New Release: Tor Browser 8.0.9
Tor Browser 8.0.9 is now available from the Tor Browser Download page and also from our distribution directory.
This release fixes the issue which caused NoScript and all other Firefox extensions signed by Mozilla to be disabled.
If you used the workaround mentioned in our previous blog post, don't forget to set the xpinstall.signatures.required entry in about:config back to true after installing this update.
Note: We did not bump the Firefox version number to be able to build faster, thus it will still show 60.6.1esr as the Firefox version.
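One way to confirm that the workaround has actually been undone, as an added example (not Tor Project code): the script below reads a profile's prefs.js and user.js and reports any file that still sets xpinstall.signatures.required to false. The profile directory is passed on the command line and is an assumption of this example, as are the constructed sample file contents.

```python
"""Check a browser profile for a leftover add-on signature override (added example)."""
import re
import sys
import tempfile
from pathlib import Path

PREF = "xpinstall.signatures.required"

# One preference line as written in prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; a later line wins."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m is None:
            continue  # comments and blank lines
        raw = m.group("value")
        if raw in ("true", "false"):
            prefs[m.group("name")] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[m.group("name")] = int(raw)
        else:
            prefs[m.group("name")] = raw.strip('"')
    return prefs


def audit_profile(profile_dir):
    """Return the profile files that still set the pref to false.

    prefs.js holds values changed through about:config. user.js, if present,
    is re-applied at every start, so an override left there comes back even
    after the pref is flipped to true in about:config.
    """
    offenders = []
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if not path.is_file():
            continue
        prefs = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
        # Absent means the built-in default applies; only an explicit false is a finding.
        if prefs.get(PREF) is False:
            offenders.append(name)
    return offenders


# Constructed sample files (not taken from a real profile).
SAMPLE_WORKAROUND = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("extensions.lastAppVersion", "60.6.1");
user_pref("xpinstall.signatures.required", false);
'''
SAMPLE_RESTORED = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:tor");
user_pref("extensions.lastAppVersion", "60.6.1");
'''


def run_demo():
    """Audit two constructed profiles: workaround still set, and restored."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, text in (("workaround", SAMPLE_WORKAROUND),
                            ("restored", SAMPLE_RESTORED)):
            profile = Path(tmp) / label
            profile.mkdir()
            (profile / "prefs.js").write_text(text, encoding="utf-8")
            results[label] = audit_profile(profile)
        # An override in user.js survives a reset done through about:config.
        (Path(tmp) / "restored" / "user.js").write_text(
            'user_pref("%s", false);\n' % PREF, encoding="utf-8")
        results["restored_with_user_js"] = audit_profile(Path(tmp) / "restored")
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = audit_profile(sys.argv[1])  # path to the profile directory
        for name in found:
            print("%s sets %s to false" % (name, PREF))
        sys.exit(1 if found else 0)
    print(run_demo())
```

A non-zero exit status means at least one file still disables signature enforcement; close the browser before checking, since prefs.js is rewritten on exit.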
The full changelog since Tor Browser 8.0.8 is:
- All platforms
  - Update Torbutton to 2.0.13
    - Bug 30388: Make sure the updated intermediate certificate keeps working
  - Backport fixes for bug 1549010 and bug 1549061
    - Bug 30388: Make sure the updated intermediate certificate keeps working
  - Update NoScript to 10.6.1
    - Bug 29872: XSS popup with DuckDuckGo search on about:tor
Comments
Please note that the comment area below has been archived.
Thank you.
I join in ....
Hopefully no one was compromised by Mozilla's failure.
Amen to that.
I immediately stopped using tor, and will do so a week too. Security is number one priority.
Just exactly what does "will do so a week too" mean?
Think you
There may actually be some good news buried in this messy story.
It seems that the cert which caused the inadvertent (presumably) disabling of NoScript expired late Fri 3 May 2019, and Mozilla apparently became aware of the situation within minutes or hours. They then were able to find a quick fix which was implemented in a few days, which allowed Tor Project and Tails Project to issue emergency bugfix versions in a very short time.
This means that the Tor user community was not affected during May Day, a time when some at risk users are all likely to be attacked by multiple US/EU agents who suspect us of involvement in street protests.
I was alerted to the problem by a popup which everyone who booted TB this weekend should have seen, and knew enough to come to this blog to look for more information. The main worry now seems to be that some at risk users might not have known they should come here and may not have understood the instructions (or rebelled, quite naturally, at instructions telling them to disable sig verification).
Hopefully this incident will serve as wake-up call to Mozilla that they need to work harder to prevent their cert chains from falling over.
Thanks for adding the extra info.
ditto!
1. New bridge values are not being issued when "Tor is censored in my country" is selected. If I select "request a bridge from torproject.org", the bridge is always XX.XX.XX.XX:PPPPP etc., which is not open so will not complete a circuit.
2. I use Tor Browser for the Mac OS, and if I select scramblesuit from https://bridges.torproject.org/ it will work, but why doesn't the Tor Browser itself have scramblesuit built in to the browser like obfs4, obfs3 and meek-azure? Is scramblesuit deprecated?
Re 1) We are investigating that issue (although it seems I can't find the ticket right now).
Re 2) Yes, scramblesuit is deprecated in favor of obfs4 and other pluggable transports.
Hello! If I want to setup a bridge, should I be only supporting obfs4?
I wondered the same thing. I searched the support site, manuals and trac wiki. The doc page about pluggable transports has the best answer I could find. "obfs4 is currently the most effective transport to bypass censorship. We are asking volunteers to run bridges for it." meek is designed for bridges hosted on a CDN. obfs4 is good for bridges hosted anywhere. The other PT's shown on BridgeDB are not recommended anymore in documentation.
Then fte, scramblesuit, and none should be removed from the selection box on BridgeDB. They are removed from the built in selection box in TBB 8.5 but BridgeDB website continues to offer selecting them.
yes,is ok
Thank You.
Shouldn't blog moderators redact the bridge IP:port from public posts? Less damage is better than more damage.
Yes, I think you are right. I thought, so, this is less problematic in this case as the bridge is non-functional anyway.
You guys ROCK! Thank you.
thank you, guys and girls!
NoScript is BACK! :)
Note: Microsoft Edge does not have the ability to disable scripts, so an XSS exploit can be successful!
Thank you very much for getting this out so fast it has only been a few days.
Thank you sooooooooooooooooooooooooooooooooooooooo much
How about fixing vulnerability that allows for massive DDOS attacks??????
Now THAT would be a real help.
We are working on it, stay tuned.
Hello, is there any ETA on when the DDOS issue will be fixed? Any ETA at all, even if it's really rough. It would help SO much to have any sort of time frame. Will it be fixed this month do you think?
What vulnerability? Haven't seen anything in the mailing lists.
A single guard entry server for 2-3 months is enough time to capture every user's behavior on the TOR network. I am not satisfied with esoteric arguments and research papers presented, favoring the guard entry server architecture. It seems to me that TOR is totally compromised and there is really no way to escape prying eyes. And the dependency on Google finances that The TOR Project has grown accustomed to, only seals the privacy fate of the TOR user.
That's nice, but not how science works. If you want to prove an opposing hypothesis, you need to present sufficient supporting evidence. Hand wringing does not suffice.
> the dependency on Google finances that The TOR Project has grown accustomed to,
I share your concern but...
> only seals the privacy fate of the TOR user.
I think you are too pessimistic. The solution is to move Tor Project toward a funding model which relies principally on user donations, similar to EFF, rather than corporate/govt largesse.
Please consider making regular donations as I and others here do.
> It seems to me that TOR is totally compromised and there is really no way to escape prying eyes.
Too pessimistic. Enemies such as NSA have frightful powers to harm people, but they have problems of their own. Exploits are often frangible (fail when a new version is introduced, even if the devs never knew about the hole), they are drowning in information (much of it duplicated in hard to notice ways), their systems tend to be in a state of near chaos, their own opsec is poor, and their very size and complexity ensures that they suffer from some systemic weaknesses which we can exploit to prevent them from getting too far ahead in the arms race.
Further, we have many enemies, but most of them are far less capable and far more focused on particular populations than NSA.
I got a leakage W32 file in this update which was detected by my antivirus. Maybe take a look at that, Tor?
What it said exactly:
W32/Malware
But coming from Tor I am also suspecting it to be a false positive?
If not, I suspect you work hard on fixing it ASAP.
Thanks.
There is nothing we can do about your antivirus. Our updates are signed (otherwise they would not get applied), thus everything we ship comes from us (we make sure we get exactly the same build results on different machines to better guard against build machine compromise). You need to get back to your antivirus vendor or, better, if you really think you need antivirus/firewall software then use Microsoft's own tools and nothing else.
Probably false positive. 8.0.9 was very new when you posted. Wait for a day or two until your vendor updates its virus signature files, and scan again. ("Virus signatures" have nothing to do with cryptographic signatures.)
Meanwhile, you might verify Tor Browser's cryptographic signature in its sig file.
https://ijpaagiacu.tudasnich.de/#how-to-verify-signature
https://2019.sedvblmbog.tudasnich.de/docs/verifying-signatures.html.en
thanks
What about automatic updates of https everywhere and noscript addons?
Is it recommended to disable automatic updates?
No, it is not. Those automatic updates are the way for you to get timely security updates.
Isn't it strictly forbidden to update the permanent add-ons (HTTPS Everywhere, NoScript, Torbutton and Torlauncher) ?
In fact I have once or twice accidentally updated them. How to cancel it, is it possible without re-installing?
Perhaps they could be protected in future? How about approving some add-ons, if adblocking was done by the exit, loading ads but not sending, there would be no fingerprint problem.
It is important to keep Tor Browser updated, as this ensures that you have the important security updates. Tor Browser currently has automatic updates enabled by default for these add-ons. The add-ons will also be updated whenever you install an update to Tor Browser. You do not need to install other updates to these add-ons, as the updates included in TB are vetted by the development team to ensure compatibility with the browser.
What we don't recommend is installing other add-ons (i.e. any add-ons that don't come pre-installed with Tor Browser).
I'm pretty sure they were asking about the add-ons that are pre-installed with Tor Browser receiving updates that are not included in TB. For example, TB 8.0.9 has NoScript 10.6.1. TB checks addons.mozilla.org and finds NoScript 10.6.2. What happens? Are post-install updates from addons.mozilla.org or eff.org vetted by TB developers? Since automatic third-party updates of pre-installed add-ons are not bundled or signed by TP, vetting of those updates is meaningless. Does TB reject non-vetted automatic third-party updates of vetted pre-installed add-ons?
Currently the https everywhere and noscript add-ons updates are enabled by default, which allows fixing bugs in those add-ons without releasing a new Tor Browser.
However, there are some plans to change that:
https://trac.torproject.org/projects/tor/ticket/10394
https://trac.torproject.org/projects/tor/ticket/22974
Great info. Thank you.
> if adblocking was done by the exit, loading ads but not sending, there would be no fingerprint problem.
Exits can log all your traffic. You want them to control filters on your traffic too? Some exits already try to.
Effective ad-blocking can't be done by routers to end-to-end HTTPS. They can only see IP and domains, so it blocks too little or too much. Filters on the user's machine are the most effective.
But... if every user had the same filters and did not update from the filter publisher, their fingerprints would be identical if everything else in the fingerprints was identical. I think. Comparisons of fingerprints of Tor Browser to regular browsers are not meaningful. Comparisons of fingerprints of Tor Browser to other Tor Browser instances are meaningful. So if all Tor Browsers come with the same things and no leaks from them, they would all look alike. But it's also very hard to review filter lists.
Hey,
this time time span from discovery to 'repair' is great!
All Tor folks (this time with a focus on Tor browser) are doing really great work!!!
Many thanks!
Plus one!
Since 8.0.8 I'm constantly getting NoScript popups, mostly for requests to a very small set of omnipresent domains like twitter. Considering all your efforts in recent months to make TBB more marketable, it seems this salvo of popups does not help you at all at keeping new users.
Is there any plan to block such common requests by default? Each user curating their block list on their own is not good for anonymity.
The problem is an underlying Firefox bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1532530) which caused large uploads to fail, which is dangerous for whistleblowers, for instance. The workaround was to tweak NoScript, which unfortunately results in more false positive XSS popups delivered by that extension. The Mozilla bug is fixed and we should get back to normal XSS warnings next week with Tor Browser based on ESR 60.7.0. Sorry for the inconvenience.
why not on ESR 60.6.2? ;]
It's an additional fix that would have made that critical release even more complex. Besides that it would not have had immediate effect as we need a new NoScript release afterwards as well, so that the changes can take effect.
Hey! Does `certdb` support FPI that you enabled it?!
I'm not sure, but we're planning to disable certdb again in the release next week, since Mozilla provided a better patch that doesn't require certdb:
https://trac.torproject.org/projects/tor/ticket/30425
No. It's not about cross-origin linkability but about leaking things to disk.
only, thanks to tor (and mozilla?) for fixing the xpi sig problem.
Yes, Mozilla messed up but did respond rapidly to devise a fix.
Great job fixing the desktop version!
Keep in mind that the Android version of the Guardian Project's F-Droid repository was not updated yet and still contains this certificate problem.
We're currently building/signing the alpha release (which includes the android version) that should fix this.
Certainly not asking this with any entitlement or expectation, please only answer if you have the time, but is there an outlook on the alpha release update? I'm very fond of the noscript preference retention in that! :-)
In a couple of hours. https://oiyfgiixvl.tudasnich.de/torbrowser/8.5a12/ has the bundles but it is not official yet.
Cheers, GK, nice one. ✌
Hi Tor Developers
How is your progress against fixing the ddos issue within the tor onion services?
The ddos attack against all tor networks is going very strong.
Please fix it as soon as possible or it will all be over soon...
We're working on it, but we're not able to provide any ETA, so stay tuned. Thanks for your patience.
Thanks so much to everyone who helped respond so quickly to this emergency!
TP was placed in a really bad position by Mozilla's goof and handled it pretty well I think.
Does this release use the new Mozilla certificate or did you seize the opportunity and create your own?
No, add-ons are still signed by Mozilla.
How are jobs to prevent DDOS attacks on Tor's onion servers.
You visit a TOR Onion site, and tomorrow it is closed because of the Onion attacks.
If nothing is done, I see that soon everything will end.
Ugh, the absolute state of firefox.
Does tor browser have any plan to change from firefox to chrome?
There are no plans to do so currently. Switching to chrome/chromium would cause other problems.
Sure, use Google's spy browser, that's a great idea.
NO
Has anyone used Tor Browser on a 4K monitor? (1000x1000 window size, I mean)
Is it a problem if I change Tor Browser's font size? (I never use JavaScript)
A similar comment was made to the post for v8.5a11.
Hi, can someone from Tor give us any info on the DDoS fix, or even if it's possible, as this is a major topic right now? The ATTACKS have definitely got worse, as even clearnet sites are being hit bad now. So it looks even more of an issue than before.
We're working on it, but we don't have any ETA, so stay tuned. Thanks for your patience.
8.0.x
Update to: Tor Browser does not terminate correctly (2019-04-26).
https://ocewjwkdco.tudasnich.de/comment/280960#comment-280960
Setup of Tor Browser 7.56, 8.0 ... 8.09 x32 and x64 inside a fresh Win81x64 VMware WS guest. No config changes, no antivirus, no firewall. Just launching the browser and then closing.
Results: Tor Browser 7.56 works without any problems.
All 8.0x (32/64) versions do not close properly. About 60s or more after closing a system error message appears.
With Process explorer one can track the increasing memory consumption.
No problems with linux version in a Debian 9 guest on the same host.
Can someone explain why TBB says Win32 for System Info but TAILS says Linux?
I thought you folks would be synchronized in that sense but it appears not. The complaint is an obvious one regarding fingerprinting. Any help in keeping your Sys Info the same across platforms?
https://trac.torproject.org/projects/tor/ticket/26146
https://trac.torproject.org/projects/tor/ticket/28290
Thank you for fixing the issue so promptly. You are doing god's work.
Glad to say 8.0.9 seems to be working fine for me (on Debian).
thank you !
All of the different suggestions to change assorted settings can't be hygienic for the user base. I think it would help everyone if there was publicity for a permanent guide on the Tor Project website or wiki for how to do a backup and clean install.
Why did the creator of JavaScript and co-founder of Mozilla abandon Firefox and its engine Gecko and chose Chromium and its engines (Blink and V8) for his Brave browser? Maybe the reality is, Mozilla has become a MESS and the Google engines became better over time, and now they are the best. We hate it because we don't want to admit that something coming from Google is the best, even if it's open source. I don't know, but if people don't trust Mozilla anymore, they won't trust Tor either. Tor might die in the next five years. It's sad, really. I guess people expect a serious project like Tor to have its own browser and features should be part of such browser. Relying on third-party solutions like engines is ok, but on browsers and "extensions" seems a cheap solution for such serious project.
Good to see the sigs are back on the download page! Thank you for great work on tor browser!
Did you guys really patch stable before alpha? :|
When are you guys going to patch alpha?
https://oiyfgiixvl.tudasnich.de/torbrowser/8.5a12/ has the new bundles but they are not official yet. And, yes, we really patched stable before alpha. Alpha is the development version and we expect users of those to be more tech-savvy and being able to better cope with breakage and unforeseen issues.
Mozilla has had improper handling his signing infrastructure for addons in the past,
unbelievable handling this thing for webextensions in present, I am waiting for the future mozilla is .....handling this.
May delete the user can change "xpinstall.signatures.required" for, mozilla will say,
more security. This is dangerous.
On Android don't Is possible installing addons. Always corrupted files noticed from admin of circuit. BTW. Is not possible setting up excluding Country and or nodes in setting. Bad. Best old Orbot and Orfox. I am sorry.
There was a bug in Mozilla's code starting last Saturday that disabled many add-ons. Version 8.5a12 on Android is released and fixes the bug.
https://sedvblmbog.tudasnich.de/download/#android
https://ijpaagiacu.tudasnich.de/tbb/tbb-16/
It appears there is something wrong with obfs4 bridges provided from https://bridges.torproject.org/bridges?transport=obfs4.
The bridges are all the same 189.131.192.144:6237 etc..
Another bridge IP:port in a public post.
Has the Android platform been updated too? It doesn't seem so.
The alpha Tor Browser version (including the Android bundle) has been released:
https://ocewjwkdco.tudasnich.de/new-release-tor-browser-85a12
There is also a problem obtaining bridges via email. When sending a request for obfs4 bridges to bridges@bridges.torproject.org I get the below response.
Here are your bridges:
(no bridges currently available)
To enter bridges into Tor Browser, first go to the Tor Browser download
page [0] and then follow the instructions there for downloading and starting
Tor Browser.
When the 'Tor Network Settings' dialogue pops up, click 'Configure' and follow
the wizard until it asks:
Does your Internet Service Provider (ISP) block or otherwise censor connections
to the Tor network?
Select 'Yes' and then click 'Next'. To configure your new bridges, copy and
paste the bridge lines into the text input box. Finally, click 'Connect', and
you should be good to go! If you experience trouble, try clicking the 'Help'
button in the 'Tor Network Settings' wizard for further assistance.
[0]: https://sedvblmbog.tudasnich.de/projects/torbrowser.html
COMMANDs: (combine COMMANDs to specify multiple options simultaneously)
get bridges Request vanilla bridges.
get transport [TYPE] Request a Pluggable Transport by TYPE.
get help Displays this message.
get key Get a copy of BridgeDB's public GnuPG key.
get ipv6 Request IPv6 bridges.
Currently supported transport TYPEs:
fte
obfs3
obfs4
scramblesuit
--
<3 BridgeDB
I don't know the details about this, but I heard some people are investigating the issue with BridgeDB.
This is important: without bridges, anonymity can be compromised. That's why the Tor Project provides 3 methods of obtaining bridges: 1. Email, 2. Tor bridge web site (https://bridges.torproject.org/) and 3. built-in defaults.
Should I be informing another forum?
They know. Give them time. Look here, but let them work.
Hi, can someone from Tor give us any info on the DDoS fix, or even if it's possible, as this is a major topic right now? The ATTACKS have definitely got worse, as even clearnet sites are being hit bad now. So it looks even more of an issue than before. PLEASE ANSWER ME. Thanks in advance...
We're working on it, but we don't have any ETA, so stay tuned. Thanks for your patience.
Hey guys. Every time I input a captcha answer on an onion link it fails and reloads a new one to complete every time. Any idea why?
Try lowering the security slider or setting Trusted permissions for websites in NoScript. No firm idea why.
Two days after mozilla-tor-noscript-"bugfix", the noscript icon is gone again and the browser says "all firefox addons disabled". WTF??? Should we go back to "about:config-false" again?
Which version are you using?
I just installed the new Tor browser yesterday, but every time I try to open it, it says, "Tor browser is already running, but not responding." I have tried completely removing all the old Tor info and cleaned up my computer of "Tor" stuff. I then redownloaded Tor (8.0.9) and tried a "fresh" install but still get that screen, any ideas?
Which operating system are you on?
Many thanks to the team
On May 8, 2019 Mozilla released a patch for the above bug. The version of the non-ESR browser stands at 66.0.5. Mozilla plans to release a patch for the ESR browser by May 9.
Tor users should expect an update to Tor Browser Bundle. The updated Tor Browser Bundle's version should be 8.0.10.
We currently don't plan to do yet another release. We'll likely pick up the remaining things next week when we prepare Tor Browser 8.5.
The above bug that I referred to is Bug 1549249, https://bugzilla.mozilla.org/show_bug.cgi?id=1549249
ALERT!!!!!
Check NoScript default Per-site-permissions!!! My default "trusted" websites: google.com bootstrapcdn.com gstatic.com hotmail.com neflix.com paypal.com yahoo.com youtube.com and 30-40 more
Security slider "safest". Update/install yesterday, version 8.0.9.
Yet they have full permissions by default (trusted). Had to remove manually.
Behavior different than before Mozilla muckup. Please investigate!
PS, Noscript “General” tab default setting allows “fetch” and “other”
IIRC those should not be enabled.
PPS, Loaded this page without scripts infinite loop reloading. Stopped when turn on scripts.
Have seen other weird behavior from TOR since Mozilla muckup. Stay safe everyone.
Hm, I wonder whether that could be something like https://trac.torproject.org/projects/tor/ticket/30443. What happens with a clean, new install of Tor Browser 8.0.9 and then setting the slider to safest?
> PPS, Loaded this page without scripts infinite loop reloading. Stopped when turn on scripts.
Your final point is a long-standing bug, not new. The blog expects JavaScript enabled. It loads well on "safest", but it reloads infinitely if you load/refresh on "safer" and then go to "safest" and refresh.
> PS, Noscript “General” tab default setting allows “fetch” and “other” IIRC those should not be enabled.
"fetch" and "other" are enabled for Default in the older 8.0.8. All are except "media". You say "should not". I do not know if they were meant to be or not.
I have a question for Tor developers.
For 99% of the time that I use TBB, my security level is set to Safest.
During the time when NoScript and all other Firefox extensions signed by Mozilla were disabled, I did the following:
I typed about:config in the address bar.
I toggled javascript.enabled to false.
What I did achieved the same result as using the NoScript add-on, right??
According to my understanding the answer is "No", since NoScript provides protections other than simply disabling JavaScript in some situations. Also, rolling your own fix to the issue (now fixed in TB 8.0.9) is likely to make you more individually recognizable to web trackers.
"According to my understanding the answer is "No""
Your understanding is based on the other protections that you claim NoScript provides.
"....since NoScript provides protections other than simply disabling JavaScript in some situations"
What are these other protections that NoScript provides?
They have been mentioned in blog posts but I never claimed to understand the details. For those I must refer you to the Tor team. Please bear in mind that they are busy people.
See: https://2019.sedvblmbog.tudasnich.de/projects/torbrowser/design/#other-secur….
nice!
For users of very old versions who don't upgrade and accept the risk, "Someone pointed me to a fix for older FF's and it seems to work! reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/ " Found on Mozilla Firefox bug tracker, #1549078.
TB 8.0.9 seems to be working fine for me both under Debian 9.9 and in Tails 3-13-2.
Thanks again to Tor and Tails team for your rapid and effective response to the NoScript debacle.
Deep breath... TP should…
Thanks again for fixing the NoScript problem.
Just wanted to warn that TP should make ready for possible state-sponsored cyberassaults on Tor coming up in a few weeks:
theguardian.com
Tiananmen Square: China steps up curbs on activists for 30th anniversary
Government’s critics say controls are more severe: ‘They know the 30th anniversary means a lot’
Lily Kuo in Beijing
9 May 2019
wired.com
Inside China's Massive Surveillance Operation
Isobel Cockerell
9 May 2019
(For example, having people on standby to deal with a new crisis.)
> don't forget to
For mission-critical commands like this, say "remember to," or start with the command word: "Set the..."
"Warning statements should be written in the active voice, not the passive voice, and, when possible, using affirmative statements instead of negative statements. In several studies, active sentences were found to be verified faster than passive sentences, affirmative faster than negative, and true faster than false. The exception is a common warning instruction where a prohibition is required, such as “No Smoking.”
Negative and passive words in warning statements require more effort to interpret correctly. Statements having these features require a larger capacity of immediate memory than do otherwise identical statements lacking these negative and passive features."
Affirmative Warnings (Do This) May Be Better Understood Than Negative Warnings (Do Not Do That)
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3989081/
thank you all for your efforts!
hope you get the ddos situation under control soon
Changelog tab after update. Learn More opens DuckDuckGo onion. What?
Yes, about:tbupdate, Learn More opens "How do circuits work?", a guide in the browser about the circuit display in the padlock icon. I don't know if it is a good idea to open DuckDuckGo suddenly from clicking to Learn More. Tor Project also runs many onions.
@ Tails users:
I tried to use the auto upgrade to upgrade two USB sticks to Tails 3.13.2 but the upgrade failed for one of them. But an alternative procedure works and is more efficient if you have several Tails USB sticks: use wget to obtain the ISO image (yes, this is in itself an issue since wget had a bug in Tails 3.13.1), verify it, burn it to a DVD, boot laptop with DVD, once Tails is entirely ready, insert USB stick, choose Tails -> Tails Installer. The location of the USB stick should appear and you should use the default "clone running Tails". Click "Upgrade". This preserves the persistent volume and installs new Tails OS over old one in the unencrypted boot area of USB.
If you have trouble with wget read the man page for some helpful options. If your computer lacks memory you can call wget from a directory on a data USB stick (assuming you have enough space and at least two USB ports and a DVD drive).
Let me start by saying that I have been a massive supporter of the Tor network for many years.
But it's becoming impossible to use due to the constant DDoS attacks. The bug in the Tor software needs to be fixed and it needs to be fixed quickly.
The bug also potentially opens up the possibility for large hidden services to be deanonymized too.
This is a serious problem which needs the Tor developers' undivided attention.
Yes, we are working on that.
Your software it blatantly…
Your software it blatantly un secure until you fix this. It should have been done yesterday unless you are working with the government
> But it's becoming impossible to use due to the constant DDoS attacks. The bug in the Tor software needs to be fixed and it needs to be fixed quickly.
I think you are talking about onion sites, yes?
I have been able to use TB to surf to clearnet sites without any problems, but I sometimes notice problems with the Debian onion mirrors. Speaking of which, these include Buster for those who want to get ahead of the curve on the rollover from Stretch to Buster as the new Debian stable.
I am using TB 8.0.9 in Tails 3.13.2 but I just got the "all extensions have been disabled" yellow bar when I tried to surf to this duckduckgo.com
Toggling xpinstall.signatures.required to FALSE appears to fix this but I am sure what is the best way to disable unsigned autoupdates. In particular, can't find the option to prevent unsigned NoScript updates.
F/U: the problem only happened once and has not recurred since (a day later). NoScript and uBlock have been working again for me. I boot Tails from a DVD burned from the current ISO (verified sig) which includes TBB 8.0.9 which should fix the expired cert issue. Maybe a sig check simply took longer than expected which temporarily disabled my add-ons? If that is possible, that would not be good.
On the bright side, at least I can confirm that users are alerted by a message in a yellow bar in TB that add-ons have been disabled.
> what is the best way to disable unsigned autoupdates. In particular, can't find the option to prevent unsigned NoScript updates.
Read this comment thread on page 1. To prevent add-on autoupdates, https://support.mozilla.org/en-US/kb/how-update-add-ons The only way to prevent only unsigned add-on updates is to toggle xpinstall.signatures.required back to true.
Since there is a problem with getting bridges. Example: email bridges always returns "no bridges available". Should I be looking to enter a Tor bug at https://trac.torproject.org/projects/tor/report or is this performed by Tor personnel?
We are aware of trouble with getting working bridges. See: https://trac.torproject.org/projects/tor/ticket/30441 for instance. I am not sure about the bridges requested by email. Feel free to open a ticket in our bug tracker explaining what you did and what happened.
'New Circuit for this Site' doesn't work if 'Secure Connection Failed'
Yes. This should be fixed in the upcoming release, see: https://trac.torproject.org/projects/tor/ticket/22538.
Thanks for your efforts...
As long as torbrowser doesn't make nodejs a required dependency, this browser has a future.
Something Went Wrong!
Tor is not working in this browser.
Any suggestions? Thanks
Could you be a bit more explicit about your platform and steps to reproduce your problem?
HTTPS-Everywhere 2019.5.13 released - (May 13, 2019)
HTTPS-Everywhere - Homepage : https://www.eff.org/https-everywhere
HTTPS-Everywhere - ChangeLog : https://www.eff.org/files/Changelog.txt
HTTPS Everywhere - FAQ : https://www.eff.org/https-everywhere/faq
HTTPS-Everywhere - Mozilla-Extension - Firefox (en-US) : https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
SHA1 for fun
From Collisions to Chosen-Prefix Collisions - Application to Full SHA-1
https://eprint.iacr.org/2019/459.pdf
https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-…
First SHA1 was shattered.
Now it's reduced to shambles.
It's time to stop using SHA1. (HMAC-SHA1 is still okay.)
— Scott Arciszewski (@CiPHPerCoder) May 10, 2019
Hi,
A few minutes ago I downloaded a file from a website in our country that is 24/7 under surveillance by the Government.
Mistakenly, it was not the latest version of TOR. That means after updating, I didn't restart the browser, and I entered and downloaded the file from the previous version of TOR.
I entered from the laptop.
After downloading the file, I immediately restarted and updated my Tor browser.
Can they trace me? Or will I face any problem?
Download Tor Browser from torproject.org, not from other websites. Tor Browser downloads updates when it finds them and notifies you to restart, but Tor Browser does not install the update until you restart the browser. Tor Browser installs the update when you fully close the browser and open it again, not before. Thus, you could not have updated it if you didn't restart the browser.
I think you are as safe as you normally are if you downloaded the files through Tor Browser, used sig files to verify signatures, and (if the file was a document) did not open documents downloaded through Tor while online. But I cannot answer confidently because I don't fully understand your English.
Torbrowser is not able to connect to http://www.ifdsgroup.com/ and strangely the circuit keeps changing every 15 seconds
I haven't got any problem with and without this update. I am disabled and I just find normal things but around the world. Please, don't laugh at me but I usually use DuckDuckGo Browser and I don't find any difference and I know it must exist.
P.S. Sorry if my English is not too correct but I'm Spanish... ;-|
Are you talking about DuckDuckGo Privacy Browser app for Android and iOS? It is very different and less private than Tor Browser. The fundamental thing about tor is onion routing. Click on the grey buttons for "Tor" and "HTTPS" in that link.
I will use torbrowser as long as it doesn't add nodejs or add any supplementary dependency ... But I have the feeling it will follow the madness of Firefox.
I wanted to know more but could not find anything about Firefox depending on Node.js. Could you paste a link?
long live privacy
Tor is basically unusable to a big number of us. We have a political Web site and the GOP activists are DDoSing our anti-Trump page. We had to take it down. Can you please fix this? It should be your #1 priority.
If it helps, Abuse FAQ:
First seen new behaviour. Every new tab looks like to be sent to 31.31.78.49 by Tor, but the Guard is another IP and I've never seen always another IP than the Guard, or sometimes another IP for a second Guard, but now, this second IP is always there, new tab and appears, CR and appears, then traffic only through the Guard, next click, 31.31.78.49 appears but traffic through the Guard as usual. What's going on, is this OK?
I am not sure I understand your setup but that IP address in question seems to belong to a Guard relay: https://metrics.torproject.org/rs.html#details/46791D156C9B6C255C2665D4….
sometimes another IP for a…
indeed why jumping back and forth between two guards?
Some more details. After start, there are some connections done by TOR. Later on, maybe 2 or 3 staying alive, the others are closed. As usual, there is the Guard, and is some kind of fixed. So the traffic runs through the Guard and sometimes there are keep-alives from the 2 or 3 other connections made by TOR. That was always the case, the traffic is between the LAN IP and the Guard, and sometimes one keep-alive from the others, but only sometimes. Now there was this second IP. It was easy to see that all traffic runs through the Guard shown under (i) site information, but always after CR, there was this second IP once, one data packet, after every click, but what was the data and where did they go. This one data packet sent to the second IP must be for a reason, but who is the recipient? It is impossible to see where this second connection ends. You said this IP belongs to a Guard relay, but why is TOR doing this second line, never seen before, is some kind of weird. Looks like as if it sends my visited web pages somewhere.
Further infos. As I've written, it happens for the first time, that there was a second Guard relay active and after every CR or every click it appeared with one data packet, one packet was sent from TOR somewhere through the second Guard and it disappeared after that, but all alive connections made by TOR. It was easy to see, all traffic runs through the Guard as shown under (i) site information as it should be. Also to see, other alive connections are there and made by TOR, but never seen before, such second 'Guard' and TOR sending data once after any click. Captured traffic is from inside the Windows system and from outside out of the 'wire', out of the switch, to check if there are some differences. TOR is always downloaded for every session. The system is all new for every session, no traces of previous sessions, no trojans, automated system, fast setup. Next try yesterday with version 8.0.9 behaviour as usual, one Guard active, all traffic between LAN IP and active Guard, no second IP, only keep-alive rarely from other hold connections. What was going on? Why there was this second parallel route/connection and it was impossible to see what was the destination, no infos about the parallel line. Looked weird.
Hi,
can you please make sure the adverts content doesn't cover the browser content? My iPhone Tor browser has ads covering the bottom of the screen so I can't use any navigation, rendering the app useless!
Thanks
Not sure what software you use, but there is no Tor Browser for iPhone yet. Please use Onion Browser instead.
There are actually many offerings on the iTunes App Store claiming to be a "Tor browser" or a browser that uses Tor.
https://duckduckgo.com/?q=site%3Aitunes.apple.com+%22tor%22
@ OP:
Tor Project recommends Onion Browser by Mike Tigas. There is a very tiny link to it on the Tor Browser download page under the Android section.
How can I put version 8.0.9 if it was upgraded to 8.5? It is really bad...
What's the issue with 8.5?