Tor Browser 4.0.3 is released
A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.
Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.
Here is the changelog since 4.0.2:
- All Platforms
- Update Firefox to 31.4.0esr
- Update NoScript to 2.6.9.10
- Update meek to 0.15
- Update Tor Launcher to 0.2.7.0.2
- Translation updates only
Comments
Please note that the comment area below has been archived.
I wonder how "current" the
I wonder how "current" the Crypto/HTTPS in the new browser version is.Have not try yet.
e.g. DSA or RC4 are outdated?
How trustworthy is DSS? And Camellia?
Or try download from the mozila ftp pub with GCM-sha256?Fail.
Why AES128 only in security.ssl3.ecdhe_rsa_aes_128_gcm_sha256?
Why not crypto with Twofish?
And so on.
I hope detailed crypto and media information is activared again.
Well, you can deactivate RC
Well, you can deactivate RC 4.
Type in the address bar of firefox
about:config
then search for "RC 4" or "RC4"
then deactivate all entries listed, so switch from "true" to "false"
that's it ! :)
Just wanted to say a huge
Just wanted to say a huge thank you to everyone that works on TBB and associated products. I know lots of people complain about stuff but I just wanted to say that your work is greatly appreciated (by me at least). THANKS AGAIN. There are many adversaries out there trying to watch every last little thing that we do but with your help we can hold them off a good while longer.
People who complain are also
People who complain are also grateful and appreciate what Tor devs are doing otherwise they wouldn't be using Tor! complaining=/=hate
So true. well said.
So true. well said.
I concur, keep up the good
I concur, keep up the good work!
Complaining is one thing,
Complaining is one thing, giving constructive criticism is another. Only the liberals and the government complain because things don't go their way.
thanks :)
thanks :)
thanks ! i have a question
thanks !
i have a question .
i have heared cyber police can track users by computer's IP ! is it true?
if Yes is there anyway to change computer's IP?
i mean the ip to be optained via :
Run> Cmd > ipconfig >IPv4
No. That is untrue. There is
No. That is untrue.
There is no such thing as Internet police. Laws vary from country to country, so what's legal in one country could be illegal in another.
If you don't take measures to hide your real IP address, and you then start using peer-to-peer sites to obtain content that is protected by Copyright - for example, you download the latest Red Hot Chili Peppers album. Because you are now sharing that with the world (by default with most P2P software), you could end up sharing it with one of many computers that the Recording Industry Association of America (RIAA) have set up to trace the sharing of Copyrighted material. The Motion Picture Association of America (MPAA) are the ones who get involved if you've downloaded and shared movies, RIAA take care of music, and so on.
The RIAA, in this example, then go to the local Courts to request a Court Order instructing the Internet Service Provider (ISP) of the IP address to give them the details of the person who used the IP address at the time the Copyright infringement occurred. Details in hand, they go to the Police because you broke the law, and you get a slap on the wrist. It's not exactly a huge criminal act as far as law enforcement are concerned.
With the criminal conviction in the bag, they then set about ruining you financially and they commence legal proceedings against you for sharing content that was Copyrighted, and demand no less than $750 per song shared to any 1 person. So if 100 people downloaded 1 song, they sue you for $75,000. They make up a random number of people that they think have downloaded the Copyrighted material you have made available for downloading, and slap you with a ridiculous bill in the millions that nobody would be able to pay.
There are several horror stories out there of the RIAA bullying families to bankruptcy because their children have been loading up on Copyrighted content, and it's not the downloading that they're hot and bothered about, it's the fact that you made the Copyrighted material available for others to download from you.
I'm not recommending that you break Copyrighted laws at all. However, a service like Tor will cloak your real IP address from any drone computer the RIAA may have set up, and if your IP address is in North Korea, the RIAA don't have jurisdiction there, so they'd have to drop it and move on to the next case, hoping it's easy and straightforward.
Bottom line: Use Tor.
Written by JerryU
could they still charge me
could they still charge me if i only download a copyright protected song directly ? (not form p2p websites)
thanks in advance.
Generally you shouldn't do
Generally you shouldn't do anything that's illegal in your country.
so your advise is - do not
so your advise is - do not use tor till you are in china??
There is always a way to
There is always a way to track someones i.p. and track their activity. There is internet police, but they don't actually act on something unless it's their own getting threatened. In other words, say for example, you go to a chat site where there are predators on it. You report it to the FBI because there are hackers and stalkers on there. They will blatantly ignore it because they don't consider it a priority, yet, if you send an e-mail to one of them threatening their life, over a sudden it becomes a priority and they're all over you like a pig in sh-t.
When it comes to the RIAA and copyright material, don't worry about it. I've been a pioneer to peer to peer programs and have never been caught on tor. There is a lot of gossip that peer to peer networks may leak information, but that's untrue otherwise I would've gotten notices in the mail like I did when I was testing tor with cable. I was getting them without tor and wasn't getting them with tor. The thing that everyone doesn't know is that when the RIAA began bringing people to court, they had to give back 9 billion dollars because they were illegally hacking computers and claiming people were illegally downloading when they weren't. That was in 2005, after that, the RIAA was scared to death of bringing someone to court in fear of the speculation from the court of them planting copyright material in someones computer for the sake of getting $250,000 from someone. The criminal mind is that it's easier to gain the profit back by falsely accusing someone that way they can gain the money back from what they lost from it. There are people who may say don't encourage copyright "Theft," in reality, the entertainment industry is worth about $90 billion dollars a year. They aren't going bankrupt.
I have a question, why are
I have a question, why are you asking about changing your i.p. if you're on this site knowing about tor?
Can I change the entry node
Can I change the entry node without restarting TBB? How to know which entry node I'm using?
I don't think you can change
I don't think you can change the entry node without restarting Tor Browser or having a different controller accessing it. Your circuit is visible in the alpha version of Tor Browser. We are currently testing this feature.
I want to know if I update
I want to know if I update the TBB needs to delete the folder and sub folders of TBB? Then extract the TBB to somewhere.
If you are using Tor
If you are using Tor Browser's own internal updater you don't have to do anything yourself.
What if I'm not using
What if I'm not using internal updater?
Does the internal updater
Does the internal updater automatically verify the update?
Verifying a signature
Verifying a signature embedded into the update just landed in the alpha series. Thus, this is not available in the stable series yet.
If GFW blocking meek...
If GFW blocking meek...
Hello, how secure is the
Hello, how secure is the included updater in 4.0.2? Does NSA has the capability to tamper with updates using this mechanism?
It's hard to say anything
It's hard to say anything about NSA's capacity but the updater is quite secure we think. It is getting even more secure with signed updates which is currently tested in the alpha series.
How secure can the internal
How secure can the internal updater be when it apparently doesn't even attempt to verify the update?
As secure as you can get it
As secure as you can get it with pinned certificates. See: https://vbdvexcmqi.oedi.net/blog/tor-browser-40-released for the details.
In the Tor Browser 4.0
In the Tor Browser 4.0 release announcement https://vbdvexcmqi.oedi.net/blog/tor-browser-40-released mikeperry wrote: "Please also be aware that the security of the updater depends on the specific CA that issued the decvnxytmk.oedi.net HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures."
So i'd like to know if now is safe to update TBB 4.0.x through the Help / "about browser" menu option or not yet.
Signed update files have not
Signed update files have not landed in the stable series yet. We are starting to test that feature in the alpha currently.
How can we examine the
How can we examine the fingerprints of the CA in this case?
Which case are you talking
Which case are you talking about? The things we pinned in the stable series are visible via about:config. Have a look at app.update.certs.1.*
I am seriously not trying to
I am seriously not trying to troll here, but:
What is the deal with the binaries not giving the same checksum as when we compile Tor ourselves from source? (Honest question and honest concern).
Someone might have tampered
Someone might have tampered with the binary you are downloading or the binary you are compiling yourself. Have a look at Mike Perry's and Seth Schoen's reproducible builds talk at the 31C3 for the issue.
hello The religious dictator
hello
The religious dictator regime In Iran Tortured and imprisoned the Bloggers.
The religious dictator regime In Iran is One of the greatest enemies of the Internet.
I'm a blogger And I'm blogging with security(with Tor).
Iran is a prison For journalists, freedom and Dissidents.
thank you.
>The religious dictator
>The religious dictator regime In Iran Tortured and imprisoned the Bloggers... Iran is a prison For journalists, freedom and Dissidents.
Josh Wolf says hi.
> The religious dictator regime In Iran is One of the greatest enemies of the Internet.
Did you mean to say NSA?
The NSA does things, which
The NSA does things, which can have positive and negative effects. They make it harder to be anonymous. But in Iran, you can die just for saying the government is stupid.
Good response.
Good response.
you should use tails
you should use tails
Dictators will be
Dictators will be toppled.
Freedom close.
Great! I have an idea for
Great! I have an idea for the Tor project, instead of making data go through 3 Tor relays, make data go through 6 Tor relays. That would make Tor impossible to be hacked by anyone.
Have a look at
Have a look at https://decvnxytmk.oedi.net/docs/faq.html.en#ChoosePathLength
Can you imagine how much
Can you imagine how much slower that would make using Tor?
The Tor network has a large
The Tor network has a large surplus of middle relays, so adding an additional middle relay would not necessarily take network capacity away from other users.
The extra time would consist of a) the additional latency of going through an additional relay and b) the chance of choosing an additional middle relay that has the lowest available bandwidth of each relay in the circuit.
The length should be four
The length should be four relays (at a minimum). That would place (at least) a two-relay onion route between either the entry relay or exit relay and any network observer (at one link) along the path. As it is with third-generation onion routing, the fixed three relay length allows the middle relay to know the IP addresses of both the entry and exit relays (as well as the timing information) of every circuit it serves as a middle relay for.
Since onion routing does not protect against an adversary that can see both endpoints of the onion route, no observer should know the physical locations of both endpoints, let alone so easily and with certainty.
Please see the paper "A Peel of Onion" by Paul Syverson at https://www.acsac.org/2011/program/keynotes/syverson.pdf section 4 for some of the rationale behind the circuit length design choices for each of the three generations of onion routing.
Has Erinn changed gpg keys?
Has Erinn changed gpg keys? I got a "bad signature" output when verifying tbb 4.0.3. Additionally, I noticed in archive.torproject.org that the asc files for this latest release have a different "last modified" date than that of the corresponding bundle. That isn't usually the case is it? Should I be worried?
As always, thank you Tor Project.
As long as the signature is
As long as the signature is properly verified you should not worry. Which bundle did you try to verify?
I tried to verify tbb 4.0.3
I tried to verify tbb 4.0.3 en_us.exe.
I've never had a "bad signature" output before. tbb4.0.2 and tbb4.0.0, wich i still have, produce the expected output, as do a couple of other applications that I verified today.
Thanks again.
Nevermind, it was a
Nevermind, it was a corrupted, somewhat smaller executable. I downloaded again, this time with no problems, and verified it. No problem. I feel a bit stupid, now.
Anyway, thanks.
Τhis is actually happening
Τhis is actually happening to me too! I keep getting:
gpg: Signature made Di 13 Jan 2015 20:10:16 CET using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "
I don't think it's a corrupted d/l, I redownloaded tor-browser-linux64-4.0.3_en-US.tar.xz three times.. Creepy.
Am I supposed to download my
Am I supposed to download my GPG through the tor browser?
Danke. But we waited almost
Danke.
But we waited almost 2 months for this?
I have windows 8.1 and its
I have windows 8.1 and its telling me my PC can't run this app, any solution or just a bug?
I think the problem is that
I think the problem is that we don't sign the installer properly. See: https://bugs.torproject.org/12678 for the problem. We are working on a solution: https://bugs.torproject.org/3861. I hope to get that fixed if not for the next release then for the one coming after it.
What type of processor do
What type of processor do you have? If it's ARM, you're not going to be able to run any modern browser other than IE. Windows on ARM doesn't provide the APIs they need for fast processing of Javascript including the internal Javascript the Browser is based on.
I keep getting: An error
I keep getting:
An error occurred during a connection to decvnxytmk.oedi.net. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. (Error code: ssl_error_inappropriate_fallback_alert)
I'm using TBB 4.0.2.
This has been happening occasionally for the past several weeks, IIRC ever since POODLE. Clearing history, switching to new exit node, etc doesn't fix it. Waiting a couple days usually does fix it.
Is anybody else getting this, or is it just me?
Interesting. I've never seen
Interesting. I've never seen this happening with Tor Browser. Does this only occur while connecting to decvnxytmk.oedi.net?
Yes, I currently get
Yes, I currently get ssl_error_inappropriate_fallback_alert only for decvnxytmk.oedi.net. I still get it today (January 16), and it always fails (changing exit node doesn't help). I don't get it for vbdvexcmqi.oedi.net. IIRC I got it once for duckduckgo.com a few weeks ago, but never again. DDG works fine now.
I'm using Tor 0.2.4.24 configured as a transparent proxy on a separate gateway machine (so a browser exploit can't reveal my IP address), and TBB 4.0.2 (instead of regular FF, so I'll look like other TBB users) set to transparent proxy mode (i.e. doesn't use TBB's built-in Tor).
I don't know if my split configuration is the problem, but it works fine (and has for years) everywhere else, including with TLS; only decvnxytmk.oedi.net is currently failing.
OS is Debian 7 stable, with Linux 3.2, both for the gateway (running Tor) and for the client machine (running the browser).
More info: enabling 4.0.2's
More info: enabling 4.0.2's built-in Tor (so now I'm using Tor over Tor; extremely slow) solves the problem.
But my split configuration should not be causing the problem I'm seeing. And the problem only occurs for decvnxytmk.oedi.net, not for vbdvexcmqi.oedi.net or gitweb.torproject.org or any other site.
Tor 0.2.4.24 (on my transparent proxy) isn't the latest, but that shouldn't have any effect on a browser's use of TLS.
Updating my transparent
Updating my transparent proxy to 0.2.5.10 didn't help.
Set your TBB to transparent proxy mode, put it behind a transparent (i.e. intercepting) 0.2.5.10 proxy, and I think you'll see the problem I'm seeing.
But after updating Tor to
But after updating Tor to 0.2.5.10 AND updating TBB to 4.0.3, the problem is gone.
I have no idea why.
Hi. Thanks for all the
Hi.
Thanks for all the work.
I just updated, and now the icon in my task bar for Tor Browser is the stock Firefox icon. Any chance of switching it back in future releases?
I know it seems simple, but since I (and many people) use Tor Browser and Firefox concurrently, having different icons is a quick and easy way we can check to make sure we're using the right browser.
I'd hate for someone (especially beginners) to compromise our anonymity over something so rudimentary.
As a note to beginners who may read this, it's likely preferable to only have one browser window open, to avoid getting confused.
I wish I could use tor browser 100% of the time. For several reasons, that's not currently practical.
Thanks again,
me
How did that happen? You
How did that happen? You upgraded Tor Browser while having Firefox open? On Windows or an other OS?
Trying to think back, it is
Trying to think back, it is quite possible that I had firefox (clearnet) open while installing the new tor browser. It actually looks like it's now back to the tor browser icon.
It a certain linux distro, and it appears that after a reboot it's back to normal now. I don't know a lot about programming, but I guess since it appears to be back to normal it was some time of quirk. I had posted my comment under the assumption that it was a widespread "issue." Sorry if I posted hastily.
It does present a question, though.
Icons are harmless, but is it actually possible to have a vulnerability during installation if the firefox process is running? If not an active attack, then "just" the computer having bugs.
Next time I'll probably just shut down firefox to be safe, but it proves how tricky secure computing can really be.
Thanks again!
the auto-updater worked like
the auto-updater worked like a charm - thank you!
Let's hope there isn't an
Let's hope there isn't an attacker somewhere saying the same...
Hopefully this comment get's
Hopefully this comment get's posted. I have tried making a comment before but it didn't get posted(it was not an abusive or offensive or racist comment, it was a question about something to do with non exit Tor relays).
My question is, how do I tell if my non exit Tor relay is an entry relay, or a middle relay? I would prefer to be a middle relay(the relay which passes the data onto the exit relay).
How can we force Tor 4.0.3
How can we force Tor 4.0.3 to always present the "Download an External File Type?" dialog when we right click a link and "Save Link As"?
Some file types seem to bypass this dialog and take you straight to naming the file.
Does anyone have an insight
Does anyone have an insight on how we reset this feature for specific file types?
4.0.3 has a bug. The Tor
4.0.3 has a bug.
The Tor browser crashes every time I use it.
Please create a 4.0.4 as soon as possible to fix this bug.
Also has anyone noticed that when you download Tor your connection to the Download Tor page really isn't encrypted?
Right click somewhere on the Download Tor page, and click on properties, and you will see that the connection is Not Encrypted.
Because the Download Tor page isn't encrypted, that means that an attacker can modify your download and eavesdrop on the page.
How can I reproduce the
How can I reproduce the crash? 4.0.2 worked for you? Why do you think the page is not encrypted?
I also get random crashes
I also get random crashes since 4.0 or so. I'm on XP for what's it worth. Did you ditch XP-support for good?
I know it's virtually impossible to reproduce random crashes, but it would be great if something could be done about this. Is it a Firefox-issue?
So far the best solution for me is still Privoxy and the Expert Bundle. Works like a charm.
"I'm on XP for what's it
"I'm on XP for what's it worth."
It's worth a lot to an attacker, I would imagine...
are you saying that because
are you saying that because the certificate doesn't provide ownership information?
Hello i from china Tor here
Hello i from china
Tor here blocked
connections to public tor relays blocked
how do i circumnavigate this?
I think meek is your best
I think meek is your best bet.
With TOR 4.0.2 I had the
With TOR 4.0.2 I had the same guard node for a few days (which is how I assume it should be).
I have just downloaded 4.0.3.
Checking with Vidalia, it gave me one guard node for half an hour – call it Guard A (not the same one as under 4.0.2). Then it changed to another one (Guard B). I have just started TOR again and it has gone back to the previous guard A. But, under 'connections' on Vidalia Guard B is showing as well.
This does not seem right.
Any comments please?
What has Vidalia to do with
What has Vidalia to do with Tor 4.0.3? There is no Vidalia we ship anymore. It is long outdated and not maintained anymore. And changing guard nodes might happen, e.g. if the one you wanted to use is not available at the moment.
GK I use Vidalia to see
GK
I use Vidalia to see which three nodes make up my connection.
If you know of another way to see my entry, middle and exit nodes I would be very grateful - as, I am sure, many other users would be.
Thanks
Test the alpha bundles, it
Test the alpha bundles, it contains a circuit display behind the green Torbutton onion.
"[Vidalia] It is long
"[Vidalia] It is long outdated and not maintained anymore."
So why does Tails still use it?
Why no one answer this
Why no one answer this question? Maybe NSA like "not maintained" Vidalia.
maybe in frequently
maybe in frequently upgrading soft easier insert backdoors?
You would do best asking the
You would do best asking the Tails people this question.
I assume it's because they're still working on getting Tor Browser integrated.
Excelent
Excelent
I know how to transfer my
I know how to transfer my bookmarks to a new version.
What is the best way to transfer additional about:config settings and installed Add-ons with their partially extensive configurations?
Perhaps the internal updater
Perhaps the internal updater is your answer. Didn't check if it keeps extensions and settings but I know it keeps the bookmarks.
Manually, you have to copy your extension files (xpi) or folders into the new profile, you could also create a user.js file in the profile.default folder to enforce your settings at each browser launch. So you would copy the user.js file and the extensions into a new profile after each update.
ever since updating to 4.0.3
ever since updating to 4.0.3 the desktop shortcut wont launch. It doesnt even make an attempt to load Tor. Any Help and or Suggestions?
Im currently running Ubuntu 14.04
cravenraven89@gmail.com
Tor Browser is not shipping
Tor Browser is not shipping any desktop shortcut. So, not sure what is going on on your system.
usually there is a folder
usually there is a folder with the broswer icon in it. Don't remove it from the folder, needs those files to work. I'm guessing you moved it to your desktop manually, out of the folder?
Try and see what happens.
the folder names may have
the folder names may have changed.
if you go into tor browser folder, and see the shortcut to start tor browser, make a shortcut to that, and put the new shortcut on your desktop.
How to Change the country IP
How to Change the country IP of the browser?
Base Ip? you can get New
Base Ip?
you can get New bridges or click on New Identity to Restart Tor Browser
cant open the tor download,
cant open the tor download, on windows 8.1." It says NSIS error installer integrity check has failed. contact installers author for a new copy" I have tried redownloading multple times. Any idea what this means?
Your download got corrupted
Your download got corrupted somehow. The installer checks if everything is expected and ready for installation but detects some changes.
I have the same problem,
I have the same problem, download from everywhere, even from tor website, but stil not working. please help!
PLEASE help.I haven't a clue
PLEASE help.I haven't a clue what's going on.
Try downloading TBB with a mozilla browser(.zip - version) on Windows 7.
File is downloading but saving is BLOCKED, the download tab in the browser
says.
When i RENAME the file for saving, e.g. .txt insted .exe, it WORKS. ???
I am absolutely clueless.
Defender only as AV and Ad-blocker count is 0.
Some idea?
I've gotta ask. I've been
I've gotta ask.
I've been using tor almost ever since it began for communication purposes. I'm still around so yes, it is efficacious - good to see spell-check functional again lol - but now it's time to step up our activities.
Can I use it on the regular internet for making commentary? All non-tor sites - 'cepting this 'un, of course - require a functioning javascript for interaction.
Can our repressive regime, after compelling the isp/media owner to surrender data relating to this activity trace my genuine ip address or does the false ip securely block any and all further enquiries? I'm very much aware that tor net requires javascript to be disabled.
I'd hate to experiment and then find m'self back in goal. lol
Thanks in advance...
There is the possibility of
There is the possibility of traffic correlation in extreme (?) cases. There is always the risk of zero-day exploits.
I would recommend using multiple layers of security such as: firewall, anti-exploit, anti-logger applications, VPN(s), virtual machines such as Whonix or Qubes + Whonix, a local DNS proxy with wildcard support (like Acrylic DNS) and an ip blocker such as PeerBlock to gain control over (unwanted) connections.
But if you go the extremely secure Qubes + Whonix route, much of this stuff would be unnecessary.
Zero day exploits, hmmmm? It
Zero day exploits, hmmmm? It don't appear if I gonna be compromised either on tor or the regular www.
Thanks for response. I'll look into the rest.
Anyone else ever notice how
Anyone else ever notice how shortly after a new release of TBB occurs when just as suddenly there's a new release of NoScript available?
Really makes you think...
There's a new release of
There's a new release of noscript every two days or something -- the guy makes his money by putting out frequent new releases and having all his users load his page, with ads in it, on each update.
First of all i would like to
First of all i would like to say thanks to the torproject team
for all work and effort you guys put into keeping people safe.
not sure if this is a bug, but tor 4.0.3 has been out for 4 days now
but i haven't got any notice about that in the tor browser.
i think that several days is a bit slow update to notifi people
that there is a new version aviable.
would really appreciate if this could be fixed so that we get the
updates right away. thanks in advence.
Do you mean you got no
Do you mean you got no notice by the updater or no flashing onion icon? What does the version in the upper right corner say if you start Tor Browser?
considering that this is a
considering that this is a project with opensource help, then all questions about whether anyone has the ability to compromise your browser bundle or the ones about identity - we don't know who is who, anywhere.
That said, and unfortunately, it's probably a good assumption that the NSA/whoever, are also áiding' with the coding, helping them to input backdoors for themselves?
It's what i think, how the final bundle is assessed is never disclosed, so hopefully the Tor Dev Team are more towards the non-compromised view than allowing some.
Sorry it's very early, i'm tired - thanks for all your hard work guys! Keep it up.
Well, we do know all of the
Well, we do know all of the people who actually commit code to Tor components.
If you think "open source" means "we merge patches from strangers on the Internet without looking at them", then you're doing it wrong. :)
(Tor Browser is a tough case here though, because Firefox is enormous and has their own process for deciding who can merge patches.)
The iphone App "Onion
The iphone App "Onion Browser" uses Tor- but is its oversight run by the Tor project?
Was it updated with Tor's most recent update? If it does not belong to Tor do you have a recommendation how one would connect to the internet most securely from a mobile device? Many thanks.
The Onion Browser has
The Onion Browser has nothing to do with the Tor Project. Securing your mobile device is rather tricky. You might want to start from Mike Perry's blog post: https://vbdvexcmqi.oedi.net/blog/mission-impossible-hardening-android-s…
What about alpha version?
What about alpha version? Does it get no love?! (Or is it not needed to update?)
The update just went live.
The update just went live.
The old version of TOR
The old version of TOR worked great. This one doesn´t work at all or loads a page in 10+ minutes. Haven´t had any issues with TOR in years.
The NoScript context menu
The NoScript context menu isn't workng properly in the new (linux) release. It shows no options apart from general allow/ban globally even after changing the settings in the appearance tab of the options menu. Tried resetting after changing said options and tried to fix it in about:config to no avail. Any suggestions for a temporary fix until this bug is worked out? (I lack the time to register to file a ticket on the bug tracker)
We are not responsible for
We are not responsible for the NoScript code. You might want to contact Giorgio Maone about that issue. That said if it worked in the past having the NoScript version that introduced the bug would be a helpful information.
For me checking 'Permanent
For me checking 'Permanent "Allow" commands in private windows' under Options helped.
Otherwise some options are not supposed to be available in private browsing mode.
I had similar problems on
I had similar problems on Windows, all that was showing up was Temporally allow all this page even though I had the options ticked to show Allow, I reset all the permissions in NoScript then I updated NoScript to version 2.6.9.11, re-imported my previously saved whitelist and it now works.
Why does Tor send data
Why does Tor send data through 3 relays?
Why not 6 relays? Wouldn't that be more secure?
Although if that were the case using Tor would be a lot slower.
The relevant concern from "A
The relevant concern from "A Peel of Onion" by Paul Syverson:
"...in general, with two-hop circuits a compromised entry or exit would immediately know for each connection through it the single other point to attack to reveal the entire route. If the adversary has resources that can be readily mobilized for attacking at some of the nodes in the network when needed, two-hop circuits would make his job much easier than three-hop circuits, for which he would need to simply be lucky in knowing where to strike and when, or would need to keep his resources persistently mobilized everywhere."
I would argue that in a world where Internet connection data is retained, sometimes by legal mandate, that legal authorities monitoring middle relays are in a position to trivially query that data from both the entry and exit relays. The only thing to stop them would be if one of those relays were operating within an uncooperative regime.
Hi, what does it mean by
Hi,
what does it mean by permanent "Allow" commands in the command in private window???
You are allowing that
You are allowing that particular site not only in the Private Browsing Mode but the permission will still be there if you are leaving it.
GK Since 'Private browsing
GK
Since 'Private browsing mode' is the Tor browser default, does this not mean that you are always allowing scripts?
This sounds ridiculous and so I may have got it all wrong, but could you please clarify this point for us all?
Thank you
Having private browsing mode
Having private browsing mode enabled is orthogonal to having scripts enabled. Both things are independent from each other.
What about RC4, why not
What about RC4, why not disable it by default?
RC4 is broken in real time by the #NSA - stop using it.
Jacob Appelbaum
https://twitter.com/ioerror/status/398059565947699200
And yes i know some servers use RC4 as fallback, but is it worth it? I just don't think so.
I am using a Mac 10.6.8
I am using a Mac 10.6.8 32-bit system and I am glad that I can still use Tor Browser 4.0.3. But as far as I know the end will come soon. Is an exact date already fixed?
No, as soon as the 4.5
No, as soon as the 4.5 series will be the next stable one.
Tor does work more or less
Tor does work more or less on Windows 7(with often 100 % CPU usage),crashes and very slow on Windows XP,does not start at all on certain popular Linuxes I have tried.For me Tor 4 is almost useless,I have to use 3.6.6 and sick and tired of the "update needed" exclamation mark.Terrible modern programming...
If you could give us steps
If you could give us steps of reproducing your issues we might be able to fix them assuming they are caused by Tor Browser.
Still using Windows XP for
Still using Windows XP for any networking (e.g., the Internet)?
Seriously?
Tor 4.0.3 works normally on
Tor 4.0.3 works normally on Debian 7.8,Altlinux Starter Kits.
On older distros like Mint 16 or Centos 6.3 there are problems
(errors) when I extract tar.xz.If I extract it in Mint 16 only
terminal and tar -xfJz works.In Centos 6.3 extraction in terminal fails.
As far as Windows XP users concerned I advise to disable Web Client service.
After that you can use Tor 4.0.3 with only very rare crashes.
Windows XP SP3 behind a firewall is as safe as Windows 7 and Linux or safer than Linux(with firewalls too).
First of all, you're
First of all, you're probably having trouble with Tor Browser, not tor itself. Second, "certain popular Linuxes" doesn't really help troubleshooters; be specific. In fact, give the error in detail. The Windows XP error might not have anything to do with WinXP but the hardware. Does normal Firefox run on it well?
Dude, There's a tweak to
Dude, There's a tweak to keep XPsp3 updated well into June 2019.
https://www.google.co.za/search?client=firefox-a&hs=fP9&rls=org.mozilla…
Note: I reformatted an' reinstalled XP in Jan 2014 to ensure a "clean" system. I've been using this tweak on XP auto updates since June 2014 with zero issues.
So why not keep using it? I
So why not keep using it? I do. Don't upgrade if there are no problems. And yes I believe winxp(x64) os is fine for many purposes. Just have some structural security in your local network.
For both Windows and Tor
For both Windows and Tor Browser, you're opening yourself up to known security flaws with using unsupported versions. DON'T use an outdated browser! You shouldn't use Windows XP for anything that connects to the internet (unless you're still on corporate support. If you don't know what that means, you're not.) In general, it's a bad idea that can lead to an attacker easily compromising your computer. In terms of maintaining anonymity, it makes it impossible; an attacker can compromise your system and easily gain access to your identity before doing whatever else they want. Yes, there are ways to mitigate some of these attacks, but by and large the mitigations are complicated solutions the average user isn't going to want to try.
Agreed.
Agreed.
This is not a complaint but
This is not a complaint but rather a suggestion. I get fed up keep having to redo all my settings every time there is a new TOR version. Main reason is because of all the crap that Mozilla carries with it such as unwanted search engines, google links in about:config, https settings that I am still puzzled about, changing the Mozilla home page and suchlike. Could the developers not create a really stripped down version for those of us who do not want bells and whistles, but just a basic secure browser?
You don't have to redo all
You don't have to redo all your settings with each new Tor Browser version. Download it once, configure it as you please and just use the internal updater. It won't touch your modifications (if so, then this is a bug that needs to get fixed).
My point is why do you still
My point is why do you still retain the automatic google links that firefox browser has. This alone is a security issue let alone all the other things such as 'network.http.sendRefererHeader ' and other settings which can be disabled?
TOR may be great but there still remains the need for a basic version stripped of every potential security leak that firefox creates.
Not sure what you meant with
Not sure what you meant with security leak but I guess you find at least some answers in our design documentation: https://decvnxytmk.oedi.net/projects/torbrowser/design/
I guess this sounds weird, I
I guess this sounds weird, I felt weird too. When I installed the new 4.0.3, I installed it in a new folder instead of the default folder which will overwrite my 4.0.2. After I installed 4.0.3, I ran it and went to bridge setting, to my surprise, it didn't show obfs3, instead there is a line under "enter custom bridges", this surprised me, I do not understand how did it come? feels like all my connections will go through that "I am not aware of" relay, which means it captures all my connection information. Can someone help to give me some information how could this happen? thanks.
Hi, what does it mean by
Hi,
what does it mean by permanent "Allow" commands in the command in private window???
IS THIS SAFE?
You'll have to provide some
You'll have to provide some more context before anybody can guess what you're talking about.
The test of
The test of http://ip-check.info/ with "Allow Script Globally" on NoScript says Local storage is enabled and should be disabled.
It recommends to open about:config and set dom.storage.enabled to "false".
Is this recommended or not? Thanks.
"ip-check.info"? Last I
"ip-check.info"?
Last I checked, site was a plain, unencrypted, unauthenticated http; not httpS SSL/TLS.
That means when you visit the site, you are at the mercy of your exit node, which can tamper with and manipulate the content.
And yet people continue to take this "ip-check.info" seriously?
Am I missing something here?
True. But it is still the
True. But it is still the best test for Tor-browser-anonymity. When you are unsure, then don't turn off your script settings.
i believe the question was
i believe the question was "Is this recommended or not?" but not about personal opinion to believe or not. and no need to check when it was clearly typed http://...
Why does the Tor Browser
Why does the Tor Browser included with Tails not have all the pluggable transports offered in the non-Tails Tor Browser?
Would love to know the
Would love to know the reasoning behind this epic fail
I downloaded Tor on it's own
I downloaded Tor on it's own and I use Tor with Google Chrome, is that safe?
No,
No, https://decvnxytmk.oedi.net/docs/faq.html.en#TBBOtherBrowser
No.
No.
No. Use the Tor browser.
No. Use the Tor browser.
and do not forget to do much
and do not forget to do much handwork to disable google, rc4, useragent, js etc.
Update on this attack from
Update on this attack from 2014: https://vbdvexcmqi.oedi.net/blog/tor-security-advisory-relay-early-traf…
https://nakedsecurity.sophos.com/2015/01/23/silk-road-2-0-deputy-arrest…
"A 6-month infiltration of Tor
According to Larson's search warrant, the Silk Road 2.0 investigation has been based on a six-month infiltration attack launched against Tor, the anonymizing service that kept Silk Road 2.0 users anonymous.
From January 2014 to July 2014, agents managed to get what Larson described as "reliable" IP addresses for Tor and for services hidden behind its layers, including Silk Road 2.0. That included its main marketplace URL, its vendor URL, and its forum URL.
Agents used this data to track down Silk Road 2.0's servers, which resulted in the site's takedown in November 2014.
The data was also used to identify another 17 black markets hidden on Tor. Larson didn't give details on these other Tor-hidden markets."
Please share
Re Mozilla corp. It's about
Re Mozilla corp. It's about time they were investigated as to how they can afford to give the whole world a free browser without ads paying them. Who pays I wonder? Yet TOR is based on this flawed browser?
$earch engine referral
$earch engine referral revenue. Same for all major browsers.
This is no secret.
And, yes, the fact that
And, yes, the fact that Mozilla makes their money* from the likes of Google and Yahoo, should warrant wariness about any claims made concerning "protecting your privacy", etc.
(*enough to pay pretty generous salaries to their top-cats, like most "non-profits")
Why is active mixed content
Why is active mixed content not blocked in Tor Browser when it is the default setting in Firefox.
https://developer.mozilla.org/en-US/docs/Security/MixedContent
https://bugs.torproject.org/8
https://bugs.torproject.org/8774 has some arguments and https://bugs.torproject.org/9196#comment:5, too.
Tor is still has security
Tor is still has security problems, big ones.
I’ve noticed since using Vidalia to see all my connections, that the first connection is always the same one, even if the second and exit IPs change. Even if I log off for days, when I connect again, it always uses the same first IP as before. The only way to change this is to delete the whole installation, and reinstall again, which is a big pain.
If it were not for Vidalia, I would not be able to see this problem, and this problem has been around for about a year now. This never used to happen prior to that time with other versions, and is the same regardless of the PC I use, or which ‘updated’ installation I use.
Has anyone else seen this if they use Vidalia to see which connection is first? No matter how many new IP exits are made, the first connection remains the same, unless I delete the installation, and re-install, then there is a new one, but again, this new one locks again, and never changes, so the problem remains.
This surely must be a major security fault if you always get the same first connection? Are Tor developers even aware of this issue or do they not see it because not many people use Vidalia to see all their connections?
I've also re-installed Vidalia, and it does not influence the first IP, so it is not the problem, the problem is with Tor. Is there a log file that I can delete each session to erase any logs of the first IP?
This is a feature and not a
This is a feature and not a bug as it prevents or makes some nasty attacks harder. See: https://decvnxytmk.oedi.net/docs/faq.html.en#EntryGuards
Problem loading page on
Problem loading page on 99,9% of the time.
Should be renamed to Crap Network.
sth. strange... i
sth. strange...
i downloaded, verified(ok) and extracted 4.0.3.
the last-modified-date of the newly created folder is 01/01/2000, same with "start-tor-browser"-file, whereas the "browser"-folder has got the actual date...
does it mean the dl is corrupted-although verification was ok???
You're probably
You're probably fine:
https://decvnxytmk.oedi.net/docs/faq#Timestamps
hi is chat step safe with
hi is chat step safe with tor?i tried chat step with tor but i cannot join or create a room bcz the buttons are unresponsive.
also i get a untrustworthy site message .
Regarding all the problems
Regarding all the problems with Firefox I wanted to suggest you to move to Pale Moon as a base (www.palemoon.org).
Pale Moon is a more conservative, stripped down, security concerned Firefox fork finely tuned for performance and without the much hated Australis UI. The developers already made a lot of tweaks you are doing to Firefox to make browsing more secure (and even some you don't - for example http://forum.palemoon.org/viewtopic.php?f=24&t=6262), so you could forget about re-doing them yourself and concentrate more on other aspects. They base their browser on older and thoroughly tested versions of Firefox, but still integrate last FF security fixes themselves.
There is a Windows and a Linux version available - both have 32 and 64bit optimized variants but dropped Windows XP support. There is also an ARM processor variant which will continue to support Windows XP and works also on all later versions of Windows, so you could just use this one to cover it all! And there is an Android version too!
Is there anything I'm missing in terms of this not being a suitable browser for Tor?
I would also like to ask you if it is OK to use HTTP nowhere add-on with Tor Browser and the reason you don't include it by default? Same question goes for http://convergence.io.
I have heard that allowing
I have heard that allowing Frames (about config: Browser. Frames. Enabled true) is a threat to anonymity.
Is this true?
I am sure that we would all welsome your thoughts.
Thanks for all you work.
If you are using Tor Browser
If you are using Tor Browser then this is false I think.
I need to use Twitter and it
I need to use Twitter and it is necessary to enable Javascript. Will this compromise my Tor 4.0.3 Anonymity?
Many Tor Browser users have
Many Tor Browser users have JavaScript enabled and are doing fine.
There are no known ways currently to use JavaScript to deanonymize you. It does increase the surface area (exposing more security vulnerabilities in the browser), but things like image rendering are bad news there too, and we don't hear about people trying to turn those off.
https://decvnxytmk.oedi.net/docs/faq#TBBJavaScriptEnabled
OK, I also use a 256
OK, I also use a 256 encryption VPN and then open Tor. Does this increase protect and can a VPN of this type be hacked?
I'm pretty sure Tor Browser
I'm pretty sure Tor Browser users are uniquely identifiable!
I found this bugtracker https://trac.torproject.org/projects/tor/ticket/11949 where developers say it's by design, but to me it seems a pretty bad leak...
The fingerprinting test http://fingerprint.pet-portal.eu knows it's me every time, even if I click on New Identity! And after restarting the browser or even reinstalling it's still me! So as the OP says it looks like my PC is uniquely identifiable even through Tor Browser.
Developers say Tor users are supposed to look the same, but this test shows exactly the opposite! If I run the test on another machine the test generates a different identifier, which of course again persists even when reinstalling Tor Browser. So PC1 has always one identifier and PC2 always the second!
I invite anybody who doesn't believe this to take the test and compare the identifier. Mine is c7ddf2f2639f4af5df92105cadef88d9, is yours the same? Please post your results if possible.
I don't know how the hash is
I don't know how the hash is getting generated. They collect the IP address they say.. So, if it goes into the hash as well it is not surprising that you get a different one after you clicked "New Identity" or tested on a different computer.
And no, making Tor Browser users ideally uniform leaks nothing besides the fact that they are using a Tor exit relay which is public information anyway.
The hash is being generated
The hash is being generated according to the fingerprint the browser leaks. Clicking on the "Details" tab gives you an overview of what info did they get from you (tests I ran on other similar pages got even some more info).
Apparently I got misunderstood. Actually I wanted to expose the fact, that I DON'T get a different hash, even if I click on New Identity (so the hash doesn't take the IP in consideration at all). And even after restarting the browser or reinstalling Tor Browser it's still me, meaning I get the same hash - let's say hash1. That would be OK if I got the same hash using the same browser on another PC, but no there I get a different hash - let's say hash2, which is again always the same no matter what I do. This way the testing page always knows which PC I'm on. I didn't change any other settings or installed any plug-in/add-on in neither of browsers, so I suspect it's something hardware related.
Maybe I don't understand something, but I still think Tor Browser users should always get the same hash, no matter what PC they are on.
why was this file added to
why was this file added to tor "terminateprocess-buffer.exe*32*? I noticed in task manager when deleted it closes tor browser, it takes forever now to go on websites.
Hello, I would like to setup
Hello,
I would like to setup Tor Browser 4.0.3 to pick an IP address in France. It was easy to do with vidalia, but I don't know how to proceed with the new tor. Could someone help?
Best
I thought Tor got taken and
I thought Tor got taken and was not safe anymore, is it safe?
"Taken"? No, it sounds like
"Taken"? No, it sounds like you've been reading bad media articles.
You might enjoy watching our 31c3 video ("state of the onion") from this past December.