Tor Browser 4.5-alpha-1 is released

by mikeperry | November 18, 2014

The first alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time. The Security Slider is also present in this release, and can be configured from the green Tor onion's Preferences menu, under the Privacy and Security settings tab. It also features HTTPS certificate pinning for selected sites (including our updater), which was backported from Firefox 32.
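The circuit isolation described above rests on the changelog's Bug 3455 entries: every request made on behalf of one URL-bar domain carries the same SOCKS username and password, and Tor's `IsolateSOCKSAuth` behaviour (on by default for a SocksPort) never shares a circuit between streams whose credentials differ. The Python model below is an added example, not Torbutton's or Tor's code; the class names, the nonce scheme, the `--no-first-party--` bucket and the sample hostnames are assumptions.

```python
"""Added example: per-site circuit isolation via SOCKS5 username/password auth."""
import secrets

SOCKS_VERSION = 0x05
METHOD_USERPASS = 0x02      # RFC 1928 method id: username/password
AUTH_VERSION = 0x01         # RFC 1929 sub-negotiation version
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03          # proxy resolves the name, so no local DNS lookup


def socks5_greeting():
    """Client hello that offers only username/password authentication."""
    return bytes([SOCKS_VERSION, 1, METHOD_USERPASS])


def socks5_auth(username, password):
    """RFC 1929 request: VER | ULEN | UNAME | PLEN | PASSWD."""
    user, pwd = username.encode("utf-8"), password.encode("utf-8")
    for label, field in (("username", user), ("password", pwd)):
        if not 1 <= len(field) <= 255:   # each length is a single byte
            raise ValueError(f"{label} must be 1..255 bytes, got {len(field)}")
    return bytes([AUTH_VERSION, len(user)]) + user + bytes([len(pwd)]) + pwd


def parse_socks5_auth(packet):
    """Proxy side: parse an RFC 1929 request, rejecting truncated or padded input."""
    if len(packet) < 2 or packet[0] != AUTH_VERSION:
        raise ValueError("not an RFC 1929 request")
    ulen = packet[1]
    if len(packet) < 3 + ulen:
        raise ValueError("truncated username")
    plen = packet[2 + ulen]
    if len(packet) != 3 + ulen + plen:
        raise ValueError("truncated password or trailing bytes")
    return packet[2:2 + ulen], packet[3 + ulen:]


def socks5_connect(host, port):
    """CONNECT by hostname: VER | CMD | RSV | ATYP | LEN | NAME | PORT."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return head + name + port.to_bytes(2, "big")


class DomainIsolator:
    """Browser side: credentials depend only on the URL-bar host (assumption)."""

    def __init__(self):
        self._nonce = secrets.token_hex(8)

    def new_identity(self):
        """Rotate the nonce so every site moves to credentials never used before."""
        self._nonce = secrets.token_hex(8)

    def credentials(self, url_bar_host):
        # Hypothetical bucket name for pages that have no host (e.g. about:blank).
        user = url_bar_host.strip().lower().rstrip(".") or "--no-first-party--"
        return user, self._nonce

    def handshake(self, url_bar_host, dest_host, dest_port=443):
        """Bytes the client sends for one request, in order."""
        user, pwd = self.credentials(url_bar_host)
        return [socks5_greeting(), socks5_auth(user, pwd),
                socks5_connect(dest_host, dest_port)]


class CircuitPool:
    """Proxy side, simplified: one circuit id per distinct credential pair."""

    def __init__(self):
        self._by_creds = {}

    def circuit_for(self, auth_packet):
        creds = parse_socks5_auth(auth_packet)
        return self._by_creds.setdefault(creds, len(self._by_creds) + 1)


def demo():
    """Constructed traffic: (URL-bar host, host actually fetched)."""
    iso, pool = DomainIsolator(), CircuitPool()
    traffic = [
        ("check.torproject.org", "check.torproject.org"),
        ("check.torproject.org", "cdn.example.net"),    # third-party content
        ("atlas.torproject.org", "atlas.torproject.org"),
        ("atlas.torproject.org", "cdn.example.net"),    # same CDN, other site
    ]
    seen = {}
    for url_bar_host, dest in traffic:
        _greeting, auth, _connect = iso.handshake(url_bar_host, dest)
        seen[(url_bar_host, dest)] = pool.circuit_for(auth)
    return seen


if __name__ == "__main__":
    print(demo())
```

The third-party fetch to `cdn.example.net` lands on a different circuit depending on which site embedded it, so the CDN cannot link the two tabs by exit relay.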

This release also features a rewrite of the obfs3 pluggable transport, and the introduction of the new obfs4 transport. Please test these transports and report any issues!

Note to Mac users: As part of our planned end-of-life for 32-bit Mac support, the Mac edition of this release is 64-bit only. This also means that the updater will not work for Mac users on the alpha series release channel for this release. Once you transition to this 64-bit release, the updater should function correctly.

Here is the complete changelog since 4.0.1:

  • All Platforms
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13019: Make JS engine use English locale if a pref is set by Torbutton
    • Bug 13301: Prevent extensions incompatibility error after upgrades
    • Bug 13460: Fix MSVC compilation issue
    • Bug 13504: Remove stale bridges from default bridge set
    • Bug 13742: Fix domain isolation for content cache and disk-enabled browsing mode
    • Update Tor to 0.2.6.1-alpha
    • Update NoScript to 2.6.9.3
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 12903: Include obfs4proxy pluggable transport
    • Update Torbutton to 1.8.1.1
      • Bug 9387: Provide a "Security Slider" for vulnerability surface reduction
      • Bug 13019: Synchronize locale spoofing pref with our Firefox patch
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
      • Bug 13651: Prevent circuit-status related UI hang.
      • Bug 13666: Various circuit status UI fixes
      • Bug 13742+13751: Remove cache isolation code in favor of direct C++ patch
      • Bug 13746: Properly update third party isolation pref if disabled from UI
  • Windows
    • Bug 13443: Re-enable DirectShow; fix crash with mingw patch.
    • Bug 13558: Fix crash on Windows XP during download folder changing
    • Bug 13091: Make app name "Tor Browser" instead of "Tor"
    • Bug 13594: Fix update failure for Windows XP users
  • Mac
    • Bug 10138: Switch to 64bit builds for MacOS

Comments

Please note that the comment area below has been archived.

November 17, 2014

This release features a circuit status reporting UI (visible on the green Tor onion button menu), as well as isolation for circuit use. All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time.

I'm curious. How does/will this work when using a system-wide tor instance for the Tor Browser instead of TorLauncher?

November 19, 2014

In reply to gk

Will the TorButton preferences have settings for the control port and password at some point?

November 17, 2014

Is it safer to use Tor browser 4.5-alpha-1 than to use Tor browser 4.0.1?
Also when I go to the Download Tor page, I right click on my mouse and I click on "properties", and this is what it tells me,
Protocol: HyperText Transfer Protocol with Privacy
Type: Chrome HTML Document
Connection: Not Encrypted
Zone: Internet | Protected Mode: On
Address: Unknown
(URL)
Size: Not Available
So my point is, is there an encryption problem with the Tor browser download page?

Where are you clicking? I don't get a "Properties" menu entry. And I'd suggest using 4.0.1, as the alpha contains new stuff which is not so well tested yet and might break in interesting ways...

November 18, 2014

Hi,
Info about Torbutton config is hard to find; however, can I set extensions.torbutton.debug to 'false' in Tails, or is that a problem? Setting extensions.torbutton.loglevel to 4 or 5 would be really nice, too?
Searching for details about Torbutton config is like searching for Windows source code (-:

November 18, 2014

Great news.
If one uses Torsocks (or TorBirdy for example) while running this version of TBB, which circuit will be used? Will the last one be the "default one", or will the first one stay the "default one" until it rotates 10 minutes later?

Come to think of it, I will try this myself :P But would like to hear from you what is the "best option". Maybe Tor could use a "main circuit" for the proxy setup and just create new ones for the tabs and windows the user opens...

November 18, 2014

    $ curl -O https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha-1/sha256sums.txt
    $ curl -O https://archive.torproject.org/tor-package-archive/torbrowser/4.5-alpha-1/sha256sums.txt.asc
    $ gpg --verify sha256sums.txt.asc
    gpg: Signature made Fri Nov 14 14:53:44 2014 PST using RSA key ID D2F1E186
    gpg: BAD signature from "Mike Perry (Regular use key) <mikeperry@fscked.org>" [unknown]
    $ openssl sha -sha256 -r sha256sums.txt*
    37f6fe5f4de2d891e94b0b4c9d6c5b5190c5f80f00ecf32a83604f6140084667 *sha256sums.txt
    3c3343ecdbba31256872e7545aa66971986c7ecf03d759a48da9099ee5209eaf *sha256sums.txt.asc
    $ du -b sha256sums.txt*
    13128 sha256sums.txt
    801 sha256sums.txt.asc
    $

gk

November 19, 2014

In reply to by Anonymous (not verified)

I seem not to be able to fix that right now. Please use the -gk.asc and/or -mikeperry.asc as a temporary workaround.

November 18, 2014

Great work!

However, I would really suggest adding a text window that pops up when the slider is moved to give a short explanation of what each setting does, such as "disables JavaScript and cookies" or whatever.

Without that info I know I was left thinking "well, how do I know what level I want if I don't have a clue about what each level does?"

I will open a ticket for this feature request, unless it's already planned?

On second thought, there seems to be lots of space next to the four slider setting terms (low, med-low, med-high, and high), maybe add a short description of each setting next to the setting on the slider?

Also, wouldn't these be better, in that they're a more accurate description of security?
Weak (default)
Medium-Weak
Medium-Strong
Strong

Yes, there are some tooltips/help buttons planned explaining things. Whether "weak"/"strong" are better here I don't know. I think using "low"/"high" if one describes a certain level might be good (enough).

November 19, 2014

In reply to gk

Yes, I agree, given you're going to explain what they mean. Cheers.

November 18, 2014

On Windows 7 this release seems MUCH faster to surf the 'net than previous releases. Page load times are very noticeably reduced! :) (using the highest security setting)

Was this intended? Or am I just the only one using Tor right now so that's why it's so fast?! :)

Stop telling lies! Another fool that doesn't read the research paper. Look at this: "Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4%"
"the real-world experiments" is equal to "the actual wilds of the Tor network"? Are you kidding?
https://vbdvexcmqi.oedi.net/blog/traffic-correlation-using-netflows
Hi
I am here to clarify all misconceptions myself. Firstly, they have blown it a bit out of proportion by saying "81% of Tor traffic", which is not true. It was only 81.4% of our experiments, and we have spoken about this upfront in our paper. Secondly, it's only a case of experimental validation and the challenges involved in it that is the highlight of the paper. In my thesis I have also tried to address how to solve this particular attack, which might work for other attacks as well...
Regards
Sambuddho

No, it's true. Just ask your net admin - he can show you that there are several orders of traffic amount difference in established connections for Tor users compared to other short-lived connections, without reference to an entry guard address. And who says silly words about 100% accuracy in court decisions?

November 18, 2014

My system crashed and shut down when I ran the obfs4 transport!!!
Also, my antivirus acted (Bitdefender).

Hmm, that's odd. The code doesn't do anything all that special, and I know that it works on Windows (tested on Win 8.1 64 bit/Win 7 32 bit). It certainly shouldn't be able to bring your whole system down since it's an extremely straightforward piece of software.

Anything special about your setup? What version of Windows is it? On what architecture?

As far as the antivirus goes, it's probably a false positive. Complain to your AV vendor.

November 18, 2014

In reply to yawning

Win 7 Ultimate 32 bit.
Of course, as I said, only when I run obfs4.
There are no problems when I connect directly or via bridges.
Can ISPs figure out when we connect to Tor? If yes, how can we prevent it? By using a VPN or Open DNS (changing DNS)?

I wonder, does anyone know anything about the security of Cyberghost VPN, Sumrand VPN, etc.? Are they really encrypted?

Also, about the Open DNS software: is it useful?

An encrypted and safe VPN can be helpful!
But not in all countries.
For example: if you use an encrypted and strong VPN in Iran, it is only safe for the first use!
Once the ISP is informed of the user connecting to the VPN, it creates a fake local server (or host name) with the same name, so the user is connected to the fake server from the second connection on...

Indeed, in a country like Iran, the most secure VPN is only safe for the first time! Not at all.

November 18, 2014

- NoScript
NoScript Default : "Scripts Globally Allowed (dangerous)"

When you put this off (as you should) it will be set back to "Scripts Globally Allowed (dangerous)" every time you open a new tab or window.

Do we now have to disallow this every time we open a new tab or window, instead of maybe allow once in a while?

- Page info ... Security (Media, Feeds) ... still missing

It is 64 bit indeed ..

You can take advantage of the new security slider: click on the green onion -> Preferences... -> Privacy and Security Settings and change the value to "High". This disables JavaScript and a bunch of other things (see: https://trac.torproject.org/projects/tor/ticket/9387#comment:43 for the details) and is saved across New Identity/Restart. That said it might make sense to save custom settings this way as well. Should be available in the next release.

November 19, 2014

In reply to gk

Thank you, I did find out the influence of the new slider function on NoScript after my posting.
Nice / Good function that deserves the attention.

But please also consider changing at least one NoScript pre-setting under "medium High".
One cannot consider the "Scripts Globally Allowed (dangerous)" activated as 'Security' (my opinion, you can discuss about it) but especially not associate it with High security settings (Medium High).

Deactivated under both 'High-labeled' settings would also be more balanced (2 times activated under Low, 2 times deactivated High).

Compliments for the new Torbutton function showing the connection path with countries (saves a lot of time searching for trusted exit node countries; I do not understand the need for entry nodes in the Torbrowser user's own country, and maybe even direct neighbor countries as well)!
Hopefully that internetroute function can be activated with a blank starting page as well, so people can judge a connection before they visit a website (now you have to visit an 'excuse' page first).

I did try to import the new Torbutton in the 4.0.1 browser, did succeed a bit but did not get the wanted extra internet connection path window working.
Would it be an idea to make this Torbutton version available for non-alpha users right away as well?
I hope so.

Thank you for answering my questions
Best regards

November 18, 2014

My TOR browser keeps crashing; it shows a message saying, You are unable to connect to the TOR network. It is happening to me almost every time I try to use my TOR browser. Can someone please tell me why my Tor browser 4.0.1 is crashing so often?

November 18, 2014

I'd like to have an option for not closing the browser window upon changing identity.
There is already a preference "extensions.torbutton.close_newnym" for this in about:config, but it doesn't work because a "return" statement is missing after the preference test in chrome/content/torbutton.js:

    function torbutton_close_on_toggle(mode, newnym) {
      // [...]
      if (newnym) {
        if (!close_newnym) {
          torbutton_log(3, "Not closing tabs");
          // no "return;" here, so execution falls through and the tabs are closed anyway
        }
      } else if ((mode && !close_nontor) || (!mode && !close_tor)) {
        torbutton_log(3, "Not closing tabs");
        return;
      }
      // [...]
    }

November 19, 2014

In reply to gk

Thanks, but I just wanted to report this issue and a possible fix anonymously, without having to open a bugtracker account.

November 18, 2014

Tried to create a bug report, but that needs an account, so I'm posting it here.

NoScript is always reset to allow all on startup. To reproduce:
- Download linux64 4.5-alpha-1 tor bundle and open
- Run addons update to get NoScript 2.6.9.4
- Turn off scripts globally allowed
- Close and reopen browser
* Scripts will again be globally allowed

I get why it's initially enabled, but I'm really hoping this is a bug. Thanks.

See my reply above. Yes, this may indeed be a bug. We should save custom settings as well or better: we should not fall back to the currently selected security slider mode.

Here's the anon account access (as guest):

user: cypherpunks
pass: writecode

(To Tor folks: it's probably a good idea to make this guest pass wider known?...)

November 19, 2014

Hello and thank you so much for all the work on TBB and other associated projects.

I'm using Win 7 32 bit (don't laugh)

I always test my TBB using the ip-check.info site from JonDo to make sure all my settings haven't changed every time I open it to browse the web.

My 4.0.1 stable release only has 5 sections which are orange and therefore medium safe for tracking purposes:

Cookies
HTTP session
Referer
Do-not-track
Browser Window

I've just downloaded and successfully verified the new 4.5-alpha-1 TBB and everything on the ip-check.info site is the same except for one new area which went from green 'protected' (good) to angry red (danger):

Authentication

"This allows 3rd party tracking using HTTP authentication headers"

Is this a problem or should I not worry too much about it?

I'm so used to having all my sections green and orange, it would be a shame to lose that calming effect.

Loving the new TOR Circuit data btw, thank you whoever did that. :)

November 19, 2014

In reply to gk

Thank you.

November 19, 2014

@ "...and different websites should use different circuits, even when viewed at the same time..."

Unfortunately, they do not! 6tabs w/ diff sites open, but only 2 diff circuits for 6 of them. This would be a great feature, if it actually works.

November 19, 2014

Can anyone explain about MAC addresses:

I have heard Iran's cyber police do not need IP addresses. They figure out and nab offenders by system MAC addresses (or modem MAC addresses). Is it true? If yes, I'm curious to know how??

November 19, 2014

Sigh, it still doesn't work; a double proxy is required. China Unicom network in Hubei, China.
Oops, meek-amazon/azure cannot work here, in China...

November 24, 2014

In reply to dcf

MEEK doesn't work with Windows 7 OS, but it could work reluctantly under GNU/Linux, e.g. Ubuntu. BTW, here's Hubei, in P.R. China

November 19, 2014

New identity "Tor circuit for this site" function error ?

When you visit the page " https://check.torproject.org/ "
and follow the link "Atlas" to the page
https://atlas.torproject.org/#details/(a-Fingerprint-number-follows)
you will see the ip address as well as the country of the exit node.

Comparing the country and ip address of the 3rd 'station' before the 'internet' in the new Torbutton pane under "Identity" gives totally different results when compared to the results given on the Atlas page! (tested several times).

Which one gives the right country location of the exitnode?
And if the Torbutton is not giving the exitnode location in the 3rd 'station' during browsing, why not?
It seems to me that the exit node country location information is what users want to see.

How do we know for sure that the new Torbutton pane is giving the right data?

The exit node you are seeing in the Torbutton pane is an exit node from ONE of Tor's (multiple) circuits but not necessarily the exit node you are exiting from; if you want to know your REAL exit node it would be best to use an IP checking service and just ignore whatever the Torbutton browser panel is saying.

it would be best to use an IP checking service

No I don't think so.
Some popular IP checking services often give very different (or no) geo location/country results compared to the Atlas results.
This experience is based on comparisons using Torbrowser 3.5 /3.6 versions and do not have anything to do with the new Torbutton function in Torbrowser 4.5.
I tended to believe the Atlas results.

Btw, a visible country flag (or country code top-level domain extension like Us, Ca, Aq) of the exit node next to the Torbutton and NoScript button would be even more awesome.

Thanks for answering anyway

A lot of IP checking services do give the (local) time but are unable to check the (system) time unless javascript is enabled.

The behavior you are seeing makes perfect sense. The circuit is made dependent on the domain in the URL bar. Thus, first the domain is check.torproject.org and the fingerprint you find in the link to atlas is for the exit relay used for this domain. Now you go to atlas.torproject.org which is a different domain. Atlas shows the exit relay you used to visit check.torproject.org but if you look at the circuit UI while being on atlas.torproject.org you see the circuit used for reaching atlas.torproject.org which is very likely a different one.

November 20, 2014

In reply to gk

I see ;), checked and it works indeed very well.
Thanks for the answer.

November 19, 2014

I'm getting this error on Mac OS "A copy of Firefox is already open. Only one copy of Firefox can be open at a time." even though FireFox is closed. I restarted my computer and still got the same error.

Some thoughts on this Mac (only?) problem

Sounds familiar, I think it could be the result of wrong file permissions on files and folders.
Although the security-concept of "Read only" permissions on files is an attracting idea, it is not working on all the files in your Torbrowser application.

What you could do: just check the permissions on this folder (and some of its enclosed items) within your Torbrowser.app (ctrl-click on the app and choose "Show package contents").

- "TorBrowser" (directory within the Torbrowser.app)
Path: TorBrowser.app/TorBrowser/

When the user permissions on this folder and enclosed items are all set to "Read only" (select the folder and open the info pane with keys "cmd" "i") you will get the same FF warning while trying to start your Torbrowser.
At least one user in the permissions list (the .. local user/owner user, not "wheel" or "everyone") should have "Read & Write" permissions (when changing permissions, in this case also use the "Apply to enclosed items" option on that "Torbrowser" folder).

I don't know if this permission issue is directly related to your problem and if it's solving it. For me it did the trick.
But when it does, could it be that you did put your Torbrowser in a folder somewhere, set the permissions on read only for that folder while using the option "Apply to enclosed items"?
Then all the items within the enclosed application will get the "Read only" status as well and that won't work because Torbrowser has 'swallowed' a whole read & write directory with a lot of browser files you usually find in your local library, mozilla browser directory like (path) ~/Library/Application\ Support/Firefox.
These files change (at least some) while using your browser and therefore the permissions do need to have the status read and write.
Another possibility, from my experience is when you duplicate an already installed Torbrowser.app it sometimes will be (± 1 mb) smaller (files missing in the Torbrowser folder) and also not working.

In the end I think a reinstall of your Torbrowser app would be a better option than changing the read and write permissions within your app (but I could not resist to share some thoughts about this issue).

.. One last thing, Warning!
If you are experimenting with file permissions on your Mac ..
Be really really really careful with that, especially with the "Apply to enclosed items" option, extra especially with important (system)folders. Doing this on system directories or maybe on a whole hard disk can get you in deep trouble which will cost you a lot of work to get things working again, if so (disk utility won't help you with that, make sure you have at least a recent trustworthy back up of everything to replace the unfortunate results of too much experiment enthusiasm).

Good luck

November 19, 2014

"circuit status reporting UI (visible on the green Tor onion button menu)". Doesn't work with Tor bridges; tried obfs3, obfs4, scramblesuit. No circuit status UI comes up!!!!

November 19, 2014

The Tor circuit status UI is not working in Bridge mode. The following have been tested: obfs3, obfs4, scramblesuit

November 20, 2014

Is it feasible to add support for more flexible proxy configuration with PAC scripts to Torbutton? Currently Torbutton only knows manual proxy setting (network.proxy.type 1) or direct connection (network.proxy.type 0) for transparent torification, but not network.proxy.type 2 for automatic proxy configuration with a PAC script (network.proxy.autoconfig_url with file:///... URL pointing to a local script).

With this feature and an appropriate PAC script it would be possible to connect to the open web and onion sites via Tor SOCKS and to other "darknets" via other proxies, e.g. connect to .i2p domains via the HTTP proxy port of the local I2P relay.

November 20, 2014

None of meek, obfs3, obfs4 and scramblesuit work in Iran.
Indeed, Tor works only directly and by using custom bridges.

Hmm, that's interesting. Lacking a vantage point in there to test things for myself, it's sort of hard to look into this further, though I'm surprised that they allow connections to the DirAuths and public relays, but explicitly block the default bridges and a bunch of cloud providers.

I assume if you obtain obfs3, obfs4 and ScrambleSuit bridges from BridgeDB that they work?

November 20, 2014

Good news: The obfs4 bridge can work normally in China.
Bad news: Where is the circuit status reporting UI? I can't find it anywhere! (TBB 4.5.1a zh-cn windows version)
And I still can't edit certs in TBB. Please fix it as soon as possible.

November 20, 2014

"All content elements for a website will use a single circuit, and different websites should use different circuits, even when viewed at the same time."

From a general point of view, without being privy to the Tor protocol details, it occurs to me that recent changes like only one entry guard and the aforementioned single circuit per website reduce complexity for an observer. Indeed I would have wished for this as an observer: With fewer elements involved and a clear separation of streams per site there is less doubt about who does what and correlation appears much easier to me.

Is there an objective analysis backing these design decisions? Because for me they are counterintuitive.

Exactly! Mixing circuits is like a built-in fuzzer! Now I understand it may be necessary for the implementation of the circuit status reporting.... but what exactly will that do? Hopefully it will be worth the tradeoff. And even more importantly, hopefully Tor soon implements some channel masking measures to thwart traffic correlation attacks.

November 20, 2014

I downloaded the mac version and when I tried to open it it gave me error "firefox is still running, close firefox..." even though firefox was not running.

November 20, 2014

Does the per-site circuit isolation also isolate cookies, in-memory cache objects, etc.?

Cookies: Obvious concern.

Cache: Evercookie-style tracking via last-modified, etag, etc. using appropriate HTTP headers (If-Modified-Since/If-None-Match). Perfect for linking sessions loaded with "Like/Tweet/+1" buttons, and other assorted evil web bugs.

Local storage: (Does Tor Browser even allow this at all? It shouldn't.)

Separate questions:

* Do Security Slider's higher settings disable remotely-loaded webfonts? (CUT YOUR ATTACK SURFACE, always disable these when you disable script! Font rendering code is complicated, and often ignored from a security perspective; it has been subject of exploits before. Obviously, disabling HTML5 fonts while permitting script would be stupid, and allow some fingerprinting.)

* Do Security Slider's higher settings disable HTML5 audio/video, or at least make them require user action to play? (Same issue, codecs are complicated beasts...)

Thanks!

No, the per-site circuit isolation has no influence on the cookie/cache etc. isolation. We are already binding e.g. the cache to the URL bar domain. Have a look at https://decvnxytmk.oedi.net/projects/torbrowser/design/#identifier-linka… for where we are now in this regard.

For the security slider related questions see:
https://bugs.torproject.org/9387#comment:43 Disabling MathML and SVG is still missing; all the other things should be implemented accordingly.

November 20, 2014

A bug? If the open tab is shut using the X the whole browser closes. This did not happen on the 3 series TOR. If you clicked on the tab to close it a new tab opened.

November 21, 2014

How should I get obfs3 bridges for Tails?
Why does Tor Browser on Tails not support obfs3??!!!

Which one do you recommend?

Using my own Windows and Tor Browser 4.5-alpha-1? (Of course with changing MAC address)

or

Tails operating system??

I am not able to configure bridges on Tails! It connects directly

-"how should i get obf3 bridges for Tails?"
Copy-paste them from bridges.torproject.org to a .txt file and move them to a USB/flash stick, and when you boot Tails and are asked for bridges, copy-paste the ones on the USB/flash stick

-" why Tor Browser on tails does not support obf3 ??!!!"
It does support obfs3, it even supports scramblesuit

-"using my own windows and Tor Browser 4.5-alpha-1?(ofcourse with changing mac address) or Tails operating system??"
Tails on a DVD (much better than on USB) is definitely recommended over any other operating system, even Linux. I would have explained the reasons, but there's simply not enough space here for it.

-"i am not able to config bridges on Tails ! it connects directly "
That's because you have to choose "more options" after you boot it; then a new window will appear. At the bottom of this long window there's a box that begins with "my connection is censored..."; click it and then click login. After you connect to a wifi connection it will ask you about bridges.

Thanks so much! It now works fine.
But when I verify tails.iso this message appears: Bas signal

Does it mean I should re-download the ISO image???

November 21, 2014

"...Tor Browser 4.5 series...restoring one of the features most missed by users following the removal of the now-defunct Vidalia interface from Tor Browser — the ability to quickly visualize the Tor circuit that the current page is using."
(vbdvexcmqi.oedi.net/blog/tor-weekly-news-—-november-19th-2014)

A Vidalia main feature is 'Close Circuit' -for privacy highlights like US-US-US(-:.
I get this, too?

November 23, 2014

Weird connection issue.

I noticed that after several 'new identity' reloads that if I then checked the 'tor circuit for this site' charts, the first hop was always 173.255.249.222 which seems to be a location in the USA. Looking up 'who is' it is not traceable. As I am not in the USA I find this peculiar as I thought the whole route was changed if the browser was reloaded. Incidentally I reloaded it about 20 times to check and used http://ipcim.com/hu/ to check.

November 25, 2014

In reply to arma

"It depends on the malware. Disabling javascript is not a cure-all. Many attacks on browsers rely on javascript, but also many don't rely on it."
I just want to know if it can still download and run a virus/rat/rootkit/etc... can it?

November 25, 2014

"Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs "
I can't find this UI anywhere! (Yes, I clicked the tor button and still nothing)

November 25, 2014

I wanted to open the following ticket, but then I saw the "Register" button. So I'm just going to write it here:
Mention TAILS and OrBot in about:tor

November 25, 2014

The "Reset To Browser" in safe boot modus is still breaking the Torbrowser by throwing away the "profile.default" folder and replacing it with another having exotic names like this "3uizc0hnh.default-49752159205" (changed it a bit, don't know if its some kind of a code? It also looks like a nice, more unique, fingerprint).

After reset, Torbrowser will not connect to the Tor network anymore and looks like a normal Firefox without internet (still, you can use it as a local html page viewer then, very private and safe ;)

I don't know why you should use the reset function anyway. A fresh clean installation of Torbrowser seems anyhow a better idea to me, it's very easy (be sure that you backup first the necessary bookmarks, if you have, or other changes, if you have, for an easy import in the fresh Torbrowser).

November 25, 2014

I really like the new feature that allows us to see where the used relays are located.

That made me see a security threat - sometimes all three relays are based in the same country or the entry and exit. I think there should be additional code added to make sure this never happens, imagine the chaos when exit and entry node is from the USA and controlled by NSA. Overall the Tor Browser 4.5-alpha-1 is great.

November 28, 2014

Torbutton - Entry Guards & Exitnodes

Would it be an idea to introduce a "New Entry Guard" option beside the "New Identity" option in the Torbutton menu, so people can change easily their (unwanted country) entry guard?

Now you have to reinstall a fresh Torbrowser copy or throw some files away from the app internals to accomplish getting rid of an entry guard you feel not comfortable with.

Regarding the eavesdropping lab experiments news
Would, could it be possible to avoid the possibility that the entry guard and the exit node are the same country?
It happens quite often, even 3 times the same country in the Tor Circuit list.
Avoiding this maybe would make it harder to accomplish eavesdropping by connecting data analysis from entry guards and exitnodes?

See
https://trac.torproject.org/13843
for more discussion on this topic.

The short answer is that you're right that it could help against certain attacks, but it also likely hurts against certain attacks. So it probably isn't wise to expose this sort of thing to users, who will all use whatever their intuition is and end up splintering the anonymity set. The better answer would be to write up the known upsides and known downsides so people can make more informed decisions. See (and help with!) the ticket.

November 29, 2014

Just set up TOR 45-alpha-1. I have a problem with the tabs and wonder if anyone knows a fix? With the older 3 series if you shut down one tab a new one opened automatically so the program stayed open. With this new version if I close the only tab that is open the whole program shuts which is a real annoyance. Anything in the settings that I can change to avoid this?

Win XP pro3

December 01, 2014

I would like to run Torbrowser on read-only media, is this possible? I just extracted the Torbrowser folder to read-only media and tried to run it, but the program broke when it tried to modify read-only files on it. Does Torbrowser work in live mode?

Mike Perry just told me it probably doesn't work and it would be quite some effort to make it work correctly.

So, patches happily accepted! :)

December 03, 2014

In reply to arma

That's what I also wrote in this (long) post

On November 25th, 2014 Anonymous said:

Some thoughts on this Mac (only?) problem ...

It won't work.
Besides, on USB FAT-formatted disks you can't even set file permissions (or am I wrong?). Setting file permissions will work on Mac HFS-formatted USB sticks or disks. But you can't set all the internal app files to read only (see post).

December 02, 2014

Startpage behaviour

People already mentioned Cloudfront is showing unacceptable behavior towards Torbrowser users.
We know Google (if you are using it) lets you fill in CAPTCHAs for simple services as well (quite dualistic behavior when they are part of the meek options in Torbrowser).

Now for a while Startpage has started asking you on a regular basis (a lot of times) to do the same thing, very annoying because you have to refresh the whole connection (there goes another open webpage besides your search) and it seems you sometimes even first have to start a renewed search attempt with another search term too ! (to avoid another captcha message)

Time for a constructive talk with Startpage company about this?
Or switch to another standard more 'legitimate' search engine for the best experience for Torbrowser users?

Their message in this very degrading service experience

Startpage

As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.

Thank you,
The StartPage Team
Please enter the text below to continue using StartPage.

Text in image is case-sensitive.
Having trouble reading the CAPTCHA? Please click here to view a new CAPTCHA.
You may do this as many times as you need.
Time remaining for this CAPTCHA : 02:00

..............

Submit

(I know the Manage Search options, btw)