Following up on our research on secure Intent interactions, we are now announcing the first working version of the TrustedIntents library for Android. It provides methods for checking any Intent for whether the sending and receiving app matches a specified set of trusted app providers. It does this by “pinning” to the signing certificate of the APKs. The developer includes this “pin” in the app, which includes the signing certificate to trust, then TrustedIntents checks Intents against the configured certificate pins. The library includes pins for the Guardian Project and Tor Project signing certificates. It is also easy to generate the pin using our new utility Checkey (available in our FDroid repo and in Google Play).

Checkey displaying the signing certificate of ChatSecure

We hope to make this process as dead simple as possible by providing developers with this library. TrustedIntents is currently set up as an “Android Library Project”, but it could easily be a jar too. The code is currently quite simple; the plan is to add more convenience methods and also support for TOFU/POP in addition to pinning. For usage examples, check out TrustedIntentsExample and the test project under the test/ subdir of the TrustedIntents library source repo.

Checkey includes a simple method for generating the certificate pins. The pin takes the form of a Java subclass of ApkSignaturePin, which provides all needed utility functions. To create the pin file, first install the app whose certificate you want to trust. Be sure to get it from a trusted source, since you are going to be trusting the signing certificate of the APK that you have installed. Launch Checkey and select that app in the list; you will see the certificate details show up at the top. To generate the .java file for pinning Intents, select Generate Pin from the menu and send the resulting file to yourself. That file is the pin. Include it in your project, then load it into TrustedIntents in onCreate() or wherever is appropriate:

TrustedIntents ti = TrustedIntents.get(context);

How to generate a pin file with Checkey

Gathering all the edge cases

One of the things I’ve focused on in the TrustedIntents library is thinking about all the possible edge cases and how to check for them. It is rare that the main part of a security check algorithm fails; it’s almost always the edge cases that are the gotcha.

One example: TrustedIntents should properly check all signing certificates on an APK. From what I’ve seen, it is rare that APKs are signed by more than one certificate, but the spec allows for that. There might be exploits related to not handling that.

Another thing is that TrustedIntents uses the method that the Android code uses for comparing signatures: it does a byte-by-byte comparison of the signature byte arrays. Some apps are already doing something similar based on the hash of the signing certificate (i.e. the “fingerprint”). The Android technique will also be faster than hashing, since the hash algorithm has to read the whole signature byte array anyway.
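The two edge cases above, as an added example: this is a Python model written for this page, not TrustedIntents' own Java code. It assumes a policy in which the APK's complete set of signing certificates must equal a pin's set, compared byte for byte; the function names and the certificate bytes are constructed for illustration.

```python
"""Pin matching over an APK's full signer set (Python model, constructed data)."""
from typing import Optional, Sequence

# Constructed placeholder bytes standing in for DER-encoded signing certificates.
CERT_A = b"\x30\x82\x01\x0a" + b"A" * 16
CERT_B = b"\x30\x82\x01\x0a" + b"B" * 16
CERT_X = b"\x30\x82\x01\x0a" + b"X" * 16   # a signer that no pin lists

# Two pins: one single-signer app and one app signed by two certificates.
PINS = [[CERT_A], [CERT_A, CERT_B]]


def first_cert_only(apk_sigs: Sequence[bytes], pin_sigs: Sequence[bytes]) -> bool:
    """Flawed check kept for contrast: looks at the first signer and ignores the rest."""
    return bool(apk_sigs) and bool(pin_sigs) and apk_sigs[0] == pin_sigs[0]


def signer_sets_equal(apk_sigs: Optional[Sequence[bytes]],
                      pin_sigs: Optional[Sequence[bytes]]) -> bool:
    """True only if every signer on the APK is in the pin and vice versa."""
    if not apk_sigs or not pin_sigs:
        return False          # missing signature data never matches
    if any(len(s) == 0 for s in list(apk_sigs) + list(pin_sigs)):
        return False          # an empty signature array is malformed
    if len(apk_sigs) != len(pin_sigs):
        return False          # an extra or missing signer is a mismatch
    # bytes == bytes compares the raw arrays byte by byte, with no hashing step;
    # sorting both sides makes the order of the signers irrelevant.
    return all(a == p for a, p in zip(sorted(apk_sigs), sorted(pin_sigs)))


def is_trusted(apk_sigs: Optional[Sequence[bytes]],
               pins: Sequence[Sequence[bytes]]) -> bool:
    """An APK is trusted when its whole signer set equals one configured pin."""
    return any(signer_sets_equal(apk_sigs, pin) for pin in pins)


def demo() -> dict:
    """Run the edge cases and return the verdict for each."""
    return {
        "single signer, pinned": is_trusted([CERT_A], PINS),
        "two signers, other order": is_trusted([CERT_B, CERT_A], PINS),
        "pinned + unpinned signer (first-cert check)":
            first_cert_only([CERT_A, CERT_X], [CERT_A]),
        "pinned + unpinned signer (full-set check)":
            is_trusted([CERT_A, CERT_X], PINS),
        "no signatures at all": is_trusted([], PINS),
        "empty signature array": is_trusted([CERT_A, b""], PINS),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```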

We’d love to have feedback, flames, comments, etc on any and all of this. Let us know how it works for you!

Guardian Project | The Guardian Project | 2014-07-31 03:29:23

This advisory was posted on the tor-announce mailing list.


On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.

Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.

Relays should upgrade to a recent Tor release ( or, to close the particular protocol vulnerability the attackers used — but remember that preventing traffic confirmation in general remains an open research problem. Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service.


We believe they used a combination of two classes of attacks: a traffic confirmation attack and a Sybil attack.

A traffic confirmation attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and then compares traffic timing, volume, or other characteristics to conclude that the two relays are indeed on the same circuit. If the first relay in the circuit (called the "entry guard") knows the IP address of the user, and the last relay in the circuit knows the resource or destination she is accessing, then together they can deanonymize her. You can read more about traffic confirmation attacks, including pointers to many research papers, at this blog post from 2009:

The particular confirmation attack they used was an active attack where the relay on one end injects a signal into the Tor protocol headers, and then the relay on the other end reads the signal. These attacking relays were stable enough to get the HSDir ("suitable for hidden service directory") and Guard ("suitable for being an entry guard") consensus flags. Then they injected the signal whenever they were used as a hidden service directory, and looked for an injected signal whenever they were used as an entry guard.

The way they injected the signal was by sending sequences of "relay" vs "relay early" commands down the circuit, to encode the message they want to send. For background, Tor has two types of cells: link cells, which are intended for the adjacent relay in the circuit, and relay cells, which are passed to the other end of the circuit. In 2008 we added a new kind of relay cell, called a "relay early" cell, which is used to prevent people from building very long paths in the Tor network. (Very long paths can be used to induce congestion and aid in breaking anonymity). But the fix for infinite-length paths introduced a problem with accessing hidden services, and one of the side effects of our fix for bug 1038 was that while we limit the number of outbound (away from the client) "relay early" cells on a circuit, we don't limit the number of inbound (towards the client) relay early cells.

So in summary, when Tor clients contacted an attacking relay in its role as a Hidden Service Directory to publish or retrieve a hidden service descriptor (steps 2 and 3 on the hidden service protocol diagrams), that relay would send the hidden service name (encoded as a pattern of relay and relay-early cells) back down the circuit. Other attacking relays, when they get chosen for the first hop of a circuit, would look for inbound relay-early cells (since nobody else sends them) and would thus learn which clients requested information about a hidden service.

There are three important points about this attack:

A) The attacker encoded the name of the hidden service in the injected signal (as opposed to, say, sending a random number and keeping a local list mapping random number to hidden service name). The encoded signal is encrypted as it is sent over the TLS channel between relays. However, this signal would be easy to read and interpret by anybody who runs a relay and receives the encoded traffic. And we might also worry about a global adversary (e.g. a large intelligence agency) that records Internet traffic at the entry guards and then tries to break Tor's link encryption. The way this attack was performed weakens Tor's anonymity against these other potential attackers too — either while it was happening or after the fact if they have traffic logs. So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future.

(This concern is in addition to the general issue that it's probably unwise from a legal perspective for researchers to attack real users by modifying their traffic on one end and wiretapping it on the other. Tools like Shadow are great for testing Tor research ideas out in the lab.)

B) This protocol header signal injection attack is actually pretty neat from a research perspective, in that it's a bit different from previous tagging attacks which targeted the application-level payload. Previous tagging attacks modified the payload at the entry guard, and then looked for a modified payload at the exit relay (which can see the decrypted payload). Those attacks don't work in the other direction (from the exit relay back towards the client), because the payload is still encrypted at the entry guard. But because this new approach modifies ("tags") the cell headers rather than the payload, every relay in the path can see the tag.

C) We should remind readers that while this particular variant of the traffic confirmation attack allows high-confidence and efficient correlation, the general class of passive (statistical) traffic confirmation attacks remains unsolved and would likely have worked just fine here. So the good news is traffic confirmation attacks aren't new or surprising, but the bad news is that they still work. See for more discussion.

Then the second class of attack they used, in conjunction with their traffic confirmation attack, was a standard Sybil attack — they signed up around 115 fast non-exit relays, all running on or Together these relays summed to about 6.4% of the Guard capacity in the network. Then, in part because of our current guard rotation parameters, these relays became entry guards for a significant chunk of users over their five months of operation.

We actually noticed these relays when they joined the network, since the DocTor scanner reported them. We considered the set of new relays at the time, and made a decision that it wasn't that large a fraction of the network. It's clear there's room for improvement in terms of how to let the Tor network grow while also ensuring we maintain social connections with the operators of all large groups of relays. (In general having a widely diverse set of relay locations and relay operators, yet not allowing any bad relays in, seems like a hard problem; on the other hand our detection scripts did notice them in this case, so there's hope for a better solution here.)

In response, we've taken the following short-term steps:

1) Removed the attacking relays from the network.

2) Put out a software update for relays to prevent "relay early" cells from being used this way.

3) Put out a software update that will (once enough clients have upgraded) let us tell clients to move to using one entry guard rather than three, to reduce exposure to relays over time.

4) Clients can tell whether they've received a relay or relay-early cell. For expert users, the new Tor version warns you in your logs if a relay on your path injects any relay-early cells: look for the phrase "Received an inbound RELAY_EARLY cell".
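The direction rule behind steps 2 and 4, as an added example: this is a Python model written for this page, not Tor's own code. It assumes that any inbound relay-early cell closes the circuit and that outbound relay-early cells are limited to 8 per circuit; the class, the log line layout and the cell traces are constructed, and only the warning phrase comes from the advisory.

```python
"""Per-circuit RELAY_EARLY direction check (illustrative model, constructed input)."""
from dataclasses import dataclass, field

RELAY, RELAY_EARLY = "RELAY", "RELAY_EARLY"
OUTBOUND, INBOUND = "outbound", "inbound"   # away from / towards the client

# Phrase the advisory tells expert users to look for in their logs.
WARNING_PHRASE = "Received an inbound RELAY_EARLY cell"

# Assumed per-circuit budget for outbound RELAY_EARLY cells (parameter of this model).
MAX_OUTBOUND_RELAY_EARLY = 8


@dataclass
class Circuit:
    circ_id: int
    outbound_early_left: int = MAX_OUTBOUND_RELAY_EARLY
    closed: bool = False
    log: list = field(default_factory=list)

    def on_cell(self, direction: str, command: str) -> bool:
        """Process one cell; return True if accepted, False if dropped."""
        if self.closed:
            return False                      # nothing passes on a closed circuit
        if command != RELAY_EARLY:
            return True                       # ordinary relay cells are unrestricted
        if direction == INBOUND:
            # Nobody has a legitimate reason to send these towards the client.
            self.log.append(f"[warn] {WARNING_PHRASE} on circuit {self.circ_id}.")
            self.closed = True
            return False
        if self.outbound_early_left == 0:
            # The outbound limit is what prevents very long paths.
            self.log.append(f"[warn] Outbound RELAY_EARLY budget exhausted "
                            f"on circuit {self.circ_id}.")
            self.closed = True
            return False
        self.outbound_early_left -= 1
        return True


def replay(circ_id: int, cells) -> tuple:
    """Feed a trace of (direction, command) pairs; return (accepted count, circuit)."""
    circ = Circuit(circ_id)
    accepted = sum(1 for direction, command in cells
                   if circ.on_cell(direction, command))
    return accepted, circ


def find_warnings(log_lines) -> list:
    """Return the log lines that carry the advisory's warning phrase."""
    return [line for line in log_lines if WARNING_PHRASE in line]


# Constructed traces. NORMAL: three extends, then ordinary traffic both ways.
NORMAL = [(OUTBOUND, RELAY_EARLY)] * 3 + [
    (OUTBOUND, RELAY), (INBOUND, RELAY), (INBOUND, RELAY)]
# TAGGED: same start, then relay-early cells mixed into the inbound stream.
TAGGED = [(OUTBOUND, RELAY_EARLY)] * 3 + [
    (OUTBOUND, RELAY), (INBOUND, RELAY), (INBOUND, RELAY_EARLY),
    (INBOUND, RELAY), (INBOUND, RELAY_EARLY)]
# OVERLONG: one more outbound relay-early cell than the assumed budget allows.
OVERLONG = [(OUTBOUND, RELAY_EARLY)] * (MAX_OUTBOUND_RELAY_EARLY + 1)


if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("tagged", TAGGED), ("overlong", OVERLONG)):
        accepted, circ = replay(1, trace)
        print(name, accepted, "closed" if circ.closed else "open",
              find_warnings(circ.log))
```

In the tagged trace the circuit closes at the first inbound relay-early cell, so none of the marked cells reaches the client side of the model.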

The following longer-term research areas remain:

5) Further growing the Tor network and diversity of relay operators, which will reduce the impact from an adversary of a given size.

6) Exploring better mechanisms, e.g. social connections, to limit the impact from a malicious set of relays. We've also formed a group to pay more attention to suspicious relays in the network:

7) Further reducing exposure to guards over time, perhaps by extending the guard rotation lifetime:

8) Better understanding statistical traffic correlation attacks and whether padding or other approaches can mitigate them.

9) Improving the hidden service design, including making it harder for relays serving as hidden service directory points to learn what hidden service address they're handling:


Q1) Was this the Black Hat 2014 talk that got canceled recently?
Q2) Did we find all the malicious relays?
Q3) Did the malicious relays inject the signal at any points besides the HSDir position?
Q4) What data did the attackers keep, and are they going to destroy it? How have they protected the data (if any) while storing it?

Great questions. We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how "relay early" cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our emails lately, so we don't know for sure, but it seems likely that the answer to Q1 is "yes". In fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was. We don't yet know the answers to Q2, Q3, or Q4.

Tor Blog | The Tor Blog blogs | 2014-07-30 13:00:00

Welcome to the thirtieth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.3 is out

A new pointfix release for the 3.6 series of the Tor Browser is out. Most components have been updated and a couple of small issues fixed. Details are available in the release announcement.

The release includes important security updates from Firefox. Be sure to upgrade! Users of the experimental meek bundles have not been forgotten.

New Tor stable and alpha releases

Two new releases of Tor are out. The new release “brings us a big step closer to slowing down the risk from guard rotation, and fixes a variety of other issues to get us closer to a release candidate”.

Once directory authorities have upgraded, they will “assign the Guard flag to the fastest 25% of the network”. Some experiments showed that “for the current network, this results in about 1100 guards, down from 2500.”

The complementary change to moving the number of entry guards down to one is the introduction of two new consensus parameters. NumEntryGuards and NumDirectoryGuards will respectively set the number of entry guards and directory guards that clients will use. The default for NumEntryGuards is currently three, but this will allow a reversible switch to one in a near future.

Several important fixes have been backported to the stable branch in the release. Source packages are available at the regular location. Binary packages have already landed in Debian (unstable, experimental) and the rest should follow shortly.

Security issue in Tails 1.1 and earlier

Several vulnerabilities have been discovered in I2P which is shipped in Tails 1.1 and earlier. I2P is an anonymous overlay network with many similarities to Tor. There was quite some confusion around the disclosure process of this vulnerability. Readers are encouraged to read what the Tails team has written about it.

Starting I2P in Tails normally requires a click on the relevant menu entry. Once started, the security issues can lead to the deanonymization of a Tails user who visits a malicious web page. As a matter of precaution, the Tails team recommends removing the “i2p” package each time Tails is started.

I2P has fixed the issue in version 0.9.14. It is likely to be included in the next Tails release, but the team is also discussing implementing more in-depth protections that would be required in order to keep I2P in Tails.

Reporting bad relays

“Bad” relays are malicious, misconfigured, or otherwise broken Tor relays. As anyone is free to volunteer bandwidth and processing power to spin up a new relay, users can encounter such bad relays once in a while. Getting them out of everyone’s circuits is thus important.

Damian Johnson and Philipp Winter have been working on improving and documenting the process of reporting bad relays. “While we do regularly scan the network for bad relays, we are also dependent on the wider community to help us spot relays which don’t act as they should” wrote Philipp.

When observing unusual behaviors, one way to learn about the current exit relay before reporting it is to use the Check service. This method can be inaccurate and tends to be a little bit cumbersome. The good news is that Arthur Edelstein is busy integrating more feedback on Tor circuits being used directly into the Tor Browser.

Miscellaneous news

The Tor Project, Inc. has completed its standard financial audit for the year 2013. IRS Form 990, Massachusetts Form PC, and the Financial Statements are now available for anyone to review. Andrew Lewman explained: “we publish all of our related tax documents because we believe in transparency. All US non-profit organizations are required by law to make their tax filings available to the public on request by US citizens. We want to make them available for all.”

CJ announced the release of orWall (previously named Torrific), a new Android application that “will force applications selected through Orbot while preventing unchecked applications to have network access”.

The Thali project aims to use hidden services to host web content. As part of the effort, they have written a cross-platform Java library. “The code handles running the binary, configuring it, managing it, starting a hidden service, etc.” wrote Yaron Goland.

Gareth Owen released a Java-based Tor research framework. The goal is to enable researchers to try things out without having to deal with the full tor source. “At present, it is a fully functional client with a number of examples for hidden services and SOCKS. You can build arbitrary circuits, build streams, send junk cells, etc.” wrote Gareth.

Version 0.2.3 of BridgeDB has been deployed. Among other changes, owners of email accounts can now request bridges through email.

The first candidate for Orbot 14.0.5 has been released. “This update includes improved management of the background processes, the ability to easily change the local SOCKS port (to avoid conflicts on some Samsung Galaxy and Note devices), and the fancy new notification dialog, showing your current exit IPs and country” wrote Nathan Freitas.

While working on guard nodes, George Kadianakis realized that “the data structures and methods of the guard nodes code are not very robust”. Nick Mathewson and George have been busy trying to come up with better abstractions. More brains working on the problem would be welcome!

Mike Perry posted “a summary of the primitives that Marc Juarez aims to implement for his Google Summer of Code project on prototyping defenses for Website Traffic Fingerprinting and follow-on research”. Be sure to have a look if you want to help prevent website fingerprint attacks.

A new draft proposal “for making all relays also be directory servers (by default)” has been submitted by Matthew Finkel. Among the motivations, Matthew wrote: “In a network where every router is a directory server, the profiling and partitioning attack vector is reduced to the guard (for clients who use them), which is already in a privileged position for this. In addition, with the increased set size, relay descriptors and documents are more readily available and it diversifies the providers.” This change might make the transition to a single guard safer. Feedback welcome!

Noah Rahman reported on the progress of the Stegotorus Google Summer of Code project.

Tor help desk roundup

A number of Iranian Tor users have reported that Tor no longer works out of the box in Iran, and the Tor Metrics portal shows a corresponding drop in the number of directly-connecting users there. Collin Anderson investigated the situation and reported that the Telecommunication Company of Iran had begun blocking the Tor network by blacklisting connections to Tor’s directory authorities. Tor users can circumvent this block by getting bridges from BridgeDB and entering the bridge addresses they receive into their Tor Browser.

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, harmony, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Blog | The Tor Blog blogs | 2014-07-30 12:00:00

Speaking at Vodafone’s annual shareholder meeting in London on Tuesday, July 29, Access Senior Policy Counsel Peter Micek challenged the company to take a greater role in stopping government surveillance.

Access | Access Blog | 2014-07-29 23:14:49

Access urges expedient passage of law to reform NSA surveillance, but warns that additional reforms are needed.

Access | Access Blog | 2014-07-29 14:03:27

To help bridge the substantial differences in how user privacy is protected on the two sides of the Atlantic, the Safe Harbor was established to enable U.S. companies to lawfully transfer data without running afoul of EU data protection law. To make use of the Safe Harbor, companies voluntarily adhere to a set of principles, with oversight from the Federal Trade Commission (FTC), though to date enforcement of corporate policies and practices has been limited.

Access | Access Blog | 2014-07-29 07:49:55

We now have a wiki page which explains how bad relays should be reported to the Tor Project. A bad relay can be malicious, misconfigured, or otherwise broken. Once such a relay is reported, a subset of vigilant Tor developers (currently Roger, Peter, Damian, Karsten, and I) first tries to reproduce the issue. If it's reproducible, we attempt to get in touch with the relay operator and work on the issue together. However, if the relay has no contact information or we cannot reach the operator, we will resort to assigning flags (such as BadExit) to the reported relay which instructs clients to no longer use the relay in the future. In severe cases, we are also able to remove the relay descriptor from the network consensus which effectively makes the relay disappear. To get an idea of what bad behavior was documented in the past, have a look at this (no longer maintained) wiki page or these research papers.

We regularly scan the network for bad relays using exitmap but there are several other great tools such as Snakes on a Tor, torscanner, tortunnel, and DetecTor. We are also dependent on the wider community to help us spot relays which don't act as they should. So if you think that you stumbled upon a bad relay while using Tor, please report it to us by sending an email to To find out which relay is currently being used as your exit relay, please visit our Check service. Just tell us the relay's IP address (Check tells you what your IP address appears to be) and the behavior you observed. Then, we can begin to investigate!

Tor Blog | The Tor Blog blogs | 2014-07-28 23:07:14

2013 was a great year for Tor. The increasing awareness of the lack of privacy online, increasing Internet censorship around the world, and general interest in encryption has helped continue to keep us in the public mind. As a result, our supporters have increased our funding to keep us on the leading edge of our field, this of course, means you. We're happy to have more developers, advocates, and support volunteers. We're encouraged as the general public talks about Tor to their friends and neighbors. Join us as we continue to fight for your privacy and freedom on the Internet!

After completing the standard audit, our 2013 state and federal tax filings are available. We publish all of our related tax documents because we believe in transparency. All US non-profit organizations are required by law to make their tax filings available to the public on request by US citizens. We want to make them available for all.

Part of our transparency is simply publishing the tax documents for your review. The other part is publishing what we're working on in detail. We hope you'll join us in furthering our mission (a) to develop, improve and distribute free, publicly available tools and programs that promote free speech, free expression, civic engagement and privacy rights online; (b) to conduct scientific research regarding, and to promote the use of and knowledge about, such tools, programs and related issues around the world; (c) to educate the general public around the world about privacy rights and anonymity issues connected to Internet use.

All of this means you can look through our source code, including our design documents, and all open tasks, enhancements, and bugs available on our tracking system. Our research reports are available as well. From a technical perspective, all of this free software, documentation, and code allows you and others to assess the safety and trustworthiness of our research and development. On another level, we have a 10 year track record of doing high quality work, saying what we're going to do, and doing what we said.

Internet privacy and anonymity is more important and rare than ever. Please help keep us going through getting involved, donations, or advocating for a free Internet with privacy, anonymity, and keeping control of your identity.

Tor Blog | The Tor Blog blogs | 2014-07-26 20:09:41

Update: SMS finally unblocked in Central African Republic

Access | Access Blog | 2014-07-25 15:30:46

The third pointfix release of the 3.6 series is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Here is the complete changelog:

  • All Platforms
    • Update Firefox to 24.7.0esr
    • Update obfsproxy to 0.2.12
    • Update FTE to 0.2.17
    • Update NoScript to
    • Update HTTPS Everywhere to 3.5.3
    • Bug 12673: Update FTE bridges
    • Update Torbutton to
      • Bug 12221: Remove obsolete Javascript components from the toggle era
      • Bug 10819: Bind new third party isolation pref to Torbutton security UI
      • Bug 9268: Fix some window resizing corner cases with DPI and taskbar size.
  • Linux:
    • Bug 11102: Set Window Class to "Tor Browser" to aid in Desktop navigation
    • Bug 12249: Don't create PT debug files anymore

The list of frequently encountered known issues is also available in our bug tracker.

Tor Blog | The Tor Blog blogs | 2014-07-25 02:36:56

USA FREEDOM Act likely to be considered on Senate floor. Here's a re-cap of the path the bill has taken to get to this point.

Access | Access Blog | 2014-07-24 13:50:26

Access and other groups introduce updates to International Principles one year after their introduction.

Access | Access Blog | 2014-07-23 20:38:22

Welcome to the twenty-ninth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tails 1.1 is out!

Tails, the Debian-based live system that protects its users’ communications by ensuring they are all sent through the Tor network, has been updated. This new 1.1 release reminds Tails users of the distribution’s roots in Debian: Tails is now based on the current stable version of Debian, dubbed “Wheezy”.

This means that almost all software components have been updated. One noticeable example is the desktop environment. The user experience of GNOME 3 in fallback mode should be similar to previous Tails versions, but things will look a bit different than they used to.

One of the most keenly-awaited features of this new version is the support for UEFI firmware. Mac users now have only to press the Alt key while booting their computer to start Tails from a DVD or USB stick. The same goes for owners of computers displaying “Windows 8” stickers. And, talking of Windows 8, the camouflage mode has been updated to look more like it, instead of the now discontinued XP.

This new release also contains security fixes, and minor tweaks over the previous versions.

Because of the newly-introduced support for UEFI and the amount of upgraded software, incremental upgrades will not be offered for Tails 1.1. A full upgrade is needed through the Tails Installer. The safest method for upgrading Tails sticks is to go through a freshly burned DVD. Be sure to have a look at the list of known issues to learn about other oddities that might happen in the process.

PETS 2014

The fourteenth Privacy Enhancing Technologies Symposium was held in Amsterdam, Netherlands, July 16-18, 2014. A wide range of research in privacy enhancing technologies was presented, with many of relevance to Tor. Keynotes were given by Martin Ortlieb, Senior User Experience Researcher in Privacy at Google, and William Binney, a former NSA employee.

Some papers focusing on Tor include:

Also announced at PETS was the 2014 PET Award for Outstanding Research in Privacy Enhancing Technologies, for A Scanner Darkly: Protecting User Privacy From Perceptual Applications by Suman Jana, Arvind Narayanan, and Vitaly Shmatikov. The winner of the best student paper at PETS was I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis by Brad Miller, Ling Huang, A. D. Joseph and J. D. Tygar.

Prior to PETS, there was a Tor meet-up which Moritz Bartl reported as a great success. Hopefully there will also be such an event at the 2015 PETS, to be held in Philadelphia, US, in the week of June 29, 2015.

Miscellaneous news

txtorcon, the Tor control protocol implementation for the Twisted framework, received a new minor release. Version 0.10.1 fixes “a couple bugs introduced along with the endpoints feature in 0.10.0”.

Roger Dingledine posted an official reaction to the cancellation of a proposed talk at the upcoming Blackhat2014 conference dealing with possible deanonymization attacks on Tor users and hidden services.

Tor ships with a sample webpage that can be used by exit node operators to identify their system as such to anyone wishing to identify the source of Tor traffic. Operators most often copy and adapt this template to the local situation. Mick Morgan discovered that his version was out of sync and contained broken links. “If other operators are similarly using a page based on the old template, they may wish to update”, Mick advised.

Michael Rogers, one of the developers of Briar, announced a new mailing list for discussing peer-to-peer-based communication systems based on Tor hidden services. As Briar and other systems might be “running into similar issues”, a shared place to discuss them seemed worthwhile.

Karsten Loesing and Philipp Winter are looking for front-end web developers: “We are looking for somebody to fork and extend one of the two main Tor network status websites Atlas or Globe” writes Karsten. Both websites currently need love and new maintainers. Please reach out if you want to help!

The database which holds Tor bridges, usually called BridgeDB, is able to give out bridge addresses through email. This feature was recently extended to make the email autoresponder support more bridge types, which required introducing new keywords that must be used in the initial request. Matthew Finkel is looking for feedback on the current set of commands and how they could be improved.

Lunar wrote a detailed report on his week at the Libre Software Meeting in Montpellier, France. The report covers the booth jointly held with Nos Oignons, his talk in the security track, and several contacts made with other free software projects.

Here’s another round of mid-term reports from Google Summer of Code students: Amogh Pradeep on Orbot and Orfox improvements, Israel Leiva on the GetTor revamp, Quinn Jarrell on the pluggable transport combiner, Juha Nurmi on the project, Marc Juarez on website fingerprinting defenses, and Daniel Martí on incremental updates to consensus documents.

Tim Retout announced that apt-transport-tor 0.2.1 has entered Debian unstable. This package enables APT to download Debian packages through Tor.

Atlas can now also be used to search for Tor bridges. In the past, Atlas was only able to search for relays. This was made possible thanks to a patch developed by Dmitry Eremin-Solenikov.

Thanks to Tim Semeijn and Tobias Bauer for setting up new mirrors of the Tor Project’s website and its software.

Tor help desk roundup

Some Linux users have experienced missing dependency errors when trying to install Tor Browser from their operating system’s software repositories. Tor Browser should only be installed from the Tor Project’s website, and never from a software repository. In other words, using apt-get or yum to install Tor Browser is discouraged. Downloading and verifying Tor Browser from the Tor Project website allows users to keep up with important security updates as they are released.

News from Tor StackExchange

user3224 wants to log in to its Google, Microsoft etc. accounts and wonders if they will know the real name and other personal information. Roya and mirimir explained that if someone logs into an already personalized account Tor can’t anonymize this user. Instead it might be wise to use Tor to register a pseudonym and also use an anonymous operating system like Tails or Whonix.

escapologybb has set up a Raspberry Pi. It serves as SOCKS proxy for the internal network. While everyone can use it, escapologybb asks what the security implications are and if this lowers the overall anonymity. If you know a good answer please share your knowledge with the users of Tor StackExchange.

This issue of Tor Weekly News has been assembled by Lunar, Steven Murdoch, harmony, Philipp Winter, Matt Pagan, qbi, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Blog | The Tor Blog blogs | 2014-07-23 12:00:00

On July 14th, the European Union and the United States kicked off the sixth round of negotiations of what could be the world’s largest trade pact — the Transatlantic Trade and Investment Partnership (TTIP). The negotiations, which have been taking place for more than a year, are about opening markets on both sides of the Atlantic for exchange in goods, services, investment, and public procurement.

Access | Access Blog | 2014-07-23 07:14:19

Tails, The Amnesic Incognito Live System, version 1.1, is out.

All users must upgrade as soon as possible: this release fixes numerous security issues.


Notable user-visible changes include:

  • Rebase on Debian Wheezy
    • Upgrade literally thousands of packages.
    • Migrate to GNOME3 fallback mode.
    • Install LibreOffice instead of OpenOffice.
  • Major new features
    • UEFI boot support, which should make Tails boot on modern hardware and Mac computers.
    • Replace the Windows XP camouflage with a Windows 8 camouflage.
    • Bring back VirtualBox guest modules, installed from Wheezy backports. Full functionality is only available when using the 32-bit kernel.
  • Security fixes
    • Fix write access to boot medium via udisks (ticket #6172).
    • Upgrade the web browser to 24.7.0esr-0+tails1~bpo70+1 (Firefox 24.7.0esr + Iceweasel patches + Torbrowser patches).
    • Upgrade to Linux 3.14.12-1 (fixes CVE-2014-4699).
    • Make persistent file permissions safer (ticket #7443).
  • Bugfixes
    • Fix quick search in Tails Greeter's Other languages window (Closes: ticket #5387)
  • Minor improvements
    • Don't install Gobby 0.4 anymore. Gobby 0.5 has been available in Debian since Squeeze, now is a good time to drop the obsolete 0.4 implementation.
    • Require a bit less free memory before checking for upgrades with Tails Upgrader. The general goal is to avoid displaying "Not enough memory available to check for upgrades" too often due to over-cautious memory requirements checked in the wrapper.
    • Whisperback now sanitizes attached logs better with respect to DMI data, IPv6 addresses, and serial numbers (ticket #6797, ticket #6798, ticket #6804).
    • Install the BookletImposer PDF imposition toolkit.

See the online Changelog for technical details.

Known issues

I want to try it or to upgrade!

Go to the download page.

Note that for this release there are some special actions needed when upgrading from ISO and automatically upgrading from Tails 1.1~rc1.

What's coming up?

The next Tails release is scheduled for September 2.

Have a look at our roadmap to see where we are heading.

Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.

Tor Blog | The Tor Blog blogs | 2014-07-22 19:05:54

This past March, people from all over the world gathered in San Francisco for RightsCon. Access’ annual conference brings together activists, corporate leaders, programmers, representatives from various governments, and experts in law and policy working on a range of issues at the intersection of technology and human rights.

Access | Access Blog | 2014-07-22 16:49:29

Today Access, together with 20 digital and civil rights organisations, sent the following letter (linked here and below) to E.U. Commissioners Michel Barnier and Cecilia Malmström to bring their attention to an infringement of E.U. law by the United Kingdom through the adoption of the Data Retention and Investigatory Powers Act (“DRIP”).

Access | Access Blog | 2014-07-22 13:28:47

As posted by Roger on the Tor-Talk mailing list:

Hi folks,

Journalists are asking us about the Black Hat talk on attacking Tor that got cancelled. We're still working with CERT to do a coordinated disclosure of the details (hopefully this week), but I figured I should share a few details with you earlier than that.

1) We did not ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.

2) In response to our questions, we were informally shown some materials. We never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat Webpage.

3) We encourage research on the Tor network along with responsible disclosure of all new and interesting attacks. Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with.

[Edit 30 July 2014: here is the security advisory we posted.]

Tor Blog | The Tor Blog blogs | 2014-07-21 22:41:21

The Senate Subcommittee on Crime and Terror held a Hearing on Taking Down Botnets: Public and Private Efforts to Disrupt and Dismantle Cybercriminal Networks.

Access | Access Blog | 2014-07-18 20:03:36

A report by the top UN human rights authority condemns government surveillance practices for the "lack of accountability for arbitrary or unlawful interference in the right to privacy."

Access | Access Blog | 2014-07-18 19:10:50

This week the U.K. Parliament adopted the “Data Retention and Investigatory Powers Act,” or DRIP, a bill that would dramatically expand the government’s surveillance powers. In the runup to the vote, the GCHQ, civil service, and coalition and opposition leaders showed a flagrant disregard for parliamentary procedure and failed to allow an informed and public debate. The result is a terrible bill that would treat all citizens, in the U.K. and abroad, as surveillance targets.

Access | Access Blog | 2014-07-18 14:25:23

This week Access submitted comments to the FCC urging it to use its full authority to reclassify broadband internet access service as a telecommunications service under Title II of the Telecommunications Act — the only viable way the agency can safeguard the values that enabled the internet to become a global force for commerce, culture, free expression, and innovation.

Access | Access Blog | 2014-07-18 14:07:03

Access Senior Policy Counsel Peter Micek questioned the company on transparency reports, surveillance, and sweeping data retention legislation making its way rapidly through the UK Parliament.

Access | Access Blog | 2014-07-18 07:14:59

Access is pleased to announce the first release of Digital First Aid Kit, created in collaboration with a number of civil society and digital security organizations, including Hivos, Frontline Defenders, Electronic Frontier Foundation, the Computer Incident Response Center Luxembourg, Virtual Road, Internews, and Global Voices.

Access | Access Blog | 2014-07-17 18:18:58

Hello front-end web developers!

We are looking for somebody to fork and extend one of the two main Tor network status websites Atlas or Globe.

Here's some background: both the Atlas and the Globe website use the Onionoo service as their data back-end and make that data accessible to mere humans. The Onionoo service is maintained by Karsten. Atlas was written by Arturo as proof-of-concept for the Onionoo service and later maintained (but not extended) by Philipp. Globe was forked from Atlas by Christian who improved and maintained it for half a year, but who unfortunately disappeared a couple of weeks ago. That leaves us with no actively maintained network status website, which is bad.

Want to help out?

Here's how: Globe has been criticized for having too much whitespace, which makes it less useful on smaller screens. But we hear that the web technology behind Globe is superior to the one behind Atlas (we're no front-end web experts, so we can't say for sure). A fine next step could be to fork Globe and tidy up its design to work better on smaller screens. And there are plenty of steps after that if you look through the tickets in the Globe and Atlas component of our bug tracker. Be sure to present your fork on the tor-dev@ mailing list early to get feedback. You can just run it on your own server for now.

The long-term goal would be to have one or more people working on a new network status website to replace Atlas and Globe. We'd like to wait with that step until such a new website is maintained for a couple of weeks or even months though. And even then, we may keep Atlas and Globe running for a couple more months. But eventually, we'd like to shut them down in favor of an actively maintained website.

Let us know if you're interested, and we're happy to provide more details and discuss ideas with you.

Tor Blog | The Tor Blog blogs | 2014-07-17 17:13:15

Welcome to the twenty-eighth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Roundup of research on incentives for running Tor relays

As an hors-d’œuvre to the now ongoing Privacy Enhancing Technology Symposium, Rob Jansen wrote a long blog post covering the last five years of research on incentives for running Tor relays.

Rob introduces the topic by describing the current “volunteer resource model” and mentions that it “has succeeded so far: Tor now consists of over 5000 relays transferring between 4 and 5 GiB/s in aggregate”. Rob lists several possible reasons why volunteers run relays right now. They are all intrinsic motivations: current operators run relays because they really want to.

Is only relying on volunteers going to limit the growth of the Tor network in the future? There are already not-for-profit organizations operating relays based on donations, but growing them too much would also be problematic. Another area being explored is extrinsic motivations: making Tor clients faster when someone runs a relay or giving a financial reward — in one currency or another — for the service. Some can legitimately ask if they are suitable for Tor at all and Rob raises plenty of legitimate concerns on how they would interact with the current set of volunteers.

The problem keeps interesting researchers, and Rob details no less than six schemes: the oldest are PAR and Gold Star which introduced anonymity problems, BRAIDS where double spending of rewards is prevented without leaking timing information, LIRA which focused on scalability, TEARS where a publicly auditable e-cash protocol reduces the reliance on trusted parties, and finally, the (not ideally named) TorCoin which introduces the idea of a crypto-currency based on “proof-of-bandwidth”.

Rob details the novel ideas and drawbacks of each scheme, so be sure to read the original blog post for more details. After this roundup, Rob highlights that “recent research has made great improvements in the area of Tor incentives”. But that’s for the technical side as “it is unclear how to make headway on the social issues”.

“Tor has some choices to make in terms of how to grow the network and how to position the community during that growth process” concludes Rob. So let’s have that conversation.

Defending against guard discovery attacks with layered rotation time

Guard nodes are a key component of a Tor client’s anonymity. Once an attacker gains knowledge of which guard node is being used by a particular client, putting the guard node under monitoring is likely the last step before finding a client’s IP address.

George Kadianakis has restarted the discussion on how to slow down guard discovery of hidden services by exploring the idea of “keeping our middle nodes more static”. The idea is to slow down the attacks based on repeated circuit destruction by reusing the same “middle nodes for 3-4 days instead of choosing new ones for every circuit”. Introducing this new behavior will slow down the attack, but George asks “are there any serious negative implications?”

The idea is not new, as Paul Syverson pointed out: “Lasse and I suggested and explored the idea of layered guards when we introduced guards”. He adds “there are lots of possibilities here”.

George worries that middle nodes would then “always see your traffic coming through your guard (assuming a single guard per client)”. Ian Goldberg added “the exit will now know that circuits coming from the same middle are more likely to be the same client”. Restricting the change to only hidden services and not every client means that it will be “easy for an entry guard to learn whether a client has static middle nodes or not”.

As George puts it in the latest message in the thread: “As always, more research is needed…” Please help!

More monthly status reports for June 2014

The wave of regular monthly reports from Tor project members for the month of June continued, with submissions from Michael Schloh von Bennewitz and Andrew Lewman.

Arturo Filastò reported on behalf of the OONI team, while Roger Dingledine submitted the SponsorF report.

Miscellaneous news

The various roadmaps that came out of the 2014 summer dev. meeting have been transcribed in a joint effort by George Kadianakis, Yawning Angel, Karsten Loesing, and an anonymous person. Most items will probably be matched with a ticket soon.

The Tor Project is hiring a financial controller. This is a part time position, approximately 20 hours per week, at the office in Cambridge, Massachusetts.

The Tails developers announced the creation of two new mailing lists. “If you are a designer, UX/UI expert or beginner” interested in the theory and practice of designing user interfaces for Tails, the tails-ux list is for you, while the tails-project list is dedicated to “the ‘life’ of the project”; however, “technical questions should stay on tails-dev”.

Alan kicked off the aforementioned tails-ux mailing list, announcing progress on Tails’ initial login screen. The new set of mockups is visible on the corresponding blueprint.

More mockups! Nima Fatemi produced some for a possible browser-based Tor control panel, incorporating features that were lost with the removal of Vidalia from the Tor Browser, such as the world map with Tor circuit visualizations. “How would you perfect that image? What’s missing?”, asked Nima, hoping “to inspire people to start hacking on it”.

Meanwhile, Sean Robinson had been working on a new graphical Tor controller called Syboa. Sean’s “primary motivation for Syboa was to replace TorK, so it looks more like TorK than Vidalia”. Sean announces that he will not have time for further development soon but that he would answer questions.

Juha Nurmi submitted the weekly status report for the GSoC project.

Thanks to the University of Edinburgh’s School of Informatics,, Stefano Fenoglio, IP-Connect, Justin Ramos, Jacob Henner from Anatomical Networks, and for running mirrors of the Tor Project website!

Tor help desk roundup

Users often ask for assistance setting up Tor Cloud instances. Sina Rabbani is taking over the maintenance of Tor Cloud and is working on updating the packages and documentation. Until new documentation on using the up-to-date images and Amazon Web Services interface lands, users not already familiar with AWS may want to use a different virtual server provider to host their bridges.

Easy development tasks to get involved with

The setup scripts of the Flashproxy and Obfsproxy pluggable transports attempt to download and build the M2Crypto library if it is not already installed. We’d really want to avoid this and have the setup script fail if not all libraries are present for building Flashproxy. The ticket that describes this bug also outlines a possible workaround that disables all downloads during the setup process. If you know a bit about setuptools and want to turn this description into a patch and test it, please give it a try.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, Karsten Loesing, and George Kadianakis.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Tor Blog | The Tor Blog blogs | 2014-07-16 12:00:00

We now have an official FDroid app repository that is available via three separate methods, to guarantee access to a trusted distribution channel throughout the world! To start with, you must have FDroid installed. Right now, I recommend using the latest test release since it has support for Tor and .onion addresses (earlier versions should work for non-onion addresses):

In order to add this repo to your FDroid config, you can either click directly on these links on your devices and FDroid will recognize them, or you can click on them on your desktop, and you will be presented with a QR Code to scan. Here are your options:

From here on out, our old FDroid repo ( is considered deprecated and will no longer be updated. It will eventually be removed. Update to the new one!

Also, if you missed it before, all of our test builds are also available for testing only via FDroid. Just remember, the builds in the test repo are only debug builds, not fully trusted builds, so use them for testing only.

Automate it all!

This setup has three distribution channels that are all mirrors of a repo that is generated on a fully offline machine. This is only manageable because of lots of new automation features in the fdroidserver tools for building and managing app repos. You can now set up a USB thumb drive as the automatic courier for shuffling the repo from the offline machine to an online machine. The repo is generated, updated, and signed using fdroid update, then those signed files are synced to the USB thumb drive using fdroid server update. Then the online machine syncs the signed files from that USB thumb drive to multiple servers via SSH and Amazon S3 with a single command: fdroid server update. The magic is in setting up the config options and letting the tools do the rest.

New Repo Signing Key

For part of this, I’ve completed the process of generating a new, fully offline fdroid signing key. So that means there is a new signing key for the FDroid repo, and the old repo signing key is being retired.

The fingerprints for this signing key are:

Owner:,, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US
Issuer:,, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US
Serial number: a397b4da7ecda034
Valid from: Thu Jun 26 15:39:18 EDT 2014 until: Sun Nov 10 14:39:18 EST 2041
Certificate fingerprints:
 MD5:  8C:BE:60:6F:D7:7E:0D:2D:B8:06:B5:B9:AD:82:F5:5D
 SHA1: 63:9F:F1:76:2B:3E:28:EC:CE:DB:9E:01:7D:93:21:BE:90:89:CD:AD
 SHA256: B7:C2:EE:FD:8D:AC:78:06:AF:67:DF:CD:92:EB:18:12:6B:C0:83:12:A7:F2:D6:F3:86:2E:46:01:3C:7A:61:35
 Signature algorithm name: SHA1withRSA
 Version: 1

Guardian Project | The Guardian Project | 2014-07-01 00:26:39

On Saturday, a new post was released by Xordern entitled IP Leakage of Mobile Tor Browsers. As the title says, the post documents flaws in mobile browser apps, such as Orweb and Onion Browser, both of which automatically route communication traffic over Tor. While we appreciate the care the author has taken, he does make the mistake of using the term “security” to lump together the need for total anonymity with the needs of anti-censorship, anti-surveillance, circumvention and local device privacy. We do understand the seriousness of this bug, but at the same time, it is not an issue encountered regularly in the wild.

Here are thoughts on the three specific issues covered:

1) HTML5 Multimedia: This is a known issue which is not present on 100% of Android devices, but is definitely something to be concerned about, if you access sites with HTML5 media player content on them. To us, it is a bug in Android, and not in Orweb, since all of the appropriate APIs are called when the browser is configured to proxy. However, it is a problem, and our solution remains to either use the transparent proxying feature of Orbot, or to use the Firefox Privacy configuration we provide here:

2) Downloads leak: This is a new issue and one we are trying to reproduce on our end. If our proxied download indeed is not working, we will issue a fix shortly. Again, using Firefox configured in the manner we prescribe, the downloads would be proxied properly.

3) Unique Headers: The inclusion of a unique HTTP header issue in this list is confusing, because it has nothing to do with IP leakage. We have never claimed that a mobile browser can be 100% anonymous, and defending against full fingerprinting of browsers based on headers is something beyond what we are attempting to do at this point.

At this point, we still recommend Orweb for most people who want a very simple solution for a browser that is proxied through Tor. This will defeat mass traffic surveillance, network censorship, filtering by your mobile operator, work or school, and more. Orweb also keeps little data cached on the local system, and so protects against physical inspection and analysis of your device, to retrieve your browser history. HOWEVER if you do seem to visit sites that have HTML5 media players in them, then we recommend you do not use Orweb, and again, that you use Firefox with our Privacy-Enhanced Configuration.

If you are truly worried about IP leakage, then you MUST root your phone, and use Orbot’s Transparent Proxying feature. This provides the best defense against leaking of your real IP. Even further, if you require even more assurance than that, you should follow Mike Perry’s Android Hardening Guide, which uses AFWall firewall in combination with Orbot, to block traffic to apps, and even stops Google Play from updating apps without your permission.

Finally, the best news is that we are making great progress in a fully privacy-by-default version of Firefox, under the project named “Orfox”. This is being done in partnership with the Tor Project, as a Google Summer of Code effort, along with the Orweb team. We aim to use as much of the same code that Tor Browser does to harden Firefox in our browser, and are getting close to an alpha release. If you are interested in testing the first prototype build, which addresses the HTML5 and Download leak issues, you can find it here: and track the project here:





Guardian Project | The Guardian Project | 2014-06-30 16:43:51


We just released Lil’ Debi 0.4.7 into the Play Store and It is not really different than the 0.4.6 release except it has a new, important property: the APK contents can be reproduced on other machines to the extent that the APK signature can be swapped between the official build and builds that other people have made from source, and this will still be installable. This is known as a “deterministic build” or “reproducible build”: the build process is deterministic, meaning it runs the same way each time, and that results in an APK that is reproducible by others using only the source code. There are some limitations to this, like it has to be built using similar versions of the OpenJDK 1.7 and other build tools, for example. But this process should work on any recent version of Debian or Ubuntu. Please try the process yourself, and let us know if you can verify or not:

The ultimate goal here is to make a process that reproduces the APK exactly, bit-for-bit, so that anyone who runs the process will end up with an APK that has the exact same hash sum. As far as I can tell, the only thing that needs to be fixed in Lil’ Debi’s process is the timestamps in the ZIP format that is the APK container.
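
To illustrate the comparison described above, here is an added example (not from the original post or the Lil’ Debi build scripts) that checks whether two APKs carry the same contents once the signature files are set aside, and lists the entries that differ only in their ZIP timestamps. The sample APKs are constructed in memory, the function names are made up for this illustration, and treating the listed META-INF/ files as signature material is an assumption.

```python
import hashlib
import io
import zipfile

# Assumption: JAR (v1) signing writes these files under META-INF/. They are
# expected to differ between the official build and an independent rebuild.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def is_signature_entry(name):
    """True for files that belong to the APK signature, not the app contents."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    return upper.endswith("/MANIFEST.MF") or upper.endswith(SIGNATURE_SUFFIXES)


def read_entries(apk_bytes):
    """Map each non-signature entry to (SHA-256 of its data, ZIP timestamp)."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            entries[info.filename] = (digest, info.date_time)
    return entries


def compare_apks(official, rebuilt):
    """Report how a rebuilt APK differs from the official one."""
    a, b = read_entries(official), read_entries(rebuilt)
    common = sorted(set(a) & set(b))
    report = {
        "only_in_official": sorted(set(a) - set(b)),
        "only_in_rebuilt": sorted(set(b) - set(a)),
        "content_differs": [n for n in common if a[n][0] != b[n][0]],
        "timestamp_differs": [n for n in common if a[n][1] != b[n][1]],
    }
    # Same files with same data: the signature could be swapped between builds.
    report["contents_match"] = not (
        report["only_in_official"]
        or report["only_in_rebuilt"]
        or report["content_differs"]
    )
    # The stricter goal: identical bytes, hence an identical hash sum.
    report["bit_for_bit"] = official == rebuilt
    return report


def make_apk(entries, timestamp):
    """Build a small ZIP in memory; every entry gets the same timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=timestamp), data)
    return buf.getvalue()


# Constructed sample data: tiny stand-ins for real APKs.
_PAYLOAD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex code"}
OFFICIAL = make_apk(
    {**_PAYLOAD, "META-INF/CERT.RSA": b"official signature"},
    (2014, 6, 9, 20, 41, 34),
)
REBUILT = make_apk(
    {**_PAYLOAD, "META-INF/CERT.RSA": b"rebuilder signature"},
    (2014, 6, 10, 8, 0, 0),
)
TAMPERED = make_apk(
    {**_PAYLOAD, "classes.dex": b"other code", "META-INF/CERT.RSA": b"official signature"},
    (2014, 6, 9, 20, 41, 34),
)

if __name__ == "__main__":
    for label, candidate in (("rebuilt", REBUILT), ("tampered", TAMPERED)):
        print(label, compare_apks(OFFICIAL, candidate))
```

A rebuild that reports matching contents but not a bit-for-bit match, with only timestamp differences listed, is in the state the post describes for Lil’ Debi 0.4.7.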

There are a number of other parallel efforts. The Tor Project has written a lot about their process for reproducible builds for the Tor Browser Bundle. Debian has made some progress in fixing the package builders to make the process deterministic.

Guardian Project | The Guardian Project | 2014-06-09 20:41:34

The latest Orbot is out soon on Google Play, and by direct download from the link below:
Android APK:
(PGP Sig)

The major improvements for this release are:

  • Uses the latest Tor stable version
  • Fix for recent OpenSSL vulnerabilities
  • Addition of Obfuscated Bridges 3 (Obfs3) support
  • Switch from Privoxy to Polipo (semi-experimental)

and much more… see the CHANGELOG link below for all the details.

The tag commit message was “updating to 14.0.0 build 100!”

and the full CHANGELOG is here:

Guardian Project | The Guardian Project | 2014-06-08 03:45:17

One thing we are very lucky to have is a good community of people willing to test out unfinished builds of our software. That is a very valuable contribution to the process of developing usable, secure apps. So we want to make this process as easy as possible while keeping it as secure and private as possible. To that end, we have set up an FDroid repository of apps generated from the test builds that our build server generates automatically every time we publish new code.

After this big burst of development focused on FDroid, it has become clear that FDroid has lots of promise for becoming a complete solution for the whole process of delivering software from developers to users. We have tried other ways of delivering test builds like HockeyApp and Google Play’s Alpha and Beta channels and have found them lacking. The process did not seem as easy as it should be. And of course, both of them leave a lot to be desired when it comes to privacy of the users. So this is the first step in hopefully a much bigger project.

To use our new test build service, first install FDroid by downloading it from the official source: Then using a QR Code scanner like Barcode Scanner, just scan the QR Code below, and send it to FDroid Repositories. You can also browse to this page on your Android device, and click the link below to add it to FDroid:

You can also use our test repo via an anonymized connection using the Tor Hidden Service (as of this moment, that means downloading an official FDroid v0.69 test build). Just get Orbot and turn it on, and the following .onion address will automatically work in FDroid, as long as you have a new enough version (0.69 or later).


Guardian Project | The Guardian Project | 2014-06-06 21:17:01

We’re making the Internet more secure, by taking part in #ResetTheNet

Guardian Project | The Guardian Project | 2014-06-04 23:07:14

FreedomBox version 0.2

For those of you who have not heard through the mailing list or in the project's IRC channel (#freedombox on, FreedomBox has reached the 0.2 release. This second release is still intended for developers but represents a significant maturation of the components we have discussed here in the past and a big step forward for the project as a whole.

0.2 features

Plinth, our user interface tool, is now connected to a number of running systems on the box including PageKite, an XMPP chat server, local network administration if you want to use the FreedomBox as a home router, and some diagnostic and general system configuration tools. Plinth also has support for downloading and installing ownCloud.

Additionally, the 0.2 release installs Tor and configures it as a bridge. This default configuration does not actually send any of your traffic through Tor or allow those sending traffic over Tor to enter the public net using your connection. Acting as a bridge simply moves data around within the Tor network, much like adding an additional participant to a game of telephone. The more bridges there are in the Tor network, the harder it is to track where that traffic actually comes from.

Availability and reach

As discussed previously, one of the ways we are working to improve privacy and security for computer users is by making the tools we include in FreedomBox available outside of particular FreedomBox images or hardware. We are working towards that goal by adding the software we use to the Debian community Linux distribution upon which the FreedomBox is built. I am happy to say that Plinth, PageKite, ownCloud, as well as our internal box configuration tool freedombox-setup are now all available in the Jessie version of Debian.

In addition to expanding the list of tools available in Debian we have also expanded the range of Freedom-maker, the tool that builds full images of FreedomBox to deploy directly onto machines like our initial hardware target the DreamPlug. Freedom-maker can now build images for DreamPlug, the VirtualBox blend of virtual machines, and the Raspberry Pi. Now developers can test and contribute to FreedomBox using anything from a virtual machine to one of the more than two million Raspberry Pis out there in the world.

The future

Work has really been speeding up on the FreedomBox in 2014 and significant work has been done on new cryptographic security tools for a 0.3 release. As always, the best places to find out more are the wiki, the mailing list and the IRC channel.

FreedomBox | news | 2014-05-12 21:07:40

security in a thumb driveHardware Security Modules (aka Smartcards, chipcards, etc) provide a secure way to store and use cryptographic keys, while actually making the whole process a bit easier. In theory, one USB thumb drive like thing could manage all of the crypto keys you use in a way that makes them much harder to steal. That is the promise. The reality is that the world of Hardware Security Modules (HSMs) is a massive, scary minefield of endless technical gotchas, byzantine standards (PKCS#11!), technobabble, and incompatibilities. Before I dive too much into ranting about the days of my life wasted trying to find a clear path through this minefield, I’m going to tell you about one path I did find through to solve a key piece of the puzzle: Android and Java package signing.

ACS ACR38-T-IBS

For this round, I am covering the Aventra MyEID PKI Card. I bought a SIM-sized version to fit into an ACS ACR38T-IBS-R smartcard reader (it is apparently no longer made, and the ACT38T-D1 is meant to replace it). Why such specificity you may ask? Because you have to be sure that your smartcard will work with your reader, and that your reader will have a working driver for your system, and that your smartcard will have a working PKCS#11 driver so that software can talk to the smartcard. Thankfully there is the OpenSC project to cover the PKCS#11 part, it implements the PKCS#11 communications standard for many smartcards. On my Ubuntu/precise system, I had to install an extra driver, libacr38u, to get the ACR38T reader to show up on my system.

So let’s start there and get this thing to show up! First we need some packages. The OpenSC packages are out-of-date in a lot of releases, you need version 0.13.0-4 or newer, so you have to add our PPA (Personal Package Archive) to get current versions, which include a specific fix for the Aventra MyEID: (fingerprint: F50E ADDD 2234 F563):

sudo add-apt-repository ppa:guardianproject/ppa
sudo apt-get update
sudo apt-get install opensc libacr38u libacsccid1 pcsc-tools usbutils

First thing, I use lsusb in the terminal to see what USB devices the Linux kernel sees, and thankfully it sees my reader:

$ lsusb
Bus 005 Device 013: ID 072f:9000 Advanced Card Systems, Ltd ACR38 AC1038-based Smart Card Reader

Next, it’s time to try pcsc_scan to see if the system can see the smartcard installed in the reader. If everything is installed and in order, then pcsc_scan will report this:

$ pcsc_scan 
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau 
Compiled with PC/SC lite version: 1.7.4
Using reader plug'n play mechanism
Scanning present readers...
0: ACS ACR38U 00 00

Thu Mar 27 14:38:36 2014
Reader 0: ACS ACR38U 00 00
  Card state: Card inserted, 
  ATR: 3B F5 18 00 00 81 31 FE 45 4D 79 45 49 44 9A

If pcsc_scan cannot see the card, then things will not work. Try re-seating the smartcard in the reader, make sure you have all the right packages installed, and check that you can see the reader in lsusb. If your smartcard or reader cannot be read, then pcsc_scan will report something like this:

$ pcsc_scan 
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau 
Compiled with PC/SC lite version: 1.7.4
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...

Moving right along… now pcscd can see the smartcard, so we can start playing with using the OpenSC tools. These are needed to setup the card, put PINs on it for access control, and upload keys and certificates to it. The last annoying little preparation tasks are finding where is installed and the “slot” for the signing key in the card. These will go into a config file which keytool and jarsigner need. To get this info on Debian/Ubuntu/etc, run these:

$ dpkg -S
opensc: /usr/lib/x86_64-linux-gnu/
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/ \
>     --list-slots
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
Slot 1 (0x1): ACS ACR38U 00 00
  token label        : MyEID (signing)
  token manufacturer : Aventra Ltd.
  token model        : PKCS#15
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0106004065952228

This is the info needed to put into an opensc-java.cfg, which keytool and jarsigner need in order to talk to the Aventra HSM. The name, library, and slot fields are essential, and the description is helpful. Here is how the opensc-java.cfg using the above information looks:

name = OpenSC
description = SunPKCS11 w/ OpenSC Smart card Framework
library = /usr/lib/x86_64-linux-gnu/
slot = 1

Now everything should be ready for initializing the HSM, generating a new key, and uploading that key to the HSM. This process generates the key and certificate, puts them into files, then uploads them to the HSM. That means you should only run this process on a trusted machine, certainly with some kind of disk encryption, and preferably on a machine that is not connected to a network, running an OS that has never been connected to the internet. A live CD is one good example, I recommend Tails on a USB thumb drive running with the secure persistent store on it (we have been working here and there on making a TAILS-based distro specifically for managing keys, we call it CleanRoom).

HSM plugged into a laptop


First off, the HSM needs to be initialized, then set up with a signing PIN and a “Security Officer” PIN (which means basically an “admin” or “root” PIN). The signing PIN is the one you will use for signing APKs, the “Security Officer PIN” (SO-PIN) is used for modifying the HSM setup, like uploading new keys, etc. Because there are so many steps in the process, I’ve written up scripts to run thru all of the steps. If you want to see the details, read the scripts. The next step is to generate the key using openssl and upload it to the HSM. Then the HSM needs to be “finalized”, which means the PINs are activated, and keys cannot be uploaded. Don’t worry, as long as you have the SO-PIN, you can erase the HSM and re-initialize it. But be careful! Many HSMs will permanently self-destruct if you enter in the wrong PIN too many times, some will do that after only three wrong PINs! As long as you have not finalized the HSM, any PIN will work, so play around a lot with it before finalizing it. Run the init and key upload procedure a few times, try signing an APK, etc. Take note: the script will generate a random password for the secret files, then echo that password when it completes, so make sure no one can see your screen when you generate the real key. Alright, here goes!

code $ git clone
code $ cd smartcard-apk-signing/Aventra_MyEID_Setup
Aventra_MyEID_Setup $ ./ 
Edit pkcs15-init-options-file-pins to put in the PINs you want to set:
Aventra_MyEID_Setup $ emacs pkcs15-init-options-file-pins
Aventra_MyEID_Setup $ ./ 
Using reader with a card: ACS ACR38U 00 00
Connecting to card in reader ACS ACR38U 00 00...
Using card driver MyEID cards with PKCS#15 applet.
About to erase card.
PIN [Security Officer PIN] required.
Please enter PIN [Security Officer PIN]: 
Using reader with a card: ACS ACR38U 00 00
Connecting to card in reader ACS ACR38U 00 00...
Using card driver MyEID cards with PKCS#15 applet.
About to create PKCS #15 meta structure.
Using reader with a card: ACS ACR38U 00 00
Connecting to card in reader ACS ACR38U 00 00...
Using card driver MyEID cards with PKCS#15 applet.
Found MyEID
About to generate key.
Using reader with a card: ACS ACR38U 00 00
Connecting to card in reader ACS ACR38U 00 00...
Using card driver MyEID cards with PKCS#15 applet.
Found MyEID
About to generate key.
next generate a key with ./ then ./
Aventra_MyEID_Setup $ cd ../openssl-gen/
openssl-gen $ ./ 
Usage: ./ "CertDName" [4096]
  for example:
  "/C=US/ST=New York/O=Guardian Project Test/"
openssl-gen $ ./ "/C=US/ST=New York/O=Guardian Project Test/"
Generating key, be patient...
2048 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Signature ok
subject=/C=US/ST=New York/O=Guardian Project Test/
Getting Private key
writing RSA key
Your HSM will prompt you for 'Security Officer' aka admin PIN, wait for it!
Enter destination keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore]
Key fingerprints for reference:
MD5 Fingerprint=90:24:68:F3:F3:22:7D:13:8C:81:11:C3:A4:B6:9A:2F
SHA1 Fingerprint=3D:9D:01:C9:28:BD:1F:F4:10:80:FC:02:95:51:39:F4:7D:E7:A9:B1
SHA256 Fingerprint=C6:3A:ED:1A:C7:9D:37:C7:B0:47:44:72:AC:6E:FA:6C:3A:B2:B1:1A:76:7A:4F:42:CF:36:0F:A5:49:6E:3C:50
The public files are: certificate.pem publickey.pem request.pem
The secret files are: secretkey.pem certificate.p12 certificate.jkr
The passphrase for the secret files is: fTQ*he-[:y+69RS+W&+!*0O5i%n
openssl-gen $ cd ../Aventra_MyEID_Setup/
Aventra_MyEID_Setup $ ./ 
Using reader with a card: ACS ACR38U 00 00
Connecting to card in reader ACS ACR38U 00 00...
Using card driver MyEID cards with PKCS#15 applet.
Found MyEID
About to delete object(s).
Your HSM is ready for use! Put the secret key files someplace encrypted and safe!

Now your HSM should be ready for use for signing. You can try it out with keytool to see what is on it, using the signing PIN not the Security Officer PIN:

smartcard-apk-signing $ /usr/bin/keytool -v \
>     -providerClass \
>     -providerArg opensc-java.cfg \
>     -providerName SunPKCS11-OpenSC -keystore NONE -storetype PKCS11 \
>     -list
Enter keystore password:  

Keystore type: PKCS11
Keystore provider: SunPKCS11-OpenSC

Your keystore contains 1 entry

Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner:,, O=Guardian Project Test, ST=New York, C=US
Issuer:,, O=Guardian Project Test, ST=New York, C=US
Serial number: aa6887be1ec84bde
Valid from: Fri Mar 28 16:41:26 EDT 2014 until: Mon Aug 12 16:41:26 EDT 2041
Certificate fingerprints:
	 MD5:  90:24:68:F3:F3:22:7D:13:8C:81:11:C3:A4:B6:9A:2F
	 SHA1: 3D:9D:01:C9:28:BD:1F:F4:10:80:FC:02:95:51:39:F4:7D:E7:A9:B1
	 SHA256: C6:3A:ED:1A:C7:9D:37:C7:B0:47:44:72:AC:6E:FA:6C:3A:B2:B1:1A:76:7A:4F:42:CF:36:0F:A5:49:6E:3C:50
	 Signature algorithm name: SHA1withRSA
	 Version: 1
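A check worth running before the first real signature, as an added example (not part of the original post or its scripts): compare the SHA-256 fingerprint printed when the key was generated with the one keytool reports from the token. The function names are this example's own, and the embedded text is copied from the two transcripts above.

```python
import re

# Constructed inputs: the relevant lines of the two transcripts on this page.
GENERATION_LOG = """\
Key fingerprints for reference:
MD5 Fingerprint=90:24:68:F3:F3:22:7D:13:8C:81:11:C3:A4:B6:9A:2F
SHA1 Fingerprint=3D:9D:01:C9:28:BD:1F:F4:10:80:FC:02:95:51:39:F4:7D:E7:A9:B1
SHA256 Fingerprint=C6:3A:ED:1A:C7:9D:37:C7:B0:47:44:72:AC:6E:FA:6C:3A:B2:B1:1A:76:7A:4F:42:CF:36:0F:A5:49:6E:3C:50
"""
KEYTOOL_LISTING = """\
Your keystore contains 1 entry

Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Serial number: aa6887be1ec84bde
Certificate fingerprints:
\t MD5:  90:24:68:F3:F3:22:7D:13:8C:81:11:C3:A4:B6:9A:2F
\t SHA1: 3D:9D:01:C9:28:BD:1F:F4:10:80:FC:02:95:51:39:F4:7D:E7:A9:B1
\t SHA256: C6:3A:ED:1A:C7:9D:37:C7:B0:47:44:72:AC:6E:FA:6C:3A:B2:B1:1A:76:7A:4F:42:CF:36:0F:A5:49:6E:3C:50
\t Signature algorithm name: SHA1withRSA
"""


def normalize(fingerprint):
    """Return a SHA-256 fingerprint as 64 lowercase hex digits, or raise."""
    digits = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return digits


def recorded_sha256(generation_log):
    """Fingerprint that was printed when the key was generated."""
    match = re.search(r"^SHA256 Fingerprint=(\S+)\s*$", generation_log, re.M)
    if match is None:
        raise ValueError("no SHA256 fingerprint in generation log")
    return normalize(match.group(1))


def keystore_entries(listing):
    """Map alias -> {'type': ..., 'sha256': ...} from `keytool -list -v` text."""
    entries, current = {}, None
    for line in listing.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Alias name":
            current = entries.setdefault(value, {})
        elif current is not None and key == "Entry type":
            current["type"] = value
        elif current is not None and key == "SHA256":
            # Keep the first fingerprint per alias: in a longer chain the
            # signer's own certificate is listed before its issuers.
            current.setdefault("sha256", normalize(value))
    return entries


def verify_token(listing, generation_log, alias):
    """Return (ok, reason): does the token hold the key that was generated?"""
    entry = keystore_entries(listing).get(alias)
    if entry is None:
        return False, "alias %r is not on the token" % alias
    if entry.get("type") != "PrivateKeyEntry":
        return False, "alias %r has no private key" % alias
    if "sha256" not in entry:
        return False, "no SHA256 fingerprint listed for alias %r" % alias
    if entry["sha256"] != recorded_sha256(generation_log):
        return False, "fingerprint mismatch"
    return True, "fingerprint matches the generation record"


if __name__ == "__main__":
    print(verify_token(KEYTOOL_LISTING, GENERATION_LOG, "1"))
```
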


And let’s try signing an actual APK using the arguments that Google recommends, again, using the signing PIN:

smartcard-apk-signing $ /usr/bin/jarsigner -verbose \
>     -providerClass \
>     -providerArg opensc-java.cfg -providerName SunPKCS11-OpenSC \
>     -keystore NONE -storetype PKCS11 \
>     -sigalg SHA1withRSA -digestalg SHA1 \
>     bin/LilDebi-release-unsigned.apk 1
Enter Passphrase for keystore: 
   adding: META-INF/1.SF
   adding: META-INF/1.RSA
  signing: assets/busybox
  signing: assets/
  signing: assets/
  signing: assets/
  signing: assets/debian-archive-keyring.gpg
  signing: assets/debootstrap.tar.bz2
  signing: assets/e2fsck.static
  signing: assets/gpgv
  signing: assets/lildebi-common

Now we have a working, but elaborate, process for setting up a Hardware Security Module for signing APKs. Once the HSM is set up, using it should be quite straightforward. Next steps are to work out as many kinks in this process as possible so this will be the default way to sign APKs. That means things like figuring out how Java can be pre-configured to use OpenSC in the Debian package, as well as including all relevant fixes in the pcscd and opensc packages. Then the ultimate is to add support for using HSMs in Android’s generated build files like the build.xml for ant that is generated by android update project. Then people could just plug in the HSM and run ant release and have a signed APK!

Guardian Project | The Guardian Project | 2014-03-28 20:54:39

An interesting turn of events (which we are very grateful for!)


Diana Del Olmo,
Nathan Freitas (in Austin / SXSW) +1.718.569.7272

Get press kit and more at:



The Guardian Project is amongst the 10 chosen grantee organizations to be awarded a $100,000 digital age grant due to its extensive work creating open source software to help citizens overcome government-sponsored censorship.


NEW YORK, NY (March 10, 2014)—Ten non-profits in the U.S. and abroad
have been named recipients of New Digital Age Grants, funded through a
$1 million donation by Google executive chairman Eric Schmidt. The
Guardian Project is one of two New York City-based groups receiving an

The New Digital Age Grants were established to highlight organizations
that use technology to counter the global challenges Schmidt and
Google Ideas Director Jared Cohen write about in their book THE NEW
DIGITAL AGE, including government-sponsored censorship, disaster
relief and crime fighting. The book was released in paperback on March 4.

“The recipients chosen for the New Digital Age Grants are doing some
very innovative and unique work, and I’m proud to offer them this
encouragement,” said Schmidt. “Five billion people will encounter the
Internet for the first time in the next decade. With this surge in the
use of technology around the world—much of which we in the West take
for granted—I felt it was important to encourage organizations that
are using it to solve some of our most pressing problems.”

Guardian Project founder, Nathan Freitas, created the project based on
his first-hand experience working with Tibetan human rights and
independence activists for over ten years. Today, March 10th, is the
55th anniversary of the Tibetan Uprising Day against Chinese
occupation. “I have seen first hand the toll that online censorship,
mobile surveillance and digital persecution can take on a culture,
people and movement,” said Freitas. “I am elated to know Mr. Schmidt
supports our effort to fight back against these unjust global trends
through the development of free, open-source mobile security

Many of the NDA grantees, such as Aspiration, Citizen Lab and OTI,
already work with the Guardian Project on defending digital rights,
training high-risk user groups and doing core research and development
of anti-censorship and surveillance defense tools and training.

The New Digital Age Grants are being funded through a private donation
by Eric and Wendy Schmidt.

About the Guardian Project

The Guardian Project is a global collective of software developers
(hackers!), designers, advocates, activists and trainers who develop
open source mobile security software and operating system
enhancements. They also create customized mobile devices to help
individuals communicate more freely and protect themselves from
intrusion and monitoring. The effort specifically focuses on users who
live or work in high-risk situations, and who often face constant
surveillance and intrusion attempts into their mobile devices and
communication streams.

Since it was founded in 2009, the Guardian Project has developed more
than a dozen mobile apps for Android and iOS with over two million
downloads and hundreds of thousands of active users. In the last five
years the Guardian Project has partnered with prominent open source
software projects, activists groups, NGOs, commercial partners and
news organizations to support their mobile security software
capabilities. This work has been made possible with funding from
Google, UC Berkeley with the MacArthur Foundation, Avaaz, Internews,
Open Technology Fund, WITNESS, the Knight Foundation, Benetech, and
Free Press Unlimited. Through work on partner projects like The Tor
Project, Commotion mesh and StoryMaker, we have received indirect
funding from both the US State Department through the Bureau of
Democracy, Human Rights and Labor Internet Freedom program, and the
Dutch Ministry of Foreign Affairs through HIVOS.

The Guardian Project is very grateful for this personal donation and
is happy to have its work recognized by Mr Schmidt. This grant will
allow us to continue our work on ensuring users around the world have
access to secure, open and trustworthy mobile messaging services. We
will continue to improve reliability and security of ChatSecure for
Android and iOS and integrate the OStel voice and video calling
services into the app for a complete secure communications solution.
We will support the work of the new I.M.AWESOME (Instant Messaging
Always Secure Messaging) Coalition focused on open-standards,
decentralized secure mobile messaging, and voice and video
communications. Last, but not least, we will improve device testing,
support and outreach to global human rights defenders, activists and
journalists, bringing the technology that the Guardian Project has
developed to the people that need it most.

About the NDA Recipients

Aspiration in San Francisco, CA, provides deep mentorship to build
tech capacity supporting Africa, Asia and beyond. Their NDA grant will
grow their capacity-building programs for the Global South, increasing
technical capacity to meet local challenges.

C4ADS, a nonprofit research team in Washington, DC, is at the cutting
edge of unmasking Somali pirate networks, Russian arms-smuggling
rings, and other illicit actors entirely through public records. Their
data-driven approach and reliance on public documents has enormous
potential impact, and the grant will help with their next big project.

The Citizen Integration Center in Monterrey, Mexico has developed an
innovative public safety broadcast and tipline system on social media.
Users help their neighbors—and the city—by posting incidents and
receiving alerts when violence is occurring in their communities. The
grant will help them broaden their reach.

The Citizen Lab at the Munk School of Global Affairs at the University
of Toronto, Canada, is a leading interdisciplinary laboratory
researching and exposing censorship and surveillance. The grant will
support their technical reconnaissance and analysis, which uniquely
combines experts and techniques from computer science and the social

The Guardian Project, based in New York City, develops open-source
secure communication tools for mobile devices. ChatSecure and OSTel,
their open standards-based encrypted messaging, voice and video
communication services, which are both built on open standards, have
earned the trust of tens of thousands of users in
repressively-censored environments, and the grant will advance their
technical development.

The Igarapé Institute in Rio de Janeiro, Brazil, focuses on violence
prevention and reduction through technology. Their nonprofit work on
anti-crime projects combines the thoughtfulness of a think tank with
the innovative experimentation of a technology design shop. The grant
will support their research and development work.

KoBo Toolbox in Cambridge, MA, allows fieldworkers in far-flung
conflict and disaster zones to easily gather information without
active Internet connections. The grant will help them revamp their
platform to make it easier and faster to deploy.

The New Media Advocacy Project in New York, NY, is a nonprofit
organization developing mobile tools to map violence and
disappearances in challenging environments. The grant will allow them
to refine their novel, interactive, video-based interfaces.

The Open Technology Institute at the New America Foundation in
Washington, DC, advances open architectures and open-source
innovations for a free and open Internet. The grant will assist their
work with the Measurement Lab project to objectively measure and
report Internet interference from repressive governments.

Portland State University in Portland, OR, is leading ground-breaking
research on network traffic obfuscation techniques, which improve
Internet accessibility for residents of repressively-censored
environments. The grant will support the research of Professor Tom
Shrimpton and his lab, who—with partners at the University of
Wisconsin and beyond—continue to push the boundaries with new
techniques like Format Transforming Encryption.

Guardian Project | The Guardian Project | 2014-03-10 16:22:34

The HTTPS protocol is based on TLS and SSL, which are standard ways to negotiate encrypted connections. There is a lot of complexity in the protocols and lots of config options, but luckily most of the config options can be ignored since the defaults are fine. But there are some things worth tweaking to ensure that as many connections as possible are using reliable encryption ciphers while providing forward secrecy. A connection with forward secrecy provides protection to past transactions even if the server’s HTTPS private key/certificate is stolen or compromised. This protects your users from large scale network observers that can store all traffic for later decryption, like governments, ISPs, telecoms, etc. From the server operator’s point of view, it means less risk of leaking users’ data, since even if the server is compromised, past network traffic will probably not be able to be decrypted.

In my situation, I was using our development site,, as my test bed, it is Apache 2.2 and openssl 1.0.1 running on Ubuntu/precise 12.04 Long-Term Support, so that means that some of the options are more limited since this is an older release. On Debian, Ubuntu and other Debian-derivatives, you’ll only need to edit /etc/apache2/mods-available/ssl.conf. There are more paranoid resources for perfectly configuring your TLS, but we’re not ready to drop support for old browsers that only support SSLv3, and not TLS at all. So I went with this line to enable SSLv3 and TLSv1.0 and newer:

SSLProtocol all -SSLv2

With TLS connections, the client and the server each present a list of encryption ciphers that represent the ciphers they each support in order of preference. This enables the client and server to choose a cipher that both support. Normally, the client’s list takes precedence over the server’s, but with many browsers that can be changed. Unfortunately it seems that Microsoft Internet Explorer (IE) ignores this and always uses the client’s preference first. Here’s how to make Apache request that the server preferences are preferred:

SSLHonorCipherOrder on

Next up is tweaking the server’s preference list to put ciphers that enable forward secrecy first (don’t worry if you don’t understand the next stuff about my rationale, my aim is to walk thru the process). This is done in most web servers using openssl-style cipher lists. I started out with what Mozilla recommends, then pared down the list to remove AES-256 ciphers, since AES-128 is widely regarded to be faster, quite strong, and perhaps more resistant to timing attacks than AES-256. I also chose to remove RC4-based ciphers, since RC4 might already be broken, and will only get worse with time. RC4 has historically been used to mitigate the “BEAST” attack, but that is mostly happening in the clients now. So with that I ended up with this cipher list (should be all one line in your config file):


One thing to make sure is that all of these ciphers are supported on your system. You can get the list of supported ciphers from openssl ciphers. I used this command line to get them in a nice, alphabetized list:

openssl ciphers | sed 's,:,\n,g' | sort
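The choices described above (forward-secrecy ciphers first, no AES-256, no RC4, everything supported by the local openssl) can be checked mechanically. This is an added example, not from the original post: it audits the table that `openssl ciphers -v` prints for a candidate list. The candidate list, the sample outputs and the function names are constructed for the example.

```python
import re

# Constructed sample in the table format that `openssl ciphers -v '<list>'`
# prints. The candidate list is hypothetical, not the list from this post.
CANDIDATE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""
# Constructed sample of plain `openssl ciphers` output on the server.
SYSTEM = "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA"


def parse_ciphers(table):
    """Parse `openssl ciphers -v` rows into dicts, in list order."""
    suites = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        enc = re.fullmatch(r"([^()]+)(?:\((\d+)\))?", attrs.get("Enc", ""))
        suites.append({
            "name": fields[0],
            "kx": attrs.get("Kx", ""),
            "alg": enc.group(1) if enc else "",
            "bits": int(enc.group(2)) if enc and enc.group(2) else 0,
        })
    return suites


def is_forward_secret(suite):
    # Ephemeral key exchange prints as Kx=ECDH or Kx=DH (Kx=any for TLS 1.3
    # suites in newer openssl). Static variants print as Kx=ECDH/RSA or
    # Kx=DH/DSS and reuse a long-term key, as does plain Kx=RSA.
    return suite["kx"].split("(")[0] in ("ECDH", "DH", "any")


def audit(table):
    """Report where a candidate list departs from the policy in the post."""
    suites = parse_ciphers(table)
    flags = [is_forward_secret(s) for s in suites]
    # With SSLHonorCipherOrder on, the server takes the first suite in its
    # own list that the client also offers, so a forward-secret suite listed
    # after a non-forward-secret one can lose to it.
    first_non_fs = flags.index(False) if False in flags else len(suites)
    return {
        "no_forward_secrecy": [s["name"] for s, fs in zip(suites, flags) if not fs],
        "fs_after_non_fs": [s["name"] for s, fs in
                            zip(suites[first_non_fs:], flags[first_non_fs:]) if fs],
        "rc4": [s["name"] for s in suites if s["alg"] == "RC4"],
        "aes256": [s["name"] for s in suites
                   if s["alg"].startswith("AES") and s["bits"] == 256],
    }


def missing_from_system(table, system_list):
    """Names in the candidate list that the local openssl does not offer."""
    supported = set(system_list.strip().split(":"))
    return [s["name"] for s in parse_ciphers(table) if s["name"] not in supported]


if __name__ == "__main__":
    for finding, names in audit(CANDIDATE).items():
        print(finding, names)
    print("unsupported here", missing_from_system(CANDIDATE, SYSTEM))
```
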

Lastly, we want to set the HSTS header to tell the browser to always use HTTPS. To enforce this, a header is added to the collection of HTTP headers delivered when connecting to the HTTPS site. This header tells the client browser to always connect to the current domain using HTTPS. It includes an expiration date (aka max-age) after which, the client browser will again allow HTTP connections to that domain. The server might then again redirect the HTTP connection to HTTPS, and again the client will get the HSTS header, and use only HTTPS until the expiration date comes again. To include this header in your Apache server, add this line:

Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
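How a client applies this header over time, modelled as an added example (not from the original post or from any browser's code): the policy is only accepted over HTTPS, lasts until max-age runs out, and covers subdomains when includeSubDomains is present. The host example.org and the class and function names are placeholders chosen for the example.

```python
def parse_hsts(header):
    """Return (max_age_seconds, include_subdomains), or None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in seen:
            return None                  # a repeated directive voids the header
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    # max-age is the one required directive.
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal model of the per-host HSTS state a browser keeps."""

    def __init__(self):
        self._policies = {}              # host -> (expires_at, include_subdomains)

    def note_response(self, host, scheme, header, now):
        """Record the header from a response received at time `now` (seconds)."""
        if scheme != "https" or header is None:
            return                       # the header is ignored on plain HTTP
        policy = parse_hsts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 clears the policy
        else:
            self._policies[host] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if a request to `host` at time `now` must be sent over HTTPS."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            # i == 0 is the host itself; parent domains only count when
            # their policy carried includeSubDomains.
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False


if __name__ == "__main__":
    store = HstsStore()
    store.note_response("example.org", "https",
                        "max-age=15768000;includeSubDomains", now=0)
    print(store.must_use_https("dev.example.org", now=3600))
```
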

Now you can check the results of your work with Qualys’ handy SSL Test. You can see the result of my efforts here: A- is not bad. I tried for a good long while to get IE to use FS (Forward Secrecy) ciphers, but failed. IE does not respect the server-side cipher preferences. My guess is that the only way to get IE to use FS ciphers is to make a custom cipher list that does not include anything but FS ciphers and serve that only to IE. I know it is possible to do because got an A+ for doing it. For a quick way to check out the cipher lists and HSTS header, look at iSEC Partner’s sslyze.

This is only a quick overview of the process to outline the general concepts. To find out more I recommend reading the source articles for this post, including specific directions for nginx and lighttpd:

Guardian Project | The Guardian Project | 2014-02-13 00:14:59

In September, I was pleased to present a talk on the importance of making cryptography and privacy technology accessible to the masses at TED’s Montréal event. In my 16-minute talk, I discussed threats to Internet freedom and privacy, political perspectives, as well as the role open technologies such as Cryptocat can play in this field.

The talk is available here, on the TEDx YouTube channel.

CryptoCat | Cryptocat Development Blog | 2013-10-19 16:43:32

Independent Cryptocat server operators:

We’re issuing a mandatory update for Cryptocat server configuration. Specifically, the ejabberd XMPP server configuration must be updated to include support for mod_ping.

Click here for Cryptocat server setup instructions, including the updated configuration for ejabberd.

We’re doing this in order to allow upcoming Cryptocat versions better connection handling, and the introduction of a new auto-reconnect feature! All Cryptocat versions 2.1.14 and above will not connect to servers without this configuration update. Cryptocat 2.1.14 is expected to be released some time within the coming weeks.

CryptoCat | Cryptocat Development Blog | 2013-09-11 19:38:58

This morning, we’ve begun to push Cryptocat 2.1.13, a big update, to all Cryptocat-compatible platforms (Chrome, Safari, Firefox and OS X.) This update brings many new features and improvements, as well as some small security fixes and improvements. The full change log is available in our code repository, but we’ll also list the big new things below. The update is still being pushed, so it may take around 24 hours for the update to be available in your area.

Important notes

First things first: encrypted group chat in Cryptocat 2.1.13 is not backwards compatible with any prior version. Encrypted file sharing and private one-on-one chat will still work, but we still strongly recommend that you update and also remind your friends to update as well. Also, the block feature has been changed to an ignore feature — you can still ignore group chat messages from others, but you cannot block them from receiving your own.

New feature: Authenticate with secret questions!

Secret question authentication (SMP)


An awesome new feature we’re proud to introduce is secret question authentication, via the SMP protocol. Now, if you are unable to authenticate your friend’s identity using fingerprints, you can simply ask them a question to which only they would know the answer. They will be prompted to answer — if the answers match, a cryptographic process known as SMP will ensure that your friend is properly authenticated. We hope this new feature will make it easier to authenticate your friend’s identities, which can be time-consuming when you’re chatting with a conversation of five or more friends. This feature was designed and implemented by Arlo Breault and Nadim Kobeissi.
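What "if the answers match" means cryptographically, as an added example that is not Cryptocat's code: the four-message socialist millionaires' exchange that SMP (as specified for OTR) is built on, in which each side learns only whether the two answers are equal. Assumptions of this example: a toy group (the Mersenne prime 2**521 - 1 with base 3) instead of OTR's 1536-bit group, answers normalised by trimming and lower-casing, and the zero-knowledge proofs and range checks that accompany every message in the real protocol left out.

```python
import hashlib
import secrets

# Toy parameters, chosen for this example only.
P = 2**521 - 1
G = 3
ORDER = P - 1


def secret_from_answer(answer):
    """Hash the typed answer into the secret exponent being compared."""
    digest = hashlib.sha256(answer.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(digest, "big")


def rand_exp():
    return secrets.randbelow(ORDER - 2) + 2


def div(a, b):
    """a / b in the multiplicative group modulo P."""
    return a * pow(b, -1, P) % P


class Initiator:
    """The person asking the question; x is derived from their answer."""

    def __init__(self, answer):
        self.x = secret_from_answer(answer)
        self.a2, self.a3 = rand_exp(), rand_exp()

    def step1(self):
        return pow(G, self.a2, P), pow(G, self.a3, P)

    def step3(self, msg2):
        g2b, g3b, pb, qb = msg2
        g2 = pow(g2b, self.a2, P)        # shared base g^(a2*b2)
        g3 = pow(g3b, self.a3, P)        # shared base g^(a3*b3)
        s = rand_exp()
        self.pa, self.pb = pow(g3, s, P), pb
        qa = pow(G, s, P) * pow(g2, self.x, P) % P
        ra = pow(div(qa, qb), self.a3, P)
        return self.pa, qa, ra

    def finish(self, rb):
        # rb^a3 equals Pa/Pb exactly when g2^((x - y)*a3*b3) is 1, i.e. x == y.
        return pow(rb, self.a3, P) == div(self.pa, self.pb)


class Responder:
    """The person answering; y is derived from what they typed."""

    def __init__(self, answer):
        self.y = secret_from_answer(answer)
        self.b2, self.b3 = rand_exp(), rand_exp()

    def step2(self, msg1):
        g2a, g3a = msg1
        g2 = pow(g2a, self.b2, P)
        g3 = pow(g3a, self.b3, P)
        r = rand_exp()
        self.pb = pow(g3, r, P)
        self.qb = pow(G, r, P) * pow(g2, self.y, P) % P
        return pow(G, self.b2, P), pow(G, self.b3, P), self.pb, self.qb

    def step4(self, msg3):
        pa, qa, ra = msg3
        self.matched = pow(ra, self.b3, P) == div(pa, self.pb)
        return pow(div(qa, self.qb), self.b3, P)


def run_smp(asker_answer, friend_answer):
    """Run the exchange; return what (asker, friend) each conclude."""
    asker, friend = Initiator(asker_answer), Responder(friend_answer)
    msg2 = friend.step2(asker.step1())
    msg4 = friend.step4(asker.step3(msg2))
    return asker.finish(msg4), friend.matched


if __name__ == "__main__":
    print(run_smp("Blue Heron", " blue heron "))   # answers agree
    print(run_smp("blue heron", "grey heron"))     # answers differ
```
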



New Feature: Message previews

Message previews

Another exciting new feature is message previews: Messages from buddies you’re not currently chatting with will appear in a small blue bubble, allowing you to quickly preview messages you’re receiving from various parties, without switching conversations. This feature was designed by Meghana Khandekar at the Cryptocat Hackathon and implemented by Nadim Kobeissi.





Security improvements

Better warnings for participants.

We’ve addressed a few security issues: the first is a recurring issue where Cryptocat users could be allowed to send group chat messages only to some participants of a group chat and not to others. This issue had popped up before, and we hope we won’t have to address it again. In a group chat scenario, it turns out that resolving this kind of situation is more difficult than previously thought.

The second issue is related to private chat accepting unencrypted messages from non-Cryptocat clients. We’ve chosen to make Cryptocat refuse to display any unencrypted messages it receives and drop them.

Finally, we’ve added better warnings. In case of suspicious cryptographic activity (such as bad message authentication codes or reuse of initialization vectors), Cryptocat will display a general warning regarding the violating user.

More improvements and fixes

This is a really big update, and there are a lot more improvements and small bug fixes spread all around Cryptocat. We’ve fixed an issue that would prevent Windows users from sending encrypted ZIP file transfers, made logout messages more reliable, added timestamps to join/part messages, made Cryptocat for Firefox a lot snappier… these are only a handful of the many small improvements and fixes in Cryptocat 2.1.13.

We hope you enjoy it! It should be available as an update for your area within the next 24 hours.

CryptoCat | Cryptocat Development Blog | 2013-09-04 16:56:25

We’re excited to announce the new Cryptocat Encrypted Chat Mini Guide! This printable, single-page two-sided PDF lets you print out, cut up and staple together a small guide you can use to introduce friends, colleagues and anyone else to the differences between regular instant messaging and encrypted chat, how Cryptocat works, why fingerprints are important, and Cryptocat’s current limitations. Download the PDF and print your own!

The goal of the Cryptocat Mini Guide is to quickly explain to anyone how Cryptocat is different, focusing on an easy-to-understand cartoon approach while also communicating important information such as warnings and fingerprint authentication.

Special thanks go to Cryptocat’s Associate Swag Coordinator, Ingrid Burrington, for designing the guide and getting it done. The Cryptocat Mini Guide was one of the many initiatives that started at last month’s hackathon, and we’re very excited to see volunteers come up with fruitful initiatives. You’ll be seeing this guide distributed at conferences and other events where Cryptocat is present. And don’t forget to print your own — we even put dashed lines where you’re supposed to cut with scissors.

CryptoCat | Cryptocat Development Blog | 2013-09-01 20:31:44

Open Source Veteran Bdale Garbee Joins FreedomBox Foundation Board

NEW YORK, March 10, 2011-- The FreedomBox Foundation, based here, today announced that Bdale Garbee has agreed to join the Foundation's board of directors and chair its technical advisory committee. In that role, he will coordinate development of the FreedomBox and its software.

Garbee is a longtime leader and developer in the free software community. He serves as Chief Technologist for Open Source and Linux at Hewlett Packard, is chairman of the Debian Technical Committee, and is President of Software in the Public Interest, the non-profit organization that provides fiscal sponsorship for the Debian GNU/Linux distribution and other projects. In 2002, he served as Debian Project Leader.

"Bdale has excelled as a developer and leader in the free software community. He is exactly the right person to guide the technical architecture of the FreedomBox," said Eben Moglen, director of the FreedomBox Foundation.

"I'm excited to work on this project with such an enthusiastic community," said Garbee. "In the long-term, this may prove to be most important thing I'm doing right now."

The Foundation's formation was announced in Brussels on February 4, and it is actively seeking funds; it recently raised more than $80,000 in less than fifteen days on Kickstarter.

About the FreedomBox Foundation

The FreedomBox project is a free software effort that will distribute computers that allow users to seize control of their privacy, anonymity and security in the face of government censorship, commercial tracking, and intrusive internet service providers.

Eben Moglen is Professor of Law at Columbia University Law School and the Founding Director of the FreedomBox Foundation, a new non-profit incorporated in Delaware. It is in the process of applying for 501(c)(3) status. Its mission is to support the creation and worldwide distribution of FreedomBoxes.

For further information, contact Ian Sullivan at or see

FreedomBox | news | 2013-08-21 18:44:58

Cryptocat’s first ever hackathon event was a great success. With the collaboration of OpenITP and the New America NYC office, we were able to bring together dozens of individuals, which included programmers, designers, technologists, journalists, and privacy enthusiasts from around the world, to share a weekend of discussions, workshops and straight old-fashioned Cryptocat hacking in New York City.

During this weekend, we organized a coding track, led by myself, Nadim, as well as a journalist security track that was led by Carol Waters of Internews, with the participation of the Guardian Project. The coding track brought together volunteer programmers, documentation writers and user interface designers in order to work on various open issues as well as suggest new features, discover and fix bugs, and contribute to making our documentation more readable.

Ingrid Burrington's work-in-progress Cryptocat Quick Start Guide.

Many people showed up, with many great initiatives and ideas. Off the top of my head, I remember Meghana Khandekar, of the New York School of Visual Arts, who contributed ideas for user interface improvements. Steve Thomas and Joseph Bonneau helped with discovering, addressing and discussing encryption-related bugs and improvements. Griffin Boyce, from the Open Technology Institute, helped with organizing the hackathon and contributed the first working build of Cryptocat for newer Opera browsers. Ingrid Burrington participated by working on hand-outable Cryptocat quick-start guides. David Huerta and Christopher Casebeer further contributed some code-level and design-level usability improvements. I worked on implementing a user interface for SMP authentication in Cryptocat.

We were very excited to have a team of medical doctors and developers figuring out a Cryptocat-based app for sharing medical records while fully respecting privacy laws. The team was looking to implement a medium for comparing X-ray images over Cryptocat encrypted chat, among other medical field related features.

Cryptocat Hackathon: Day 1

The journalist security track gave a handful of journalists and privacy enthusiasts the opportunity for expert hands-on training in techniques that can help them maintain their privacy and the privacy of their sources online and offline. In addition, with the help of the Guardian Project, we were able to introduce apps such as Gibberbot and OSTel for secure mobile communications.

We were very pleased with the success of the first Cryptocat hackathon. Code was written, bugs were fixed, food was shared, and prize Cryptocat t-shirts were won. I sincerely thank OpenITP and New America NYC for their organizational aid, and my friend Griffin Boyce for helping me carry food, set up tables and chairs, and generally make sure people were comfortable. And finally, an equally big thanks to all the people who showed up and helped improve Cryptocat. Without any of these people, such a great hackathon would have never happened. Watch out for more hackathons in D.C., San Francisco, and Montréal!

Cryptocat Hackathon

Update: The hackathon is over, and you can find out what happened (and see photos) at our report!

Cryptocat, in collaboration with OpenITP, will be hosting the very first Cryptocat Hackathon weekend in New York City, on the weekend of the 17th and 18th of August 2013.

Join us on August 17-18 for the Cryptocat Hackathon and help empower people worldwide by improving useful tools and discussing the future of making privacy accessible. This two day event will take place at the OpenITP offices, located on 199 Lafayette Street, Suite 3b, New York City. Please RSVP on Eventbrite or email


The Cryptocat Hackathon will feature two tracks to accommodate the diversity of the attendees:

Coding Track with Nadim

Join Nadim in discussing the future of Cryptocat and contributing towards our efforts for the next year. Multi-Party OTR, encrypted video chat using WebRTC, and more exciting topics await your helping hands!

Journalist Security Track with Carol and the Guardian Project

Join Carol in a hands-on workshop for journalists on how to protect your digital security and privacy in your working environment. The Guardian Project will also be swooping in to discuss mobile security, introducing tools and solutions. Carol Waters is a Program Officer with Internews’ Internet Initiatives, and focuses on digital and information security issues. The Guardian Project builds open source mobile apps to protect the privacy and security of all of mankind.

Who should attend?

Hackers, designers, journalists, Internet freedom fighters, community organizers, and netizens. Essentially, anyone interested in empowering activists through these tools. While a big chunk of the work will focus on code, there are many other tasks available ranging from Q&A to communications.



10:00: Introduction and planning

11:00 Some hacking

12:00 Lunch!

1:00 – 5:00 Split into two tracks:

Coding track with Nadim

Journalist security track with Carol Waters


10:00: Some hacking

12:00 Lunch!

1:00 – 4:00 Split into two tracks:

Coding track with Nadim

Journalist security track with Carol

4:00 – 5:00 Closing notes and roundtable

CryptoCat | Cryptocat Development Blog | 2013-08-07 14:48:00

24 hours after last month’s critical vulnerability in Cryptocat hit its peak controversy point, I was scheduled to give a talk at SIGINT2013, organized in Köln by the Chaos Computer Club. After the talk, we held a 70-minute Q&A in which I answered questions even from Twitter. 70 minutes!

In the 45-minute talk, I discuss the recent bug, how we plan to deal with it, what it means, as well as Cryptocat’s overall goals and progress:

In the 70-minute Q&A that followed, I answer every question ranging from the recent bug to what my favourite TV show is:

I’m really pleased with these videos since they present a channel into how the project is dealing with security issues as well as our current position and future plans. If you’re interested in Cryptocat, they are worth watching.

Additionally, I recently gave a talk about Cryptocat at Republika in Rijeka, and will be at OHM2013 in Amsterdam as part of NoisySquare, where there will be Cryptocat talks, workshops and more. See you there!

CryptoCat | Cryptocat Development Blog | 2013-07-23 17:24:14

In the unlikely event that you are using a version of Cryptocat older than 2.0.42, please update to the latest version immediately to fix a critical security bug in group chat. We recommend updating to the 2.1.* branch, which at time of writing is the latest version. We apologize unreservedly for this situation. (Post last updated Sunday July 7, 2:00PM UTC)

What happened?

A few weeks ago, a volunteer named Steve Thomas pointed out a vulnerability in the way key pairs were generated for Cryptocat’s group chat. The vulnerability was quickly resolved and an update was pushed. We sincerely thank Steve for his invaluable effort.

The vulnerability was such that any conversations had over Cryptocat’s group chat function, between versions 2.0 and 2.0.42 (2.0.42 not included), were easier to crack via brute force. The period between 2.0 and 2.0.42 covered approximately seven months. Group conversations that were had during those seven months were likely vulnerable to being significantly easier to crack.

Once Steve reported the vulnerability, it was fixed immediately and the update was pushed. We’ve thanked Steve and added his name on our Cryptocat Bughunt page’s wall of fame.

In our update log for Cryptocat 2.0.42, we had noted that the update fixed a security bug:

  • IMPORTANT: Due to changes to multiparty key generation (in order to be compatible with the upcoming mobile apps), this version of Cryptocat cannot have multiparty conversations with previous versions. However private conversations still work.
  • Fixed a bug found in the encryption libraries that could partially weaken the security of multiparty Cryptocat messages. (This is Steve’s bug.)

The first item, which made some changes in how keys were generated, did break compatibility with previous versions. But unlike what Steve has written in his blog post on the matter, this has nothing at all to do with the vulnerability he reported, which we were able to fix without breaking compatibility.

Due to Steve’s publishing of his blog post, we felt it would be useful to publish an additional blog post clarifying the matter. While the blog post published by Steve does indeed point to a significant vulnerability, we want to make sure it does not also cause inaccuracies to be reported.

Private chats are not affected: Private queries (1-on-1) are handled over the OTR protocol, and are therefore completely unaffected by this bug. Their security was not weakened.

Our SSL keys are safe: For some reason, there are rumors that our SSL keys were compromised. To the best of our knowledge, this is not the case. All Cryptocat data still passed over SSL, and that offers a small layer of protection that may help with this issue. Of course, it does not in any way save from the fact that due to our blunder, seven months of conversations were easier to crack. This is still a real mistake. We should also note that our SSL setup has implemented forward secrecy for the past couple of weeks. We’ve rotated our SSL keys as a precaution.

One more small note: Much has been said about a line of code in our XMPP library that supposedly is a sign of bad practice — this line is not used for anything security-sensitive. It is not a security weakness. It came as part of the third-party XMPP library that Cryptocat uses.

Finally, an apology: Bad bugs happen all the time in all projects. At Cryptocat, we’ve undertaken the difficult mission of trying to bridge the gap between accessibility and security. This will never be easy. We will always make mistakes, even ten years from now. Cryptocat is not any different from any of the other notable privacy, encryption and security projects, in which vulnerabilities get pointed out on a regular basis and are fixed. Bugs will continue to happen in Cryptocat, and they will continue to happen in other projects as well. This is how open source security works. We’ve added a bigger warning to our website about Cryptocat’s experimental status.

Every time there has been a security issue with Cryptocat, we have been fully transparent, fully accountable and have taken full responsibility for our mistakes. We will commit failures dozens, if not hundreds of times more in the coming years, and we only ask you to be vigilant and careful. This is the process of open source security. On behalf of the Cryptocat project, team members and volunteers, I apologize unreservedly for this vulnerability, and sincerely and deeply thank Steve Thomas for pointing it out. Without him, we would have been a lot worse off, and so would our users.

We are continuing in the process of auditing all aspects of Cryptocat’s development, and we assure our users that security remains something we are constantly focused on.

CryptoCat | Cryptocat Development Blog | 2013-07-04 12:04:48

Today, with Cryptocat nearing 65,000 regular users, the Cryptocat project releases “Cryptocat: Adopting Accessibility and Ease of Use as Security Properties,” a working draft which brings together the past year of Cryptocat research and development.

We document the challenges we have faced, both cryptographic and social, and the decisions we’ve taken in order to attempt to bring encrypted communications to the masses.

The full paper is available for download here from the public scientific publishing site, arXiv.


Excerpts of the introduction from our paper:

Cryptocat is a Free and Open Source Software (FL/OSS) browser extension that makes use of web technologies in order to provide easy to use, accessible, encrypted instant messaging to the general public. We aim to investigate how to best leverage the accessibility and portability offered by web technologies in order to allow encrypted instant messaging an opportunity to better permeate on a social level. We have found that encrypted communications, while in many cases technically well-implemented, suffer from a lack of usage due to their being unappealing and inaccessible to the “average end-user”.

Our position is that accessibility and ease of use must be treated as security properties. Even if a cryptographic system is technically highly qualified, securing user privacy is not achieved without addressing the problem of accessibility. Our goal is to investigate the feasibility of implementing cryptographic systems in highly accessible mediums, and to address the technical and social challenges of making encrypted instant messaging accessible and portable.

In working with young and middle-aged professionals in the Middle East region, we have discovered that desktop OTR clients suffer from serious usability issues which are sometimes further exacerbated due to language differences and lack of cultural integration (the technology was frequently described as “foreign”). In one case, an activist who was fully trained to use Pidgin-OTR neglected to do so citing usability difficulties, and as a direct consequence encountered a life-threatening situation at the hands of a national military in the Middle East and North Africa region.

These circumstances have led us to the conclusion that ease of use and accessibility must be treated as security properties, since their absence results in security compromises with consequences similar to the ones experienced due to cryptographic breaks.

Cryptocat is designed to leverage highly accessible mediums (the web browser) in order to offer an easy to use encrypted instant messaging interface accessible indiscriminately to all cultures, languages and age groups. Cryptocat clients are available as Free Software browser extensions written in JavaScript and HTML5.

CryptoCat | Cryptocat Development Blog | 2013-06-24 14:02:02

A frequent question we get here at Cryptocat is: “why don’t you add a buddy lists feature so I can keep track of whether my friends are on Cryptocat?” The answer: metadata.

If you’ve been following the news at all for the past week, you’d have heard of the outrageous reports of Internet surveillance on behalf of the NSA. While those reports suggest that the NSA may not have complete access to content, they still allow the agency access to metadata. If we were talking about phone surveillance, for example, metadata would be the time you made calls, which numbers you called, how long your calls have lasted, and even where you placed your calls from. This circumstantial data can be collected en masse to paint very clear surveillance pictures about individuals or groups of individuals.

At Cryptocat, we not only want to keep your chat content to yourself, but we also want to distance ourselves from your metadata. In this post we’ll describe what metadata you’re giving to Cryptocat servers, what’s done with it, and what parts of it can be seen by third parties, such as your Internet service provider. We assume we are dealing with a Cryptocat XMPP server with a default configuration, served over SSL.

Reminder: No software is likely to be able to provide total security against state-level actors. While Cryptocat offers useful privacy, we remind our users not to trust Cryptocat, or any computer software, with extreme situations. Cryptocat is not a magic bullet and does not protect from all threats.

Who has your metadata?


Cryptocat does not ever store your metadata or share it with anyone under any circumstances. Always be mindful of your metadata — it’s part of your privacy, too! For our default server, we also have a privacy policy, which we recommend you look over.

CryptoCat | Cryptocat Development Blog | 2013-06-08 17:46:54

OpenITP is happy to announce the hire of Nadim Kobeissi as Special Advisor starting in June 2013. Kobeissi is best known for starting Cryptocat, one of the world's most popular encrypted chat applications.

Based in Montreal, Kobeissi specializes in cryptography, user interfaces, and application development. He has done original research on making encryption more accessible across languages and borders, and improving the state of web cryptography. He has also led initiatives for Internet freedom and against Internet surveillance. He has a B.A. in Political Science and Philosophy from Concordia University, and is fluent in English, French, and Arabic.

As Special Advisor, Kobeissi will collaborate with OpenITP staff to improve and promote Cryptocat, advise on security and encryption matters, and organize developer meetings.

You can find him on @kaepora and @cryptocatapp

OpenITP | | 2013-05-30 19:58:46

Hacking to Empower Accessible Privacy Worldwide

Join us on August 17-18 for the Cryptocat Hackathon and help empower activists worldwide by improving useful tools and discussing the future of making privacy accessible. This two day event will take place at the OpenITP offices, located on 199 Lafayette Street, Suite 3b, New York City.

Cryptocat provides the easiest, most accessible way for an individual to chat while maintaining their privacy online. It is a free software that aims to provide an open, accessible Instant Messaging environment that encrypts conversations and works right in your browser.

Who Should Attend?

Hackers, designers, Internet freedom fighters, community organizers, and netizens. Essentially, anyone interested in empowering activists through these tools. While a big chunk of the work will focus on code, there are many other tasks available ranging from Q&A to communications.

For RSVP, please visit or email nadim AT crypto DOT cat,



10:00 Presentation of the projects

11:00 Brainstorm

12:00 Lunch

1:00 Hack

5:00pm End of Day


10:00-5:00pm Hacking


OpenITP | | 2013-05-30 15:38:05

Collateral Freedom: A Snapshot of Chinese Users Circumventing Censorship, just released today, documents the experiences of 1,175 Chinese Internet users who are circumventing their country’s Internet censorship—and it carries a powerful message for developers and funders of censorship circumvention tools. We believe these results show an opportunity for the circumvention tech community to build stable, long term improvements in Internet freedom in China.

This study was conducted by David Robinson, Harlan Yu and Anne An. It was managed by OpenITP, and supported by Radio Free Asia’s Open Technology Fund.

Read Report

The report found that the circumvention tools that work best for Chinese users are technologically diverse, but are united by a shared political feature: the collateral cost of choosing to block them is prohibitive for China’s censors. Survey respondents rely not on tools that the Great Firewall can’t block, but rather on tools that the Chinese government does not want the Firewall to block. Internet freedom for these users is collateral freedom, built on technologies and platforms that the regime finds economically or politically indispensable.

The most widely used tool in the survey—GoAgent—runs on Google’s cloud hosting platform, which also hosts major consumer online services and provides background infrastructure for thousands of other web sites. The Great Firewall sometimes slows access to this platform, but purposely stops short of blocking the platform outright. The platform is engineered in a way that limits the regime’s ability to differentiate between the circumventing activity it would like to prohibit, and the commercial activity it would like to allow. A blanket block would be technically feasible, but economically disruptive, for the Chinese authorities. The next most widely used circumvention solutions are VPNs, both free and paid—networks using the same protocols that nearly all the Chinese offices of multinational firms rely on to connect securely to their international headquarters. Again, blocking all traffic from secure VPNs would be the logical way to make censorship effective—but it would cause significant collateral harm.

Instead, the authorities steer a middle course, sometimes choosing to disrupt VPN traffic (and commerce) in the interest of censorship, and at other times allowing VPN traffic (and circumvention) in the interest of commerce. The Chinese government is implementing policies that will improve its ability to segment circumvention-related uses of VPNs from business-related uses, including heightened registration requirements for VPN providers and users.

Respondents to the survey were categorically more likely to rely on these commercially widespread technologies and platforms than they were to use special purpose anti-censorship systems with relatively little commercial footprint, such as Freegate, Ultrasurf, Psiphon, Tor, Puff or simple web proxies. Many of the respondents have used these non-commercial tools in the past—but most have now stopped. The most successful tools today don’t make the free flow of sensitive information harder to block—they make it harder to separate from traffic that the Chinese government wishes to allow.

The report found that most users of circumvention software are in what we call the “versatility-first” group: they seek a fast and robust connection, are willing to install and configure special software, and (perhaps surprisingly) do not base their circumvention decisions on security or privacy concerns. To the extent that circumvention software developers and funders wish to help these users, the study found that they should focus on leveraging business infrastructure hosted in relatively freedom respecting jurisdictions, because the Chinese government has greater reason to allow such infrastructure to operate.

The report provided five practical suggestions:

  1. Map the circumvention technologies and practices of foreign businesses in China.
  2. Engage with online platform providers who serve businesses in censored countries.
  3. Investigate the collateral freedom dynamic in other countries.
  4. Diversify development efforts to match the diversity of user needs.
  5. Make HTTPS a corporate social responsibility issue.


OpenITP | | 2013-05-20 15:49:52