Stable Torbutton Release Approaches

by mikeperry | July 7, 2008

For those of you just tuning in: Over the past year, I have been the maintainer of the Torbutton Firefox extension, adding a number of features and security enhancements to transform Torbutton from a simple proxy switcher into a secure way to fully isolate all browser state from one proxy state to another and defend against all known privacy and IP address leakage attacks.

The release candidate phase of the extension started about a month ago, but with the release of Firefox 3 and the Torbutton 1.2.0rc series occurring at the same time, we've hit a number of unexpected rough spots and snags. However, with the 1.2.0rc5 release of Torbutton, I'm pleased to report that the majority of those now seem to be behind us (a few annoying Firefox bugs notwithstanding).

Thanks to contributions from arno, the Cookie Jar features now work with Firefox 3. They have even been improved to allow cookies to persist in memory-based jars across Tor toggle (as opposed to requiring Tor cookies to be written to disk to preserve them), which I personally already find very useful.

In addition, Torbutton is now much better about preserving users' custom Firefox preferences, including password and form fill preferences. Amusingly, the fact that we touch these preferences to protect users during Tor usage led to wild speculation on the addons.mozilla.org page that we were using them to steal passwords and send user details to Alexa. Of course, simply grepping the source code for 'Alexa' and related IP addresses proves this to be false, but that didn't stop at least three people (or at least three sock puppets) from running with the rumor that Torbutton is a password stealer. Ignorance sure is contagious.

At any rate, after over a year since development began, it looks like we're finally getting really close to declaring Torbutton 1.2.0 'stable', which should coincide nicely with the upcoming Tor 0.2.0 stable release and bundles. It's been a long road!

Comments

Please note that the comment area below has been archived.

I have no idea how that Thunderbird page was created. Well, I do have an idea how it was created, but I don't know why it still exists. Torbutton used to support basic proxy switching on Thunderbird back in the 1.0 days, but that support has been removed because it has not been analyzed for security. My developer tools page on addons.mozilla.org clearly lists Firefox support only, so I don't know why they didn't delete that Thunderbird listing.

I am not a Thunderbird user and unfortunately, I don't have time to analyze the security issues involved with toggling proxy settings in that app. It likely suffers from similar (but not identical) state and proxy leak issues with HTML mail, embedded images, JavaScript, plugins and automatic network access. My recommendation is to create a completely separate Thunderbird profile for your Tor accounts and use that instead of trying to toggle proxy settings. But if you really like to roll fast and loose with your IP, you could try another proxy switcher like ProxyButton, SwitchProxy or FoxyProxy (if any of those happen to support Thunderbird).

July 14, 2008

Hi, how do I block unwanted IPs in TOR? Some of the tor nodes are malicious; they are injecting ActiveX in HTML code and modifying the data.

How do I block IPs doing this?

Find the exit node and put it in "exclude nodes" in your torrc file.

However, you shouldn't be using a browser that honors ActiveX through Tor. Your anonymity can be compromised through ActiveX.

July 16, 2008

In reply to by Anonymous (not verified)

Easier to block with:

ReachableAddresses reject x.x.x.x/16:*,accept *:80,accept *:443,reject *:*

July 17, 2008

Is there somebody else who experienced this bug...?

I can't uninstall.

The program leaves the XP install/uninstall window but remains in the tray and keeps sending up the configuration window.

How can I get rid of this version? (experimental version)

I want the stable version instead...

best regards

mike

July 19, 2008

I can't figure out how to submit when I have tor enabled. My form buttons don't work. I can't check email or anything.

Router Login continuously reloads "Status Webpage" only.

Firefox 3.01
Dlink DGL-4300 Firmware v1.6
Torbutton 1.2.0rc6
Firebug 1.2.0b3

Temporary Solution: Disable both Torbutton and Firebug Plug-in extensions.

Can someone please explain why these two plug-in extensions cause the Dlink router status webpage to continuously reload? Is this a Dlink, Firefox or plug-in extension issue here?

July 26, 2008

Hi, I recently installed the stable download for Windows XP, but after I realised I had to use Firefox I uninstalled it. Due to the recent net security flaw scare about network vulnerability, I went on Doxpara and tested my system to see if my provider was patched, and it keeps coming up with toorrr.com is trying to gain access to my ports... Is that you guys? Could there still be remnants of the program on my PC after uninstall?

January 03, 2009

Have uninstalled not just Torbutton but all the related TOR suite, yet Mozilla Firefox still won't accept needed cookies for such things as Gmail. All the correct preferences in Mozilla for cookies are checked. Mozilla now twice reinstalled. Even did a pre-TOR System Restore. Cookies still not accepted.

Have switched back to IE, but would prefer Mozilla.

Any help appreciated.