Tor Browser 4.5-alpha-1 is released

by mikeperry | November 18, 2014

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for supporting 32 bit Macs, the Mac edition of this release is 64 bit only, which also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you transition to this 64 bit release, the updater should function correctly after that.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS

Comments

Please note that the comment area below has been archived.

November 17, 2014

Permalink

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time.

I'm curious. How does/will this work when using a system-wide tor instance for the Tor Browser instead of TorLauncher?

November 19, 2014

In reply to gk

Permalink

Will the TorButton preferences have settings for the control port and password at some point?

November 17, 2014

Permalink

Is it safer to use Tor browser 4.5-alpha-1 than to use Tor browser 4.0.1?
Also when I go to the Download Tor page, I right click on my mouse and I click on "properties", and this is what it tells me,
Protocol: HyperText Transfer Protocol with Privacy
Type: Chrome HTML Document
Connection: Not Encrypted
Zone: Internet | Protected Mode: On
Address: Unknown
(URL)
Size: Not Available
So my point is, is their an encryption problem with the Tor browser download page?

Where are you clicking? I don't get a "Properties" menu entry. And I'd suggest using 4.0.1 as the alpha contains new stuff which is not so good tested yet that might break in interesting ways...

November 18, 2014

Permalink

Hi,
infos about Torbutton config are hard to find,however, can i set extensions.torbutton.debug to 'false' in Tails or is it a problem?Set extensions.torbutton.loglevel to 4 or 5 would be really nice,too?
Searching details about Torbutton config is like searching for Windows sourcecode(-:

November 18, 2014

Permalink

Great news.
If one uses Torsocks (or Torbidry for example) while running this version of TBB, which circuit will be used? The last one will be the "default one" or will the first one stay as "default one" until it rotates 10 minutes later?

Come to think of it, I will try this myself :P But would like to hear from you what is the "best option". Maybe Tor could use a "main circuit" for the proxy setup and just create new ones for the tabs and windows the user opens...

November 18, 2014

Permalink

  1. <br />
  2. $ curl -O <a href="https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha-1/sha256sums.txt&#10" rel="nofollow">https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha…</a>;$ curl -O <a href="https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha-1/sha256sums.txt.asc&#10" rel="nofollow">https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha…</a>;$ gpg --verify sha256sums.txt.asc<br />
  3. gpg: Signature made Fri Nov 14 14:53:44 2014 PST using RSA key ID D2F1E186<br />
  4. gpg: BAD signature from "Mike Perry (Regular use key) <<a href="mailto:mikeperry@fscked.org" rel="nofollow">mikeperry@fscked.org</a>>" [unknown]<br />
  5. $ openssl sha -sha256 -r sha256sums.txt*<br />
  6. 37f6fe5f4de2d891e94b0b4c9d6c5b5190c5f80f00ecf32a83604f6140084667 *sha256sums.txt<br />
  7. 3c3343ecdbba31256872e7545aa66971986c7ecf03d759a48da9099ee5209eaf *sha256sums.txt.asc<br />
  8. $ du -b sha256sums.txt*<br />
  9. 13128 sha256sums.txt<br />
  10. 801 sha256sums.txt.asc<br />
  11. $<br />

gk

November 19, 2014

In reply to by Anonymous (not verified)

Permalink

I seem to be not able to fix that right now. Please, use the -gk.asc and/or -mikeperry.asc as a temporary workaround.

November 18, 2014

Permalink

Great work!

However, I would really suggest adding a text window that pops up when the slider is moved to give a short explanation of what each setting does, such as "disables JavaScript and cookies" or whatever.

Without that info I know I was left thinking "well, how do I know what level I want if I don't have a clue about what each level does?"

I will open a ticket for this feature request, unless it's already planned?

On second thought, there seems to be lots of space next to the four slider setting terms (low, med-low, med-high, and high), maybe add a short description of each setting next to the setting on the slider?

Also, wouldn't these be better in terms of they're more accurate description of security?:
Weak (default)
Medium-Weak
Medium-Strong
Strong

Yes, there are some tooltips/help buttons planned explaining things. Whether "weak"/"strong" are better here I don't know. I think using "low"/"high" if one describes a certain level might be good (enough).

November 19, 2014

In reply to gk

Permalink

Yes, I agree, given your going to explain what they mean. Cheers.

November 18, 2014

Permalink

On Windows 7 this release seem MUCH faster to surf the 'net than previous releases. Page load times are very noticeably reduced! :) (using the highest security setting)

Was this intended? Or am I just the only one using Tor right now so that's why it's so fast?! :)

Stop telling lies! Another fool that don`t read the research paper.Look at this:" Our method revealed
the actual sources of anonymous traffic with 100% accuracy for
the in-lab tests, and achieved an overall accuracy of about 81.4%
for the real-world experiments, with an average false positive rate
of 6.4%"
"the real-world experiments"is equal to "the actual wilds of the Tor network"?Are you kidding?
https://ocewjwkdco.tudasnich.de/blog/traffic-correlation-using-netflows
Hi
I am here to myself clarify all misconceptions. Firslty, they have blow it a bit out of proportion by saying that "81% of Tor traffic", which is not true. It was only 81.4% of our experiments, and we have spoken about this upfront in our paper. Secondly, its only a case of experimental validation and the challenges involved in it that is the highlight of the paper. In my thesis I have also tried to address how to solve this particular attack, which might work for other attacks as well...
Regards
Sambuddho

no it's true. just ask your net admin - he can show you that there are several order of traffic amount difference in established connections for tor users compared to others short lived connections without reference to an entry guard address. and who say silly words about 100% accuracy in court decisions?

November 18, 2014

Permalink

my system was crashed and shut down when i Run obfs4 transport!!!
also my antivirus acted (Bitdefender)

Hmm, that's odd. The code doesn't do anything all that special, and I know that it works on Windows (tested on Win 8.1 64 bit/Win 7 32 bit). It certainly shouldn't be able to bring your whole system down since it's a extremely straight forward piece of software.

Anything special about your setup? What version of Windows is it? On what architecture?

As far as the antivirus goes, it's probably a false positive. Complain to your AV vendor.

November 18, 2014

In reply to yawning

Permalink

win 7/ultimate 32 bit
ofcourse as i said only when i Run obsf4
there are no problems when i connect directly or via bridges..
ISPs can figure out when we connect to tor?if Yes how we can prevent of it? by using VPN or Open DNS ( changing DNS )

i wonder does anyone know anything about security of Cyberghost VPN,Sumrand VPN and etc ? are they really encrypted?

also About Open DNS software ? is usefull?

an encrypted and safe Vpn can be helpful!
But not in all countries
For Example :if you use An encrypted and strong Vpn in iran ..is just safe for first use !
Once the ISP was informed of user connecting to the vpn ,creates a Fake Locally server (or host name) With the same name ..so User connected to the Fake server after second connecting ...

indeed In a country like Iran.The most secure VPN is only safe for the first time ! not at all

November 18, 2014

Permalink

- NoScript
NoScript Default : "Scripts Globally Allowed (dangerous)"

When you put this off (as you should) it will be set back to "Scripts Globally Allowed (dangerous)" every time you open a new tab or window.

Do we now have to disallow this every time we open a new tab or window, instead of maybe allow once in a while?

- Page info ... Security (Media, Feeds) ... still missing

It is 64 bit indeed ..

You can take advantage of the new security slider: click on the green onion -> Preferences... -> Privacy and Security Settings and change the value to "High". This disables JavaScript and a bunch of other things (see: https://trac.torproject.org/projects/tor/ticket/9387#comment:43 for the details) and is saved across New Identity/Restart. That said it might make sense to save custom settings this way as well. Should be available in the next release.

November 19, 2014

In reply to gk

Permalink

Thank you, I did found out the influence of the new slider function on NoScript after my posting.
Nice / Good function that deserves the attention.

But and please consider also to change at least one NoScript pre-setting under "medium High".
One cannot consider the "Scripts Globally Allowed (dangerous)" activated as 'Security' (my opinion, you can discuss about it) but especially not associate it with High security settings (Medium High).

Deactivated under both 'High-labeled' settings would also be more balanced (2 times activated under Low, 2 times deactivated High).

Compliments for the new Torbutton function showing the connection path with countries (saves a lot of time searching for trusted exit node countries, do not understand the need for entry nodes in Torbrowser user's own country / and maybe even direct nabor countries as well)!
Hopefully that internetroute function can be activated with a blank starting page as well, so people can judge a connection before they visit a website (now you have to visit an 'excuse' page first).

I did try to import the new Torbutton in the 4.0.1 browser, did succeed a bit but did not get the wanted extra internet connection path window working.
Would it be an idea to make this Torbutton version available for non-alpha users right away as well?
I hope so.

Thank you for answering my questions
Best regards

November 18, 2014

Permalink

My TOR browser keeps crashing, it show's a message saying, You are unable to connect to the TOR network. It is happening to me almost every time I try to use my TOR browser, can someone please tell me why my Tor browser 4.0.1 is crashing so often?

November 18, 2014

Permalink

I'd like to have an option for not closing the browser window upon changing identity.
There is already a preference "extensions.torbutton.close_newnym" for this in about:config, but it doesn't work because a "return" statement is missing after the preference test in chrome/content/torbutton.js:

  1. <br />
  2. function torbutton_close_on_toggle(mode, newnym):<br />
  3. []<br />
  4. if (newnym) {<br />
  5. if (!close_newnym) {<br />
  6. torbutton_log(3, "Not closing tabs");<br />
  7. }<br />
  8. } else if((mode && !close_nontor) || (!mode && !close_tor)) {<br />
  9. torbutton_log(3, "Not closing tabs");<br />
  10. return;<br />
  11. }<br />
  12. []<br />
  13. }<br />

November 19, 2014

In reply to gk

Permalink

Thanks, but I just wanted to report this issue and a possible fix anonymously, without having to open a bugtracker account.

November 18, 2014

Permalink

Tried to create a bug report, but that needs an account, so I'm posting it here.

NoScript is always reset to allow all on startup. To reproduce:
- Download linux64 4.5-alpha-1 tor bundle and open
- Run addons update to get NoScript 2.6.9.4
- Turn off scripts globally allowed
- Close and reopen browser
* Scripts will again be globally allowed

I get why it's initially enabled, but I'm really hoping this is a bug. Thanks.

See my reply above. Yes, this may indeed be a bug. We should save custom settings as well or better: we should not fall back to the currently selected security slider mode.

Here's the anon account access (as guest):

user: cypherpunks
pass: writecode

(To Tor folks: it's probably a good idea to make this guest pass wider known?...)

November 19, 2014

Permalink

Hello and thank you so much for all the work on TBB and other associated projects.

I'm using Win 7 32 bit (don't laugh)

I always test my TBB using the ip-check.info site from JonDo to make sure all my settings haven't changed every time I open it to browse the web.

My 4.0.1 stable release only has 5 sections which are orange and therefore medium safe for tracking purposes:

Cookies
HTTP session
Referer
Do-not-track
Browser Window

I've just downloaded and successfully verified the new 4.5-alpha-1 TBB and everything on the ip-check.info site is the same except for one new area which went from green 'protected' (good) to angry red (danger):

Authentication

"This allows 3rd party tracking using HTTP authentication headers"

Is this a problem or should I not worry too much about it?

I'm so used to having all my sections green and orange, it would be a shame to lose that calming effect.

Loving the new TOR Circuit data btw, thank you whoever did that. :)

November 19, 2014

In reply to gk

Permalink

Thank you.

November 19, 2014

Permalink

@ "...and different websites should use different circuits, even when viewed at the same time..."

Unfortunately, they do not! 6tabs w/ diff sites open, but only 2 diff circuits for 6 of them. This would be a great feature, if it actually works.

November 19, 2014

Permalink

can anyone Explain about mac addresses:

i have heared Iran's cyber police does not need to IP addresses.they figures out and nabs Offenders By system MAC addresses(or modem mac addresses ).is it true?if Yes I'm curious to know how??

November 19, 2014

Permalink

唉,还是不行,必须双重代理,中国湖北联通网络。
opps,cannot work by meek-amazon/azure here, in China...

November 24, 2014

In reply to dcf

Permalink

MEEK doesn't work with windows 7 OS,but it could work reluctantly under the GNU/Linux, eg. Ubuntu.BTW, Here's Hubei, in P.R.China

November 19, 2014

Permalink

New identity "Tor circuit for this site" function error ?

When you visit the page " https://check.torproject.org/ "
and follow the link "Atlas" to the page
https://atlas.torproject.org/#details/(a-Fingerprint-number-follows)
you will see the ip address as well as the country of the exit node.

Comparing the country and ip address of the 3rd 'station' before the 'internet' in the new Torbutton pane under "Identity" gives totally different results when compared to the results given on the Atlas page! (tested several times).

Which one gives the right country location of the exitnode?
And if the Torbutton is not giving the exitnode location in the 3rd 'station' during browsing, why not?
It seems to me that the exitnode country location information the info is what users want to see.

How do we know for sure that the new Torbutton pane is giving the right data?

The exit node you are seeing in the Torbutton pane is an exit node from ONE of Tor's (multiple) circuits but not necessarily the exit node you are exiting from; if you want to know your REAL exit node it would be best to use an IP checking service and just ignore whatever the Torbutton browser panel is saying.

it would be best to use an IP checking service

No I don't think so.
Some populair IP checking services do give a lot of times very different (or no) geo location/country results compared to the atlas results.
This experience is based on comparisons using Torbrowser 3.5 /3.6 versions and do not have anything to do with the new Torbutton function in Torbrowser 4.5.
I tended to believe the Atlas results.

Btw, A visible country flag (or Country code top-level domain extention like Us, Ca, Aq, ) of the exitnode next to the Torbutton and NoScript button would be even more awesome.

Thanks for answering anyway

A lot of IP checking services do give the (local) time but are unable to check the (system) time unless javascript is enabled.

The behavior you are seeing makes perfect sense. The circuit is made dependent on the domain in the URL bar. Thus, first the domain is check.torproject.org and the fingerprint you find in the link to atlas is for the exit relay used for this domain. Now you go to atlas.torproject.org which is a different domain. Atlas shows the exit relay you used to visit check.torproject.org but if you look at the circuit UI while being on atlas.torproject.org you see the circuit used for reaching atlas.torproject.org which is very likely a different one.

November 20, 2014

In reply to gk

Permalink

I see ;), checked and it works indeed very well.
Thanks for the answer.

November 19, 2014

Permalink

I'm getting this error on Mac OS "A copy of Firefox is already open. Only one copy of Firefox can be open at a time." even though FireFox is closed. I restarted my computer and still got the same error.

Some thoughts on this Mac (only?) problem

Sounds familiar, I think it could be the result of wrong file permissions on files and folders.
Although the security-concept of "Read only" permissions on files is an attracting idea, it is not working on all the files in your Torbrowser application.

What you could do, just check the permissions on this folder (and some of their enclosed items) within your Torbrowser.app (ctrl-klick on the app an choose "Show package contents).

- "TorBrowser" (directory within the Torbrowser.app)
Path: TorBrowser.app/TorBrowser/

When the user permissions on this folder and enclosed items are all set to "Read only" (select the folder and open the info pane with keys "cmd" "i") you will get the same FF warning while trying to start your Torbrowser.
At least one user in the permissions list (the .. local user/owner user, not "wheel" or "everyone") should have "Read & Write permissions (when changing permissions, in this case also use the "Apply to enclosed items" option to that "Torbrowser" folder).

I don't know if this is permission issue is directly related to your problem and if it's solving it. For me it did the trick.
But when it does, could it be that you did put your Torbrowser in a folder somewhere, set the permissions on read only for that folder while using the option "Apply to enclosed items"?
Then all the items within the enclosed application will get the "Read only" status as well and that won't work because Torbrowser has 'swallowed' a whole read & write directory with a lot of browser files you usually find in your local library, mozilla browser directory like (path) ~/Library/Application\ Support/Firefox.
These files change (at least some) while using your browser and therefore the permissions do need to have the status read and write.
Another possibility, from my experience is when you duplicate an already installed Torbrowser.app it sometimes will be (± 1 mb) smaller (files missing in the Torbrowser folder) and also not working.

In the end I think a reinstall of your Torbrowser app would be a better option than changing the read and write permissions within your app (but I could not resist to share some thoughts about this issue).

.. One last thing, Warning!
If you are experimenting with file permissions on your Mac ..
Be really really really careful with that, especially with the "Apply to enclosed items" option, extra especially with important (system)folders. Doing this on system directories or maybe on a whole hard disk can get you in deep trouble which will cost you a lot of work to get things working again, if so (disk utility won't help you with that, make sure you have at least a recent trustworthy back up of everything to replace the unfortunate results of too much experiment enthusiasm).

Good luck

November 19, 2014

Permalink

"circuit status reporting UI (visible on the green Tor onion button menu)". Doesn't work with tor bridges tried obfs3, obfs4, scramblesuite. No circuit status UI comes up!!!!

November 19, 2014

Permalink

The tor circuit satus UI is not working in Bridge mode. The following have been tested: obfs3 obfs4 scramblesuit

November 20, 2014

Permalink

Is it feasible to add support for more flexible proxy configuration with PAC scripts to Torbutton? Currently Torbutton only knows manual proxy setting (network.proxy.type 1) or direct connection (network.proxy.type 0) for transparent torification, but not network.proxy.type 2 for automatic proxy configuration with a PAC script (network.proxy.autoconfig_url with file:///... URL pointing to a local script).

With this feature and an appropriate PAC script it would be possible to connect to the open web and onion sites via Tor SOCKS and to other "darknets" via other proxies, e.g. connect to .i2p domains via the HTTP proxy port of the local I2P relay.

November 20, 2014

Permalink

None of meeks and obfs3 obfs4 scramblesu does not work in Iran .
indeed Tor works only directly and by suing custom bridges

Hmm, that's interesting. Lacking a vantage point in there to test things for myself, it's sort of hard to look into this further, though I'm surprised that they allow connections to the DirAuths and public relays, but explicitly block the default bridges and a bunch of cloud providers.

I assume if you obtain obfs3, obfs4 and ScrambleSuit bridges from BridgeDB that they work?

November 20, 2014

Permalink

Good news:The obfs4 bridge can work normally in China.
Bad news:Where is the circuit status reporting UI?I can`t find it anywhere!(TBB 4.5.1a zh-cn windows version )
And I still can`t edit certs in TBB.Please fix it as soon as possible.

November 20, 2014

Permalink

"All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time."

From a general point of view, without being privy to the Tor protocol details, it occurs to me that recent changes like only one entry guard and the aforementioned single circuit per website reduces complexity for an observer. Indeed I would have wished for this as an observer: With less elements involved and a clear separation of streams per site there is less doubt about who does what and correlation appears much easier to me.

Is there an objective analysis backing these design decisions? Because for me they are counterintuitive.

Exactly! Mixing circuits is like a built-in fuzzer! Now I understand it may be necessary for the implementation of the circuit status reporting.... but what exactly will that do? Hopefully it will be worth the tradeoff. And even more importantly, hopefully Tor soon implements some channel masking measures to thwart traffic correlation attacks.

November 20, 2014

Permalink

I downloaded the mac version and when I tried to open it it gave me error "firefox is still running, close firefox..." even though firefox was not running.

November 20, 2014

Permalink

Does the per-site circuit isolation also isolate cookies, in-memory cache objects, etc.?

Cookies: Obvious concern.

Cache: Evercookie-style tracking via last-modified, etag, etc. using appropriate HTTP headers (If-Modified-Since/If-None-Match). Perfect for linking sessions loaded with "Like/Tweet/+1" buttons, and other assorted evil web bugs.

Local storage: (Does Tor Browser even allow this at all? It shouldn't.)

Separate questions:

* Do Security Slider's higher settings disable remotely-loaded webfonts? (CUT YOUR ATTACK SURFACE, always disable these when you disable script! Font rendering code is complicated, and often ignored from a security perspective; it has been subject of exploits before. Obviously, disabling HTML5 fonts while permitting script would be stupid, and allow some fingerprinting.)

* Do Security Slider's higher settings disable HTML5 audio/video, or at least make them require user action to play? (Same issue, codecs are complicated beasts...)

Thanks!

No, the per-site circuit isolation has no influence on the the cookie/cache etc. isolation. We are already binding e.g. the cache to the URL bar domain. Have a look at https://sedvblmbog.tudasnich.de/projects/torbrowser/design/#identifier-linka… for where we are now in this regard.

For the security slider related questions see:
https://bugs.torproject.org/9387#comment:43 Disabling MathML and SVG is still missing all the other things should be implemented accordingly.

November 20, 2014

Permalink

A bug? If the open tab is shut using the X the whole browser closes. This did not happen on the 3 series TOR. If you clicked on the tab to close it a new tab opened.

November 21, 2014

Permalink

how should i get obf3 bridges for Tails?
why Tor Browser on tails does not support obf3 ??!!!

which one do you Recommend?

using my own windows and Tor Browser 4.5-alpha-1?(ofcourse with changing mac address)

or

Tails operating system??

i am not able to config bridges on Tails ! it connects directly

-"how should i get obf3 bridges for Tails?"
Copy pste them from bridges.torproject.org to a .txt file and move them to a usb/flash, and when you boot tails and asked for bridges copy paste the ones on the usb/flash stick

-" why Tor Browser on tails does not support obf3 ??!!!"
It does support obfs3, it even supports scramblesuit

-"using my own windows and Tor Browser 4.5-alpha-1?(ofcourse with changing mac address) or Tails operating system??"
Tails on a dvd (much better than on usb) is definitely recommended over any other operating system, even linux. I would have explained the reasons, but there's simply no enough space here for it.

-"i am not able to config bridges on Tails ! it connects directly "
that's because you have to choose "more options" after you boot it, then a new window will appear, at the bottom of this long window there's a box that begins with "my connection is censored..." click it and then click login. after you connect to a wifi connection it will ask you about bridges.

thanks so much ! it now works fine .
but when i verify tails.iso this messages appear: Bas signal

it means i should Redownload iso image ???

November 21, 2014

Permalink

"...Tor Browser 4.5 series...restoring one of the features most missed by users following the removal of the now-defunct Vidalia interface from Tor Browser — the ability to quickly visualize the Tor circuit that the current page is using."
(ocewjwkdco.tudasnich.de/blog/tor-weekly-news-—-november-19th-2014)

A Vidalia main feature is 'Close Circuit' -for privacy highlights like US-US-US(-:.
I get this,too?

November 23, 2014

Permalink

Weird connection issue.

I noticed that after several 'new identity' reloads that if I then checked the 'tor circuit for this site' charts, the first hop was always 173.255.249.222 which seems to be a location in the USA. Looking up 'who is' it is not traceable. As I am not in the USA I find this peculiar as I thought the whole route was changed if the browser was reloaded. Incidentally i reloaded it about 20 times to check and used http://ipcim.com/hu/ to check.

November 25, 2014

In reply to arma

Permalink

"It depends on the malware. Disabling javascript is not a cure-all. Many attacks on browsers rely on javascript, but also many don't rely on it."
I just want to know if it can still download and run a virus/rat/rootkit/etc... can it?

November 25, 2014

Permalink

"Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs "
I can;t find this UI anywhere! (Yes, I clicked the tor button and still nothing)

November 25, 2014

Permalink

I wanted to open the following ticket, but then I saw the "Register" button. So I'm just going to write it here:
Mention TAILS and OrBot in about:tor

November 25, 2014

Permalink

The "Reset To Browser" in safe boot modus is still breaking the Torbrowser by throwing away the "profile.default" folder and replacing it with another having exotic names like this "3uizc0hnh.default-49752159205" (changed it a bit, don't know if its some kind of a code? It also looks like a nice, more unique, fingerprint).

After reset, Torbrowser will not connect to the Tor network anymore and looks like a normal Firefox without internet (still, you can use it as a local html page viewer then, very private and safe ;)

I don't know why you should use the reset function anyway. A fresh clean installation of Torbrowser seems anyhow a better idea to me, it's very easy (be sure that you backup first the necessary bookmarks, if you have, or other changes, if you have, for an easy import in the fresh Torbrowser).

November 25, 2014

Permalink

I really like the new feature that allows us to see where the used relays are located.

That made me see a security threat - sometimes all three relays are based in the same country or the entry and exit. I think there should be additional code added to make sure this never happens, imagine the chaos when exit and entry node is from the USA and controlled by NSA. Overall the Tor Browser 4.5-alpha-1 is great.

November 28, 2014

Permalink

Torbutton - Entry Guards & Exitnodes

Would it be an idea to introduce a "New Entry Guard" option beside the "New Identity" option in the Torbutton menu, so people can change easily their (unwanted country) entry guard?

Now you have to reinstall a fresh Torbrowser copy or throw some files away from the app internals to accomplish getting rid of an entry guard you feel not comfortable with.

Regarding the eavesdropping lab experiments news
Would, could it be possible to avoid the possibility that the entry guard and the exit node are the same country?
It happens quite often, even 3 times the same country in the Tor Circuit list.
Avoiding this maybe would make it harder to accomplish eavesdropping by connecting data analysis from entry guards and exitnodes?

See
https://trac.torproject.org/13843
for more discussion on this topic.

The short answer is that you're right that it could help against certain attacks, but it also likely hurts against certain attacks. So it probably isn't wise to expose this sort of thing to users, who will all use whatever their intuition is and end up splintering the anonymity set. The better answer would be to write up the known upsides and known downsides so people can make more informed decisions. See (and help with!) the ticket.

November 29, 2014

Permalink

Just set up TOR 45-alpha-1. I have a problem with the tabs and wonder if anyone knows a fix? With the older 3 series if you shut down one tab a new one opened automatically so the program stayed open. With this new version if I close the only tab that is open the whole program shuts which is a real annoyance. Anything in the settings that I can change to avoid this?

Win XP pro3

December 01, 2014

Permalink

I would like to run Torbrowser in read-only media, is this possible? I just extract the Torbrowser folder to read-only media and tried to run it, but the program broke when he tried to modify read-only files on it. Torbrowser works in live mode?

Mike Perry just told me it probably doesn't work and it would be quite some effort to make it work correctly.

So, patches happily accepted! :)

December 03, 2014

In reply to arma

Permalink

That's what I also wrote in this (long) post

On November 25th, 2014 Anonymous said:

Some thoughts on this Mac (only?) problem ...

It won't work.
Besides, on usb fat formatted disks you can't even set filepermissions (or am I wrong?). Setting file permissions will work on Mac hfs formatted usb sticks or disks. But you can't set all the internal app files to read only (see post).

December 02, 2014

Permalink

Startpage behaviour

People already mentioned Cloudfront is showing unacceptable behavior towards Torbrowser users.
We know Google (if you are using it) let's you fill in Capchas for simple services as well (quite dualistic behavior when they are part of the meek options in Torbrowser).

Now for a while Startpage has started asking you on a regular basis (a lot of times) to do the same thing, very annoying because you have to refresh the whole connection (there goes another open webpage besides your search) and it seems you sometimes even first have to start a renewed search attempt with another search term too ! (to avoid another captcha message)

Time for a constructive talk with Startpage company about this?
Or switch to another standard more 'legitimate' search engine for the best experience for Torbrowser users?

Their message in this very degrading service experience

Startpage

As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.

Thank you,
The StartPage Team
Please enter the text below to continue using StartPage.

Text in image is case-sensitive.
Having trouble reading the CAPTCHA?Please click here to view a new CAPTCHA.
You may do this as many times as you need.
Time remaining for this CAPTCHA : 02:00

..............

Submit

(I know the Manage Search options, btw)