As always, download links are at https://cryptostorm.is/connect.html. Anyone using v1.20 or later should automatically see a notification that this new version is available the next time they run the widget.
The only changes in this version are to the "nostun.bat" file. Previously, we were doing IP based blocking to stop the STUN leak. But as it's been pointed out, anyone could run their own STUN server to bypass it. Now "nostun.bat" blocks the STUN port instead to prevent the leak.
Here's the release notes for the previous versions:
v2.2:
This is a quick bugfix (or rather, "feature modification") release. The DNS leak prevention feature that was added in the last version (the same one from dnsleaktest.com) doesn't always work. The problem is with systems that have multiple internet-capable interfaces: that fix would only apply to one interface, so with more than one some leaking would still occur. Now, just after connecting and right before it minimizes, the widget runs `netsh interface ipv4 show dnsserv` to list all the interfaces and their DNS servers. If an interface's DNS servers are statically set or set by DHCP to any DNS server other than the ones sent by cryptostorm, they'll be changed to the cryptostorm DNS servers. And yes, when you disconnect/exit from the widget, there's also code there that will return the DNS settings of the modified interfaces to whatever they were before.
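The per-interface check described above, sketched as an added example (not the widget's own code): it parses English-locale `netsh interface ipv4 show dnsservers` output and builds the commands to apply the VPN resolver and later restore the original settings. The sample output, the 10.0.0.53 resolver and the function names are constructed placeholders.

```python
import re

# Constructed sample of `netsh interface ipv4 show dnsservers` output (English Windows).
SAMPLE = '''
Configuration for interface "Ethernet"
    DNS servers configured through DHCP:  192.168.1.1

Configuration for interface "Wi-Fi"
    Statically Configured DNS Servers:    8.8.8.8
                                          8.8.4.4

Configuration for interface "TAP"
    Statically Configured DNS Servers:    10.0.0.53
'''
VPN_DNS = ["10.0.0.53"]  # placeholder resolver, not a real cryptostorm address

IFACE = re.compile(r'^Configuration for interface "(.+)"\s*$')
HEAD = re.compile(r'^\s+(Statically Configured DNS Servers|DNS servers configured through DHCP):\s*(.*)$')
ADDR = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$')

def parse(text):
    """Map interface name -> (source, servers); source is 'static' or 'dhcp'."""
    found, name = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            name = m.group(1)
        elif name and (m := HEAD.match(line)):
            source = "static" if m.group(1).startswith("Statically") else "dhcp"
            first = ADDR.match(m.group(2))          # value may be "None"
            found[name] = (source, [first.group(1)] if first else [])
        elif name in found and (m := ADDR.match(line)):
            found[name][1].append(m.group(1))       # continuation line
    return found

def static_cmds(name, servers):
    cmds = [f'netsh interface ipv4 set dnsservers name="{name}" source=static address={servers[0]} validate=no']
    return cmds + [f'netsh interface ipv4 add dnsservers name="{name}" address={s} index={i} validate=no'
                   for i, s in enumerate(servers[1:], start=2)]

def plan(text, vpn_dns):
    """Return (apply, restore) command lists for interfaces not using vpn_dns."""
    apply, restore = [], []
    for name, (source, servers) in parse(text).items():
        if not servers or servers == vpn_dns:
            continue                                # nothing to leak or already correct
        apply += static_cmds(name, vpn_dns)
        restore += (static_cmds(name, servers) if source == "static" else
                    [f'netsh interface ipv4 set dnsservers name="{name}" source=dhcp'])
    return apply, restore
```

The restore list has to be captured before any change is applied, since a DHCP-assigned interface cannot be told apart from a static one once it has been overwritten.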
Only other thing added to this version is a new option under the "Startup" tab that allows you to disable the startup splash screen if you need to.
v2.01:
And now, for our anniversary version of the widget, v2.2 "Narwhal".
A lot of changes in this version. First of all, security features. Now under the Options window there's a new "Security" tab. Under there you can disable IPv6 when the widget is on CS. There's also a "DNS leak prevention" option in there that uses the automatic fix from dnsleaktest.com. Then there's another new one, "STUN/WebRTC leak prevention". See http://torrentfreak.com/huge-security-f ... es-150130/ for information. Note that some Windows software based firewalls prevent the STUN/WebRTC leak prevention from working. It's strongly recommended that you disable any of those programs when using the widget.
Another new tab in the Options window is "Connecting". Under here you can specify any port (1-65534) or protocol (TCP or UDP) to use to connect to cryptostorm. This feature has been enabled server-side for some time now, but before the only way to use it with the widget was to manually edit the config files.
A lot of bug fixes are included in this version as well. Some of them are threading related, some of them are fixes for obscure crashes that rarely happen. For example, if a connection isn't made within 30 seconds, the widget would show an error then attempt a reconnect but sometimes it would crash instead of reconnecting. Too many other minor bugfixes to list.
The TAP driver is now installed by the Inno Studio compiled setup.exe ("cstorm_setup.exe") as well as verified by the widget just before connecting. We're pretty sure that will fix the "zombie TAP" issue some people have been having in Windows 7/8/8.1.
Another new feature is that all the English words/sentences that exist in the widget are now written in the source code as elements in a single array near the top of the script. The reason for this is to make it much easier for people in the community to provide translations of the widget.
v1.23:
Finally, here's v2.01 of the widget, code named "Narwhal". For any other additional 2.x sub-versions we will continue to use that code name (i.e., "v2.02 Narwhal", "v2.25 Narwhal" etc.). When 3.x comes around, we'll switch to another code name.
The most obvious new feature in this version is support for our free VPN service named "Cryptofree". You can use it by selecting "Cryptofree" from the drop down server/node list in the widget. The only limitation is that bandwidth will be capped. Other than that, it's unlimited usage, no time limits or anything silly like that. As for the security, it will be the exact same high grade we use on all the paid nodes (firewalls blocking anything but the VPN, custom kernel with grsec, etc.).
One minor feature added is some signal catching code that will notify you if another program tries to close the widget.
Also, there was a minor bug in previous versions where, when upgrading, your token and other settings would get lost after the upgrade. Plus the upgrade would sometimes fail if you ran it while the widget was still running. Now your token and settings will be copied to the windows temp dir (as defined by the %TEMP% environment variable) before the upgrade, then restored from that temp dir after the upgrade completes. If you upgrade from within the widget (i.e., click "Yes" on the window that notifies you that there's a new widget version available), the widget will now exit afterwards to solve that problem where the upgrade would fail because the previous widget is still running. If you manually download the installation file and run it, it will try to kill the widget process to solve the same problem.
Another change is that we've switched from the NSIS installer (http://nsis.sourceforge.net/Main_Page) to the Inno Setup installer (http://www.jrsoftware.org/isinfo.php). The main reason for this switch is because the NSIS installer's "uninstall.exe" file is falsely identified as malicious by a few obscure AV products, probably because a few worms/trojans have used NSIS in the past. The Inno ones aren't identified as malicious by any of the AV products used by http://virusscan.jotti.org/ or https://www.virustotal.com/, so no more confusion there. Inno is also open source, and just as well known in the community as the Nullsoft one. You can view the source code at https://github.com/jrsoftware/issrc.
Yet another fix was actually noticed and almost fixed in v1.23. Regarding the Windows 8/8.1 TAP-Win32 bug mentioned in the v1.23 notes below, the widget fix was looking for "Initialization Complete With Errors" to recognize the bug. Turns out the text the widget should have been looking for is "Initialization Completed With Errors" (was missing the "d" in "Completed"). So that fix is functional now.
Some code was also added where, if a successful connection is not made in 30 seconds, it will continue to try reconnecting indefinitely.
I've been told that not everyone reads the message boxes that the widget sometimes pops up (like "Authorization failed"), so code was added that will show the text "Connected" in a big green font in the log window so nobody mistakes their connection state. Also a big red "Disconnected" when you disconnect. Makes it a lot easier to notice whether you're connected or not. Other miscellaneous warnings use a yellow text.
And of course, the OpenVPN binary has been updated to the latest 2.3.5 (changelog available at https://community.openvpn.net/openvpn/w ... nOpenvpn23), and the OpenSSL DLLs upgraded to the latest v1.0.1j (security advisory at https://www.openssl.org/news/secadv_20141015.txt).
v1.22:
This version is to fix a potentially serious bug that exists in Windows 8/8.1 that affects the TAP-Win32 driver. The widget would look for the text "Initialization Sequence Complete" in the OpenVPN output to determine whether or not a successful OpenVPN session was started. If a system was running Windows 8/8.1, the TAP driver wouldn't always initialize correctly. If this happens, the widget would incorrectly state that you were "connected to the cryptostorm darknet", when you actually weren't. OpenVPN outputs "Initialization Sequence Complete With Errors" in that instance, which would pass the widget's regular expression check for "Initialization Sequence Complete". So now in this fixed version, if "Initialization Sequence Complete With Errors" is detected, the user will be alerted and the connection will be halted.
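The false-positive match described here, together with the related note about "Completed With Errors" earlier on this page, as an added example rather than the widget's code: an unanchored pattern reports a connection on the error line, while the stricter check tests the error marker first and fails closed. The log lines are constructed, and the error pattern accepts each spelling quoted in these notes.

```python
import re

# Constructed OpenVPN log lines (not captured from a real session).
OK_LOG = [
    "Thu Jan 01 00:00:01 2015 TAP-WIN32 device [Local Area Connection 2] opened",
    "Thu Jan 01 00:00:06 2015 Initialization Sequence Completed",
]
BAD_LOG = [
    "Thu Jan 01 00:00:01 2015 TAP-WIN32 device [Local Area Connection 2] opened",
    "Thu Jan 01 00:00:36 2015 Initialization Sequence Completed With Errors",
]

# Unanchored success pattern: also matches the start of the error message.
NAIVE = re.compile(r"Initialization Sequence Complete")

# Hardened: the error marker is its own pattern, and success must end the line.
ERRORS = re.compile(r"Initialization (?:Sequence )?Completed? With Errors")
SUCCESS = re.compile(r"Initialization Sequence Completed\s*$")


def naive_state(lines):
    """Behaviour the notes describe as the bug: any match means connected."""
    return "connected" if any(NAIVE.search(l) for l in lines) else "connecting"


def strict_state(lines):
    """Check the error marker first so a broken TAP init never reads as connected."""
    state = "connecting"
    for line in lines:
        if ERRORS.search(line):
            return "failed"      # fail closed: alert the user and halt
        if SUCCESS.search(line):
            state = "connected"
    return state


if __name__ == "__main__":
    for label, log in (("ok", OK_LOG), ("bad", BAD_LOG)):
        print(label, naive_state(log), strict_state(log))
```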
Another new feature is that the widget will now only allow one instance to be run at a time.
Also, the OpenSSL .dll's that come with the widget have been updated to the latest version (1.0.1j). The TAP-Win32 drivers included have also been updated to the latest version to attempt to automatically fix the aforementioned Windows 8/8.1 bug.
v1.21:
This is mainly a bug fix release. There was a problem several users were having that was related to the server-side "reneg-sec" option. The nodes have "reneg-sec 1200" which means renegotiate the session every 20 minutes. A bug in the widget was causing the openvpn output to stop once connected and minimized, and when this renegotiation tried to happen, it wouldn't since the output wasn't being processed. After 60 seconds or so, the server-side would timeout the session since it didn't receive anything from the client. This would cause the user to lose all connectivity to everything. It's fixed in v1.22; now the widget will continue to monitor the openvpn output even when minimized.
Oh yea, and there was also a tiny bit of code added that causes the widget version to be shown on the splash screen and in the options menu.
The main feature in this version is an option that'll check for updates on widget startup (enabled by default).
Also, I completely rewrote most of the threading code, and did a lot of CPU monitoring during development and the only time I saw a spike was the second or two between when the widget executes OpenVPN and when it waits for its output. Once OpenVPN is executed I never saw the CPU go above 12%. In the previous 1.10 version, once connected and minimized, the widget would continue an unnecessary while loop that was the main cause for the CPU spikes everyone was seeing. In v1.21, some code was added that'll stop most widget code if the main window is minimized to the system tray (since the widget won't be necessary until its window is brought back up from the systray since OpenVPN is doing all the work), so nobody should be experiencing any more CPU lag from the widget. Also, the "Find node with lowest users" button/feature was removed, and the "Find node with quickest reply" button's threading code was rewritten to prevent another heavy CPU usage thread that kept running after the Options window was closed.
For about a day, there was a version 1.20 but a silly bug was quickly discovered in it where tokens wouldn't work but hashes would. It's fixed now in v1.21, and also in this version you can use your token to login or the sha512 hash of the token.