Tor Browser 7.0.1 is released
Tor Browser 7.0.1 is now available from the Tor Browser Project page and also from our distribution directory.
This release features important security updates to Firefox.
This is the first minor release in the 7.0 series, updating Firefox to 52.2.0esr, Tor to 0.3.0.8, and HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying freezing of Tor Browser which is due to a NoScript bug and made the security slider window slightly larger.
Here is the full changelog since 7.0:
- All Platforms
- OS X
  - Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0
Comments
Please note that the comment area below has been archived.
tenks
tenks
TOR is by far one of the…
TOR is by far one of the best internet tools I have ever come across, thank you guys, keep up the good work.
I don't know what I can do it…
I don't know what I can do it .. what is so special about tor browser
Tor protects your anonymity…
Tor protects your anonymity. You can communicate freely on Tor without worrying that your information will be used to harm you. It's worth doing. Free and easy to use.
If you are concerned about…
If you are concerned about your security and anonymity there are times when you need this and a vpn that is on all of the time.
Tor Browser looks and feels…
Tor Browser looks and feels just like Firefox, because it is a modification of Firefox. So why use Tor Browser instead of "plain vanilla" Firefox? There are many reasons, but two of the most important reasons why "TB is for everyone" are that:
o TB offers strong (but by no means perfect or perfectly assured) anonymity, preventing your ISP and other actors--- or rather the behavioral predictive analysis software run by their corporate clients which are continually analyzing the "data exhaust" constantly emitted by unprotected citizens--- from learning every detail of our private lives, and using the information to manipulate us into acting in their interest rather than the interests of our friends and families,
o TB offers strong (but by no means perfect) protections against various other kinds of internet nastiness which is often associated with criminal activity or--- increasingly--- with state sponsored cyberwar actions targeting the entire populations of "combatant" nations in some secretive undeclared cyberwar.
Explaining why such protections are increasingly required urgently even by "ordinary citizens"--- even by the most modest grocer in some open air market using a cell phone to carry out financial transactions in order to operate a fruit stall, or a housewife doing the family shopping--- would require more space than the moderators will allow us, but you might look for any of these books:
Cathy O'Neil, Weapons of Math Destruction
Bruce Schneier, Data and Goliath
Julia Angwin, Dragnet Nation
Brian Krebs, Spam Nation
(to mention just a few of the best of many on related topics which I've read in the past few years).
I agree! Thanks guys!
I agree! Thanks guys!
It's crap, my antivirus…
It's crap, my antivirus detects it as a virus with trojans tr/atraps.gen2; better to add an option to block automatic updates
using torbrowser 7.0.1 at…
using torbrowser 7.0.1 at ipcheck.info, authentication shows in red [bad]
why is this? is cause for concern?
Should I use v6.5.2 or v7.0…
Should I use v6.5.2 or v7.0.1 with session authentication fail?
You should use version 7.0.1…
You should use version 7.0.1. Version 6.5.2 has known security vulnerabilities.
thx. so it's not a problem…
thx. so it's not a problem with Authentication red in ip-check.info?!
If you create a new identity…
If you create a new identity it will show a different authentication number. The site must have not noticed the update or something
We think this is a bug in…
We think this is a bug in the test which is not able anymore to detect our defense against that tracking method. See: https://trac.torproject.org/projects/tor/ticket/21756.
But I think that is real…
But I think there is a real problem when I closed all tabs, cleaned cache web content, changed tor circuit and if I reloaded ipcheck.info it shows me the same unique ID number of authentication until I quit torbrowser.
So where does the number…
So where does the number come from ?
Let's assume you have domain…
Let's assume you have domain A in your URL bar which embeds an iframe C doing the tracking trick ip-check.info deploys. In Tor Browser < 7 we did not allow A reading authentication credentials C tried to set which is why the ip-check test showed a green result. Think about forbidding 3rd party cookies which is basically the same. Now while this is blocking tracking across domains (e.g. if C were embedded in a different URL bar domain B as well) the downside is that it may break some sites, e.g. if A tries to access that information which is usually available.
In Tor Browser 7 we changed that by allowing A to access the HTTP auth saved by C which is all the ip-check test checks (and hence is showing you the scary warning now) BUT we prevented at the same time B from reading that value saved by C formerly while the user has been on A. Thus, tracking across domains (across A and B) is prevented, but the ip-check needs an update to take that into account. If you want to have a test, take the one Arthur has written in https://trac.torproject.org/projects/tor/ticket/21756#comment:2. It's not so fancy, yes, but it tests what is actually happening.
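The difference between the two checks discussed in the reply above can be modelled in a few lines. This is an added example, not Tor Browser code or the test from the ticket: the policy labels, class and function names and the `*.example` domains are all assumptions made for illustration.

```javascript
// Simplified model of an HTTP-auth credential cache.
// A and B are URL-bar (first-party) domains, C is the embedded third-party frame.
// Policy names are hypothetical labels, not Tor Browser preference names.
const POLICIES = ["global", "block-third-party", "first-party-isolated"];

class AuthCache {
  constructor(policy) {
    if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
    this.policy = policy;
    this.store = new Map();
  }

  // With isolation, the URL-bar domain becomes part of the cache key.
  key(firstParty, origin) {
    return this.policy === "first-party-isolated"
      ? `${firstParty}|${origin}`
      : origin;
  }

  // The "forbid third-party access" model described for Tor Browser < 7.
  blocked(firstParty, origin) {
    return this.policy === "block-third-party" && firstParty !== origin;
  }

  save(firstParty, origin, value) {
    if (this.blocked(firstParty, origin)) return false;
    this.store.set(this.key(firstParty, origin), value);
    return true;
  }

  read(firstParty, origin) {
    if (this.blocked(firstParty, origin)) return null;
    return this.store.get(this.key(firstParty, origin)) ?? null;
  }

  // New Identity starts again from an empty cache.
  newIdentity() {
    this.store.clear();
  }
}

// Same-site check: C stores an ID while embedded in A and reads it back under A.
function sameSiteCheck(policy) {
  const cache = new AuthCache(policy);
  cache.save("a.example", "c.example", "id-123");
  return cache.read("a.example", "c.example") === "id-123";
}

// Cross-site check: C stores an ID under A and tries to read it while embedded in B.
function crossSiteCheck(policy) {
  const cache = new AuthCache(policy);
  cache.save("a.example", "c.example", "id-123");
  return cache.read("b.example", "c.example") === "id-123";
}

// Does the stored ID outlive a New Identity?
function survivesNewIdentity(policy) {
  const cache = new AuthCache(policy);
  cache.save("a.example", "c.example", "id-123");
  cache.newIdentity();
  return cache.read("a.example", "c.example") === "id-123";
}

function evaluatePolicies() {
  return POLICIES.map((policy) => ({
    policy,
    sameSiteLinkable: sameSiteCheck(policy),
    crossSiteLinkable: crossSiteCheck(policy),
  }));
}

console.table(evaluatePolicies());
```

Only the cross-site column measures tracking across URL-bar domains; a test that looks at the same-site column alone cannot tell the isolated cache from an unprotected one.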
thanks for another great…
thanks for another great release! tracking mozilla's release cycle so closely is exciting and much appreciated
For some reason I cannot get…
For some reason I cannot get the Mac version of TOR 7.0.1 to download. Tried it multiple times with no success. The file directory page shows the file links are broken. I've been using the 7.0.1a RC version for some time now without issue.
Which link is broken?…
Which link is broken?
The download links from the Tor Browser page should be working:
https://sedvblmbog.tudasnich.de/download/download-easy.html.en
Why does TB 7.0* need access…
Why does TB 7.0* need access to:
/proc/*/net/route r,
/proc/*/net/arp r,
How do you tell it does?…
How do you tell it does? What are you using, SELinux or what?
Debian Jessie, apparmor…
Debian Jessie, apparmor.
"Could not connect to control port"
"Failed to take control of Tor"
How do you tell it does?…
How do you tell it does? What are you using, SELinux?
My guess is https://bugzilla…
My guess is https://bugzilla.mozilla.org/show_bug.cgi?id=1240932. See https://trac.torproject.org/projects/tor/ticket/21727 for the ticket on our side.
has anybody had experience…
has anybody had experience with protonmail issues? since version 7.0 there are some performance problems. works still with older versions before 7.0
Yes, you should set the…
Yes, you should set the security slider to low to get it to work without issues.
It's because in the Medium settings JS JIT (Just-in-time compilation) is disabled.
Change security slider.
Change security slider.
see…
see
https://trac.torproject.org/projects/tor/ticket/22544
https://trac.torproject.org/projects/tor/ticket/22500
or try to get access to…
or try to get access to protonmail bridge
I think that since v7 some…
I think that since v7 some sites don't work as they used to. For example, some images aren't loaded or the layout of some sites looks different.
Also, taking a screenshot using shift+F2 doesn't work the same as before, for example the dpr or the fullscreen switches don't work, and you don't get the option to select the path of the file.
It would be great if you…
It would be great if you could post some way to reproduce your issues.
I think that the first part…
I think that the first part was due to cloudflare messing things up, maybe more aggressively than how it used to.
The second part is easily reproduced, for example Shift+F2, then 'screenshot test.png --fullscreen'
Which operating system is…
Which operating system is that? FWIW there is no --fullscreen option it seems. I guess you mean --fullpage? Testing on a Linux box I have both options available. But, yes, there is no option to select the path to save the item. But that is not available with a vanilla Firefox as well it seems.
You are right, the option is…
You are right, the option is --fullpage and the bug appears on windows.
Tested on a Windows 7…
Tested on a Windows 7 machine both with normal Firefox and with Tor Browser 7: the result is the same for me. Both options are there, the fullpage mode is working and in both browsers there is no prompt for the path. What steps to reproduce your problem am I missing?
v7.0 & v7.0.1 - neither one…
v7.0 & v7.0.1 - neither one can I save any image files to disc. v6.5.2 works fine. No modifications or changes to the settings, whatsoever.
Anyone with this same issue?
How are you trying to do…
How are you trying to do that? Could you give us an example URL where that is not working anymore for you as well?
Maybe, but only with video…
Maybe, but only with video.
NoScript requires the video to be blocked, you mustn't have allowed a temporary permission for it, in order to successfully download the file. Otherwise, it may ask you where to save it but not actually download it. This is a regression by the way.
I tested downloading an image with high security settings and it worked. Have you changed any settings to TorBrowser or NoScript?
Have you steps to reproduce…
Have you steps to reproduce that regression?
Yes…
Yes.
1. Go to: https://gemmei.ftp.acc.umu.se/pub/debian-meetings/2016/miniconf_cambrid…, NoScript will display the video as a blocked object.
2. Click on the object and allow the video to play.
3. Right click "Save Video As...", choose a location, and accept.
4. Open "about:downloads" to verify the video isn't downloading.
5. Now, right click anywhere and under the NoScript menu click "Revoke Temporary Permissions".
6. Repeat step 1, you will be presented with the blocked object. Right click on that object and choose "Save Link As...", accept.
7. Open "about:downloads" and verify the video is now downloading.
Interesting, thanks. Which…
Interesting, thanks. Which operating system are you on?
linux64, it would blow my…
linux64, it would blow my mind if this was linux specific, though.
And if I may, I'll sneak another minor bug report in, when running tor-browser with "./start-tor-browser.desktop --detach --log" two "tor-browser.log" files are created, one inside "tor-browser_en-US/", the current working directory, which is where it should be, and an empty one in the users home dir. That one shouldn't be there.
Thanks!
Hm, interesting. I just…
Hm, interesting. I just checked but I only get the first, intended one. Do I need to do something in particular to trigger the creation of the other log file starting with a clean, new Tor Browser?
I just did some testing, the…
I just did some testing, the problem is somewhere in "start-tor-browser.desktop".
This is what I did: extracted the tor-browser tarball into the home dir, changed the working directory to ~/tor-browser_en-US, ran "./start-tor-browser.desktop --log --detach". The extra empty log file was there. I also tried swapping '--log' and '--detach', and not changing the working directory from home, it still happened.
If I run "~/tor-browser_en-US/Browser/start-tor-browser --log --detach" directly, then only one log file is created.
I don't use *.desktop files so I may be way off, but isn't '--detach' implied? I don't know how options are being passed to 'start-tor-browser', if at all, but maybe it's running '--detach' twice?
I see, thanks for reporting…
I see, thanks for reporting and investigating. I've opened https://trac.torproject.org/projects/tor/ticket/22633.
But it works for the second…
But it works for the second time (or any? when extapphelper dialog appears :)
Okay, I've filed https:/…
Okay, I've filed https://trac.torproject.org/projects/tor/ticket/22616 for this problem. Thanks for reporting.
Same here…
Same here.
TorBrowser 7.0.x is garbage, everything is broken. Cannot save images, cannot save pages, cannot delete cookies, cannot nothing
TBB 6.5.x worked correctly.
I made bug reports about those issues:
https://trac.torproject.org/projects/tor/ticket/22714#ticket
https://trac.torproject.org/projects/tor/ticket/22715#ticket
https://trac.torproject.org/projects/tor/ticket/22711#ticket
I don't think "garbage" is…
I don't think "garbage" is warranted, but FWIW I also experienced problems with TB 7.0.1 under Debian 9 (Stretch):
When I try to download files from links seen in TB, trying to save them in Browser/Downloads directory, no files are downloaded (according to "Downloads") and no files appear in any directory I looked in. Perhaps some security measure gone afoul?
I verified the TBB 7.0.1 tarball before unpacking it. Did I miss new instructions for where to try to put files one is trying to download via TB?
(Tails has long restricted where users can try to stash downloaded files, for security reasons, which explains my guess above for the cause of the issue.)
Avast(antivirus) flipped out…
Avast(antivirus) flipped out on tor after it updated to 7.0.1 for me, same with the 7.0.1 installer. (Both got were "IDP generic Infection") Now I can't even download the installer (Avast is blocking it), what do I do?
I think you should get rid…
I think you should get rid of Avast. If you really think you need some firewall/antivirus means use the Windows ones.
Cloudflare is going crazy…
Cloudflare is going crazy again?
Can't goto theregister.co.uk with tbb7.0.1, tested without javascript.
Is this the permanent state of affairs now?
I see this…
I see this.
"Please turn JavaScript on and reload the page.
DDoS protection by Cloudflare"
but I don't go to theregister regularly.
See this comment https:/…
See this comment https://ocewjwkdco.tudasnich.de/comment/268994#comment-268994
Every time you post to blog…
Every time you post to ocewjwkdco.tudasnich.de, it's loading endless. Striking and traceable?
It might be https://trac…
It might be https://trac.torproject.org/projects/tor/ticket/22530 but it is hard to say without knowing more about your Tor Browser settings.
Cannot speak for the OP but…
Cannot speak for the OP but I see the same without security slider problem.
javascript off, cookies thirdparty never, loading loop after posting.
I have same problem using TB…
I have same problem using TB 7.0.1 with security slider on high, as per
https://trac.torproject.org/projects/tor/ticket/22530
I have same problem but find…
I have same problem but find that hitting "reload" and surfing back seems to "work".
Confirm both the problem and…
Confirm both the problem and the awkward workaround.
In torbrowser-install-x.x.x…
In torbrowser-install-x.x.x_ru (Russian localization) a long-standing problem when after two restarts website (gmail, youtube, livejournal ...) with several of the language versions opens in English. Although in the settings of TB priority is set - Russian.
Hm. I think that might…
Hm. I think that might depend on your exit relay. If that is in an english speaking country it often happens that you'll get english content. There is not much we can do about that. The localized bundles should give you a localized user interface.
It's not because of the exit…
It's not because of the exit relay. After unpacking until the first two restarts TB - everything is fine, but it's worth twice to restart TB - this problem manifests itself. If you move Up "Русский [ru-ru]" in the settings, the problem is solved. But exactly up to two restarts TB - then everything repeats.
Thanks, what do you mean…
Thanks, what do you mean with "If you move Up [...] in the settings"? Where do I need to do that in order to reproduce your problem?
Настройки > Содержимое >…
Настройки > Содержимое > Языки (Выбрать).
[Options > Content > Languages (Choose)]
So, I looked at it and found…
So, I looked at it and found at least one bug (I opened https://trac.torproject.org/projects/tor/ticket/22659) but I am not sure whether it is your bug. :) So, when you hit this issue did [ru] get dropped (again) from Options -> Content -> Languages or do you see the problem but it is still there?
Giving your "longstanding issue" I am assuming the latter but I want to be sure to investigate further if necessary.
EDIT: Re-reading your original post I found "Although in the settings of TB priority is set - Russian. " so it seems you experience that problem despite Russian still be the top priority, hm.
Yes, that problem despite…
Yes, that problem despite Russian still be the top priority.
Tor Browser v7.0.x (Linux…
Tor Browser v7.0.x (Linux x86_64) seems slower than the previous v6.5.x series. Is this because the underlying Firefox ESR got slower, or something to do with the Tor mods?
By "slower" I mean browser functionality, not networking throughput.
I'd assume that's because of…
I'd assume that's because of the underlying Firefox ESR, although it is hard to tell. What does "seems slower" mean? Do you have some kind of measurements? If so, how can I repeat those?
Before, when I clicked New…
Before, when I clicked New Identity, the browser was immediately closed and re-opened. With v7.0.x there's a hesitation of a few moments before the browser window is closed. In some cases the new window is opened even before the old one is closed, leaving 2 browser windows on the screen for an instant.
There is a way to instrument Firefox performance, and one of the metrics is browser start up. Sorry, I don't recall how to enable the metrics. It's been years since I've done it.
Okay, thanks. That…
Okay, thanks. That particular issue is tracked in https://trac.torproject.org/projects/tor/ticket/22536. We might be able to do something about it, not sure yet, though.
Again Tails comes out at the…
Again Tails comes out at the same time on the day Torbrowser has a new release, leaving Tails insecure and unusable with an insecure version of Torbrowser.
This ongoing cooperative disconnection is a gift for governments and organizations that want to break people's safety and security.
What is the agenda behind this ongoing not working together?
Please give the Tails people a chance to put the latest Torbrowser versions in their newest Tails versions.
Please work together.
Or is it mozilla that is always planning important security updates on release dates of Tails?
It is not a coincidence anymore and it is not good for trust in your products.
Tails shipping at the same…
Tails shipping at the same day as Tor Browser gets out already includes that new Tor Browser version. We coordinate with the Tails folks to avoid exactly the scenario you describe.
Your news update on Tails…
Your news update on Tails in
https://ocewjwkdco.tudasnich.de/blog/tails-30-out
states
"Update Tor Browser to 7.0 (based on Firefox 52 ESR) ".
If you work together, which is and would of course be highly appreciated, why do you mention "update to Torbrowser 7.0" instead of "7.0.1"?
7.0 is both mentioned on Torproject blog page as on the tails website.
Please make clear which browser version of Tor is in Tails.
The latest 7.0.1 one or the 7.0 one?
Thank you very much
A bigger problem with Tails…
A bigger problem with Tails is you get NO persistent Guard nodes!
Tails should come out with a…
Tails should come out with a new Debian release on June 17 to prevent such cases.
I wonder why 7.0 asks me to…
I wonder why 7.0 asks me to update to 7.0.1, and I found out that's because app.update.auto=false, but I hadn't changed it! Possibly, it happened during 6.5.2 to 7.0 update. I'm on Windows 10.
Hard to tell what is going…
Hard to tell what is going on. I just tried to reproduce your theory but the preference stays "true"...
Unable to print preview,…
Unable to print preview, crashes the tor browser (windows 10).
This is repeatable? In case…
This is repeatable? In case you did use a previously installed version, does this happen as well with a clean, new Tor Browser installed in a different location?
There's indeed some problem…
There's indeed some problem with the print preview since TOR version 7.00 including 7.01 and 7.02:
Only a scale setting of 100% or "scale to fit page size" shows a correct print preview window. Any other value below 100% shows a grey area only.
This is on Ubuntu Linux with an European localised TOR version where our decimal point is a comma (i.e. "3,14" instead of "3.14"). When setting the scale factor in the print preview to, say, 80%, the localised TOR stores in about:config window this:
print.print_scaling = 0.50
But it should be:
print.print_scaling = 0,50
When I manually set the "0,50" in the about:config window, I can see a correct print preview once, and then I can also print with the correct scaling, but after I close the print preview window, the next time It opens it's again a grey area only, and with value = "0.50" again in the about:config window.
In TOR versions 6.x the values always have been "0,x" i.e. with comma instead of point, and everything worked fine. When having automatically upgraded from 6.x to 7.x the print preview worked (i.e. "0,50" values were stored in print_scaling) but with a fresh TOR 7.x installation, it won't work.
It has problems with fonts …
It has problems with fonts (tofu on buttons), but not crashes.
Yes, I added that to https:/…
Yes, I added that to https://trac.torproject.org/projects/tor/ticket/22070.
I don't have Mac OS. Why does…
I don't have Mac OS. Why does the bug 22542 report that? Is it a cause of concern?
No. It was just reported in…
No. It was just reported in a macOS context and we fixed it for that one.
Bug 22542: Security Settings…
It is still too small to fit Medium level description on Windows :)
Which is why you have a…
Which is why you have a scrollbar. :)
Maybe, make it wider this…
Maybe, make it wider this time? :)
why it's not possible to…
why it's not possible to create account on Instagram via tor browser? It says: "Sorry, something went wrong creating your account. Please try again soon."
Thank you for this. I think…
Thank you for this. I think you keep improving Tor and I appreciate it.
The following custom torrc…
The following custom torrc for Tor 0.3.0.8 causes it to exit unexpectedly only when launched through the browser:
AvoidDiskWrites 1
Log notice stdout
CookieAuthentication 1
ControlPort 9622
SocksListenPort 9623
The problem lies with these three variables:
ControlPort
SocksPort
SocksListenAddress
Remove all three of them, the browser can start tor without issue. Put any one of them back and tor crashes.
The strange thing is if you launch tor.exe separately and supply those on the commandline it launches without crashing:
NOTE: I also tried HashedControlPassword with same result
So I tried the following…
So I tried the following thing:
1) I took a clean Tor Browser 7.0.1
2) I started it and closed it
3) I edited the torrc file and added
ControlPort 9622
SocksPort 9623
4) I restarted Tor Browser and it worked
Regarding SocksListenAddress see: https://trac.torproject.org/projects/tor/ticket/22546
Do you have by chance steps to reproduce your issue?
It appears to be a problem…
It appears to be a problem with the ports, It works fine if I change the ports to something else.
The strange thing is that netstat (windows) does not report those ports in use but tor.exe definitely crashes before the browser can even connect to it. The browser reports it exited unexpectedly.
Are they maybe used by the…
Are they maybe used by the browser already without specifying them in the torrc file? network.proxy.socks_port and extensions.torlauncher.control_port are the relevant preferences (you can look the values of those up on the about:config page in Tor Browser).
How to enable torrent…
How to enable torrent-magnets to work ?
I.e, calling the torrent client on a click.
I would expect magnet: link…
I would expect magnet: link to show up in
Options (or Preferences), Applications pane
The help button (question mark in upper right side) goes to
https://support.mozilla.org/en-US/kb/applications-panel-set-how-firefox…
Then the follow link to
https://support.mozilla.org/en-US/kb/change-firefox-behavior-when-open-…
Adding Download actions.
Does that help?
Both 7.0 and 7.0.1 don't…
Both 7.0 and 7.0.1 don't work for me. Tabs crashes immediately when trying to open an url.
Could you give us more…
Could you give us more details about your setup? Does that happen with a newly downloaded Tor Browser? Does it matter which URL (i.e. can you give us an example)? Which operating system are you on? If Windows, do you have antivirus/firewall software installed that could interfere with Tor Browser? If so, could you uninstall it for testing purposes (disabling is often not enough)?
Should I change dom.ipc…
Should I change dom.ipc.processCount to i.e. 8 to launch a new process for every tab (8) open in the browser?
I think that won't work in…
I think that won't work in Tor Browser 7 which is based on Firefox 52. e10s-multi (which means more than one content process) is not available before Firefox 55 on release channels.
I just posted a comment …
I just posted a comment (reply to another comment).
Besides the expected:
Your comment has been queued for review by site administrators and will be published after approval.
I also got this:
Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).
Can't connect with bridges…
Can't connect with bridges after updating from 700 to 701. Started fine before update and worked before I did the update, now stuck on the connecting window. It was working literally 5 minutes earlier. custom obf4 bridges. win 32-bit. Now I have to connect w/o bridges or it won't work. This happened about a year ago too after an update.
16.6.2017 04:24:59.900 [NOTICE] Ignoring directory request, since no bridge nodes are available yet.
16.6.2017 04:24:59.900 [NOTICE] Bootstrapped 5%: Connecting to directory server
16.6.2017 04:25:00.100 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
16.6.2017 04:25:00.600 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
16.6.2017 04:25:00.700 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
16.6.2017 04:25:00.800 [NOTICE] Bootstrapped 50%: Loading relay descriptors
16.6.2017 04:25:02.300 [WARN] Proxy Client: unable to connect to xxxxxxxxxxxxxxx ("general SOCKS server failure")
16.6.2017 04:25:07.100 [WARN] Proxy Client: unable to connect to xxxxxxxxxxxxxxx ("general SOCKS server failure")
16.6.2017 04:25:40.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
16.6.2017 04:25:40.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
16.6.2017 04:25:40.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
16.6.2017 04:25:40.900 [NOTICE] Delaying directory fetches: DisableNetwork is set.
The web site http://torforum…
The web site http://torforum.org is fake and has nothing to do with the Torproject. Right?
Yes, that is nothing we…
Yes, that is nothing we maintain, see "Unofficial forum about Tor Project" on that page.
How do I change my IP…
How do I change my IP without clicking "new identity", "New Tor Circles for this Site", or waiting some minutes?
Many thanks for providing…
Many thanks for providing Tor, Tor Browser, Tor Messenger &c!
It seems that your web page listing signing keys
https://sedvblmbog.tudasnich.de/docs/signing-keys.html.en
is seriously out of date. Both keys listed for Roger D appear to have been revoked (but this is "unverified", says at least one key server). The first key listed for Peter P also appears to have been revoked. And Jacob A is listed as signing some Tor products, but if memory serves he is no longer with Tor Project.
Also, when I try to post, the page appears to reload endlessly, so the new blog format may not be working correctly.
Yeah, this one's been…
Yeah, this one's been bugging me for a while too. I just opened
https://bugs.torproject.org//22637
so we can remain aware of it.
(It is fine and reasonable to have old keys on the list, since the goal of the page is to describe all of the keys that have signed all of the packages over time.)
Hi, arma, thanks for opening…
Hi, arma, thanks for opening the bug report.
> (It is fine and reasonable to have old keys on the list, since the goal of the page is to describe all of the keys that have signed all of the packages over time.)
Fair enough, but you should state this on the page and should probably explain that Tor Project knows some of the keys have expired.
It would be of great interest to hear anything you are willing to share about why the keys were revoked. I am guessing "was tired, goofed, revoked key in abundance of caution" rather than "uncovered unambiguous evidence of GRU messing with my keyring", but as World+Dog finally appears to recognize, the latter scenario should never have been regarded as highly implausible.
Neither of my keys have been…
Neither of my keys have been revoked. The 4096-bit one has a subkey, and the subkeys periodically expire and I replace them with fresh ones. It's possible that your pgp or gpg or whatever is displaying the expired ones as revoked, when really it should just be saying "expired".
It's also possible you have fake keys that claim to be mine but aren't. Some years ago some jerk published fake keys (i.e. keys that collide in the last 8 hexes) for all of the top 1000 pgp keys. See e.g. https://lwn.net/Articles/698203/
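The short key ID problem mentioned in the comment above, as an added example (not Tor Project code): it parses a `gpg --with-colons` style listing and compares each primary key against a pinned full fingerprint instead of the last 8 hex digits. The listing, fingerprints, user IDs and function names are constructed for illustration.

```javascript
// Constructed `gpg --with-colons` style listing: three primary keys, two of
// which share the same last 8 hex digits. All fingerprints and UIDs are made up.
const SAMPLE_LISTING = [
  "pub:-:4096:1:89ABCDEF89ABCDEF:1262304000:::-:::scESC:",
  "fpr:::::::::0123456789ABCDEF0123456789ABCDEF89ABCDEF:",
  "uid:-::::1262304000::::Example Signer <signer@example.invalid>:",
  "sub:-:4096:1:1111111122222222:1262304000::::::s:",
  "fpr:::::::::AAAAAAAABBBBBBBBCCCCCCCC1111111122222222:",
  "pub:-:4096:1:7654321089ABCDEF:1404172800:::-:::scESC:",
  "fpr:::::::::FEDCBA9876543210FEDCBA987654321089ABCDEF:",
  "uid:-::::1404172800::::Example Signer <signer@example.invalid>:",
  "pub:-:2048:1:CCDDEEFF01020304:1325376000:::-:::scESC:",
  "fpr:::::::::00112233445566778899AABBCCDDEEFF01020304:",
  "uid:-::::1325376000::::Someone Else <other@example.invalid>:",
].join("\n");

// Accepts "0123 4567 ..." or "0123456789..." and returns 40 uppercase hex digits.
function normalizeFingerprint(fp) {
  const cleaned = String(fp).replace(/\s+/g, "").toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(cleaned)) {
    throw new Error(`not a 40-digit fingerprint: ${fp}`);
  }
  return cleaned;
}

// The 8-hex-digit short ID is just the tail of the fingerprint.
function shortId(fingerprint) {
  return fingerprint.slice(-8);
}

// Collect primary keys only; the fpr record that follows a sub record belongs
// to the subkey and must not overwrite the primary fingerprint.
function parseKeys(listing) {
  const keys = [];
  let current = null;
  let inPrimary = false;
  for (const line of listing.split("\n")) {
    const f = line.trim().split(":");
    switch (f[0]) {
      case "pub":
        current = { fingerprint: null, uids: [] };
        keys.push(current);
        inPrimary = true;
        break;
      case "sub":
        inPrimary = false;
        break;
      case "fpr": // field 10 carries the fingerprint
        if (current && inPrimary && !current.fingerprint) {
          current.fingerprint = normalizeFingerprint(f[9]);
        }
        break;
      case "uid": // field 10 carries the user ID
        if (current) current.uids.push(f[9]);
        break;
    }
  }
  return keys.filter((k) => k.fingerprint);
}

// What a lookup by short ID returns: possibly more than one key.
function lookupByShortId(listing, id) {
  const wanted = String(id).replace(/^0x/i, "").toUpperCase();
  return parseKeys(listing).filter((k) => shortId(k.fingerprint) === wanted);
}

// Compare every key against the pinned full fingerprint.
function classifyKeys(listing, pinnedFingerprint) {
  const pinned = normalizeFingerprint(pinnedFingerprint);
  return parseKeys(listing).map((k) => {
    let verdict = "unrelated";
    if (k.fingerprint === pinned) verdict = "match";
    else if (shortId(k.fingerprint) === shortId(pinned)) verdict = "short-id-collision";
    return { ...k, verdict };
  });
}

const PINNED = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 89AB CDEF"; // constructed
console.log(classifyKeys(SAMPLE_LISTING, PINNED).map((k) => `${k.fingerprint} ${k.verdict}`));
```

The same user ID appears on both colliding keys, so neither the short ID nor the name separates them; only the full fingerprint does.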
Interesting discussion,…
Interesting discussion, thanks--- I am rarely able to read LWN so a working link was a treat! I was aware of the short key-id issue but we should all probably do more to make more Tor users aware of it.
I have a link for you too. The Intercept is publishing an important series of stories which I hope Tor leadership will read, since I think it supports the view I have expressed for many years that ordinary citizens are far more likely than most people yet acknowledge to be targeted by some pretty frightful operatives, and reveals the urgency of strengthening Tor to help ordinary citizens protect themselves from political stalking and other targeted surveillance:
https://theintercept.com/2017/06/21/as-standing-rock-camps-cleared-out-…
As Standing Rock Camps Cleared Out, TigerSwan Expanded Surveillance to Array of Progressive Causes
Alleen Brown, Will Parrish, Alice Speri
21 Jun 2017
I note that people with all kind of political views can be targeted in such operations--- the takeaway of the Intercept series, I think, is that citizens need not encourage even modestly illegal actions (e.g. sit-ins) or even to be very "radical" to be personally targeted by all kinds of groups, potentially including non-governmental hate groups as well as corporate or "establishment" political operatives, and of course various "security authorities".
I worry about the authenticity of security-critical keys used to sign Tor products and other personal cybersecurity products. No doubt you would agree that the Web of Trust has many deficiencies (e.g most Tor users lack opportunity to attend key-signing parties with Tor employees who sign packages), but it seems no-one has yet developed a credible improvement and I think that has to change as governments (and . I recognize that "absolute confidence" is a chimera, but ask developers to recognize that "defense in depth" against malicious schemes employed by governments and other attackers hardly requires large quantities of Unobtainium to be effective. The goal should be significantly hinder attackers while maintaining a reasonable level of convenience for users. Even a very sophisticated state-sponsored attacker, like any kind of predator, is likely to focus on "low hanging fruit", in the context of what governments and megacorporations view as a global environment rich with multiple potential threats to their wealth and power.
I love the notion of using onion services to thwart governments and other attackers using MITM type schemes to trojan software as it is being downloaded (potentially altering signing keys and detached signatures to mask a malicious modification to a software package). As Tor Messenger matures, is it possible that some brainstorming might reveal a useful scheme exploiting TM and/or onion services to improve user confidence in authenticity of signing keys? (Ideally, not just for Tor Project but for any FOSS project.)
Can you ask the Tails…
Can you ask the Tails developers to integrate the Tor-keys in Tails. It would be a smart! possibility to test the integrity of an TBB download.
"[...] integrate the Tor…
"[...] integrate the Tor-keys in Tails."
Yesss, please do that. I propose that,too.
It's comical to trust the process of verifying TBB download on the same PC with installed operating system, if you don't trust this downloaded TBB.exe with fingerprint integrated -sha1(-:.
The possibility to test this TBB download with good verified Tails would help more than a little bit.
Plus one. This is exactly…
Plus one. This is exactly the kind of easy measure which can improve user confidence with very little extra trouble to developers.
Well, this is certainly an…
Well, this is certainly an awkward development:
From:
https://sedvblmbog.tudasnich.de/about/sponsors
...
Active Sponsors in 2017:
...
SRI International (2011-2017)
And from
https://wikileaks.org/vault7/#Cherry%20Blossom
Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International).
CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for "Man-In-The-Middle" attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.
...
Interesting!…
Interesting!
We've used them as a pass-through funder for two grants:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorR
https://lists.torproject.org/pipermail/tor-talk/2015-April/037538.html
and that second one is ending in August.
It looks like SRI is a big place, and they do some harmful things. I'm still happy they've helped us handle the bureaucracy of receiving government funding.
As a final link you might find interesting, check out
https://ocewjwkdco.tudasnich.de/category/tags/form-990
Hi arma, thanks much for the…
Hi arma, thanks much for the prompt reply.
I think you once told me what "pass-through" means, but that was years ago and I have forgotten the definition.
Agree that these government think-tanks and even some federal agencies tend to be huge institutions which have stuck their fingers in many pies, not all of them very savory.
Still, I hope this will serve as a reminder to Shari and all of the continued urgent requirement to struggle to move away from USG funding to user funding. By this point I expect a depressing report on the result of the funding drive, but even disappointing numbers might help to make some users realize that the Project really needs them to find some way to send money, precisely in order to avoid being "captured" by USG. Which is involved in all manner of "effects operations" which run completely contrary to Tor Project goals. (And to some of the USG's occasionally benign activities, no doubt.)
While I have your ear, I hope Shari is also continually working to strengthen "political" alliances which can perhaps fight off the very real danger that unbackdoored cryptology will simply be outlawed in USA, EU, or both. As I trust you both know,
o embattled PM May continues to call for backdoors in all UK crypto,
o former DNI Clapper (he of the "least untruthful answer" while testifying under oath) and other "moderate" figures [sic] continue to demand US backdoors,
o similar insistent demands in DE and other EU countries continue.
So this is a political battle which Tor Project simply cannot ignore, because if such mandates become law in nation X, Tor will no longer be legal to use in nation X. Unless TP decides to abandon the "no backdoor" vow. Which I hope will never happen, particularly if it is done *secretly*, for example after a *secret* law with a *secret* mandate forcing all technologies to *secretly* incorporate *secret* backdoors, which seems to be what Clapper & co. are really demanding when they make the nonsensical claim that society can have strong crypto and instant accessibility (to the "security authorities') at the same time.
It's likely most of the five…
It's likely most of the five eyes and partners were also pressured to loosen up the public as they suddenly started talking about backdooring as well as companies/manufacturers/citizens handing over crypto keys at the same time.
good
good
02:44:50.645 IndexedDB…
02:44:50.645 IndexedDB Maintenance finished with error: NS_ERROR_NOT_AVAILABLE: ActorsParent.cpp:18869 1 (unknown)
13:24:12.532 Unknown source…
13:24:12.532 Unknown source for one-off search: paste 1 BrowserUsageTelemetry.jsm:286
recordSearch resource:///modules/BrowserUsageTelemetry.jsm:286:15
BrowserSearch.recordOneoffSearchInTelemetry chrome://browser/content/browser.js:3856:7
handleSearchCommandWhere chrome://browser/content/search/search.xml:401:15
handleSearchCommand chrome://browser/content/search/search.xml:362:11
BrowserSearch.pasteAndSearch chrome://browser/content/browser.js:3778:5
oncommand chrome://browser/content/browser.xul:1:1
my browser does not open…
my browser does not open after the update. im using windows 10 and no screen appears or anything else after the update. ???????
Me too. Took 7.01 out,…
Me too. Took 7.01 out, reboot, put it back reboot. No error, nothing happens. Tried a Launch from the app folder, nothing happens. Tried the 7.5a test one, nothing happens. If I was not paranoid, I'd think MS had shut Tor out. Er...
Try uninstalling your…
Try uninstalling your antivirus/firewall software, it often prevents Tor Browser from starting if it ship new tor versions as the recent major version did. Disabling it might not be enough for what it is worth.
Ok, I realise ip-check.info…
Ok, I realise ip-check.info needs to fix their test for authentication... but why is it that the unique ID the test shows never changes even after manually selecting a new tor circuit?
Can someone please tell me if this is purely a result of outdated code on their site or is there also some bugs in the client? Should i feel secure using this build right now or not?
We are quite sure that this…
We are quite sure that this is a bug in the test. You get the same ID as the site can still access the tracking data it planted in your browser (but that tracking data will *not* be available to a different website which is the whole point of our defense and the ip check does not test) and selecting a new Tor circuit does not change that. You'd need to request a New Identity (on the same Torbutton menu) in that case.
Debian users anxiously…
Debian users anxiously awaiting the advent of Stretch (expected any minute as I write) will be heartened by this note confirming that the onion service mirrors should work for Stretch:
https://micronews.debian.org/index22.html
A followup post from Peter P on the mirrors in this blog would be good.
> confirms…
> confirms
Ooops--- it doesn't; I missed the date on that post. Nevertheless I hope and believe (haven't yet been able to check) that the onion mirrors will correctly handle the rollover to the new stable (Stretch, aka Debian 9), as long as your sources.list does not contain repositories which are not designated by the version name (e.g. Jessie, Stretch).
From…
From
https://www.debian.org/releases/stretch/amd64/release-notes/ch-informat…
it appears that the sources.list lines needed to use the Onion mirrors of the Debian repository is:
# deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
# deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main
As I read the page, you can change "main" to "main contrib non-free" to obtain the full repos.
My initial attempt to use this did not appear to work, but I'll try again and report back if possible. Has anyone here used the Debian mirrors with Debian 9 (stretch) successfully?
Anyone know why a base install of Debian 9 (stretch) includes linear programming solvers and other rather sophisticated mathematical tools? Is this cryptography related?
If you actually have the #…
If you actually have the # marks before the deb lines, that makes them comments, so they'll be ignored. So, remove the # characters and try again?
See also https://ocewjwkdco.tudasnich.de/blog/tor-heart-apt-transport-tor-and-debian… for more on apt-transport-tor and friends. (Note: this topic has nothing to do with tor browser.)
Can you guys help me out? I…
Can you guys help me out? I got Tor 6.5.2 but when I updated to 7.0.1 it stopped working and won't open. I tried installing it again but it doesn't work.
i have the same issue that…
i have the same issue that you do but it is quite simple to fix
just "install" it somewhere else, that worked for me but i still have the issue that when i update to 7.0.1 it stops working (i used tor with ublock origin, i tried tor without it and i still have the same issue so i dont think it is the issue)
What system are you on?
What system are you on?
Are you using Windows? If so…
Are you using Windows? If so, try uninstalling your antivirus/firewall software first and see if that fixes things. (Disabling it is often not enough.)
Tor Browser rules!
Tor Browser rules!
I found this thing loading…
I found this thing loading with firefox is stopping the load on mine.
Trusteer\Rapport
It is a bank website security thing that seems to think Tor is a valid browser to load into.
Tor disagrees.
I shut down the service and Tor loaded OK.
Ever since upgrading to Tor…
Ever since upgrading to Tor Browser 7.0.1, I have to download images twice. First the image loads in my browser, then when I click "Save Image As..." the file has to be downloaded a second time in order to save it to disk. This is new behavior that did not occur in previous versions of Tor Browser. (Fyi - I am using Windows XP, but please don't judge. Thanks!)
Yes, we did not get the…
Yes, we did not get the isolation for the first party domain right in the Save As... case (see: https://trac.torproject.org/projects/tor/ticket/22343). We have a patch which is currently under review. I hope it will be available in one of the next Tor Browser versions.
Thanks for responding! I'm…
Thanks for replying to my question! I'm glad to know what was causing the problem. Good luck with the fix. Cheers.
Tor update not possible,…
Tor update not possible, System Unsupportive!
I refuse to update Osx Mountain Lion, no need for SIRI shit!
But I hope TOR is still safe, even it refuses to update.
No, it is not in the new Tor…
No, it is not safe anymore to use the old Tor Browser (6.5.2). In the new Tor Browser version there have been a number of critical Firefox vulnerabilities fixed. Some of those might not apply to the old Tor Browser but some do.
Every time Tor Browser…
(1) Every time Tor Browser restarts, Adblock Plus loses all of its filter subscriptions! This is highly annoying and also perhaps not immediately noticeable by some (which could be a security issue).
(2) The zoom level of a tab gets reset to 100% every time I choose a different link from bookmarks. Simplest example: I open a blank tab, set zoom level to 90%, go to Bookmarks and select any page - the result will be that the tab will open with a 100% zoom level!
Re (2): This happens in a…
Re (2): This happens in a normal Firefox as well now it seems. Feel free to open a bug in Mozilla's bug tracker at https://bugzilla.mozilla.org.
Re (1): Do you have steps to reproduce that I could try? We don't ship adblockers and don't test with any of them. Thus, I could need some help here.
(2) Wow, you are right! That…
(2) Wow, you are right! That is weird...
(1) Well, this is easy. :)
- install Tor Browser,
- install Adblock Plus add-on,
- add any filter subscription to Adblock Plus (e.g. EasyList),
- close Tor Browser,
- open Tor Browser again,
- look at Adblock Plus's filter subscription list - it is empty.
Does this reproduce?
I followed your steps with a…
I followed your steps with a clean Tor Browser 7.0.1 (en-US) on a Linux box. The filter list I added (I chose the first from the drop-down menu) was still there after a restart. Note, there was already an EasyList list enabled by default before I added yet another one. And both survived a new start. So, I wonder what is different in your scenario then? Does that happen with a clean, new Tor Browser 7.0.1 if so on which platform?
I am running Tor Browser on…
I am running Tor Browser on Windows 7. And it's not a clean install, it's an upgrade from the previous version. (BTW, the bug with Adblock Plus might have appeared in version 7.0, not necessarily in 7.0.1; I used the 7.0 for too short a time to notice.)
However, since most Tor Browser users, like me, probably upgrade instead of doing a clean install each time a new version comes out, I do not believe this disqualifies the issue I've found from being looked into...
(I don't think anybody is…
(I don't think anybody is saying "Oh, you're upgrading? Then of course it should be broken and we don't want to fix it." Rather, they are trying to give you debugging steps to help you reproduce the problem better, and ideally to help you reproduce the problem in as simple a scenario as possible, so other people can see it happening too.)
I didn't say they were…
I didn't say they were saying that... :) Sorry if it came out a bit harsh.
However, I have, lamentably far too often, found that developers take the approach: "Oh, this bug doesn't reproduce on a clean install? You have some other stuff going on? Sorry, not our problem. Try a clean install." And one is left wondering: "Umm... Ok, and what about my bookmarks / extensions / configs / other software / etc?.."
So, to resume the debugging,…
So, to resume the debugging, does that happen with a clean, new install of Tor Browser (and Adblock Plus) on your system? If not, we need to compare the differences to narrow the issue down.
- Ok, so I just deleted my…
- Ok, so I just deleted my Tor Browser and did a FRESH install of version 7.0.2.
- Added the AdBlock Plus addon, added a subscription.
- Restarted Tor Browser.
- The subscription is GONE...
PS. Gotta say, it's REALLY…
PS. Gotta say, it's REALLY annoying - having to reinstall the filter subscriptions EVERY time you restart Tor Browser.
Well, my issue certainly…
Well, my issue certainly hasn't been fixed in the new release...
Bad that new version Tor…
Bad that new version Tor does not support Windows XP Pro SP3. Not all and not everywhere can itself to allow to buy the new modern computer and not there is desire beside all to move to more modern versions Windows.
The minimum requirement is…
The minimum requirement is Windows XP SP2. Do you get an error message or how do you know it is not supported on your Windows XP?
Hi torteam!…
Hi torteam!
Little mess here. After my update from torbrowser (browserbundle) 6.5.(?) to 7.0.0 I realized, that the entrynode never changed. Nevermind what I do, new circuit, new identity, close torbrowser and reopen, wait some minutes for the automatic circuitchange – every time the same result, every time the same IP-adress of the same entrynode appears. I purged the browserbundle, download the new version directly, every thing was fine.
Then version 7.0.1 was out, I updated, the problem with the same entrynode again appears. Purged browserbundle, download new version directly, same problem. Purged, download experimental version, same problem. Tried it any times. Than go back to versions 6.5 and 6.0.8 (had still the tar-archives), but now had the same problem with the old versions too.
Happened on an old machine with a Pentium(R) M (by default with WinXP as OS) with the latest stable Debian Jessie.
At the weekend I installed the new Debian 9 as a complete fresh OS on that machine, download torbrowserbundle 7.0.1, start torbrowser, had again the same entrynode, nevertheless I do (close, new circuit, new identity). All downloads were right from your page here, 32-bit-versions.
To clarify: the entrynodes between the several installations are different (5xFrance, 8xGermany, 3xNetherlands, 1xDenmark, 1xCzech, 1xMoldavia, 1xLuxembourg), only in one case an IP appear twice.
But once installed, the IP of the entrynode never changed.
Made I a mistake, is the hardware too out of date, is it a bug or should I go for tinfoil?
Not rotating your entry node…
Not rotating your entry node (a.k.a entry guard) often is a feature and not a bug to help against certain attacks, see: https://sedvblmbog.tudasnich.de/docs/faq.html.en#EntryGuards for some details.
Ah, ok, thanks!…
Ah, ok, thanks!
I´ve never noticed that before, since when is it included?
And what means „often is a feature“? There are situations when its not a feature?
In the details u linked is written about a few relays used as entrynodes. Is this means if I open the torbrowser in one hour or tomorrow I should see another entrynode?
We added the entry guard…
We added the entry guard feature in Tor 0.1.1.11-alpha in 2006.
You can read a whole lot more about entry guards, and why they're critical to security, in this blog post:
https://ocewjwkdco.tudasnich.de/blog/improving-tors-anonymity-changing-guar…
(As for your other question, I think gk meant "(not rotating your entry guard often) (is a feature)", not "(not rotating your entry guard) (often is a feature)". If that clarifies. :)
Thanks, I understand. The…
Thanks, I understand. The point I never noticed before that not rotating of the entrynodes is my own inattention and bias I think.
But to be sure: there is a pool of few (3-4) entrynodes for me since I installed and started the torbrowserbundle, but only one will appear for me/my client will use until this relay precipitates or in a few weeks (6-8) the pool itself will change (a bit?)? So for several weeks the same IP have to be appear as my entrynode if the torbrowser work correctly. But if the same IP stay much longer as my entrynode, something went wrong. Right?
I running Mac OS and noticed…
I running Mac OS and noticed that the "Tor circuit for this site" displays
Bridge: OBFS4 followed by the other couple of IPs.
My concern is sometimes I will see Bridge: OBFS4 (United states)
Why does it show the country and as far as I can see only U.S.?
It shows the country as for…
It shows the country as for all the other relays in your circuit. Thus, there is nothing special in that regard. There are bridges in other countries as well but your Tor Browser picked a U.S.-based one and sticks to it.
it doesn't matter what…
it doesn't matter what settings I use to stop auto-updates, nor even if I go into the about:configs and hard-code everything against auto-updates.
The browser keeps forcing auto-updates from v6_5_2.
I am having issues with the newest v7 tree, and need to wait on the 7s
Why? why can the auto-updates NOT be stopped? what have you done?
I just tested it with a…
I just tested it with a clean new Tor Browser 6.5.1 and it is not updating provided I change the update related preferences *before* I start the browser (you can specify to never check for updates or check but only apply them after a click, both works for me). The update check happens even before you switch any preferences in your about:config during start-up.
No, that's not the solution,…
No, that's not the solution, nor does it address the bug and security hole. I have done the same thing numerous times, and the error WILL replicate. Cycle through several runs of the browser after it has already been installed and at one point in a subsequent startup it will just override all browser update options(including manual changes to the about:config and even removing update URL addresses in the about:config) and just install the new version automatically. In other words, completely re-install the browser and set all variables to NOT update at the initial launch. And then run the browser a few times, visit some sites, leave it open for a bit. Then close it, and restart. Do that a few times, and then suddenly, it will just override all your settings and just update itself automatically contrary to your settings.
Respectfully, this is a big security hole, if that is all that is. It is certainly a bug. Where in the code base are your forcing this update?? Is that also replicated in the new v7 series?
I appreciate your quick answer in reply, but that's not really an answer that has any depth.
Let me repeat the obvious, this is not merely a bug, but instead one of the standard items on the list of SECURITY HOLES. If you've hard-coded forced updates, just disclose that. But if you have not, then you have left a big hole here that can be triggered by something other than the user. If the update process is open to be triggered by a hole in your code, then a malevolent process, or site, or party (M-T-M) could trigger an update and compromise security. To be fair, let's assume that you have the code-signing process in your auto-updates all properly locked down. (that's a big assumption, but we want to trust you). If a new vector or exploitable bug is introduced in a new version-- particularly as you update the rolling changes in Firefox-- that was non-existent in a prior version, then you have just forced the user into a security compromise. There is also the other annoyance of simple system incompatibility with the new version. Either way, it is for this very reason that organizations routinely lag with updates until new versions have had a chance to fully bake-in.
Now, I realize that this is a long post, but this is a pretty big bug, and it is replicable. Either you address it, or it needs to be broadcast to the larger Tor user base and let them start asking questions. Could I delve into the code-base myself? Sure, but that is a big investment of time that might be unnecessary if you (the developers) just please be transparent about this issue and disclose what, exactly, you have coded this to do. If you don't know, then that's another problem altogether. But let's wait for your answer. Please do. And if you don't have one, at least point to the location in the code-base where the community developers should start looking to contribute a possible fix to your coding or design errors.
Please, answer with something more substantive than a flippant response. This issue is replicable, and it is serious.
thank you in advance.
Even though my answer was…
Even though my answer was not as long as yours it was not flippant: I tested your issue yesterday quite for some time with different configurations and could not reproduce it.
Now, first of all, we don't ship our own updater but the one Firefox uses. You might be interested in reading how it works: https://wiki.mozilla.org/Software_Update + linked pages. While we are patching the updater to fit our needs we don't patch the mechanism that is responsible for automatic updates. The two patches we have are
a) for using the Firefox update process (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52…) and
b) for making use of MAR file signing (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-52…).
If you don't trust the preferences I mentioned in my previous reply you can set app.update.url to "" or some internal URL as we do for Torbutton/Tor Launcher updates (we use data:text/plain,).
What would be helpful is seeing some log in case that happens again. You can enable update logging with the app.update.log preference.
Finally, no, website can't trigger an update. Not sure where malevolent processes come into play here but they can just easily overwrite your firefox binary and then it is game over. Not sure what "party (M-T-M)" is? You mean some man-in-the-middle attacker? They can't trigger an update either unless they can break TLS/bypass the key pinning.
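A way to see which updater preferences a profile has actually persisted, as an added example that is not Tor Browser or Mozilla code. The prefs.js content is a constructed sample, and only the two preference names mentioned in the reply above (app.update.url and app.update.log) are interpreted; the finding codes are made up for this sketch.

```javascript
// Added example: audit the app.update.* overrides stored in a profile's prefs.js.
// SAMPLE_PREFS is constructed for illustration, not taken from a real profile.
const SAMPLE_PREFS = [
  "// Mozilla User Preferences",
  "",
  'user_pref("app.update.log", true);',
  'user_pref("app.update.url", "");',
  'user_pref("browser.startup.homepage", "about:tor");',
  "this line is not a preference and is skipped",
].join("\n");

// Parse `user_pref("name", value);` lines into a Map of name -> value.
// Values are strings, booleans or integers, so JSON.parse covers them.
function parseUserPrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, malformed entries
    let value;
    try {
      value = JSON.parse(m[2]);
    } catch (_) {
      value = m[2]; // keep the raw text if it is not a plain literal
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Report every user-set preference in the app.update.* branch and flag the
// two settings discussed in the thread.
function auditUpdatePrefs(prefs) {
  const overrides = [...prefs.keys()]
    .filter((name) => name.startsWith("app.update."))
    .sort();
  const findings = [];
  if (prefs.has("app.update.url")) {
    const url = prefs.get("app.update.url");
    // An empty or non-HTTPS value means update checks cannot reach an update server.
    if (typeof url !== "string" || !url.startsWith("https://")) {
      findings.push({ code: "update-url-not-https", pref: "app.update.url", value: url });
    }
  }
  if (prefs.get("app.update.log") === true) {
    findings.push({ code: "update-log-enabled", pref: "app.update.log", value: true });
  }
  return { overrides, findings };
}

console.log(JSON.stringify(auditUpdatePrefs(parseUserPrefs(SAMPLE_PREFS)), null, 2));
```

Running it against a copy of the profile's prefs.js before and after a restart shows whether a preference was really stored or silently reverted.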
the auto-updates are…
the auto-updates are functioning independent of the toggle in the options dialogue. In addition, not even manually editing the about:config file solves the problem. I'm not sure what exactly is causing the over-rides, but after wasting entirely too much time I suspect that it may be related to one of two things: (1) permitting messaging to Windows OS from a site after granting permission in the browser window, or (2) some bug in the Tor launcher. I did notice that when I completely turn off updates, the browser just ignores the settings and updates itself, but when I choose the option to let me decide whether to install updates, the browser doesn't update itself for a while. Not sure what does cause the eventual update in this configuration, but it eventually triggers. I'm fairly fluent in browser programming, but don't have the time to deep debug this issue. Nonetheless, I must say that I consider this an extremely serious security issue. I know, I know, certificates & signing etc. etc. But SOMETHING IS MIS-CODED here that is causing the system to run against the manual controls and toggles. Assuming that's true, then I suspect that the error could be hijacked by a 3rd party or M-T-M.
If you have any response-- and by you, I mean the developers, please respond here so that all can see. I've already searched the blog, and even Googled the issue, but there is nothing. Respectfully, I consider this both a BUG, and a serious security hole/threat.
Thank you in advance.
See my answer to the…
See my answer to the previous comment.
https://blog.qualys.com…
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
Everyone with running Linux should update!
Why are login pages for all…
Why are login pages for all onion sites showing me a crossed out lock icon and telling me "this connection is not secure" whenever I click in the password boxes?
How come everything is coming up http and not https?
Because a lot of .onion…
Because a lot of .onion sites don't have certificates for a bunch of reasons. But we have a bug on our radar to address at least some of the issues you mentioned: https://trac.torproject.org/projects/tor/ticket/21321
onion services are encrypted…
onion services are encrypted already.
to deactivate the warning message:
security.insecure_field_warning.contextual.enabled - toggle to false
I have noticed lately that…
I have noticed lately that Tor Browser often shows one exit node, the IP, and the country, while various testing sites, such as ip-check.info , and http://www.dnsstuff.com/, will now show something entirely different, different IP and different country entirely. This is a new behavior and occurs consistently on both Tor Browser and Tails, as well as on different machines, and running from a DVD or USB key.
I find this disturbing. Any explanations?
How can we reliably know and verify the country where our exit node resides if different services are at odds with what Tor Browser is reporting, more often than not?
The circuit you used while…
The circuit you used while the tests looked for your IP could have timed out before you landed on the final page or there are various redirects to different top level domains in the test included that could lead to this result. Hard to tell.
You can click on the onion menu next to the URL bar when loading sites and see live what your circuit usage looks like.
I have checked to see if the…
I have checked to see if the circuit has changed during the test, but it has not.
As I said, this is entirely new behavior.
When I go to https://check.torproject.org/?lang=en_US, it always agrees with what Tor Button is reporting. But, when i go to the testing sites mentioned, they show a different IP and a different country. Very disturbing.
Just now I changed the circuit and Tor Button shows an exit node in Sweden. I now have ten minutes before it changes automatically. I go to IP-check.info, and it shows a different IP with an exit in Romania, which is often the case. Tor Button still shows an IP in Sweden.
Doesn't boost my confidence at all.
> I now have ten minutes…
> I now have ten minutes before it changes automatically.
That hasn't been the case forever (Tor Browser sets and uses `KeepAliveIsolateSOCKSAuth`).
> I go to IP-check.info, and it shows a different IP with an exit in Romania, which is often the case.
You don't think that all your traffic to every single site goes down the same circuit do you? That hasn't been the case, basically ever. And if it were otherwise, it would be a bug.
> Doesn't boost my confidence at all.
Maybe if you correctly understood how it is supposed to behave, you'd have more confidence.
I may not be a rocket…
I may not be a rocket scientist, a cyber-security expert, or a network engineer, but I do understand how Tor Browser has behaved in these tests in the past, up until this release. The current behavior never occurred until this release. So, where is the clear layman's explanation for the change?
If the end user cannot reliably test and have confidence in at least knowing which entry and exit nodes are being used, at any time, then there is no utility in having Torbutton show the supposed nodes.
Which one is to be believed? Tor button or the testing site? Both? Is more than one Tor circuit being used at a time, when only a single browser tab is opened? Are two instances of Tor running, when there should only be one? How and why should that occur?
When what was once testable becomes untestable, because the reliability of popular tests is now in question, which in turn throws tor button node reporting into question, where should our confidence come from? Tor button alone? Why is it no longer easily and independently verifiable, when it has been, up until now?
See my answer below. When…
See my answer below. When you say "different", do you mean "different from what the last site in the other tab told me"? Or do you mean that the text on the web page disagrees with the "Tor circuit for this site" read-out you get by clicking on the green onion while you're on that tab?
Why do you want to believe…
Why do you want to believe something? Torbutton shows you the last circuit for some site. Testing site uses different addresses to check the linkability and shows IP of some exit. What's the problem?
Right, Tor Browser started…
Right, Tor Browser started using per-tab isolation (or more precisely, per "destination listed in the url bar" isolation), which went into Tor Browser 4.5-alpha-1 in November 2014:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/Bund…
" * Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain"
https://bugs.torproject.org/3455
See also Section 4.5 of
https://sedvblmbog.tudasnich.de/projects/torbrowser/design/
In short, the "now have 10 minutes" thing is what the program Tor does by default, but Tor Browser configures Tor to do its circuits differently.
Hope that helps!
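The isolation rule described in this reply, as an added sketch that is not Tor or Torbutton code. It assumes the browser sends the URL-bar domain as SOCKS username and a per-domain nonce as SOCKS password, and that the Tor client never shares a circuit between streams with different credentials; the class names, exit labels and .example hosts are constructed, and exits are handed out round-robin only to make the difference visible.

```javascript
// Added illustration: a simplified model of SOCKS-auth stream isolation.
// Assumptions (not taken from Tor source): username = URL-bar domain,
// password = per-domain nonce, one circuit per distinct credential pair.

class TorClientModel {
  constructor(exitLabels) {
    this.exitLabels = exitLabels; // constructed exit names, assigned round-robin
    this.circuits = new Map();    // "username\0password" -> { id, exit }
    this.nextId = 1;
  }

  // Return the circuit for these credentials, building one if they are new.
  circuitFor(username, password) {
    const key = `${username}\u0000${password}`;
    if (!this.circuits.has(key)) {
      const id = this.nextId++;
      const exit = this.exitLabels[(id - 1) % this.exitLabels.length];
      this.circuits.set(key, { id, exit });
    }
    return this.circuits.get(key);
  }

  dropAllCircuits() {
    this.circuits.clear();
  }
}

class BrowserModel {
  constructor(tor) {
    this.tor = tor;
    this.nonces = new Map(); // URL-bar domain -> nonce
  }

  // Every request is keyed by the domain in the URL bar, not by the host
  // the request is sent to, so embedded third parties share the tab's circuit.
  request(urlBarDomain, requestHost) {
    const nonce = this.nonces.get(urlBarDomain) || 0;
    const { id, exit } = this.tor.circuitFor(urlBarDomain, String(nonce));
    return { urlBarDomain, requestHost, circuit: id, exit };
  }

  // "New Tor Circuit for this Site": change the credentials for one domain only.
  newCircuitForSite(urlBarDomain) {
    this.nonces.set(urlBarDomain, (this.nonces.get(urlBarDomain) || 0) + 1);
  }

  // "New Identity": forget everything (the real feature also clears browser state).
  newIdentity() {
    this.nonces.clear();
    this.tor.dropAllCircuits();
  }
}

function demo() {
  const tor = new TorClientModel(["exit-SE", "exit-RO", "exit-DE", "exit-NL"]);
  const tb = new BrowserModel(tor);
  const checkPage = tb.request("check.torproject.org", "check.torproject.org");
  const testPage = tb.request("ip-check.info", "ip-check.info");
  const testEmbed = tb.request("ip-check.info", "static.cdn.example");
  // The test navigates the tab to another domain: new URL-bar domain, new circuit.
  const testRedirect = tb.request("results.test.example", "results.test.example");
  const checkAgain = tb.request("check.torproject.org", "check.torproject.org");
  tb.newCircuitForSite("ip-check.info");
  const testAfterNewCircuit = tb.request("ip-check.info", "ip-check.info");
  return { checkPage, testPage, testEmbed, testRedirect, checkAgain, testAfterNewCircuit };
}

console.log(demo());
```

In the model, two tabs open at the same moment report different exits, and a redirect to another domain reports a third, which matches the explanation given for the test sites in this thread.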
Hmmm.... while watching…
Hmmm.... while watching Onion circuits and the circuit data in TB itself, I reloaded this page, then followed the link in your post. My circuit did not change (which surprised me since I thought following a link to a third party site would give a new circuit), but the exit server did agree with one named by ipcheck. I called "new circuit" in TB (which did indeed create a new circuit) and tried again, with same result for the new exit server.
(FWIW, I am using TB in Tails 3.0.)
Hi, since I downloaded this…
Hi, since I downloaded this latest version, tor doesn't open anymore, I've tried everything, I changed the install location but nothing seems to work
I suspect you are on Windows…
I suspect you are on Windows? If so, which version? Do you have an antivirus/firewall software installed? If so which one? Could you uninstall it and test whether that solved your problem? This kind of software is pretty intrusive and is known to prevent Tor Browser from starting in some cases. Do you get error messages when trying to start Tor Browser?
I have exactly the same…
I have exactly the same issue. I have Windows 7 64 bit and I have tried everything it said: I have closed my firewall and antivirus, I have deleted tor and reinstalled it, I have installed it in a different location. Nothing! I used to just update tor and it normally works, what must I do now to get it to work?
every time I tor update from…
every time I tor update from 6.5.2 to the new version it does not open.. please help very computer illiterate... thanx
I suspect you are on Windows…
I suspect you are on Windows? If so, which version? Do you have an antivirus/firewall software installed? If so which one? Could you uninstall it and test whether that solved your problem? This kind of software is pretty intrusive and is known to prevent Tor Browser from starting in some cases. Do you get error messages when trying to start Tor Browser?
Since the new tor browser 7…
Since the new tor browser 7.0.1 and tor 0.3.0.8 are out pageloads are much faster than before. I guess this is due to the multiprocess firefox. Good work so far.
Thanks, and, yes,…
Thanks, and, yes, multiprocess mode plays a big role here.
does someone know why i get…
does someone know why i get circuits with excluded nodes
(StrictNodes 1) ?
StrictNodes doesn't apply to…
StrictNodes doesn't apply to ExcludeExitNodes nor ExitNodes. Did you know that? https://sedvblmbog.tudasnich.de/docs/tor-manual.html.en Does that help?
If not, where did you set StrictNodes 1? What file? And are you expecting this to affect Tor Browser or your system's Tor?
neither it helps nor it is…
neither it helps nor it is an answer to my question.
StrictNodes 1 applies to ExcludeNodes and i still have circuits with nodes i have
excluded.
Ok. So …
Ok. So ...
If not, where did you set StrictNodes 1? What file? And are you expecting this to affect Tor Browser or your system's Tor?
torrc…
torrc
i just want that 'excluded' means excluded?
how to do?
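The two questions asked in this thread (which file holds the options, and which Tor reads that file) can be checked mechanically. The following is an added example, not Tor's own code: the two paths are typical locations assumed here, the torrc contents and relay nicknames are constructed, and the script only reads option lines rather than querying a running Tor.

```python
WATCHED = ("excludenodes", "excludeexitnodes", "strictnodes")

def parse_torrc(text):
    """Return {option: [values]} for the watched options (keys lower-cased)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                        # option names ignore case
        if key in WATCHED:
            found.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(files):
    """files: {path: torrc text}. Returns {path: [finding, ...]}."""
    report = {}
    for path, text in files.items():
        opts = parse_torrc(text)
        # Assumption of this sketch: the last StrictNodes line is the one used.
        strict = opts.get("strictnodes", ["0"])[-1] == "1"
        notes = []
        if "excludenodes" not in opts and "excludeexitnodes" not in opts:
            notes.append("no exclusions here: the Tor reading this file is unaffected")
        if "excludenodes" in opts:
            mode = "enforced (StrictNodes 1)" if strict else "a preference Tor may override"
            notes.append("ExcludeNodes is " + mode)
        if "excludeexitnodes" in opts and strict:
            notes.append("StrictNodes does not apply to ExcludeExitNodes")
        if strict and "excludenodes" not in opts:
            notes.append("StrictNodes 1 has no ExcludeNodes list to enforce")
        report[path] = notes
    return report

# Constructed samples. The system daemon and Tor Browser's bundled tor each
# read their own file, so an edit to one does not change the other.
FILES = {
    "/etc/tor/torrc": """
        SocksPort 9050
        ExcludeNodes ExampleRelayOne,ExampleRelayTwo   # constructed nicknames
        StrictNodes 1
    """,
    "~/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc": """
        # only exit exclusions were added to this file
        ExcludeExitNodes ExampleRelayOne
        strictnodes 1
    """,
}

if __name__ == "__main__":
    for path, notes in audit(FILES).items():
        print(path)
        for note in notes:
            print("   -", note)
```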
US Deputy Attorney General…
US Deputy Attorney General Rod Rosenstein has been much in the US news of late, but there's another reason why Tor users worldwide should be paying attention to what he's saying to the US Congress: that Tor poses a drastic "threat" which "cannot be overstated".
https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosens…
...
> Department of Justice must continue to take a leading role in enhancing the capabilities of the law enforcement and national security communities. This budget request will provide $21.6 million in funding to counter the “Going Dark” threat. The seriousness of this threat cannot be overstated. “Going Dark” refers to law enforcement’s increasing inability to lawfully access, collect, and intercept real-time communications and stored data, even with a warrant, due to fundamental shifts in communications services and technologies. This phenomenon is severely impairing our ability to conduct investigations and bring criminals to justice. The FBI will use this funding to develop and acquire tools for electronic device analysis, cryptanalytic capability, and forensic tools. The Department’s role has been to collect, house, analyze, and share critical data among our federal, state, local, and tribal partners.
Rosenstein is demanding an extra 21 million USD of funding to fight the "Going Dark" threat [sic]. Can Tor user donations match that figure? If every Tor user gave ten dollars this year, I suspect the answer is "yes".
(-- > mysterious 'Web'…
Hi!
My OS is debian wheezy 32bit
Since long I have 2 installations of torbrowser
The first one with fairly standard settings in
~/tor-browser_en-US/
The second one (with noscript and httpseverywhere disabled for sites that need it)
in
~/tor-browser_en-US2/
Both installations were on 6.52. The second installation auto-updated to 7.01 and later to 7.02
I kept the 6.52 installation just in case.
When starting tb 7.02 the system monitor shows processes tor, firefox and for a split second a process named 'Web'.
Then only processes tor and firefox remain (of course a lot of standard processes out of focus here...)
As soon as I connect to a site, the 'Web' process returns.
'Web' is alive till I exit torbrowser or choose new_identity.
Torbrowser 6.52 doesn't start such a 'Web' process.
'Web' seems to stem from
~/tor-browser_en-US2/Browser/plugin-container -greomni
Is that something to worry about?
EDIT:
(-- > mysterious 'Web' process)
correction: tor browser auto-updated to 7.0 and then to 7.0.1 (I wrote about auto-update to 7.01 and then to 7.02, my fault)
Yes, I believe this…
Yes, I believe this situation is normal.
The new Firefox, which Tor Browser 7.0 is based on, has some sandboxing features, where each tab can run things in its own sandbox. Those extra processes you see are from the sandboxed tabs.
thanks for calming me down :…
thanks for calming me down :)
Today I have updated the non-tor firefox to 52.2.0 and it does as well create that 'Web' process.
greetings
> My OS is debian wheezy…
> My OS is debian wheezy 32bit
You may have good reasons for sticking to wheezy (no need to explain here if so), but otherwise I'd urge you to consider updating to the new stable (stretch, aka Debian 9). This is available for 32 bit machines, but as someone else noted recently in a blog comment here, 64 bit machines offer some security innovations which are worth taking advantage of if you can upgrade. Also, as you may have noticed, Tails is no longer compatible with 32 bit machines.
"svg.in-content.enabled" set…
"svg.in-content.enabled" set to false (security level: high) breaks some pages
Would the pages that break,…
Would the pages that break happen to be those that use SVG in content?
7.01 with protonmail is slow…
7.01 with protonmail is slow. It can take more than a minute to turn a page.
If you're using the Medium…
If you're using the Medium security setting, switch to Low instead when using ProtonMail. This is due to the fact that JIT (Just-in-time JS compilation) is disabled with Medium and High security settings, and hence you notice those performance hits. Hope that helps!
yes
yes
I don't like my privacy…
I don't like my privacy breached, so Tor is perfect for helping to remain anonymous.
the new color scheme is no…
the new color scheme is no improvement. still obscure.
New color scheme in... this…
New color scheme in... this blog?
If so, previously I could not see buttons but in the new version I can. (Using either the TB version provided with Tails 3.0, and also TB 7.0.1 under Debian 9.0.) Not perfect by any means (I experience the endless reload after each comment submission), but not worse than previous, and presumably an improvement in terms of anti-robo-trolling for the TP maintainers.
Please don't do that …
Please don't do that ....really useless move -download info disappears- to TBB
https://bugzilla.mozilla.org/show_bug.cgi?id=1354568
Please don't do what?…
Please don't do what?
I don't understand what you're advocating for here.
I am pretty new to tor, and…
I am pretty new to tor, and want to thank you all for setting this up. much love fellows.
Welcome to the Tor community…
Welcome to the Tor community!
You may also want to try out Tails:
https://ocewjwkdco.tudasnich.de/blog/tails-30-out
This comes as an iso image you can burn to DVD, and if you have a 64-bit computer (PC or laptop) which can boot from a live DVD, you can gain significant anonymity/security assurances from using Tails (although nothing is perfect).
I just installed Debian 9 ("stretch") using the onion mirrors and am very enthusiastic about the increased cooperation in the past year or so among Tor Project, Tails Project, and Debian Project, so you may want to look at Debian too
debian.org
I have confirmed that you can install Debian 9 off-line (no network mirror) from the DVD#1 and then installing apt-transport-tor and putting these lines in your synaptic configuration
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main
enables you to install and update entirely via Tor, which among other benefits entirely evades the mounting problems with those horrid fake certificates used for state-sponsored MITM in order to trojan software as it is being downloaded to a citizen's personal computer. See
https://ocewjwkdco.tudasnich.de/blog/tor-heart-apt-transport-tor-and-debian…
for a somewhat outdated posting on the onion mirrors. In particular, the onion mirrors now include the *full* Debian repository, which is a huge advance.
There is a huge flaw in this…
There is a huge flaw in this scheme: many otherwise valuable STEM applications (or security-enhancing things like FOSS IDS) in the Debian archive appear to come with small or large mail programs which attempt send useless unencrypted email messages to the user. Worse, this "misconfiguration by default" is often impossible for ordinary citizens to disable. Even worse, these mail programs typically assume any user must be on a large .edu system, and if this assumption is not met, the emails are not always sinkholed. Even if actual emails (very possibly containing sensitive information about the system) are not sent, unencrypted DNS lookups make things much too easy for the bad guys.
The most serious issue here…
The most serious issue here might be the possibility that sensitive system information could be exposed to the internet by "misconfigured" utilities installed on the PC which offer no disable option for "helpful" unencrypted emails to "root", and which incorrectly assume that
o the operator has a valid email address
o used the correct domainname for the "domainname" setting when using the Debian installer.
Such misbehavior could perhaps be stopped by setting up a personal firewall which blocks outbound (and inbound) traffic on port 25; this might at least prevent sensitive unencrypted emails from being sent into the internet.
The following HOWTO seems to describe firewalling a server rather than making a personal firewall for a PC, but I can't find better advice:
https://wiki.debian.org/HowTo/shorewall
A personal firewall won't fix outbound dns lookups by bsd-mailx or exim4 trying to email the hapless user (since you can't block outbound dns lookups without breaking Tor, yes?), or the lack of security awareness of certain otherwise useful STEM applications.
Question: what iptables rules are likely to break the proper functioning of Tor traffic from a PC which uses a commercial SOHO router with DHCP server to connect to the internet?
Examples of legit Tor traffic from a PC running Debian 9.0:
o Tor Browser
o debian-tor for updating software via the onion mirrors
the best browser
the best browser
Use Tor for my anonymous…
Use Tor for my anonymous blog. Couldn't do it without you. Thanks!
"HOWTO make an anonymous…
"HOWTO make an anonymous blog using Onion services" would be a good subject for a future post in this blog.
Do you need to have a working "clearweb" site before you can add a "darkweb" site?
i've been using hotspot…
i've been using hotspot shield vpn elite to hide my ip address. does anyone know if this is a good app to use for this purpose?
I think the right answer you…
I think the right answer you should get here is: using Tor Browser will be much safer.
There are many differences, but the first two that come to mind are:
A) Hotspot shield is a centralized service, so it gets to see everything you do, and sell it:
https://svn.torproject.org/svn/projects/articles/circumvention-features…
B) You need all of the application-level privacy and security fixes that Tor Browser provides. Using a default Chrome or Safari or Firefox or whatever, even if your underlying VPN service is somehow perfect, means you leave many huge holes open:
https://sedvblmbog.tudasnich.de/projects/torbrowser/design/
I really enjoy surfing…
I really enjoy surfing with Tor, I don't have a bunch of money grubbing assholes following me around. What a refreshing change.
Since the update, Tor…
Since the update, Tor no longer runs stably and keeps crashing. Extensions can also only be used to a limited extent. A step backwards!
My possibly horrendous…
My possibly horrendous translation:
> Updating Tor (Browser) is not very stable and is always a pain. Let's work towards keeping (updating) usable. Falling back (to the previous version)!
I don't dare try to attempt to translate my reply:
Updating never works for me either, but I have always been able to simply download the latest tarball (link will be the Download page at torproject.org), verify the detached signature, unpack the tarball in a suitable directory, untar, and away I go!
You will probably have…
You will probably have better luck getting help if you are able to speak English. :/
It sounds like your Tor Browser no longer works. What OS are you on? Do you have antivirus installed? If you uninstall the antivirus, uninstall Tor Browser, then reinstall Tor Browser, does it work?
I've read that several large…
I've read that several large ISPs (I think ATT, Charter, Comcast among others) have at times routinely used MITM (Man in the Middle) attacks to perform DPI (deep packet inspection) on *all* their customers for the purpose of selling data about individual browsing history, calling circle, banking transactions, etc, to corporations, governments, stalkers, whomever is willing to pay whatever the ISPs charge for these vast troves of detailed (and potentially dangerous) data on the habits of individual citizens and their families.
Do we have reason to think Tor Browser provides strong protection against this kind of DPI?
Short answer is yes, that's…
Short answer is yes, that's one of the things Tor does quite well.
The DPI at the ISP point can discover that you are using Tor, but not easily discover what you are *doing* with Tor.
All of the browser layer stuff is wrapped in many layers of encryption at that point, so it should be quite hard for the attacker to reconstruct.
It's not perfect -- nothing is -- but it's way better than the situation where you use a VPN provider and then the VPN provider is in exactly the right position to screw you just like your ISP was.
For more reading check out
https://svn.torproject.org/svn/projects/articles/circumvention-features…
Browser window warning…
Browser window warning
Your standard browser window size is probably square.
Unfortunately this size is not an option on some laptops which means that the size is cut off underneath.
This gives a yellow browser window size warning, over and over again, maybe it stops after 10 or 15 warnings.
Please reduce the standard window-size or come up with something smart.
Older laptops do not have 4k resolution and have therefore limited vertical space.
Interesting. I wonder how…
Interesting. I wonder how this is happening in your case. We round the browser window (the one for the content) to a multiple of 200x100 depending on your screen size with max 1000x1000. Thus it seems something has gone wrong for you.
Is "Your standard browser window size is probably square." part of the error message? If so, what is the whole error message (that's a bit hard for me to figure out)? Do you get it during start-up just once or every time you start Tor Browser?
Still learning this new…
Still learning this new version of internet. Really enjoy how helpful people are, and the epicness of everything that the community releases to move us forward. I'm sold, and am here to stay!
hi
hi
hi,…
hi,
tor browser doesn't start after the 6.5 version on windows 8.1. all versions from 7.0 up to 7.0.4 don't work, i must reinstall the 6.5 version every time after each update to any 7 version.
have you an idea?
ps: on windows xp sp3 it work nice , no problems