Tor Browser 7.0.1 is released

by boklm | June 13, 2017

Tor Browser 7.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 7.0 series, updating Firefox to 52.2.0esr, Tor to 0.3.0.8, and HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying freezing of Tor Browser which is due to a NoScript bug and made the security slider window slightly larger.

Here is the full changelog since 7.0:

  • All Platforms
    • Update Firefox to 52.2.0esr
    • Update Tor to 0.3.0.8
    • Update Torbutton to 1.9.7.4
      • Bug 22542: Security Settings window too small on macOS 10.12
    • Update HTTPS-Everywhere to 5.2.18
    • Bug 22362: NoScript's XSS filter freezes the browser
  • OS X
    • Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

Comments

Please note that the comment area below has been archived.

June 15, 2017

In reply to by portugal (not verified)

Permalink

TOR is by far one of the best internet tools i have ever come across, thank you guys, keep up the good work.

Tor Browser looks and feels just like Firefox, because it is modification of Firefox. So why use Tor Browser instead of "plain vanilla" Firefox? There are many reasons, but two of the most important reasons why "TB is for everyone" are that:

o TB offers strong (but by no means perfect or perfectly assured) anonymity, preventing your ISP and other actors--- or rather the behavioral predictive analysis software run by their corporate clients which are continually analyzing the "data exhaust" constantly emitted by unprotected citizens--- from learning every detail of our private lives, and using the information to manipulate us into acting in their interest rather than the interests of our friends and families,

o TB offers strong (but by no means perfect) protections against various other kinds of internet nastiness which is often associated with criminal activity or--- increasingly--- with state sponsored cyberwar actions targeting the entire populations of "combatant" nations in some secretive undeclared cyberwar.

Explaining why such protections are increasingly required urgently even by "ordinary citizens"--- even by the most modest grocer in some open air market using a cell phone to carry out financial transactions in order to operate a fruit stall, or a housewife doing the family shopping--- would require more space than the moderators will allow us, but you might look for any of these books:

Cathy O'Neil, Weapons of Math Destruction

Bruce Schneier, Data and Goliath

Julia Angwin, Dragnet Nation

Brian Krebs, Spam Nation

(to mention just a few of the best of many on related topics which I've read in the past few years).

June 15, 2017

In reply to by portugal (not verified)

Permalink

es una mierda mi antivirus lo detecta como un virus con troyanos tr/atraps.gen2 mejor pongan una opcion para bloquear actualizaciones automaticas

June 13, 2017

Permalink

using torbrowser 7.0.1 at ipcheck.info,, authentication shows in red [bad]
why is this? is cause for concern?

June 14, 2017

In reply to gk

Permalink

But I think there is real problem when I closed all tabs, cleaned cache web content, changed tor circuit and if I reloaded ipcheck.info it shows me the same unique ID number of authentication until I quit torbroser.

Let's assume you have domain A in your URL bar which embedds an iframe C doing the tracking trick ip-check.info deploys. In Tor Browser < 7 we did not allow A reading authentication credentials C tried to set which is why the ip-check test showed a green result. Think about forbidding 3rd party cookies which is basically the same. Now while this is blocking tracking across domains (e.g. if C were embedded in a different URL bar domain B as well) the downside is that it may break some sites, e.g. if A tries to access that information which is usually available.

In Tor Browser 7 we changed that by allowing A to access the HTTP auth saved by C which is all the ip-check test checks (and hence is showing you the scary warning now) BUT we prevented at the same time B from reading that value saved by C formerly while the user has been on A. Thus, tracking across domains (across A and B) is prevented, but the ip-check needs an update to take that into account. If you want to have a test, take the one Arthur has written in https://trac.torproject.org/projects/tor/ticket/21756#comment:2. It's not so fancy, yes, but it tests what is actually happening.

June 13, 2017

Permalink

thanks for another great release! tracking mozilla's release cycle so closely is exciting and much appreciated

June 13, 2017

Permalink

For some reason I cannot get the Mac version of TOR 7.0.1 to download. Tried it multiple times with no success. The file directory page shows the file links are broken. I've been using the the 7.0.1a RC version for some time now without issue.

June 13, 2017

Permalink

has anybody had experience with protonmail issues? since version 7.0 there are some performance problems. works still with older versions before 7.0

Yes, you should set the security slider to low to get it to work without issues.

It's because in the Medium settings JS JIT (Just-in-time compilation) is disabled.

I think that since v7 some site don't work as they used to. For example, some images aren't loaded or the layout of some sites looks different.

Also, taking a screenshot using shift+F2 doesn't work the same as before, for example the dpr or the fullscreen switches don't work, and you don't get the option to select the path of the file.

I think that the first part was due to cloudflare messing things up, maybe more aggressively than how it used to.

The second part is easily reproduced, for example Shift+F2, then 'screenshot test.png --fullscreen'

Which operating system is that? FWIW there is no --fullscreen option it seems. I guess you mean --fullpage? Testing on a Linux box I have both options available. But, yes, there is no option to select the path to save the item. But that is not available with a vanilla Firefox as well it seems.

Tested on a Windows 7 machine both with normal Firefox and with Tor Browser 7: the result is the same for me. Both options are there, the fullpage mode is working and in both browsers there is no prompt for the path. What steps to reproduce your problem am I missing?

June 13, 2017

Permalink

v7.0 & v7.0.1 - neither one can I save any image files to disc. v6.5.2 works fine. No modifications or changes to the settings, whatsoever.

Anyone with this same issue?

Maybe, but only with video.

NoScript requires the video to be blocked, you mustn't have allowed a temporary permission for it, in order to successfully download the file. Otherwise, it may ask you where to save it but not actually download it. This is a regression by the way.

I tested downloading an image with high security settings and it worked. Have you changed any settings to TorBrowser or NoScript?

June 14, 2017

In reply to gk

Permalink

Yes.

1. Go to: https://gemmei.ftp.acc.umu.se/pub/debian-meetings/2016/miniconf_cambrid…, NoScript will display the video as a blocked object.
2. Click on the object and allow the video to play.
3. Right click "Save Video As...", choose a location, and accept.
4. Open "about:downloads" to verify the video isn't downloading.
5. Now, right click anywhere and under the NoScript menu click "Revoke Temporary Permissions".
6. Repeat step 1, you will presented with the blocked object. Right click on that object and choose "Save Link As...", accept.
7. Open "about:downloads" and verity the video is now downloading.

June 14, 2017

In reply to gk

Permalink

linux64, it would blow my mind if this was linux specific, though.

And if I may, I'll sneak another minor bug report in, when running tor-browser with "./start-tor-browser.desktop --detach --log" two "tor-browser.log" files are created, one inside "tor-browser_en-US/", the current working directory, which is where it should be, and an empty one in the users home dir. That one shouldn't be there.

Thanks!

Hm, interesting. I just checked but I only get the first, intended one. Do I need to do something in particular to trigger the creation of the other log file starting with a clean, new Tor Browser?

June 15, 2017

In reply to gk

Permalink

I just did some testing, the problem is somewhere in "start-tor-browser.desktop".

This is what I did: extracted the tor-browser tarball into the home dir, changed the working directory to ~/tor-browser_en-US, ran "./start-tor-browser.desktop --log --detach". The extra empty log file was there. I also tried swapping '--log' and '--detach', and not changing the working directory from home, it still happened.

If I run "~/tor-browser_en-US/Browser/start-tor-browser --log --detach" directly, then only one log file is created.

I don't use *.desktop files so I may be way off, but isn't '--detach' implied? I don't know how options are being passed to 'start-tor-browser', if at all, but maybe it's running '--detach' twice?

Same here.

TorBrowser 7.0.x is garbage, everything is broken. Cannot save images, cannot save pages, cannot delete cookies, cannot nothing
TBB 6.5.x worked correctly.

I made bug reports about those issues:
https://trac.torproject.org/projects/tor/ticket/22714#ticket
https://trac.torproject.org/projects/tor/ticket/22715#ticket
https://trac.torproject.org/projects/tor/ticket/22711#ticket

June 28, 2017

In reply to by jewish (not verified)

Permalink

I don't think "garbage" is warranted, but FWIW I also experienced problems with TB 7.0.1 under Debian 9 (Stretch):

When I try to download files from links seen in TB, trying to save them in Browser/Downloads directory, no files are downloaded (according to "Downloads") and no files appear in any directory I looked in. Perhaps some security measure gone afoul?

I verified the TBB 7.0.1 tarball before unpacking it. Did I miss new instructions for where to try to put files one is trying to download via TB?

(Tails has long restricted where users can try to stash downloaded files, for security reasons, which explains my guess above for the cause of the issue.)

June 13, 2017

Permalink

Avast(antivirus) flipped out on tor after it updated to 7.0.1 for me, same with the 7.0.1 installer. (Both got were "IDP generic Infection") Now I can't even download the installer (Avast is blocking it), what do I do?

June 13, 2017

Permalink

Cloudflare is going crazy again?
Can't goto theregister.co.uk with tbb7.0.1, tested without javascript.
Is this the permanent state of affairs now?

I see this.
"Please turn JavaScript on and reload the page.
DDoS protection by Cloudflare"
but I don't go to theregister regularly.

June 14, 2017

In reply to gk

Permalink

Cannot speak for the OP but i see the same without securitysliderproblem.
javascript off, cookies thirdparty never, looadingloop after posting.

June 14, 2017

Permalink

In torbrowser-install-x.x.x_ru (Russian localization) a long-standing problem when after two restarts website (gmail, youtube, livejournal ...) with several of the language versions opens in English. Although in the settings of TB priority is set - Russian.

Hm. I think that might depend on your exit relay. If that is in an english speaking country it often happens that you'll get english content. There is not much we can do about that. The localized bundles should give you a localized user interface.

June 14, 2017

In reply to gk

Permalink

It's not because of the exit relay. After unpacking until the first two restarts TB - everything is fine, but it's worth twice to restart TB - this problem manifests itself. If you move Up "Русский [ru-ru]" in the settings, the problem is solved. But exactly up to two restarts TB - then everything repeats.

So, I looked at it and found at least one bug (I opened https://trac.torproject.org/projects/tor/ticket/22659) but I am not sure whether it is your bug. :) So, when you hit this issue did [ru] get dropped (again) from Options -> Content -> Languages or do you see the problem but it is still there?

Giving your "longstanding issue" I am assuming the latter but I want to be sure to investigate further if necessary.

EDIT: Re-reading your original post I found "Although in the settings of TB priority is set - Russian. " so it seems you experience that problem despite Russian still be the top priority, hm.

June 14, 2017

Permalink

Tor Browser v7.0.x (Linux x86_64) seems slower than the previous v6.5.x series. It this because the underlying Firefox ESR got slower, or something to do with the Tor mods?

By "slower"I mean browser functionality, not networking throughput.

June 15, 2017

In reply to gk

Permalink

Before, when I clicked New Identity, the browser was immediately closed and re-opened. With v7.0.x there's a hesitation of a few moments before the browser window is closed. In some cases the new window is opened even before the old one is closed, leaving 2 browser windows on the screen for an instant.

There is a way to instrument Firefox performance, and one of the metrics is browser start up. Sorry, I don't recall how to enable the metrics. It's been years since I've done it.

June 14, 2017

Permalink

Again Tails comes out at the same time on the day Torbrowser has a new release, leaving Tails insecure and unusable with an insecure version of Torbrowser.

This ongoing cooperative disconnection is a gift for governments and organizations that want to break peoples safety and security.
What is the agenda behind this ongoing not working together?
Please give the Tails people a chance to put the latest Torbrowser versions in their newest Tails versions.
Please work together.

Or is it mozilla that is always planning important security updates on release dates of Tails?
It is not a coincident anymore and it is not good for trust in your products.

June 14, 2017

In reply to gk

Permalink

Your news update on Tails in
https://ocewjwkdco.tudasnich.de/blog/tails-30-out
states

"Update Tor Browser to 7.0 (based on Firefox 52 ESR) ".

If your work together which is and would off course highly be appreciated, why do you mention 'update to Torbrowser 7.0" instead of "7.0.1" ?
7.0 is both mentioned on Torproject blog page as on the tails website.

Please make clear which browser version of Tor is in Tails.
The latest 7.0.1 one or the 7.0 one?

Thank you very much

June 14, 2017

Permalink

I wonder why 7.0 asks me to update to 7.0.1, and I found out that's because app.update.auto=false, but I hadn't change it! Possibly, it happened during 6.5.2 to 7.0 update. I'm on Windows 10.

July 06, 2017

In reply to gk

Permalink

There's indeed some problem with the print preview since TOR version 7.00 including 7.01 and 7.02 :_

Only a scale setting of 100% or "scale to fit page size" shows a correct print preview window. Any other value below 100% shows a grey area only.

This is on Ubuntu Linux with an European localised TOR version where our decimal point is a comma (i.e. "3,14" instead of "3.14"). When setting the scale factor in the print preview to, say, 80%, the localised TOR stores in about:config window this:
print.print_scaling = 0.50

But it should be:
print.print_scaling = 0,50

When I manually set the "0,50" in the about:config window, I can see a correct print preview once, and then I can also print with the correct scaling, but after I close the print preview window, the next time It opens it's again a grey area only, and with value = "0.50" again in the about:config window.

In TOR versions 6.x the values always have been "0,x" i.e. with comma instead of point, and everything worked fine. When having automatically upgraded from 6.x to 7.x the print preview worked (i.e. "0,50" values were stored in print_scaling) but with a fresh TOR 7.x installation, it won't work.

June 14, 2017

Permalink

Bug 22542: Security Settings window too small on macOS 10.12

It is still too small to fit Medium level description on Windows :)

June 14, 2017

Permalink

why it's not possible to create account on Instagram via tor browser?it says :"Sorry, something went wrong creating your account. Please try again soon."

June 14, 2017

Permalink

The following custom torrc for Tor 0.3.0.8 causes it to exit unexpectedly only when launched through the browser:

AvoidDiskWrites 1
Log notice stdout
CookieAuthentication 1
ControlPort 9622
SocksListenPort 9623

The problem lies with these three variables:

ControlPort
SocksPort
SocksListenAddress

Remove all three of them, the browser can start tor without issue. Put any one of them back and tor crashes.

The strange thing is if you launch tor.exe separately and supply those on the commandline it launches without crashing:

NOTE: I also tried HashedControlPassword with same result

June 15, 2017

In reply to gk

Permalink

It appears to be a problem with the ports, It works fine if I change the ports to something else.

The strange thing is that netstat (windows) does not report those ports in use but tor.exe definitely crashes before the browser can even connect to it. The browser reports it exited unexpectedly.

Are they maybe used by the browser already without specifying them in the torrc file? network.proxy.socks_port and extensions.torlauncher.control_port are the relevant preferences (you can look the values of those up on the about:config page in Tor Browser).

I would expect magnet: link to show up in
Options (or Preferences), Applications pane

The help button (question mark in upper right side) goes to

https://support.mozilla.org/en-US/kb/applications-panel-set-how-firefox…

Then the follow link to

https://support.mozilla.org/en-US/kb/change-firefox-behavior-when-open-…
Adding Download actions.
Does that help?

Could you give us more details about your setup? Does that happen with a newly download Tor Browser? Does it matter which URL (i.e. can you give us an example)? Which operating system are you on? If Windows, do you have antivirus/firewall software installed that could interfere with Tor Browser? If so, could you uninstall it for testing purposes (disabling is often not enough)?

June 15, 2017

Permalink

Should I change dom.ipc.processCount to i.e. 8 to launch a new process for every tab (8) open in the browser?

June 15, 2017

Permalink

I just posted a comment (reply to another comment).

Besides the expected:

Your comment has been queued for review by site administrators and will be published after approval.

I also got this:

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

June 15, 2017

Permalink

Can't connect with bridges after updating from 700 to 701. Started fine before update and worked before I did the update, now stuck on the connecting window. It was working literary 5minutes earlier. custom obf4 bridges. win 32-bit. Now I have to connect w/o bridges or it wont work. This happened about a year ago too after an update.

16.6.2017 04:24:59.900 [NOTICE] Ignoring directory request, since no bridge nodes are available yet.
16.6.2017 04:24:59.900 [NOTICE] Bootstrapped 5%: Connecting to directory server
16.6.2017 04:25:00.100 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
16.6.2017 04:25:00.600 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
16.6.2017 04:25:00.700 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
16.6.2017 04:25:00.800 [NOTICE] Bootstrapped 50%: Loading relay descriptors
16.6.2017 04:25:02.300 [WARN] Proxy Client: unable to connect to xxxxxxxxxxxxxxx ("general SOCKS server failure")
16.6.2017 04:25:07.100 [WARN] Proxy Client: unable to connect to xxxxxxxxxxxxxxx ("general SOCKS server failure")
16.6.2017 04:25:40.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
16.6.2017 04:25:40.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
16.6.2017 04:25:40.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
16.6.2017 04:25:40.900 [NOTICE] Delaying directory fetches: DisableNetwork is set.

June 15, 2017

Permalink

How do I change my IP without clicking "new identity", "New Tor Circles for this Site", or waiting some minutes?

June 16, 2017

Permalink

Many thanks for providing Tor, Tor Browser, Tor Messenger &c!

It seems that your web page listing signing keys

https://sedvblmbog.tudasnich.de/docs/signing-keys.html.en

is seriously out of date. Both keys listed for Roger D appear to have been revoked (but this is "unverified", says at least one key server). The first key listed for Peter P also appears to have been revoked. And Jacob A is listed as signing some Tor products, but if memory serves he is no longer with Tor Project.

Also, when try to post page appears to reload endlesslly, so the new blog format may not be working correctly.

June 16, 2017

In reply to arma

Permalink

Hi, arma, thanks for opening the bug report.

> (It is fine and reasonable to have old keys on the list, since the goal of the page is to describe all of the keys that have signed all of the packages over time.)

Fair enough, but you should state this on the page and should probably explain that Tor Project knows some of the keys have expired.

It would be of great interest to hear anything you are willing to share about why the keys were revoked. I am guessing "was tired, goofed, revoked key in abundance of caution" rather than "uncovered unambiguous evidence of GRU messing with my keyring", but as World+Dog finally appears to recognize, the latter scenario should never have been regarded as highly implausible.

Neither of my keys have been revoked. The 4096-bit one has a subkey, and the subkeys periodically expire and I replace them with fresh ones. It's possible that your pgp or gpg or whatever is displaying the expired ones as revoked, when really it should just be saying "expired".

It's also possible you have fake keys that claim to be mine but aren't. Some years ago some jerk published fake keys (i.e. keys that collide in the last 8 hexes) for all of the top 1000 pgp keys. See e.g. https://lwn.net/Articles/698203/

June 22, 2017

In reply to arma

Permalink

Interesting discussion, thanks--- I am rarely able to read LWN so a working link was a treat! I was aware of the short key-id issue but we should all probably do more to make more Tor users aware of it.

I have a link for you too. The Intercept is publishing an important series of stories which I hope Tor leadership will read, since I think it supports the view I have expressed for many years that ordinary citizens are far more likely than most people yet acknowledge to be targeted by some pretty frightful operatives, and reveals the urgency of strengthening Tor to help ordinary citizens protect themselves from political stalking and other targeted surveillance:

https://theintercept.com/2017/06/21/as-standing-rock-camps-cleared-out-…
As Standing Rock Camps Cleared Out, TigerSwan Expanded Surveillance to Array of Progressive Causes
Alleen Brown, Will Parrish, Alice Speri
21 Jun 2017

I note that people with all kind of political views can be targeted in such operations--- the takeaway of the Intercept series, I think, is that citizens need not encourage even modestly illegal actions (e.g. sit-ins) or even to be very "radical" to be personally targeted by all kinds of groups, potentially including non-governmental hate groups as well as corporate or "establishment" political operatives, and of course various "security authorities".

I worry about the authenticity of security-critical keys used to sign Tor products and other personal cybersecurity products. No doubt you would agree that the Web of Trust has many deficiencies (e.g most Tor users lack opportunity to attend key-signing parties with Tor employees who sign packages), but it seems no-one has yet developed a credible improvement and I think that has to change as governments (and . I recognize that "absolute confidence" is a chimera, but ask developers to recognize that "defense in depth" against malicious schemes employed by governments and other attackers hardly requires large quantities of Unobtainium to be effective. The goal should be significantly hinder attackers while maintaining a reasonable level of convenience for users. Even a very sophisticated state-sponsored attacker, like any kind of predator, is likely to focus on "low hanging fruit", in the context of what governments and megacorporations view as a global environment rich with multiple potential threats to their wealth and power.

I love the notion of using onion services to thwart governments and other attackers using MITM type schemes to trojan software as it is being downloaded (potentially altering signing keys and detached signatures to mask a malicious modification to a software package). As Tor Messenger matures, is it possible that some brainstorming might reveal a useful scheme exploiting TM and/or onion services to improve user confidence in authenticity of signing keys? (Ideally, not just for Tor Project but for any FOSS project.)

June 16, 2017

In reply to arma

Permalink

Can you ask the Tails developers to integrate the Tor-keys in Tails. It would be a smart! possibility to test the integrity of an TBB download.

"[...] integrate the Tor-keys in Tails."

Yesss, please do that. I propose that,too.
It's comical to trust the process of verifiying TBB download on the same PC with installed operating system, if you don't trust this downloaded TBB.exe with fingerprint integrated -sha1(-:.
The possibility to test this TBB download with good verified Tails would help more than a little bit.

June 16, 2017

Permalink

Well, this is certainly an awkward development:

From:

https://sedvblmbog.tudasnich.de/about/sponsors
...
Active Sponsors in 2017:
...
SRI International (2011-2017)

And from

https://wikileaks.org/vault7/#Cherry%20Blossom

Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International).

CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for "Man-In-The-Middle" attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.
...

Interesting!

We've used them as a pass-through funder for two grants:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorR
https://lists.torproject.org/pipermail/tor-talk/2015-April/037538.html
and that second one is ending in August.

It looks like SRI is a big place, and they do some harmful things. I'm still happy they've helped us handle the bureaucracy of receiving government funding.

As a final link you might find interesting, check out
https://ocewjwkdco.tudasnich.de/category/tags/form-990

June 16, 2017

In reply to arma

Permalink

Hi arma, thanks much for the prompt reply.

I think you once told me what "pass-through" means, but that was years ago and I have forgotten the definition.

Agree that these government think-tanks and even some federal agencies tend to be huge institutions which have stuck their fingers in many pies, not all of them very savory.

Still, I hope this will serve as a reminder to Shari and all of the continued urgent requirement to struggle to move away from USG funding to user funding. By this point I expect a depressing report on the result of the funding drive, but even disappointing numbers might help to make some users realize that the Project really needs them to find some way to send money, precisely in order to avoid being "captured" by USG. Which is involved in all manner of "effects operations" which run completely contrary to Tor Project goals. (And to some of the USG's occasionally benign activities, no doubt.)

While I have your ear, I hope Shari is also continually working to strengthen "political" alliances which can perhaps fight off the very real danger that unbackdoored cryptology will simply be outlawed in USA, EU, or both. As I trust you both know,

o embattled PM May continues to call for backdoors in all UK crypto,

o former DNI Clapper (he of the "least untruthful answer" while testifying under oath) and other "moderate" figures [sic] continue to demand US backdoors,

o similar insistent demands in DE and other EU countries continue.

So this is a political battle which Tor Project simply cannot ignore, because if such mandates become law in nation X, Tor will no longer be legal to use in nation X. Unless TP decides to abandon the "no backdoor" vow. Which I hope will never happen, particularly if it is done *secretly*, for example after a *secret* law with a *secret* mandate forcing all technologies to *secretly* incorporate *secret* backdoors, which seems to be what Clapper & co. are really demanding when they make the nonsensical claim that society can have strong crypto and instant accessibility (to the "security authorities') at the same time.

It's likely most of the five eyes and partners were also pressured to loosen up the public as they suddenly started talking about backdooring as well as companies/manufacturers/citizens handing over crypto keys at the same time.

June 17, 2017

Permalink

02:44:50.645 IndexedDB Maintenance finished with error: NS_ERROR_NOT_AVAILABLE: ActorsParent.cpp:18869 1 (unknown)

June 17, 2017

Permalink

13:24:12.532 Unknown source for one-off search: paste 1 BrowserUsageTelemetry.jsm:286
recordSearch resource:///modules/BrowserUsageTelemetry.jsm:286:15
BrowserSearch.recordOneoffSearchInTelemetry chrome://browser/content/browser.js:3856:7
handleSearchCommandWhere chrome://browser/content/search/search.xml:401:15
handleSearchCommand chrome://browser/content/search/search.xml:362:11
BrowserSearch.pasteAndSearch chrome://browser/content/browser.js:3778:5
oncommand chrome://browser/content/browser.xul:1:1

June 17, 2017

Permalink

my browser does not open after the update. im using windows 10 and no screen appears or anything else after the update. ???????

Me too. Took 7.01 out, reboot, put it back reboot. No error, nothing happens. Tried a Launch from the app folder, nothing happens. Tried the 7.5a test one, nothing happens. If I was not paranoid, I'd think MS had shut Tor out. Er...

Try uninstalling your antivirus/firewall software, it often prevents Tor Browser from starting if it ship new tor versions as the recent major version did. Disabling it might not be enough for what it is worth.

June 17, 2017

Permalink

Ok, I realise ip-check.info needs to fix their test for authentication... but why is it that the unique ID the test shows never changes even after manually selecting a new tor circuit?

Can someone please tell me if this is purely a result of outdated code on their site or is there also some bugs in the client? Should i feel secure using this build right now or not?

We are quite sure that this is a bug in the test. You get the same ID as the site can still access the tracking data it planted in your browser (but that tracking data will *not* be available to a different website which is the whole point of our defense and the ip check does not test) and selecting a new Tor circuit does not change that. You'd need to request a New Identity (on the same Torbutton menu) in that case.

June 17, 2017

Permalink

Debian users anxiously awaiting the advent of Stretch (expected any minute as I write) will be heartened by this note confirming that the onion service mirrors should work for Stretch:

https://micronews.debian.org/index22.html

A followup post from Peter P on the mirrors in this blog would be good.

> confirms

Ooops--- it doesn't; I missed the date on that post. Nevertheless I hope and believe (haven't yet been able to check) that the onion mirrors will correctly handle the rollover to the new stable (Stretch, aka Debian 9), as long as your sources.list does not contain repositories which are not designated by the version name (e.g. Jessie, Stretch).

June 23, 2017

In reply to by Anonymous (not verified)

Permalink

From

https://www.debian.org/releases/stretch/amd64/release-notes/ch-informat…

it appears that the sources.list lines needed to use the Onion mirrors of the Debian repository is:

# deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
# deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main

As I read the page, you can change "main" to "main contrib non-free" to obtain the full repos.

My initial attempt to use this did not appear to work, but I'll try again and report back if possible. Has anyone here used the Debian mirrors with Debian 9 (stretch) successfully?

Anyone know why a base install of Debian 9 (stretch) includes linear programming solvers and other rather sophisticated mathematical tools? Is this cryptography related?

June 17, 2017

Permalink

Can you guys help me out? I got Tor 6.5.2 but when I updated to 7.0.1 it stopped working and won't open. I tried installing it again but it doesn't work.

i have the same issue that you do but it is quite simple to fix
just "install" it somewhere else, that worked for me but i still have the issue that when i update to 7.0.1 it stops working (i used tor with ublock origin, i tried tor without it and i still have the same issue so i dont think it is the issue)

I found this thing loading with firefox is stopping the load on mine.
Trusteer\Rapport
It is a bank website security thing that seems to think Tor is a valid browser to load into.
Tor disagrees.
I shut down the service and Tor loaded OK.

June 18, 2017

Permalink

Ever since upgrading to Tor Browser 7.0.1, I have to download images twice. First the image loads in my browser, then when I click "Save Image As..." the file has to be downloaded a second time in order to save it to disk. This is new behavior that did not occur in previous versions of Tor Browser. (Fyi - I am using Windows XP, but please don't judge. Thanks!)

June 19, 2017

In reply to gk

Permalink

Thanks for replying to my question! I'm glad to know what was causing the problem. Good luck with the fix. Cheers.

June 18, 2017

Permalink

Tor update not possible, System Unsupportive!

I refuse to update Osx Mountain Lion, no need for SIRI shit!
But I hope TOR is still safe, even it refuses to update.

No, it is not safe anymore to use the old Tor Browser (6.5.2). In the new Tor Browser version there have been a number of critical Firefox vulnerabilities fixed. Some of those might not apply to the old Tor Browser but some do.

June 19, 2017

Permalink

(1) Every time Tor Browser restarts, Adblock Plus loses all of its filter subscriptions! This is highly annoying and also perhaps not immediately noticeable by some (which could be a security issue).

(2) The zoom level of a tab gets reset to 100% every time I choose a different link from bookmarks. Simplest example: I open a blank tab, set zoom level to 90%, go to Bookmarks and select any page - the result will be that the tab will open with a 100% zoom level!

June 20, 2017

In reply to gk

Permalink

(2) Wow, you are right! That is weird...

(1) Well, this is easy. :)

- install Tor Browser,
- install Adblock Plus add-on,
- add any filter subscription to Adblock Plus (e.g. EasyList),
- close Tor Browser,
- open Tor Browser again,
- look at Adblock Plus's filter subscription list - it is empty.

Does this reproduce?

I followed your steps with a clean Tor Browser 7.0.1 (en-US) on a Linux box. The filter list I added (I chose the first from the drop-down menu) was still there after a restart. Note, there was already an EasyList list enabled by default before I added yet another one. And both survived a new start. So, I wonder what is different in your scenario then? Does that happen with a clean, new Tor Browser 7.0.1 if so on which platform?

June 24, 2017

In reply to gk

Permalink

I am running Tor Browser on Windows 7. And it's not a clean install, it's an upgrade from the previous version. (BTW, the bug with Adblock Plus might have appeared in version 7.0, not necessarily in 7.0.1; I used the 7.0 for too short a time to notice.)

However, since most Tor Browser users, like me, probably upgrade instead of doing a clean install each time a new version comes out, I do not believe this disqualifies the issue I've found from being looked into...

(I don't think anybody is saying "Oh, you're upgrading? Then of course it should be broken and we don't want to fix it." Rather, they are trying to give you debugging steps to help you reproduce the problem better, and ideally to help you reproduce the problem in as simple a scenario as possible, so other people can see it happening too.)

June 27, 2017

In reply to arma

Permalink

I didn't say they were saying that... :) Sorry if it came out a bit harsh.

However, I have, lamentably far too often, found that developers take the approach: "Oh, this bug doesn't reproduce on a clean install? You have some other stuff going on? Sorry, not our problem. Try a clean install." And one is left wondering: "Umm... Ok, and what about my bookmarks / extensions / configs / other software / etc?.."

So, to resume the debugging, does that happen with a clean, new install of Tor Browser (and Adblock Plus) on your system? If not, we need to compare the differences to narrow the issue down.

July 21, 2017

In reply to gk

Permalink

- Ok, so I just deleted my Tor Browser and did a FRESH install of version 7.0.2.
- Added the AdBlock Plus addon, added a subscription.
- Restarted Tor Browser.
- The subscription is GONE...

July 22, 2017

In reply to gk

Permalink

PS. Gotta say, it's REALLY annoying - having to reinstall the filter subscriptions EVERY time you restart Tor Browser.

June 19, 2017

Permalink

Bad that new version Tor does not support Windows XP Pro SP3. Not all and not everywhere can itself to allow to buy the new modern computer and not there is desire beside all to move to more modern versions Windows.

June 19, 2017

Permalink

Hi torteam!

Little mess here. After my update from torbrowser (browserbundle) 6.5.(?) to 7.0.0 I realized, that the entrynode never changed. Nevermind what I do, new circuit, new identity, close torbrowser and reopen, wait some minutes for the automatic circuitchange – every time the same result, every time the same IP-adress of the same entrynode appears. I purged the browserbundle, download the new version directly, every thing was fine.

Then version 7.0.1 was out, I updated, the problem with the same entrynode again appears. Purged browserbundle, download new version directly, same problem. Purged, download experimental version, same problem. Tried it any times. Than go back to versions 6.5 and 6.0.8 (had still the tar-archives), but now had the same problem with the old versions too.
Happened on an old machine with a Pentium(R) M (by default with WinXP as OS) with the latest stable Debian Jessie.

At the weekend I installed the new Debian 9 as a complete fresh OS on that machine, download torbrowserbundle 7.0.1, start torbrowser, had again the same entrynode, nevertheless I do (close, new circuit, new identity). All downloads were right from your page here, 32-bit-versions.

To clearyfy: the entrynodes between the several installations are different (5xFrance, 8xGermany, 3xNetherlands, 1xDenmark, 1xChech, 1xMoldavia, 1xLuxembourg), only in one case an IP appear twice.
But once installed, the IP of the entrynode never changed.

Made I a mistake, is the hardware too out of date, is it a bug or should I go for tinfoil?

June 19, 2017

In reply to gk

Permalink

Ah, ok, thanks!
I´ve never noticed that before, since when is it included?
And what means „often is a feature“? There are situations when its not a feature?

In the details u linked is written about a few relays used as entrynodes. Is this means if I open the torbrowser in one hour or tomorrow I should see another entrynode?

We added the entry guard feature in Tor 0.1.1.11-alpha in 2006.

You can read a whole lot more about entry guards, and why they're critical to security, in this blog post:
https://ocewjwkdco.tudasnich.de/blog/improving-tors-anonymity-changing-guar…

(As for your other question, I think gk meant "(not rotating your entry guard often) (is a feature)", not "(not rotating your entry guard) (often is a feature)". If that clarifies. :)

June 20, 2017

In reply to arma

Permalink

Thanks, I understand. The point I never noticed before that not rotating of the entrynodes is my own inattention and bias I think.

But to be shure: there is a pool of few (3-4) entrynodes for me since I installed and started the torbrowserbundle, but only one will appear for me/my client will use until this relay precipitates or in a few weeks (6-8) the pool itself will change (a bit?)? So for several weeks the same IP have to be appear as my entrynode if the torbrowser work correctly. But if the same IP stay much longer as my entrynode, something went wrong. Right?

June 19, 2017

Permalink

I running Mac OS and noticed that the "Tor circuit for this site" displays

Bridge: OBFS4 followed by the other couple of IPs.

My concern is sometimes I will see Bridge: OBFS4 (United states)

Why does it show the country and as far as I can see only U.S.?

It shows the country as for all the other relays in your circuit. Thus, there is nothing special in that regard. There are bridges in other countries as well but your Tor Browser picked a U.S.-based one and sticks to it.

June 19, 2017

Permalink

it doesn't matter what settings I use to stop auto-updates, nor even if I go into the about:configs and hard-code everything against auto-updates.
The browser keeps forcing auto-updates from v6_5_2.
I am having issues with the newest v7 tree, and need to wait on the 7s
Why? why can the auto-updates NOT be stopped? what have you done?

I just tested it with a clean new Tor Browser 6.5.1 and it is not updating provided I change the update related preferences *before* I start the browser (you can specify to never check for updates or check but only apply them after a click, both works for me). The update check happens even before you switch any preferences in your about:config during start-up.

June 20, 2017

In reply to gk

Permalink

No, that's not the solution, nor does it address the bug and security hole. I have done the same thing numerous times, and the error WILL replicate. Cycle through several runs of the browser after it has already been installed and at one point in a subsequent startup it will just override all browser update options(including manual changes to the about:config and even removing update URL addresses in the about:config) and just install the new version automatically. In other words, completely re-install the browser and set all variables to NOT update at the initial launch. And then run the browser a few times, visit some sites, leave it open for a bit. Then close it, and restart. Do that a few times, and then suddenly, it will just override all your settings and just update itself automatically contrary to your settings.
Respectfully, this is a big security hole, if that is all that is. It is certainly a bug. Where in the code base are your forcing this update?? Is that also replicated in the new v7 series?
I appreciate your quick answer in reply, but that's not really an answer that has any depth.
Let me repeat the obvious, this is not merely a bug, but instead one of the standard items on the list of SECURITY HOLES. If you've hard-coded forced updates, just disclose that. But if you have not, then you have left a big hole here that can be triggered by something other than the user. If the update process is open to be triggered by an hole in your code, then a malevolent process, or site, or party (M-T-M) could trigger an update and compromise security. To be fair, let's assume that you have the code-signing process in your auto-updates all properly locked down. (that's a big assumption, but we want to trust you). If a new vector or exploitable bug is introduced in a new version-- particularly as you update the rolling changes in Firefox-- that was non-existent in a prior version, then you have just forced the user into a security compromise. There is also the other annoyance of simple system incompatibility with the new version. Either way, it is for this very reason that organizations routinely lag with updates until new versions have had a chance to fully bake-in.
Now, I realize that this is a long post, but this is a pretty big bug, and it is replicable. Either you address it, or it needs to be broadcast to the larger Tor user base and let them start asking questions. Could I delve into the code-base myself? Sure, but that is a big investment of time that might be unnecessary if you (the developers) just please be transparent about this issue and disclose what, exactly, you have coded this to do. If you don't know, then that's another problem altogether. But let's wait for your answer. Please do. And if you don't have one, at least point to the location in the code-base where the community developers should start looking to contribute a possible fix to your coding or design errors.
Please, answer with something more substantive that a flippant response. This issue is replicable, and it is serious.
thank you in advance.

Even though my answer was not as long as yours it was not flippant: I tested your issue yesterday quite for some time with different configurations and could not reproduce it.

Now, first of all, we don't ship our own updater but the one Firefox uses. You might be interested in reading how it works: https://wiki.mozilla.org/Software_Update + linked pages. While we are patching the updater to fit our needs we don't patch the mechanism that is responsible for automatic updates. The two patches we have are

a) for using the Firefox update process (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52…) and

b) for making use of MAR file signing (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52…).

If you don't trust the preferences I mentioned in my previous reply you can set app.update.url to "" or some internal URL as we do for Torbutton/Tor Launcher updates (we use data:text/plain,).

What would be helpful is seeing some log in case that happens again. You can enable update logging with the app.update.log preference.

Finally, no, website can't trigger an update. Not sure where malevolent processes come into play here but they can just easily overwrite your firefox binary and then it is game over. Not sure what "party (M-T-M)" is? You mean some man-in-the-middle attacker? They can't trigger an update either unless they can break TLS/bypass the key pinning.

June 19, 2017

Permalink

the auto-updates are functioning independent of the toggle in the options dialogue. In addition, not even manually editing the about:config file solves the problem. I'm not sure what exactly is causing the over-rides, but after wasting entirely too much time I suspect that it may be related to one of two things: (1) permitting messaging to Windows OS from a site after granting permission in the browser window, or (2) some bug in the Tor launcher. I did notice that when I completely turn off updates, the browser just ignores the settings and updates itself, but when I choose the option to let me decide whether to install updates, the browser doesn't update itself for a while. Not sure what does cause the eventual update in this configuration, but it eventually triggers. I'm fairly fluent in browser programming, but don't have the time to deep debug this issue. Nonetheless, I must say that I consider this an extremely serious security issue. I know, I know, certificates & signing etc. etc. But SOMETHING IS MIS-CODED here that is causing the system run against the manual controls and toggles. Assuming that's true, then I suspect that the error could be hijacked by a 3rd party or M-T-M.
If you have any response-- and by you, I mean the developers, please respond here so that all can see. I've already searched the blog, and even Googled the issue, but there is nothing. Respectfully, I consider this both a BUG, and a serious security hole/threat.
Thank you in advance.

June 20, 2017

Permalink

Why are login pages for all onion sites showing me a crossed out lock icon and telling me "this connection is not secure" whenever I click in the password boxes?

How come everything is coming up http and not https?

June 20, 2017

Permalink

I have noticed lately that Tor Browser often shows one exit node, the IP, and the country, while various testing sites, such as ip-check.info , and http://www.dnsstuff.com/, will now show something entirely different, different IP and different country entirely. This is a new behavior and occurs consistently on both Tor Browser and Tails, as well as on different machines, and running from a DVD or USB key.

I find this disturbing. Any explanations?

How can we reliably know and verify the country where our exit node resides if different services are at odds with what Tor Browser is reporting, more often than not?

The circuit you used while the tests looked for your IP could have timed out before you landed on the final page or there are various redirects to different top level domains in the test included that could lead to this result. Hard to tell.

You can click on the onion menu next to the URL bar when loading sites and see live what your circuit usage looks like.

June 24, 2017

In reply to gk

Permalink

I have checked to see if the circuit has changed during the test, but it has not.
As I said, this is entirely new behavior.

When I go to https://check.torproject.org/?lang=en_US, it always agrees with what Tor Button is reporting. But, when i go to the testing sites mentioned, they show a different IP and a different country. Very disturbing.

Just now I changed the circuit and Tor Button shows an exit node in Sweden. I now have ten minutes before it changes automatically. I go to IP-check.info, and it shows a different IP with an exit in Romania, which is often the case. Tor Button still shows an IP in Sweden.

Doesn't boost my confidence at all.

> I now have ten minutes before it changes automatically.

That hasn't been the case forever (Tor Browser sets and uses `KeepAliveIsolateSOCKSAuth`).

> I go to IP-check.info, and it shows a different IP with an exit in Romania, which is often the case.

You don't think that all your traffic to every single site goes down the same circuit do you? That hasn't been the case, basically ever. And if it were otherwise, it would be a bug.

> Doesn't boost my confidence at all.

Maybe if you correctly understood how it is supposed to behave, you'd have more confidence.

June 25, 2017

In reply to yawning

Permalink

I may not be a rocket scientist, a cyber-security erxpert, or a network engineer, but I do understand how Tor Browser has behaved in these tests in the past, up until this release. The current behavior never occured until this release. So, where is the clear layman's explanation for the change?

If the end user cannot reliably test and have confidence in at least knowing which entry and exit nodes are being used, at any time, then there is no utility in having Torbutton show the supposed nodes.

Which one is to be believed? Tor button or the testing site? Both? Is more than one Tor circuit being used at a time, when only a single browser tab is opened? Are two instances of Tor running, when there should only be one? How and why should that occur?

When what was once testable becomes untestable, because the reliability of popular tests is now in question, which in turn throws tor button node reporting into question, where should our confidence come from? Tor button alone? Why is it no longer easily and independently verifiable, when it has been, up until now?

See my answer below. When you say "different", do you mean "different from what the last site in the other tab told me"? Or do you mean that the text on the web page disagrees with the "Tor circuit for this site" read-out you get by clicking on the green onion while you're on that tab?

Why do you want to believe something? Torbutton shows you the last circuit for some site. Testing site uses different addresses to check the linkability and shows IP of some exit. What's the problem?

Right, Tor Browser started using per-tab isolation (or more precise, per "destination listed in the url bar" isolation) went into Tor Browser 4.5-alpha-1 in November 2014:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bund…
" * Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain"
https://bugs.torproject.org/3455

See also Section 4.5 of
https://sedvblmbog.tudasnich.de/projects/torbrowser/design/

In short, the "now have 10 minutes" thing is what the program Tor does by default, but Tor Browser configures Tor to do its circuits differently.

Hope that helps!

Hmmm.... while watching Onion circuits and the circuit data in TB itself, I reloaded this page, then followed the link in your post. My circuit did not change (which suprised me since I thought following a link to a third party site would give a new circuit), but the exit server did agree with one named by ipcheck. I called "new circuit" in TB (which did indeed create a new circuit) and tried again, with same result for the new exit server.

(FWIW, I am using TB in Tails 3.0.)

June 21, 2017

Permalink

Hi, since I downloaded this latest version, tor doesn't open anymore, I've tried everything, I changed the install location but nothing seems to work

I suspect you are on Windows? If so, which version? Do you have an antivirus/firewall software installed? If so which one? Could you uninstall it and test whether that solved your problem? This kind of software is pretty intrusive and is known to prevent Tor Browser from starting in some cases. Do you get error messages when trying to start Tor Browser?

June 29, 2017

In reply to gk

Permalink

I have exactly the same issue. I have windows 7 64 bit and i have tried everything it said, i have closed my firewall and antivirus i have deleted tor and reinstalled it, i have installed it in a different location. Nothing! I use to just update tor and it normal works, what must i do know to get it to work?

June 21, 2017

Permalink

every time I tor update from 6.5.2 to the new version it does not open.. please help very computer illiterate... thanx

I suspect you are on Windows? If so, which version? Do you have an antivirus/firewall software installed? If so which one? Could you uninstall it and test whether that solved your problem? This kind of software is pretty intrusive and is known to prevent Tor Browser from starting in some cases. Do you get error messages when trying to start Tor Browser?

June 21, 2017

Permalink

Since the new tor browser 7.0.1 and tor 0.3.0.8 are out pageloads are much faster than before. I guess this is due to the multiprocess firefox. Good work so far.

Ok. So ...

If not, where did you set StrictNodes 1? What file? And are you expecting this to affect Tor Browser or your system's Tor?

June 26, 2017

In reply to pastly

Permalink

torrc
i just want that 'excluded' means excluded?
how to do?

June 22, 2017

Permalink

US Deputy Attorney General Rod Rosenstein has been much in the US news of late, but there's another reason why Tor users worldwide should be paying attention to what he's saying to the US Congress: that Tor poses a drastic "threat" which "cannot be overstated".

https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosens…
...
> Department of Justice must continue to take a leading role in enhancing the capabilities of the law enforcement and national security communities. This budget request will provide $21.6 million in funding to counter the “Going Dark” threat. The seriousness of this threat cannot be overstated. “Going Dark” refers to law enforcement’s increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies. This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools. The Department’s role has been to collect, house, analyze, and share critical data among our federal, state, local, and tribal partners.

Rosenstein is demanding an extra 21 million USD of funding to fight the "Going Dark" threat [sic]. Can Tor user donations match that figure? If every Tor user gave ten dollars this year, I suspect the answer is "yes".

June 22, 2017

Permalink

Hi!
My OS is debian wheezy 32bit

Since long I have 2 installations of torbrowser
The first one with fairly standard settings in
~/tor-browser_en-US/
The second one (with noscript and httpseverywhere disabled for sites that need it)
in
~/tor-browser_en-US2/

Both installations were on 6.52. The second installation auto-updated to 7.01 and later to 7.02

I kept the 6.52 installation just in case.

When starting tb 7.02 the system monitor shows processes tor, firefox and for a split second a process named 'Web'.
Then only processes tor and firefox remain (of course a lot of standard processes out of focus here...)

As soon as I connect to a site, the 'Web' process returns.
'Web' is alive till I exit torbrowser or choose new_identity.

Torbrowser 6.52 doesn't start such a 'Web' process.

'Web' seems to stem from
~/tor-browser_en-US2/Browser/plugin-container -greomni

Is that something to worry about?

EDIT:

(-- > mysterious 'Web' process)
correction: tor browser auto-updated to 7.0 and then to 7.0.1 (I wrote about auto-update to 7.01 and then to 7.02, my fault)

Yes, I believe this situation is normal.

The new Firefox, which Tor Browser 7.0 is based on, has some sandboxing features, where each tab can run things in its own sandbox. Those extra processes you see are from the sandboxed tabs.

June 24, 2017

In reply to arma

Permalink

thanks for calming me down :)

Today I have updated the non-tor firefox to 52.2.0 and it does as well create that 'Web' process.

greetings

> My OS is debian wheezy 32bit

You may have good reasons for sticking to wheezy (no need to explain here if so), but otherwise I'd urge you to consider updating to the new stable (stretch, aka Debian 9). This is available for 32 bit machines, but as someone else noted recently in a blog comment here, 64 bit machines offer some security innovations which are worth taking advantage of if you can upgrade. Also, as you may have noticed, Tails is no longer compatible with 32 bit machines.

If you're using the Medium security setting, switch to Low instead when using ProtonMail. This is due to the fact that JIT (Just-in-time JS compilation) is disabled with Medium and High security settings, and hence you notice those performance hits. Hope that helps!

June 23, 2017

Permalink

yes

New color scheme in... this blog?

If so, previously I could not see buttons but in the new version I can. (Using either the TB version provided with Tails 3.0, and also TB 7.0.1 under Debian 9.0.) Not perfect by any means (I experience the endless reload after each comment submission), but not worse than previous, and presumably an improvement in terms of anti-robo-trolling for the TP maintainers.

Welcome to the Tor community!

You may also want to try out Tails:

https://ocewjwkdco.tudasnich.de/blog/tails-30-out

This comes as an iso image you can burn to DVD, and if you have a 64-bit computer (PC or laptop) which can boot from a live DVD, you can gain significant anonymity/security assurances from using Tails (although nothing is perfect).

I just installed Debian 9 ("stretch") using the onion mirrors and am very enthusiastic about the increased cooperation in the past year or so among Tor Project, Tails Project, and Debian Project, so you may want to look at Debian too

debian.org

I have confirmed that you can install Debian 9 off-line (no network mirror) from the DVD#1 and then installing apt-transport-tor and putting these lines in your synaptic configuration

deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main

enables you to install and update entirely via Tor, which among other benefits entirely evades the mounting problems with those horrid fake certificates used for state-sponsored MITM in order to trojan software as it is being downloaded to a citizen's personal computer. See

https://ocewjwkdco.tudasnich.de/blog/tor-heart-apt-transport-tor-and-debian…

for a somewhat outdated posting on the onion mirrors. In particular, the onion mirrors now include the *full* Debian repository, which is a huge advance.

There is a huge flaw in this scheme: many otherwise valuable STEM applications (or security-enhancing things like FOSS IDS) in the Debian archive appear to come with small or large mail programs which attempt send useless unencrypted email messages to the user. Worse, this "misconfiguration by default" is often impossible for ordinary citizens to disable. Even worse, these mail programs typically assume any user must be on a large .edu system, and if this assumption is not met, the emails are not always sinkholed. Even if actual emails (very possibly containing sensitive information about the system) are not sent, unencrypted DNS lookups make things much too easy for the bad guys.

The most serious issue here might be the possibility that sensitive system information could be exposed to the internet by "misconfigured" utilities installed on the PC which offer no disable option for "helpful" unencrypted emails to "root", and which incorrectly assume that

o the operator has a valid email address

o used the correct domainname for the "domainname" setting when using the Debian installer.

Such misbehavior could perhaps be stopped by setting up a personal firewall which blocks outbound (and inbound) traffic on port 25 might at least prevent sensitive unencrypted emails from being sent into the internet.

The following HOWTO seems to describe firewalling a server rather than making a personal firewall for a PC, but I can't find better advice:

https://wiki.debian.org/HowTo/shorewall

A personal firewall won't fix outbound dns lookups by bsd-mailx or exim4 trying to email the hapless user (since you can't block outbound dns lookups without breaking Tor, yes?), or the lack of security awareness of certain otherwise useful STEM applications.

Question: what iptables rules are likely to break the proper functioning of Tor traffic from a PC which uses a commercial SOHO router with DHCP server to connect to the internet?

Examples of legit Tor traffic from a PC running Debian 9.0:

o Tor Browser

o debian-tor for updating software via the onion mirrors

"HOWTO make an anonymous blog using Onion services" would be a good subject for a future post in this blog.

Do you need to have a working "clearweb" site before you can add a "darkweb" site?

June 27, 2017

Permalink

i've been using hotspot shield vpn elite to hide my ip address. does anyone know if this is a good app to use for this purpose?

I think the right answer you should get here is: using Tor Browser will be much safer.

There are many differences, but the first two that come to mind are:

A) Hotspot shield is a centralized service, so it gets to see everything you do, and sell it:
https://svn.torproject.org/svn/projects/articles/circumvention-features…

B) You need all of the application-level privacy and security fixes that Tor Browser provides. Using a default Chrome or Safari or Firefox or whatever, even if your underlying VPN service is somehow perfect, means you leave many huge holes open:
https://sedvblmbog.tudasnich.de/projects/torbrowser/design/

June 28, 2017

Permalink

I'm really enjoy surfing with Tor, I don't have a bunch of money grubbing assholes following me around. What a refreshing change.

June 30, 2017

Permalink

Seit dem Update läuft Tor nicht mehr stabil und schmiert ständig ab. Erweiterungen lassen sich auch nur noch bedingt nutzen. Rückschritt!

My possibly horrendous translation:

> Updating Tor (Browser) is not very stable and is always a pain. Let's work towards keeping (updating) usable. Falling back (to the previous version)!

I don't dare try to attempt to translate my reply:

Updating never works for me either, but I have always been able to simply download the latest tarball (link will be the Download page at torproject.org), verify the detached signature, unpack the tarball in an suitable directory, untar, and away I go!

pastly

June 30, 2017

Permalink

You will probably have better luck getting help if you are able to speak English. :/

It sounds like your Tor Browser no longer works. What OS are you on? Do you have antivirus installed? If you uninstall the antivirus, uninstall Tor Browser, then reinstall Tor Browser, does it work?

June 30, 2017

Permalink

I've read that several large ISPs (I think ATT, Charter, Comcast among others) have at times routinely used MITM (Man in the Middle) attacks to perform DPI (deep packet inspection) on *all* their customers for the purpose of selling data about individual browsing history, calling circle, banking transactions, etc, to corporations, governments, stalkers, whomever is willing to pay whatever the ISPs charge for these vast troves of detailed (and potentially dangerous) data on the habits of individual citizens and their families.

Do we have reason to think Tor Browser provides strong protection against this kind of DPI?

Short answer is yes, that's one of the things Tor does quite well.

The DPI at the ISP point can discover that you are using Tor, but not easily discover what you are *doing* with Tor.

All of the browser layer stuff is wrapped in many layers of encryption at that point, so it should be quite hard for the attacker to reconstruct.

It's not perfect -- nothing is -- but it's way better than the situation where you use a VPN provider and then the VPN provider is in exactly the right position to screw you just like your ISP was.

For more reading check out
https://svn.torproject.org/svn/projects/articles/circumvention-features…

July 03, 2017

Permalink

Browser window warning

Your standard browser window size is probably square.
Unfortunately this size is not an option on some laptops which means that the size is cut off underneath.
This gives a yellow browser window size warning, over and over again, maybe it stops after 10 or 15 warnings.
Please reduce the standard window-size or come up with something smart.
Older laptops do not have 4k resolution and have therefore limited vertical space.

Interesting. I wonder how this is happening in your case. We round the browser window (the one for the content) to a multiple of 200x100 depending on your screen site with max 1000x1000. Thus it seems something is gone wrong for you.

Is "Your standard browser window size is probably square." part of the error message? If so, what is the whole error message (that's a bit hard for me to figure out)? Do you get it during start-up just once or every time you start Tor Browser?

July 04, 2017

Permalink

Still learning this new version of internet. Really enjoy how helpful people are, and the epicness of everything that the community releases to move us forward. I'm sold, and am here to stay!

July 05, 2017

Permalink

hi

August 23, 2017

Permalink

hi,
tor browser dont start after 6.5 version on windows 8.1. all versions from 7.0,up to 7.0.4 dont work, i must reinstall the 6.5 version eveytime after all update to all 7 version .
have you an idea?
ps: on windows xp sp3 it work nice , no problems