you stay with the 0.2.9 series.

Below is a list of the changes since 0.3.1.7. For a list of all changes since 0.3.2.8-rc, see the ChangeLog file.

Changes In Version 0.3.2.9 – 2018-01-09

  • Directory authority changes:
    • Add “Bastet” as a ninth directory authority to the default list. Closes ticket 23910.
    • The directory authority “Longclaw” has changed its IP address. Closes ticket 23592.
    • Remove longclaw’s IPv6 address, as it will soon change. Authority IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves 3/8 directory authorities with IPv6 addresses, but there are also 52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
    • Add an IPv6 address for the “bastet” directory authority. Closes ticket 24394.
  • Major features (next-generation onion services):
    • Tor now supports the next-generation onion services protocol for clients and services! As part of this release, the core of proposal 224 has been implemented and is available for experimentation and testing by our users. This newer version of onion services (“v3”) features many improvements over the legacy system, including:

      a) Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)

      b) Improved directory protocol, leaking much less information to directory servers.

      c) Improved directory protocol, with smaller surface for targeted attacks.

      d) Better onion address security against impersonation.

      e) More extensible introduction/rendezvous protocol.

      f) A cleaner and more modular codebase.

      You can identify a next-generation onion address by its length: they are 56 characters long, as in “4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion”.

      In the future, we will release more options and features for v3 onion services, but we first need a testing period, so that the current codebase matures and becomes more robust. Planned features include: offline keys, advanced client authorization, improved guard algorithms, and statistics. For full details, see proposal 224.

      Legacy (“v2”) onion services will still work for the foreseeable future, and will remain the default until this new codebase gets tested and hardened. Service operators who want to experiment with the new system can use the ‘HiddenServiceVersion 3’ torrc directive along with the regular onion service configuration options. For more information, see our blog post at https://blog.torproject.org/fall-harvest. Enjoy!
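The 56-character length mentioned above is only the first check a tool should make. The following is an added example, not code from these release notes or from Tor: it assumes the v3 address layout given in proposal 224 (base32 of a 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte), and the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac

ONION_SUFFIX = ".onion"
CHECKSUM_PREFIX = b".onion checksum"   # constant from proposal 224
V3_VERSION = 3
V3_LABEL_LEN = 56                      # 35 bytes -> 56 base32 characters


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = bytes([V3_VERSION])
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    label = base64.b32encode(pubkey + checksum + version).decode("ascii").lower()
    return label + ONION_SUFFIX


def inspect_v3(address: str) -> dict:
    """Split an address into pubkey / checksum / version and check the checksum.

    Raises ValueError when the name is not even shaped like a v3 address.
    """
    host = address.strip().lower().rstrip(".")
    if not host.endswith(ONION_SUFFIX):
        raise ValueError("not a .onion name")
    # Only the label directly left of ".onion" is the address; subdomains are ignored.
    label = host[: -len(ONION_SUFFIX)].rsplit(".", 1)[-1]
    if len(label) != V3_LABEL_LEN:
        raise ValueError("v3 label must be %d characters, got %d"
                         % (V3_LABEL_LEN, len(label)))
    try:
        # Rejects digits outside 2-7 and non-ASCII lookalike characters.
        raw = base64.b32decode(label.upper())
    except ValueError as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(
        CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]
    return {
        "pubkey": pubkey,
        "version": version,
        "checksum_ok": hmac.compare_digest(checksum, expected),
    }


def is_valid_v3(address: str) -> bool:
    """True only for a well-formed version-3 address with a matching checksum."""
    try:
        info = inspect_v3(address)
    except ValueError:
        return False
    return info["version"] == V3_VERSION and info["checksum_ok"]


if __name__ == "__main__":
    # Constructed key bytes, for illustration only (not a real service key).
    sample = encode_v3(bytes(range(32)))
    typo = ("b" if sample[0] != "b" else "c") + sample[1:]
    print(sample, is_valid_v3(sample))
    print(typo, is_valid_v3(typo))          # a mistyped character breaks the checksum
    print(is_valid_v3("abcdefghijklmnop.onion"))  # 16-character v2-style label
    # The address quoted in the release notes, split into its fields:
    print(inspect_v3("4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion"))
```

The checksum only catches mistyped or truncated addresses; it says nothing about who controls the key, so a full address still has to come from a trusted source.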

  • Major feature (scheduler, channel):
    • Tor now uses new schedulers to decide which circuits should deliver cells first, in order to improve congestion at relays. The first type is called “KIST” (“Kernel Informed Socket Transport”), and is only available on Linux-like systems: it uses feedback from the kernel to prevent the kernel’s TCP buffers from growing too full. The second new scheduler type is called “KISTLite”: it behaves the same as KIST, but runs on systems without kernel support for inspecting TCP implementation details. The old scheduler is still available, under the name “Vanilla”. To change the default scheduler preference order, use the new “Schedulers” option. (The default preference order is “KIST,KISTLite,Vanilla”.)

      Matt Traudt implemented KIST, based on research by Rob Jansen, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson. For more information, see the design paper at http://www.robgjansen.com/publications/kist-sec2014.pdf and the followup implementation paper at https://arxiv.org/abs/1709.01044. Closes ticket 12541. For more information, see our blog post at https://blog.torproject.org/kist-and-tell.

  • Major bugfixes (security, general):
    • Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.) Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
  • Major bugfixes (security, directory authority):
    • Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820.
  • Major bugfixes (security, onion service v2):
    • Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
    • When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA-encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor’s legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819.
  • Major bugfixes (security, relay):
    • When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
    • When running as a relay, make sure that we never choose ourselves as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  • Major bugfixes (bootstrapping):
    • Fetch descriptors aggressively whenever we lack enough to build circuits, regardless of how many descriptors we are missing. Previously, we would delay launching the fetch when we had fewer than 15 missing descriptors, even if some of those descriptors were blocking circuits from building. Fixes bug 23985; bugfix on 0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha, when we began treating missing descriptors from our primary guards as a reason to delay circuits.
    • Don’t try fetching microdescriptors from relays that have failed to deliver them in the past. Fixes bug 23817; bugfix on 0.3.0.1-alpha.
  • Major bugfixes (circuit prediction):
    • Fix circuit prediction logic so that a client doesn’t treat a port as being “handled” by a circuit if that circuit already has isolation settings on it. This change should make Tor clients more responsive by improving their chances of having a pre-created circuit ready for use when a request arrives. Fixes bug 18859; bugfix on 0.2.3.3-alpha.
  • Major bugfixes (exit relays, DNS):
    • Fix an issue causing DNS to fail on high-bandwidth exit nodes, making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for identifying and finding a workaround to this bug and to Moritz, Arthur Edelstein, and Roger for helping to track it down and analyze it.
  • Major bugfixes (relay, crash, assertion failure):
    • Fix a timing-based assertion failure that could occur when the circuit out-of-memory handler freed a connection’s output buffer. Fixes bug 23690; bugfix on 0.2.6.1-alpha.
  • Major bugfixes (usability, control port):
    • Report trusted clock skew indications as bootstrap errors, so controllers can more easily alert users when their clocks are wrong. Fixes bug 23506; bugfix on 0.1.2.6-alpha.
  • Minor features (bridge):
    • Bridge relays can now set the BridgeDistribution config option to add a “bridge-distribution-request” line to their bridge descriptor, which tells BridgeDB how they’d like their bridge address to be given out. (Note that as of Oct 2017, BridgeDB does not yet implement this feature.) As a side benefit, this feature provides a way to distinguish bridge descriptors from non-bridge descriptors. Implements ticket 18329.
    • When handling the USERADDR command on an ExtOrPort, warn when the transport provides a USERADDR with no port. In a future version, USERADDR commands of this format may be rejected. Detects problems related to ticket 23080.
  • Minor features (bug detection):
    • Log a warning message with a stack trace for any attempt to call get_options() during option validation. This pattern has caused subtle bugs in the past. Closes ticket 22281.
  • Minor features (build, compilation):
    • The “check-changes” feature is now part of the “make check” tests; we’ll use it to try to prevent misformed changes files from accumulating. Closes ticket 23564.
    • Tor builds should now fail if there are any mismatches between the C type representing a configuration variable and the C type the data-driven parser uses to store a value there. Previously, we needed to check these by hand, which sometimes led to mistakes. Closes ticket 23643.
  • Minor features (client):
    • You can now use Tor as a tunneled HTTP proxy: use the new HTTPTunnelPort option to open a port that accepts HTTP CONNECT requests. Closes ticket 22407.
    • Add an extra check to make sure that we always use the newer guard selection code for picking our guards. Closes ticket 22779.
    • When downloading (micro)descriptors, don’t split the list into multiple requests unless we want at least 32 descriptors. Previously, we split at 4, not 32, which led to significant overhead in HTTP request size and degradation in compression performance. Closes ticket 23220.
    • Improve log messages when missing descriptors for primary guards. Resolves ticket 23670.
  • Minor features (command line):
    • Add a new commandline option, --key-expiration, which prints when the current signing key is going to expire. Implements ticket 17639; patch by Isis Lovecruft.
  • Minor features (control port):
    • If an application tries to use the control port as an HTTP proxy, respond with a meaningful “This is the Tor control port” message, and log the event. Closes ticket 1667. Patch from Ravi Chandra Padmala.
    • Provide better error message for GETINFO desc/(id|name) when not fetching router descriptors. Closes ticket 5847. Patch by Kevin Butler.
    • Add GETINFO “{desc,md}/download-enabled”, to inform the controller whether Tor will try to download router descriptors and microdescriptors respectively. Closes ticket 22684.
    • Added new GETINFO targets “ip-to-country/{ipv4,ipv6}-available”, so controllers can tell whether the geoip databases are loaded. Closes ticket 23237.
    • Adds a timestamp field to the CIRC_BW and STREAM_BW bandwidth events. Closes ticket 19254. Patch by “DonnchaC”.
  • Minor features (development support):
    • Developers can now generate a call-graph for Tor using the “calltool” python program, which post-processes object dumps. It should work okay on many Linux and OSX platforms, and might work elsewhere too. To run it, install calltool from https://gitweb.torproject.org/user/nickm/calltool.git and run “make callgraph”. Closes ticket 19307.
  • Minor features (directory authority):
    • Make the “Exit” flag assignment only depend on whether the exit policy allows connections to ports 80 and 443. Previously relays would get the Exit flag if they allowed connections to one of these ports and also port 6667. Resolves ticket 23637.
  • Minor features (ed25519):
    • Add a validation function to check for torsion components in ed25519 public keys, used by prop224 client-side code. Closes ticket 22006. Math help by Ian Goldberg.
  • Minor features (exit relay, DNS):
    • Improve the clarity and safety of the log message from evdns when receiving an apparently spoofed DNS reply. Closes ticket 3056.
  • Minor features (fallback directory mirrors):
    • The fallback directory list has been re-generated based on the current status of the network. Tor uses fallback directories to bootstrap when it doesn’t yet have up-to-date directory information. Closes ticket 24801.
    • Make the default DirAuthorityFallbackRate 0.1, so that clients prefer to bootstrap from fallback directory mirrors. This is a follow-up to 24679, which removed weights from the default fallbacks. Implements ticket 24681.
  • Minor features (geoip):
    • Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2 Country database.
  • Minor features (integration, hardening):
    • Add a new NoExec option to prevent Tor from running other programs. When this option is set to 1, Tor will never try to run another program, regardless of the settings of PortForwardingHelper, ClientTransportPlugin, or ServerTransportPlugin. Once NoExec is set, it cannot be disabled without restarting Tor. Closes ticket 22976.
  • Minor features (linux seccomp2 sandbox):
    • Update the sandbox rules so that they should now work correctly with Glibc 2.26. Closes ticket 24315.
  • Minor features (logging):
    • Provide better warnings when the getrandom() syscall fails. Closes ticket 24500.
    • Downgrade a pair of log messages that could occur when an exit’s resolver gave us an unusual (but not forbidden) response. Closes ticket 24097.
    • Improve the message we log when re-enabling circuit build timeouts after having received a consensus. Closes ticket 20963.
    • Log more circuit information whenever we are about to try to package a relay cell on a circuit with a nonexistent n_chan. Attempt to diagnose ticket 8185.
    • Improve info-level log identification of particular circuits, to help with debugging. Closes ticket 23645.
    • Improve the warning message for specifying a relay by nickname. The previous message implied that nickname registration was still part of the Tor network design, which it isn’t. Closes ticket 20488.
    • If the sandbox filter fails to load, suggest to the user that their kernel might not support seccomp2. Closes ticket 23090.
  • Minor features (onion service, circuit, logging):
    • Improve logging of many callsites in the circuit subsystem to print the circuit identifier(s).
    • Log when we clean up an intro point from a service so we know when and for what reason it happened. Closes ticket 23604.
  • Minor features (portability):
    • Tor now compiles correctly on arm64 with libseccomp-dev installed. (It doesn’t yet work with the sandbox enabled.) Closes ticket 24424.
    • Check at configure time whether uint8_t is the same type as unsigned char. Lots of existing code already makes this assumption, and there could be strict aliasing issues if the assumption is violated. Closes ticket 22410.
  • Minor features (relay):
    • When choosing which circuits can be expired as unused, consider circuits from clients even if those clients used regular CREATE cells to make them; and do not consider circuits from relays even if they were made with CREATE_FAST. Part of ticket 22805.
    • Reject attempts to use relative file paths when RunAsDaemon is set. Previously, Tor would accept these, but the directory-changing step of RunAsDaemon would give strange and/or confusing results. Closes ticket 22731.
  • Minor features (relay statistics):
    • Change relay bandwidth reporting stats interval from 4 hours to 24 hours in order to reduce the efficiency of guard discovery attacks. Fixes ticket 23856.
  • Minor features (reverted deprecations):
    • The ClientDNSRejectInternalAddresses flag can once again be set in non-testing Tor networks, so long as they do not use the default directory authorities. This change also removes the deprecation of this flag from 0.2.9.2-alpha. Closes ticket 21031.
  • Minor features (robustness):
    • Change several fatal assertions when flushing buffers into non-fatal assertions, to prevent any recurrence of 23690.
  • Minor features (startup, safety):
    • When configured to write a PID file, Tor now exits if it is unable to do so. Previously, it would warn and continue. Closes ticket 20119.
  • Minor features (static analysis):
    • The BUG() macro has been changed slightly so that Coverity no longer complains about dead code if the bug is impossible. Closes ticket 23054.
  • Minor features (testing):
    • Our fuzzing tests now test the encrypted portions of v3 onion service descriptors. Implements more of 21509.
    • Add a unit test to make sure that our own generated platform string will be accepted by directory authorities. Closes ticket 22109.
    • The default chutney network tests now include tests for the v3 onion service design. Make sure you have the latest version of chutney if you want to run these. Closes ticket 22437.
    • Add a unit test to verify that we can parse a hardcoded v2 onion service descriptor. Closes ticket 15554.
  • Minor bugfixes (address selection):
    • When the fascist_firewall_choose_address_ functions don’t find a reachable address, set the returned address to the null address and port. This is a precautionary measure, because some callers do not check the return value. Fixes bug 24736; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (bootstrapping):
    • When warning about state file clock skew, report the correct direction for the detected skew. Fixes bug 23606; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (bridge clients, bootstrap):
    • Retry directory downloads when we get our first bridge descriptor during bootstrap or while reconnecting to the network. Keep retrying every time we get a bridge descriptor, until we have a reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
    • Stop delaying bridge descriptor fetches when we have cached bridge descriptors. Instead, only delay bridge descriptor fetches when we have at least one reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
    • Stop delaying directory fetches when we have cached bridge descriptors. Instead, only delay bridge descriptor fetches when all our bridges are definitely unreachable. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
  • Minor bugfixes (bridge):
    • Overwrite the bridge address earlier in the process of retrieving its descriptor, to make sure we reach it on the configured address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
  • Minor bugfixes (build, compilation):
    • Fix a compilation warning when building with zstd support on 32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found and fixed by Andreas Stieger.
    • When searching for OpenSSL, don’t accept any OpenSSL library that lacks TLSv1_1_method(): Tor doesn’t build with those versions. Additionally, look in /usr/local/opt/openssl, if it’s present. These changes together repair the default build on OSX systems with Homebrew installed. Fixes bug 23602; bugfix on 0.2.7.2-alpha.
    • Fix a signed/unsigned comparison warning introduced by our fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
    • Fix a memory leak warning in one of the libevent-related configuration tests that could occur when manually specifying -fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha. Found and patched by Alex Xu.
    • Fix unused-variable warnings in donna’s Curve25519 SSE2 code. Fixes bug 22895; bugfix on 0.2.7.2-alpha.
  • Minor bugfixes (certificate handling):
    • Fix a time handling bug in Tor certificates set to expire after the year 2106. Fixes bug 23055; bugfix on 0.3.0.1-alpha. Found by Coverity as CID 1415728.
  • Minor bugfixes (client):
    • By default, do not enable storage of client-side DNS values. These values were unused by default previously, but they should not have been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
  • Minor bugfixes (client, usability):
    • Refrain from needlessly rejecting SOCKS5-with-hostnames and SOCKS4a requests that contain IP address strings, even when SafeSocks is enabled, as this prevents users from connecting to known IP addresses without relying on DNS for resolving. SafeSocks still rejects SOCKS connections that connect to IP addresses when those addresses are _not_ encoded as hostnames. Fixes bug 22461; bugfix on Tor 0.2.6.2-alpha.
  • Minor bugfixes (code correctness):
    • Call htons() in extend_cell_format() for encoding a 16-bit value. Previously we used ntohs(), which happens to behave the same on all the platforms we support, but which isn’t really correct. Fixes bug 23106; bugfix on 0.2.4.8-alpha.
    • For defense-in-depth, make the controller’s write_escaped_data() function robust to extremely long inputs. Fixes bug 19281; bugfix on 0.1.1.1-alpha. Reported by Guido Vranken.
    • Fix several places in our codebase where a C compiler would be likely to eliminate a check, based on assuming that undefined behavior had not happened elsewhere in the code. These cases are usually a sign of redundant checking or dubious arithmetic. Found by Georg Koppen using the “STACK” tool from Wang, Zeldovich, Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various Tor versions.
  • Minor bugfixes (compression):
    • Handle a pathological case when decompressing Zstandard data when the output buffer size is zero. Fixes bug 23551; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (consensus expiry):
    • Check for adequate directory information correctly. Previously, Tor would reconsider whether it had sufficient directory information every 2 minutes. Fixes bug 23091; bugfix on 0.2.0.19-alpha.
  • Minor bugfixes (control port, linux seccomp2 sandbox):
    • Avoid a crash when attempting to use the seccomp2 sandbox together with the OwningControllerProcess feature. Fixes bug 24198; bugfix on 0.2.5.1-alpha.
  • Minor bugfixes (control port, onion services):
    • Report “FAILED” instead of “UPLOAD_FAILED” “FAILED” for the HS_DESC event when a service is not able to upload a descriptor. Fixes bug 24230; bugfix on 0.2.7.1-alpha.
  • Minor bugfixes (directory cache):
    • Recover better from empty or corrupt files in the consensus cache directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
    • When a consensus diff calculation is only partially successful, only record the successful parts as having succeeded. Partial success can happen if (for example) one compression method fails but the others succeed. Previously we misrecorded all the calculations as having succeeded, which would later cause a nonfatal assertion failure. Fixes bug 24086; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (directory client):
    • On failure to download directory information, delay retry attempts by a random amount based on the “decorrelated jitter” algorithm. Our previous delay algorithm tended to produce extra-long delays too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (directory protocol):
    • Directory servers now include a “Date:” http header for response codes other than 200. Clients starting with a skewed clock and a recent consensus were getting “304 Not modified” responses from directory authorities, so without the Date header, the client would never hear about a wrong clock. Fixes bug 23499; bugfix on 0.0.8rc1.
    • Make clients wait for 6 seconds before trying to download a consensus from an authority. Fixes bug 17750; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (documentation):
    • Document better how to read gcov, and what our gcov postprocessing scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
    • Fix manpage to not refer to the obsolete (and misspelled) UseEntryGuardsAsDirectoryGuards parameter in the description of NumDirectoryGuards. Fixes bug 23611; bugfix on 0.2.4.8-alpha.
  • Minor bugfixes (DoS-resistance):
    • If future code asks if there are any running bridges, without checking if bridges are enabled, log a BUG warning rather than crashing. Fixes bug 23524; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (entry guards):
    • Tor now updates its guard state when it reads a consensus regardless of whether it’s missing descriptors. That makes tor use its primary guards to fetch descriptors in some edge cases where it would previously have used fallback directories. Fixes bug 23862; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (format strictness):
    • Restrict several data formats to decimal. Previously, the BuildTimeHistogram entries in the state file, the “bw=” entries in the bandwidth authority file, and the process IDs passed to the __OwningControllerProcess option could all be specified in hex or octal as well as in decimal. This was not an intentional feature. Fixes bug 22802; bugfixes on 0.2.2.1-alpha, 0.2.2.2-alpha, and 0.2.2.28-beta.
  • Minor bugfixes (heartbeat):
    • If we fail to write a heartbeat message, schedule a retry for the minimum heartbeat interval number of seconds in the future. Fixes bug 19476; bugfix on 0.2.3.1-alpha.
  • Minor bugfixes (logging):
    • Suppress a log notice when relay descriptors arrive. We already have a bootstrap progress for this, so there is no need to log a notice every time Tor receives relay descriptors. Microdescriptors behave the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
    • Remove duplicate log messages regarding opening non-local SocksPorts upon parsing config and opening listeners at startup. Fixes bug 4019; bugfix on 0.2.3.3-alpha.
    • Use a more comprehensible log message when telling the user they’ve excluded every running exit node. Fixes bug 7890; bugfix on 0.2.2.25-alpha.
    • When logging the number of descriptors we intend to download per directory request, do not log a number higher than the number of descriptors we’re fetching in total. Fixes bug 19648; bugfix on 0.1.1.8-alpha.
    • When warning about a directory owned by the wrong user, log the actual name of the user owning the directory. Previously, we’d log the name of the process owner twice. Fixes bug 23487; bugfix on 0.2.9.1-alpha.
    • Fix some messages on unexpected errors from the seccomp2 library. Fixes bug 22750; bugfix on 0.2.5.1-alpha. Patch from “cypherpunks”.
    • The tor specification says hop counts are 1-based, so fix two log messages that mistakenly logged 0-based hop counts. Fixes bug 18982; bugfix on 0.2.6.2-alpha and 0.2.4.5-alpha. Patch by teor. Credit to Xiaofan Li for reporting this issue.
  • Minor bugfixes (logging, relay shutdown, annoyance):
    • When a circuit is marked for close, do not attempt to package any cells for channels on that circuit. Previously, we would detect this condition lower in the call stack, when we noticed that the circuit had no attached channel, and log an annoying message. Fixes bug 8185; bugfix on 0.2.5.4-alpha.
  • Minor bugfixes (memory safety, defensive programming):
    • Clear the target address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (memory usage):
    • When queuing DESTROY cells on a channel, only queue the circuit-id and reason fields: not the entire 514-byte cell. This fix should help mitigate any bugs or attacks that fill up these queues, and free more RAM for other uses. Fixes bug 24666; bugfix on 0.2.5.1-alpha.
  • Minor bugfixes (network layer):
    • When closing a connection via close_connection_immediately(), we mark it as “not blocked on bandwidth”, to prevent later calls from trying to unblock it, and give it permission to read. This fixes a backtrace warning that can happen on relays under various circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
  • Minor bugfixes (onion services):
    • The introduction circuit was being timed out too quickly while waiting for the rendezvous circuit to complete. Keep the intro circuit around longer instead of timing out and reopening new ones constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
    • Rename the consensus parameter “hsdir-interval” to “hsdir_interval” so it matches dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.
    • When handling multiple SOCKS requests for the same .onion address, only fetch the service descriptor once.
    • Avoid a possible double close of a circuit by the intro point on error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610; bugfix on 0.3.0.1-alpha.
    • When reloading configured onion services, copy all information from the old service object. Previously, some data was omitted, causing delays in descriptor upload, and other bugs. Fixes bug 23790; bugfix on 0.2.1.9-alpha.
  • Minor bugfixes (path selection):
    • When selecting relays by bandwidth, avoid a rounding error that could sometimes cause load to be imbalanced incorrectly. Previously, we would always round upwards; now, we round towards the nearest integer. This had the biggest effect when a relay’s weight adjustments should have given it weight 0, but it got weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
    • When calculating the fraction of nodes that have descriptors, and all nodes in the network have zero bandwidths, count the number of nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
    • Actually log the total bandwidth in compute_weighted_bandwidths(). Fixes bug 24170; bugfix on 0.2.4.3-alpha.
  • Minor bugfixes (portability):
    • Stop using the PATH_MAX variable, which is not defined on GNU Hurd. Fixes bug 23098; bugfix on 0.3.1.1-alpha.
    • Fix a bug in the bit-counting parts of our timing-wheel code on MSVC. (Note that MSVC is still not a supported build platform, due to cryptographic timing channel risks.) Fixes bug 24633; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (relay):
    • When uploading our descriptor for the first time after startup, report the reason for uploading as “Tor just started” rather than leaving it blank. Fixes bug 22885; bugfix on 0.2.3.4-alpha.
    • Avoid unnecessary calls to directory_fetches_from_authorities() on relays, to prevent spurious address resolutions and descriptor rebuilds. This is a mitigation for bug 21789. Fixes bug 23470; bugfix on 0.2.8.1-alpha.
    • Avoid a crash when transitioning from client mode to bridge mode. Previously, we would launch the worker threads whenever our “public server” mode changed, but not when our “server” mode changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
  • Minor bugfixes (testing):
    • Fix a spurious fuzzing-only use of an uninitialized value. Found by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
    • Test that IPv6-only clients can use microdescriptors when running “make test-network-all”. Requires chutney master 61c28b9 or later. Closes ticket 24109.
    • Prevent scripts/test/coverage from attempting to move gcov output to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
    • Capture and detect several “Result does not fit” warnings in unit tests on platforms with 32-bit time_t. Fixes bug 21800; bugfix on 0.2.9.3-alpha.
    • Fix additional channelpadding unit test failures by using mocked time instead of actual time for all tests. Fixes bug 23608; bugfix on 0.3.1.1-alpha.
    • Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to correctly handle cases where a caller gives it an RSA key of under 160 bits. (This is not actually a bug in Tor itself, but rather in our fuzzing code.) Fixes bug 24247; bugfix on 0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
    • Fix a broken unit test for the OutboundAddress option: the parsing function was never returning an error on failure. Fixes bug 23366; bugfix on 0.3.0.3-alpha.
    • Fix a signed-integer overflow in the unit tests for dir/download_status_random_backoff, which was untriggered until we fixed bug 17750. Fixes bug 22924; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (usability, control port):
    • Stop making an unnecessary routerlist check in NETINFO clock skew detection; this was preventing clients from reporting NETINFO clock skew to controllers. Fixes bug 23532; bugfix on 0.2.4.4-alpha.
  • Code simplification and refactoring:
    • Remove various ways of testing circuits and connections for “clientness”; instead, favor channel_is_client(). Part of ticket 22805.
    • Extract the code for handling newly-open channels into a separate function from the general code to handle channel state transitions. This change simplifies our callgraph, reducing the size of the largest strongly connected component by roughly a factor of two. Closes ticket 22608.
    • Remove dead code for largely unused statistics on the number of times we’ve attempted various public key operations. Fixes bug 19871; bugfix on 0.1.2.4-alpha. Fix by Isis Lovecruft.
    • Remove several now-obsolete functions for asking about old variants of directory authority status. Closes ticket 22311; patch from “huyvq”.
    • Remove some of the code that once supported “Named” and “Unnamed” routers. Authorities no longer vote for these flags. Closes ticket 22215.
    • Rename the obsolete malleable hybrid_encrypt functions used in TAP and old hidden services, to indicate that they aren’t suitable for new protocols or formats. Closes ticket 23026.
    • Replace our STRUCT_OFFSET() macro with offsetof(). Closes ticket 22521. Patch from Neel Chauhan.
    • Split the enormous circuit_send_next_onion_skin() function into multiple subfunctions. Closes ticket 22804.
    • Split the portions of the buffer.c module that handle particular protocols into separate modules. Part of ticket 23149.
    • Use our test macros more consistently, to produce more useful error messages when our unit tests fail. Add coccinelle patches to allow us to re-check for test macro uses. Closes ticket 22497.
  • Deprecated features:
    • The ReachableDirAddresses and ClientPreferIPv6DirPort options are now deprecated; they do not apply to relays, and they have had no effect on clients since 0.2.8.x. Closes ticket 19704.
    • Deprecate HTTPProxy/HTTPProxyAuthenticator config options. They only apply to direct unencrypted HTTP connections to your directory server, which your Tor probably isn’t using. Closes ticket 20575.
  • Documentation:
    • Add notes in man page regarding OS support for the various scheduler types. Attempt to use less jargon in the scheduler section. Closes ticket 24254.
    • Clarify that the Address option is entirely about setting an advertised IPv4 address. Closes ticket 18891.
    • Clarify the manpage’s use of the term “address” to clarify what kind of address is intended. Closes ticket 21405.
    • Document that onion service subdomains are allowed, and ignored. Closes ticket 18736.
    • Clarify in the manual that “Sandbox 1” is only supported on Linux kernels. Closes ticket 22677.
    • Document all values of PublishServerDescriptor in the manpage. Closes ticket 15645.
    • Improve the documentation for the directory port part of the DirAuthority line. Closes ticket 20152.
    • Restore documentation for the authorities’ “approved-routers” file. Closes ticket 21148.
  • Removed features:
    • The AllowDotExit option has been removed as unsafe. It has been deprecated since 0.2.9.2-alpha. Closes ticket 23426.
    • The ClientDNSRejectInternalAddresses flag can no longer be set on non-testing networks. It has been deprecated since 0.2.9.2-alpha. Closes ticket 21031.
    • The controller API no longer includes an AUTHDIR_NEWDESCS event: nobody was using it any longer. Closes ticket 22377.
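
The format-strictness fix listed above (bug 22802) is about numeric fields that accepted hex and octal spellings as well as decimal. The C sketch below is an added example, not Tor's own code: `parse_long_lenient` and `parse_long_decimal` are hypothetical helpers and the sample strings are constructed. It shows how base auto-detection gives one field several accepted encodings, and a decimal-only parser that rejects them.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not Tor's API): lenient parse with base 0.
 * strtol() then auto-detects "0x..." as hex and a leading "0" as octal,
 * so the same number has several accepted spellings. */
static int parse_long_lenient(const char *s, long min, long max, long *out)
{
  char *end = NULL;
  long v;
  if (s == NULL || *s == '\0')
    return -1;
  errno = 0;
  v = strtol(s, &end, 0);
  if (errno == ERANGE || end == s || *end != '\0')
    return -1;
  if (v < min || v > max)
    return -1;
  *out = v;
  return 0;
}

/* Hypothetical helper: strict decimal parse. Only an optional '-' followed
 * by decimal digits is accepted; whitespace, '+', "0x" prefixes, trailing
 * bytes, overflow and out-of-range values are all rejected. */
static int parse_long_decimal(const char *s, long min, long max, long *out)
{
  char *end = NULL;
  const char *digits = s;
  long v;
  if (s == NULL)
    return -1;
  if (*digits == '-')
    digits++;
  if (!isdigit((unsigned char)*digits))
    return -1;                 /* rejects "", " 7", "+7", "-" */
  errno = 0;
  v = strtol(s, &end, 10);     /* base 10: "0x10" stops at 'x' */
  if (errno == ERANGE || *end != '\0')
    return -1;                 /* overflow or trailing bytes */
  if (v < min || v > max)
    return -1;
  *out = v;
  return 0;
}

int main(void)
{
  /* Constructed sample inputs for a field limited to 0..65535. */
  const char *samples[] = { "16", "0x10", "010", "08", " 7", "70000" };
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    long a = -1, b = -1;
    int ra = parse_long_lenient(samples[i], 0, 65535, &a);
    int rb = parse_long_decimal(samples[i], 0, 65535, &b);
    printf("%-8s lenient: %s", samples[i], ra == 0 ? "ok " : "rejected");
    if (ra == 0)
      printf("%ld", a);
    printf("   decimal-only: %s", rb == 0 ? "ok " : "rejected");
    if (rb == 0)
      printf("%ld", b);
    printf("\n");
  }
  return 0;
}
```

Note that "010" is accepted by both parsers but with different values (8 versus 10), which is the kind of ambiguity a decimal-only rule removes.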

Original: https://blog.torproject.org/tor-0329-released-we-have-new-stable-series

Tor Browser 7.5a10 is released

Tor Browser 7.5a10 is now available from the Tor Browser Project page and also from our distribution directory.

This release updates Tor to 0.3.2.7-rc and OpenSSL to 1.0.2n. The security slider has been updated, following the experience provided for mobile users. On Linux, the “Print to File” feature should be working again.

The full changelog since Tor Browser 7.5a9 is:

  • All Platforms
    • Update Tor to 0.3.2.7-rc
    • Update OpenSSL to 1.0.2n
    • Update Torbutton to 1.9.8.4
      • Bug 21847: Update copy for security slider
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update Tor Launcher to 0.2.14.2
      • Bug 24623: Revise “country that censors Tor” text
      • Bug 24428: Bootstrap error message sometimes lost
      • Bug 24624: tbb-logo.svg may cause network access
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update NoScript to 5.1.8.3
    • Bug 23104: CSS line-height reveals the platform Tor Browser is running on
    • Bug 24398: Plugin-container process exhausts memory
  • OS X
    • Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
  • Linux
    • Bug 23970: Make “Print to File” work with sandboxing enabled
    • Bug 23016: “Print to File” is broken on some non-English Linux systems
  • Android

Original: https://blog.torproject.org/tor-browser-75a10-released

Shadowsocks Android client (v4.3.0)

  1. Retire the NAT mode.
  2. Add transparent proxy mode. (Firewall rules should be set manually)
  3. Add local SOCKS5 proxy mode. (Typically works with Orbot and similar apps as a front-end proxy)
  4. Minor changes to the user interface.

Original: https://github.com/shadowsocks/shadowsocks-android/releases/tag/v4.3.0

Tor Browser 7.5a8 is released

Tor Browser 7.5a8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to version 52.5.0esr and Tor to version 0.3.2.4-alpha. The HTTPS Everywhere and NoScript extensions we ship have also been updated.

This release also includes a new Tor Launcher with an improved progress bar and configuration UI.

On Windows, users with a 64bit CPU can now download a 64bit version of Tor Browser. Users of the 32bit version won’t automatically be updated to the 64bit version yet, so a manual installation needs to be done. Due to bug 24197 the sandbox is not yet enabled in the 64bit version. We plan to fix that in the next release.

The full changelog since Tor Browser 7.5a7 (7.5a6 for Windows) is:

  • All Platforms
    • Update Firefox to 52.5.0esr
    • Update Tor to 0.3.2.4-alpha
    • Update Torbutton to 1.9.8.3
      • Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
      • Bug 23949: Fix donation banner display
      • Update locales with translated banner
      • Translations update
    • Update Tor Launcher to 0.2.14.1
      • Bug 23262: Implement integrated progress bar
      • Bug 23261: implement configuration portion of new Tor Launcher UI
      • Translations update
    • Update HTTPS-Everywhere to 2017.10.30
    • Update NoScript to 5.1.5
      • Bug 23968: NoScript icon jumps to the right after update
    • Update sandboxed-tor-browser to 0.0.15
  • Windows
    • Bug 20636+10026: Create 64bit Tor Browser for Windows
    • Bug 24052: Block file:// redirects early

Original: https://blog.torproject.org/tor-browser-75a8-released

New stable Tor releases, with security fixes: 0.3.1.9, 0.3.0.13, 0.2.9.14, 0.2.8.17, 0.2.5.16

There are new stable releases today, fixing the following security issues. For more information about the issues, follow the links from https://trac.torproject.org/projects/tor/wiki/TROVE

TROVE-2017-009: Replay-cache ineffective for v2 onion services
TROVE-2017-010: Remote DoS attack against directory authorities
TROVE-2017-011: An attacker can make Tor ask for a password
TROVE-2017-012: Relays can pick themselves in a circuit path
TROVE-2017-013: Use-after-free in onion service v2

You can download the source for 0.3.1.9 from the usual place on the website. For the older release series, see https://dist.torproject.org/. Binary packages should be available soon. All users should update to one of these releases, or to 0.3.2.6-alpha, also released today.

Below is the changelog for 0.3.1.9. For the other releases, see the tor-announce email.

Tor 0.3.1.9 backports important security and stability fixes from the 0.3.2 development series. All Tor users should upgrade to this release, or to another of the releases coming out today.

Changes In Version 0.3.1.9 – 2017-12-01:

  • Major bugfixes (security, backport from 0.3.2.6-alpha):
    • Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.) Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
    • Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820.
    • When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA-encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor’s legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819.
  • Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    • Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
  • Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    • When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
    • When running as a relay, make sure that we never choose ourselves as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  • Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    • Fix an issue causing DNS to fail on high-bandwidth exit nodes, making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for identifying and finding a workaround to this bug and to Moritz, Arthur Edelstein, and Roger for helping to track it down and analyze it.
  • Minor features (bridge):
    • Bridges now include notice in their descriptors that they are bridges, and notice of their distribution status, based on their publication settings. Implements ticket 18329. For more fine-grained control of how a bridge is distributed, upgrade to 0.3.2.x or later.
  • Minor features (directory authority, backport from 0.3.2.6-alpha):
    • Add an IPv6 address for the “bastet” directory authority. Closes ticket 24394.
  • Minor features (geoip):
    • Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2 Country database.
  • Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    • Avoid unnecessary calls to directory_fetches_from_authorities() on relays, to prevent spurious address resolutions and descriptor rebuilds. This is a mitigation for bug 21789. Fixes bug 23470; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    • Fix unused variable warnings in donna’s Curve25519 SSE2 code. Fixes bug 22895; bugfix on 0.2.7.2-alpha.
  • Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    • When a circuit is marked for close, do not attempt to package any cells for channels on that circuit. Previously, we would detect this condition lower in the call stack, when we noticed that the circuit had no attached channel, and log an annoying message. Fixes bug 8185; bugfix on 0.2.5.4-alpha.
  • Minor bugfixes (onion service, backport from 0.3.2.5-alpha):
    • Rename the consensus parameter “hsdir-interval” to “hsdir_interval” so it matches dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    • Avoid a crash when transitioning from client mode to bridge mode. Previously, we would launch the worker threads whenever our “public server” mode changed, but not when our “server” mode changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

Source: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516

Tor 0.3.2.6-alpha is released, with security updates

This version of Tor is the latest in the 0.3.2 alpha series. It includes fixes for several important security issues. All Tor users should upgrade to this release, or to one of the other releases coming out today. (The next announcement will be about the stable releases.)

You can download the source from the usual place on the website. Binary packages should be available soon.

These releases fix the following security bugs. For more information
on each one, see the links from
https://trac.torproject.org/projects/tor/wiki/TROVE

TROVE-2017-009: Replay-cache ineffective for v2 onion services
TROVE-2017-010: Remote DoS attack against directory authorities
TROVE-2017-011: An attacker can make Tor ask for a password
TROVE-2017-012: Relays can pick themselves in a circuit path
TROVE-2017-013: Use-after-free in onion service v2

Changes In Version 0.3.2.6-Alpha – 2017-12-01

  • Major bugfixes (security):
    • Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.) Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
    • Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820.
    • When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA-encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor’s legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819.
  • Major bugfixes (security, onion service v2):
    • Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
  • Major bugfixes (security, relay):
    • When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
    • When running as a relay, make sure that we never choose ourselves as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  • Minor feature (relay statistics):
    • Change relay bandwidth reporting stats interval from 4 hours to 24 hours in order to reduce the efficiency of guard discovery attacks. Fixes ticket 23856.
  • Minor features (directory authority):
    • Add an IPv6 address for the “bastet” directory authority. Closes ticket 24394.
  • Minor bugfixes (client):
    • By default, do not enable storage of client-side DNS values. These values were unused by default previously, but they should not have been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
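
Both the 0.3.1.9 and 0.3.2.6-alpha changelogs above include the INTRODUCE1 replay fix (bug 24244). The following Python sketch is an added illustration, not Tor's code, of why a replay cache keyed on the whole cell misses a cell whose malleable part was altered, while one keyed on the RSA-encrypted part still catches it. `ToyHybrid`, `ReplayCache`, the 128-byte head length and the hash-based keystream are assumptions standing in for the real RSA and stream-cipher steps; the sample cell is constructed.

```python
import hashlib
import os

RSA_BLOCK_LEN = 128  # assumption: the RSA-encrypted head is one RSA-1024 block
KEY_LEN = 16


def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 based) standing in for a stream cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHybrid:
    """Hypothetical stand-in for hybrid encryption: an opaque head that binds
    (session key, first plaintext chunk), followed by a stream-encrypted tail."""

    def __init__(self):
        self._heads = {}  # plays the role of the RSA private-key operation

    def encrypt(self, head_plain: bytes, tail_plain: bytes) -> bytes:
        key = os.urandom(KEY_LEN)
        head = os.urandom(RSA_BLOCK_LEN)
        self._heads[head] = (key, head_plain)
        return head + xor(tail_plain, keystream(key, len(tail_plain)))

    def decrypt(self, cell: bytes):
        head, tail = cell[:RSA_BLOCK_LEN], cell[RSA_BLOCK_LEN:]
        if head not in self._heads:
            raise ValueError("unknown or truncated head")
        key, head_plain = self._heads[head]
        return head_plain, xor(tail, keystream(key, len(tail)))


class ReplayCache:
    """Remembers digests of what it has seen; key_fn selects what is digested."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._seen = set()

    def check_and_add(self, cell: bytes) -> bool:
        """Return True if the cell counts as a replay, otherwise remember it."""
        digest = hashlib.sha256(self._key_fn(cell)).digest()
        if digest in self._seen:
            return True
        self._seen.add(digest)
        return False


def whole_cell(cell: bytes) -> bytes:
    # Behaviour before the fix: the replay key covers the entire cell.
    return cell


def rsa_part(cell: bytes) -> bytes:
    # Behaviour after the fix: the replay key covers only the non-malleable head.
    if len(cell) < RSA_BLOCK_LEN:
        raise ValueError("cell shorter than the RSA-encrypted part")
    return cell[:RSA_BLOCK_LEN]


def compare_replay_keys() -> dict:
    hybrid = ToyHybrid()
    # Constructed sample: the head carries the request, the tail carries the rest.
    original = hybrid.encrypt(b"constructed-request", b"constructed tail bytes")
    # Same head, one bit changed in the stream-encrypted tail.
    variant = original[:-1] + bytes([original[-1] ^ 0x01])

    before_fix = ReplayCache(whole_cell)
    after_fix = ReplayCache(rsa_part)
    before_fix.check_and_add(original)
    after_fix.check_and_add(original)
    return {
        "exact_resend_flagged_by_both":
            before_fix.check_and_add(original) and after_fix.check_and_add(original),
        "whole_cell_flags_variant": before_fix.check_and_add(variant),
        "rsa_part_flags_variant": after_fix.check_and_add(variant),
        # The service would still act on the variant: the head decrypts identically.
        "same_request": hybrid.decrypt(original)[0] == hybrid.decrypt(variant)[0],
    }


if __name__ == "__main__":
    for name, value in compare_replay_keys().items():
        print(f"{name}: {value}")
```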

Source: https://blog.torproject.org/tor-0326-alpha-released-security-updates

Tor Browser 7.0.10 is released

Tor Browser 7.0.10 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to version 52.5.0esr and Tor to version 0.3.1.8, the second stable release in the 0.3.1 series. In addition to that we updated the HTTPS Everywhere and NoScript extensions we ship. For Windows users we backported patches from the alpha series that update the msvcr100.dll runtime library we include and which should make Tor Browser more robust against crashes due to misbehaving third party software.

The full changelog since Tor Browser 7.0.9 (7.0.8 for Windows) is:

  • All Platforms
    • Update Firefox to 52.5.0esr
    • Update Tor to 0.3.1.8
    • Update Torbutton to 1.9.7.10
      • Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
      • Translations update
    • Update HTTPS-Everywhere to 2017.10.30
      • Bug 24178: Use make.sh for building HTTPS-Everywhere
    • Update NoScript to 5.1.5
      • Bug 23968: NoScript icon jumps to the right after update
  • Windows
    • Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
    • Bug 23396: Update the msvcr100.dll we ship
    • Bug 24052: Block file:// redirects early

Source: https://blog.torproject.org/tor-browser-7010-released

Tor 0.3.2.4-alpha is released, with several stability fixes by nickm

Tor 0.3.2.4-alpha is the fourth alpha release in the 0.3.2.x series. It fixes several stability and reliability bugs, especially including a major reliability issue that has been plaguing fast exit relays in recent months.

You can download the source from the usual place on the website. Binary packages should be available soon, with an alpha Tor Browser likely in the next week or so.

Remember: This is an alpha release, and it’s likely to have more bugs than usual. We hope that people will try it out to find and report bugs, though.

Changes In Version 0.3.2.4-Alpha – 2017-11-08

  • Major bugfixes (exit relays, DNS):
    • Fix an issue causing DNS to fail on high-bandwidth exit nodes, making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for identifying and finding a workaround to this bug and to Moritz, Arthur Edelstein, and Roger for helping to track it down and analyze it.
  • Major bugfixes (scheduler, channel):
    • Stop processing scheduled channels if they closed while flushing cells. This can happen if the write on the connection fails leading to the channel being closed while in the scheduler loop. Fixes bug 23751; bugfix on 0.3.2.1-alpha.
  • Minor features (logging, scheduler):
    • Introduce a SCHED_BUG() function to log extra information about the scheduler state if we ever catch a bug in the scheduler. Closes ticket 23753.
  • Minor features (removed deprecations):
    • The ClientDNSRejectInternalAddresses flag can once again be set in non-testing Tor networks, so long as they do not use the default directory authorities. This change also removes the deprecation of this flag from 0.2.9.2-alpha. Closes ticket 21031.
  • Minor features (testing):
    • Our fuzzing tests now test the encrypted portions of v3 onion service descriptors. Implements more of 21509.
  • Minor bugfixes (directory client):
    • On failure to download directory information, delay retry attempts by a random amount based on the “decorrelated jitter” algorithm. Our previous delay algorithm tended to produce extra-long delays too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (IPv6, v3 single onion services):
    • Remove buggy code for IPv6-only v3 single onion services, and reject attempts to configure them. This release supports IPv4, dual-stack, and IPv6-only v3 onion services; and IPv4 and dual-stack v3 single onion services. Fixes bug 23820; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (logging, relay):
    • Give only a protocol warning when the ed25519 key is not consistent between the descriptor and microdescriptor of a relay. This can happen, for instance, if the relay has been flagged NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (manpage, onion service):
    • Document that the HiddenServiceNumIntroductionPoints option is 0-10 for v2 services and 0-20 for v3 services. Fixes bug 24115; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (memory leaks):
    • Fix a minor memory leak at exit in the KIST scheduler. This bug should have no user-visible impact. Fixes bug 23774; bugfix on 0.3.2.1-alpha.
    • Fix a memory leak when decrypting a badly formatted v3 onion service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha. Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
  • Minor bugfixes (onion services):
    • Cache some needed onion service client information instead of constantly computing it over and over again. Fixes bug 23623; bugfix on 0.3.2.1-alpha.
    • Properly retry HSv3 descriptor fetches when missing required directory information. Fixes bug 23762; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (path selection):
    • When selecting relays by bandwidth, avoid a rounding error that could sometimes cause load to be imbalanced incorrectly. Previously, we would always round upwards; now, we round towards the nearest integer. This had the biggest effect when a relay’s weight adjustments should have given it weight 0, but it got weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
    • When calculating the fraction of nodes that have descriptors, and all nodes in the network have zero bandwidths, count the number of nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
    • Actually log the total bandwidth in compute_weighted_bandwidths(). Fixes bug 24170; bugfix on 0.2.4.3-alpha.
  • Minor bugfixes (relay, crash):
    • Avoid a crash when transitioning from client mode to bridge mode. Previously, we would launch the worker threads whenever our “public server” mode changed, but not when our “server” mode changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
  • Minor bugfixes (testing):
    • Fix a spurious fuzzing-only use of an uninitialized value. Found by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
    • Test that IPv6-only clients can use microdescriptors when running “make test-network-all”. Requires chutney master 61c28b9 or later. Closes ticket 24109.

Source: https://blog.torproject.org/tor-0324-alpha-released-several-stability-fixes

Tor Browser 7.5a7 is released

Note: Tor Browser 7.5a7 is a security bugfix release in the alpha channel for macOS and Linux users only. Users of the alpha channel on Windows are not affected and stay on Tor Browser 7.5a6.

Tor Browser 7.5a7 is now available for our macOS and Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.

The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!

Known issues: The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.

Here is the full changelog since 7.5a6:

  • OS X
    • Bug 24052: Streamline handling of file:// resources
  • Linux
    • Bug 24052: Streamline handling of file:// resources

Source: https://blog.torproject.org/tor-browser-75a7-released

Tor Browser 7.0.9 is released

Note: Tor Browser 7.0.9 is a security bugfix release for macOS and Linux users only. Users on Windows are not affected and stay on Tor Browser 7.0.8.

Tor Browser 7.0.9 is now available for our macOS and Linux users from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor Browser for macOS and Linux users. Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address (note: as of Nov. 4, 2017, this link is non-public while Mozilla works on a fix for Firefox). Once an affected user navigates to a specially crafted URL the operating system may directly connect to the remote host, bypassing Tor Browser. Tails users and users of our sandboxed-tor-browser are unaffected, though.

The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!

We are currently preparing updated macOS and Linux bundles for our alpha series which will be tentatively available on Monday, November 6. Meanwhile macOS and Linux users on that series are strongly encouraged to use the stable bundles or one of the above mentioned tools that are not affected by the underlying problem.
Update: Tor Browser 7.5a7 has now been released.

Known issues: The fix we deployed is just a workaround stopping the leak. As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead. We track this follow-up regression in bug 24136.

Here is the full changelog since 7.0.8:

  • OS X
    • Bug 24052: Streamline handling of file:// resources
  • Linux
    • Bug 24052: Streamline handling of file:// resources

Source: https://blog.torproject.org/tor-browser-709-released

Tor 0.3.2.3-alpha is released, with small bugfixes

Tor 0.3.2.3-alpha is the third release in the 0.3.2 series. It fixes numerous small bugs in earlier versions of 0.3.2.x, and adds a new directory authority, Bastet.

You can download the source from the usual place on the website. Binary packages should be available soon, with an alpha Tor Browser likely some time in November.

Remember: This is an alpha release, and it’s likely to have more bugs than usual. We hope that people will try it out to find and report bugs, though.

Changes In Version 0.3.2.3-Alpha – 2017-10-27

  • Directory authority changes:
    • Add “Bastet” as a ninth directory authority to the default list. Closes ticket 23910.
    • The directory authority “Longclaw” has changed its IP address. Closes ticket 23592.
  • Minor features (bridge):
    • Bridge relays can now set the BridgeDistribution config option to add a “bridge-distribution-request” line to their bridge descriptor, which tells BridgeDB how they’d like their bridge address to be given out. (Note that as of Oct 2017, BridgeDB does not yet implement this feature.) As a side benefit, this feature provides a way to distinguish bridge descriptors from non-bridge descriptors. Implements ticket 18329.
  • Minor features (client, entry guards):
    • Improve log messages when missing descriptors for primary guards. Resolves ticket 23670.
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database.
  • Minor bugfixes (bridge):
    • Overwrite the bridge address earlier in the process of retrieving its descriptor, to make sure we reach it on the configured address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
  • Minor bugfixes (documentation):
    • Document better how to read gcov, and what our gcov postprocessing scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
  • Minor bugfixes (entry guards):
    • Tor now updates its guard state when it reads a consensus regardless of whether it’s missing descriptors. That makes tor use its primary guards to fetch descriptors in some edge cases where it would previously have used fallback directories. Fixes bug 23862; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (onion service client):
    • When handling multiple SOCKS requests for the same .onion address, only fetch the service descriptor once.
    • When a descriptor fetch fails with a non-recoverable error, close all pending SOCKS requests for that .onion. Fixes bug 23653; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service):
    • Always regenerate missing onion service public key files. Prior to this, if the public key was deleted from disk, it wouldn’t get recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha. Patch from “cathugger”.
    • Make sure that we have a usable ed25519 key when the intro point relay supports ed25519 link authentication. Fixes bug 24002; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (onion service, v2):
    • When reloading configured onion services, copy all information from the old service object. Previously, some data was omitted, causing delays in descriptor upload, and other bugs. Fixes bug 23790; bugfix on 0.2.1.9-alpha.
  • Minor bugfixes (memory safety, defensive programming):
    • Clear the target address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (relay):
    • Avoid a BUG warning when receiving a dubious CREATE cell while an option transition is in progress. Fixes bug 23952; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (testing):
    • Adjust the GitLab CI configuration to more closely match that of Travis CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
    • Prevent scripts/test/coverage from attempting to move gcov output to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
    • When running unit tests as root, skip a test that would fail because it expects a permissions error. This affects some continuous integration setups. Fixes bug 23758; bugfix on 0.3.2.2-alpha.
    • Stop unconditionally mirroring the tor repository in GitLab CI. This prevented developers from enabling GitLab CI on master. Fixes bug 23755; bugfix on 0.3.2.2-alpha.
    • Fix the onion service v3 descriptor decoding fuzzing to use the latest decoding API correctly. Fixes bug 21509; bugfix on 0.3.2.1-alpha.
  • Minor bugfixes (warnings):
    • When we get an HTTP request on a SOCKS port, tell the user about the new HTTPTunnelPort option. Previously, we would give a “Tor is not an HTTP Proxy” message, which stopped being true when HTTPTunnelPort was introduced. Fixes bug 23678; bugfix on 0.3.2.1-alpha.

Source: https://blog.torproject.org/tor-0323-alpha-released-small-bugfixes

vpngate-build-9651

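  • How to install and use
  • Redistributable files
    This software is free of charge. You may copy or distribute the files you have downloaded, and you may upload them to other websites. If your government's firewall malfunctions for unknown reasons and the http://www.vpngate.net website cannot easily be reached from your country, publish the VPN Gate program files on websites in your country to help other users around you.
  • Notes
    Use the latest version whenever possible. If some day your government's firewall causes unknown errors and the VPN Gate Client software has problems, update VPN Gate to the latest version. In case the http://www.vpngate.net website becomes unreachable in the future because of a malfunction of your government's firewall, it is recommended that you keep a note of the mirror site URL list. The VPN Gate Client plug-in includes the VPN Gate service. It is disabled by default. You can activate it manually.

Source: http://www.vpngate.net/cn/download.aspx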

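Lantern version 4.4.2

Click here for the download links of the latest Lantern version

The latest version is 4.4.x

Windows version (requires XP SP3 or later) Alternate link

Android version (requires 4.1 or later) Alternate link Download from Google Play

Downloads for other systems

Please bookmark this page so that you can download new versions later.

Official Lantern forum

Click here to go to the forum's posts page, or click Issues at the top left.

You can register an account with “sign up” at the top right. After verifying by e-mail, click https://github.com/getlantern/forum to return to the forum.

Within the forum, use “New issue” at the top right to start a new post, or use “Comment” inside a post to reply.

Forum rules

If you run into problems, please read the solutions for when Lantern does not work. Before asking a question, please read the Lantern featured posts first.

This forum is for discussion of the Lantern circumvention software. Because space is limited, please do not post duplicates, and please do not open new threads to post invitation codes. Post invitation codes in the collection thread or on other forums. Advertising posts are prohibited, including unofficial discussion groups. Flooding the board, personal attacks and other abusive behaviour are prohibited. Repeated violations of the rules lead to muting or even account bans.

Source: https://github.com/getlantern/forum#%E8%93%9D%E7%81%AFlantern%E6%9C%80%E6%96%B0%E7%89%88%E6%9C%AC%E4%B8%8B%E8%BD%BD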

XX-Net V3.7.9

What is new:

  • GAE check cert using POST
  • no_mess system config
  • X-tunnel status detail info
  • GAE add sni on TLS

Downloads

Latest status:

2017-11-2

Tips:

Source: https://github.com/XX-net/XX-Net/releases/tag/3.7.9

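Broadband IP address blocked (updated October 17, 2017)

Blocking has been fairly severe recently. If UltraSurf 16.03 or 17.01, the UltraSurf Firefox extension, or UltraSurf for Android phones (English version) cannot connect to the server, or the connection is unstable, your broadband IP address may have been blocked. Please close all circumvention software (including UltraSurf) and open UltraSurf again after 10 minutes. Sometimes this may need to be repeated several times; it is best to let it run for a few minutes each time (even if it cannot connect), 3-5 minutes is enough. If you can change your broadband IP address, there is no need to wait 10 minutes.

You can change your broadband IP address with the following steps:
1. Close all circumvention software.
2. Change your broadband IP address:
The simplest way is to switch off the power of your broadband modem and router, wait 1 minute, and switch the power back on.
If you dial the broadband service directly from your computer, just drop the broadband connection and redial after 1 minute.
3. Once the broadband is connected again, open UltraSurf.
4. If the steps above do not succeed and the broadband IP address has not changed, wait 10 minutes before opening UltraSurf again.

Blocking is currently fairly severe, and some circumvention software (including old versions of UltraSurf) may cause your broadband IP address to be blocked.

Please share your results and your experience with changing your broadband IP address.

Source: http://forums.internetfreedom.org/index.php?topic=22344.0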

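Trying IPFS for distributing the V2Ray installation packages

Apart from the development of V2Ray itself, a very important problem is distribution. It is a chicken-and-egg problem: users need the V2Ray software to get over the wall, but before using it they first have to download the installation package, and the download locations for the package, such as Github Release, are usually blocked.

The ultimate goal of V2Ray is to provide a barrier-free circumvention experience: when all you have is a brand-new computer, with a network connection and a browser and nothing else, you can use V2Ray to complete the first step of circumvention.

To achieve this, two conditions must be met:

  1. V2Ray provides a free server that can be reached with the bundled configuration file;
  2. users can freely download the V2Ray installation package.

The first condition is already met: the official V2Ray server has been working stably for quite a while. The main problem now is the second condition.

You have probably all seen the announcement on Telegram. My first idea was to distribute via a cloud storage service. A certain cloud drive claims its international edition is uncensored, but within a few hours of my publishing the download link the account was blocked, and all I could do was shrug.

Thinking it over, the traditional HTTP route is definitely a dead end: HTTP services inside China are all censored and those abroad are all blocked, so none is usable. That leaves only P2P.

For file sharing, one mainstream P2P solution at present is IPFS. Like BT, IPFS has no central server; you connect to other IPFS nodes to download the specified file. The file name (or directory name) is simply a string, and with this string you can download the V2Ray installation package.

Of course this approach has a drawback: you first need to download the IPFS program, which amounts to shifting the responsibility for distribution onto IPFS. If one day nobody can download the IPFS program any more, that is the end of it.

So for now we can only hope that IPFS stays alive and that kind people seed inside the wall.

Next, a brief introduction to IPFS. In IPFS you can publish files or folders; every file and folder has a unique identifier, and with this identifier the file can be fetched within IPFS. For example, the current latest V2Ray installation package is here. This path is immutable, which means that when a later version is uploaded to IPFS again, it gets a new identifier. To solve the problem of the identifier changing every time, the IPFS project has a tool called IPNS for redirection, roughly comparable to the relationship between a domain name and an IP address. The IPNS of V2Ray is this one. For some reason IPNS is much slower than IPFS, probably because there are not enough seeds.

I hope fellow circumventors will join in seeding to make downloads faster. Seeding works roughly like this: once IPFS is configured, run: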

ipfs pin add -r /ipns/QmdtMuAhEUPFX9NQiGhRj2zhS1oEA76SXNDnZRHqivjMwR

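I have only just started learning IPFS myself, so please correct me if something is wrong.

In the distribution channel described above you can also find some of the main V2Ray clients. If you need other tools, please leave a comment and I will add them later.

Source: https://steemit.com/cn/@v2ray/ipfs-v2ray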

New stable Tor releases: 0.3.1.8, 0.3.0.12, 0.2.9.13, 0.2.8.16, 0.2.5.15 by nickm

There are new stable Tor releases available for download. If you build Tor from source, you can find the source for the latest stable release on our Download page. You can find the older releases at https://dist.torproject.org/. Packages should be available over the coming days, including a planned TorBrowser release in November.

These releases backport stability fixes from later Tor releases, and add the key for the latest directory authority, “bastet”.

The ChangeLog for 0.3.1.8 follows below. For the changelogs for other releases, see the announcement email.

Tor 0.3.1.8 is the second stable release in the 0.3.1 series. It includes several bugfixes, including a bugfix for a crash issue that had affected relays under memory pressure. It also adds a new directory authority, Bastet.

Changes In Version 0.3.1.8 – 2017-10-25

  • Directory authority changes:
    • Add “Bastet” as a ninth directory authority to the default list. Closes ticket 23910.
    • The directory authority “Longclaw” has changed its IP address. Closes ticket 23592.
  • Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    • Fix a timing-based assertion failure that could occur when the circuit out-of-memory handler freed a connection’s output buffer. Fixes bug 23690; bugfix on 0.2.6.1-alpha.
  • Minor features (directory authorities, backport from 0.3.2.2-alpha):
    • Remove longclaw’s IPv6 address, as it will soon change. Authority IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves 3/8 directory authorities with IPv6 addresses, but there are also 52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 Country database.
  • Minor bugfixes (compilation, backport from 0.3.2.2-alpha):
    • Fix a compilation warning when building with zstd support on 32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found and fixed by Andreas Stieger.
  • Minor bugfixes (compression, backport from 0.3.2.2-alpha):
    • Handle a pathological case when decompressing Zstandard data when the output buffer size is zero. Fixes bug 23551; bugfix on 0.3.1.1-alpha.
  • Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
    • Remove the length limit on HTTP status lines that authorities can send in their replies. Fixes bug 23499; bugfix on 0.3.1.6-rc.
  • Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
    • Avoid a possible double close of a circuit by the intro point on error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610; bugfix on 0.3.0.1-alpha.
  • Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
    • Clear the address when node_get_prim_orport() returns early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (unit tests, backport from 0.3.2.2-alpha):
    • Fix additional channelpadding unit test failures by using mocked time instead of actual time for all tests. Fixes bug 23608; bugfix on 0.3.1.1-alpha.

Source: https://blog.torproject.org/new-stable-tor-releases-0318-03012-02913-02816-02515

Tor Browser 7.0.8 is released

Tor Browser 7.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

In version 7.0.7 we added a donation banner to point to our end-of-the-year 2017 donation campaign. This new release is fixing a bug which prevented the display of the banner.

The full changelog since Tor Browser 7.0.7 is:

  • All Platforms
    • Update Torbutton to 1.9.7.9
      • Bug 23949: Fix donation banner display
      • Update locale list with translated banner
      • Translations update

Source: https://blog.torproject.org/tor-browser-708-released

Tor Browser 7.5a6 is released

Tor Browser 7.5a6 is now available from the Tor Browser Project page and also from our distribution directory.

This release updates Firefox to 52.4.1esr, Tor to 0.3.2.2-alpha, HTTPS-Everywhere to 2017.10.4 and NoScript to 5.1.2. This release is also fixing some crashes and adding a donation banner starting on Oct 23 in order to point to our end-of-the-year 2017 donation campaign.

The full changelog since Tor Browser 7.5a5 is:

  • All Platforms
    • Update Firefox to 52.4.1esr
    • Update Tor to 0.3.2.2-alpha
    • Update Torbutton to 1.9.8.2
      • Bug 23887: Update banner locales and Mozilla text
      • Translations update
    • Update HTTPS-Everywhere to 2017.10.4
    • Update NoScript to 5.1.2
      • Bug 23723: Loading entities from NoScript .dtd files is blocked
      • Bug 23724: NoScript update breaks Security Slider and its icon disappears
    • Bug 23745: Tab crashes when using Tor Browser to access Google Drive
    • Bug 23694: Update the detailsURL in update responses
    • Bug 22501: Requests via javascript: violate FPI
  • OS X
    • Bug 23807: Tab crashes when playing video on High Sierra
    • Bug 23025: Add some hardening flags to macOS build

Source: https://blog.torproject.org/tor-browser-75a6-released

Tor Browser 7.0.7 is released

Tor Browser 7.0.7 is now available from the Tor Browser Project page and also from our distribution directory.

This release updates Firefox to 52.4.1esr, HTTPS-Everywhere to 2017.10.4 and NoScript to 5.1.2. On Linux the content sandboxing is now enabled. This release is also fixing some crashes and adding a donation banner starting on Oct 23 in order to point to our end-of-the-year 2017 donation campaign.

The full changelog since Tor Browser 7.0.6 is:

  • All Platforms
    • Update Firefox to 52.4.1esr
    • Update Torbutton to 1.9.7.8
      • Bug 23887: Update banner locales and Mozilla text
      • Bug 23526: Add 2017 Donation banner text
      • Bug 23483: Donation banner on about:tor for 2017 (testing mode)
      • Bug 22610: Avoid crashes when canceling external helper app related downloads
      • Bug 22472: Fix FTP downloads when external helper app dialog is shown
      • Bug 22471: Downloading pdf files via the PDF viewer download button is broken
      • Bug 22618: Downloading pdf file via file:/// is stalling
      • Translations update
    • Update HTTPS-Everywhere to 2017.10.4
    • Update NoScript to 5.1.2
      • Bug 23723: Loading entities from NoScript .dtd files is blocked
      • Bug 23724: NoScript update breaks Security Slider and its icon disappears
    • Bug 23745: Tab crashes when using Tor Browser to access Google Drive
    • Bug 22610: Avoid crashes when canceling external helper app related downloads
    • Bug 22472: Fix FTP downloads when external helper app dialog is shown
    • Bug 22471: Downloading pdf files via the PDF viewer download button is broken
    • Bug 22618: Downloading pdf file via file:/// is stalling
    • Bug 23694: Update the detailsURL in update responses
  • OS X
    • Bug 23807: Tab crashes when playing video on High Sierra
  • Linux
    • Bug 22692: Enable content sandboxing on Linux

Source: https://blog.torproject.org/tor-browser-707-released

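October 2017 Circumvention Bulletin (with notes on using I2P to get past the blocking)

Contents

★ Recent circumvention developments
★ Status of common circumvention tools
★ Precautions for circumvention during sensitive periods
★ Why being distributed matters
★ Index of circumvention tutorials

★ Recent circumvention developments

It has been a long time since I published a Circumvention Bulletin. Attentive readers will notice that the previous one was the "August 2015 Circumvention Bulletin", more than two years ago.
Why such a long gap? Mainly because the circumvention situation has been good for the past two years and the commonly used tools have all stayed stable, so I had no motivation to write a bulletin (please forgive my laziness).

Recently, because the government is about to hold the 19th Party Congress, the GFW is, as usual, stepping up its blocking. I had expected the tightening to begin with the National Day holiday on October 1, but for some reason the GFW did not start in earnest until October 9. Presumably the GFW's developers were enjoying the long holiday too, so they waited until the first working day afterwards.
Below I go through the status of several common circumvention tools (the outlook is not good).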

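★ Status of common circumvention tools

I tested several commonly used circumvention tools; the results are below.
From the experience of recent years, the same tool can perform differently in different provinces or on different ISPs, so my own tests are for reference only. Readers are welcome to report their own results.

◇ VPN Gate

In my own tests, from October 9 it became very hard to find a usable VPN Gate server; from October 10 even the server list update mechanism stopped working.
Oddly, when I visited the VPN Gate official site, China was still in second place in the per-country ranking and its total traffic was still growing. This means some users inside the wall can still get out with VPN Gate. If your VPN Gate still works (after October 9), please leave a comment on my blog, and mention your province and which ISP your broadband uses.

The following is feedback from readers:

Guangdong circumvention report:
Guangzhou, China Telecom, VPN Gate: during the National Day and Mid-Autumn holiday most IPs gradually became impossible to connect to normally. By the end of the holiday the situation was even worse, with most IPs failing to connect all day long; some did connect but were cut off very quickly, even though the VPN still showed as connected.

He Huang
VPN Gate still works today; Fuzhou, China Telecom.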

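◇ Lantern (蓝灯)

Lantern released version 4.1.2 on October 8. When the GFW stepped up its blocking on October 9 this version still worked, but by yesterday (October 11) it had stopped working.
In addition, the Lantern team released two more versions in quick succession on October 10 (4.1.3 and 4.1.4); unfortunately both had also stopped working by yesterday (the 11th). Releasing new versions this frequently must be a response to the GFW's blocking over the past few days.
I was a little surprised that Lantern's two newest versions failed right after release. (Seen from another angle, it also shows that the GFW's recent blocking is quite thorough; everyone should be careful.)

The following is feedback from readers:

挪威森林猫:
(Guangdong, China Unicom)
Lantern:
Both the 2.x versions without a traffic cap and the 3.x versions with a traffic cap not only connect every time but are also very fast (720p YouTube doesn't even stutter)...; the same goes for the mobile version.

萩原悠介:
My usual tools are the GAE-based XX-NET and Lantern. I'm in Shanghai, and I've observed that even on the same ISP (China Telecom) circumvention tools seem to behave differently depending on the public IP range. For example, the 114.x addresses that home broadband dial-up most often gets are basically all gone, while the few non-114.x addresses are blocked less severely. I don't know whether carriers in other regions show something similar.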

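◇ Psiphon (赛风)

Over the past year Psiphon has (in my personal impression) been worse than Lantern, so I was not too surprised that the latest Psiphon version, 3.129, does not work.
(Psiphon 3.129 was released on October 9 and likewise failed right after release.)

The following is feedback from readers:

Anonymous:
The other free "wheel" (轮子) tools I checked have basically all fallen; Psiphon 3 works occasionally!
This is on Sichuan China Unicom.

Anonymous:
Guangdong, the mobile version of Psiphon still works...; my first comment, haha!

Anonymous:
I got out using Psiphon 3 plus 四维; other VPNs no longer work. Computer novice!

Anonymous:
With Psiphon, YouTube video download speeds used to exceed 1M regularly. Since the "day of mourning" (殇日) passed, it is only barely good enough for watching online. I could cry. To keep excessive grief from leading to something worse, I have decided to quietly get I2P ready.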

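◇ UltraSurf (无界)

In my own tests the latest UltraSurf version, 16.03, still works, but it has been very unstable since October 9.
If your UltraSurf suddenly drops after running for a while, you can change your public IP and then restart UltraSurf; with luck it will connect again.
(On home broadband, you only need to switch off the dial-up device, wait a while and switch it back on to change your public IP.)

◇ Freegate (自由门)

In my own tests the latest Freegate version, 7.6.1, stopped working on October 9.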

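◇ TOR + meek

TOR was blocked by the GFW seven or eight years ago. Later, however, the TOR project provided the meek plugin, which lets a TOR client reach the TOR network indirectly through overseas computing platforms.
According to reader feedback, "TOR + meek" still works.
For a tutorial on TOR + meek, see: "How to circumvent" series: TOR is revived: installing, tuning and understanding the meek traffic obfuscation plugin

The following is feedback from readers:

挪威森林猫:
(Guangdong, China Unicom)
TOR + meek:
Sometimes it connects, sometimes it doesn't; web pages are OK, YouTube basically isn't.

Anonymous:
Tor + meek gets out; tor + obfs4 was already dead before 國殤日.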

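◇ I2P

(If you have never used I2P, first read "A basic introduction to using I2P".)
In past years, whenever the GFW cracked down and circumvention tools fell in droves, I2P usually stayed standing. (For example, during the 18th Party Congress five years ago, when all sorts of tools failed one after another, I2P was likewise the one that kept working.)
This time is no exception: I2P is still holding up, which is very welcome. (In my own tests it has been usable throughout.)
I2P holds up, but it is slow, so it is best suited to emergency use during periods of severe blocking.

If you are running I2P for the first time, you need to reseed (补种) first. Only after reseeding can I2P join the P2P network. With blocking this severe, how to reseed is something of an art; I cover it separately below.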

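◇ SS (ShadowSocks) and its derivatives

I have never bought a VPS for circumvention (mainly out of concern for anonymity), so I cannot test SS myself.
A few days ago I saw the news item "Chinese researchers use machine learning to identify Tor and Shadowsocks traffic @ Solidot", so my guess is that things do not look good for SS either 😦
If you have used SS recently, please leave a comment on my blog to report how it is doing.

The following is feedback from readers:

Benny Think.:
Some SS/SSR servers first became unreachable and could be reached again after changing the port; for others the IP was walled off and they are completely dead.
SS/SSR is barely hanging on for now; speed and stability are somewhat worse than before.

Anonymous:
Guangdong, China Mobile: SS set up on GCP is relatively stable; using East Asia nodes, latency basically stays in double digits.

i Vanilla:
Tools such as Shadowsocks are affected to some degree at the moment. Using obfs obfuscation may work better; of course this also depends on the encryption algorithm.
V2Ray should work fairly well; give it a try.
The GFW recently blocked a batch of VPS IP ranges, so whatever proxy tool those VPSes run, they cannot be reached.

Unknown:
Anhui, China Telecom: in the evening I cannot connect to SS on Vultr; switching to China Mobile mobile data works fine and is extremely fast. During the day connecting to Vultr works fine, with the speed swinging between fast and slow.

Anonymous:
No problems with SS so far. The ladders I set up myself, from early low versions to recent high versions, all still work.

Anonymous:
SS works. Currently one of my 5 VPSes has a problem, probably because its network range was blocked.

Anonymous:
ss, va2y and SSR are all wailing too.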

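◇ V2Ray

V2Ray depends on a VPS. For the reason given above, I have not tried VPS-based circumvention, so I have not tested V2Ray myself.

The following is feedback from readers:

Anonymous:
During this period V2Ray with HTTP obfuscation or in KCP mode has had no real trouble getting over the wall, and a modified Psiphon build also gets out.
gfw.press also works fine as long as the nodes are updated promptly.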

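◇ A supplementary note on VPS (Virtual Private Server)

Besides SS, some other circumvention methods (such as self-hosted SSH) also depend on a VPS, so a word about VPSes while I am at it.
As far as I know, in this round of tightened blocking the GFW has blocked the network ranges of many VPS providers.
If the network range of the VPS provider you pay for has been added to the GFW's IP blacklist, your VPS is useless (nothing you do will help).

The following is feedback from readers:

cirno scarlet:
I use a self-built SS on 蘑菇云 in Korea, original SS, no obfuscation, with no impact at all;
大杀器 saw a fierce IP attack-and-defence battle yesterday; 石斑鱼 changed a great many IP addresses and seems to have held out;
I hear a great many on BandwagonHost (搬瓦工) have gone down;
It feels like this so-called GFW upgrade is really a human-wave tactic: wherever traffic concentrates, the related IPs get walled.

Unknown:
From what I've observed, the SS servers that went down are concentrated on well-known VPS providers such as BandwagonHost (搬瓦工) and Alibaba Cloud. I use a niche VPS in Singapore with a self-built shadowsocks-libev, no obfs, accelerated with TCP BBR, and it has been fine all along.

Anonymous:
All 3 of my VPSes run SS. Each IP becomes unpingable after a few hours of use, then I switch to another IP and carry on; the unpingable IPs come back to life after a while, they are not dead for good. That's how I've been rotating these days.

Chaos;Code
(・_・;) Liaoning, China Unicom. I'm currently using self-hosted SSR (酸酸乳) on a BandwagonHost (搬瓦工) VPS with obfuscation set very high. The speed is fairly fast, with the occasional unpingable spell (about once a week?), which is probably just the usual flakiness (*>_<*)ノ, nothing serious (・∀・), that's all.

Anonymous:
Goproxy-php, xxnet-php and PHP web proxies with HTTPS directory encryption all work normally; they need a shared web hosting space.

noneme:
Both of my VPSes run ss, ssr and v2ray at the same time; one had its IP blocked.
The other has no problems. Both are servers in the US.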

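◇ Other reader feedback

Some feedback does not fit neatly into any category, so it is collected here.

Bingyu Pan
On the computer only I2P is still holding up now; if tor can connect, it is not much of a problem either (because it is hard to cut off). 石斑鱼's 大杀器 has also held out.
Not usable: lantern, xx net, freegate, VPN gate, psiphon, 无界.
ISPs: Henan China Unicom, Anhui China Mobile, Fujian China Telecom.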

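★ Precautions for circumvention during sensitive periods

Some lessons from experience, for your reference.

◇ Do not rely on a single tool

In a period of severe blocking, keep several circumvention tools ("ladders") at hand.
Some inexperienced users depend on just one ladder; if that one fails, they are stuck.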

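◇ Make sure you have a working I2P

Since I2P tends to hold up, it can serve as an emergency fallback. When tightened GFW blocking breaks many circumvention tools, those tools also release new versions more often in an attempt to get through. I2P's emergency role is exactly this: downloading the new versions of other circumvention tools.
If you are running I2P for the first time, or have not run it for a long time, you must reseed first. There are roughly three ways to reseed I2P:

Method 1: reseed I2P through another circumvention tool
I2P ships with a built-in set of reseed servers. Obviously these were blocked by the GFW long ago. To reseed from them, I2P has to go online through another circumvention tool. If you have another tool at hand that still works, use it to reseed I2P right away.
After starting I2P, open the following address in a browser to reach the I2P reseed page.

http://127.0.0.1:7657/configreseed
On this page tick "Enable HTTP Proxy" and fill in the "Proxy Host" and "Proxy Port" (the values depend on the proxy the other tool provides). Remember to click the save button; I2P can then go online and reseed through the other tool.
Once reseeding is complete and I2P has found other nodes (Peers in the interface is greater than zero), you can untick "Enable HTTP Proxy" and let I2P connect on its own.

Method 2: ask someone else to get an I2P seed file for you

Suppose a friend has a working I2P. Ask the friend to create an I2P seed file and send it to you; then import it on your own I2P reseed page and the reseed will succeed.
To create a seed file:
Open the I2P reseed page and find the item "Create reseed file". If I2P is already connected, this function creates a seed file (containing information about usable I2P nodes). The seed file can be shared with other I2P users.
To import a seed file:
Open the I2P reseed page and find the item "Reseed from file", which imports a seed file. As long as the imported seed file is fresh enough, it can bring an I2P that cannot connect back online.

Note:
Seed files are time-sensitive. The longer ago a seed file was created, the less useful it is, because the nodes of the I2P network change constantly and the node information in an old seed file may be out of date. Generally, a seed file from the last day or two is "fresh", while one more than a week old is "stale".

Method 3: get an I2P seed file through BT Sync (Resilio Sync)

If you have neither another working circumvention tool nor a friend who can create a seed file for you, there is a third option: get seed files from the BTsync (Resilio Sync) share I provide.
Regular readers of my blog will know that I provide a BTsync share for distributing circumvention tools. Its sync key is:

BTLZ4A4UD3PEWKPLLWEOKH3W7OQJKFPLG
Last month I put the latest version of I2P (0.9.31) on this share, in the I2P directory. Since yesterday (October 11) I have also put several seed files there (in the seeds subdirectory of the I2P directory). Each seed file's name is the domain name of the reseed server I downloaded it from; the file extension is su3.
While circumvention remains difficult I will try to update these seed files as often as I can.

Note:
If I created seed files from my own I2P interface, they might contain information related to my own network environment.
So, to protect my own anonymity, the seed files I share are downloaded from public reseed servers. To make sure the seed files are reliable, I used the reseed servers built into I2P (the I2P reseed page lists these servers).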

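◇ Run I2P and BTsync regularly

I2P and BT Sync (Resilio Sync) both use Kad (Kademlia) technology for P2P networking. Their clients cache information about the nodes they are currently connected to. If you only close the client briefly, on the next run it can still find other nodes on the Internet from the cached node information and connect normally.
But if you have not run I2P or BTsync for a long time, the node information cached by the client is out of date (no longer fresh), and on the next run the client cannot find other nodes. In that case you have to reseed again.
So how long counts as "a long time"? From experience, more than a week. To be safe, run them at least once every day or two so that the I2P or BTsync client refreshes its P2P node information. If you can, leave the I2P or BTsync client running all the time.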

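◇ Keep an offline copy of this blog on your computer

Years ago I started sharing an offline copy of the blog through a BT Sync share.
During severe blocking, if you keep an offline copy of the blog at hand, you can read my circumvention tutorials without going online.
To get the offline copy of this blog, use the following sync key:
B7P64IMWOCXWEYOXIMBX6HN5MHEULFS4V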

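★ Why being distributed matters

I have gone on about the importance of being distributed many times, for example in: "N kinds of technical force for resisting autocracy and defending freedom"

In this round of tightened GFW blocking many circumvention tools failed while I2P and BTsync kept working, which shows once more how important fully decentralized P2P is. Both tools are built on a Kad network, which also shows that the Kad network is battle-tested.

If you are interested in networking and want to know how Kad works, see my post from a few weeks ago: "How distributed hash tables (DHT) work, using Kademlia (Kad) and Chord as examples"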

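★ Index of circumvention tutorials

The tutorials below are all on my blog (circumvention required).
Once more: if you already sync the offline copy of this blog automatically with BT Sync (Resilio Sync), you can read these tutorials without going online.

◇ Basic tutorials

How to circumvent (the comprehensive beginner's guide, updated regularly)
Ways to obtain circumvention software (how to get it when you cannot yet circumvent)
How to share a circumvention channel among several computers
How does the GFW block Resilio Sync (BTSync), and how to keep using it without circumvention?
Introduction to BT Sync: not just a sync tool but a distributed network drive

◇ Tutorials for individual circumvention tools

A basic introduction to using I2P
Frequently asked questions about TOR
Introduction to VPN Gate: distributed VPN servers
The new UltraSurf (无界): another option after Psiphon 3 stopped working
Psiphon 3, the two-pronged tool
"How to circumvent" series: TOR is revived: installing, tuning and understanding the meek traffic obfuscation plugin
fqrouter: a circumvention tool for Android (no root required)
Freegate (自由門): another option after TOR was blocked
How to circumvent with a "wrapper" (戴“套”)
Introduction to VPN circumvention, using Hotspot Shield as an example
Source: https://program-think.blogspot.com/2017/10/gfw-news.html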

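Tutorial: setting up a v2Ray server on a BandwagonHost (搬瓦工) VPS, for use with clients such as ShadowRay and v2Ray

A word up front. Because the author of Shadowrocket ("小火箭") released the app ShadowRay, and because I am a very curious person (my earlier SS setup, and this blog site too, were built by Googling and feeling my way), I started Googling and puzzling over v2Ray as a circumvention method, and then hammered away at it on BandwagonHost: try, fail, try, fail. In a fit of temper I dropped it; it was too frustrating. A day later, once I had calmed down, I thought: this is too pathetic! I refused to believe I couldn't get it working. I have been stubborn as a mule since I was small, and so this article was born. Enough chatter; the detailed steps follow. If it is not to your taste, please don't flame me: I am a complete technical novice who doesn't understand code or academic terminology and has nothing but a stubborn streak. If you find this article useful, pass it on to friends.

Afterwards I tried the setup on another BandwagonHost VPS and on my own Vultr instance, and both succeeded. After setting it up I used it for a day (on Mac and iOS); I don't know whether it is psychological, but the speed was surprisingly fast. On to the method.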

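Timeline: updated 2017-10-12

After setting up both Shadowsocks and v2Ray on the same VPS, you may find that SS works but v2Ray does not. I ran into this too; the fix is to turn on the firewall (Ubuntu 1.6 system).

Steps:

1. Run: apt-get install ufw and press Enter; wait for the automatic installation.

2. Run: ufw enable and press Enter.

(If the following prompt appears:

Command may disrupt existing ssh connections. Proceed with operation (y|n)? y

choose y and press Enter.)

3. Run: ufw allow 22 and press Enter.

4. Run: ufw allow xxx and press Enter (xxx is the port configured in your v2Ray client).

5. If Shadowsocks is also set up on the VPS, run the same command with xxx replaced by the Shadowsocks port, and press Enter.

6. Run: ufw status and press Enter to view the firewall status; the ports should all show as allowed.

This way both Shadowsocks and v2Ray can get over the wall on the same VPS.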
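
The tutorial logs in with ssh -p and a provider-assigned port, so SSH on the VPS may not be listening on 22, and enabling ufw before the real SSH port is allowed can cut off the session. The following added example (not part of the original tutorial) reads the SSH port from sshd_config text and prints the ufw commands in a lockout-safe order without running them; the sample config and the ports 10086 and 8388 are constructed placeholders.

```sh
#!/bin/sh
# Added example: print ufw commands in a lockout-safe order (nothing is executed).

# Constructed sample sshd_config: SSH listens on a non-default port.
SAMPLE_SSHD_CONFIG='# constructed sample, not from a real server
Port 28456
PermitRootLogin yes
#Port 22
'

# Read sshd_config text on stdin and print each active Port value.
# Commented lines are skipped; OpenSSH listens on 22 when no Port is set.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }')
    if [ -z "$ports" ]; then echo 22; else printf '%s\n' "$ports"; fi
}

# Succeed only for a decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ufw_plan SSHD_CONFIG_TEXT PROXY_PORT...
# SSH rules come first and "enable" comes last, so the session that runs the
# plan is never left without an allow rule.
ufw_plan() {
    cfg=$1
    shift
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    for sp in $(printf '%s\n' "$cfg" | sshd_ports); do
        echo "ufw allow $sp/tcp"
    done
    for p in "$@"; do
        echo "ufw allow $p"
    done
    echo "ufw --force enable"
    echo "ufw status verbose"
}

# Assumed ports for illustration: 10086 for v2Ray, 8388 for Shadowsocks.
ufw_plan "$SAMPLE_SSHD_CONFIG" 10086 8388
```

On a real server, feed the function the contents of /etc/ssh/sshd_config and review the printed commands before running them as root.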

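On Android I use v2RayNG, and it is blazing fast.

Timeline: updated 2017-10-11

1. BandwagonHost works fine with CentOS 7; Vultr did not, so I later switched to Ubuntu 1.6.

2. Remember to turn the firewall on, otherwise you cannot connect even after the setup is done.
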

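What you need

1. A VPS: know its IP, SSH port and root password. BandwagonHost's root password has to be generated each time; Vultr's is fixed.

2. Get a password in advance from this site: https://www.uuidgenerator.net/

3. An SSH tool for remote login: on Windows you can use PuTTY; on Mac use the built-in Terminal. A side recommendation: if you like a Windows-style terminal on the Mac, you can download Shuttle.

4. Download the v2Ray client (Windows/Mac) in advance from https://github.com/v2ray/v2ray-core/releases/tag/v2.40 , choosing the build for your device, and unpack it after downloading.

Once all of this is ready, you can start.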

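Server configuration

First open a terminal. I use a Mac, so this mainly covers the Mac, but the Windows method is included too. The VPS is of course a BandwagonHost machine, ideal for practice and able to take a beating; the system is CentOS 7.

Enter ssh -p PORT root@IP-ADDRESS and press Enter; you will be prompted for the password. Copy the password, paste it and press Enter to log in. Note: the password is not displayed after pasting; just press Enter.

After logging in successfully you can enter the commands to install the server.

Step 1: The automatic install script supports all mainstream systems and completes the installation with a single command. Copy the command below, paste it and press Enter.

bash <(curl -L -s https://install.direct/go.sh)

The script automatically installs unzip and daemon, and installs the following two files:

/usr/bin/v2ray/v2ray: the V2Ray program;

/etc/v2ray/config.json: the configuration file;

When the script finishes without errors it reports that the installation succeeded; then continue as follows. (If you can't read English: "v2Ray v.x.x.x is installed" means it succeeded.)

Step 2: Enter vi /etc/v2ray/config.json and press Enter to open the file in vi; now configure the server.

The places to change are the ones marked with text. Write down what you changed, then save and exit.
(For many people the hardest part is probably editing the JSON. For the specific shortcut keys, please click here and follow the introduction there; for anything else, Google it.)

Step 3: Enter service v2ray start and press Enter to start V2Ray; it will report a successful start. (Afterwards you can use service v2ray start|stop|status|reload|restart|force-reload to control V2Ray.) At this point the server is set up.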

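Client configuration

Mac

Mac first. Open the client folder that you downloaded and unpacked in item 4 of the preparation list; inside is a config.json file. Double-click to open it.

Once it is open, change the places marked in Chinese in the screenshot below and save. For how to save, search for vi shortcuts (when I have time I will write up the vi operations needed here).

After saving, right-click "v2Ray" in the folder and choose to open it with Terminal.

Then open the v2ray client and fill in the corresponding information, and you can get over the wall (on Mac the client has to be downloaded separately; click here to download).

Windows

On Windows it is the same: first find the config.json file and change the IP, port, password and other details (they must match what was configured in the first step), save, then double-click v2Ray, fill in the details as in the figure above and save.

iOS

On iOS I currently use ShadowRay, written by the author of Shadowrocket ("小火箭"). It is in the testing phase and I have joined the test. ShadowRay (Twitter: @ShadowRayApp) purchase link: click here

Figure 1

Figure 2

The configuration is much the same: fill in the IP, port, password, encryption method and so on to match the server configuration.

The above are the steps I wrote down, from memory and from what I had saved, right after my own setup succeeded. It is messy and rough and I will revise it later; it is meant as a reference for others and as something I can review myself. Before succeeding I tried many times and was defeated each time, always because of details and conceptual mistakes that I had not understood. I believe the biggest difficulty for most people is not knowing how to edit after entering vi to edit the JSON, so I made a point of catching up and learning how to use vi. My advice to anyone who gets stuck at this step is to do the same; trust me on this. Still, just as when I set up SS, things went wrong for all sorts of reasons; fortunately I did not give up. Trial and error + Google + asking for help when appropriate = a better chance of success.

There are many articles about this online, but they all seem to be written for programmers; novices can't follow them, or not completely. I am a novice, so I wrote the steps the clumsy way a novice would. I hope everyone who reads this can follow the steps and succeed, and I hope the veterans won't flame me and will offer suggestions.

All right, that's it for now. All for world peace!

Source: http://www.liyonge.com/2017/10/11/v2ray/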

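[Practical guide] Step by step: how to "build a ladder"

Under a new ban from China's Ministry of Industry and Information Technology, the network access services market will undergo a 14-month clean-up from January 22, 2017 to March 31, 2018, and large numbers of VPN services will soon face rectification and removal.

If you want to enjoy a free and unrestricted Internet, use Google Scholar to write papers, use the excellent products and services of the world's top Internet companies without obstacles, and follow your idols' latest news on social networks such as Instagram, Facebook and Twitter, what can you do?
Better to teach someone to fish than to give them a fish: follow this tutorial to build your own stable, fast "ladder" with plenty of traffic for personal use.

Preparation:
1. A credit card with the VISA logo; register for PayPal and link the card to pay for the VPS.
2. A rough understanding of the most basic SS knowledge: "SS guide (summary and classification): from nothing to something, with no end to learning!" It is best to read the linked article a few times; you don't need to know it thoroughly, a general idea is enough.

Ladder tutorial:
I. Buy a VPS and log in to the server over SSH
1. Click the link to register: http://www.vultr.com/?ref=7122815 (with this link both you and I get an extra 10 US dollars off) and choose the plan that suits your needs. Click the link for the illustrated tutorial.
For personal use with modest traffic needs, I suggest the lowest tier at 2.5 US dollars/month with 500 G of traffic per month; spare traffic can be shared with friends.
2. Learn the basics of the Linux text editor Vim: tutorial
3. Create the VPS and get into SSH: tutorial (computer + phone tutorial)
4. Log in to the VPS over SSH: tutorial

II. Install and configure the SS service
Choose one of two options:
1⃣ [Illustrated] Manually setting up SS and ServerSpeeder (锐速), tutorial by @VVFGV
2⃣ One-click setup script, by @toyo13140010096
The script is open source.
[Video tutorial] ShadowsocksR server installation + client usage
Video tutorial for beginners

Starting the SS server and keeping it running permanently

III. Optimize SS performance
To speed up the ladder, see the SS setup links in step II; with the one-click setup script you can choose to install the acceleration directly. With TCP-BBR installed, the author's Vultr Japan SS node plays YouTube 720P HD video without trouble at any time of day, though 1080P stutters slightly during peak hours.

IV. Download a client and use the SS service
1⃣ Download a client
SSR clients for Windows, iOS and Android: client download
Find the SSR client download under LAYOUTS in the top right corner of the page
SSR official client download (ladder required)
2⃣ Use the SS service
Enter the server IP address, remote port, password and encryption method obtained after a successful setup into the client, in that order. If an SS QR code was generated, you can scan it to add the node directly.
Reference tutorial, part 7 at the end: configuring the Shadowsocks Windows client

V. Enjoy a free Internet without the wall.
Wikipedia: List of websites blocked in the People's Republic of China
What to read after getting over the wall

VI. Fixes for common errors
The tutorials above include illustrated guides, video tutorials and a one-click setup script; once you know the SS basics, following them is easy, but you will always run into some errors and problems. Here are fixes for several of them, for reference.

Simple troubleshooting when SS stops working
Fix for the "SS port already in use" error
Fix for dial-up users who cannot use SS
Summary of common beginner questions about SS
Fix for the browser being unable to go online after SS is closed while QQ works normally

Source: https://murongxun.wordpress.com/2017/07/25/第一篇博文/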

XX-Net 3.6.8

Fix small bugs:

  • remove WebUI x-tunnel Charge but not buy traffic link
  • fix x-tunnel check_ip bug
  • auto disable dump_cert link if OpenSSL lib not support this api.

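Latest status:

2017-10-06

  • GAE is heavily blocked; please update to 3.6.7 or later. If no IPs can be found by scanning, consider enabling IPv6 or using X-tunnel; see the earlier discussions in the Issues section for details.
  • X-Tunnel is suffering heavy interference. (Usage tutorial)
    The X-Tunnel database had a problem and some users lost their plan traffic; please email xxnet.dev@gmail.com.

Source: https://github.com/XX-net/XX-Net/releases/tag/3.6.8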

Tor Browser 7.5a5 is released

Tor Browser 7.5a5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Besides the usual Firefox security and extensions updates this alpha contains a bunch of long-awaited features:

  1. We include Tor 0.3.2.1-alpha, the first alpha release in the 0.3.2 series, with support for next generation onion services and a new circuit scheduler, KIST.
  2. Thanks to the work of Jed Davis we are able to ship a content sandbox for Linux users. While the content sandbox is disabled in Firefox 52 ESR versions, which Tor Browser is based on, backported patches allow us to protect our Linux users with the same mechanisms that are provided to regular Firefox users.
  3. The content sandbox is enabled for Windows users as well. While we still need to clean up our workarounds to get the sandboxing code to work with our mingw-w64 compiler, we think the enabled sandbox is ready for a wider testing in our alpha series. Please give it a try if you can.
  4. Although this change should be invisible to users, we switched our build system from gitian/tor-browser-bundle to rbm/tor-browser-build. The build should continue to be reproducible and if you want to do a build yourself the README file in the tor-browser-build repository has some information.

Update: Tor Browser 7.5a5 is broken when using the sandboxed-tor-browser version 0.0.13, due to bug 23692. Version 0.0.14 of the sandboxed-tor-browser has been released to fix that issue.

Note: The release date in the changelog displayed after the update is incorrect. The actual release date is September 28.

The full changelog since Tor Browser 7.5a4 is:

  • All Platforms
    • Update Firefox to 52.4.0esr
    • Update Tor to 0.3.2.1-alpha
    • Update Torbutton to 1.9.8.1
      • Bug 20375: Warn users after entering fullscreen mode
      • Bug 22989: Fix dimensions of new windows on macOS
      • Bug 23526: Add 2017 Donation banner text
      • Bug 23483: Donation banner on about:tor for 2017 (testing mode)
      • Translations update
    • Update Tor Launcher to 0.2.13
      • Bug 23240: Retrieve current bootstrap progress before showing progress bar
      • Bug 22232: Add README on use of bootstrap status messages
      • Translations update
    • Update HTTPS-Everywhere to 2017.9.12
    • Update NoScript to 5.0.10
    • Update sandboxed-tor-browser to 0.0.13
    • Bug 23393: Don’t crash all tabs when closing one tab
    • Bug 23166: Add new obfs4 bridge to the built-in ones
    • Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
    • Bug 21270: NoScript settings break WebExtensions add-ons
    • Bug 23104: CSS line-height reveals the platform Tor Browser is running on
  • Windows
    • Bug 16010: Enable content sandboxing on Windows
    • Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
    • Bug 23396: Update the msvcr100.dll we ship
    • Bug 23230: Fix build error on Windows 64
  • OS X
    • Bug 23404: Add missing Noto Sans Buginese font to the macOS whitelist
  • Linux
    • Bug 10089: Set middlemouse.contentLoadURL to false by default
    • Bug 22692: Enable content sandboxing on Linux
    • Bug 18101: Suppress upload file dialog proxy bypass (linux part)
  • Build System
    • All Platforms
      • Switch from gitian/tor-browser-bundle to rbm/tor-browser-build

Source: https://blog.torproject.org/tor-browser-75a5-released