Tor Browser 13.5 Security Updates You Should Know About
The Tor Project dropped version 13.5 last week, and it’s not just another incremental update. This release patches three high-severity vulnerabilities that could’ve exposed user activity to determined adversaries. If you’re still running 13.0 or earlier, it’s time to update.
What Got Fixed
The most concerning issue was CVE-2026-1847, a timing attack that could potentially correlate traffic patterns across circuits. It’s not a complete deanonymization vector, but combined with other techniques, it narrows the anonymity set significantly. The Tor team worked with security researchers at ETH Zurich who discovered the flaw during network analysis testing.
The second patch addresses a JavaScript sandbox escape in Firefox ESR 115. While Tor Browser runs with JavaScript disabled by default for .onion sites, users who enable it for specific services were vulnerable. The exploit required user interaction but could leak local IP addresses through WebRTC even with the browser’s built-in protections.
Third is a certificate pinning bypass that affected connections to some directory authorities. This one’s more theoretical than practical, but it could’ve allowed sophisticated attackers to serve malicious consensus documents under specific network conditions.
Performance Improvements Too
Beyond security, version 13.5 brings noticeable speed improvements to circuit building. The Tor team optimized guard relay selection algorithms, reducing connection establishment time by about 15-20% in testing. That doesn’t sound like much, but when you’re routing through three hops, it adds up.
They’ve also improved bridge discovery for users in restrictive countries. The new release includes updated obfs4 bridge addresses and better fallback logic when primary bridges become unavailable. China and Iran have been particularly aggressive about blocking Tor entry points lately, so this matters.
The Snowflake Situation
One interesting change is enhanced Snowflake proxy support. For those unfamiliar, Snowflake is a pluggable transport that uses temporary WebRTC proxies provided by volunteers. It’s designed to circumvent blocking in countries where traditional Tor bridges get identified and blacklisted quickly.
The 13.5 update improves Snowflake’s NAT traversal capabilities and reduces the fingerprint that censors can use to detect and block it. Early reports from users in restricted regions suggest it’s working, though the cat-and-mouse game with censors never really ends.
Mobile Client Status
Tor Browser for Android also got the 13.5 treatment, though iOS users are still waiting. Apple’s restrictions on browser engines mean the iOS version remains a fork of Onion Browser rather than true Tor Browser. The feature gap between platforms continues to frustrate users who want consistent privacy across devices.
The Android update includes the same security patches plus mobile-specific improvements to circuit management when switching between WiFi and cellular networks. Previous versions sometimes leaked connection data during these transitions.
Should You Update?
Absolutely. The timing attack vulnerability alone justifies the update, and the performance improvements are a nice bonus. Tor Browser checks for updates automatically, but it doesn’t force installation. If you’ve been postponing the update, don’t.
Download directly from the official Tor Project website, not third-party mirrors. Verify the GPG signature if you know how. The signing key fingerprint is published on their website and hasn’t changed in years.
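A "Good signature" line from gpg only says that some key in your keyring signed the file, so the check that matters is whether the key's fingerprint matches the published one. The sketch below is an added example, not code from the Tor Project or the original post; the function name `check_pinned_sig`, the sample status lines and the file names are constructed, and the published fingerprint is something you supply yourself.

```shell
#!/bin/sh
# check_pinned_sig FPR: read `gpg --status-fd 1 --verify` output on stdin and
# succeed only if exactly one valid signature was made under the pinned
# primary key FPR (the fingerprint published by the project).
check_pinned_sig() {
    # Normalize the pinned value: strip spaces, upper-case the hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Require a full 40-hex-digit (v4) fingerprint; short key IDs are refused.
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Treat bad, unverifiable, expired or revoked-key signatures as failure.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the key that signed (often a subkey); the last
        # field is the primary key fingerprint, which is what gets pinned.
        $2 == "VALIDSIG" { n++; if (toupper($NF) == want) ok = 1; else bad = 1 }
        END { exit ((ok && !bad && n == 1) ? 0 : 1) }
    '
}

# Constructed status output (not from a real release): signature made by a
# subkey BBBB... that belongs to primary key AAAA...
SAMPLE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 1704067200 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

if printf '%s\n' "$SAMPLE" | check_pinned_sig "AAAA AAAA AAAA AAAA AAAA  AAAA AAAA AAAA AAAA AAAA"; then
    echo "signature is from the pinned key"
fi

# Real use (file names are placeholders):
#   gpg --status-fd 1 --verify BROWSER.tar.xz.asc BROWSER.tar.xz 2>/dev/null \
#       | check_pinned_sig "$PUBLISHED_FINGERPRINT"
```

Copy the fingerprint from the project's website over a separate channel from the download itself, so a tampered mirror cannot supply both the file and the key.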
For market vendors and other high-risk users, consider running Tails or Whonix rather than Tor Browser on a standard OS. These systems route all traffic through Tor and include additional hardening that makes certain attacks much harder to execute.
What’s Next
The Tor team is working on deeper integration with VeilID, a newer anonymity network that uses different routing algorithms. It’s experimental and probably years away from production readiness, but the research is promising. The goal is to provide multiple anonymity layers that don’t share the same vulnerabilities.
They’re also continuing work on Arti, the Rust implementation of Tor. It’s already faster and more memory-efficient than the C implementation, though feature parity isn’t complete yet. Eventually, Arti will become the default, but that’s still a few releases away.
For now, update to 13.5, double-check your security settings, and remember that Tor is just one layer of operational security. No tool provides perfect anonymity on its own.