New Release: Tor Browser 9.0.4
Tor Browser 9.0.4 is now available from the Tor Browser download page and also from our distribution directory.
This release fixes a critical security issue in Firefox: CVE-2019-17026.
The full changelog since Tor Browser 9.0.3 is:
- All Platforms
- Update Firefox to 68.4.1esr
Comments
Please note that the comment area below has been archived.
Is TBB 9.0.3 vulnerable to…
Is TB 9.0.3 vulnerable to CVE-2019-17026 if security slider is set to safer level? javascript.options.ion is set to false with this configuration which indicates not, but my layman interpretation may be wrong.
If anyone has information on who was the target of this attack and IOCs please share.
Yes, it looks like it's not…
Yes, it looks like it's not vulnerable in the safer level, but I don't know enough about this bug to be sure.
For several years, some Tor…
For several years, some Tor Browser users have urged Tor Project to consider relabeling the security levels as "Safest", "Safer", "LessSafe" and to set the default security setting at "Safer" or even "Safest".
The fact that this particular exploit appears to only work against TB at the default setting once again underlines the fact that it would help keep many users safer if Tor Project set the default security level higher and educated users about the possibility of dropping down to the unsafe level if they really need it to use a particular website on a particular day.
See the answer on this page…
See the answer on this page about why JavaScript is enabled by default:
https://jqlsbiwihs.oedi.net/tbb/tbb-34/
I understand the caution and…
I understand the caution and why you don't want to disable javascript by default.
I make the counter argument that if a user is not aware enough of the issues involved to know that some websites will not function without JavaScript enabled, they would also not be aware of the security risk present when JavaScript is enabled by default.
Perhaps a good have-your-cake-and-eat-it-too option would be to:
Disable JavaScript by default .
When a user tries to load any page with JavaScript, display a message saying that it is disabled, explain why, explain that some pages will work poorly or not at all without it, then tell how to reenable it (possibly include a link to the control).
Not everyone who has a car knows anout engines, but if you buy a muscle car with a customized engine, then you are likely a little bit more interested in how engines work...
Almost all websites include…
Almost all websites include some javascript, so we would be showing this message on almost every page. And when we show too much text or too much questions, users tend to not read it and click on the first button to hide it.
Point harder and brighter at…
Point harder and brighter at the shield on first open after installing then I guess.
Why Torbrowser is trying to…
Why Torbrowser is trying to update automatically despite i
DON'T want this?
How can i switch 'automatic update'/notification off reliably?
In preferences, in "Allow…
In preferences, in "Allow Tor Browser to" you can select "Check for updates but let you choose to install them".
You can also change app.update.silent:
http://kb.mozillazine.org/App.update.silent
disable the automatic update…
disable the automatic update option, ** on your device **
"Why Torbrowser is trying to…
"Why Torbrowser is trying to update automatically despite i DON'T want this?"
Because Tor Browser aims to keep its users safe. As shocking as this may seem to you, but you as a tinkerer are not the principal target audience, so a random feature that you wish for them to implement, that doesn't make any sense for regular users but instead would even be detrimental to them, is obviously not going to find its way into the browser.
"so a random feature that…
"so a random feature that you wish for them to implement,"
It's OK to set autoupdate as default but not to full force that compulsorily for all users and tell nudging fairy tales about random feature for shocked tinkerer.
This in your words "random feature" is a standard of ones choice.
To CHOOSE between autoupdate/telemetry and no-backchannel is essential for trust. No one is talking against autoupdate as standard for "regular users".
"is obviously not going to find its way into the browser."
Sounds ideologically and not technological.
By the way, do you remember the rofl from the NSA about MSWindows is sending all infos about your sys everytime it crashs?You could stop this behaviour with a click(-:.
I *still* have not succeeded…
I *still* have not succeeded in recovering two working Desktop VMs that have multiple user
accounts (Debian). Because of the apparmor issue. This WOULD have been easily recoverable
had my manual upgrade settings been honoured through all of the various major/minor deliberate
updates.
With something so critical it takes all of 4 mins to make a working backup copy of a VM file.
HUGELY disappointed at this testing failure. I still cannot recover my research and Dev
environment in an elaborate bookmarks setup that evolved over years.
Wont ever trust this again; I've moved over to using vivaldi and Brave. PERMANENTLY
At least I can rely on the settings and better VM performance with the alternatives.
Can you please disable that…
Can you please disable that spinning screen when clicking on the Security Level icon, then click "Advanced Security Settings". Also it was more efficient in prior versions when you could change the Security Level without going into a separate tab and menu. Thank you.
NB: Safer Security Levels…
NB: Safer Security Levels are not affected.
Yes, it looks like it's not…
Yes, it looks like it's not vulnerable in the safer level, but I don't know enough about this bug to be sure.
Хорошое приложение
Хорошое приложение
why does Tor not show…
why does Tor not show nicknames in 'Tor Circuit'?
Relay nicknames are less…
Relay nicknames are less unique than IP addresses. Operators could agree to name them all "Unnamed" if they wanted to. IP addresses are the basic thing to tell them apart because you have to know them to connect, and they are the key field to many other things like country names. Is there a reason why nicknames should be shown? Metrics.torproject.org is searchable by many flags including name or IP.
For example if mean that my…
For example if mean that my exit or entry node is fake..how to simply check this hmmm??????
It was always the most importnat function. Some times..exit nodes was usa or russia some people doesnt want to connect over this exit nodes and they refresh cirrcuit to change exit nodes automaticly. I know that we can pre definie entry or ecit nodes but dont cheat together..how many user know how to do this?? I think its few of all..So this fucntion mus be again avaliable..!!!!!!!
is " safest" and JavaScript…
is " safest" and JavaScript false in config ,safe of this 0day ?
Probably, but I don't know…
Probably, but I don't know enough about this bug to be sure.
Privacy Pass has stopped…
Privacy Pass has stopped working in Tor. Used to work. Stopped working a few releases ago. When a captcha has been solved, the check mark comes on, but does not advance. An error message comes on after a while that the solution has expired. No passes are added either. Tor only continues to work if the privacy pass is removed using the Add On Manager
Does it work in Firefox 68.4…
Does it work in Firefox 68.4.1esr?
What's actually going on in…
What's actually going on in China now? The number of meek users has decreased drastically recently, and there are now either 0 or next to 0 obfs4 users. Furthermore, how can there be thousands of relay users (apparently more than bridge users) there?
Is something going on with Microsoft Azure in China right now? Are Azure websites also only intermittently available there now?
I too see a trend inversion…
I too see a trend inversion for the number of users over meek. It starts around mid 2019. But it's not only in China, but worldwide. There are also 5 short periods afterwards that are statistically abnormal. Default OR bridge and meek bridge suddenly have their upper and lower bound for user count estimation diverge massively. At the same time the directories report huge swings in the activity over default OR bridges. [1][2] Maybe that breaks ther estimation heuristics. What causes those swings?
Meek-azure still works in China in at least some places with at least some providers, but it is very slow. It can take over half a minute to load duckduckgo. People would probably instead first tunnel over VPN.
Obfs4 does work in China but only with unpublished bridges. [3] The authorities are somehow able to reveal and block everything in the BridgeDB. The low obfs4 statistics can mean two things:
- Setting up a private server to run a private bridge with obfs4 is a bad investment. You could use other protocols to escape the Chinese internet instead (e.g. V2RAY). You get an optional faster clearnet connection and your protocol is less suspicious.
- People are actually using private obfs4 bridges but they don't arrive in the statistics.
There can't be any normal relay users. Tor is blocked and I am not going to test a direct connection. The GFW messes with all your connections afterwards for some time (slowing and time-outs). They must be from the government or not actually in China.
[1]: 2019.https://metrics.torproject.org/userstats-bridge-combined.html?start=201…
[2]: https://metrics.torproject.org/userstats-bridge-transport.html?start=20…
[3]: https://trac.torproject.org/projects/tor/ticket/29279
My guess is that many of…
My guess is that many of these alleged direct connections are due to GeoIP inaccuracies. Relays are using Maxmind's GeoLite2 to map client IP addresses to countries. GeoLite2 lags behind modern GeoIP databases in terms of accuracy and may mistakenly map IP addresses from, say, Hong Kong (where Tor works) to China.
Also, when setting up a private bridge, use
BridgeDistribution none
instead ofPublishServerDescriptor 0
. Both make your bridge private but the former also makes your bridge publish client statistics, which contribute to Tor Metrics.As far as I can tell, …
As far as I can tell, "blocked by GFW" means "available sometimes, but not most of the time". It's very hard to tell how GFW works, but it's clear it doesn't work consistently. Connection to Facebook and Google succeeds sometimes, but fails the vast majority of the time. Similarly, connections to GitHub succeed most of the time, but they fail sometimes. Connections to Wikipedia also fail very often, but not as often as connections to Google or Facebook. I'd expect the same to be true for TOR relays.
My guess is that those aren't actual users, but malware that connects (or, more likely, tries to connect but fails to bootstrap) to TOR. Given what I know, that appears to be the simplest explanation.
Why is Tor on mac not saving…
Why is Tor on mac not saving its window position and size when quitting, so it can re-open the same way the next time?
Do you have the same issue…
Do you have the same issue in Firefox 68.4.1esr?
I agree! Why can't the Tor…
I agree! Why can't the Tor window position and size remember when closing/opening? It's so annoying to always have to resize and reposition.
I really appreciate Tor for being more secure when we are online, and right now, I'm "testing" my usage and will be glad to pay for it, but later, after I am comfortable with my browser experience. Meanwhile, my "Favorites" saved websites and my bookmarks appear somewhat out of sorts. I know that those behind this wonderful and developing browser is still working on 'perfection' so to speak, but meanwhile, it will be a good idea to welcome user surveys/comments.
Meanwhile, keep up the good work! I'm sure there are people that will be glad to pay 'something' to use a secure browser, even if it's $2 a month.
It seems that many Tor users…
It seems that many Tor users are still disconcerted by the standardized window sizes and positions, but this is an important security/anonymity feature.
One way to think about this is that each place in your computer in which Tor Browser saves data opens up a potential security vulnerability.
More generally, increasing convenience tends to be inconsistent with improving cybersecurity. Bookmarks can be particularly revealing if an attacker is able to reach them.
I hope many more people will adopt Tor Browser in the months to come, and will start following the cybersecurity news (e.g. arstechnica.com, theregister.co.uk and many other sites). I have found that reading about real world exploits helps to maintain my awareness of the need to be very careful in trading away cybersecurity for some not truly necessary convenience.
Same on Linux (and Windows I…
Same on Linux (and Windows I guess), however, I consider this as expected behavior.
Despite letterboxing the default window size is still the recommended one to avoid fingerprinting, thus preserving custom window size would be a bug rather than a feature.
Do you know other browsers…
Do you know other browsers that do not send spying info, do not checks updates etc.
Why would a browser not…
Why would a browser not check for updates.
Thanks guys
Thanks guys
first time user.
first time user.
Beautiful
Beautiful
Anyone aware if TAILS will…
Anyone aware if TAILS will be releasing a new update so I can stop seeding the current one?
in this latest build tab…
In this latest build tab crashes again and again, can't use tor after update not even alpha build.
Which OS are you using?
Which OS are you using?
Why is access to chrome:…
Why is access to chrome: internal resources possible? For example, sites can detect modifying onboarding extension (TorZilla project).
In non-standard level NoScript overrides disabled webgl2. Maybe, better way is return {} for webgl1 and null for webgl2 for getContext?
Policies fully disabled for now. I edit omni.ja every time to re-enable it (disable updates, change search engines and etc.).
I think, policies.json-only variant is safe (as minimum not lesser then mozilla.cfg and user.js) and it's good to re-enable it (of course, with the system-wide group policies turned off).
TorButton always overrides network.proxy.type in startup-observer.js even if extensions.torbutton.use_nontor_proxy is false.
It's not useful, because I use the same TB instance with another profile for local and loopback network (without proxy and privacy/anonymity purposes).
I don't fully understand how resist font fingerprinting works. Linux doesn't expose fonts in tests in both variants of browser.display.use_document_fonts.
But Windows expose a lot of fonts. Is it garanteed that all of whitelist fonts present in OS? I noticed, Times and Helvetica get from registry via WinAPI advapi32, it's not very reliable.
Do you have any planning solutions or recommendations for FullScreen API screen resolution? In past, I use my own letterboxing protection with getBrowser().maxWidth/maxHeight overrides.
Hi, another pro cypherpunk!…
Hi, another pro cypherpunk! It's great you try to research how Tor Browser works. We recommend you to file your concerns directly to Trac, where pro discussions take place.
I was using TOR to access…
I was using TOR to access sites which for some stupid reasons weren't available in Russia. One example is: http://www.threesocksmedia.com/
All of a sudden I get this error:
Not Acceptable
An appropriate representation of the requested resource /index.html could not be found on this server.
I am not sure if it's related to the latest update, but I started seeing it only today.
The site works perfectly fine in Opera VPN and it's accessible fine from North America.
Regards!
It looks like this website…
It looks like this website is blocking access from Tor.
I got a red background…
I got a red background screen on startup after install of the latest update. There was a warning message on there that said "Something Went Wrong!" "Tor is not working in this browser."
This despite the install having worked correctly according to that same page displaying the Tor version in use (9.0.4) and my settings showing the newest browser version as being correct (68.4.1esr)
And I have full functionality including a definite Tor circuit.
What's with the warning screen?
Do you still have the issue…
Do you still have the issue after restarting the browser?
How do you edit omni.ja?…
How do you edit omni.ja?
Nothing i´ve found so far works
omni.ja is a zip file.
omni.ja is a zip file.
which is one of the things…
which is one of the things that doesn´t work.
Besides, which omni.ja and which .js, cannot find a .js saying anything about "app.update.".. Tried for hours and even the simplest little thing like unpacking and repacking a file makes tor not working.
Someone here must know. Zip doesn´t work.
What is your reason for…
What is your reason for going down the path of disabling updates? Perhaps there is a better solution if we understood your situation. Do you know that Tor Browser downloads and verifies the hashes of its automatic updates by going through the Tor network as it always does?
so what? do i need a reason…
so what? do i need a reason for deciding for my self?
you claim to want to "free" people, but you are being totalitarian in that you and you only decide what people cannot, must not be allowed to. Your arguments sounds so much like chinese leaders claiming they know what the people need. I bet your next "argument" will be like: "find another browser". Little by little you are becoming what you claim to fight against.
And, oh Winrar works, by the way.
My reason is irrelevant…
My reason is irrelevant. Your argument about how it goes through tor network is also irrelevant.
The only relevant question is why, why, why are users not allowed to choose for themselves?
Why is it necessary to take away peoples freedom of choice? You sound exactly like the Trump´s of the world, you have all the reasons why you need to be in control for the good of the people. How hard can it be to let people choose for themselves?
And, oh Winrar works, by the way.
You are free to do what you…
You are free to do what you want, and you could even take the source code and build your own version with the changes you want.
You don't have to give any reason if you don't want to, but explaining why you want to do something can help us decide if that's a use-case we want to use some of our time to support.
I did actually give my…
I did actually give my reason.
I want to be able to make the choice myself.
It should be an option to disable any kind of update, and those who wants auto-updating can choose that, that can even be the default setting.
You should never take away peoples right to choose for themselves. That is never a good solution however appealing to the ease of your work.
May i suggest working on a way to reintroduce policies without the proxy-issues?
There are ways to disable…
There are ways to disable updates. See for example:
https://redmine.tails.boum.org/code/projects/tails/repository/revisions…
You haven´t tried or you…
You haven´t tried or you would know it doesn´t work, of course Tor tries any possible attempt to "phone home", those steps are easily overruled by some hidden settings, possibly in omni.ja? (i´m definitely not an expert). I find it too complicated to edit omni.ja for every update, and i also haven´t found anything in there that stops it from looking for updates. Every time you open options, when you scroll to updates you see (i can see it) it tries to look for updates, and it just keeps on, because it can´t find it.
That´s what happens when you point to a wrong adress, it just keeps looking, endlessly apparently. It should be the users choice to decide whether to look or not.
And, oh... policies are forbidden in Tor, that used to be a good solution.
You haven´t tried or you…
You haven´t tried or you would know it doesn´t work, of course Tor tries any possible attempt to "phone home", those steps are easily overruled by some hidden settings, possibly in omni.ja? (i´m definitely not an expert). I find it too complicated to edit omni.ja for every update, and i also haven´t found anything in there that stops it from looking for updates. Every time you open options, when you scroll to updates you see (i can see it) it tries to look for updates, and it just keeps on, because it can´t find it.
That´s what happens when you point to a wrong adress, it just keeps looking, endlessly apparently. It should be the users choice to decide whether to look or not.
And, oh... policies are forbidden in Tor, that used to be a good solution.
outdated, all of it
outdated, all of it
omg. If you´d actually tried…
omg.
If you´d actually tried you´d know that doesn´t work anymore. Where have you been? E.g. policies are forbidden in TBB.
nice
nice
TOR as been working strange…
TOR as been working strange,despite the new update that took place recently the browser has not been displaying the webpage's images/information. I've tried to restart and re-downloaded the browser however the problem still remains the same.Any idea on my why this might be happening?
On which website do you have…
On which website do you have issue? Is it a particular website, or all websites? And what do you mean by "webpage's images/information"?
mega.nz shows my real…
mega.nz shows my real platform:
BrowserID: mozilla/5.0 (x11; linux x86_64; rv:68.0) gecko/20100101 firefox/68.0
(javascript active)
https://trac.torproject.org…
https://trac.torproject.org/projects/tor/ticket/28290
https://trac.torproject.org/projects/tor/ticket/26146
Intent to Deprecate and…
Intent to Deprecate and Freeze: The User-Agent string
Summary
We want to freeze and unify (but not remove) the User Agent string in HTTP requests as well as in `navigator.userAgent`
Motivation
The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.
Some parts of it, such as the browser version and the OS version, can be frozen without any backwards compatibility implications. Values that worked in the past will continue to work in the future.
https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/-2JIRN…
streaming doesn't work…
streaming doesn't work anymore on pornhub or xhamster
but download works suddenly - which was tricky on pornhub.
That could be the issue with…
That could be the issue with NoScript and embedded videos.
https://vbdvexcmqi.oedi.net/comment/286439#comment-286439
Hello, I don't know if this…
Hello, I don't know if this was covered. In numerous sites for the past 4 months or so, that yellow "pop-down" is saying do you want a site to post a page or wait or stop it. This happens whether I am looking at email or Courage.org or Reuters or several other sites. This disrupts the using of the computer more and more. Anything I could do to lessen this happening? Thank you so much in advance.
I don't see which "pop-down"…
I don't see which "pop-down" message you are talking about. What is the exact text of the message?
To _okim (my letter _ is…
To _okim (my letter _ is fried in my computer): Thank you for asking. The yellow _anner that "pops down" from the top states- "A we_ page is .slowing down your _rouser. What would you like to do? Stop it // Wait // . Sometimes it still pops down when I answer it! (Perhaps it doesn't like my answer). Any ideas how to lessen this happening? Thanks! PS Usually I choose Stop it, although I have tried them all including the X for hiding the thing.
This is usually caused by…
This is usually caused by websites which include scripts using a lot of resources. You can try changing the security level to Safest, which will disable javascript.
Thank you. I will adjust…
Thank you. I will adjust accordingly. Good "talking" to you again!
Your broken B key is…
Your broken B key is terrible for your privacy. I've been able to look in old posts and find you every time no matter what name you post as. Use your OS's virtual keyboard or keep Character Map open to copy "b" into your clipboard so you can paste it. Basic keyboards are not expensive as far as parts go. You can find used ones at secondhand stores, ebay, craigslist, from friends, or even in trash bins sometimes. If you have a laptop, there are portable USB ones. Or you could open it up to try and repair it.
after the update, tor become…
after the update, tor become seriously slow. i try back to 9.02 but it also slow. Something happen to TOR network especially obs4.
no videos on many websites…
no videos on many websites at any seclevel.
Did they work in previous…
Did they work in previous Tor Browser releases?
i'll try a fresh install and…
i'll try a fresh install and compare.
it is firejail. firejail …
it is firejail. firejail /PATH/tor-browser_en-US/start-tor-browser.desktop launches but TBB does not work properly. no videos on my preferred sites. download possible.
solved > More fixes for…
solved >
More fixes for ffmpeg support in Arch Linux
https://github.com/netblue30/firejail/commit/bc337e2330730e8ed8f2673398…
The link from the download…
The link from the download page points to 9.0.2, but I changed everything to 9.0.4 and found it, hope that's safe. Just fyi so you can change the link
Yes, we had an issue with…
Yes, we had an issue with the website yesterday:
https://trac.torproject.org/projects/tor/ticket/32946
Many thanks to Mozilla and…
Many thanks to Mozilla and the Tor Browser team for this critical security update!
But the most lethal threats to Tor may be legal, not technical. The DOJ backed away from their first attempt to force Apple to write malware to unlock a dead terrorist's phone, but now they are trying again:
thehill.com
Apple rejects Barr claim that company has given no 'substantive assistance' in Pensacola shooting probe
Justin Wise
13 Jan 2020
> Apple is refuting Attorney General William Barr's claim that the company has not given federal investigators "any substantive assistance" in its investigation into a December shooting at a Pensacola, Fla., military base that left three dead. The company also reiterated its stance on protecting encrypted devices in wake of Barr's push for law enforcement to gain access to the gunman's iPhone communications. Barr leveled the accusations against the Silicon Valley giant during a press conference Monday in which he detailed the findings of an investigation into the massacre, which was carried out by a member of the Royal Saudi Air Force who had enrolled in the Naval Air Station Pensacola training program. Lt. Mohammed Saeed Alshamrani killed three U.S. sailors and wounded eight others after entering the naval station grounds on Dec. 6.
One of the most frustrating aspects of this insanity is that DOJ has not even attempted to explain in rational terms what it expects to learn if it could decrypt the phone. However numerous NCTC and FBI documents (published at sites like publicintelligence.net) show that USG is obsessed with discovering "predictors" for which persons will commit terrorist acts in the future, a goal which is almost certainly quite impossible, given the extreme rarity of actual terrorists (i.e. not journalists and civil rights workers who are often absurdly labeled "terrorists" by governments and their media shills, offended CEOs, angry cops, etc).
Has this been addressed? …
Has this been addressed?
https://winaero.com/blog/update-mozilla-firefox-to-fix-a-critical-flaw/
Update Mozilla Firefox to fix a critical flaw
Mozilla has advised all users of its Firefox browser to update to the latest version in order to fix a highly critical security flaw that could allow attackers to take over your computer.
Firefox Quantum Logo BannerThe company revealed that a "security firm [called] Qihoo 360 reported a vulnerability that was used as part of targeted attacks on a local network". and that they released the patch on Wednesday morning. The flaw is a memory bug that would allow hackers to execute code on a hacked system that would allow them to take it over.
The CISA has also advised all users and administrators to perform an update to their Firefox installations, saying that they should "review the Mozilla Security Advisory". Standard users can simply update Firefox over the air, although the browser may have applied updates automatically, as it is set to do.
Check your Firefox version number
It's simple to check if the version of Firefox you're running is up to date. To see what version you are on, simply type about:support in the omnibox (main search bar) and look under 'Application Basics' for the version number. If you are on Firefox 72.0 or earlier, you're at risk to the fatal bug. Version 72.0.1 and later are protected.
Yes, this is what version 9…
Yes, this is what version 9.0.4 is fixing.
Thank you for the fix
Thank you for the fix
Hi all :) do i need to use…
Hi all :)
do i need to use VPN in order to use tor and be undetected?
try wikipedia, and try a…
try wikipedia, and try a search of
vpn vs tor
tor should give better privacy.
I've never used a vpn.
as i understand:
For tor browser, the route "out" is: your PC, then the ISP you are connected to, then through three tor "nodes", then the website that your browser shows you.
The locations of the three tor nodes change at times.
So, your ISP (of wherever you are) sees changing IPs of the first tor node.
Each website sees the changing IPs of the third tor node.
For vpn, the route "out" is: your PC, then the ISP you are connected to, then the vpn, then the website that your browser shows you.
The vpn's IP is the same (Other than they might use more than only one IP address).
So, your ISP (of wherever you are) sees the IP of the vpn.
Each website sees the IP of the vpn.
Some businesses have vpn for employees to connect to from home, or from elsewhere away from the business location.
People who use vpn often (try to) choose one with server located in a legally "safer" country. (stronger privacy laws)
I believe those are the most significant differences.
https://support.torproject…
https://jqlsbiwihs.oedi.net/faq/faq-5/
Is there a problem with this…
Is there a problem with this?
https://sha-mbles.github.io/
https://arstechnica.com/information-technology/2020/01/pgp-keys-softwar…
PGP keys, software security, and much more threatened by new SHA1 exploit
When you try to check Torbrowser or Tails downloads, Linux distro, etc. ?
I am also concerned that…
I am also concerned that SHA1 defines Git commit history.
GRRRR ... here we go again …
GRRRR ... here we go again ... How do you put tabs below address bar ?
this has been a continuous complaint for over 10 yrs and firefox coders still won't give the option of switching it to where we want/need it as part of regular settings! Why?
Major browsers haven't had…
Major browsers haven't had tabs below the address bar for a very long time. Tabs below is not intuitive from a user experience perspective. Each tab loads its own URL, so when a user clicks on a different tab, the state of that tab including its URL should be inside the frame of that tab; therefore, URL under the tab button. As for whether there should be an option to move it back, ask Mozilla (on bugzilla) and every other major browser because it's outside of the scope of Tor Project.
B"H Hello The new Tor 904…
B"H
Hello
The new Tor 904 version doesn't open on my computer, but does leave a Firefox.exe process running.
Please fix this.
Sincerely, Dovid
Do you have any error…
Do you have any error message? What OS are you using?
Improve the indicators of a…
Improve the indicators of a new version.
Most of the time, I start a new identity rather than close Tor browser. Today, I closed it to fix a taskbar problem. When I reopened Tor browser, I watched it install an update, and after it started, about:tor said 9.0.2. I opened Help -> About Tor Browser, and it had a button to restart and apply an update even though I just did. I clicked, it closed, installed an update, and said 9.0.2 again. I went to About Tor Browser, and it had the button again. It wasn't updating. I had more than enough space free. Maybe I ran out of space at some point weeks ago, but I had enough now. There wasn't any indication that versions above 9.0.2 were released. What caught my attention was the progress bar showing that Tor browser always installed an update every time I opened it. To a novice, that's all they would see. They wouldn't know they should open Help menu or the website or blog. They would think 9.0.2 was the latest version and be stuck on it none the wiser.
Linux 64, Cinnamon
I deleted the folder and installed 9.0.4 from scratch. About Tor Browser says "up to date". I'll remember to watch if it auto-updates to future versions properly. In blog posts for 9.0.1 to 9.0.3, a few comments talked about red screens, "Something went wrong", and problems updating. I never saw a red screen. I don't think my problem had something to do with to theirs.
If you still have a copy of…
If you still have a copy of the non-working 9.0.2, you can help us debug the issue, by setting the pref app.update.log to true, and starting the browser with the `--debug` option. You might also be able to find some update logs in the updates/ directory.
Unfortunately, I don't. I…
Unfortunately, I don't. I deleted it to avoid conflicts with two versions at the same time. If it happens again, I'll look for your instructions here and reply in the newest TB post.
Tor Browser Android …
Tor Browser Android
recommends about:config
browser.privatebrowsing.autostart ; false
Why?
Why?
Tor Browser android bug fix…
Tor Browser android bug fix about:comfig -> browser.privatebrowsing.autostart ; true
good! -> browser.privatebrowsing.autostart ; false
That is not a bug, private…
That is not a bug, private browsing mode is intentionally enabled by default.
Don't k3if this is 3bug or…
Don't k3if this is 3bug or what but Tor update broke my computer. I allowed an update about a day ago and have not been able to access the internet since then. The ISP see my computer online sending and receiving, but I cannot access the internet. rebooting and resetting the computer and router doesn't help. I've run out of ideas about a possible solution.
Ii am now afraid to do any further Tor updates, which probably means I won't be able to use Tor.
I looked at the support portal but I don't see anything there that might help.
Are you able to access the…
Are you able to access the internet outside of Tor Browser? If not then this is unlikely to be related to the Tor Browser update.
What is this? Open: Options…
What is this?
Open: Options->Tor->Tor logs.
In Browser Console:
Tor WARN: Error replacing "X:\...\TorBrowser\Data\Tor\torrc": Permission denied
Did you change permissions…
Did you change permissions on the torrc file? Or is the file owned by a different user?
Tor Browser needs write permission on this file to work.
"Tor Browser needs write…
"Tor Browser needs write permission"
The question is: Why and what the TB needs to write in the torrc?
Why the TB is 'touching' the torrc file without any neccesity?
The configuration of the tor…
The configuration of the tor daemon is done by torlauncher (through the tor control port), and then needs to be saved to the torrc file.
The 'Guard' IP doesn't…
The 'Guard' IP doesn't change between Tor Browser (TB) restart or when clicking on 'New Identity' (NI) or keyboard shortcut Ctrl+Shift+U.
Last time this happened was during a 8.5.x (or maybe 8.4.x). I can't recall what was the solution (but I think someone suggested, just installing again over the old version), but that did resolve the problem, until now. I don't know which version of 9.0.x started this.
The guard is not expected to…
The guard is not expected to change between Tor Browser restarts or on New identity:
https://jqlsbiwihs.oedi.net/tbb/tbb-2/
Thank you for the…
Thank you for the explanation. Do you know exactly which version and when, this was changed from the previous behavior of changing guard during every browser restart or with every 'New Identity'?
It's been like this for a…
It's been like this for a very long time.
The blog has some articles about entry guards:
https://vbdvexcmqi.oedi.net/category/tags/entry-guards
When will 9.5 be released?
When will 9.5 be released?
I think we have not decided…
I think we have not decided that yet. It will be in the next few months.
dispite that i have set…
dispite that i have set security lvl to safest,i will get this when i enter a dark web site ; WARNING: You have javascript enabled in your browser! Disable this for your own safety!
Having Javascript enabled may result in having your private IP leaked and having your computer fingerprinted! so for now i will not use TOR for anything,you can roll back or fix it so script show allowed or default/denied too while you are at it
Javascript should not be…
Javascript should not be enabled in the safest security level.
For example, does the following website tell you that javascript is enabled when you click on the "Test Javascript" button?
http://www.bom.gov.au/australia/radar/about/clickme.shtml
Let me guess, "a dark web…
Let me guess, "a dark web site" refers to Dread here?
It's false alarm: https://trac.torproject.org/projects/tor/ticket/29044#comment:3
You could've used Dread's search bar though, there's a post about this every other day.
hallo
hallo
The download function was…
The download function was broken. When it went to the last second of the download, it stopped and didn't complete. Please fix it.
Which download option? Where?
Which download option? Where?
The tor browser fails to…
The tor browser fails to start correctly at the first time I start it. I have to try it twice, three times. Please fix the problem.
Do you have more details…
Do you have more details about the issue? What operating system are you using, and do you have an error message when you try to start it?
Esta bueno
Esta bueno
Please add tor cirrcuit in…
Please add tor cirrcuit in browser...or simple gui function to user could chance exit nodes from browser..not from txt config file..
I thing you do big mistake to erase tor cirrcuit..this function was from years...
Many people are not happy from this change..to what direct tor browser is going now?? to the not transparanency ?
Tor cirrcuit schemat must be again..in tor browser.
Circuit display is still…
Circuit display is still available, it has not been removed.
https://tb-manual.torproject.org/managing-identities/
May he/she means Vidalia?
May he/she means Vidalia?
Probably in order to sell…
Probably in order to sell their VPN services some companies are saying that IPV6 can leak your real IP.
I see that under about:config network.dns.disableIPv6 the default is false.
Would it not be better to have this changed to true or, for the security-minded user, should he/she change this setting to 'true'.
Your thoughts would be appreciated.
Thank you
When I requested a bridge it…
When I requested a bridge it failed to connect to any site. the bridges used below
[bridges lines removed, please don't share bridges publicly]
Did the Tor bootstrap fail,…
Did the Tor bootstrap fail, or did it succeed, but browsing does not work after that?
Also, what OS are you using?
HTTPS Everywhere for some…
HTTPS Everywhere for some reason allows mixed - content sites.
Is there a way to block them?
The auto-play of youtube is…
The auto-play of youtube is blocked. It's so inconvenient. How to let it play automatically?
Auto-play on youtube works…
Auto-play on youtube works for me. Media auto-plays except if I open it in a new tab in the *background* that was not the active tab I was looking at. Autoplay of media is disabled in tor browser on first opening a page (any page, not simply youtube) because autoplay lowers privacy. If you accept the risk to enable it, you can read Mozilla's help here:
https://support.mozilla.org/en-US/questions/1238033
https://developer.mozilla.org/en-US/docs/Web/Media/Autoplay_guide
That is, unless you are talking about Noscript's yellowish layer covering media you haven't allowed in Noscript. Make sure you are on Standard security level unless you know how to configure Noscript.
The new version of tor…
The new version of tor shrinked the window. It brings an awful user experience to me. Please give me an option to turn it off. How to off it.
https://support.torproject…
https://jqlsbiwihs.oedi.net/tbb/maximized-torbrowser-window/
when you maximize tor…
when you maximize tor browser, there's a gray border around the content. I know that you're not supposed to maximize but I use tor for non-sensitive things to help those who do sensitive things and I'd really just like a proper browser window
privacy.resistFingerprinting…
privacy.resistFingerprinting.letterboxing is the pref that can be used if you want to disable this feature.
Hey guysI am new here jelp…
Hey guysI am new here jelp me to use this
Do you have a more precise…
Do you have a more precise question?