Tor Browser 5.5.4 is released

by gk | March 18, 2016

Tor Browser 5.5.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release updates firefox to 38.7.1. Mozilla decided to disable the Graphite library in this release and we are taking the same action: irrespective of the security slider settings the Graphite library won't be used for rendering fonts in Tor Browser 5.5.4. The Graphite font rendering library was already disabled for users on the security level "High" or "Medium-High".

The full changelog since 5.5.3 is:

Tor Browser 5.5.4 -- March 18 2016

  • All Platforms
    • Update Firefox to 38.7.1esr
    • Update Torbutton to 1.9.4.5
      • Bug 18557: Exempt Graphite from the Security Slider (Firefox disables Graphite by default)
    • Bug 18536: Make Mosaddegh and MaBishomarim available on port 80 and 443

Comments

Please note that the comment area below has been archived.

Anonymous (not verified) said:

March 20, 2016

Permalink

درود بر مصدق کبیر، او راه آزادی و استقلال را به مردم ايران نشان داد. او در تاریخ ایران مانند ستاره ای میدرخشد.

درود بر مصدق کبیر، او راه آزادی و استقلال را به مردم ايران نشان داد. او در تاریخ ایران مانند ستاره ای میدرخشد

بت سازی نکنید دوست گرامی. مصدق هم مثل هر سیاستمدار دیگر یک انسان بود و پر از تصمیمات درست و نادرست.پیشنهاد میکنم پیش از شعتر دادن، کتاب خاطرات دکتر مصدق و و نوشته های مهدی شمشیری و علی میرفطروس رو هم بخوانید. با سپاس

شازده مصدق السلطنه را می گویی
همانی که مجلس را منحل کرد
همانی که حکومت نظامی اعلام کرد
همانی که قاتلین شادروان کسروی را از زندان آزاد کرد
همانی که از دستور قانونی شخص اول مملکت (با توجه به قانون اساسی آن زمان)برای واگذاری پست نخست وزیری خودداری کرد
رهبر جبهه ملی های که این بلا را سر ما آوردند
یه کمی بجای شعار دادن فکر کنید
عقل برای تفکر اسنت

Mossadegh was the Persian president (Iran) assassinated to make way for the Shah, supposedly by the British Secret Service and the CIA. The reasons were, supposedly, that he was an independent freedom loving democrat but the West wanted an autocrat it could control. Not much of this is true. But someone had to make a political statement, didn't he?

Mr.Mossadegh was a nationalist prime minster and believed the benefits of Iranian oil resources should be allocated to Iranian in order to make a prosperous life to his nation and along with this believed democratic procedures to govern the community and owing to these believe he opposed to the interferences of foreigners especially great Britain in our oil industry and triumphed to nationalize the oil industries eventually ,but unfortunately the US& the UK. overthrew his legal government and returned the ex Shah which escaped in consequent of people revolution to the throne it should be added that Dr.Mossadegh is a loving character for most of Iranian ,

sad to say, but ur theory is all bullshit. the CIA and maybe the British did oust the ruling parting, but the cia certainly did. they did want a puppet they could control. was great for big oil in the US.

There's little doubt about the WEST assassinating Mossadegh to install the SHAH, who was virtually a servant to the CIA and the BSS. I would imagine the KGB was close at hand, considering their prey was a freedom loving democrat.
Should the previous writer have more detailed information, for it to be divulged, might help to burst the bubble which is causing so much havoc in the Middle East.

Hi, happy Iranian New Year to all TOR officials who do their best to let us leap thru the barriers created by our molla and semi-molla-driven regime here in Iran and go to blocked sites, which wouldn't havve happened if it weren't for your big help. By the way Mosdegh was an Iranian Prime minister overthrown by British and American agents of intelligence of my birth and has to be forgotten to build a better world but it gives our present so-called rulers to drive us to MIDDLE AGES.
I appreciate your favors on part of me, my family , and many many friends known or unknown in Iran with lots of difficulty and reduced speed of the net to communicate with other humans thinking differently from mollas and semi-mollas who have be-theft our so-called revolution of 1979 and 80s for a better western or libro-democratic way of governing. We are at the bottom of a bg ditch dug by ourselves.
BYE>

Hey! :) Has ANYBODY from America ever just said that WE...as a PEOPLE>>>KNOW that YOU GUYS...the real people, the ones that see and live all of this...are held as hostages to your situation. WE...as a PEOPLE...although glad that we don't suffer your circumstance...realize that on any given day, should you fall into peril in front of us, the real American...You would be swarmed with love and help and understanding so fast it would make a King's EYES twirl in its head. WE...ALL OF US...ARE THE PEOPLE! :)

I KNOW that the very same would happen should I ever need your help. This is the comfort that will allow us to carry on, but never fail to let others run what you inherently know to be right...weigh all with the measures of the multitude, do the math, and then spring from your heart to cause the change. Don't try it alone. There is more than one way to skin a CAT! Take heart, and good luck over there. The universe is watching US! :) TOMMY TUNES...FLORIDA USA

Anonymous (not verified) said:

March 18, 2016

Permalink

... just to add... wish there was a way to encrypt bookmarks, like a bookmark locker - password protected ... would be nice.

Anonymous (not verified) said:

March 19, 2016

Permalink

Thank you for that thoughtful and insightful comment. Your contribution to this blog is much appreciated.

Anonymous (not verified) said:

March 18, 2016

Permalink

cool

Anonymous (not verified) said:

March 18, 2016

Permalink

great software and constantly kept up to date by a small dedicated group of folk who are passionate about privacy and security on the WWW.
We all appreciate your hard work !!!

Anonymous (not verified) said:

March 18, 2016

Permalink

For the first time yesterday, as I was reading Twitter while using Tor & Ghostery, an advertisement appeared on Twitter that should have been blocked. Hopefully this Tor update will stop this happening again.

1. most sites use javascript in some manner, to put ads on a web page.
2. unless the javascript domain is whitelisted, those ads are usually blocked by noscript extension.
3. So, I think you should check if you have twitter in noscript > options > whitelist (tab)
4. if you allow javascript on twitter, then check that untrusted menu while on a twitter pag. And if you rely on ghostery, check the ghostery settings?

Noscript Untrusted domains menu:
(A search found screen capture on http://www.addictivetips.com/internet-tips/noscript-provides-enhanced-s…)
I use the noscript button to access untrusted list. This screen capture shows the list by using firefox orange thing menu?
http://cloud.addictivetips.com/wp-content/uploads/2011/11/context-menu-…
you can see that many domains have not yet been marked untrusted.
I trend toward restricting javascript. So i don't know if I would need to allow javascript on addictivetips.com, but if I did allow addictivetips.com, I would untrust all others in that screen capture list.

Using Tor Browser with Ghostery is likely to make you fingerprintable; depending on your settings in Ghostery you might present a unique fingerprint. Depending on your threat model, this can be a bad thing.

Anonymous (not verified) said:

March 19, 2016

Permalink

Sorry - I appreciate TOR - But last month all Web pages display squares instead of symbols
This does not happen on other browsers -
I tried everything - update programs, cleaning the computer - Nothing
I do not know what to do
Any solution?
birdland.birdland@laposte.net

Anonymous (not verified) said:

March 19, 2016

Permalink

I'm guessing this is referring to symbols getting replaced with the unicode number in a square if you have font downloads disabled with a high security level.

Anonymous (not verified) said:

March 19, 2016

Permalink

When you click n the archives tab from the home screen it responds with Forbidden.

Anonymous (not verified) said:

March 20, 2016

Permalink

"ARCHIVES" link at the top of this blog always returns "Forbidden."
This is confusing to many and some fixes/clarification will be needed.

Comment is about violet colored "tabs" near the top of https://ocewjwkdco.tudasnich.de/ ("home page"). Link is https://ocewjwkdco.tudasnich.de/archive

The same observation as
https://ocewjwkdco.tudasnich.de/blog/tor-browser-554-released#comment-164363

a web search found longer https://ocewjwkdco.tudasnich.de/archive... link, which also comes back as 403
https://ocewjwkdco.tudasnich.de/archive/all/2013/8/4

Anonymous (not verified) said:

March 19, 2016

Permalink

A little bit 1/8off-topic but important -- i burst:

Where is Vidalia in new Tails gone?
With Vidalia you has a relay list overview, can stop circuits, edit the torcc(NORMAL Guard security! NO bridge).
Now you get nearly nothing -WTF- they call it Onion Circuits.

Why they do it? Security without PRACTICALITY is really great sh*T -sorry, it's true. More than true.
As a normal user you have no right to say in a matter?
And in https://labs.riseup.net/code/projects/tails/roadmap
they talk to oneself only..... . Great ..... -a lot of nothing you don't need.

Please bring the practicality of Vidalia back.
If you -Tails developers- won't, describe why an why no practical replacement.

With Linux i hope it's not like talking to microsoft, lol.
Or is using tor controller software like Vidalia being in a super secret nerd society?
Hello torproject can you help Tails users?

Vidalia development hasn't been active for years; Tails has been using it despite it being unsupported and depreciated. We have no clue what security related bugs are in there and no one is looking for them. Tails should have dropped it after shortly after The Torproject stopped developing it.
You've got no reason to trust the information that the relays supply that you can see through Vidalia. Vidalia has a very nice pretty interface, but it doesn't prove many more features than say, Arm.
If you can't figure out how to edit torcc without assistance, you probably don't know enough to not shoot yourself in the foot with your edits.

Onion Circuits is new software; give it time to age and it may gain the features you desire.

"If you can't figure out how to edit torcc without assistance, you probably don't know enough ... shoot yourself in the foot ...."
It's not helpful in any way to assume only hypothetical things about Tails users.
Please explain how interested Tails users can edit the torcc in an effective and secure way.
Simple editing torcc as root doesn't work?

"give it time to age and it may gain..."
Weeks, years, likely never?
Using tor secure is the main reason to use Tails and Vidalia was a HIGHLIGHT. Arm and his GUI is disabled -to old or usable only for the super secret nerd society?

Anyway, in Tails there is NO SIMPLE proper way to set a STATIC set of Entry Guard / Directory Guards like ALL TBBs do.
THAT'S the real problem. It has nothing to do with setting bridges.

Anonymous (not verified) said:

March 19, 2016

Permalink

The prompt action of the security/privacy communities and the appreciative responses from the users constantly reminds me that I'm not on my own island of thought and beliefs. I give back in the ways I'm able. It infinitely bugs me there are armies of people trying to dismantle these efforts in return for a government paycheck... so I run a dedicated relay with extremely tight security and poke around the implementations/code to see if I can spot vulnerabilities/weaknesses early. Anything to help hold the hill.

Anonymous (not verified) said:

March 19, 2016

Permalink

I only use add-ons bundled with torbrowser, but is it safe to update the addons via the "check for update" option in the extension drop down menu? are man in the middle attacks or other compromises a concern? I notice even with brand new versions of torbrowser, sometimes the addons included are not the latest versions and updates to the add-ons get installed when I do this. Is it not recommended?

Ideally, we would review every change of NoScript and HTTPS-Everywhere before we allow new versions of them in Tor Browser but that is currently not possible engineering-wise. So, updating them over the in-browser update mechanism is currently the recommended way of getting newer versions of them. Yes, compromises are a concern and we are thinking about possible mitigations in this regard.

Anonymous (not verified) said:

March 21, 2016

Permalink

Answer unclear to me (like other times the question has been asked).

Because there are apparently TWO "in-browser update mechanisms".

For NoScript and HTTPS-Everywhere, are you recommending:

the __extension (add-on) __
"in-browser update mechanism",
that the questioner wants for quicker updates,

or
the __whole-Torbrowser__
"in-browser update mechansim"

that is less frequent but presumably Tor-reviewed a bit.

Thank you.

TOR for mobile is a lie....or any OS that is so very willing to collect location data (Windows 10).

With ORBOT for Android, you're given the choice of 'proxy all traffic' with '(recommended)' next to it, or just specific apps. Why don't you want to proxy all traffic though it? Well, google, linkedin, facebook and every other location data hungry apps know where you are, and that you came from a TOR exit node. If you're google they have your Device ID with that location data. The following post had me within 2 meters of my exact location, and my GPS was not on - just cell-tower triangulation.

POST /userlocation/v1/reports/1605150082?devicePrettyName=SAMSUNG-SM-N900A&nlpVersion=2015&osLevel=18&platform=android%2Fsamsung%2Fhlteuc%2Fhlteatt%3A4.3%2FJSS15J%2FN90xxxxxxxJ5%3Auser%2Frelease-keys HTTP/1.1

Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip
X-Goog-Spatula: CjYKFmNvbS5nb29nbGUuYW5kcm9pZC5nbXMaHE9KR0tSVDBIR1pOVStMR2E4RjdHVml6dFY0Zz0SIxxxxxxxxxxxxxxxxxxxxxxxgOw1E/6wkVsdB223JZlCQ94FH9GMWSuLGZuOKdMyCcicielKiY35AB
Authorization: OAuth ya29.fQHM6zZH33xRlsyPX6WI7NJoo7FFNxd52-dJn89bkAq68xMFtxxxxxxxxxxxxxxxxxxxewxBKOiZjy-Lygp7RNjLmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
User-Agent: unused/0 (hlteatt JSS15J); gzip
Host: www.googleapis.com
Connection: Keep-Alive
Content-Length: 13904

{"batch":{"activityReadings":[{"activities":[{"confidence":85,"type":"still"},{"confidence":15,"type":"inVehicle"}],"readingInfo":{},"timestampMs":1432433587998},{"activities":[{"confidence":100,"type":"still"}],"readingInfo":{},"timestampMs":1432433769103},----------SNIP---------{"description":"stationary","newRequest":false,"samplePeriodMs":1080000,"sampleReason":"stationary","sampleSource":"internal","timestampMs":1432434129998},"timestampMs":1432434129998}],"locationReadings":[{"location":{"approximatelyStationary":true,"horizontalAccuracyMeters":146,"latitudeE7":377144316,"longitudeE7":-xxxxxxxxxx},"longitudeE7":-xxxxxxxxxx},"readingInfo":{"batteryCondition":{"charging":"usb","level":75,"scale":100,"voltage":4056},"source":"wifi","wifiScans":[{"mac":163309631168576,"strength":-48},{"isConnected":true,"mac":66064160513366,"strength":-48,"wifiAuthType":"wpaPsk"},{"mac":172444063773272,"strength":-78},{"mac":172444063773273,"strength":-78},{"mac":172444063773264,"strength":-77},{"mac":273699571546912,"strength":-85},{"mac":66206466797504,"strength":-90},{"mac":163021170350512,"strength":-90},{"mac":35344975904280,"strength":-90},--------SNIP---------
"readingInfo":{"batteryCondition":{"charging":"usb","level":76,"scale":100,"voltage":4060}

iPhone does the same thing. You should man-in-the-middle it sometime.

Anonymous (not verified) said:

March 19, 2016

Permalink

Thanks for your hard work, love your browser, tor in general and your talks :)

Next time I see you guyes a have to buy you a beer (or a mate)!

Anonymous (not verified) said:

March 19, 2016

Permalink

I've heard rumors that the 2015 FBI Tor Browser attack exploited a font rendering bug.

Was the security slider around to disable web fonts at that time?

Anonymous (not verified) said:

March 19, 2016

Permalink

i'm getting the following when using transport scramblesuit.

19-03-2016, 11:04:52.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
19-03-2016, 11:04:52.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
19-03-2016, 11:04:53.800 [NOTICE] Bootstrapped 5%: Connecting to directory server
19-03-2016, 11:04:53.800 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
19-03-2016, 11:04:54.000 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("Connection refused")
19-03-2016, 11:08:43.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
19-03-2016, 11:08:43.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
19-03-2016, 11:08:43.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150

Anonymous (not verified) said:

March 19, 2016

Permalink

Long time ago youtube videos in TBB stopped playing up to the end. Playing always finished few seconds before the end, so each time I need to reload the page and point to last seconds of video to get them played. Why this is happening? Is there any bugticket on this issue?

Anonymous (not verified) said:

April 01, 2016

Permalink

Not the original poster, but surely you've noticed that ALL YouTube videos no longer work properly in Tor. This started with 5.5.3.

Anonymous (not verified) said:

March 20, 2016

Permalink

Maybe this is a minor concern for some TBB users?

Firefox 44 (I think) removed the "Ask me every time" under "Accept cookies from site" on about:preferences#privacy the privacy tab
As a temporary setting, "Ask me every time" is most useful on sites with many "hidden" domains. Ebay may be most notorious for excessive domains, many of which do not need cookies allowed. (ebay is only an example, because i don't think people should do ebay stuff on TBB)

Search easily finds complaints (to mozilla, of course). Maybe mozilla will restore the setting.

Tor + ghostery = a nightmare for fingerprinting and security.

Ghostery will give you a different fingerprint which, depending on your settings, might be unique. In addition, every addon increases attack surface, so using the fewest addons is optimal. To make matters worse, Ghostery's developers seem to be moving in a problematic direction recently. I might trust them to stop websites from spying on me, but I don't trust them to not spy on me. I used to use it for my non-Tor browsing, but I've moved to other more trustworthy options.

Anonymous (not verified) said:

March 21, 2016

Permalink

Would the recent font rendering exploits have been averted by having "forbid @font-face" enabled in the embeddings section of Noscript's preferences, even if one's security slider settings were set to low?

It seems like you would need to craft a malicious font and embed it in a page in order to exploit font rendering bugs, and "forbid @font-face" prevents this, right? Shouldn't it also prevent other potential font related exploits, whether to do with rendering or not?

So very true (the part where your caps lock key got stuck at least).

Don't forget the advances in quantum computers. In about 5-10 years max imho at least the NSA and Google will be able to decrypt all captured and stored traffic regardless of the used encryption (except maybe for quantum resistant curves) or the ever so hailed forward secrecy.

It's sufficient to watch only 2 talks of the last CCC (the one about quantum computers and Joanna's talk) to come to the "we really are doomed, aren't we?" conclusion.

Just my 2 cents.

actually, according to trusted USG inside sources, and Glenn Greenwald, Edward Snowden, and Wikileaks, the NSA have only been proven to have full, 100% permanent transparent backdoors installed, and completely broken encryption to the highest known degrees of sophistication, in cases where users host specific errors in keyboard functionality - namely impaired caps lock integration (aka 'shouting')

Everyone else is safe

Anonymous (not verified) said:

March 21, 2016

Permalink

TBB changes it's size very subtly, is it a hidden fingerprinting feature???

I use an add-on called "Browsizer" to keep a track on the window size, when I install TBB and when starting first time TBB is according to this addon 1008x1025, but when TBB is restarted it changes its size and becomes 1008x1029.
My question, does these 4 extra pixels tell I am using a certain OS, so if I install it on another OS which I haven tried yet, maybe it changes its size by 3 or 5 pixels revealing users OS?
So far I have tested on Windows XP, will check other OS later.

EVERYONE, I would like to know what sizes you guys get, please add
https://addons.mozilla.org/en-US/firefox/addon/browsizer/
to your TBB and report your size here, both from first start after install, and restart of TBB, and if you are conmfortable please also tell what OS you are using.

The good part with this addon is one can add and save their own window sizes and positions, and I have of course 1008x1025 stored so I can reset that "fingerprinting" bug.
Also, I would like to know from the TBB team, what is the exact size of TBB browser window supposed to be?

NOTE: Browsizer seems to report a different size than many online browser tests such as:
https://www.browserleaks.com/
http://browserspy.dk/
https://panopticlick.eff.org/
but that doesn't matter as the relative difference is constant.

Sure we can toggle the Javascript on/off which is a no brainer, I too turn it on only for the purpose to read out the window and screen size, and there are web sites that are pretty useless without some Javascript.

Anyhow, I got the same results as before on these sites:
ip-check.info
https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
Window and Screen W x H = 1000 x 1019
and 1019 is not a multiple of 100 or 200.

Every time I restart TBB it becomes 4 pixel higher and a black bar appears in the bottom, I can see it flickering quickly, until Browsizer addon catches up and sets it back to previous size.
Would you mind tell your size so we can compare?

ip-check.info reports same height, width as arthuredelstein.github.io/tordemos/media-query-fingerprint.html
the sizes aren't multiples of 100 px. the last digit of size can be 1, 7, 9, or other odd numbers, or nonzero even numbers.
what is tbb pref? i tend to use high security setting, so i must have set the slider to maximum when that feature was introduced.
extensions.torbutton.security_slider user set value is 1

I use an add-on called Down Them All, or for short DTL
https://addons.mozilla.org/en-US/firefox/addon/downthemall/
Add it to your rbowser and right click on any addon and chose DTL, some times the dowload fails, but clicking on resume button seems to handle it.

Also, you could install all your addons into your browser, then go to the .../profile.feault/extension folder and copy the XPI file from there, but keep in mind the browser renamed the XPI file during the installation process, often to some random looking file name such as:
{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
which in this case is the NoScript addon.

Anonymous (not verified) said:

March 21, 2016

Permalink

I assume the entry for Graphite font rendering under about:config is:
gfx.font_rendering.graphite.enabled (true = default)

Hopefully those other gfx.font_rendering.* aren't vulnerable... :(

Anonymous (not verified) said:

March 21, 2016

Permalink

TTB Team, can't we turn OFF the pipelining network function under about:config?
network.http.pipelining; (default = true)

If I disable it in the prefs.js, TBB crashes during start up.

Pipelining is an ancient thing used in the old days when phone line modems were common, pipelining means the browser sends several requests to the server in advance instead of sending one request and waiting for the return, that was good back then with slow lines and returns, but from a privacy and security point of view it has its drawbacks.

At least I would like to be able to turn it off even if it wont become standard in future TBBs.
If it's not possible to turn it off, can you describe briefly why it's needed in TBB.
Regards the curious geek :)

Anonymous (not verified) said:

March 21, 2016

Permalink

That blog post explains an idea on how to utilize the pipelining with some added randomization which is indeed an appealing idea, but I wonder how effective it is the way it is implemented in the current TBB, is it the browser itself that handles the randomization or is it the Torbutton that handles it?

Under about:config the "network.http.pipelining.maxrequests" is set by default value to 12, if it is set to 0 or 1 it crashes, I guess it is the same as disabling the pipelining, and 2 is the lowest value without causing TBB to crash on start up, now the question is, how much of "randomization" is going on if the lowest value is only 2 without TBB protesting, I never experienced any problems surfing around the net when trying with that value.
But request A before B, or B before A is not much of a randomization?

Further..
https://trac.torproject.org/projects/tor/ticket/3914
one of the comments mentions about "minrequest" to be set to 4, but such entry doesn't exist in TBB 5.5.3, but perhaps I could create under about:config a:
"network.http.pipelining.minrequests" and set the value to 4?

Anonymous (not verified) said:

March 21, 2016

Permalink

"Change details that distinguish you from other Tor users" what does this mean in the security??? please more details

That's one heck of a Chinglish I cannot fathom either... ahem, do I want to be distinguished when using TBB? :)

For privacy, not computer security.
Do not increase uniqueness of your browser: makes it easier for servers to fingerprint yours versus Tor browsers being used by others.

Anonymous (not verified) said:

March 21, 2016

Permalink

Thanks for the strong discussion and feedback, everyone
Happy Nowruz to Iranians and the Farsi speaking community everywhere

RE: risk of fingerprinting in using ad on software not including in the Tor Browser project.
The question I have is regarding Disconnect search
While yes I was very pleased when you made this the default search engine, is this a point of failure?
Is Disconnect open source (I am guessing it is not)
Edward Snowden papers discuss NSA breaking VPN's as a rule - this is the primary functionality of Disconnect I understand?

Tor, or others, are you able to comment upon the safety or lack there of regarding Disconnect fitting inside the Tor software - what is essentially a third party installation
Hugs and love to all

I don't believe they mean Disconnect the ad-on

they mean the use of Disconnect as a search engine

is it simply a web page that Tor visits - maybe not as it is accessible from the address bar

but even it is is 'just' a web page that Tor visits - is disconnect
vulnerable to state sponsored targeted attacks (leaking of content like the search string, or leaking of IP ) if the VPN they use to link to google is vulnerable or broken?

Anonymous (not verified) said:

March 22, 2016

Permalink

Is there a keyboard shortcut for "New Tor Circuit for this Site?"

It shows Underscore "C" but pressing C or ALT+C won't work

tons of websites block Tor traffic and it's getting just unusable

thanks

Anonymous (not verified) said:

March 22, 2016

Permalink

Hej folks - you are doing a great job. Keep on running. A searchengine project is might be of interest "MetaGer"...

Anonymous (not verified) said:

March 23, 2016

Permalink

obsf4 bridge is no longer loading / working straight off... I'm having to use obsf3 first, then when the browser has loaded, I can switch to obsf4 using Tor Network Settings.

Trying to load obsf4 bridge at browser start gives error:

25/03/2016 01:32:48.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:48.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
25/03/2016 01:32:50.100 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
25/03/2016 01:32:50.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:50.100 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
25/03/2016 01:32:57.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:57.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:57.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:57.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
25/03/2016 01:33:05.000 [NOTICE] Bootstrapped 5%: Connecting to directory server
25/03/2016 01:33:05.000 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
25/03/2016 01:33:06.300 [WARN] Proxy Client: unable to connect to 109.105.109.165:10527 ("general SOCKS server failure")
25/03/2016 01:33:06.400 [WARN] Proxy Client: unable to connect to 83.212.101.3:41213 ("general SOCKS server failure")
25/03/2016 01:33:06.400 [NOTICE] Ignoring directory request, since no bridge nodes are available yet.
25/03/2016 01:33:06.400 [WARN] Proxy Client: unable to connect to 109.105.109.147:13764 ("general SOCKS server failure")
25/03/2016 01:33:06.400 [WARN] Proxy Client: unable to connect to 104.131.108.182:56880 ("general SOCKS server failure")
25/03/2016 01:33:07.000 [NOTICE] Delaying directory fetches: No running bridges
25/03/2016 01:33:25.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
25/03/2016 01:33:25.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:33:25.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150

Any help much appreciated.

Anonymous (not verified) said:

March 24, 2016

Permalink

I have noticed a quite weird phenomenom when visiting
https://www.browserleaks.com/whois
While clicking on the Tor button (the green onion icon) and hold the mouse courser on there while loading the browserleaks page, I notice that the middle and exit nodes changes very quickly 2-3 times, so browserleaks only shows the first exit country which was visible under tor button just before TBB changes all those nodes several times.
I can open browserleks in a new tab next to the old one, and it gives yet another result, it seems like browserleaks have a capability to cause the TBB doing these switches, meaning it is some kind of hack to fingerprint all the nodes I am using, for instance if I have only a few entry and exit nodes allowed in the torrc file they will find out quite quickly, this is Not good.
It happens both with Javascript on or off.

Also, I would strongly but respectfully urge the TBB team to change the code so the TBB really respects the function of
EnforceDistinctSubnets when set to '1', because I have seen too many times where 2 nodes are in the same country, and I regard that as if we don't have 3 nodes but only 2 nodes, and in a worst case scenario all 3 nodes appears in the same country.

Further, I am going to give you another horror example how TBB behaves, this I once experienced few weeks ago, we have 3 nodes, let's give them fictitious IP numbers
Entry = 11.11.11.11
Middle = 22.22.22.22
Exit = 33.33.33.33
So it would look like this from my browser to the exit
TBB => 11.11.11.11 => 22.22.22.22 => 33.33.33.33 => internet
Now.. after a while the EXACT same IP number for the Entry AND exit node changes place with each other, so it became
TBB => 33.33.33.33 => 22.22.22.22 => 11.11.11.11 => internet
How much of privacy and how much can we trust the Tor project when we encounter such sick example??

Anonymous (not verified) said:

March 26, 2016

Permalink

The entrance node is fixed to U.S.A adress (96.233.111.125). As you know, fixation of entrance node to one adress is very vulnerable for security. How can I settle it?

Anonymous (not verified) said:

March 28, 2016

Permalink

This question comes up again and again, and Tor people are just pointing to the FAQ, which does not answer the question. The FAQ talks about "Tor client selects a few relays at random to use as entry point", while what we observe in reality is that a single node is fixed. In fact, I'm not aware of any justification for the change for "a few" (which was correct in the past" to "a single one". Please clarify.

Anonymous (not verified) said:

March 30, 2016

Permalink

"They know already."

.....yes. But WHEN they change it? A long time till 2017.

It's an decisive weak point of Tails.
In older versions of Tails you have had a alternative, Vidalia, in current version you have a problem.

yawning

yawning said:

March 31, 2016

Permalink

Any one of:

* Complaining about it where the people involved will actually read it (like in the ticket on their bug tracker that I linked).

* Contributing the development work required for the functionality.

Would be more productive than commenting here, since no one really reads the comments regularly.

Anonymous (not verified) said:

March 26, 2016

Permalink

Is there an obvious disadvantage to set dom.event.highrestimestamp.enabled to false - beside the ususal warning that one might stand out with a changed configuration?

Anonymous (not verified) said:

March 27, 2016

Permalink

When TBB 5.5.1 succesfully connects to tor network, I get the following entry in tor-log TWICE:

New control connection opened from 127.0.0.1.
New control connection opened from 127.0.0.1.

Should I be worried? (for earlier TBB versions, there used to be only one entry)

thanks

Anonymous (not verified) said:

March 28, 2016

Permalink

Firstly, thank you to all the great folks that make Tor possible!
Bless You All

One problem though, maybe just my ignorance. I cannot view my saved passwords/usernames. I have plenty but they are just not visible!

Please help!

Much thanks....

Anonymous (not verified) said:

March 31, 2016

Permalink

Is it really worth upgrading to "Tor Browser 5.5.4 release"? or, are there problems associated with it? and, if there are problems associated with it - what are they? Thanks.

Anonymous (not verified) said:

March 31, 2016

Permalink

If I upgrade to "Tor Browser 5.5.4 release" will all my Bookmarks be transferred over to it and still existing and functioning as it is with the current version (older version) that I'm using? or, will all my Bookmarks be wiped clean and I will no longer be able to find my current Bookmarks anymore? Thank you.

Anonymous (not verified) said:

April 01, 2016

Permalink

hello,
can someone tell me how to fix this issue ... there is the log from browser console

getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
about:blank : Unable to run script because scripts are blocked internally.
about:blank : Unable to run script because scripts are blocked internally.
[NoScript HTTPS] AUTOMATIC SECURE on https://bam.nr-data.net: JSESSIONID=e60d4164b8a2cce3; domain=.nr-data.net; path=/; Secure
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIMIMEService.getTypeFromExtension] external-app-blocker.js line 131 > eval:1:0
"statusChangeCallback" index.php:325:4
Object { authResponse: undefined, status: "unknown" } index.php:326:4
getFirstPartyURI failed for about:blank: 0x80070057
getFirstPartyURI failed for unknown: 0x80070057

Anonymous (not verified) said:

April 01, 2016

Permalink

Please fix passwords/usernames not showing.

Many praises for all your hard, tiring work you do for us all....

Anonymous (not verified) said:

April 02, 2016

Permalink

I read on the Tor Metrics Portal, a new pluggable transport named 'snowflake' is listed and has 1 user ( so far ). Comment from TP people as to what snowflake does as a pluggable transport and where can I download / install it would be helpful.

Anonymous (not verified) said:

April 02, 2016

Permalink

can anyone help me with this issue ... i can't load ... this is what i get in browser console

getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
getFirstPartyURI failed for unknown: 0x80070057
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
getFirstPartyURI failed for unknown: 0x80070057
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057spades.js:405:12
[NoScript HTTPS] AUTOMATIC SECURE on https://spadesplus-yahoo.peakgames.net: PHPSESSID=emfedfq98ke1ekcbs2fj9hrpo7; domain=spadesplus-yahoo.peakgames.net; path=/; Secure

Anonymous (not verified) said:

April 11, 2016

Permalink

i cant have acces in anything, i use bridges and nothing works, neither one website whats wrong?

Anonymous (not verified) said:

April 14, 2016

Permalink

I can't connect to onioni sites after having updated to Tor 5.5.4 - and the onion logo in the browser is greyed out with a red cross over it.
Anyone might have a suggestions as to what I'm doing wrong?

Anonymous (not verified) said:

April 15, 2016

Permalink

Can anyone tell why can't I use only a Swiss entry node, setting EntryNode {ch} doesn't work, no guard node will even pick up, or may it also have to do with which countries are under the ExcludeNodes list?
I get the following lg messages

[NOTICE] While fetching directory info, no running dirservers known. Will try again later. (purpose 14)
[WARN] You have asked to exclude certain relays from all positions in your circuits. Expect hidden services and other Tor features to be broken in unpredictable ways.

Anonymous (not verified) said:

April 15, 2016

Permalink

Flash STILL does not work. Now before every starts screaming about not using flash, let me say this. IF we aren't supposed to use flash then WHY does it still have options built into the TOR browser to turn it on? Yes I FULLY understand the risks of using flash, all I want to do is unblock MY ip from a site, once TOR does that for me, the site doesn't suddenly start blocking me once flash is active, so I don't wanna hear "you shouldn't use flash" useless comments. I need flash to work, period. whatever settings I have to change to make that happen are fine.

Anonymous (not verified) said:

April 16, 2016

Permalink

I have lots of tabs open that I keep over restarts. I don't want them to reload when restarting. "Work Offline" solves this in Firefox. When I restart Tor Browser after updates, "Work Offline" is automatically deactivated. Not just annoying, but anonymity killer.

Anonymous (not verified) said:

April 20, 2016

Permalink

بله درود بر شازده مصدق السلطنه
شازده قاجار که بخاطر نفرت سقوط سلطنت کثیف قاجار می خواست شاه را سرنگون کند
از دستور قانونی برای ترک پست نسخت وزیری تمرد کرد و حامل پیغام را توقیف کرد
در تمام دنیا این معنی کودتا می دهد
حکومت نظامی اعلام کرد مجلس را منحل کرد
در تمام دنیا اینها معنی حکومت دیکتاتوری می هد
و آخرین کار کثیف جبهه ملی اینکه قیام مردم در 28 امرداد را کودتا اعلام کردند
مردم ساده لوح ایران نیز هنوز قرقره می کنند

Anonymous (not verified) said:

April 24, 2016

Permalink

I'm using version 5.5.4 for now and most Asian scripts are not shown. Instead are squares with codepoints like I have not installed the necessary fonts, but I have. This is thus on every site.
A test page:
http://www.ltg.ed.ac.uk/~richard/unicode-sample-3-2.html

Latin, Greek, Cyrillic, Armenian, Hebrew, Arabic, Thai and some others work, but Indic, CJK etc. do not.

I checked with version 4.5 and it has worked perfectly well with any exotic script.
I googled and found that there have been similar complains about the previous 5.5-ish versions.

Anonymous (not verified) said:

April 28, 2016

Permalink

чо за фигня??? соединиться с сервером не могу ни хрена