Compatible operating systems: Windows, CPU: Intel x86 and x64
(Windows 98 SE / ME / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / 7 SP1 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / 8 / 10 / Server 2012 / Hyper-V Server 2012)
There’s a new alpha release available for download. If you build Tor from source, you can download the source code for 0.3.5.6-rc from the download page on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release by early February.
Remember, this is an alpha release: you should only run this if you’d like to find and report more bugs than usual.
Tor 0.3.5.6-rc fixes numerous small bugs in earlier versions of Tor. It is the first release candidate in the 0.3.5.x series; if no further huge bugs are found, our next release may be the stable 0.3.5.x.
Changes in version 0.3.5.6-rc – 2018-12-18
Minor features (continuous integration, Windows):
Always show the configure and test logs, and upload them as build artifacts, when building for Windows using Appveyor CI. Implements 28459.
Minor features (fallback directory list):
Replace the 150 fallbacks originally introduced in Tor 0.3.3.1-alpha in January 2018 (of which ~115 were still functional), with a list of 157 fallbacks (92 new, 65 existing, 85 removed) generated in December 2018. Closes ticket 24803.
Minor features (geoip):
Update geoip and geoip6 to the December 5 2018 Maxmind GeoLite2 Country database. Closes ticket 28744.
Minor bugfixes (compilation):
Add missing dependency on libgdi32.dll for tor-print-ed-signing-cert.exe on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha.
Minor bugfixes (continuous integration, Windows):
Explicitly specify the path to the OpenSSL library and do not download OpenSSL from Pacman, but instead use the library that is already provided by AppVeyor. Fixes bug 28574; bugfix on master.
Minor bugfixes (onion service v3):
When deleting an ephemeral onion service (DEL_ONION), do not close any rendezvous circuits, so that existing client connections can finish by themselves or be closed by the application. HS v2 already does this, so now we have the same behavior for all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.
Minor bugfixes (restart-in-process, bootstrap):
Add missing resets of bootstrap tracking state when shutting down (regression caused by ticket 27169). Fixes bug 28524; bugfix on 0.3.5.1-alpha.
Minor bugfixes (testing):
Use a separate DataDirectory for the test_rebind script. Previously, this script would run using the default DataDirectory, and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha. Patch from Taylor R Campbell.
Stop leaking memory in an entry guard unit test. Fixes bug 28554; bugfix on 0.3.0.1-alpha.
Minor bugfixes (Windows):
Correctly identify Windows 8.1, Windows 10, and Windows Server 2008 and later from their NT versions. Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
On recent Windows versions, the GetVersionEx() function may report an earlier Windows version than the running OS. To avoid user confusion, add “[or later]” to Tor’s version string on affected versions of Windows. Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
Remove Windows versions that were never supported by the GetVersionEx() function. Stop duplicating the latest Windows version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
Testing:
Increase logging and tag all log entries with timestamps in test_rebind.py. Provides diagnostics for issue 28229.
Code simplification and refactoring (shared random, dirauth):
Change many tor_assert() to use BUG() instead. The idea is to not crash a dirauth but rather scream loudly with a stacktrace and let it continue running. The shared random subsystem is very resilient, and if anything goes wrong with it, at worst a non-coherent value will be put in the vote and discarded by the other authorities. Closes ticket 19566.
Documentation (onion services):
Document in the man page that changing ClientOnionAuthDir value or adding a new file in the directory will not work at runtime upon sending a HUP if Sandbox 1. Closes ticket 28128.
Note in the man page that the only real way to fully revoke an onion service v3 client authorization is by restarting the tor process. Closes ticket 28275.
This release features important security updates to Firefox and updates OpenSSL to 1.0.2q for our desktop platforms.
The most exciting news, however, compared to the alpha release early last week, comes from progress we made on our mobile builds. Tor Browser 8.5a6 is the first version that is built reproducibly for Android devices and is localized in all locales the desktop platforms support.
Moreover, we added an updated donation banner for our year-end donation campaign.
Known Issues:
This release is only supported on armv7 devices (most Android phones and tablets); x86 devices (such as Chromebooks) are not supported yet, even if the Google Play Store suggests otherwise.
Downloading files on newer Android devices crashes Tor Browser. We are currently reviewing a potential fix.
Tor Browser 8.0.4 contains updates to Tor (0.3.4.9), OpenSSL (1.0.2q) and other bundle components. Additionally, we backported a number of patches from our alpha series where they got some baking time. The most important ones are
a defense against protocol handler enumeration which should enhance our fingerprinting resistance,
enabling Stylo for macOS users by bypassing a reproducibility issue caused by Rust compilation and
setting back the sandboxing level to 5 on Windows (the Firefox default), after working around some Tor Launcher interference causing a broken Tor Browser experience.
Moreover, we ship an updated donation banner for our year-end donation campaign.
./u1807a -help shows the usage:
Usage of ./u1807a:
-L string
listen address (default “127.0.0.1:9666”)
-M string
“vpn”: turn on VPN mode
-P string
http or sock proxy, example: 1.2.3.4:8080 or socks://1.2.4.4:1080 or socks5://1.2.3.4:1080 or socks=1.2.3.4:1080
-S string
“safe”: turn on VPN safe mode, when exit, do not restore routing until reboot
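An investigation by Metric Labs found that roughly 60% of the popular free VPN apps in the Google Play Store and Apple Store are developed by Chinese developers or owned by Chinese nationals. The finding has raised data-privacy concerns. The researchers analysed the top 20 free VPN apps in the Google and Apple app stores, most of which have more than 1 million downloads; as shown in the figure, more than half are owned by Chinese developers. In addition, these free VPNs offer essentially no privacy protection and very little user support. User data passing through these VPNs may be logged, and in the worst case the data may be handed over to the Chinese government.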
We have a new stable release today. If you build Tor from source, you can download the source code for Tor 0.3.4.9 from the download page on the website. Packages should be available within the next several weeks, with a new Tor Browser by mid-December.
Tor 0.3.4.9 is the second stable release in its series; it backports numerous fixes, including a fix for a bandwidth management bug that was causing memory exhaustion on relays. Anyone running an earlier version of Tor 0.3.4.9 should upgrade.
Changes In Version 0.3.4.9 – 2018-11-02
Major bugfixes (compilation, backport from 0.3.5.3-alpha):
Fix compilation on ARM (and other less-used CPUs) when compiling with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
Make sure Tor bootstraps and works properly if only the ControlPort is set. Prior to this fix, Tor would only bootstrap when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
Major bugfixes (relay, backport from 0.3.5.3-alpha):
When our write bandwidth limit is exhausted, stop writing on the connection. Previously, we had a typo in the code that would make us stop reading instead, leading to relay connections being stuck indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix on 0.3.4.1-alpha.
Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
Fix a use-after-free error that could be caused by passing Tor an impossible set of options that would fail during options_act(). Fixes bug 27708; bugfix on 0.3.3.1-alpha.
Minor features (continuous integration, backport from 0.3.5.1-alpha):
Don’t do a distcheck with --disable-module-dirauth in Travis. Implements ticket 27252.
Only run one online rust build in Travis, to reduce network errors. Skip offline rust builds on Travis for Linux gcc, because they’re redundant. Implements ticket 27252.
Skip gcc on OSX in Travis CI, because it’s rarely used. Skip a duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on Linux with default settings, because all the non-default builds use gcc on Linux. Implements ticket 27252.
Minor features (continuous integration, backport from 0.3.5.3-alpha):
Use the Travis Homebrew addon to install packages on macOS during Travis CI. The package list is the same, but the Homebrew addon does not do a `brew update` by default. Implements ticket 27738.
Minor features (geoip):
Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 Country database. Closes ticket 27991.
Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
Fix an integer overflow bug in our optimized 32-bit millisecond-difference algorithm for 32-bit Apple platforms. Previously, it would overflow when calculating the difference between two times more than 47 days apart. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
Improve the precision of our 32-bit millisecond difference algorithm for 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
Relax the tolerance on the mainloop/update_time_jumps test when running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix on 0.3.4.1-alpha.
Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
Avoid undefined behavior in an end-of-string check when parsing the BEGIN line in a directory object. Fixes bug 28202; bugfix on 0.2.0.3-alpha.
Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha):
Only install the necessary mingw packages during our appveyor builds. This change makes the build a little faster, and prevents a conflict with a preinstalled mingw openssl that appveyor now ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.
Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
Rewrite our assertion macros so that they no longer suppress the compiler’s -Wparentheses warnings. Fixes bug 27709; bugfix
Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
Stop reinstalling identical packages in our Windows CI. Fixes bug 27464; bugfix on 0.3.4.1-alpha.
Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
Log additional info when we get a relay that shares an ed25519 ID with a different relay, instead of making a BUG() warning. Fixes bug 27800; bugfix on 0.3.2.1-alpha.
Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
Avoid a double-close when shutting down a stalled directory connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
Fix a bug warning when closing an HTTP tunnel connection due to an HTTP request we couldn’t handle. Fixes bug 26470; bugfix on 0.3.2.1-alpha.
Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
Ensure circuitmux queues are empty before scheduling or sending padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
When the onion service directory can’t be created or has the wrong permissions, do not log a stack trace. Fixes bug 27335; bugfix on 0.3.2.1-alpha.
Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
Close all SOCKS requests (for the same .onion) if the newly fetched descriptor is unusable. Before that, we would close only the first one, leaving the others hanging until they timed out by themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha.
Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
When selecting a v3 rendezvous point, don’t only look at the protover, but also check whether the curve25519 onion key is present. This way we avoid picking a relay that supports the v3 rendezvous but for which we don’t have the microdescriptor. Fixes bug 27797; bugfix on 0.3.2.1-alpha.
Minor bugfixes (protover, backport from 0.3.5.3-alpha):
Reject protocol names containing bytes other than alphanumeric characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha.
Minor bugfixes (rust, backport from 0.3.5.1-alpha):
Compute protover votes correctly in the rust version of the protover code. Previously, the protover rewrite in 24031 allowed repeated votes from the same voter for the same protocol version to be counted multiple times in protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc.
Reject protover names that contain invalid characters. Fixes bug 27687; bugfix on 0.3.3.1-alpha.
Minor bugfixes (rust, backport from 0.3.5.2-alpha):
protover_all_supported() would attempt to allocate up to 16GB on some inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on 0.3.3.5-rc.
Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
Fix an API mismatch in the rust implementation of protover_compute_vote(). This bug could have caused crashes on any directory authorities running Tor with Rust (which we do not yet recommend). Fixes bug 27741; bugfix on 0.3.3.6.
Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
Fix a potential null dereference in protover_all_supported(). Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
Return a string that can be safely freed by C code, not one created by the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix on 0.3.3.1-alpha.
Minor bugfixes (testing, backport from 0.3.5.1-alpha):
If a unit test running in a subprocess exits abnormally or with a nonzero status code, treat the test as having failed, even if the test reported success. Without this fix, memory leaks don’t cause the tests to fail, even with LeakSanitizer. Fixes bug 27658; bugfix on 0.2.2.4-alpha.
Minor bugfixes (testing, backport from 0.3.5.3-alpha):
Make the hs_service tests use the same time source when creating the introduction point and when testing it. Now tests work better on very slow systems like ARM or Travis. Fixes bug 27810; bugfix on 0.3.2.1-alpha.
Minor bugfixes (testing, to appear in 0.3.5.4-alpha):
Treat backtrace test failures as expected on BSD-derived systems (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. (FreeBSD failures have been treated as expected since 18204 in 0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.
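The protover entries in the 0.3.4.9 changelog above (bugs 27316 and 27687 on protocol names, 27649 on repeated votes, 27206 on oversized allocation) come down to three input-handling rules. The sketch below is an added illustration, not Tor's source: it parses protocol lists of the form `Name=1,3-5`, and `MAX_EXPAND`, the function names and the sample votes are assumptions of this example.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Assumption of this example: one vote may expand to at most this many versions.
const MAX_EXPAND: u64 = 1 << 16;
type Protos = BTreeMap<String, BTreeSet<u32>>;

/// Protocol names may contain only [A-Za-z0-9-].
pub fn valid_name(name: &str) -> bool {
    !name.is_empty() && name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
}

fn num(s: &str) -> Result<u32, String> {
    if s.is_empty() || !s.bytes().all(|b| b.is_ascii_digit()) {
        return Err(format!("bad version {:?}", s));
    }
    s.parse::<u32>().map_err(|e| e.to_string())
}

/// Parse "Name=1,3-5 Other=2", checking each range's width before expanding it.
pub fn parse_entry(s: &str) -> Result<Protos, String> {
    let mut out = Protos::new();
    let mut budget = MAX_EXPAND;
    for item in s.split_whitespace() {
        let (name, versions) = item.split_once('=').ok_or("missing '='")?;
        if !valid_name(name) {
            return Err(format!("invalid protocol name {:?}", name));
        }
        let set = out.entry(name.to_string()).or_default();
        for part in versions.split(',') {
            let (lo, hi) = match part.split_once('-') {
                Some((a, b)) => (num(a)?, num(b)?),
                None => (num(part)?, num(part)?),
            };
            // Reject before allocating: "1-4294967295" must not be materialised.
            if lo > hi || u64::from(hi - lo) + 1 > budget {
                return Err(format!("bad or oversized range {:?}", part));
            }
            budget -= u64::from(hi - lo) + 1;
            set.extend(lo..=hi); // a set, so repeats within one vote collapse
        }
    }
    Ok(out)
}

/// Versions listed by at least `threshold` voters; each voter counts once per
/// version. Unparseable votes are skipped (a choice made for this example).
pub fn compute_vote(votes: &[&str], threshold: usize) -> Protos {
    let mut counts: BTreeMap<(String, u32), usize> = BTreeMap::new();
    for entry in votes.iter().filter_map(|v| parse_entry(v).ok()) {
        for (name, versions) in entry {
            for v in versions {
                *counts.entry((name.clone(), v)).or_insert(0) += 1;
            }
        }
    }
    let mut out = Protos::new();
    for ((name, v), n) in counts {
        if n >= threshold {
            out.entry(name).or_default().insert(v);
        }
    }
    out
}

fn main() {
    // Constructed sample votes; the second voter repeats Link=1 four times.
    let votes = ["Link=1-3 Cons=1", "Link=1,1,1 Link=1 Cons=1-2", "Link=2-3"];
    println!("{:?}", compute_vote(&votes, 2));
}
```

With a threshold of 3 the same votes yield nothing, because the second voter's repeated `Link=1` still counts as a single vote.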
Moreover, we backport a defense against protocol handler enumeration developed by Mozilla engineers.
Unfortunately, in this release we are temporarily introducing a regression due to a potential proxy-bypass bug within some versions of Android. Tor Browser for Android will not download a website’s “favicon” in this release (the small image shown beside the title of the webpage in the list of tabs). From our investigation into this bug, we found Android versions before Android Oreo (Android version 7 and earlier, API level 25 and earlier) leak some information about which webpage the browser is loading. This was corrected in newer versions of Android, however this temporary regression is necessary because it is likely most users have an older version of Android, and there may be other bugs we haven’t discovered yet. One bug in the Android networking code is one bug too many. We are working on a new way of downloading these icons.
The full changelog since Tor Browser for Android 1.0a2 is:
Update Firefox to 60.3.0esr
Update Torbutton to 2.1.1
Update HTTPS Everywhere to 2018.9.19
Backport of fixes for bug 1448014, 1458905, 1441345, and 1448305
Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
Bug 28125: Prevent proxy-bypass bug by Android networking library
Highlights in Tor Browser 8.5a4 are a new Tor alpha version, 0.3.5.3-alpha, a fixed layout of our macOS installer window and Stylo (Mozilla’s new CSS engine) being enabled on macOS after fixing a reproducibility issue. Please report any problems you find with those macOS related changes as we think about backporting them for the stable series.
Moreover, we backport a defense against protocol handler enumeration developed by Mozilla engineers and provide Tor Browser on all supported platforms in four additional locales: cs, el, hu, and ka.
Note: It turned out it was a bit premature to ship the new locales as we did not catch bugs in them last minute, so we don’t make them available on our download page. Sorry for the inconvenience.
Update October 2018: As many of you know, China has already cracked down on VPNs throughout the first
half of 2018 after doing so multiple times over the past couple years. Not only
that, but the Chinese government threatened to ban
all non-state sanctioned VPNs. Obviously, that hasn’t happened (I’m
using a VPN to write this). So what’s the deal? Do the best
VPNs for China still work? As an expat who has spent
over a decade in China, I’d like to offer my thoughts and
recommendations.
Sadly, FarWestChina has been unreliably accessible here
in China since 2009, blocked by the “Great Firewall” (i.e. China’s censorship).
I have no idea why it was blocked – other than the fact that I’m talking about
Xinjiang, one of the most sensitive regions in China – and there’s nothing I can
do to unblock the site. Trust me, I’ve tried everything short
of knocking on a government official’s door.
The only way I’ve been able to work on this site from
my home here in China is through what is known as a VPN,
or a Virtual Private Network.
Because I have over 8 years of first-hand
experience with over 20 different VPN services, I get more than a few
emails every month from people asking me what I recommend as
the best VPN for China in 2018. It’s an obvious need for anybody living in
China but more and more people are realizing that online security is something
netizens in every country should consider.
I’m not trying to hard-sell anybody here…more than
anything I just want to provide some helpful information for those people
who need to get a new VPN. A few of the links here and in the video are
affiliate links which means that at
no additional cost to you I will be compensated if you purchase the
service. I have continually used each of these services from my home here
in China over the past year, so I’m confident about my
recommendations.
When it comes to the best
VPNs for China, I’ve given you three ways to hear my thoughts: watch
the video, check out the comparison chart or read my personal reviews for each VPN
below.
Best VPNs for China | Video Review
Click below to hear my thoughts and see each of these
best VPNs for China in action.
*Both ExpressVPN and NordVPN offer generous 30-day
money back guarantees. **VyprVPN and PureVPN offer 7-day and 14-day money back
guarantees respectively.
As I mentioned in the video above, there are
literally hundreds of
VPNs to choose from on the market and there are quite a few good ones that
didn’t make this list.
These, however, have stood the test of time (they are
all at least 5 years old), have made a specific effort to reach the China
market, all offer hundreds of servers across the globe and they all have
unlimited bandwidth.
ExpressVPN in China (Editor’s Choice + 3 Free months)
ExpressVPN is
my go-to VPN for China 2018. I’m a huge fan of their overall design – the
website, desktop app and mobile app are all beautiful, quick to install and easy
to use.
I always recommend ExpressVPN to
anybody I know who doesn’t consider themselves tech-savvy for a couple of
reasons.
It’s super easy to set up!
Their software is some of the best in the
industry.
They offer a no-hassle, 30-day money back
guarantee.
For those who desire simplicity and ease, ExpressVPN
has been a solid option here in China for the past few years. You
can check out their pricing here and
if you use this link (which is an affiliate link), they’ll give
you 3 months free on any annual plan!
NordVPN has
been a surprise addition to my VPN arsenal over the past year. They’ve purposefully
entered the China market and are aggressively tackling the blocking issues that
plague all the best VPNs in China.
There are a number of reasons I’ve come to like the
NordVPN software and service.
The software is well-designed, both on computers &
mobile devices.
They allow 6 simultaneous connections (most VPNs give
3-5)
They also offer a no-nonsense, 30-day money back
guarantee.
In many cases, I often tell people to purchase both
ExpressVPN and NordVPN (I have both) to figure out which one works best in your
China location. Best of all, right now they’re running a special where you can
get 66% off a 2-year plan with NordVPN.
I was turned on
to VyprVPN a
couple years ago and have been incredibly impressed with the transparency of the
company (just compare their about page with any other VPN).
Here’s what I love about VyprVPN:
Proprietary “Chameleon” protocol for added
security
Simple-to-use software
A 3-day FREE trial (but no 30-day money back
guarantee)
VyprVPN has been around since 2009 but their parent
company, GoldenFrog, has been around for more than a decade providing online
services. I’ve spoken at length with some of their representatives and really
like their focus on the China market, which is comforting considering how much
the Chinese internet landscape changes.
If all of this sounds good to you, they have given me a
special link that will allow you to give them a try for free for 3
days and then get 68% off their 2-year plan.
PureVPN is another popular option here in
China. They boast over 1 million users world-wide and their market share in
China seems to be growing at a rapid pace.
While I wasn’t a big fan of their software at first,
thankfully they have since updated the design and it functions much better.
Their speeds are excellent and I found them to be the best in terms of streaming
– at least for me out here in western China.
What you might find useful is their “Server Selection
Tool” where you tell the software what you want to do (download, stream US
content, stream UK content, etc) and it will tell you which servers best suit
your needs.
I’ve been
a 12VPN customer
since 2013 and in many ways it’s been my go-to VPN on my phone.
Why? It’s
simple and it just works…every time.
The software isn’t flashy and they don’t have a
dedicated iPhone or Android app but setup for both was an easy download of
one file that took me all of 5 minutes.
One of the things I’ve truly appreciated about 12VPN is
their commitment to communication. I get periodic emails informing me of changes
in the VPN and changes in the Great Firewall. For example, last year one of
the submarine cables that connects Asia with North America was severed. Out of
the 10 VPNs I had running at the time, 12VPN was the only one that let me know
what was happening and why I should expect slower speeds on the Los Angeles
servers.
In addition to VPN services, 12VPN is also one of the
few companies that offers SmartDNS as part of their package. I won’t go into
details about what SmartDNS is, but suffice to say I use it
to watch Netflix on my Apple TV in
China and it is so
much faster than connecting on a VPN.
Best of all, I have a 12VPN
Discount Code that you can use! Just enter FWC10 to
get 10% off your order.
Here’s the thing about the relationship between China
and VPNs – China is always making changes that affect the landscape of VPN use
within the country. If the VPN you choose doesn’t devote resources to adapt
to these changes, that spells trouble for you.
This rules out most small VPN services such
as Buffered or
all the free services such as Hotspot
Shield. Neither seem to have the manpower or resources to play the
constant game of cat and mouse with China’s internet censors. I’ve had a
difficult time connecting to their servers from within China.
Finally, despite its popularity in China, I
personally don’t recommend Astrill
VPN. My biggest problem was their customer support but the deal breaker
was that they require users to provide their phone number for authentication. In
China, that kind of connection between my VPN and my phone number is a big
no-no.
Conclusion | Best VPN for China 2018
So that about covers it! Obviously there are plenty of
VPN services which have been left out of this list, but I stand by the fact that
if you’re coming to Asia, these are the best
VPNs for China in 2018.
If you’re here in China and using a VPN, leave a
comment below to let me know what you use.