Updates from the Tor Project

Tor Project blog Official channel for news and updates from the Tor Project

  • New Release: Tor Browser 13.0.14
    by richard on April 16, 2024 at 12:00 am

    Tor Browser 13.0.14 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox.

    Send us your feedback

    If you find a bug or have a suggestion for how we could improve this release, please let us know.

    Full changelog

    The full changelog since Tor Browser 13.0.13 is:

    All Platforms
      • Updated Tor to 0.4.8.11
      • Bug tor-browser#41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a defense-in-depth
      • Bug tor-browser#42335: Do not localize the order of locales for app lang
      • Bug tor-browser#42428: Timezone offset leak via document.lastModified
      • Bug tor-browser#42472: Timezone may leak from XSLT Date function
      • Bug tor-browser#42508: Rebase Tor Browser stable onto 115.10.0esr

    Windows + macOS + Linux
      • Updated Firefox to 115.10.0esr
      • Bug tor-browser#42172: browser.startup.homepage and TOR_DEFAULT_HOMEPAGE are ignored for the new window opened by New Identity
      • Bug tor-browser#42236: Let users decide whether to load their home page on new identity.
      • Bug tor-browser#42468: App languages not sorted correctly in stable

    Linux
      • Bug tor-browser-build#41110: Avoid Fontconfig warning about “ambiguous path”

    Android
      • Updated GeckoView to 115.10.0esr
      • Bug tor-browser#42509: Backport Android security fixes from Firefox 125

    Build System

    All Platforms
      • Updated Go to 1.21.8
      • Bug tor-browser-build#41107: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo for new type of URL
      • Bug tor-browser-build#41122: Add release date to rbm.conf

    Android
      • Bug tor-browser-build#40992: Updated torbrowser_version number is not enough to change firefox-android versionCode number

    Tags: applications, releases

  • Code audit for censorship circumvention tools completed by Cure53
    by gaba on April 10, 2024 at 12:00 am

    Since 2021, the Tor Project has been working on a project entitled “Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet”, which aimed at improving the use of Tor in the China region. We had the following goals for this project:

      • Implement new pluggable transports and add more bridges that are harder for censors to block.
      • Improve the bridge distribution systems so that it’s harder for censors to learn and block bridges, while making it easier for users to get them.
      • Update a diverse set of proven open source circumvention applications so they are compatible with new bridges and censorship resistance/detection techniques.
      • Surge adoption through the deployment of region-specific localization, outreach, and distribution efforts for target users.

    This project allowed us to release:

      • Webtunnel, a new pluggable transport designed to mimic encrypted traffic.
      • Lox, a privacy preserving reputation-based bridge distribution system that is being integrated into Tor Browser.
      • RDSys, a new distribution system for bridges that is replacing BridgeDB.
      • A new feature in Tor Browser, called Connection Assist, that makes censorship circumvention easier for users.
      • OnionShare, a secure and anonymous productivity and privacy suite built on Tor allowing users to share files, host websites, and chat with friends, available for desktop and mobile devices.
      • Improvements on OnionShare for Desktop

    In January 2024 we contracted Cure53 to audit all the code that was changed or created during this project. The security audit helps uncover vulnerabilities produced through these changes in the software. We are happy to report that all the vulnerabilities that were uncovered have already been mitigated. For more details and information please access the complete audit report.

    We would like to thank Cure53 for an excellent and professional audit, as well as the U.S. State Department Bureau of Democracy, Human Rights, and Labor (DRL) for sponsoring this project.

    Tags: reports, applications, circumvention

  • Surveillance as a Service: The Global Impact of Israeli “Defense” Technologies on Privacy and Human Rights
    by Esra’a Al Shafei, Falastine Saleh on April 8, 2024 at 12:00 am

    Highlighting, exposing, and actively working against the proliferation and normalization of surveillance technology is crucial in protecting human rights worldwide. At the Tor Project, we know that it is through collective awareness and action that we can all build and contribute to privacy-preserving technologies that aim to protect people everywhere from the prevalence of surveillance and oppression. It is equally important to hold companies accountable and recognize the source and enablers of surveillance tech, especially now as we see these technologies being aggressively utilized in the ongoing genocide in Gaza. This post delves into the impact of Israeli surveillance technologies in Palestine, illustrating how localized instances of its use can have extensive repercussions that pave the way for the widespread acceptance and global adoption of such oppressive practices.

    There is a growing need for a global stance against the use of technology for oppression. Tech workers and the broader international community are urged to prioritize integrity over profit to protect privacy and prevent the deleterious impacts of pervasive surveillance on our lives. There is even more urgency to address these issues in the face of growing demand for surveillance solutions enhanced and exacerbated by AI.

    Global Surveillance and Oppression

    The examples below demonstrate the alarming sophistication of surveillance capitalism and its increasingly global footprint. They also explore how Israeli spyware and surveillance companies navigate global scrutiny by rebranding and establishing offices worldwide, all while a network of venture capital firms facilitate their operations and help them avoid much needed accountability.

    Elbit Systems is a leading military tech exporter in Israel, specializing in various advanced surveillance technologies, terrifyingly deployed in space, air, sea and ground operations.
Its surveillance systems, drones, and other high-tech tools, which are used to enforce violent occupations and apartheid, are in high demand worldwide. This pervasive surveillance technology doesn’t end in Palestine, but it often starts with it.  Since at least 2014, Elbit Systems has been deploying these tools at the U.S Southern Border as well as in the UAE and UK. Some of these deals occur via a subsidiary of Elbit Systems of America called Kollsman Inc, which is involved in a controversial death of an employee during a work trip to Saudi Arabia. These relationships are further strengthened through VC investments. The UAE invested at least $100 million in Israeli VC firms, which is not surprising, considering it is a longtime customer of its spyware tools. An Israeli owned company, for example, is behind Abu Dhabi’s mass surveillance system, in a contract worth $600m. Dubai also operates a back-channel for Arab countries who wish to deploy Israeli surveillance technologies through a local entity called Black Wall Global, which is led by Israeli intelligence veterans.  In similarly structured deals, Israeli companies like IntuView have contracts with Saudi Arabia for efforts that include scanning Saudi citizens’ data. Its advisory board consists of a former head of Mossad and a former director of the CIA. The technology is becoming increasingly advanced and appealing to authoritarian governments. Israel, with the assistance of U.S companies, is deploying robots equipped with numerous sensors and cameras to surveil buildings and open spaces. AI-based systems like “The Gospel” largely consist of drone footage, intercepted communications, surveillance data and information drawn from monitoring the movements and behavior patterns of individuals and large groups to create bombing targets.  
In a similar setup, through “Lavender”, Israel is using AI to detect assassination targets with little human oversight through information collected via mass surveillance of Gaza residents. The report highlights how many of these attacks result in the mass killing of civilians and entire families, often in their own homes.  Spyware has always been a highly lucrative and increasingly prominent business in Israel. Citizen Lab has spent years uncovering sophisticated spyware from Israeli companies like NSO, which contracts with governments with a long history of imprisoning, murdering and silencing dissidents and surveilling civil society organizations, including Saudi Arabia, Bahrain and the UAE. These governments normalize relations with Israel largely to facilitate access to such technologies, which they then deploy to oppress their own citizens. Israel-based Voyager Labs actively marketed and sold surveillance tools which have been used to profile and intimidate journalists and activists, including by Colombian military intelligence. They recently moved their headquarters to the U.S. to continue building such tools with a team of “world-class AI researchers.” U.S.-Israeli company Verint, whose products include surveillance cameras and analysis software to monitor and analyze large voice and video data sets, had sold their technology to repressive regimes in Azerbaijan, Indonesia, South Sudan, Uzbekistan and Kazakhstan. Among the uses of their tools is the violent crackdown on LGBTQ+ communities and human rights activists. These companies don’t operate alone. When facing scrutiny or exposure, they spin off new entities, often with the backing of venture capital firms that are equally complicit. Verint, for example, spun off a separate company called Cognyte to continue its lucrative deals, which an Israeli human rights lawyer says was “aiding and abetting crimes against humanity.” A New York-based hedge fund, Edenbrook Capital, is among its largest shareholders.  
Another and more recent example is Dream Security from the former CEO of Pegasus Software. Their latest round was raised in a deal that was co-led with Los Angeles-based VC firm Group 11. This demonstrates a troubling cycle of evasion.  Corsight, an Israeli company, has been using facial recognition and Google Photos to conduct mass surveillance of Palestinians without their knowledge or consent. To date, Google has declined to answer, despite prohibiting their tech in being used for “immediate harm.” Apart from being an egregious privacy violation, the technology also misidentifies people, putting their lives at risk. Canadian-Israeli VC firm, AWZ ventures, is among its lead investors. Their tools are also deployed by the U.S. Department of Homeland Security for facial recognition purposes. AnyVision, an Israeli company with an international presence, is behind “advanced tactical surveillance” software used to monitor the movements of Palestinians. Its CEO is a former operating partner at SoftBank’s investment arm, which co-led a large fundraising round for the company alongside Eldridge, an American holding company headquartered in Connecticut. A few months after the extent of their surveillance systems were exposed in U.S schools, they rebranded to Oosto and resumed operations. One of the most prominent examples of these collaborations remains Palantir, which also continues to win major contracts with the UK government and various U.S agencies, most recently the U.S army on an AI-powered targeting system, and who will once again supply its surveillance products to Israel in a new “strategic partnership.”  The global market for “Border Security Technologies” is projected to exceed $70 billion by 2027, up from $48 billion in 2022. The significant growth in this market is partly attributed to the increasing adoption of AI-integrated surveillance towers, made possible by Israeli companies who test repressive technologies on Palestinians. 
    This practice allows Israel to refine and demonstrate the effectiveness of its products in real scenarios, making them more appealing to international buyers, who, again, are often equally oppressive regimes with horrific human rights records. As shown above, these technologies, initially used to enforce violent occupation, apartheid, and genocide have found a lucrative global market, stretching far beyond the confines of Palestine.

    Antony Loewenstein, author of The Palestine Laboratory, notes to Tor: “Since 7 October, 2023, Israel has been live-testing new weapons in Gaza including drones, quadcopters, facial recognition tools and surveillance tech. The aim isn’t just to kill Palestinians indiscriminately in Gaza but sell these weapons of war to a global market. AI-enabled warfare is a key selling point for the Israeli state and its private backers. What starts in Palestine never stays there.”

    Building a Culture of Accountability

    The export of military systems by Israel reveals a harrowing journey of surveillance technologies from local deployments in Palestine to worldwide distribution, with a disturbing and alarming trend of normalization and acceptance of the grave human rights violations that are committed in the process of their creation and testing. The complicity of venture capital in the proliferation of such technologies highlights the intricate web of interests that prioritize power and profit over basic human rights. This is your reminder that standing against surveillance that continues to engulf us all is a global responsibility. There needs to be a consistent and immediate call to action for tech workers, companies, civil society organizations, and the global community at large to stand firm in our commitment to human rights and privacy. We must hold companies accountable, dissect and expose the origins of surveillance technologies, and resist their normalization.
    We applaud the companies and civil society organizations who have joined the No Tech For Apartheid campaign, including the many who risked their employment to do so, and urge others to join in this crucial effort. As many tech workers also have investment portfolios, we highly recommend that you align your investments with your values. This is one free screening tool you can use to ensure you’re not profiting off of weapons manufacturers, illegal occupations, apartheid, genocide and border militarization, all of which use intense surveillance that enables the perpetration of war crimes.

    Tags: human rights

  • Arti 1.2.1 is released: onion services development
    by nickm on April 2, 2024 at 12:00 am

    Arti is our ongoing project to create a next-generation Tor client in Rust. Now we’re announcing the latest release, Arti 1.2.1.

    This release continues development on onion services, and adds several important security features. More such improvements are on the way. See doc/OnionService.md for instructions and caveats about running onion services with Arti today. This release also adds support for unmanaged pluggable transports.

    For more information on using Arti, see our top-level README, and the documentation for the arti binary.

    Thanks to everybody who’s contributed to this release, including Alexander Færøy, Jim Newsome, Tobias Stoeckmann, and trinity-1686a. Also, our deep thanks to Zcash Community Grants and our other sponsors for funding the development of Arti!

    Tags: announcements

  • New Alpha Release: Tor Browser 13.5a6
    by richard on March 28, 2024 at 12:00 am

    Tor Browser 13.5a6 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox.

    We would like to thank the following community members for their contributions to this release:

      • RustyBird for their fix for tor-browser-build#41110

    If you would like to contribute, our contributor guide can be found here.

    Letterboxing Improvements and Configuration Options

    Over the past month we have merged various usability improvements and configuration options for the new letterboxing UX. In about:preferences#general one may now configure some aspects of the letterbox behaviour, including whether the content area floats in the center of the window or is snapped to the browser chrome at the top. We also implemented a somewhat hidden feature which will allow you to remove the extra spacing when you resize the window by double-clicking within the letterbox gutter area. This will snap the whole window down to the size required by the content.

    Native Android Connect-Assist

    We have continued improving our connect-assist implementation on Android. This has included backend work continuing to improve and generalise the low-level systems used by both Desktop and Android versions, and frontend work re-implementing the same flow, configuration options, and error handling presently found in the Desktop frontend. We have also started refactoring the various Tor configuration related menus, and the Tor Logs are once again accessible using the native ux by navigating to Settings > Connection > Tor Logs.

    Please give the new systems a go by navigating to Settings > Connection > Enable beta connection features and toggling Enable beta connection features and selecting Native Android UI.

    Known Issues

    We still have a lot of work to do, bugs to fix, and general polish to apply. We currently have one known issue whereby manually enabling bridges in the Config Bridge menu usually fails to stick after navigating away from that menu. This issue is being tracked in tor-browser#42486.

    Connect-Assist Backend Work

    As mentioned in the previous section, we have been iteratively improving the connect-assist backend code which is used on both Desktop and Android. If you are a Desktop user we would appreciate you verifying that your bootstrapping experience is unchanged between releases, particularly if you have any custom configuration or settings.

    Localisation Updates

    We have been developing several improvements to our localisation pipelines and we have been merging patches which remove legacy ‘dtd’-based translation strings and migrate to the modern ‘fluent’ system used by modern Firefox. End-users should not see any changes as a result of these changes. Please keep an eye out for any broken strings or translation regressions and report any issues you may find!

    Send us your feedback

    If you find a bug or have a suggestion for how we could improve this release, please let us know.

    Full changelog

    The full changelog since Tor Browser 13.5a5 is:

    All Platforms
      • Bug tor-browser#41114: Fix no-async-promise-executor on TorConnect
      • Bug tor-browser#41676: Set privacy.resistFingerprinting.testing.setTZtoUTC as a defense-in-depth
      • Bug tor-browser#42336: Review the relationship between TorSettings and the TorProvider
      • Bug tor-browser#42428: Timezone offset leak via document.lastModified
      • Bug tor-browser#42435: Update moat domain fronting configuration
      • Bug tor-browser#42437: Drop “torbrowser.version” preference
      • Bug tor-browser#42444: Remove the “Prioritize .onion sites when known” option
      • Bug tor-browser#42449: Rebase Tor Browser alpha onto Firefox 115.9.0esr
      • Bug tor-browser#42459: Add startpage onion service to list of search providers
      • Bug tor-browser#42466: Drop the “Onion Logo” from trademark statement
      • Bug tor-browser#42472: Timezone May leak from XSLT Date function
      • Bug tor-browser#42473: ESR 115.9.1 fixes
      • Bug tor-browser#42481: Modularize SecurityLevel
      • Bug tor-browser-build#41105: Bump version of snowflake to v2.9.2

    Windows + macOS + Linux
      • Updated Firefox to 115.9.0esr
      • Bug tor-browser#41916: Letterboxing preferences UI
      • Bug tor-browser#41918: Add option to reuse last window size when letterboxing is enabled
      • Bug tor-browser#42203: Fluent migration: about dialog
      • Bug tor-browser#42209: Fluent migration: tor circuit
      • Bug tor-browser#42211: Fluent migration: new identity
      • Bug tor-browser#42214: Fluent migration: security level
      • Bug tor-browser#42236: Let users decide whether to load their home page on new identity.
      • Bug tor-browser#42443: Shrink the window to match letterboxing size when the empty area is double-clicked
      • Bug tor-browser#42446: Improve accessible descriptions in built-in dialog
      • Bug tor-browser#42458: Update the “Submit Feedback” link in “About Tor Browser”

    Windows
      • Bug tor-browser#42377: Hidden fonts are automatically added to the allow list

    Linux
      • Bug tor-browser#42438: Adapt the data import wizard to use the original $HOME on Linux
      • Bug tor-browser-build#41110: Avoid Fontconfig warning about “ambiguous path”

    Android
      • Updated GeckoView to 115.9.0esr
      • Bug tor-browser#41187: Improve Android’s bridge settings UI
      • Bug tor-browser#42427: Do not ship bridges as preferences anymore

    Build System

    All Platforms
      • Updated Go to 1.21.8
      • Bug tor-browser-build#41102: src archive does not match likely due to mismatched xz-utils version
      • Bug tor-browser-build#41107: Update download-unsigned-sha256sums-gpg-signatures-from-people-tpo for new type of URL
      • Bug rbm#40073: We should remove ./ when using 7-zip for zip files

    Windows + macOS + Linux
      • Bug tor-browser#42305: (Semi-)Automatically merge translation resources across tor browser releases (desktop)
      • Bug tor-browser-build#41088: Remove use of projects/browser/run_scripts

    Windows
      • Bug tor-browser-build#41097: authenticode-timestamping.sh fails to run again because tmp-timestamp already exists

    Android
      • Bug tor-browser#40502: Do not recommend addons on Tor Browser
      • Bug tor-browser-build#41082: Package tor expert bundle on android as .aar that firefox-android can use in lieu of tor-android-service with geckoview bootstrap

    Tags: applications, releases

  • New Release: Tor Browser 13.0.13
    by richard on March 22, 2024 at 12:00 am

    Tor Browser 13.0.13 is now available from the Tor Browser download page and also from our distribution directory. This is an unscheduled emergency release with important security updates to Firefox for Desktop platforms. Android is unaffected.

    Send us your feedback

    If you find a bug or have a suggestion for how we could improve this release, please let us know.

    Full changelog

    The full changelog since Tor Browser 13.0.12 is:

    Windows + macOS + Linux
      • Updated Firefox to 115.9.1esr
      • Bug tor-browser#42473: ESR 115.9.1 fixes
      • Bug tor-browser#42474: Rebase stable browsers on 115.9.1

    Tags: applications, releases

  • New Release: Tor Browser 13.0.12
    by boklm on March 19, 2024 at 12:00 am

    Tor Browser 13.0.12 is now available from the Tor Browser download page and also from our distribution directory. This version includes important security updates to Firefox.

    Removal of automatic .onion site prioritization

    The Tor Project has recently been notified of a potential fingerprinting vulnerability with automatic Onion-Location redirects. In an abundance of caution, we have removed the ‘prioritize .onion sites when known’ option from Tor Browser. We are looking further into this issue and will provide timely updates as more research and additional recommendations become available.

    Send us your feedback

    If you find a bug or have a suggestion for how we could improve this release, please let us know.

    Full changelog

    The full changelog since Tor Browser 13.0.11 is:

    All Platforms
      • Updated Snowflake to 2.9.2
      • Bug tor-browser#42376: The placeholder of datetime inputs keeps being localized when spoof English is on
      • Bug tor-browser#42378: spoof english + htmlform <details> can leak app language
      • Bug tor-browser#42444: Remove the “Prioritize .onion sites when known” option
      • Bug tor-browser#42448: Rebase Tor Browser stable onto Firefox 115.9.0esr
      • Bug tor-browser#42459: Add startpage onion service to list of search providers
      • Bug tor-browser-build#41105: Bump version of snowflake to v2.9.2

    Windows + macOS + Linux
      • Updated Firefox to 115.9.0esr

    Windows
      • Bug tor-browser#42377: Hidden fonts are automatically added to the allow list

    Android
      • Updated GeckoView to 115.9.0esr
      • Bug tor-browser#42407: TTP-03-010 WP3: Potential phishing

    Build System

    All Platforms
      • Updated Go to 1.21.8
      • Bug tor-browser-build#41102: src archive does not match likely due to mismatched xz-utils version

    Tags: applications, releases

  • Hiding in plain sight: Introducing WebTunnel
    by shelikhoo, ggus on March 12, 2024 at 12:00 am

    Today, March 12th, on the World Day Against Cyber Censorship, the Tor Project’s Anti-Censorship Team is excited to officially announce the release of WebTunnel, a new type of Tor bridge designed to assist users in heavily censored regions to connect to the Tor network. Available now in the stable version of Tor Browser, WebTunnel joined our collection of censorship circumvention tech developed and maintained by The Tor Project.

    The development of different types of bridges is crucial for making Tor more resilient against censorship and staying ahead of adversaries in the highly dynamic and ever-changing censorship landscape. This is especially true as we’re going through the 2024 global election megacycle, the role of censorship circumvention tech becomes crucial in defending Internet Freedom.

    If you’ve ever considered becoming a Tor bridge operator to help others connect to Tor, now is an excellent time to get started! You can find the requirements and instructions for running a WebTunnel bridge in the Tor Community portal.

    What is WebTunnel and how does it work?

    WebTunnel is a censorship-resistant pluggable transport designed to mimic encrypted web traffic (HTTPS) inspired by HTTPT. It works by wrapping the payload connection into a WebSocket-like HTTPS connection, appearing to network observers as an ordinary HTTPS (WebSocket) connection. So, for an onlooker without the knowledge of the hidden path, it just looks like a regular HTTP connection to a webpage server giving the impression that the user is simply browsing the web.

    In fact, WebTunnel is so similar to ordinary web traffic that it can coexist with a website on the same network endpoint, meaning the same domain, IP address, and port. This coexistence allows a standard traffic reverse proxy to forward both ordinary web traffic and WebTunnel to their respective application servers. As a result, when someone attempts to visit the website at the shared network address, they will simply perceive the content of that website address and won’t notice the existence of a secret bridge (WebTunnel).

    Comparing WebTunnel to obfs4 bridges

    WebTunnel can be used as an alternative to obfs4 for most Tor Browser users. While obfs4 and other fully encrypted traffic aim to be entirely distinct and unrecognizable, WebTunnel’s approach to mimicking known and typical web traffic makes it more effective in scenarios where there is a protocol allow list and a deny-by-default network environment.

    Consider a network traffic censorship mechanism as a coin sorting machine, with coins representing the flowing traffic. Traditionally, such a machine checks if the coin fits a known shape and allows it to pass if it does or discards it if it does not. In the case of fully encrypted, unknown traffic, as demonstrated in the published research How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic, which doesn’t conform to any specific shape, it would be subject to censorship. In our coin analogy, not only must the coin not fit the shape of any known blocked protocol, it also needs to fit a recognized allowed shape–otherwise, it would be dropped. Obfs4 traffic, being neither a match for any known allowed protocol nor a text protocol, would be rejected. In contrast, WebTunnel traffic resembling HTTPS traffic, a permitted protocol, will pass.

    If you want to learn more about bridges, different designs and how they work, check out our video series.

    How to use a WebTunnel Bridge?

    🌉 Step 1 – Getting a WebTunnel bridge

    At the moment, WebTunnel bridges are only distributed via the Tor Project bridges website. We plan to include more distributor methods like Telegram and moat.

      • Using your regular web browser, visit the website: https://bridges.torproject.org/options
      • In “Advanced Options”, select “webtunnel” from the dropdown menu, and click on “Get Bridges”.
      • Solve the captcha.
      • Copy the bridge line.

    💻 Step 2 – Download and install Tor Browser for Desktop

    Note: WebTunnel bridges will not work on old versions of Tor Browser (12.5.x).

      • Download and install the latest version of Tor Browser for Desktop.
      • Open Tor Browser and go to the Connection preferences window (or click on “Configure Connection”).
      • Click on “Add a Bridge Manually” and add the bridge lines provided on Step 1.
      • Close the bridge dialog and click on “Connect.”
      • Note any issues or unexpected behavior while using WebTunnel.

    📲 Or Download and install Tor Browser for Android

      • Download and install the latest version of Tor Browser for Android.
      • Run Tor Browser and choose the option to configure a bridge.
      • Select “Provide a Bridge I know” and enter the provided bridge addresses.
      • Tap “OK” and, if everything works well, it will connect.

    ✍️ Step 3 – Share feedback with us

    Your feedback is crucial to help us identify any issues and ensure the reliability of WebTunnel bridges. For users living in censored regions, we would love to hear how this new bridge’s performance compares to other circumvention methods such as obfs4 and Snowflake.

    Thank you to all the volunteers who have contributed to making WebTunnel possible

    The more tools we have at our disposal, the better we will be able to target our response, keeping censors at bay and enabling millions of users to access the free and open internet. We first announced this new bridge type in October 2023 with a call for testers asking Tor users for whom it was safe to use WebTunnel to provide feedback. So many of you sprang into action and we received a lot of feedback, both public and private, that allowed us to make numerous stability improvements to WebTunnel.

    Right now, there are 60 WebTunnel bridges hosted all over the world, and more than 700 daily active users using WebTunnel on different platforms. However, while WebTunnel works in regions like China and Russia, it does not currently work in some regions in Iran.

    Our goal is to ensure that Tor works for everyone. Amid geopolitical conflicts that put millions of people at risk, the internet has become crucial for us to communicate, to witness and share what is happening around the world, to organize, to defend human rights, and to build solidarity. That is why our community’s volunteer contributions are vital. Remember, there are many ways to get engaged: You can run more bridges, Snowflake proxies and relays to continue our fight against censorship and for free and open access to the unrestricted internet.

    Tags: circumvention, human rights, announcements
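
The coin-sorting analogy and the shared-endpoint design from the WebTunnel post above, as an added example that is not part of the original post and is not Tor Project code: a toy first-packet sorter run with and without deny-by-default, plus the path dispatch a reverse proxy performs behind the TLS layer. The fingerprints, function names, sample bytes and `SECRET_PATH` are assumptions made for illustration.

```python
"""Toy model of the coin-sorting analogy and of a shared WebTunnel endpoint.

Illustrative only: the fingerprints are simplified, the sample payloads are
constructed (not captured traffic), and SECRET_PATH is a placeholder.
"""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

# --- constructed first-packet samples -------------------------------------
# Start of a TLS ClientHello: record type 0x16, version 3.1, length 512,
# handshake type 0x01. An HTTPS-based transport shows this to an observer.
TLS_CLIENT_HELLO = bytes.fromhex("160301020001") + bytes(58)
# Stand-in for a fully encrypted stream: no header, mostly non-printable.
FULLY_ENCRYPTED = bytes((i * 167 + 13) % 256 for i in range(64))
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
SMTP_HELLO = b"EHLO mail.example.com\r\n"

SECRET_PATH = "/PLACEHOLDER-secret-path"  # placeholder, not a real bridge path


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0x20..0x7E)."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def identify(data: bytes) -> str:
    """Name the 'shape' of a flow from its first bytes."""
    if len(data) >= 6:
        rec_type, major, minor, length = struct.unpack("!BBBH", data[:5])
        if (rec_type == 0x16 and major == 0x03 and minor <= 0x04
                and 0 < length <= 16384 and data[5] == 0x01):
            return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    if printable_ratio(data) > 0.5:
        return "text"          # some plaintext protocol
    return "unknown"           # no recognisable shape at all


def sort_coin(data: bytes, blocked: set, allowed: set,
              deny_by_default: bool) -> str:
    """Return 'pass' or 'drop' for one flow.

    blocked          shapes that are always dropped
    allowed          shapes that are always passed
    deny_by_default  what happens to a shape in neither set
    """
    shape = identify(data)
    if shape in blocked:
        return "drop"
    if shape in allowed:
        return "pass"
    return "drop" if deny_by_default else "pass"


def route(request_path: str, secret_path: str = SECRET_PATH) -> str:
    """Reverse-proxy dispatch on the shared domain, IP and port.

    Only a request for the hidden path reaches the bridge; every other
    request is served by the ordinary website.
    """
    return "webtunnel-bridge" if request_path == secret_path else "website"


def demo() -> dict:
    """Run each sample through both kinds of sorting machine."""
    policy = dict(blocked={"ssh"}, allowed={"tls", "http", "text"})
    samples = {"tls": TLS_CLIENT_HELLO, "encrypted": FULLY_ENCRYPTED,
               "ssh": SSH_BANNER, "smtp": SMTP_HELLO}
    return {name: (sort_coin(data, deny_by_default=False, **policy),
                   sort_coin(data, deny_by_default=True, **policy))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (open_net, allow_list_net) in demo().items():
        print(f"{name:10s} default-allow={open_net:5s} "
              f"deny-by-default={allow_list_net}")
    print(route("/index.html"), route(SECRET_PATH))
```

Only the unrecognised, fully encrypted sample changes verdict when the machine switches to deny-by-default, which is the case the post describes for obfs4.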

  • New Release: Tor Browser 13.0.11
    by richard on March 6, 2024 at 12:00 am

    Tor Browser 13.0.11 is now available from the Tor Browser download page and also from our distribution directory. This is an emergency release which updates the domain fronting configuration for the Snowflake pluggable transport and the moat connection to the rdsys backend used by the censorship circumvention system.

    A known issue is that the source archives do not match likely due to a change in xz-utils (the underlying source in the archive is identical, only the compressed archive differs). This is not considered a blocker for this release and is being tracked here: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41102

    Send us your feedback

    If you find a bug or have a suggestion for how we could improve this release, please let us know.

    Full changelog

    The full changelog since Tor Browser 13.0.10 is:

    All Platforms
      • Bug tor-browser#42435: Update moat domain fronting configuration

    Build System

    All Platforms
      • Bug tor-browser-build#41085: kick_devmole_build script prints wrong URL for Mullvad’s build hashes
      • Bug tor-browser-build#41097: authenticode-timestamping.sh fails to run again because tmp-timestamp already exists

    Tags: applications, releases

  • Arti 1.2.0 is released: onion services development
    by gabi on March 4, 2024 at 12:00 am

    Arti is our ongoing project to create a next-generation Tor client in Rust. Now we’re announcing the latest release, Arti 1.2.0.

    In Arti 1.2.0, trying out onion services will hopefully be a smoother experience. We have fixed a number of bugs and security issues, and have made the onion-service-service feature non-experimental.

    We have begun design work on some of the onion service security features on our roadmap, such as the memory DoS prevention subsystem, and the connection bandwidth rate-limiter. In addition, we have scoped the remaining work for supporting hidden service client authorization, which will be implemented in a future release.

    This release also fixes a low severity security issue: the relay message handling code was not rejecting empty DATA messages, which could be used to inject an undetected traffic signal. This issue is tracked as TROVE-2024-001.

    There are still some rough edges and missing security features, so we don’t (yet) recommend Arti onion services for production use, or for any purpose that requires privacy.

    For instructions on how to run an onion service in Arti, see our work-in-progress HOWTO document. We hope to make these instructions simpler and better as our implementation improves.

    For full details on what we’ve done, and for information about many smaller and less visible changes as well, please see the CHANGELOG. In the next releases, we will focus on implementing the missing security features and on improving stability.

    For more information on using Arti, see our top-level README, and the documentation for the arti binary.

    Thanks to everybody who’s contributed to this release, including Alexander Færøy, Jim Newsome, Tobias Stoeckmann, and trinity-1686a. Also, our deep thanks to Zcash Community Grants and our other sponsors for funding the development of Arti!

    Tags: announcements
