Tor is out

Tor moves us closer to handling IPv6 destinations,
puts in a lot of the infrastructure for adding authorization to hidden
services, lays the groundwork for having clients read their load balancing
information out of the networkstatus consensus rather than the individual
router descriptors, addresses two potential anonymity issues, and fixes
a variety of smaller issues.

This development release has a known bug when you configure it to use
bridge relays; we recommend that bridge users wait for the next release.


Changes in version - 2008-08-31
  o Major features:
    - Convert many internal address representations to optionally hold
      IPv6 addresses.
    - Generate and accept IPv6 addresses in many protocol elements.
    - Make resolver code handle nameservers located at IPv6 addresses.
    - Begin implementation of proposal 121 ("Client authorization for
      hidden services"): configure hidden services with client
      authorization, publish descriptors for them, and configure
      authorization data for hidden services at clients. The next
      step is to actually access hidden services that perform client
    - More progress toward proposal 141: Network status consensus
      documents and votes now contain bandwidth information for each
      router and a summary of that router's exit policy. Eventually this
      will be used by clients so that they do not have to download every
      known descriptor before building circuits.

  o Major bugfixes (on 0.2.0.x and before):
    - When sending CREATED cells back for a given circuit, use a 64-bit
      connection ID to find the right connection, rather than an addr:port
      combination. Now that we can have multiple OR connections between
      the same ORs, it is no longer possible to use addr:port to uniquely
      identify a connection.
    - Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
    - If not enough of our entry guards are available so we add a new
      one, we might use the new one even if it overlapped with the
      current circuit's exit relay (or its family). Anonymity bugfix
      pointed out by rovv.

  o Minor bugfixes:
    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
      794; bug spotted by rovv. Bugfix on
    - When using the TransPort option on OpenBSD, and using the User
      option to change UID and drop privileges, make sure to open /dev/pf
      before dropping privileges. Fixes bug 782. Patch from Christopher
      Davis. Bugfix on
    - Correctly detect the presence of the linux/netfilter_ipv4.h header
      when building against recent kernels. Bugfix on
    - Add a missing safe_str() call for a debug log message.
    - Use 64 bits instead of 32 bits for connection identifiers used with
      the controller protocol, to greatly reduce risk of identifier reuse.
    - Make the autoconf script accept the obsolete --with-ssl-dir
      option as an alias for the actually-working --with-openssl-dir
      option. Fix the help documentation to recommend --with-openssl-dir.
      Based on a patch by "Dave". Bugfix on

  o Minor features:
    - Rate-limit too-many-sockets messages: when they happen, they happen
      a lot. Resolves bug 748.
    - Resist DNS poisoning a little better by making sure that names in
      answer sections match.
    - Print the SOCKS5 error message string as well as the error code
      when a tor-resolve request fails. Patch from Jacob.

Attachment: signature.asc
Description: Digital signature
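
The "Resist DNS poisoning" item above, as an added C example that is not Tor's resolver code: it assumes "match" means an answer record is trusted only if its owner name equals the name in the question section. `read_name`, `count_foreign_answers` and `SAMPLE_REPLY` are hypothetical names, and the reply bytes are constructed.

```c
#include <stdint.h>
#include <strings.h> /* strcasecmp, size_t */
/* Decode the name at *off into out[256] as dotted text, following compression
 * pointers, and advance *off past it. Returns 0, or -1 if malformed. */
static int read_name(const uint8_t *p, size_t len, size_t *off, char *out) {
  size_t pos = *off, n = 0, jumps = 0;
  for (;;) {
    if (pos >= len) return -1;
    uint8_t l = p[pos++];
    if (l == 0) break;                           /* root label ends the name */
    if ((l & 0xC0) == 0xC0) {                    /* compression pointer */
      if (pos >= len || ++jumps > 16) return -1; /* bound pointer chains and loops */
      if (jumps == 1) *off = pos + 1;            /* record resumes after first pointer */
      pos = ((size_t)(l & 0x3F) << 8) | p[pos];
      continue;
    }
    if (l > 63 || pos + l > len || n + l + 1 > 255) return -1;
    if (n) out[n++] = '.';
    for (; l; l--, pos++) {                      /* bytes that make the text form ambiguous */
      if (p[pos] == 0 || p[pos] == '.') return -1;
      out[n++] = (char)p[pos];
    }
  }
  if (!jumps) *off = pos;
  out[n] = '\0';
  return 0;
}

/* Count answer records whose owner name is not the question name; -1 if malformed. */
int count_foreign_answers(const uint8_t *p, size_t len) {
  char qname[256], aname[256];
  size_t off = 12;                               /* fixed DNS header size */
  int foreign = 0;
  if (len < 12 || ((p[4] << 8) | p[5]) != 1) return -1; /* expect one question */
  if (read_name(p, len, &off, qname) < 0 || (off += 4) > len) return -1;
  for (unsigned i = 0, an = (p[6] << 8) | p[7]; i < an; i++) {
    if (read_name(p, len, &off, aname) < 0 || off + 10 > len) return -1;
    off += 10 + (((size_t)p[off + 8] << 8) | p[off + 9]); /* fixed fields + RDATA */
    if (off > len) return -1;
    if (strcasecmp(qname, aname) != 0) foreign++;
  }
  return foreign;
}

static const uint8_t SAMPLE_REPLY[] = { /* constructed reply, not captured traffic */
  0x12,0x34, 0x81,0x80, 0,1, 0,2, 0,0, 0,0,        /* header: 1 question, 2 answers */
  3,'w','w','w', 7,'e','x','a','m','p','l','e', 4,'t','e','s','t', 0, 0,1, 0,1,
  0xC0,12, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1,     /* owner: pointer to question name */
  4,'e','v','i','l', 0xC0,16, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,66 }; /* evil.example.test */
```

A resolver applying this check ignores the flagged records. The same comparison also flags records reached through a CNAME chain, so a resolver that follows CNAMEs has to track the expected name along the chain.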