Tor Browser 5.5.4 is released
Tor Browser 5.5.4 is now available from the Tor Browser Project page and also from our distribution directory.
This release updates Firefox to 38.7.1. Mozilla decided to disable the Graphite library in this release and we are taking the same action: irrespective of the security slider settings, the Graphite library won't be used for rendering fonts in Tor Browser 5.5.4. The Graphite font rendering library was already disabled for users on the security level "High" or "Medium-High".
The full changelog since 5.5.3 is:
Tor Browser 5.5.4 -- March 18 2016
Comments
Please note that the comment area below has been archived.
What's Mosaddegh and MaBishomarim?
It is the name of two obfs4 bridges which are included in the list of default bridges in Tor Browser.
Hail to the great Mossadegh; he showed the people of Iran the path to freedom and independence. He shines like a star in the history of Iran.
Don't make idols, dear friend. Mossadegh, like any other politician, was a human being, full of right and wrong decisions. I suggest that before chanting slogans you also read Dr. Mossadegh's memoirs and the writings of Mehdi Shamshiri and Ali Mirfetros. Thank you.
You mean Prince Mossadegh os-Saltaneh?
The one who dissolved the parliament
The one who declared martial law
The one who freed the killers of the late Kasravi from prison
The one who refused the lawful order of the country's head of state (under the constitution of that time) to hand over the office of prime minister
The leader of the National Front people who brought this calamity upon us
Think a little instead of chanting slogans
The mind is for thinking
Mossadegh was the Persian president (Iran) assassinated to make way for the Shah, supposedly by the British Secret Service and the CIA. The reasons were, supposedly, that he was an independent freedom loving democrat but the West wanted an autocrat it could control. Not much of this is true. But someone had to make a political statement, didn't he?
The next name: Jacobo Arbenz.
" independent freedom loving democrat ... Not much of this is true"
but probably the best possible, then.
Mr. Mossadegh was a nationalist prime minister and believed the benefits of Iranian oil resources should be allocated to Iranians in order to make a prosperous life for his nation, and along with this believed in democratic procedures to govern the community. Owing to these beliefs he opposed the interference of foreigners, especially Great Britain, in our oil industry and eventually triumphed in nationalizing the oil industry, but unfortunately the US and the UK overthrew his legal government and returned the ex-Shah, who had escaped as a consequence of the people's revolution, to the throne. It should be added that Dr. Mossadegh is a beloved character for most Iranians.
"Not much of this is true."
According to you and your "supposed" belief.
Mossadegh was not assassinated. He lived to the ripe old age of 84, happily ensconced on his ancestral estate.
sad to say, but ur theory is all bullshit. the CIA and maybe the British did oust the ruling party, but the CIA certainly did. they did want a puppet they could control. was great for big oil in the US.
There's little doubt about the WEST assassinating Mossadegh to install the SHAH, who was virtually a servant to the CIA and the BSS. I would imagine the KGB was close at hand, considering their prey was a freedom loving democrat.
Should the previous writer have more detailed information, for it to be divulged, might help to burst the bubble which is causing so much havoc in the Middle East.
save
Hi, happy Iranian New Year to all TOR officials who do their best to let us leap thru the barriers created by our molla and semi-molla-driven regime here in Iran and go to blocked sites, which wouldn't have happened if it weren't for your big help. By the way Mossadegh was an Iranian Prime minister overthrown by British and American agents of intelligence of my birth and has to be forgotten to build a better world but it gives our present so-called rulers to drive us to MIDDLE AGES.
I appreciate your favors on part of me, my family, and many many friends known or unknown in Iran with lots of difficulty and reduced speed of the net to communicate with other humans thinking differently from mollas and semi-mollas who have be-theft our so-called revolution of 1979 and 80s for a better western or libro-democratic way of governing. We are at the bottom of a big ditch dug by ourselves.
BYE>
Posts like yours make me even happier to be a Tor supporter. Stay safe!
Hey! :) Has ANYBODY from America ever just said that WE...as a PEOPLE>>>KNOW that YOU GUYS...the real people, the ones that see and live all of this...are held as hostages to your situation. WE...as a PEOPLE...although glad that we don't suffer your circumstance...realize that on any given day, should you fall into peril in front of us, the real American...You would be swarmed with love and help and understanding so fast it would make a King's EYES twirl in its head. WE...ALL OF US...ARE THE PEOPLE! :)
I KNOW that the very same would happen should I ever need your help. This is the comfort that will allow us to carry on, but never fail to let others run what you inherently know to be right...weigh all with the measures of the multitude, do the math, and then spring from your heart to cause the change. Don't try it alone. There is more than one way to skin a CAT! Take heart, and good luck over there. The universe is watching US! :) TOMMY TUNES...FLORIDA USA
MaBishomarim is Farsi (Persian) for "We are without number".
this tor could be a back door for the military
The Tor icon is gone on Windows 7
The Tor icon in the top left corner of your Tor Browser? Does it also happen with a new install of Tor Browser?
The icon at the bottom, but it works now thanks
strange combination windows and Tor
I second this.
linux with tor is better combination
Bro
Cheers.... Tor forever!!.. =]
... just to add... wish there was a way to encrypt bookmarks, like a bookmark locker - password protected ... would be nice.
youporn
Thank you for that thoughtful and insightful comment. Your contribution to this blog is much appreciated.
cool
great software and constantly kept up to date by a small dedicated group of folk who are passionate about privacy and security on the WWW.
We all appreciate your hard work !!!
For the first time yesterday, as I was reading Twitter while using Tor & Ghostery, an advertisement appeared on Twitter that should have been blocked. Hopefully this Tor update will stop this happening again.
Tor Browser does not include any ad filter by default:
https://decvnxytmk.oedi.net/projects/torbrowser/design/#philosophy
Tor Browser in Tails has Adblock Plus as an extension.
Doh! I think it's far way better "ublock origin".
https://github.com/gorhill/uBlock
Maybe. Ghostery is a no-no because it is non-free potential malware. (Check out the license)
Yeah, and in doing so they give Tails users a different fingerprint from non-Tails Tor Browser users.
1. most sites use javascript in some manner, to put ads on a web page.
2. unless the javascript domain is whitelisted, those ads are usually blocked by noscript extension.
3. So, I think you should check if you have twitter in noscript > options > whitelist (tab)
4. if you allow javascript on twitter, then check that untrusted menu while on a twitter page. And if you rely on ghostery, check the ghostery settings?
Noscript Untrusted domains menu:
(A search found screen capture on http://www.addictivetips.com/internet-tips/noscript-provides-enhanced-s…)
I use the noscript button to access untrusted list. This screen capture shows the list by using firefox orange thing menu?
http://cloud.addictivetips.com/wp-content/uploads/2011/11/context-menu-…
you can see that many domains have not yet been marked untrusted.
I trend toward restricting javascript. So i don't know if I would need to allow javascript on addictivetips.com, but if I did allow addictivetips.com, I would untrust all others in that screen capture list.
Using Tor Browser with Ghostery is likely to make you fingerprintable; depending on your settings in Ghostery you might present a unique fingerprint. Depending on your threat model, this can be a bad thing.
Sorry - I appreciate TOR - But last month all Web pages display squares instead of symbols
This does not happen on other browsers -
I tried everything - update programs, cleaning the computer - Nothing
I do not know what to do
Any solution?
birdland.birdland@laposte.net
Where does this happen? On which operating system? Which browser locale are you using?
I am unable to access https://vbdvexcmqi.oedi.net/archive it responds with forbidden.
I am using a Mac OS 10.10.5
Really, confirmed. Maybe an unused link? There must be something though, because it responds with 403, not 404.
It doesn't work on windows os or tails or android for some time.
I'm guessing this is referring to symbols getting replaced with the unicode number in a square if you have font downloads disabled with a high security level.
thank for all help to person .
1. This is not related to language? (search shows that la poste is french)
2. http://www.utf8-chartable.de/unicode-utf8-table.pl?utf8=oct&unicodeinht… scroll down to less common characters, such as ¶ and to þ and to ×
Does TBB show the character in the second column?
I am guessing...
that should have been:
scroll down to less common characters, such as ¶ and to þ and to ×
Works for me. However, https://trac.torproject.org/projects/tor/ticket/18364 has things that do not work.
Klass!
When you click on the archives tab from the home screen it responds with Forbidden.
What do you mean?
hi gk, he/she is referring to https://vbdvexcmqi.oedi.net/archive as it was mentioned some paragraphs above...
keep up the great work!
"ARCHIVES" link at the top of this blog always returns "Forbidden."
This is confusing to many and some fixes/clarification will be needed.
This link (the archives tab at the top of the blog) returns 403: https://vbdvexcmqi.oedi.net/archive
Maybe some users are clicking here hoping to download updates?!
Same happens to me using OS X 10.6.8. Just letting you know it's not a one-off problem.
Comment is about violet colored "tabs" near the top of https://vbdvexcmqi.oedi.net/ ("home page"). Link is https://vbdvexcmqi.oedi.net/archive
The same observation as
https://vbdvexcmqi.oedi.net/blog/tor-browser-554-released#comment-164363
a web search found longer https://vbdvexcmqi.oedi.net/archive... link, which also comes back as 403
https://vbdvexcmqi.oedi.net/archive/all/2013/8/4
very good
A little bit 1/8off-topic but important -- i burst:
Where is Vidalia in new Tails gone?
With Vidalia you has a relay list overview, can stop circuits, edit the torcc(NORMAL Guard security! NO bridge).
Now you get nearly nothing -WTF- they call it Onion Circuits.
Why they do it? Security without PRACTICALITY is really great sh*T -sorry, it's true. More than true.
As a normal user you have no right to say in a matter?
And in https://labs.riseup.net/code/projects/tails/roadmap
they talk to oneself only..... . Great ..... -a lot of nothing you don't need.
Please bring the practicality of Vidalia back.
If you -Tails developers- won't, describe why and why no practical replacement.
With Linux i hope it's not like talking to microsoft, lol.
Or is using tor controller software like Vidalia being in a super secret nerd society?
Hello torproject can you help Tails users?
This is about Tor Browser. Vidalia atm is discontinued/unmaintained. For Tails: https://tails.boum.org/
developer = god
there is no democracy.
take it or leave it!
True Democracy is Godly. Many cells, one body, duh...
If you want something politely suggest it or just fork it. That's how you talk to linux.
Awesome release guys, keep rolling.
Vidalia development hasn't been active for years; Tails has been using it despite it being unsupported and deprecated. We have no clue what security related bugs are in there and no one is looking for them. Tails should have dropped it shortly after The Torproject stopped developing it.
You've got no reason to trust the information that the relays supply that you can see through Vidalia. Vidalia has a very nice pretty interface, but it doesn't provide many more features than say, Arm.
If you can't figure out how to edit torcc without assistance, you probably don't know enough to not shoot yourself in the foot with your edits.
Onion Circuits is new software; give it time to age and it may gain the features you desire.
"If you can't figure out how to edit torcc without assistance, you probably don't know enough ... shoot yourself in the foot ...."
It's not helpful in any way to assume only hypothetical things about Tails users.
Please explain how interested Tails users can edit the torcc in an effective and secure way.
Simple editing torcc as root doesn't work?
"give it time to age and it may gain..."
Weeks, years, likely never?
Using tor secure is the main reason to use Tails and Vidalia was a HIGHLIGHT. Arm and his GUI is disabled -too old or usable only for the super secret nerd society?
Anyway, in Tails there is NO SIMPLE proper way to set a STATIC set of Entry Guard / Directory Guards like ALL TBBs do.
THAT'S the real problem. It has nothing to do with setting bridges.
The prompt action of the security/privacy communities and the appreciative responses from the users constantly reminds me that I'm not on my own island of thought and beliefs. I give back in the ways I'm able. It infinitely bugs me there are armies of people trying to dismantle these efforts in return for a government paycheck... so I run a dedicated relay with extremely tight security and poke around the implementations/code to see if I can spot vulnerabilities/weaknesses early. Anything to help hold the hill.
Thanks for doing this and for running a relay!
I only use add-ons bundled with torbrowser, but is it safe to update the addons via the "check for update" option in the extension drop down menu? are man in the middle attacks or other compromises a concern? I notice even with brand new versions of torbrowser, sometimes the addons included are not the latest versions and updates to the add-ons get installed when I do this. Is it not recommended?
Ideally, we would review every change of NoScript and HTTPS-Everywhere before we allow new versions of them in Tor Browser but that is currently not possible engineering-wise. So, updating them over the in-browser update mechanism is currently the recommended way of getting newer versions of them. Yes, compromises are a concern and we are thinking about possible mitigations in this regard.
Answer unclear to me (like other times the question has been asked).
Because there are apparently TWO "in-browser update mechanisms".
For NoScript and HTTPS-Everywhere, are you recommending:
the __extension (add-on) __
"in-browser update mechanism",
that the questioner wants for quicker updates,
or
the __whole-Torbrowser__
"in-browser update mechanism"
that is less frequent but presumably Tor-reviewed a bit.
Thank you.
Currently, the first option should be the one to be used.
thanks for your great work. When TOR for Iphone?
TOR for mobile is a lie....or any OS that is so very willing to collect location data (Windows 10).
With ORBOT for Android, you're given the choice of 'proxy all traffic' with '(recommended)' next to it, or just specific apps. Why don't you want to proxy all traffic though it? Well, google, linkedin, facebook and every other location data hungry apps know where you are, and that you came from a TOR exit node. If you're google they have your Device ID with that location data. The following post had me within 2 meters of my exact location, and my GPS was not on - just cell-tower triangulation.
POST /userlocation/v1/reports/1605150082?devicePrettyName=SAMSUNG-SM-N900A&nlpVersion=2015&osLevel=18&platform=android%2Fsamsung%2Fhlteuc%2Fhlteatt%3A4.3%2FJSS15J%2FN90xxxxxxxJ5%3Auser%2Frelease-keys HTTP/1.1
Content-Type: application/json; charset=utf-8
Accept-Encoding: gzip
X-Goog-Spatula: CjYKFmNvbS5nb29nbGUuYW5kcm9pZC5nbXMaHE9KR0tSVDBIR1pOVStMR2E4RjdHVml6dFY0Zz0SIxxxxxxxxxxxxxxxxxxxxxxxgOw1E/6wkVsdB223JZlCQ94FH9GMWSuLGZuOKdMyCcicielKiY35AB
Authorization: OAuth ya29.fQHM6zZH33xRlsyPX6WI7NJoo7FFNxd52-dJn89bkAq68xMFtxxxxxxxxxxxxxxxxxxxewxBKOiZjy-Lygp7RNjLmxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
User-Agent: unused/0 (hlteatt JSS15J); gzip
Host: www.googleapis.com
Connection: Keep-Alive
Content-Length: 13904
{"batch":{"activityReadings":[{"activities":[{"confidence":85,"type":"still"},{"confidence":15,"type":"inVehicle"}],"readingInfo":{},"timestampMs":1432433587998},{"activities":[{"confidence":100,"type":"still"}],"readingInfo":{},"timestampMs":1432433769103},----------SNIP---------{"description":"stationary","newRequest":false,"samplePeriodMs":1080000,"sampleReason":"stationary","sampleSource":"internal","timestampMs":1432434129998},"timestampMs":1432434129998}],"locationReadings":[{"location":{"approximatelyStationary":true,"horizontalAccuracyMeters":146,"latitudeE7":377144316,"longitudeE7":-xxxxxxxxxx},"longitudeE7":-xxxxxxxxxx},"readingInfo":{"batteryCondition":{"charging":"usb","level":75,"scale":100,"voltage":4056},"source":"wifi","wifiScans":[{"mac":163309631168576,"strength":-48},{"isConnected":true,"mac":66064160513366,"strength":-48,"wifiAuthType":"wpaPsk"},{"mac":172444063773272,"strength":-78},{"mac":172444063773273,"strength":-78},{"mac":172444063773264,"strength":-77},{"mac":273699571546912,"strength":-85},{"mac":66206466797504,"strength":-90},{"mac":163021170350512,"strength":-90},{"mac":35344975904280,"strength":-90},--------SNIP---------
"readingInfo":{"batteryCondition":{"charging":"usb","level":76,"scale":100,"voltage":4060}
iPhone does the same thing. You should man-in-the-middle it sometime.
Thanks for your hard work, love your browser, tor in general and your talks :)
Next time I see you guys I have to buy you a beer (or a mate)!
Mate.
Yes, cool browser.
I've heard rumors that the 2015 FBI Tor Browser attack exploited a font rendering bug.
Was the security slider around to disable web fonts at that time?
Which attack are you talking about? And the security slider got introduced end of April 2015 in Tor Browser 4.5.
Where did you hear those rumors?
Are you referring to the playpen attack?
https://motherboard.vice.com/read/how-the-fbi-identified-suspects-behin…
According to this, the FBI operated the site from February 20 to March 4 in 2015, so this was before the security slider was introduced.
Transport type scramble suit no longer works with this version
Thanks for reporting, the VM with the scramblesuit bridge was down. Should be fixed by now.
scramblesuit is down again March-27
TOR !
GOOD JOB
i'm getting the following when using transport scramblesuit.
19-03-2016, 11:04:52.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
19-03-2016, 11:04:52.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
19-03-2016, 11:04:53.800 [NOTICE] Bootstrapped 5%: Connecting to directory server
19-03-2016, 11:04:53.800 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
19-03-2016, 11:04:54.000 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("Connection refused")
19-03-2016, 11:08:43.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
19-03-2016, 11:08:43.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
19-03-2016, 11:08:43.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
Should be fixed now, thanks.
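The log excerpt in the report above already contains the diagnosis: bootstrap stops at 10% right after the pluggable-transport client fails to reach its endpoint. The following is an added example, not part of the original thread or Tor Project code, that reads the same lines and extracts that conclusion; the verdict names are assumptions made for this illustration.

```javascript
// Added example (not Tor Project code). LOG is the excerpt quoted in the
// comment above; the verdict strings are invented for this illustration.
const LOG = `19-03-2016, 11:04:52.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
19-03-2016, 11:04:52.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
19-03-2016, 11:04:53.800 [NOTICE] Bootstrapped 5%: Connecting to directory server
19-03-2016, 11:04:53.800 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
19-03-2016, 11:04:54.000 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("Connection refused")
19-03-2016, 11:08:43.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
19-03-2016, 11:08:43.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
19-03-2016, 11:08:43.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150`;

// "DD-MM-YYYY, HH:MM:SS.mmm [LEVEL] message", the format shown in the excerpt.
const LINE_RE =
  /^(\d{2})-(\d{2})-(\d{4}), (\d{2}):(\d{2}):(\d{2})\.(\d{3}) \[([A-Z]+)\] (.*)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // skip blank or foreign lines instead of throwing
  const [, dd, mo, yyyy, hh, mi, ss, ms, level, message] = m;
  // The log carries no time zone; only differences between stamps are used.
  const time = Date.UTC(+yyyy, +mo - 1, +dd, +hh, +mi, +ss, +ms);
  return { time, level, message };
}

function diagnose(text) {
  const events = text.split("\n").map(parseLine).filter(Boolean);
  let bootstrap = 0;
  let lastProgressAt = null;
  const failures = [];
  for (const e of events) {
    const boot = /^Bootstrapped (\d+)%/.exec(e.message);
    const fail =
      /^Proxy Client: unable to connect to (\S+) \("([^"]*)"\)/.exec(e.message);
    if (boot) {
      bootstrap = Number(boot[1]);
      lastProgressAt = e.time;
    } else if (fail) {
      failures.push({ target: fail[1], reason: fail[2] });
    }
  }
  // Time between the last bootstrap progress line and the end of the log.
  const lastAt = events.length ? events[events.length - 1].time : null;
  const stalledMs = lastProgressAt === null ? null : lastAt - lastProgressAt;

  let verdict = "no-bootstrap-seen";
  if (bootstrap >= 100) verdict = "ok";
  else if (failures.length > 0) verdict = "transport-endpoint-unreachable";
  else if (lastProgressAt !== null) verdict = "stalled";
  return { bootstrap, failures, stalledMs, verdict, parsed: events.length };
}

console.log(diagnose(LOG));
```

A "Connection refused" from the proxy client points at the bridge side rather than at the local configuration, which matches the replies saying the bridge's VM was down.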
Long time ago youtube videos in TBB stopped playing up to the end. Playing always finished few seconds before the end, so each time I need to reload the page and point to last seconds of video to get them played. Why this is happening? Is there any bugticket on this issue?
Not yet. Do you have an example to test?
Not the original poster, but surely you've noticed that ALL YouTube videos no longer work properly in Tor. This started with 5.5.3.
very good
the bridge is unstable others are ok
live browser!
Tor everywhere
Tor partout
Chinese text is not displayed properly.
Some chinese characters can not display normally.
Do you have an example URL? Which bundle are you using? The zh-CN one?
Maybe this is a minor concern for some TBB users?
Firefox 44 (I think) removed the "Ask me every time" under "Accept cookies from site" on about:preferences#privacy the privacy tab
As a temporary setting, "Ask me every time" is most useful on sites with many "hidden" domains. Ebay may be most notorious for excessive domains, many of which do not need cookies allowed. (ebay is only an example, because i don't think people should do ebay stuff on TBB)
Search easily finds complaints (to mozilla, of course). Maybe mozilla will restore the setting.
TOR + ghostery add ons = very good !!!!
Tor + ghostery = a nightmare for fingerprinting and security.
Ghostery will give you a different fingerprint which, depending on your settings, might be unique. In addition, every addon increases attack surface, so using the fewest addons is optimal. To make matters worse, Ghostery's developers seem to be moving in a problematic direction recently. I might trust them to stop websites from spying on me, but I don't trust them to not spy on me. I used to use it for my non-Tor browsing, but I've moved to other more trustworthy options.
Ghostery is proprietary, which means it cannot be truly secure. Anyone with a serious safety need should avoid it.
GOOD JOB.......THANK YOU
Super
Upgrade the application right away
Tor is most convenient one. Very trusted.
Would the recent font rendering exploits have been averted by having "forbid @font-face" enabled in the embeddings section of Noscript's preferences, even if one's security slider settings were set to low?
It seems like you would need to craft a malicious font and embed it in a page in order to exploit font rendering bugs, and "forbid @font-face" prevents this, right? Shouldn't it also prevent other potential font related exploits, whether to do with rendering or not?
Very good
Is Privoxy already inside the Tor Bundle? Or, should be downloaded separate/manually to get even better privacy?
http://netforbeginners.about.com/od/internet101/f/anonymous_surf.htm
No, it is not included in Tor Browser, but it is not needed. Adding privoxy might also make your fingerprint more unique as most users do not do this.
Why does this site give you two IP addresses? One that is yours? And another one that is a proxy? Doesn't make sense.
https://www.proofpoint.com/sites/default/files/documents/bnt_download/p…
Snowden files : NSA can crack almost any Encryption including Tor anonymity network
https://thehackernews.com/2013/09/NSA-can-crack-TOR-Encryptio-Snowden-f…
ALL HARDWARE HAS BACKDOORS ALL DEVICES HAVE BACKDOORS AND TOR IS NOT REALLY THE PROBLEM EVEN THOUGH IT HAS BEEN CRACKED BY THE NSA BUT ITS THE DEVICES YOU ARE USING THAT IS ALSO THE PROBLEM.
WE ARE ALL DOOMED!
thanks for the info
So very true (the part where your caps lock key got stuck at least).
Don't forget the advances in quantum computers. In about 5-10 years max imho at least the NSA and Google will be able to decrypt all captured and stored traffic regardless of the used encryption (except maybe for quantum resistant curves) or the ever so hailed forward secrecy.
It's sufficient to watch only 2 talks of the last CCC (the one about quantum computers and Joanna's talk) to come to the "we really are doomed, aren't we?" conclusion.
Just my 2 cents.
actually, according to trusted USG inside sources, and Glenn Greenwald, Edward Snowden, and Wikileaks, the NSA have only been proven to have full, 100% permanent transparent backdoors installed, and completely broken encryption to the highest known degrees of sophistication, in cases where users host specific errors in keyboard functionality - namely impaired caps lock integration (aka 'shouting')
Everyone else is safe
TBB changes its size very subtly, is it a hidden fingerprinting feature???
I use an add-on called "Browsizer" to keep a track on the window size, when I install TBB and when starting first time TBB is according to this addon 1008x1025, but when TBB is restarted it changes its size and becomes 1008x1029.
My question, do these 4 extra pixels tell I am using a certain OS, so if I install it on another OS which I haven't tried yet, maybe it changes its size by 3 or 5 pixels revealing users OS?
So far I have tested on Windows XP, will check other OS later.
EVERYONE, I would like to know what sizes you guys get, please add
https://addons.mozilla.org/en-US/firefox/addon/browsizer/
to your TBB and report your size here, both from first start after install, and restart of TBB, and if you are comfortable please also tell what OS you are using.
The good part with this addon is one can add and save their own window sizes and positions, and I have of course 1008x1025 stored so I can reset that "fingerprinting" bug.
Also, I would like to know from the TBB team, what is the exact size of TBB browser window supposed to be?
NOTE: Browsizer seems to report a different size than many online browser tests such as:
https://www.browserleaks.com/
http://browserspy.dk/
https://panopticlick.eff.org/
but that doesn't matter as the relative difference is constant.
What are the online tests reporting? They should show you the width being a multiple of 200 and height being a multiple of 100.
Correction, I made a mistyping:
1008x1025 should be 1008x1125
and...
1008x1029 should be 1008x1129
Here are the following results from:
https://www.browserleaks.com/javascript
Screen Resolution 1000×1019 24-bit TrueColor (working area: 984×1003)
and...
http://browserspy.dk/window.php
innerWidth 1000
innerHeight 1019
outerWidth 1000
outerHeight 1019
With Javascript disabled (in about:config) I don't get any of the readings from Browserleaks or Browserspy that you quote.
To check my 'Browser window' size, I use ip-check.info and this size always matches up with the figures I get from https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html.
Sure we can toggle the Javascript on/off which is a no brainer, I too turn it on only for the purpose to read out the window and screen size, and there are web sites that are pretty useless without some Javascript.
Anyhow, I got the same results as before on these sites:
ip-check.info
https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
Window and Screen W x H = 1000 x 1019
and 1019 is not a multiple of 100 or 200.
Every time I restart TBB it becomes 4 pixel higher and a black bar appears in the bottom, I can see it flickering quickly, until Browsizer addon catches up and sets it back to previous size.
Would you mind tell your size so we can compare?
Mine is 1000 x 600.
You can physically resize the window by moving the right edge to the left and the bottom one up.
You can use CSS to detect screen sizes remotely. (No JavaScript needed)
A lot of @media queries and background images
ip-check.info reports same height, width as arthuredelstein.github.io/tordemos/media-query-fingerprint.html
the sizes aren't multiples of 100 px. the last digit of size can be 1, 7, 9, or other odd numbers, or nonzero even numbers.
what is tbb pref? i tend to use high security setting, so i must have set the slider to maximum when that feature was introduced.
extensions.torbutton.security_slider user set value is 1
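The window-size exchange above turns on one rule (width a multiple of 200, height a multiple of 100) and on why a few stray pixels matter. The following is an added example, not part of the original thread or Tor Browser code, that checks a size against that grid and shows how off-grid sizes end up alone in a population; the `REPORTS` list is constructed, seeded with the two sizes commenters posted.

```javascript
// Added example, not Tor Browser code. GRID is the rule stated in the thread;
// REPORTS is a constructed population seeded with sizes commenters posted.
const GRID = { width: 200, height: 100 };

// Signed distance from a dimension to the nearest grid line.
function offGrid(value, step) {
  const r = value % step;
  return r <= step / 2 ? r : r - step;
}

function checkWindow(width, height) {
  const dw = offGrid(width, GRID.width);
  const dh = offGrid(height, GRID.height);
  return { width, height, dw, dh, onGrid: dw === 0 && dh === 0 };
}

// For each report: is it on the grid, and how many other reports share it?
function audit(reports) {
  const counts = new Map();
  for (const r of reports) {
    const key = `${r.width}x${r.height}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return reports.map((r) => ({
    ...checkWindow(r.width, r.height),
    sharedWith: counts.get(`${r.width}x${r.height}`) - 1,
  }));
}

const REPORTS = [
  { width: 1000, height: 600 },  // posted in the thread
  { width: 1000, height: 600 },  // constructed
  { width: 1000, height: 600 },  // constructed
  { width: 1000, height: 1000 }, // constructed
  { width: 1000, height: 1000 }, // constructed
  { width: 800, height: 500 },   // constructed
  { width: 800, height: 500 },   // constructed
  { width: 1000, height: 1019 }, // posted in the thread
  { width: 1000, height: 1023 }, // constructed: the 1019 window grown by 4 px
];

// Sizes that break the grid, and sizes nobody else in the population shares.
function summary(reports) {
  const rows = audit(reports);
  const label = (r) => `${r.width}x${r.height}`;
  return {
    offGrid: rows.filter((r) => !r.onGrid).map(label),
    unique: rows.filter((r) => r.sharedWith === 0).map(label),
  };
}

console.log(summary(REPORTS));

// In a browser console this reports the current window against the grid.
if (typeof window !== "undefined") {
  console.log(checkWindow(window.innerWidth, window.innerHeight));
}
```

In this constructed population the grid-aligned windows share their size with others, while the 1000x1019 window and its 4-pixel-taller variant are each the only one of their kind.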
Hello torproject,
can you explain how to DOWNLOAD a .xpi file/extension from
https://addons.mozilla.org without getting a 0 byte file?
Strange and annoying.
I use an add-on called Down Them All, or for short DTL
https://addons.mozilla.org/en-US/firefox/addon/downthemall/
Add it to your browser and right click on any addon and choose DTL, sometimes the download fails, but clicking on resume button seems to handle it.
Also, you could install all your addons into your browser, then go to the .../profile.default/extension folder and copy the XPI file from there, but keep in mind the browser renamed the XPI file during the installation process, often to some random looking file name such as:
{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
which in this case is the NoScript addon.
security.csp.enable;true to false.
I assume the entry for Graphite font rendering under about:config is:
gfx.font_rendering.graphite.enabled (true = default)
Hopefully those other gfx.font_rendering.* aren't vulnerable... :(
No, with 5.5.4 that preference is set to false. This is the default starting with Firefox ESR 38.7.1.
TTB Team, can't we turn OFF the pipelining network function under about:config?
network.http.pipelining; (default = true)
If I disable it in the prefs.js, TBB crashes during start up.
Pipelining is an ancient thing used in the old days when phone line modems were common, pipelining means the browser sends several requests to the server in advance instead of sending one request and waiting for the return, that was good back then with slow lines and returns, but from a privacy and security point of view it has its drawbacks.
At least I would like to be able to turn it off even if it won't become standard in future TBBs.
If it's not possible to turn it off, can you describe briefly why it's needed in TBB.
Regards the curious geek :)
It is part of our
It is part of our experimental defense against website traffic fingerprinting: https://vbdvexcmqi.oedi.net/blog/experimental-defense-website-traffic-f…
That blog post explains an
That blog post explains an idea on how to utilize the pipelining with some added randomization which is indeed an appealing idea, but I wonder how effective it is the way it is implemented in the current TBB, is it the browser itself that handles the randomization or is it the Torbutton that handles it?
Under about:config the "network.http.pipelining.maxrequests" is set by default value to 12, if it is set to 0 or 1 it crashes, I guess it is the same as disabling the pipelining, and 2 is the lowest value without causing TBB to crash on start up, now the question is, how much of "randomization" is going on if the lowest value is only 2 without TBB protesting, I never experienced any problems surfing around the net when trying with that value.
But request A before B, or B before A is not much of a randomization?
Further..
https://trac.torproject.org/projects/tor/ticket/3914
one of the comments mentions about "minrequest" to be set to 4, but such entry doesn't exist in TBB 5.5.3, but perhaps I could create under about:config a:
"network.http.pipelining.minrequests" and set the value to 4?
Tor Browser handles it not
Tor Browser handles it not Torbutton. How much noise this randomization adds (even if one tunes it as you did) is still not sufficiently answered. More research is needed.
"Change details that
"Change details that distinguish you from other Tor users" what does this mean in the security??? please more details
That's one heck of a
That's one heck of a Chinglish I cannot fathom either... ahem, do I want to be distinguished when using TBB? :)
For privacy, not computer
For privacy, not computer security.
Do not increase uniqueness of your browser: makes it easier for servers to fingerprint yours versus Tor browsers being used by others.
In what way? TBB devs need
In what way? TBB devs need to explain this somewhere
Thanks for the strong
Thanks for the strong discussion and feedback, everyone
Happy Nowruz to Iranians and the Farsi speaking community everywhere
RE: risk of fingerprinting in using ad on software not including in the Tor Browser project.
The question I have is regarding Disconnect search
While yes I was very pleased when you made this the default search engine, is this a point of failure?
Is Disconnect open source (I am guessing it is not)
Edward Snowden papers discuss NSA breaking VPN's as a rule - this is the primary functionality of Disconnect I understand?
Tor, or others, are you able to comment upon the safety or lack thereof regarding Disconnect fitting inside the Tor software - what is essentially a third party installation
Hugs and love to all
I don't believe they mean
I don't believe they mean Disconnect the ad-on
they mean the use of Disconnect as a search engine
is it simply a web page that Tor visits - maybe not as it is accessible from the address bar
but even if it is 'just' a web page that Tor visits - is disconnect
vulnerable to state sponsored targeted attacks (leaking of content like the search string, or leaking of IP ) if the VPN they use to link to google is vulnerable or broken?
Is there a keyboard shortcut
Is there a keyboard shortcut for "New Tor Circuit for this Site?"
It shows Underscore "C" but pressing C or ALT+C won't work
tons of websites block Tor traffic and it's getting just unusable
thanks
Not yet, but there is
Not yet, but there is https://trac.torproject.org/projects/tor/ticket/17599 suggesting we implement it. :)
Hej folks - you are doing a
Hej folks - you are doing a great job. Keep on running. A search engine project might be of interest: "MetaGer"...
obfs4 bridge is no longer
obfs4 bridge is no longer loading / working straight off... I'm having to use obfs3 first, then when the browser has loaded, I can switch to obfs4 using Tor Network Settings.
Trying to load obfs4 bridge at browser start gives error:
25/03/2016 01:32:48.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:48.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
25/03/2016 01:32:50.100 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
25/03/2016 01:32:50.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:50.100 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
25/03/2016 01:32:57.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:57.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:57.900 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:32:57.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
25/03/2016 01:33:05.000 [NOTICE] Bootstrapped 5%: Connecting to directory server
25/03/2016 01:33:05.000 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
25/03/2016 01:33:06.300 [WARN] Proxy Client: unable to connect to 109.105.109.165:10527 ("general SOCKS server failure")
25/03/2016 01:33:06.400 [WARN] Proxy Client: unable to connect to 83.212.101.3:41213 ("general SOCKS server failure")
25/03/2016 01:33:06.400 [NOTICE] Ignoring directory request, since no bridge nodes are available yet.
25/03/2016 01:33:06.400 [WARN] Proxy Client: unable to connect to 109.105.109.147:13764 ("general SOCKS server failure")
25/03/2016 01:33:06.400 [WARN] Proxy Client: unable to connect to 104.131.108.182:56880 ("general SOCKS server failure")
25/03/2016 01:33:07.000 [NOTICE] Delaying directory fetches: No running bridges
25/03/2016 01:33:25.600 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
25/03/2016 01:33:25.600 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
25/03/2016 01:33:25.600 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
Any help much appreciated.
I have noticed a quite weird
I have noticed a quite weird phenomenon when visiting
https://www.browserleaks.com/whois
While clicking on the Tor button (the green onion icon) and holding the mouse cursor on there while loading the browserleaks page, I notice that the middle and exit nodes change very quickly 2-3 times, so browserleaks only shows the first exit country which was visible under tor button just before TBB changes all those nodes several times.
I can open browserleaks in a new tab next to the old one, and it gives yet another result, it seems like browserleaks have a capability to cause the TBB doing these switches, meaning it is some kind of hack to fingerprint all the nodes I am using, for instance if I have only a few entry and exit nodes allowed in the torrc file they will find out quite quickly, this is Not good.
It happens both with Javascript on or off.
Also, I would strongly but respectfully urge the TBB team to change the code so the TBB really respects the function of
EnforceDistinctSubnets when set to '1', because I have seen too many times where 2 nodes are in the same country, and I regard that as if we don't have 3 nodes but only 2 nodes, and in a worst case scenario all 3 nodes appear in the same country.
Further, I am going to give you another horror example how TBB behaves, this I once experienced few weeks ago, we have 3 nodes, let's give them fictitious IP numbers
Entry = 11.11.11.11
Middle = 22.22.22.22
Exit = 33.33.33.33
So it would look like this from my browser to the exit
TBB => 11.11.11.11 => 22.22.22.22 => 33.33.33.33 => internet
Now.. after a while the EXACT same IP number for the Entry AND exit node changes place with each other, so it became
TBB => 33.33.33.33 => 22.22.22.22 => 11.11.11.11 => internet
How much of privacy and how much can we trust the Tor project when we encounter such sick example??
The entrance node is fixed
The entrance node is fixed to U.S.A address (96.233.111.125). As you know, fixation of entrance node to one address is very vulnerable for security. How can I settle it?
"As you know, fixation of
"As you know, fixation of entrance node to one address is very vulnerable for security."
Not fixing the entrance node is objectively much worse, under the assumption that adversaries run relays. So no. You're wrong. It's a feature.
https://decvnxytmk.oedi.net/docs/faq.html.en#EntryGuards
This question comes up again
This question comes up again and again, and Tor people are just pointing to the FAQ, which does not answer the question. The FAQ talks about "Tor client selects a few relays at random to use as entry point", while what we observe in reality is that a single node is fixed. In fact, I'm not aware of any justification for the change from "a few" (which was correct in the past) to "a single one". Please clarify.
The move from 3 to 1 guard
The move from 3 to 1 guard happened a while ago, and there even was a blog post about it, and other related topics.
https://vbdvexcmqi.oedi.net/blog/improving-tors-anonymity-changing-guar…
https://trac.torproject.org/projects/tor/ticket/11480
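The argument in this sub-thread (a fixed entry guard versus a fresh entry relay per circuit, and 3 guards versus 1), worked through numerically as an added example that is not part of the original comments or of Tor's code. It assumes an adversary running a fraction f of entry relays, uniform relay selection and no guard rotation (real Tor weights relays and rotates guards over time); the function names are hypothetical.

```python
import random
from math import comb


def exposure_exact(f, circuits, guards):
    """Probability that at least one circuit enters through an adversary relay.

    f        -- assumed fraction of entry relays run by the adversary
    circuits -- number of circuits the client builds
    guards   -- 0: new random entry relay per circuit; k: k guards picked once
    """
    if guards == 0:
        return 1.0 - (1.0 - f) ** circuits
    safe = 0.0
    for bad in range(guards + 1):
        # Chance that exactly `bad` of the chosen guards are adversarial ...
        p_bad = comb(guards, bad) * f ** bad * (1.0 - f) ** (guards - bad)
        # ... times the chance every circuit happens to use a good guard.
        safe += p_bad * ((guards - bad) / guards) ** circuits
    return 1.0 - safe


def exposure_simulated(f, circuits, guards, trials=5000, seed=1):
    """Monte Carlo check of exposure_exact under the same assumptions."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        if guards == 0:
            hit = any(rng.random() < f for _ in range(circuits))
        else:
            guard_is_bad = [rng.random() < f for _ in range(guards)]
            hit = any(guard_is_bad[rng.randrange(guards)]
                      for _ in range(circuits))
        exposed += hit
    return exposed / trials


def compare(f=0.05, circuits=200):
    """Exact and simulated exposure for the three policies discussed."""
    policies = (("no guards", 0), ("3 guards", 3), ("1 guard", 1))
    return {label: (exposure_exact(f, circuits, g),
                    exposure_simulated(f, circuits, g))
            for label, g in policies}


if __name__ == "__main__":
    for label, (exact, sim) in compare().items():
        print(f"{label:>9}: exact={exact:.4f} simulated={sim:.4f}")
```

With 5% adversarial entry relays and 200 circuits, a client without guards is almost certain to enter through the adversary at least once, while a client with a single guard is exposed with probability 5% and one with three guards with roughly 14%.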
"Not fixing the entrance
"Not fixing the entrance node is objectively much worse,...
https://decvnxytmk.oedi.net/docs/faq.html.en#EntryGuards"
Can you explain that to the Tails developers?
You use Tails on DVD, you get big problem )-: with fixing the Entry node permanent and the Tails programmers don't patch that. ....?
They know
They know already.
https://tails.boum.org/blueprint/persistent_Tor_state/
https://labs.riseup.net/code/issues/5462
"They know
"They know already."
.....yes. But WHEN they change it? A long time till 2017.
It's a decisive weak point of Tails.
In older versions of Tails you have had an alternative, Vidalia, in current version you have a problem.
Any one of: * Complaining
Any one of:
* Complaining about it where the people involved will actually read it (like in the ticket on their bug tracker that I linked).
* Contributing the development work required for the functionality.
Would be more productive than commenting here, since no one really reads the comments regularly.
Is there an obvious
Is there an obvious disadvantage to set dom.event.highrestimestamp.enabled to false - beside the usual warning that one might stand out with a changed configuration?
Let's just hope Mosaddegh is
Let's just hope Mosaddegh is not cryptic term for Mossad.
When TBB 5.5.1 successfully
When TBB 5.5.1 successfully connects to tor network, I get the following entry in tor-log TWICE:
New control connection opened from 127.0.0.1.
New control connection opened from 127.0.0.1.
Should I be worried? (for earlier TBB versions, there used to be only one entry)
thanks
Firstly, thank you to all
Firstly, thank you to all the great folks that make Tor possible!
Bless You All
One problem though, maybe just my ignorance. I cannot view my saved passwords/usernames. I have plenty but they are just not visible!
Please help!
Much thanks....
Tor the best!
Tor the best!
Is it really worth upgrading
Is it really worth upgrading to "Tor Browser 5.5.4 release"? or, are there problems associated with it? and, if there are problems associated with it - what are they? Thanks.
If I upgrade to "Tor Browser
If I upgrade to "Tor Browser 5.5.4 release" will all my Bookmarks be transferred over to it and still existing and functioning as it is with the current version (older version) that I'm using? or, will all my Bookmarks be wiped clean and I will no longer be able to find my current Bookmarks anymore? Thank you.
hello, can someone tell me
hello,
can someone tell me how to fix this issue ... there is the log from browser console
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
about:blank : Unable to run script because scripts are blocked internally.
about:blank : Unable to run script because scripts are blocked internally.
[NoScript HTTPS] AUTOMATIC SECURE on https://bam.nr-data.net: JSESSIONID=e60d4164b8a2cce3; domain=.nr-data.net; path=/; Secure
NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIMIMEService.getTypeFromExtension] external-app-blocker.js line 131 > eval:1:0
"statusChangeCallback" index.php:325:4
Object { authResponse: undefined, status: "unknown" } index.php:326:4
getFirstPartyURI failed for about:blank: 0x80070057
getFirstPartyURI failed for unknown: 0x80070057
Please fix
Please fix passwords/usernames not showing.
Many praises for all your hard, tiring work you do for us all....
I read on the Tor Metrics
I read on the Tor Metrics Portal, a new pluggable transport named 'snowflake' is listed and has 1 user ( so far ). Comment from TP people as to what snowflake does as a pluggable transport and where can I download / install it would be helpful.
can anyone help me with this
can anyone help me with this issue ... i can't load ... this is what i get in browser console
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
getFirstPartyURI failed for unknown: 0x80070057
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
getFirstPartyURI failed for unknown: 0x80070057
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057
getFirstPartyURI failed for chrome://browser/content/browser.xul: 0x80070057spades.js:405:12
[NoScript HTTPS] AUTOMATIC SECURE on https://spadesplus-yahoo.peakgames.net: PHPSESSID=emfedfq98ke1ekcbs2fj9hrpo7; domain=spadesplus-yahoo.peakgames.net; path=/; Secure
If not ghostery with Tor
If not ghostery with Tor browser, which add on if any
ublock origin
ublock origin
great software browser
great software browser
i cant have access in
i cant have access in anything, i use bridges and nothing works, neither one website whats wrong?
I can't connect to onion
I can't connect to onion sites after having updated to Tor 5.5.4 - and the onion logo in the browser is greyed out with a red cross over it.
Anyone might have a suggestion as to what I'm doing wrong?
whats this all about/
whats this all about/
Can anyone tell why can't I
Can anyone tell why can't I use only a Swiss entry node, setting EntryNode {ch} doesn't work, no guard node will even pick up, or may it also have to do with which countries are under the ExcludeNodes list?
I get the following log messages
[NOTICE] While fetching directory info, no running dirservers known. Will try again later. (purpose 14)
[WARN] You have asked to exclude certain relays from all positions in your circuits. Expect hidden services and other Tor features to be broken in unpredictable ways.
Flash STILL does not work.
Flash STILL does not work. Now before everyone starts screaming about not using flash, let me say this. IF we aren't supposed to use flash then WHY does it still have options built into the TOR browser to turn it on? Yes I FULLY understand the risks of using flash, all I want to do is unblock MY ip from a site, once TOR does that for me, the site doesn't suddenly start blocking me once flash is active, so I don't wanna hear "you shouldn't use flash" useless comments. I need flash to work, period. whatever settings I have to change to make that happen are fine.
tor is great, but not working
tor is great, but not working
I have lots of tabs open
I have lots of tabs open that I keep over restarts. I don't want them to reload when restarting. "Work Offline" solves this in Firefox. When I restart Tor Browser after updates, "Work Offline" is automatically deactivated. Not just annoying, but anonymity killer.
guys in our college firewall
guys in our college firewall everything is blocked pls help
Yes, hail to
Yes, hail to Prince Mossadegh al-Saltaneh
The Qajar prince who, out of resentment over the fall of the filthy Qajar monarchy, wanted to overthrow the Shah
He defied the lawful order to leave the post of prime minister and arrested the bearer of the message
Anywhere in the world, that means a coup
He declared martial law and dissolved parliament
Anywhere in the world, these things mean dictatorship
And the National Front's last dirty deed was declaring the people's uprising of 28 Mordad a coup
And the naive people of Iran still keep parroting it
I'm using version 5.5.4 for
I'm using version 5.5.4 for now and most Asian scripts are not shown. Instead are squares with codepoints like I have not installed the necessary fonts, but I have. This is thus on every site.
A test page:
http://www.ltg.ed.ac.uk/~richard/unicode-sample-3-2.html
Latin, Greek, Cyrillic, Armenian, Hebrew, Arabic, Thai and some others work, but Indic, CJK etc. do not.
I checked with version 4.5 and it has worked perfectly well with any exotic script.
I googled and found that there have been similar complaints about the previous 5.5-ish versions.
What the heck is this???
What the heck is this??? I can't connect to the server at all