Tor Browser 7.5 is released

by boklm | January 23, 2018

The Tor Browser Team is proud to announce the first stable release in the 7.5 series. This release is available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Apart from the usual Firefox security updates it contains some notable improvements compared to the 7.0 series. Here are the highlights:

  1. We redesigned parts of the Tor Browser user interface. One of the major improvements for our users is our new Tor Launcher experience. This work is based on the findings published at 'A Usability Evaluation of Tor Launcher', a paper done by Linda Lee et al. At our work we iterated on the redesign proposed by the research, improving it even further. Here are the main changes we would like to highlight:

    Welcome Screen

    Our old screen had way too much information for the users, leading many of them to spend great time confused about what to do. Some users at the paper experiment spent up to 40min confused about what they needed to be doing here. Besides simplifying the screen and the message, to make it easier for the user to know if they need to configure anything or not, we also did a 'brand refresh' bringing our logo to the launcher.

    Censorship circumvention configuration

    This is one of the most important steps for a user who is trying to connect to Tor while their network is censoring Tor. We also worked really hard to make sure the UI text would make it easy for the user to understand what a bridge is for and how to configure to use one. Another update was a little tip we added at the drop-down menu (as you can see below) for which bridge to use in countries that have very sophisticated censorship methods.

    Proxy help information

    The proxy settings at our Tor Launcher configuration wizard is an important feature for users who are under a network that demands such configuration. But it can also lead to a lot of confusion if the user has no idea what a proxy is. Since it is a very important feature for users, we decided to keep it in the main configuration screen and introduced a help prompt with an explanation of when someone would need such configuration.

    As part of our work with the UX team, we will also be coordinating user testing of this new UI to continue iterating and make sure we are always improving our users' experience. We are also planning a series of improvements not only for the Tor Launcher flow but for the whole browser experience (once you are connected to Tor) including a new user onboarding flow. And last but not least we are streamlining both our mobile and desktop experience: Tor Browser 7.5 adapted the security slider design we did for mobile bringing the improved user experience to the desktop as well.

  2. We ship the first release in Tor's 0.3.2 series, 0.3.2.9. This release includes support for the Next Generation of Onion Services.
  3. On the security side we enabled content sandboxing on Windows and fixed remaining issues on Linux that prevented printing to file from working properly. Additionally, we improved the compiler hardening on macOS and fixed holes in the W^X mitigation on Windows.
  4. We finally moved away from Gitian/tor-browser-bundle as the base of our reproducible builds environment. Over the past weeks and months rbm/tor-browser-build got developed making it much easier to reproduce Tor Browser builds and to add reproducible builds for new platforms and architectures. This will allow us to ship 64bit bundles for Windows (currently in the alpha series available) and bundles for Android at the same day as the release for the current platforms/architectures is getting out.

The full changelog since Tor Browser 7.0.11 is:

  • All Platforms
    • Update Firefox to 52.6.0esr
    • Update Tor to 0.3.2.9
    • Update OpenSSL to 1.0.2n
    • Update Torbutton to 1.9.8.5
      • Bug 21847: Update copy for security slider
      • Bug 21245: Add da translation to Torbutton and keep track of it
      • Bug 24702: Remove Mozilla text from banner
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update Tor Launcher to 0.2.14.3
      • Bug 23262: Implement integrated progress bar
      • Bug 23261: implement configuration portion of new Tor Launcher UI
      • Bug 24623: Revise "country that censors Tor" text
      • Bug 24624: tbb-logo.svg may cause network access
      • Bug 23240: Retrieve current bootstrap progress before showing progress bar
      • Bug 24428: Bootstrap error message sometimes lost
      • Bug 22232: Add README on use of bootstrap status messages
      • Bug 10573: Replace deprecated nsILocalFile with nsIFile (code clean-up)
      • Translations update
    • Update HTTPS Everywhere to 2018.1.11
    • Update NoScript to 5.1.8.3
    • Bug 23104: CSS line-height reveals the platform Tor Browser is running on
    • Bug 24398: Plugin-container process exhausts memory
    • Bug 22501: Requests via javascript: violate FPI
    • Bug 24756: Add noisebridge01 obfs4 bridge configuration
  • Windows
    • Bug 16010: Enable content sandboxing on Windows
    • Bug 23230: Fix build error on Windows 64
  • OS X
    • Bug 24566: Avoid white flashes when opening dialogs in Tor Browser
    • Bug 23025: Add some hardening flags to macOS build
  • Linux
    • Bug 23970: Make "Print to File" work with sandboxing enabled
    • Bug 23016: "Print to File" is broken on some non-english Linux systems
    • Bug 10089: Set middlemouse.contentLoadURL to false by default
    • Bug 18101: Suppress upload file dialog proxy bypass (linux part)
  • Android
  • Build System
    • All Platforms
      • Switch from gitian/tor-browser-bundle to rbm/tor-browser-build
    • Windows
    • Linux
      • Bug 20929: Bump GCC version to 5.4.0
      • Bug 23892: Include Firefox and Tor debug files in final build directory
      • Bug 24842: include libasan.so.2 and libubsan.so.0 in debug builds

Comments

Please note that the comment area below has been archived.

January 23, 2018

Permalink

WOOOOOOOOOOHOOOOOOO SNOWFLAKE COMES TO Tor Browser Stable BUILDS FINALLY (for Linux and Mac) :D :D

To run a Snowflake bridge:

  1. go to your browser (obviously won't work with Tor Browser or browsers who disable WebRTC)
  2. Open https://keroserene.net/snowflake/options.html and click the Yes button to opt in to being a proxy.
  3. Go to https://keroserene.net/snowflake/snowflake.html (IMPORTANT: this is the page that you should always have open to be a Snowflake bridge.)

I'm not sure when the Snowflake addon will be available but it will make running a Snowflake bridge so much easier!

Not that ridiculous as long you have any basic perception on internetsecurity issues that are going on in this world.
Simple reading about basic security and the misfit of webrtc technology (and iframes, javascripts and flash as well).

"Uncovering 2017’s Largest Malvertising Operation"
https://blog.confiant.com/uncovering-2017s-largest-malvertising-operati…?

Enabling Webrtc in Torbrowser (or actually any browser) and allowing iframes as well is just a kind of bizarre view on privacy and security because this technology 'talks too much!' and both are also a security risk you should not allow.

Just some simple reading, no professor techtalks about architectures, that's all it takes to get both feet on the ground again.

Malvertising is the example for the misusage of techniques.
Fingerprinting (allowing webgl also) needs you to allow javascripts and webgl, or webrtc and iframes makes phishing techniques more possible.
Why? Moste people do not have any clue what is happening on many websites and who they are connecting to besides the domain they see in the url bar.
But, it is not the criminals we are afariad for here right? This website, Torproject is mainly about other people that are a threat to innocent people. And these people just use the same techniques criminals are using and vice versa.
So, tell me, why is it a good idea to just cooperate in advance with the people that are threatening you by making your defence ultimate weak by allowing javascripts, wengl, iframes and audio video tecnique that can reveal your identity?
And that is what someone make a litlle dance of joy for, a mindset of people lowering their torbrowser settings itstead of seeting hat security in its highest modus and forbid those iframes.
No iframes and no javascripts is less attack surface, but yes indeed it has the downside for the social media addictive, you do not see your favorite twitter or instagram images right away.
Another side o this topic, bandwith, I would be curious what would happen with Tortraffic if everybody that uses torbrowser was just blocking iframes for one day.
Would it drop by 5 times or more?
Our addiction (or yours) tot social media is already a big threat to the world, do not make it more worse by forcing people tot allow more usage of javascript, webgl, iframes and this webrtc profiling sjt.
The best browser is a clean browser and it seems already an enormous challenge for torproject (and mozilla users) to be aware of all the new fancy rappy things in every new release and take in out or break again to end up with a clean, safe browser.
Technique is ment to serve people and not to threaten people, when it does both, you shoul strongly consider tot completly avoid that technique or at least as much as possible.
You can do that certainly with iframes, webgl and webrtc, and a lot of times with a lot of javascropt too, just loo at the loading time of many pages and how many domains are passing underneath the browser screen.
The more you block, the faster the loading, the lower bandwith, the safer browsing.
Keep it as simple you can get, because mozilla has shown at least the last 5 years how many trouble you get if you are taking that other direction some people would say the bloatware direction, i would say the unneccesary complicated direction.
Keep that esr version clean!
Put the safety setting higher and don't 'bend as a service' for the people that are a threat to you by lowering your security because of all the easyness and fancy new shiny stuff.

February 01, 2018

In reply to gk

Permalink

Just wanted to say that I am often frustrated when my comments do not appear, but I always try to bear in mind the point gk just made---which has been pointed out in this blog before, but probably bears more frequent repetition.

Among "cosmetic" changes I'd like to see ASAP are:

o reorganize torproject.org website to present first the most recent and the most useful to the greatest number of Tor users, especially new Tor users,

o regular Friday "ask anything" blog where commentators can worry over potential security flaws, propose new features, etc., and get some feedback from TP,

o refactor the blog to eliminate annoying issues which appear to be related to Javascript, improve rapid posting of thoughtful comments, improve spambot resistance, etc.

o faster TP response to emergencies (IMO the Meltdown/Spectre qualifies as something which would obviously cause considerable concern among well-informed Tor users),

o better communication in other languages (e.g. Spanish).

But I realize that TP has very limited resources and I accept that just now it may be more urgent to direct key Tor people to work on researching the latest technical attacks, fixing bugs, reaching out to the media and to policy makers, etc. etc.

Sometimes we all just need to try to be patient and to save our strength for the biggest current threats.

Just chiming in so forgive me if I missed something, but the simple answer regarding features in single tabs is that Firefox is largely a single-process browser. AFAIK currently there is no strong degree of isolation between tabs. At least that was historically the reason Torbutton never had tab-by-tab modes, it was either on or off for the whole browser. In other words: because technical reasons.

As another commenter mentioned, malvertising isn't really any different from any other use of those features.

January 23, 2018

In reply to boklm

Permalink

I know some of you (o/ tjr) aren't very excited about Selfrando, but will it be available for stable release before the next switch to the new ESR? And what will be its future in the 60 ESR roadmap?

January 23, 2018

Permalink

21:30:44.932 browser.ownerGlobal is null 1 ext-utils.js:800
getBrowserId chrome://browser/content/ext-utils.js:800:9
chrome://browser/content/ext-tabs.js:79:26
runSafeSyncWithoutClone resource://gre/modules/ExtensionUtils.jsm:71:14
emit/promises< resource://gre/modules/ExtensionUtils.jsm:384:55
from self-hosted:595:17
emit resource://gre/modules/ExtensionUtils.jsm:383:20
WebRequestEventManager/register/listener chrome://extensions/content/ext-webRequest.js:51:7
runChannelListener resource://gre/modules/WebRequest.jsm:721:24
errorCheck resource://gre/modules/WebRequest.jsm:568:7
observeActivity resource://gre/modules/WebRequest.jsm:536:12

January 24, 2018

In reply to by test (not verified)

Permalink

Half of the us (and many other parts in the world) wished they had an internet connection of 'just' 2 mb a second.
Does it give just two mb with torrent sharing and big downloads, then it could be on purpose.

January 24, 2018

In reply to by test (not verified)

Permalink

> cant find "torrc" file to use this solution for speed up
Please don't do this. The link redirects through multiple ad splash pages, one of them blocks you if you try downloading it over tor, it asks you to install a third-party file without explaining what it does or link you to documentation, all of which are suspicious before you get the file. But then if you overwrite the default tor configuration with this completely unreviewed one, it could make your traffic stand out from other tor users, or it could force your tor traffic through an adversarial node. You have no idea unless you read tor's documentation and understand exactly what configuration the file applies and whether that configuration is safe. Think. You would be overwriting highly-secure privacy software with a file given to you by some random Joe on the internet.

January 24, 2018

In reply to by test (not verified)

Permalink

Get better internet, I have used tor browser on windows 10, and 2 different linux distros and they all worked fine, its you.

> Get better internet,

"Let them eat cake"?

This kind of attitude is self-defeating for the Tor community. We must persuade/help "ordinary people" all around the world to use Tor (wisely). Unkindly suggesting they have only to blame if they live in a region where few alternatives are available when it comes to Internet providers only helps our enemies.

January 25, 2018

In reply to by test (not verified)

Permalink

I've been having a similar problem. Starting roughly the same time all of my systems can only get about 25kbps over Tor. This includes a Qubes desktop on WiFi and an android phone on 4G. Really odd considering everything is different between then, including the ISP. I used to get around 1Mbps. The problem is still going on, and I think it might have something to do with recent versions of Tor, but I don't really know.

Point is I've never gotten anywhere near 2Mbps over Tor before. (And if you're talking 2MB/s and not 2Mbps, that's 8 times more insane.)

January 23, 2018

Permalink

Is there any more information about Tor Browser for Android? Or is all the information just related to Orbot?

We are working on Tor Browser for Android. We have hired two developers a while ago and are preparing the move from Orfox to Tor Browser for Android. We hope to have at least alpha releases up later this year.

February 04, 2018

In reply to gk

Permalink

Will there be an Orbot update in the interim? I'm stuck on 52.2 on Intel Tegra with Reading Mode not working at all.

January 23, 2018

Permalink

Mozilla has destroyed their browser and you seem to act as if it's no problem. Webextensions fundamentally does not work with a hardened, locked down browser. If you harden in about:config and disable javascript APIs, extensions lose access to these APIs as well, meaning if you need certain security tools to have access to these APIs there is no way unless the browser is fundamentally redesigned to prevent javascript that is run (not that I would recommend running any) by third party sites from also accessing these APIs. Separate javascript contexts must be set up such that specific APIs can be enabled for each extension as necessary, and then the old setup of having as many APIs disabled as possible can be maintained for the 3rd party site context. If someone were being ambitious, a system that intercepted API calls in each of these contexts and listed requested APIs and allowed the user to selectively allow/deny specific calls for the browser session or permanently, etc would be great. However, the chances of anything like that appearing are zero.

Mozilla every day makes their browser more and more dumbed down. I ask both Mozilla and TorProject to please stop the PR and focus on power users, the only users you have left who care about you at all, instead of promoting the incompetent, clueless users which Silicon Valley has managed to churn out worldwide. Perhaps if you focused on power users, we'd have less "regular users"!

Mozilla keeps whitewashing core issues, adding intrusive bloat/spyware and entertaining the ignorant userbase with more nonsense, while in the background they neuter and reduce configurability of their browser often without discussion, and destroy the tiny bit left of their competent userbase. The main thing Firefox had over Chromium was its configurability and ability to be manually yet practically hardened according to a power user's needs, which only Chromium's developers historically reacted to with hostility, but now it would seem that same culture of hostility has infected Mozilla, which alongside their incompetence is a great mix. What a shame. Using the argument of "security" is laughable at best. Yes the old extension systems had core security issues. However, I really don't see how webextensions has really solved this. In fact that it relies on the same javascript engine as third party websites in some ways it has actually reduced security. The main thing that was needed was isolation, removal of bloat, permissions system that controlled API access, etc. Webextensions brings little of value and actually makes the browser more exploitable in certain scenarios.

I hope the TorProject does not let itself be entirely compromised since it relies on Mozilla for a browser, and instead voices these issues, because otherwise frankly TorBrowser will be just as dead as Firefox, which would be a shame.

So please TorProject, avoid the PR and nonsense, focus on securing your browser and making it practical/configurable for power users instead of wasting all your time on a userbase that are already too far gone to save.

January 24, 2018

In reply to by Anonymous (not verified)

Permalink

+1

If you harden in about:config and disable javascript APIs, extensions lose access to these APIs as well
That is not an issue for the Tor Browser Bundle. They maintain a fork of firefox, so there's nothing stopping them from just moving the old XUL code to the browser core itself and shunning add-ons altogether. Nobody should ever be installing any new add-ons or changing any settings anyway, to avoid getting fingerprinted.

> Nobody should ever be installing any new add-ons or changing any settings anyway, to avoid getting fingerprinted.

On the one hand, I agree with this as general advice. Smart Tor people who have thought hard about many sides to various issues, and who probably know more than we do, are making decisions in an effort to keep most of us mostly safer, and we need to mostly trust them to make the decisions, in the current threat environment, which provide the most benefit for the most Tor users.

On the other hand: the slider is intended as a (necessary) compromise between two competing realities, both of which must be recognized:

o providing anonymity demands everyone look the same, as far as possible

o at-risk people confront a very different mix of likely threats depending up real time details of where they are, who they are associating with, what they are doing with electronic devices, etc.

So adjusting the security slider is one change which IMO every Tor user should feel free to make according to his/her best estimate of what makes most sense for them personally in the moment in terms of the trading better security for worse anonymity or vice versa.

I hate to rain on your parade because you make a lot of really important points here, but

1) the documentation strongly discourages installing extensions in Tor Browser, and
2) the documentation strongly discourages changing about:config settings

because both can make you vulnerable to fingerprinting attacks. Actually it's pretty much guaranteed if we're talking about after-market disabling specific JavaScript APIs.

I share your frustration about some design decisions, but I think you need to take a much wider view to appreciate all the factors which go into making them.

Tor Browser and other products are built by Tor Project, an NGO based in the US with a handful of paid employees and precarious funding. Even as Tor software products are subjected to endless technical attacks by well funded enemies, Tor Project is subjected to increasingly dangerous legal and political attacks. To counter the former, we need Tor Project to continue to exist. Obviously. And to ensure that TP continues to exist, IMO it is essential to *grow* the userbase worldwide, not to *shrink* it as you seem to want to do.

Let me point out two specific reasons why this point should be self-evident.

First: for years many Tor users around the world expressed increasing concern that TP's funding mostly came from sources tied to obscure portions of the US State Department or even USIC. Further, as all the worlds governments continue to shift towards dramatically increased authoritarianism, those "freedom-building" portions of the USG have come under increasing attack within "the swamp", seriously endangering their continued existence. This could lead to most TP funding simply disappearing, almost overnight.

Further, many users who depend upon Tor have expressed concern that because the USG has provided most of the funding for TP, the USG inevitably will exert undue influence upon TP policy decision and even technical decisions which could perhaps result in opening up holes of which Tor developers are unaware. (C.f. NSA's manipulation of NIST to weaken cryptographic protocols in obscure ways which no-one noticed.) As a result of these concerns, when Shari Steele became CEO, she made it a priority to evolve TP away from a funding model dependent upon highly endangered USG grants and towards funding based upon direct user contributions, similarly to US based NGOs such as ACLU and EFF (Steele previously worked at EFF). And clearly, to succeed in this, TP needs to greatly broaden the user base for Tor products, not to shrink it.

Further, it is clear that all around the world The People are calling for more privacy, even in CN. Tor products are among the very few which are available right now, are battle-tested, and usable by most non-technical citizens, and IMO as a matter of principle, the US tech world (which bears some responsibility for enabling NSA's "collect it all"/"pwn it all" global dragnet) has an urgent moral obligation attempt to redress NSA's abuses by providing privacy/security/anonymity-enhancing tools like Tor.

Second: Former FBI Director Comey, current FBI Director Wray, and deputy AG Rod Rosenstein are among the senior USG officials who have been insistently calling that a divided, weak, and self-loathing Congress slip a provision into some law which would outlaw non-backdoored encryption in the USA, which means to some extent, almost everywhere. Tor Project has repeatedly stated that the project will never put a secret federal backdoor into Tor. Assuming they mean, "not even under threat of imprisonment", if the provision which Rosenstein and the others demand are enacted (probably in dead of night, with no debate, in the context of a rider on some last second attempt to avoid the next USG shutdown), then Tor Project will become an illegal NGO. What then? I don't know, but it is certainly reasonable to fear that Tor products might simply no longer be available to anyone anywhere.

(As a matter of fact, Tor Project has not recently reiterated the "no backdoors ever" vow, and IMO it is not possible to repeat this vow too often, so Shari or Roger, please repeat it in unambiguous language!)

> So please TorProject, avoid the PR and nonsense, focus on securing your browser and making it practical/configurable for power users instead of wasting all your time on a userbase that are already too far gone to save.

Tor does not continue to exist by some magical process independent of the course of human events, and Tor Project does exist in a political vacuum.

If you want to continue to use new versions of Tor products, you should support growing the user base, not shrinking it.

This is not inconsistent with continuing to request specific features which you hope will improve security/anonymity for everyone.

> I wonder why not to move Tor Project from the US to Canada?

CA is alas one of the FVEY countries (US, UK, CA, AU, NZ).

When the Trudeau government was elected there was briefly hope that CSE (Canada's NSA) would cease cooperation with NSA in illegal dragnet surveillance, but that hope seems to have died.

OTH, the University of Toronto's Munk School of Journalism hosts Citizen Lab, which has done wonderful work in exposing malware abuses by "little" governments like Ethiopia, sometimes even by CN. So far, alas, Citizen Lab has not been able to expose abuses by FVEY governments.

Some years ago, there was hope that Iceland might prove to be a data refuge, but this was quickly brought into question by a horrific corruption scandal. Traditionally neutral countries like Switzerland or Finland beckon, but Switzerland is endangered by a dispute with USG over banking secrecy, and Finland is subject to bullying by RU as well as US. Hong Kong is increasingly dangerous.

Germany might be the best bet, but also seems to harbor the greatest concentration of (mostly non-German) spooks.

Belgium has waffles, but is also bugged like nobody's brother.

I think the only solution is for TP to ask advice from HRW and Amnesty how to establish a legal presence as an NGO based in multiple continents.

And to keep in mind the possibility of going underground.

February 14, 2018

In reply to by Anonymous (not verified)

Permalink

> Laugh as America turns itself into China.

I read that Tech dirt article too (shout out to Tech dirt, the exemplar of endangered journalism, and took it as vindication of my warnings here since many years.

No US media (AFAIK) have even attempted to study the effects on opinions in the US business community of ingenious CN propaganda (e.g. China Daily) which is doing so much to quietly convert the USA into a hateful model of technology-enabled authoritarianism.

The biggest untold aspect of the Snowden leaks story is the begged question of just what USG intends to do with all the data it is slurping up in all those ever-multiplying ever-expanding dragnet surveillance programs.

The answer, it appears, is precrime. Or even pre-thoughtcrime. CN is pointing the way, but US intends to go much further, according to NCTC, FBI and National Laboratory white papers. Most amazing of all: this is not even much of a secret, many of the discussion of how to implement American precrime is in openly published whitepapers. But apparently no muckraking journalists are reading them.

Given all the constant "save the children!" rhetoric coming from FBI, you'd think some swamp creature would perceive the problem with NCTC's explicit goal of identifying future bad actors/thinkers starting from age 2-7, which is quite literally their target group, and this shocking fact is not even secret. It is specifically mentioned in several obscure but unclassified documents.

We need LANL's counterpart to Snowden to bring out the secret documents, which are apparently even more horrifying that the unclassified ones.

Not all Tor Project employees are US citizens... it's not like ITAR is an issue for them. As the software is open source, if the organization itself could not legally exist in the US, development would likely resume in another country, under another organization, where it is legal. The software could be trivially forked and resumed like nothing happened (after some logistical nightmares, at least). US developers would either simply stop contributing, or would contribute anonymously.

As for the risk of backdoors, again, Tor is open source. Anyone can read the source code, and anyone can read every single changed line between two versions. Sure, it would be possible to insert a bug with some clever abuse of undefined behavior and other C oddities, but it will not ensure a backdoor will get through, much less get through undetected for any significant periods of time. Even if you do not read the source code, others do. The devs do, many programmers do, I do. That's a lot of eyes on the code. Could it be better? Yes. But should we be freaking out about the risk of backdoors? No. It's better to worry about the sad state of Firefox (and by extension, Tor Browser) security than it is to worry about the political future of Tor Project.

> As for the risk of backdoors, again, Tor is open source. Anyone can read the source code, and anyone can read every single changed line between two versions.

The problem with this argument is that NSA messed with at least one protocol (a public standard for a pseudo-random number generator published by NIST) and nobody noticed--- not even the supposed experts who work for NIST. (This was one of the many revelations from the Snowden leaks, and was discussed at length in this blog a few years ago.)

In other words, some of the most crucial elements of Tor can be meaningfully critiqued by only a tiny handful of cryptographic researchers. If USG arrests them all--- all those who live in the US and do not already work for NSA, that is--- it could be almost impossible for "anyone" to recognize that a subtle "backdoor" has been introduced into the published source code.

There has never been a more desperate need for technically able "fresh blood" in math and computer science than at present. The problem is that USG funds the education of most of the students and too many of them are forced into working for USG upon graduation.

The only answer, I think, is to try to be bold by trying to build campus organizations which try to persuade US techies to follow the example of Snowden by working for The People by working against the Universal Adversary.

NSA boycott, anyone?

I hope the new addon GUI in next FF59 release midjear? is somewhat ...usable.

When you look at https://hackademix.net
blog from author of NoScript, the new GUI api mozilla is forcing. You can't escape and it forces a lot of confusion.
The classic menu is practical, the new one ...TEEMING only? Scary)-:

January 23, 2018

Permalink

I keep getting the message:
Unable to start Tor.

Failed to get hashed password.

It won't start after that. It always worked for me previously.

January 23, 2018

Permalink

Doesn't work on Windows Vista x64.
Fully broken. Nothing works, Tor doesn't launch, Mozilla doesn't respond. Plenty errors.
I have only Vista Windows on all my PCs and some on XP (didn't test on XP though). And I'm not going to update to later Windows with MS spying on you. Never ever.
Mind that Vista works great on new AMD Ryzen, so that it ! Also recommended plenty people and companies to stay on Vista... best Windows ever.
I may have to download a 7.0 version of Torbrowser and stay on it, deactivate updates.
Mind that Mozilla bigger than 52 wont work on Vista too.

What does "fully broken" mean and "Tor doesn't launch"? Do you get error messages during start? Does this happen with a clean, new Tor Browser as well? How far in the start-up process are you coming with that one? Are you seeing some dialogs/windows and the browser is crashing then?

Do you have some antivirus/firewall tool that could block Tor Browser from running?

Vista is so secure that it's not needed. Ever asked yourself why MS replaced it ???
Just have to let it as is with it's security features. People were annoyed by the fact that they had security alerts and couldn't do anything they wanted, especially in user mode.
Windows 7 is Vista with security features dropped and lot of pathes to help.
Windows 10 is Windows 7 + ugly and stupid interface + spyware + all security features on (besides MS spying on you all time) and forced pathes which put their security features and spyware back every time you touch them.
I have Vista systems running everyday without any reinstall, no Virus, since when Vista came out 10 years ago. Most are C2Q with 8GB RAM, updated graphics (Nvidia Maxwell) so they run pretty well.

And I agree with the guy who says Firefox is becoming junkware like Chrome and all the stuff running after commercial features.
Fact is this has become so since Brendan Eich has been fired for private misbehaviour, that kind of stresses who are the people in charge now at Mozilla. Branching off at 52.x level is the good move for Torbrowser.
I hope TorBrowser is rapidly fixed to work on Vista again.

Vista doesn't even deny mapping pages to null addresses... I would call that a nasty security issue. Not to mention all the "security" features Vista added (read: UAC) are completely broken. UAC is a joke. 7 is slightly better, 8 is a lot better, 10 is better still (it doesn't render fonts in kernelspace anymore, though it still renders some windows and scrollbars that way...). 10 also has a boatload of new security features that make EMET practically obsolete. Now, is Windows 10 "good"? No. It's a privacy nightmare. But to say that Vista is secure in any way is just insane. Better than XP, but still shit.

January 24, 2018

In reply to gk

Permalink

Browser launches but Tor doesn't seem to. Very weird. But even browser is half down. It must be killed to close the opened Windows. There is no response when trying to surf. It should be something even if Tor is down (since it should try to connect the proxy). It's simply as if the people compiling never tested on Vista (x64). Version 7.0.11 works great.

7.5 "Doesn't work on Windows Vista x64"--the same for me. A connection is made, but when a window opens no page loads. I tried a new identity and received this message: "TypeError: frameLoader.tabParent is null". I restored Tor to its original settings (no add-ons etc.) and still no page loads. I uninstalled Tor 7.5 and reinstalled it and was successful up to pressing "Finish" when a blank window opens and no page loads.

January 23, 2018

Permalink

Trying to get onto a craigslist listing, I keep getting:
"This IP has been automatically blocked.
If you have questions, please email: blocks-b1514257262462964@craigslist.org"

Okay. Usually I click on "New Tor circuit for this site" and, on the new circuit, the site comes in. Often I have to click "new tor circuit" a couple of times, but then I guess the right countries are circuited and it comes up, no problem. But...
yesterday and today no matter how many times I do that I can't get the site to come up. A funny thing, I started to notice, was that Bulgaria kept being the first IP address, after "This browser", then I saw that it was the exact same IP address, in Bulgaria, every time. Something must be wrong, if every time I ask Tor to reroute me through a new set of onion-layers I keep being sent through the same one address.

The clearnet sites you visit can see only the exit node, the final IP, not the other nodes of your circuit to it. Many sites choose to block all known Tor exit nodes reasoning that Tor users who might behave maliciously cannot be blocked individually. Some help sites for network security admins compile lists of all Tor exit node IPs that website admins can import into their firewalls to block Tor traffic. Craigslist is doing something like this. Some exit nodes might not be blocked because they haven't been discovered yet by the people who compile the lists. The IPs of all Tor nodes except bridge nodes are published by the Tor network so that circuits can be created in the first place.

Some clearnet sites choose not to block but put Captchas, some requiring Tor users to enable JavaScript, as gates in the path of all Tor users before allowing them to view the site. Cloudflare's services are notorious for blocking and monitoring Tor users. Tor Project has FAQ pages describing options for website administrators who are considering to block or restrict Tor traffic:
https://sedvblmbog.tudasnich.de/docs/faq-abuse.html.en

The first node in your circuit is called the guard node. Tor developers have been increasing the guard rotation period since around version 0.2.7 in 2013. It is normal now for the first IP of your circuits to stay the same for many months. Research papers have found it statistically likely for a global adversary to correlate traffic entering and leaving the Tor network if your guard node changes frequently:
https://tor.stackexchange.com/questions/13328/guard-nodes-how-long-is-t…
https://ocewjwkdco.tudasnich.de/improving-tors-anonymity-changing-guard-par…
If you really want, you can change your guard node by deleting Tor Browser and downloading a fresh copy or by configuring Tor Browser to use a bridge node.

Craigslist might store cookies in your session that could identify you as the same visitor. Rather than "New Circuit", try "New Identity" (warning: closes all tabs).

January 23, 2018

Permalink

Tor Browser 7.5 is better than ever! I use it to surf all of my favorite porn sites and my female boss doesn't know shit!

January 23, 2018

Permalink

it sounds have been configured for the windows users only !
Disable logjam : security.ssl3.dhe_rsa_aes_256_sha
Disable ciphers with ECDH (non-ephemeral) : security.ssl3.ecdh_rsa_aes_128_sha
Disable 3DES : security.ssl3.rsa_des_ede3_sha
Disable ciphers with DSA/128-bit cyphers : security.ssl3.dhe_rsa_aes_128_sha
Disable ciphers with DSA : security.ssl3.dhe_rsa_aes_256_sha

Disable ciphers with ECDH (non-ephemeral) : lol
should be set to false

security.enable_tls
security.ssl.require_safe_negotiation
security.ssl.treat_unsafe_negotiation_as_broken
should be set to true

& puny code ?
& an implementation of the nice calomel addon ?

it is not poorly secured but could be set for the linux users a bit more hardened.

Qualified plus one.

> Disable logjam : security.ssl3.dhe_rsa_aes_256_sha
> Disable ciphers with DSA/128-bit cyphers : security.ssl3.dhe_rsa_aes_128_sha

I keep noticing that certain otherwise valuable activist and independent news media sites remain vulnerable to at least one of these.

There is a small conundrum here: is it better to insist on safer crypto at the expense of confusing puzzled non-power users who don't understand why they get a message warning that some site's encryption is broken (and probably fear that the site has suffered an intrusion, rather than that it is not well maintained from a security perspective).

At the very least, I hope TP leadership will try to ensure that this kind of default configuration decision is regularly revisited to take account of increasing cybersecurity mindfulnees among activists and news organizations, and current threats as observed in the wild (or reasonably expected to become common in the near future, e.g. Meltdown attacks on unpatched Cloud servers with Intel processors).

January 29, 2018

In reply to gk

Permalink

Well, well, gk. As you're saying there's no censorship in the blog, where is my reply here, disproving your comment? It seems this blog 'eats' some comments, because other comments, posted that day, are visible now.

February 01, 2018

In reply to gk

Permalink

Thanks, this is good to know!

I wish TP had posted promptly when the Meltdown/Spectre vulns were announced in early Jan. (Roger is pretty good at explaining complicated matters.)

My understanding (of the Meltdown flaw) is significantly different:

This is not one attack but a fundamental flaw which will enable a whole class of attacks. Currently known proof-of-concept Meltdown attacks require, AFAIK, that the attacker use some "ordinary exploit" to gain a local presence on the attacked device--- most likely a Cloud Computing server hosting sensitive information about millions of people, but quite possibly a workstation or laptop used by a reporter, activist, doctor, lawyer etc. So it is not just USG agencies (which have moved aggressively into the cloud) which should be very worried; at-risk individuals should also try hard to take proactive countermeasures.

In the case of attacks on at-risk individuals, some experts have specifically stated that exploits of zeroday flaws or unpatched flaws in javascript are one of the most likely ways that attackers will seek to gain a local presence on a PC in order to begin a Meltdown attack seeking to capture the most dangerous information, such as cryptographic material residing in the kernel space memory of a running PC with a mounted encrypted external drive holding (for example) casework for a sensitive lawsuit.

IMO the prospect of Meltdown attacks does at the very least demand a discussion of whether an "emergency adjustment" of the default slider configuration might be warranted.

January 23, 2018

Permalink

After installing update, Avast Antivirus saying that 7.5 update is malware.
I clicked that it is Not Harmful in some kind of popup in avast.
Is my 7.5 update safe??
Because I updated from that Green Tor button Check Update.

I guess what's happening is that your Avast tool has never seen this Tor Browser before and now thinks "Holy shit this must be malware then". Our updates are signed so that someones tampered with them and your browser is still working is very unlikely.

"I updated from that Green Tor button Check Update."
You are very probably OK. Tor Browser downloads updates from torproject.org by HTTPS over Tor. The variable is app.update.url in about:config. Only bad if Tor server or website certificate is hacked or exe changed after reproducible build and before signing. Not probable.

If you download new installer on TorProject website, you can verify signatures in sig file under download button.
https://sedvblmbog.tudasnich.de/docs/verifying-signatures.html.en

We are not building the Windows bundles on Ubuntu anymore in the alpha series but rather switched to Debian. While I have not checked that I think that's very likely the reason for the difference.

January 24, 2018

Permalink

Please fix control port

getinfo hs/client/desc/id/c5yc3v2qss6n7dddeazg32i4gkywxwdgd6johziwkzh2wphk3nf4tnid
551 Invalid address

January 24, 2018

Permalink

The new Tor Launcher UI is obviously an improvement, but once the user configures it (in most use cases once and forever) the UI wastes a lot of screen space to merely display a logo, a progress bar, and progress info.
I admit the uniformity of window size between configuration stage and connecting stage is fancy (the uniformity which in most cases the user will notice only once), but not enough to redeem the waste of screen space.

As long as it fits in low resolution displays such as 640x480 and RasPi displays, I'm fine with it. It disappears quickly anyhow. Maybe the slow end-users in the study were confused by the separate popup progress bar. Wasn't the progress bar or update bar on a large empty UI in the past?

January 24, 2018

Permalink

I still can't use twitter at all. I've got "allow scripts globally" enabled and all objects unblocked, but none of the buttons work: Tweet, Retweet, Like, Edit Profile, arrows for drop-down menus etc etc. I click and they get highlighted but nothing happens.

January 25, 2018

In reply to gk

Permalink

Yup that did it. I had security setting on "Safest" and switched it to "Standard" and now everything works. Didn't even know about that. Thanks for your help.

I was able to use it just fine with Tor a few years ago. Then I logged in again recently after a long break and it was disabled, so I appealed and they restored it.

Same with facebook. Only connected once with Torbrowser by mistake. They blocked my account and asked for my ID Card scan (phone number insufficient for Facebook).
They never got it.

January 24, 2018

Permalink

It seems that ReCAPTCHA (which comes up all the time if you search Google, visit CloudFlare protected websites etc.) is currently not serving CAPTCHA challenges to Firefox-on-Android (including Orfox/TorBrowser-on-Android) users, with a "browser not supported" message that points to https://support.google.com/recaptcha/answer/6223828?hl=en

Can anyone reproduce this issue? If so, is a mitigation planned, perhaps adding compatibility for whatever APIs ReCAPTCHA is relying on and supplying a different browser identity that they do support?

January 24, 2018

Permalink

When I post a comment on High or Medium security, sometimes the preview doesn't show up, and when it redirects me back to the blog post after clicking Save, the green "in moderator queue" box doesn't show up, and the blog post page refreshes infinitely.

January 24, 2018

Permalink

Just updated to TBB v7.5... dies under firejail. Dies independently of firejail. Executes mutual suicide pact with torbrowser-launcher package (which worked until seconds ago, with and without firejail). Re-installed torbrowser-launcher; no joy.

Death notice follows...

================

firejail /usr/bin/torbrowser-launcher 4:32
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 10161, child pid 10162

Child process initialized
Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.2.8
https://github.com/micahflee/torbrowser-launcher
Refreshing local keyring...
gpgkeys: HTTP fetch error 1: unsupported protocol
Traceback (most recent call last):
File "/usr/bin/torbrowser-launcher", line 30, in
torbrowser_launcher.main()
File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/__init__.py", line 62, in main
app = Launcher(common, url_list)
File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 91, in __init__
if not self.common.settings['installed'] or not self.check_min_version():
File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 603, in check_min_version
for line in open(self.common.paths['tbb']['versions']).readlines():
IOError: [Errno 2] No such file or directory: '/home/user/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources/versions'

Parent is shutting down, bye...

================

*This is marriage...?!?*

Yup, explanation and workaround (®works-for-me©)

Looks like TBB has moved faster than torbrowser-launcher package. This is not the first time it happened, unfortunately.

As a result, TBB is still just fine, but torbrowser-launcher is broken: it no longer finds what it is searching for, to determine if it needs to take care of upgrading TBB itself (e.g. first time or very obsolete, I see this feature as very usefull), or just launch it. When it fails to find these bits, then instead of deciding to try launching TBB gracefully anyway, it collapses.

Solution will come with a future version of torbrowser-launcher, I guess. I didn't look at the version available in sid as yet (version number is just higher), but its changelog doesn't mention anything about this, as I understand it.

Until then, we may open a terminal and just run TBB directly:

~/.local/share/torbrowser/YOURARCH/YOURTBBFOLDER/Browser/start-tor-browser

(YOURARCH: e.g. "i686", YOURTBBFOLDER: e.g.: torbrowser-browser_FR)

One step further, we may register TBB as a local app for the current user, then use the new launcher instead of torbrowser-launcher one, bypassing entirely the latter. Same as above, adding one argument:

~/.local/share/torbrowser/YOURARCH/YOURTBBFOLDER/Browser/start-tor-browser --register-app

(this results in a duplicate "icon" etc. also named "Tor Browser" in the available applications list for the current system user, but with a distinct description and which can be placed e.g. in desktop panels alongside or instead of the one from torbrowser-launcher)

I guess torbrowser-launcher package needs some love.

Maybe also, TBB release team could care a little bit more about its user base.

January 24, 2018

Permalink

(Probably not the correct forum for this but...) I would estimate that a full 60% of pages I visit are now blocked by cloudflare. In addition - on the exceedingly rare occation that I do actually enable js etc and lower my security settings to the point that the recaptcha will in fact work - google is now in many cases throwing up the very tiring "automated queries" error.

How is it possible that cloudflare controls/censors such a large part of the internet and, far more importantly, why is nothing being done about it?!

January 24, 2018

Permalink

Reposting -- it appears that unless NoScript is disabled, (attempted) posts here disappear into the void.
Anyway: automatically upgraded to "Tor Browser 7.5 (based on Mozilla Firefox 52.6.0) (64-bit)" under macOS 10.12.6; Tor crashes whenever I open a (specific) folder of bookmarks. This folder has 14 bookmarks -- so "a lot", but not A LOT. This seems to be replicable -- three or four crashes so far -- but if I close some of the tabs quickly, sometimes it doesn't crash. Didn't have this behavior in previous versions, needless to say.

Also, since I'm here: any reason not to have a global setting for declining canvas requests? If Tor is recommending not allowing as a matter of course, better to have it remembered somewhere to apply always. [I'd be ok with it remembering yea or nay for specific sites, and asking for new ones, but that's a way to fingerprint, sort of, if the attackers get ahold of the physical machine, right?]

Interesting, what crash log do you get? Could you open a ticket at our bug tracker https://bugs.torproject.org describing your issue and attaching the crash output? Thanks!

Re: the canvas prompt: there is no particular reason for not having that option right now. There is a bug report in our bug tracker: https://trac.torproject.org/projects/tor/ticket/23227 which urges us to implement that feature. One thing to think about, though, is what to do with all the broken sites that only work with canvas enabled if the user flipped the preference (and is now stuck). Maybe that's bad luck then or maybe there is something smarter we could do. I don't know yet.

January 24, 2018

Permalink

torbrowser-launcher &
[1] 4884
shit@linux-lvps:~> Tor Browser Launcher
By Micah Lee, licensed under MIT
version 0.2.8
https://github.com/micahflee/torbrowser-launcher
Refreshing local keyring...

shit@linux-lvps:~> Keyring refreshed successfully...
No key updates for key: EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
Traceback (most recent call last):
File "/usr/bin/torbrowser-launcher", line 30, in
torbrowser_launcher.main()
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/__init__.py", line 62, in main
app = Launcher(common, url_list)
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 91, in __init__
if not self.common.settings['installed'] or not self.check_min_version():
File "/usr/lib/python2.7/site-packages/torbrowser_launcher/launcher.py", line 603, in check_min_version
for line in open(self.common.paths['tbb']['versions']).readlines():
IOError: [Errno 2] No such file or directory: '/home/shit/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources/versions'

[1]+ Exit 1 torbrowser-launcher

Yep this isn't good. Tumbleweed install.

  1. <br />
  2. mkdir ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources<br />
  3. echo 'TORBROWSER_VERSION=7.5' >~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources/versions<br />

Yup, I guess Tor will loose many newbies for this and/or they'll loose some personal data e.g. bookmarks over a blinded reinstall.

Good news is, torbrowser-launcher's reinstall feature seems to still work just fine so maybe, some will try that route. So far it results in the same error (both localized and English versions), but there's a chance they don't entirely give up before a fixed tarball is published.

Here, all upgraded instances (from 7.0.11 to 7.5) now die with the same error. Looking quickly at one of them, this path is invalid, there is no "sources" subfolder. Won't be able to dig tickets or investigate any further until much later today, so I came here to see if, at least, the blog post had been updated with some warning, or anyone else had commented.

Should we not recommend to DISABLE auto upgrade until this is resolved, whenever this is not too late?

January 24, 2018

Permalink

Why wont my tor browser load? Ive been using this thing for over a year and it just started taking the piss for no reason. keeps saying trying to establish circuit

January 24, 2018

Permalink

installed on windows 7

EMET detect a SimExecFlow coming from TorBrowser and close the app (crash).
Note : There was already some problems to make TBB work with EAF and EAF+ in EMET, but it wasn't the only App requiring to disable these two mitigation. As far as I know only TBB 7.5 requires to disable SimExecFlow.

Incidentally, this page has a very strange behaviour. Sometimes everything works okay and the minute after it keeps reloading until I hit the "escape" key. And all the "reply" button and the "join discussion" form disappear. Weird.

Yes, this is a known issue, see https://trac.torproject.org/projects/tor/ticket/13893 for a long history of comments. Interestingly enough some users where under the impression that this got fixed for 32bit bundles with the switch to ESR 52. However, that does not seem to be the case for you at least. The proper fix is to get away from GCC 5 as the compiler used for the Windows bundles to GCC 6 where this problem seems to have been fixed. We are working on that: https://trac.torproject.org/projects/tor/ticket/20301.

January 25, 2018

In reply to gk

Permalink

fixed, fixed, without sandbox. GCC 7.3 is out. How does it work with that?

January 25, 2018

In reply to gk

Permalink

This is weird, after copying the pref.js and user.js from my TBB7 folder to the TBB7.5 folder, it works. I didn't change anything on EMET, but now I can launch TBB 7.5.

I don't know which settings is responsible for this. Maybe "browser.tabs.remote.autostart.2" that I changed from "true" to "false" in TBB 7.
On the subject, when Emet crashed TBB 7.5, I've noticed that one instance of firefox.exe remain in the task manager. According to "process explorer.exe", the instance is on "suspended" state, when I click on resume, then firefox.exe shut down correctly.

I hope these infos can help.

January 25, 2018

In reply to gk

Permalink

ps : Yes, I confirm (my previous message hasn't been posted yet) after a fresh install that "browser.tabs.remote.autostart.2" was the guilty setting.
Problem solved, thank you.

Interesting, thanks for letting us know.

[EDIT]

FWIW: It seems that EMET is not compatible with sandboxing enabled. What you do with flipping that preference is outright disabling the sandbox Firefox ships. I think I'd rather rely on that one than on EMET, though. We have a long history of trying to make Tor Browser compatible with EMET (see: https://trac.torproject.org/projects/tor/ticket/13893) and it seems we still have some way to go.

It might be worth knowing whether that is actually just a Tor Browser issue or whether Firefox is affected as well. Does EMET work for you with a vanilla Firefox 52 ESR (see: https://www.mozilla.org/en-US/firefox/organizations/all/ for test versions).

January 26, 2018

In reply to gk

Permalink

EMET is not compatible with sandboxing

Hilarious! And Windows 1709 too? How could you think like that? Of course, Firefox is not affected. Just update your compiler. (It could fix sandbox on Vista and x64 too.)

January 29, 2018

In reply to gk

Permalink

Theory about Mozilla/Google is developing a sandbox incompatible with Windows?

I think I'd rather rely on that one than on EMET, though.

Hilarious #2! Sandbox level 1 has almost no protections vs. EMET.

January 26, 2018

In reply to gk

Permalink

Right now I've tested with Firefox Quantum. No problem with remote.autostart2 enabled. I expected a crash but no.

I used to disable remote.autostart stuff on Firefox 52 because I don't like to have too many process in the task manager. That's just me.
As I said, FF didn't work with EAF and EAF+ in EMET but so did many others apps.

I'll reinstall FF 52 ESR and run some tests in the future.

See you.

So I've installed and runned FF 52 ESR 32bits and 64bits out-of-the box, no crashes. Emet didn't complain for neither of them.
And I confirm that remote.autostart2. was enabled.

Weird...

I don't know, maybe it's remote.autostart2 + something else in Tor Browser like one of the extensions or something.

Good luck.

January 24, 2018

Permalink

torbrowser 7.5 no starting due to missing versions file.

After upgrade to 7.5 and closing and re-launching torbrowser, it will no longer launch.

Python error of missing file ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources/versions

sources directory does not exist.

  1. <br />
  2. mkdir ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources<br />
  3. echo 'TORBROWSER_VERSION=7.5' >~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources/versions<br />

torbrowser now starts with no problems

I think this is a bad idea. as you don't know if it will keep working with future versions of TBB and/or torbrowser-launcher, because neither will expect that this folder and file had been re-created manually by the user after TBB upgrade to 7.5. It could even "break things", depending on how torbrowser-launcher's maintainer decides to fix the issue.

Fact is, torbrowser-launcher still succeeds at launching TBB after the upgrade from 7.11 to 7.5, but only the first time. I did not read TBB source code, but I the only explanation I can think of is that TBB 7.5, during its first session, decides to do some clean up and deletes this part of its file tree, which it considers obsolete, and will likely do this again at least during each future upgrade.

Using "start-tor-browser --register-app" as a temporarly measure, as I described in my previous comment, should be more robust.

torbrowser 7.5 no starting due to missing versions file.

After upgrade to 7.5 and closing and re-launching torbrowser, it will no longer launch.

I have torbrowser to symbolic link to start-tor-browser -- that works.

  1. <br />
  2. hurtta:~$ torbrowser-launcher<br />
  3. Tor Browser Launcher<br />
  4. By Micah Lee, licensed under MIT<br />
  5. version 0.2.8<br />
  6. <a href="https://github.com/micahflee/torbrowser-launcher
  7. Refreshing" rel="nofollow">https://github.com/micahflee/torbrowser-launcher<br />
  8. Refreshing</a> local keyring...<br />
  9. gpgkeys: HTTP fetch error 1: unsupported protocol<br />
  10. Traceback (most recent call last):<br />
  11. File "/usr/bin/torbrowser-launcher", line 30, in <module><br />
  12. torbrowser_launcher.main()<br />
  13. File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/__init__.py", line 62, in main<br />
  14. app = Launcher(common, url_list)<br />
  15. File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 91, in __init__<br />
  16. if not self.common.settings['installed'] or not self.check_min_version():<br />
  17. File "/usr/lib/python2.7/dist-packages/torbrowser_launcher/launcher.py", line 603, in check_min_version<br />
  18. for line in open(self.common.paths['tbb']['versions']).readlines():<br />
  19. IOError: [Errno 2] Tiedostoa tai hakemistoa ei ole: '/home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Docs/sources/versions'<br />
  20. hurtta:~$<br />
  21. hurtta:~$ ls -la bin/torbrowser<br />
  22. lrwxrwxrwx 1 hurtta hurtta 91 kesä 23 2017 bin/torbrowser -> /home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser<br />
  23. <a href="mailto:hurtta@kasvihuone" rel="nofollow">hurtta@kasvihuone</a>:~$ torbrowser --verbose<br />
  24. Unable to update the static FcBlanks: 0x0600<br />
  25. Unable to update the static FcBlanks: 0x0601<br />
  26. Unable to update the static FcBlanks: 0x0602<br />
  27. Unable to update the static FcBlanks: 0x0603<br />
  28. Unable to update the static FcBlanks: 0x06dd<br />
  29. Unable to update the static FcBlanks: 0x070f<br />
  30. Unable to update the static FcBlanks: 0x2028<br />
  31. Unable to update the static FcBlanks: 0x2029<br />
  32. Unable to update the static FcBlanks: 0xfff9<br />
  33. Unable to update the static FcBlanks: 0xfffa<br />
  34. Unable to update the static FcBlanks: 0xfffb<br />
  35. Jan 27 09:09:21.686 [notice] Tor 0.3.2.9 running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.2n, Zlib 1.2.8, Liblzma N/A, and Libzstd N/A.<br />
  36. Jan 27 09:09:21.686 [notice] Tor can't help you if you use it wrong! Learn how to be safe at <a href="https://sedvblmbog.tudasnich.de/download/download#warning
  37. Jan" rel="nofollow">https://sedvblmbog.tudasnich.de/download/download#warning<br />
  38. Jan</a> 27 09:09:21.686 [notice] Read configuration file "/home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults".<br />
  39. Jan 27 09:09:21.686 [notice] Read configuration file "/home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc".<br />
  40. Jan 27 09:09:21.688 [notice] Scheduler type KIST has been enabled.<br />
  41. Jan 27 09:09:21.688 [notice] Opening Socks listener on 127.0.0.1:9150<br />
  42. Jan 27 09:09:21.688 [notice] Opening Control listener on 127.0.0.1:9151<br />
  43. Jan 27 09:09:21.000 [notice] Parsing GEOIP IPv4 file /home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip.<br />
  44. Jan 27 09:09:21.000 [notice] Parsing GEOIP IPv6 file /home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6.<br />
  45. Jan 27 09:09:21.000 [notice] Bootstrapped 0%: Starting<br />
  46. Jan 27 09:09:22.000 [notice] Starting with guard context "default"<br />

(Preview seems not work)

January 24, 2018

Permalink

Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

January 25, 2018

Permalink

Fedora 25 Cinnamon:Restart Tor button does not work.
I had to download Tor 7.5 and to configure everything
because the update of 7.11 is not working...

January 25, 2018

Permalink

I didn't find the new tor launcher easier to use. It's following most recent software by making features harder to find (or removing control from the user altogether) and dumbing down the interface with lots of white space. Please bring back Vidalia!

Vidalia was nice but it didn't scale well and it was apparently abandoned by its creator some years ago. So a better way would be to continue to try to improve the current way Tor Browser tries to accomplish some of the desirable functions of Vidalia.

January 25, 2018

Permalink

The special interest agenda, and other, censorship better stop. You are public, not private. On top of that, censorship is 100% out of step with the legal intent behind Tor's existence and funding. Those stupid little donation stunts don't change anything.

WE get to promote OUR views. YOU don't get to do shit.

WE don't have to talk to you certain ways. YOU have to talk to us certain ways.

WE pay you. YOU serve US.

Wooh! Someone finally said it! But the problem isn't that they won't post comments like that one. They will because doing so scores them some cheap symbolic value. Anyone can say "we're against censorship" but that's as far as it goes at Tor.

Try posting something grittier about their practices and policies. You'll be lucky if you even get the confirmation message. I can understand problems of topicality, spam and maybe a few other things, but this problem spans every whim and quirk of the highly paid employees at Tor and it is most definitely about their politics and stands on social issues.

I am another Tor user, a contributor but not affiliated with Tor Project in any way.

> On top of that, censorship is 100% out of step with the legal intent behind Tor's existence and funding.

So you believe your comments are being censored?

I've been using Tor for many many years, and my own comments often fail to appear. But while this is frustrating, I generally assume they just got buried under what I hear is a mountain of commentbot junk.

> Those stupid little donation stunts don't change anything.

As a long time Tor user, I vigorously dispute the claim that Tor Project's long term project of moving from a USG-dependent funding model to a user-supported funding model (as at EFF, ACLU, etc) "won't change anything". I think this drive can and must succeed, and it will change everything. For the better.

Please join me, everyone, in contributing something, no amount is too small, to Tor Project!

January 25, 2018

Permalink

Any news about Vista x64 fix for TorBrowser ? Both programs (Tor + Firefox) have problems as already described. Clearly became incompatible after version 7.0.11 (who worked and still works fine).
Take care that some new compilers and api are made Vista incompatible by MS on purpose. There is no benefit in using them on Tor Browser.

January 25, 2018

Permalink

Am I missing something, I thought torbrowser 7.5 was meant to allow me to visit onion v3 links?
"Problem loading" on every v3 site I try.

Okay, then you could try to change the extensions-overrides.js file before you start. You can find it in your Tor Browser directory in Browser\TorBrowser\Data\Browser\profile.default\preferences. Open it with notepad or some other editor and add at the end of the file pref("browser.tabs.remote.autostart.2", false);. Save and restart.

February 02, 2018

In reply to gk

Permalink

It keeps crashing nevertheless,i use win'10 home.

Do you have some Antivirus/Firewall software installed? If so, which one? Could you test whether uninstalling it fixes the problem? (disabling it is often not enough)

January 26, 2018

Permalink

oh nice, even thought my network is only 10KB/s, i still using Tor, because the chinese police is fucking my network and spying on it.

January 26, 2018

Permalink

Both updates this month failed!! They would neither restart nor therefore work tor. The earlier one to version 7.0.11 was such a hassle redownloading and finally restoring tor on my own, after the same thing happened trying the 7.5 update today, 1/2017, I just reloaded 7.0.11 and await tor, or mozilla, or whoever is going to disable it until it thus stops working (i hope that is not soon). Unhappy.

Which operating system are you on? Could you enable update logging and report back which error you are seeing? Set app.update.log to true and then open the browser console with Ctrl+Shift+J when downloading/installing the update. You should see debug output there.

January 26, 2018

Permalink

Torbrowser failed restart after download of 7.5

  1. <br />
  2. Jan 27 08:47:33.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.<br />
  3. Jan 27 08:47:33.000 [notice] Bootstrapped 100%: Done<br />
  4. Jan 27 08:47:34.000 [notice] New control connection opened from 127.0.0.1.<br />
  5. Jan 27 08:47:34.000 [notice] New control connection opened from 127.0.0.1.<br />
  6. Unable to update the static FcBlanks: 0x0600<br />
  7. Unable to update the static FcBlanks: 0x0601<br />
  8. Unable to update the static FcBlanks: 0x0602<br />
  9. Unable to update the static FcBlanks: 0x0603<br />
  10. Unable to update the static FcBlanks: 0x06dd<br />
  11. Unable to update the static FcBlanks: 0x070f<br />
  12. Unable to update the static FcBlanks: 0x2028<br />
  13. Unable to update the static FcBlanks: 0x2029<br />
  14. Unable to update the static FcBlanks: 0xfff9<br />
  15. Unable to update the static FcBlanks: 0xfffa<br />
  16. Unable to update the static FcBlanks: 0xfffb<br />
  17. Illegal AddressMatcher: [xpconnect wrapped nsIPrefBranch] -- TypeError: s.split is not a function<br />
  18. Illegal AddressMatcher: [xpconnect wrapped nsIPrefBranch] -- TypeError: s.split is not a function<br />
  19. Jan 27 08:48:18.000 [notice] Owning controller connection has closed -- exiting now.<br />
  20. Jan 27 08:48:18.000 [notice] Catching signal TERM, exiting cleanly.</p>
  21. <p>(firefox:27617): GLib-ERROR **: creating thread 'gdbus': Error creating thread: Resurssi ei tilapäisesti ole käytettävissä<br />
  22. /home/hurtta/bin/torbrowser: rivi 368: 27617 Jäljitys/katkaisupisteansa (luotiin core-tiedosto) TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class "Tor Browser" -profile TorBrowser/Data/Browser/profile.default "${@}" < /dev/null<br />
  23. hurtta:~$<br />

Starting it again worked

  1. <br />
  2. hurtta:~$ torbrowser --verbose<br />
  3. Unable to update the static FcBlanks: 0x0600<br />
  4. Unable to update the static FcBlanks: 0x0601<br />
  5. Unable to update the static FcBlanks: 0x0602<br />
  6. Unable to update the static FcBlanks: 0x0603<br />
  7. Unable to update the static FcBlanks: 0x06dd<br />
  8. Unable to update the static FcBlanks: 0x070f<br />
  9. Unable to update the static FcBlanks: 0x2028<br />
  10. Unable to update the static FcBlanks: 0x2029<br />
  11. Unable to update the static FcBlanks: 0xfff9<br />
  12. Unable to update the static FcBlanks: 0xfffa<br />
  13. Unable to update the static FcBlanks: 0xfffb<br />
  14. 1517035791500 addons.webextension.<unknown> WARN Loading extension 'null': Reading manifest: Error processing permissions.1: Unknown permission "privacy"<br />
  15. 1517035791500 addons.webextension.<unknown> WARN Loading extension 'null': Reading manifest: Error processing permissions.4: Unknown permission "unlimitedStorage"<br />
  16. 1517035791600 addons.webextension.<unknown> WARN Loading extension 'null': Reading manifest: Error processing devtools_page: An unexpected property was found in the WebExtension manifest.<br />
  17. Jan 27 08:49:52.142 [notice] Tor 0.3.2.9 running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.2n, Zlib 1.2.8, Liblzma N/A, and Libzstd N/A.<br />
  18. Jan 27 08:49:52.142 [notice] Tor can't help you if you use it wrong! Learn how to be safe at <a href="https://sedvblmbog.tudasnich.de/download/download#warning
  19. Jan" rel="nofollow">https://sedvblmbog.tudasnich.de/download/download#warning<br />
  20. Jan</a> 27 08:49:52.143 [notice] Read configuration file "/home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults".<br />
  21. Jan 27 08:49:52.143 [notice] Read configuration file "/home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc".<br />
  22. Jan 27 08:49:52.145 [notice] Scheduler type KIST has been enabled.<br />
  23. Jan 27 08:49:52.145 [notice] Opening Socks listener on 127.0.0.1:9150<br />
  24. Jan 27 08:49:52.145 [notice] Opening Control listener on 127.0.0.1:9151<br />
  25. Jan 27 08:49:52.000 [notice] Parsing GEOIP IPv4 file /home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip.<br />
  26. 1517035792100 addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232} WARN Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing permissions.1: Unknown permission "privacy"<br />
  27. 1517035792100 addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232} WARN Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing permissions.4: Unknown permission "unlimitedStorage"<br />
  28. Jan 27 08:49:52.000 [notice] Parsing GEOIP IPv6 file /home/hurtta/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6.<br />
  29. Jan 27 08:49:52.000 [notice] Bootstrapped 0%: Starting<br />
  30. Jan 27 08:49:52.000 [notice] Starting with guard context "default"<br />
  31. Jan 27 08:49:52.000 [notice] Bootstrapped 45%: Asking for relay descriptors<br />
  32. Jan 27 08:49:52.000 [notice] New control connection opened from 127.0.0.1.<br />
  33. Jan 27 08:49:52.000 [notice] New control connection opened from 127.0.0.1.<br />
  34. 1517035792800 <a href="mailto:addons.webextension.https-everywhere-eff@eff.org" rel="nofollow">addons.webextension.https-everywhere-eff@eff.org</a> WARN Loading extension '<a href="mailto:https-everywhere-eff@eff.org" rel="nofollow">https-everywhere-eff@eff.org</a>': Reading manifest: Error processing devtools_page: An unexpected property was found in the WebExtension manifest.<br />
  35. 1517035792800 <a href="mailto:addons.webextension.https-everywhere-eff@eff.org" rel="nofollow">addons.webextension.https-everywhere-eff@eff.org</a> WARN Please specify whether you want browser_style or not in your browser_action options.<br />
  36. Illegal AddressMatcher: [xpconnect wrapped nsIPrefBranch] -- TypeError: s.split is not a function<br />
  37. Illegal AddressMatcher: [xpconnect wrapped nsIPrefBranch] -- TypeError: s.split is not a function<br />
  38. Jan 27 08:49:53.000 [notice] Bootstrapped 52%: Loading relay descriptors<br />

( Preview seems not work on comment ... )

January 27, 2018

Permalink

My opinion. Just keep Torbrowser 7.0.11. Disable automatic updates and even alerts to update (though not all possible). Install Torbrowser 7.5 somewhere else as Torbrowser2, in a portable way. Use the one that works. My opinion, 7.5 is full of unsolved problems and new incompatibilities.

I'm autoquote myself. I've changed several first node (blacklisting the IPs on my firewall) and now v3 sites work fine. But there are some general problems with v3 sites because they go up/down frequently.
BTW, 7.5 works good with the normal .onion sites and the rest of the web.

January 28, 2018

Permalink

It is written on the download page :
Tor Browser
Version 7.5 (2018-01-23) - Windows 10, 8, 7, Vista, and XP

This is FALSE. Torbrowser 7.5 is completly incompatible with Vista x64 !!! Both, Firexof part and the Tor part DO NOT work on Vista 64.
Tried on several computers. This is simply put "not working".
You need to go back to Torbrowser 7.0.11 and configure it before anything to stay away from automated updates.
If you got in the menu, your links tranfered, you need to save them from Torbrowser 7.5 before deleting Torbrowser and restore them in 7.0.11.
Take care not to update to 7.5 if it was not automated, before this major bug, if this is one, is repaired.

You could help us debug that and try to find a fix for your problem. So, you said the Tor part is not working either on Vista 64bit. Could you download the expert bundle (32bit), extract it and run it on your machine? (The link to the file is: https://archive.torproject.org/tor-package-archive/torbrowser/7.5/tor-w… and to the signature: https://archive.torproject.org/tor-package-archive/torbrowser/7.5/tor-w…) What error are you getting?

January 28, 2018

Permalink

I am very glad to see TP using some thoughtful advice from a researcher who has studied usability issues!

However, I am concerned that your work in trying to improve usability (which is a good idea in general) will be rather quickly "buried" if TP neglects the needed follow up:

o reorganize the website so that the most up-to-date and most useful (to newbies) data is easy to find; for example

+ the nice "videos" [animated images] above showing how to use the new interface,
+ "follow these simple steps" tutorials on verifying the detached signature of the tarball,
+ EFF's diagram of the onion concept (a Snowden leak shows NSA teaches bad guys using it; why shouldn't we teach the world using it?),
+ links to EFF's "Surveillance Self-defense", ACLU's "They are Watching" sites, Riseup

(examples of information *not* useful to newbies would include the original Tor design specification and outdated technical information now of interest primarily to historians of technology not to newcomers to the Tor community),

o list of key people and Tor Board must be kept up to date and easy to find,

o statement of principles must be kept up to date and easy to find (in particular, keep trying to make "no backdoors ever" less ambiguous and easier to understand, perhaps by saying the same thing five different ways and by defining all terms e.g. [software application level] "backdoor"),

o list of Tor products and their status (mature, beta) must be easy to find and kept up to date,

o to help at risk people (e.g. soda tax advocates, bloggers, journalists) better understand the technical attacks they might reasonably expect to confront in the months and years ahead, I think the following should also be easy to find in TP's website:
+ link to EFF's collection (not up to date alas) of published Snowden leaks,
+ in particular, to GCHQ/NSA attacks on Tor circa 2012,
+ link to Micah Lee's encryption for activists tutorial,
+ link to WP "Top Secret America", The Intercept "Cell Spies", Wikileaks "Spy Files" sites,
+ link to Citizen Lab site (e.g. reports on Ethiopian government cyberattacks on USPERS),
+ links to best nontechnical explanations of Shellshock, Krack, Meltdown, Spectre flaws,

o institute a regular Friday post in this blog allowing users to "ask us anything", or make suggestions in the comments; sure it will be a pain to keep out spambot comments from such a regular posting, but such an institution will surely be useful and reassuring to newbie Tor users and non-US Tor users in particular, if they see a genuine question being answered promptly and authoritatively; many newbie questions are best answered by citing a link or two and currently these are too hard to find if for security reasons you don't keep them in browser bookmarks (see above for a better way to keep the most quotable links handy)

o ask Tails people to check the blog for questions about Tails; Tails Project is listed as partner of Tor Project so it is confusing and off-putting when some comment in the blog here angrily suggests that Tails questions don't belong here; of course they do; the purpose of this blog is or ought to be to offer helpful information to the Tor community--- including not only node operators, other volunteers and "power users", but also "ordinary users", especially newbies!

o in short, look over your entire website and outreach activities, and ask a hard question about everything you see: does this enhance our *current* drives to persuade/enable more ordinary people all over the world to use Tor (wisely) every day?

> Meltdown, Spectre flaws

While using Tails 3.5 (running on a laptop which uses an Intel chip) to comment in this blog, I am definitely seeing the unfortunate effects of the patch against Meltdown! This is interesting because although I upgraded Tails as soon as 3.4 and 3.5 became available, this is the first time I've definitely seen the slowdown due to preventing the problematic speculative execution.

Needless so say, as one journalist wrote, the needs of security must always come before matters of convenience, so I am happy to cope with changes.

We have a UX mailing list (https://lists.torproject.org/cgi-bin/mailman/listinfo/ux) and regular UX team meetings on IRC (https://trac.torproject.org/projects/tor/wiki/org/teams/UxTeam) Feel free to subscribe and contribute, and welcome to the meetings!

If you want to start working right away on branding issues in Tor Browser for instance, have a look at our bug tracker: https://trac.torproject.org/projects/tor/query?status=!closed&keywords=….

January 28, 2018

Permalink

Since I use 7.5 I see in my task manager constantly something being uploaded and downloaded. This was never before. What's that about?
And everytime I delete history in Tor, after logging in and out somwhere with my email, and refresh de page I see my email already filled in the box. How is that possible?

Not sure yet. Does this happen with a clean, new Tor Browser 7.5 as well? Do you see the email address filled in the box after doing a "New Identity" as well (click on the green onion icon -> New Identity)?

January 28, 2018

Permalink

Already reported on TBB 7.0 series, see https://ocewjwkdco.tudasnich.de/comment/273040#comment-273040

TBB ships with several sites allowed by default to install add-ons.
Even after they are removed, they are re-allowed upon restart.

This HUGE security hole still exists in TBB 7.5.

The excuse that they can't remove them because they get NoScript updates via those sites
is bull@#$%. The commenter was exactly correct who said that starting from firefox is a
bad idea for security. Better to start from scratch.

> Better to start from scratch.

Generally speaking, I share your concerns about possible security holes in Tor Browser.

But I think we need to place the decision to base Tor Browser on Firefox-ESR in context. Modern browsers are enormously complex things, and users (even Tor users) expect them to do many things seamlessly. That means browsers require a big team to make-- and also, as you know, it means they are hard to secure. Given the small size of the Tor Project's budget and developer staff, and the enormority of the technical/political threats TP must confront, I think it makes good sense to base Tor Browser on an existing open source browser.

There may be merit to discussing the possibility of basing Tor Browser on another open source browser, but this would raise another issue, the fact that making big changes in something millions of at risk people rely upon can be more dangerous than opting for slow evolution of something we know more or less works for most users.

So generally speaking, I feel we must place our trust in the TB developers to make the best (or "least bad"?) decision when choices are available.

January 29, 2018

Permalink

Tor for Windows works perfectly but Tor for Linux does not.A strange
situation in the sphere of anonymity and security. :)

> Tor for Windows works perfectly but Tor for Linux does not.

This is a very sweeping and ambiguously stated claim made without any evidence whatever.

You claim "Tor for Linux" does not work perfectly. Do you mean Tor Browser 7.5 for 64 bit Linux? Did you download the tarball from torproject.org and verify the detached signature before installing it on your 64 bit computer running some Linux distribution?

For all we know at this point, you tried to install 64-bit Tor Browser on an old 32-bit laptop, for example.

I am just an ordinary Tor user, not affiliated with Tor Project, but I've see enough comments to know that the more detail you can provide, the better, assuming you actually want TP to help you fix a genuine problem.

> A strange situation in the sphere of anonymity and security. :)

The Tor community is under constant assault, ranging from technical attacks (e.g. from Carnegie-Mellon nasties) to state-sponsored disinformation/suasion campaigns (e.g. those documented a few years ago in this blog).

Tor Project has very few paid employees and runs mostly on volunteer labor.

Given the forces arrayed against the Tor community, I feel we deserve a great deal of credit for having proven (so far) much harder to kill off than some of the nastiest governments on Earth wish.

January 29, 2018

Permalink

I wanted to watch a new story video in Australia that only plays to Australia, so I set exitnodes to Australia's country code (AU). This worked and Tor is exiting in Australia. I went to the news web page and it saw me from Australia and drew the page. But when I go to play the video it fails and says I am from the wrong country.

How is it the video was able to determine my real IP address? Is this an HTML5 thing, and I thought by default Tor prevented videos from obtaining your real IP? I am confused.

How do I configure Tor 7.5 to not give up my real IP to a video stream?

My guess: when your Tor Browser requested the page it used an exit server in AU, so the remote server gave you the exit server the page and it passed back down the circuit to you. But when your Tor Browser requested the video, owing to the vagaries of CDN networks, that was on a different server using a different URL domain and Tor created a new circuit for the second connection, for which the exit server was not in AU.

> I set exitnodes to Australia's country code (AU).

Or maybe my guess is wrong!

Tails may be safer for you, because Tails does better at avoiding leakages of your real IP.

January 29, 2018

Permalink

Hi there,

An error occured when I was trying to verify the signautre of tor browser 7.5 using GPG4WIN, plz see below:

gpg: requesting key 93298290 from hkp server pool.sks-keyservers.net
gpg: no valid OpenGpg data found
gpg: total number processed: 0
gpg: keyserver communications error : keyserver helper internal error
gpg: keyserver communications error: General error

Could you help me to see what is the problem?

Many thanks in advance!

February 02, 2018

In reply to by ABC (not verified)

Permalink

Sounds like it might not be listed in that keyserver, or something else went wrong on the server.

That key (the TBB signing key) has been around for a long time so it should have propagated to that keyserver. I checked and it is in pgp.mit.edu. Try downloading it there. Search for
"0x93298290"

My guess is this is due to something innocuous, but you certainly shouldn't install the new TBB until you can verify the detached signature.

January 30, 2018

Permalink

PERFECT

February 01, 2018

Permalink

It crashes immediately after opening in win'10 home,never had ANY problems with previous editions for many years.

What do you mean with "after opening". Do you see a browser windows that is crashing then? Or does this mean right after you are double-clicking on the link to start Tor Browser? Do you see any error message?

EDIT:

Oh, and does this happen with a newly installed Tor Browser as well?

February 03, 2018

In reply to gk

Permalink

It starts normally,it works for a few seconds and then i get either "windows closed the application" or "the tab has crashed",and everything after that crashes immediately.
Uninstalled it,made a clean install,previously was updated from earlier editions,it seems to work fine now.
Thank you!

February 02, 2018

Permalink

I am getting very many
"Your connection is not secure"
and similar. In fact my tor is almost useless. What to do? Its been happening before 7.5 too.

> I am getting very many "Your connection is not secure" and similar.

More detail would help, but I guess the problem is not with Tor but with the fact that browsers generally are complaining more these days about cryptographic misconfigurations. Possibly what is happening is that the browser is expecting a secure connection but an encountering poorly encrypted or unencrypted connection when you click on some link in some webpage. One common way in which this can happen is that a webpage includes "hard links" to third party websites, often holding pictures illustrating news stories, etc. Does this sound at all like what you were doing when you saw these error messages?

February 03, 2018

Permalink

I cannot use obfs4 built-in bridge after upgrade TorBrowser from 7.01 to 7.5 (windows + linux), WHY ? please help !

February 04, 2018

Permalink

"Unable to connect"
"Your connection is not secure"
or a simple
"404"
or just and infinite attempt to connect.
This has been the case even before 7.5.
All under Knoppix 8.1 on a Toshiba satellite.

Yesterday I tried to add that I was unable to connect to the onion version of DuckDuckGo

Secure Connection Failed

was the problem reported.
My comment did not stick. Now trying again.

I have now twice, different nights, tried to add a comment that I cannot even reach DuckDuckGo's onion site. I get

Your connection is not secure

My attempts, at least the second, went as far as that you promised me to considered them in a review, but they vanish without a trace. Have you found them of little interest?

This is the fourth evening I try to add that off and on I cannot even reach the onion version of DuckDuckGo. Often I get
Secure Connection Failed
other times Firefox just never reach DuckDuckGo.

There is no security classification on the document when something like this would be considered confidential. The guy even left his name and face in the picture which would be very dumb if he wanted to leak such information.

February 04, 2018

Permalink

Wow, I just went through the entire comment thread to make sure this hasn't been discussed already. The people who work on Tor have the patience of saints.
Anyway, I just noticed a typo on the changelog for version 7.5. That contains the following line:

* Bug 21245: Add da translation to Torbutton and keep track of it

I'm sure that "da" is supposed to be "a". So when time permits, you might want to change that.

February 04, 2018

Permalink

Blank "pr" in cached-microdesc-consensus file is right?

r DrinkPaint 163.172.190.130 9001 9030
s Fast Running Stable V2Dir Valid
v Tor 0.2.9.11
pr
w Bandwidth=1380

February 05, 2018

Permalink

Does the setting plugin.disable_full_page_plugin_for_types still exist? (I have it and its value is set to application/pdf.)

Is there an easy way to reset all about:config settings to default, without reinstalling Tor Browser?

Thank you for your work.

Looking at the Firefox source code, yes, it still exists in Firefox 52. No, there is no easy way to reset all the changes preferences. That's one of the reasons we encourage to use the security slider as doing so allows resetting crucial security preferences in a controlled and reproducible way.

February 05, 2018

Permalink

Problem dowloading Tor Browser
My System is Windows 8.1
I'm writing from Browser Mozilla Firefox 52.6.0.6607
Last charged : Tor browser 7.5 (don't know if clean) 23 Jan 2018
Until old version all worked OK - Now loading is ever blocked - Copied clip board messages where loading stopped with warning messages:
2/6/2018 7:17:19 AM.000 [WARN] Proxy Client: unable to connect to 154.35.22.9:443 ("general SOCKS server failure")
2/6/2018 7:17:19 AM.500 [WARN] Proxy Client: unable to connect to 154.35.22.12:80 ("general SOCKS server failure")
2/6/2018 7:17:20 AM.500 [WARN] Proxy Client: unable to connect to 154.35.22.10:80 ("general SOCKS server failure")
2/6/2018 7:17:20 AM.500 [WARN] Proxy Client: unable to connect to 192.99.11.54:443 ("general SOCKS server failure")

I think IP Addresses are located USA

Any suggestion?
Can I uninstall and clean all registers of Tor Browsre and Mozilla and then reinstall all?

February 06, 2018

Permalink

Dear sirs
How do you make sure the exit IP address is always one country. You used to put a line in Torrc file but it no longer seems to work. Could you advise what the procedure is now?

Yours
Allister Denyer

February 07, 2018

Permalink

TOR is as far as I know intended for all kinds of users (not just the technically expert ones), but it's not evident to me (maybe because I'm not a technically expert one) why all users are prompted to download every new version.

With the exception of those updates that include security-related improvements, it often doesn't seem that there is any reason to install certain updates, despite being encouraged to by prompting from TOR.

Couldn't TOR be specific about which users really need (or can benefit from) updates as they're released, instead of just automatically recommending every update to every user?

> it's not evident to me (maybe because I'm not a technically expert one) why all users are prompted to download every new version.

This can be inconvenient but it's the only way to ensure you have the latest everything bundled in a tested package (Tor Browser bundle). There is a maxim in the cybersecurity world which holds that everyone needs to patch *everything* they use, because leaving anything unpatched opens up a hole. Security experts often find themselves trying to clean up the mess which results when (all too often) bad actors exploit just such a hole.

Many people use Tor every day, so if you have evidence that some of them may be endangered by a specific flaw, please give technical details sufficient for devs to fix the problem.

February 14, 2018

Permalink

TBB 7.5(with Tor 0.3.2.9) is connecting slow when using Guard with Tor 0.3.2.9 or is it a problem with the first hop/Guard?
Guard has enough Bandwidth, bigger as 10000, heartbeat is inconspicuous.

February 14, 2018

Permalink

I just recently updated to the new Tor 7.5 and my Tor will now no longer work?
It keeps saying something about connection disabled or something like that?
I've checked my clock and it's fine!
I've looked everywhere and can't figure this out..
You see, I can install an older version of Tor and it works PERFECTLY fine but NOT when I update to the new version, so now why is this?

February 14, 2018

Permalink

I have a problem with the CAPTCHA on many sites. Is there some kind of formula or something I am not aware of?

February 17, 2018

Permalink

Nice work - thanks.

Would it be possible to have a version of Tor Browser that can be installed on Windows like a regular browser (in additional to the portable TBB)?

What does a regular browser differently? Registry entries? And installation + different profiles for different users? That's tricky. There are no concrete plans yet for providing those features.

February 17, 2018

Permalink

v.good

February 21, 2018

Permalink

To whom it may concern

My TBB stopped working after an autoupgrade, the bootstrap process appears unaffected, however, the browser cannot load any webpages, it keep saying 'Secure Connection Failed'.

I tried to use new identity, use various bridge modes, didn't help one bit. Suspecting a corrupted update, I downloaded a fresh copy of installer using VPN, and the problem still persists.

I'm on windows7 64bit, previous version of TBB works fine. Please help.

February 25, 2018

Permalink

Since this weekend, the website torproject.org is unreachable - through tor AND plain firefox. I live in Belgium and used telenet and orange as provider. Just this blog is reachable, the download pages and other links in this blog are unreachable too (connection timed out). Problem in BE with restrictions on our internet or at Tor?

February 27, 2018

Permalink

Since updating TOR - it won't work for me. I installed the update - wouldn't work - would put in the URL, and it simply wouldn't respond.

Then my PC crashed. When I got it back up the last version of TOR was there again. It worked, but then wanted the update. I updated it.

Now it won't work again....same problem. I put in the URL, hit the arrow or return - and nothing happens. I'm running 2007 Windows Vista, Home Pack Premium Service Pack 2. If it is not compatible, is there a way to revert back to the last version?

Not easily, I am afraid. We believe we have a fix for that, see: https://trac.torproject.org/projects/tor/ticket/25112 which will make it into the next stable release if all goes well. That one is planned for next week. Meanwhile I think a good option is to use the Tor Browser alpha which you can find on our website as well: https://sedvblmbog.tudasnich.de/projects/torbrowser.html.en#downloads-alpha. Sorry for the inconvenience.

March 08, 2018

Permalink

Starting from two days ago I am unable to sync Tor 7.5.
I get a standard notification box "500 Error" without password prompt and checking about:sync-log this error is displayed "Sync.ErrorHandler ERROR Sync encountered a login error".
Is anybody else experiencing the same issue?

April 10, 2018

Permalink

For the last few days, I can't go to any site. Tor browser starts up without the tor project page, just the Firefox logo page (as if this is plain old Firefox). Whenever I try to access a site, it tells me that the proxy server is refusing connections. I have no idea what's happened, but the browser wanted to update and I'm stuck with this.

August 01, 2018

Permalink

This is supposed to have NoScript that is a default for JavaScript, but the site says otherwise. I need JavaScript to enter the site. What am I supposed to do about it? I have seen every goofy comment known to man about how the bundle browser will be improved, yada yada. I am stuck with Duck Duck go to find information about how to enable JavaScript. It said (source:mybrowserupdates.com) to use the "Tor Browser" button to go to options. Guess what? It gives you an option to stick Duckduck go where the sun doesn't shine, or it tells you you haven't given it any permissions. How about some help here?