Tor Updates in Cloak

Runa A Sandvik asked me a question on Twitter:

The answer to that question is a little too complex for Twitter, so I am going to respond to it here.

First of all, the firmware upgrade process has been described in detail in an earlier news post. While it is technically possible to upgrade individual packages in OpenWrt, there are a number of issues with that (a possible man-in-the-middle attack and dependency problems). The aforementioned news post also explains why we do not believe automatic updates would be a good idea.

As for maintaining Tor as part of the Cloak firmware build, there is currently not much maintenance to do. Tor compiles cleanly in the OpenWrt buildroot environment and needs no patching whatsoever to operate on the Cloak device. Provided the next version of Tor compiles cleanly, upgrading the Cloak firmware source will be a simple matter of updating a version number and an MD5 sum in a makefile (see our GitHub source here).
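The makefile change described above pins the upstream Tor tarball by version and digest, so the build only accepts the source the maintainer reviewed. The following is an added example (not Cloak's or OpenWrt's own code) that checks a tarball against the digest pinned in an OpenWrt-style package Makefile. The sample Makefile, version string and tarball bytes are constructed, and handling `PKG_HASH` (SHA-256, used by newer OpenWrt trees) goes beyond the MD5 case in the post.

```python
import hashlib
import re

# Constructed stand-ins: not Cloak's real Makefile, version or tarball.
SAMPLE_TARBALL = b"constructed stand-in for the tor source tarball\n"
SAMPLE_MAKEFILE = """\
PKG_NAME:=tor
PKG_VERSION:=0.0.0-example
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_MD5SUM:=%s
""" % hashlib.md5(SAMPLE_TARBALL).hexdigest()

ASSIGN = re.compile(r"^(PKG_[A-Z0-9_]+)[ \t]*:?=[ \t]*(.*?)[ \t]*$", re.M)
VAR_REF = re.compile(r"\$\((\w+)\)")


def parse_pkg_vars(makefile_text):
    """Collect PKG_* assignments and expand simple $(VAR) references."""
    raw = dict(ASSIGN.findall(makefile_text))

    def expand(value, depth=0):
        if depth > 8:  # guard against self-referential variables
            raise ValueError("variable expansion too deep")
        return VAR_REF.sub(
            lambda m: expand(raw.get(m.group(1), ""), depth + 1), value)

    return {name: expand(value) for name, value in raw.items()}


def verify_source(makefile_text, tarball_bytes):
    """Return (source_name, algorithm) if the tarball matches the pinned digest."""
    pkg = parse_pkg_vars(makefile_text)
    if "PKG_HASH" in pkg:        # SHA-256 pin, preferred when present
        algo, pinned = "sha256", pkg["PKG_HASH"]
    elif "PKG_MD5SUM" in pkg:    # MD5 pin, as described in the post
        algo, pinned = "md5", pkg["PKG_MD5SUM"]
    else:
        raise ValueError("Makefile pins no digest for the source tarball")
    actual = hashlib.new(algo, tarball_bytes).hexdigest()
    if actual != pinned.lower():
        raise ValueError("%s mismatch for %s" % (algo, pkg.get("PKG_SOURCE")))
    return pkg["PKG_SOURCE"], algo
```

MD5 no longer resists deliberate collisions, so a SHA-256 pin gives a stronger guarantee that the tarball fetched at build time is the one the version bump was reviewed against.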



I have actually just tried building Cloak with the latest release candidate based on tor- and that version still builds cleanly.

We are building OpenWrt itself directly from the Git source tree and always include the latest security updates.  This means that we will be releasing firmware updates for Cloak regularly.  The exact release cycle has not been determined yet, but personally I do imagine a rolling update system a bit like Debian – most probably a Stable build and a Daily (or Weekly) automated build.

I hope this post assures everybody who is concerned about stale firmware in Cloak that we will be actively updating and – perhaps most importantly – that there will be no need for a separate fork of the Tor software itself.

I am Lars from Bright Things UN Ltd. I am responsible for maintaining the Cloak firmware. My profile on .

3 comments on “Tor Updates in Cloak”
  1. DB says:

    Thanks for the assurance and comment on our recent post. Anonymity out of the box is a great concept. Here’s to the success of the Kickstarter!!

  2. Fake girl who is actually a dog but likes giraffes and only exists on the internet says:

    Sign all updates with your pub/priv key; this could help alleviate some grievances with people. If you had a radius server you could also include an RSS ticker that reminds people upon accessing their TOR network that they need to update.

    • The best approach is being discussed on the tor-talk mailing list at the moment. Two approaches are currently being considered. The first would be something along the lines of what you suggest – a captive portal kind of page displaying a warning with directions on how to update. The alternative would be to use the multi-coloured RGB on the device to flash a red warning if the device is not up to date and allow automatic upgrade with the press of a button. Of course the upgrade will be verifiable somehow – for example with a cert.
