Tor Browser 7.0.2 is released

by boklm | July 3, 2017

Tor Browser 7.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor.

We are updating Tor to version 0.3.0.9, fixing a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This release also updates HTTPS-Everywhere to 5.2.19.

Here is the full changelog since 7.0.1:

  • All Platforms
    • Update Tor to 0.3.0.9, fixing bug #22753
    • Update HTTPS-Everywhere to 5.2.19

Comments

Please note that the comment area below has been archived.

mike (not verified) said:

July 05, 2017

Permalink

with this update, tor browser is no longer connecting to onion sites (times out). i am using sierra 10.12.5. should i downgrade to tor browser 7.0.1?

Александр (not verified) said:

July 26, 2017

Permalink

Здравструйте, Уважаемые Администраторы и менеджеры! Я не очень хорошо знаю Английский язык, более 20 лет живу в России. Вы не могли бы по-русски написать мне, правильно ли я подключился к сети Tor ? Нужно ли выполнить еще какие=то действия? Могу ли я пользоваться почтой анонимно и как это делается?

С Уважением Александр.

Александр, люди, не знающие английский слишком похожи на сотрудников Роскомнадзора. Помощи не получишь. Учи язык международного общения и вливайся в международное сообщество. Может тогда и желание работать на РКН отпадёт.

I experienced (for the first time) difficulty to connect to Tor 'network'. I then try to configure it with the 'option' of if my isp is blocking Tor network,
and then I could connect very fast.

Anonymous (not verified) said:

July 05, 2017

Permalink

How is Tor (Tor Browser) working in China now?? It seems Tor faces the most serious problems with China and the Great Firewall, so I'm wondering how that is going on now: can people from within China use Tor now, how difficult to use Tor from China,...?

Anonymous (not verified) said:

July 05, 2017

Permalink

Thank you, pastly :)

I was being attracted so much by the information flow regarding "the Sino-Tor war over the Great Firewall"; I hope people from within China will be able to pass the obstacle(s). It sounds like they (the PRC Gov) did put huge efforts to block the people from using Tor (that struggle must cost them a huge amount of money and resources). I still want to dig in that war. xD

Every human being should have the right o all the benefits of technology such as using Tor because of the apparent costs. Open all channels...Ready to Recieve

yes,we can,but with a lot of connecting problem,and the speed is not good at all(for my instance,about 20-200k downloading speed over my 30M fiber broadband)
most pages need to be refreshed 2-3 times until it can fully loaded.
all Chinese ISP block Tor,if you are lucky enough,you can use obfs4 and link to tor network,but if you are not,seems you triggered something in GFW,then you cannot connect to tor for a while.meek also may work,but in a much lower possibility.and if you havn't use tor for a few days,you may need to manually add a new bridge...

sorry for my poor english,and thanks for all tor guys,you guys are awesome

Boby1 (not verified) said:

July 05, 2017

Permalink

Why is the entry relay is always the same? (same IP) even after I click on "new Tor Circuit for this site".

Anonymous (not verified) said:

July 05, 2017

Permalink

The OP hints at a common (and perfectly natural) misconception about keeping Tor circuits as hard as possible to deanonymize, one which I notice has come up here several times in the past few months. It would be nice to work towards keeping visible at decvnxytmk.oedi.net an up-to-date FAQ with short authoritative answers to the most frequently *recently* asked questions which have recently arisen in discussions with users here and in other help venues, written for ordinary users rather than for sophisticated techgeeks or other developers.

The community team (https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam) is currently working on the Tor Project support portal, which will serve this function. Currently we are compiling content on the wiki at https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam/S…, however we plan to migrate this to a proper support page in the near future.

Anonymous (not verified) said:

July 05, 2017

Permalink

About those weekly chats:

I know Tor Messenger is only beta, but the irony is that if you junked OFTC and used a chat room at Calyx Institute (for example), the weekly chats would be accessible to Tor Messenger users without endangering themselves by offering money and contact information. That would mean that more Tor users could participate. And you'd be able to explore large scale use of OTR chats, etc. And you could invite tech reporters to join the discussion, giving Tor users a chance to interact directly with reporters. Of course USIC would show up to, hence the need for strong anonymity.

Tor Messenger may be only beta, but it is the *only* chat I can use.

+100!!!
Wonderful post!
I've tired to explain Tor folks that they should provide anonymous access to their chats!
Tor Messenger needs more love!

Anonymous (not verified) said:

July 06, 2017

Permalink

Glad to see someone out there agrees with me!

I think Tor Messenger is without doubt one of the most promising projects from the Tor team. If it ever gets an impressive security audit and goes into "production", I think it could be the "killer ap" ordinary people all over the world so badly need--- even if they don't yet realize that they need it!

Jon (not verified) said:

July 05, 2017

Permalink

I started TOR and was told its out of date and clicked to update. So I just loaded the update and now I cant get TOR to start at all? Any help gratefully received

Jon (not verified) said:

July 06, 2017

Permalink

I dont get any thing show on screen at all. No error messages or anything. In Task manager in background tasks, it shows for a few seconds and uses up to 7% CPU but then just stops?

I guess you are on Windows? If so, which version? Do you have some antivirus/firewall software installed? If so, which? Could you uninstall it and check whether that solves your problem? Disabling it is often not enough.

Jon (not verified) said:

July 06, 2017

Permalink

Thanks for the suggestion. Its Windows 10, but I have upopdated TOR on many ocassions without any problems at all. The file downloads cleanly and seems to install OK, but just does not run. I have ever had an issue with either my antivirus or firewall previously. I have tried removing TOR and going back to 7.0.1, but now no difference?

Jon (not verified) said:

July 07, 2017

Permalink

Boklm, Thanks for the suggestion. I do have Trusteer installed but have not had any problems at all with either that or with TOR until I did the update to 7.0.2. I cant seem to uinstall TOR using the usual windows methods, but have deleted the TOR directory and reloaded 7.0.1 but no joy there. I then deleted the TOR folder again and downloaded 6.5 and that installs and runs OK, but of course with all the known problems up to 7.0.2!
Thanks for the help and suggestions
Jon

bgr (not verified) said:

July 08, 2017

Permalink

I had the same problem, but I know now that it is because I have
a private firewall in Windows, so when you disable this firewall I had no problems
anymore by downloading the new version.
Can I use TOR browser also in Linux; if so how to install?

Just get the respective Linux bundle from our website, extract it and change to the tor-browser_YOURLOCALE directory. Then either click on the Tor Browser setup or start it via command line ./start-tor-browser.desktop

Anonymous (not verified) said:

July 05, 2017

Permalink

"Are you seeing the same first node on multiple websites?"

Sorry, that's not what I meant.

When I use netstat (in Linux) I often see the same entry node connected to, twice. Not in the browser, I know about that and it's natural, but instead from my PC to the same entry node IP, but twice, two connections open. Now why would that be?

Intriguing!

What Tor version? If it's a recent one, and this is repeatable behavior, we want to know.

In particular, Tor 0.3.1.1-alpha has some fixes to reduce the chance of this situation happening, so it would be especially useful to know if you see these issues before 0.3.1.x but not after it.

nt_done (not verified) said:

July 05, 2017

Permalink

7.0.2 is not perfect & sometime i wonder who is lying or corrupted ... no comment.

about:config

https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
April 14, 2017
Firefox Phishing Attack Uses Domains Identical to Known Safe Sites
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.

It removes the “open with” option from the download dialog
Hands up! I’m not really sure why this is considered a vulnerability, but it is! To turn this feature on:
browser.download.forbid_open_with
Double-click anywhere on the parameter to change it to true.

*and of course for tor_sandbox :
*Toggle the following two preferences so that their value becomes true:
*extensions.torlauncher.control_port_use_ipc
*extensions.torlauncher.socks_port_use_ipc
*you must install bubblewrap on debian.

This seems to be a reliable source:

https://nakedsecurity.sophos.com/2017/04/19/phishing-with-punycode-when…
Phishing with ‘punycode’ – when foreign letters spell English words
19 Apr 2017
Paul Ducklin

From about:config in Tor Browser (in Tails 3.0.1, so should agree with TB 7.0.2):

network.IDN_show_punycode;false

So I agree this would seem to be a problem, unless someone knowledgeable has tested TB 7.0.2 against punycode redirection schemes and confirmed it is not vulnerable, and understands why the attacks fail (if they do fail).

Assuming the TB teram really did miss a vuln, however, I think you might be too harsh on them-- anyone who has tried to plow through the about:config options will have some sense of the frightful complexity of Firefox (or another major browser). What matter is not that they (mebbe) missed a hole but how quickly they fix it.

> *and of course for tor_sandbox :

Which is a separate download all together, but ok.

> *Toggle the following two preferences so that their value becomes true:
> *extensions.torlauncher.control_port_use_ipc
> *extensions.torlauncher.socks_port_use_ipc

Unneeded with the bubblewrap based sandbox, and instead will break everything.

Totally worthless for the standard Tor Browser because there is no policy enforcement of "Only use AF_LOCAL" sockets, and adding any enforcement will result in a browser that can't load pages due to a Firefox bug (See #22794).

> *you must install bubblewrap on debian.

Will do nothing for standard Tor Browser, but yes, that is required for the real sandboxed Tor Browser.

byproxy (not verified) said:

July 05, 2017

Permalink

It is very rare that I do this but while I had a few tabs open on 7.01 I decided to switch to off-line so I can open a non-secure connection with a different browser. Push come to shove, I left it idle for 30' and came back. The bugger had updated itself over tor and was asking me to restart WHILE IT WAS OFFLINE.

No good. If off-line does not mean off-line I recommend you take the mozilla button off or disable it altogether. I know it is better to shut-it-off and kill the tor daemon, but then why is there an offline button.
I strongly believe that simultaneous connections to tor and non-tor is a security weakness that I try to avoid.

Meanwhile, about 5 versions back I had written in the old blog about the "about" button/window staying on while the rest of the browser would shut-down and restart for a new tor circuit. A window is a window, whether browsing or displaying the about information. I was told then it was a bug meant to be looked at. It is still the same, isn't it?

AND, to top it all off, now we need to enable scripts to leave a comment?

> I strongly believe that simultaneous connections to tor and non-tor is a security weakness that I try to avoid.

I agree, and I am pretty sure TP will too.

> now we need to enable scripts to leave a comment?

Before trying the "new blog" I was afraid that would be the case, but it seems not to be. I have been able to post with javascript disabled. However, after hitting the post button, I have to hit the "new identity" button because otherwise TB will try to endlessly reload. This is awkward and probably somewhat dangerous (because it seems like it could perhaps make it too easy for an adversary with too much net presence to deanonymize and barrel bomb me) but it has not prevented me from commenting.

Another way would be to use a dedicated Tails session (boot from a live DVD burned from a verified ISO image) for each visit in which you anticipate trying to make even one post, to visit only vbdvexcmqi.oedi.net during the Tails session, and to leave javascript enabled in TB (security level medium in the slider). I don't recommend changing the security slider during a browsing session, because I have observed that this appears to lead to many suggestions of unanticipated and possibly dangerous behavior by the complicated (TP, Mozilla, OS) software systems involved. But this method would possibly also be too easily spotted by too many bad guys.

The safest way, as always, alas, is silence.

At least until TP acquires sufficient resources to devote adequate effort to make blogging here reasonably safe for wary endangered Tor users.

Until then people who feel less endangered can try to speak for those who are more endangered.

> The safest way, as always, alas, is silence. (lol)
if the safest way is silence you should avoid all tor & foss projects and to be involved or to feel concerned :
avoid tor & tor-sandbox
avoid onion
avoid tutanota
avoid otr & tox
avoid cryptocat
avoid ricochet
avoid onionshare
avoid pgp
avoid codecrypt
avoid onepad
avoid sks
avoid 443
avoid dns
avoid openvpn
avoid linux
avoid english
avoid walk on the right side
avoid all anonymous comments
avoid privacy & dignity
avoid to be a human being
> The safest way, as always, alas, is silence. (lol)

Hi, death,

I think we are actually saying the same thing: being on the Internet is dangerous, but necessary for life, so life is dangerous, but instinct demands that we try to prolong life, so... huzzah tor and all those other nice things you mentioned!

Some years ago a poster requested in this blog that Debian developers introduce quantum-cryptanalysis resistant crypto, and codecrypt (confusingly, man codecrypt doesn't give a man page, but the utility is ccr and man ccr gives a man page) tries to work toward that need. However, I wish it had more extensive documentation.

Keep the good stuff coming, please, FOSS people!

https://github.com/exaexa/codecrypt
it needs an audit (like most foss).
it needs practice and i have not found a site for that but pgp has several which this one :
https://www.reddit.com/r/GPGpractice/
or this one working only in pgp
https://keybase.io/tlikonen

eff is preparing a new guide :
https://www.eff.org/secure-messaging-scorecard

foss :
https://privacytoolsio.github.io/privacytools.io/
Never trust any company with your privacy, always encrypt (especially if you suspect some of them working on the bad side e.g protonmail).

> it needs an audit (like most foss).

And much better documentation (like too much FOSS).

But I don't want to sound harsh: at least some individuals out there are trying to help.

Still, it seems clear that what we need a concerted global cooperative effort to develop, code, audit, and promote post-quantum crypto. Such concerted cooperative efforts to make something everyone needs happen is best done by governments, but we have the special problem that all the world's governments now seem to hate anything which empowers citizens, such as strong crypto.

Describing the problem is easy; fixing it will not be. But fix it we must, somehow.

> https://www.eff.org/secure-messaging-scorecard

Very cool! I hope they at least mention Tor Messenger, maybe even urge readers to consider a donation to Tor Project.

zac (not verified) said:

July 05, 2017

Permalink

since the update i cannot connect to any onion sites, the connection just times out, however all other sites are fine... any info or help/advice?

In order of likelihood, my guesses are:

A) The onion sites you're trying are all down. Try http://duskgytldkxiuqc6.onion/ or https://www.facebookcorewwwi.onion/

B) Your time or date or timezone on your computer are set wrong.

C) You messed with your Tor Browser configuration a bunch and you broke the proxy settings or some other piece of the config.

Let us know which one it is. :)

If I might but… (not verified) said:

July 06, 2017

Permalink

I notice that Debian 9.0 installer is more aggressive about making everyone use NTP (Network Time Protocol) than Debian 8.0. Years ago users were warned that NTP is hopeless insecure. I hope that is no longer the case!

> Your time or date or timezone on your computer are set wrong.

Quick question about that: what is the approximate time scale where clock offsets can interfere with using onion services?

Another issue with strangely set system clocks is presumably that this can assist the bad guys in deanonymizing us.

Anonymous (not verified) said:

July 05, 2017

Permalink

thanks for update !!

i checked with http://ip-check.info/

with highest setting there are two points that the site mark bad:

- Authentication: unique ID
- Cache (E-Tags): unique ID

Is this ok so or what should I do?

thanks !!

both can read an

go into About:config and turn off memory cache to disable the -Cache(E-Tags) Unique ID's

as far as the Authentication unique ID. there is no way to do so in firefox/tor. (so the only way you can safely get a new Authentication ID is to restart Tor each time you want to revisit a site you already previously visited.

Anonymous (not verified) said:

July 07, 2017

Permalink

thx !!

CuriousUser (not verified) said:

July 05, 2017

Permalink

Cannot change listen and control ports using the TORRC file.

I tried switching ports to 9250 and 9251 however in Process Explorer it shows TOR listening on 9250, 9251 and the default 9150, 9151.

Also, I tried setting the SOCKS port in the browser network tab to 9250 and it crashes on startup.

I figured out why TOR crashes if you change the ports, there are invalid characters in the commandline, but I don't know how they get there.

If you change TORRC to use SocksPort 9250 and ControlPort 9251, you end up with this commandline:

+__ControlPort 9251 +__SocksPort

for some reason the Tor Browser adds those two plus signs which causes Tor.exe to crash. If you copy the entire commandline to a windows batch file and remove those plus signs, Tor starts and listens on the custom ports.

Could you get us a log file containing debug output so we can investigate the crash further? You could add a log entry to your torrc file like Log path\to\your\logfile\name. Or you could overwrite the tor.exe file in your bundle with the one from the expert bundle (https://archive.torproject.org/tor-package-archive/torbrowser/7.0.2/tor… for the current one). And starting Tor Browser afterwards should give you a console with tor log messages.

CuriousUser (not verified) said:

December 15, 2017

Permalink

Sorry for the late reply...

The crash still happens with TBB 7.0.11 and when adding the LOG option to torrc, no log is generated. Also, replacing TOR.exe with the one from the expert bundle doesn't help. The debug window closes almost immediately.

Anonymous (not verified) said:

July 05, 2017

Permalink

Question for arma or another knowledgeable Tor employee:

I used Debian 9.0 (stretch). I have installed Debian-tor to use apt-transport-tor so that I can access the repos using the onion mirrors, in hope of improving security (both anonymity and integrity) of sofware updates, as per

https://vbdvexcmqi.oedi.net/blog/tor-heart-apt-transport-tor-and-debian…

The configuration file is in /etc/tor/torrc and it seems that the default configuration might not be optimal for apt-transport-tor. (I can use Tor Browser for web-browsing, which has its own tor engine and configuration.)

What is the safest configuration for users of apt-transport-tor?

I think the default torrc that you get with the Tor deb should be fine for use with apt-transport-tor.

(There are indeed power users out there on the Internet who make guides about all the knobs that you should turn. Every time you turn a knob you risk standing out a bit more. That's why we try to make the defaults good enough for most people.)

alien abductio… (not verified) said:

July 06, 2017

Permalink

Thanks much for the prompt and authoritative answer to my question!

I try to always keep in mind the tradeoff between maximing anonmyity (e.g. by using the default settings) and attempting to minimize vulnerabilties to the latest known attacks. This always involves difficult choices made on the basis of too little or too unreliable information, yet the choices must be made, so...

BTW, I accept that while Tor people know much much more than I do, anyone can be wrong, a risk which I also accept, because I know you are doing the best you can under difficult circumstances.

tailfails (not verified) said:

July 05, 2017

Permalink

tails fails to start tor after update to 3.0.1
log says:
/var/lib/tor has wrong permissions
config file can not be read

Unable to use email (not verified) said:

July 06, 2017

Permalink

But no anonymous remailers are involved, correct? So that you still need to obtain an email account from an ISP, presumably using your real identity at some point? (Note that ecash is typically not anonymous when your adversaries include the governments of SY, RU, US, etc.)

Without an [desktop-based] email client (Thunderbird, Torbirdy,...) you can still use email in a safe way with https: by using the web-based email client of "quite trustable" providers like gmail (typing, sending, reading,... doing everything on the browsers, not on the desktop-based clients.

By using gmail that way (right on the browsers, not on desktop-based client), your LOCAL ISP will have no way to eavesdrop your email communication. Google themselves and NSA, however, may still be able to read your messages , so to cut through Google+NSA noise, use GPG to encrypt important information in the emails, only use plain text for unimportant information.

By using the two tactics (https emails like gmail and GPG to encrypt important information), all the third-parties (your local ISP, international ISP, NSA,...) will have ZERO chance to read your messages. Quite a bit more sophisticated, and require your partner to have to use GPG too, but using email will become "able" and safe for you.

Fyjybv (not verified) said:

July 06, 2017

Permalink

Hello!
How to make Tor traffic look like multiple file downloads over HTTP/XHR (not HTTPS)?
Will it ever be implemented?

Djoko (not verified) said:

July 06, 2017

Permalink

Hi!! Can a dev pls hlp me out? how u use bitcoin core with tor??? before you had vidalia... now u only have tor browser... how can u use just tor without open tor browser... so you can activate tor and bitcoin core to run over tor... u have to open ur tor browser at same time?

c14`` (not verified) said:

July 06, 2017

Permalink

Fuck this download!!! its fucking everything up for me. I can't log on to a certain site and never had a problem until this shitty update!!!! I HATE THIS SHIT, I'M LOSING STUPID MULAH!!!!!

Mr.Admin (not verified) said:

July 07, 2017

Permalink

While update....there is DETECTED:EE:Malwr.Heru.Graftor.369260
Why??????????????????????????????

Help wanted (not verified) said:

July 08, 2017

Permalink

As so many questions in this blog from understandably confused newbies constantly demonstrate, even experienced Tor Browser users often don't know things they need to know in order to use Tor (or their indeed their PC/laptop) in less dangerous ways, given the threat environment facing Debian+Tor users.

I appeal again to the Debian Project/Tor Project team which (thank you!!) authored the "Tor at the Heart" post popularizing the onion service mirrors for Debian to do more to help Debian users avoid making potentially harmful errors.

Example: can you publish an updated version of the original post

https://vbdvexcmqi.oedi.net/blog/tor-heart-apt-transport-tor-and-debian…

(and thanks for posting that!), taking account of the fact that the new Debian stable is stretch, and also of the fact that at some point contrib and non-free were quietly added to the onion mirrors (and thanks for doing that, it was badly needed!), please?

Example: can you publish a tutorial on how to use nftables (the replacement for iptables in Debian stretch)

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

to set up a personal firewall on our PC/laptop which

o plays nice with DHCP (for talking to a SOHO wired router),

o same for other common SOHO or internet cafe usage scenarios,

o doesn't inadvertently block other necessary and legitimate actions,

o plays nice with Debian-tor (for using apt-transport-tor),

o plays nice with Tor Browser (installed from the latest Tor Browser Bundle, so with its own stand-along Tor client),

please?

If you don't publish timely HOWTOs, your users will go the internet for advice, where they will find all manner of

o misinformation ("a fresh Debian install is firewalled by default"),

o terribly bad advice ("Debian users don't need firewalls"),

o dangerously inappropriate/outdated information (my search engine "helpfully" pointed at ten year old HOWTOs on using ipchains to set up a firewall for a LAN).

The likely result: not just suboptimal solutions to security problems, but dangerous "solutions" which solve nothing but create even more vulnerabilities for ordinary Tor users.

Please "Help wanted", ask to the appropriate blog/mailing-list :
https://lists.debian.org/debian-user/2017/07/maillist.html
https://wiki.debian.org/nftables
you could also contact a lug.
https://www.lifewire.com/soho-routers-and-networks-explained-3971344 (updated july 06 2017)
https://www.examcollection.com/certification-training/a-plus-how-to-sec…
# Debian users do not make 'potentially harmful errors' and do not follow dangerously inappropriate/outdated information.
take a look here for a better help :
https://sparkylinux.org/
or choose another distrib ,)
#time , patience & be involved needed
Thanks.

Anonymous (not verified) said:

July 09, 2017

Permalink

I've noticed recently that my entry relays for all my connections were from the same nation, only one that nation.

I read about https://decvnxytmk.oedi.net/docs/faq.html.en#EntryGuards, but I think it would be troublesome if my entry guards were from only one country all the time. This didn't happen before (my entry relays had been from various nations). Are there some things wrong with that??

(I use obsf4 bridges, and I have just changed to use a very few bridges I saved before to change the nation of my entry relays).

I used to create gmail accounts on Tor Browser. One thing I noticed is that they (Google) match our GeoIP nation with our phone number country code: when these don't match, they won't allow us to create an account.

I can't recall how I overcome this, but it's possible. However, they (Google) seemed to figure out where I'm really from (which country/nation) when they finally allowed me to create the accounts (can't recall this exactly; that was quite some time ago)!

Anon (not verified) said:

July 12, 2017

Permalink

First of all a big thank you to the Tor team for all their hard work.

Second, Mozilla decided to use Google Analytics on the about:addons page as a means to track the user's addon selection behavior.

See here https://twitter.com/NicolasPetton/status/884694176515936256 and here https://bugzilla.mozilla.org/show_bug.cgi?id=1302552#c1

I think this is absolutely underhanded and in case of Tor goes against everything you are trying to accomplish.

Maybe you could remove this in the upcoming releases since you are already heavily altering the FF code?

yawning

yawning said:

July 12, 2017

Permalink

> Users shouldn't be installing additional addons anyway.

Doesn't stop a lot of people from doing unwise things.

> So all Tor Browser users should look the same.

To a highly intrusive metrics package?

> So there shouldn't be any issue.

As a matter of principle, having analytics running in an `about:` page without being explicitly opt-in is scummy behavior at best.

Someone went and filed: https://trac.torproject.org/projects/tor/ticket/22900

I went and filed/fixed: https://trac.torproject.org/projects/tor/ticket/22899

> Maybe you could remove this in the upcoming releases since you are already heavily altering the FF code?

This is hard, because it's server side behavior. For what it's worth git master of the Linux sandbox now "solves" this by totally breaking the `about:addons` "Get Addons" pane unless users explicitly (and unwisely) choose to allow Tor Browser to write to the extensions directory.

Anonymous (not verified) said:

July 16, 2017

Permalink

Wow, absolutely appalling, Mozilla (and Google). Good catch by the OP in the cited discussion.

Yawning, thanks for taking prompt action to stop this.

Tor4Linux (not verified) said:

July 12, 2017

Permalink

Tor browser cannot be downloaded and installed from the Ubuntu store because of validation error. Is the best way to install Ubuntu torbrowser still from your site?

pastly

pastly said:

July 13, 2017

Permalink

> Tor browser cannot be downloaded and installed from the Ubuntu store because of validation error.

That sounds like the following very common issue. https://github.com/micahflee/torbrowser-launcher/issues/263

Note: tor-browser-launcher isn't maintained by the Tor Project, but it does seem to be a pretty good program. All it does is download the latest Tor Browser from torproject.org and install it for you.

> Is the best way to install Ubuntu torbrowser still from your site?

Yes.

Sebastion1 (not verified) said:

July 14, 2017

Permalink

Hi,
With the recent update on Tor, i noticed sites that used to be secure are now unsecure. Is there a setting i am missing?

Thanks

Anonymous (not verified) said:

July 14, 2017

Permalink

Since this update, Tor browser fails to launch on Windows 10. The Status window appears saying that it's connecting, and within a couple seconds, Windows reports that Tor Browser has stopped working. Deleting my custom torrc file seemed to help to actually get to the stage where the browser opens, but even so, tabs crash within seconds and display the tab has crashed message.

Do you have an antivirus/firewall software installed? If so, please uninstall it (disabling is often not enough) and check whether that fixes your issue. We have a bunch of reports matching yours of users having Trusteer products installed and the problem in this case is that Trusteer software is interfering with Tor Browser, crashing it.

Anonymous (not verified) said:

July 20, 2017

Permalink

Never heard of Trusteer and it's not installed. I have Comodo Firewall 10.0.1.6209, Malwarebytes 3.1.2 and Eset AV 10.0.390.0 installed. Tor Browser has functioned as expected with these products installed up until now. I tried disabling them, but no difference. The hassle of uninstalling them to test is too much for me. Is there something in particular that Trusteer is doing/modifying that you know is causing this?

Could you try whitelisting Tor Browser's firefox.exe and tor.exe in your firewall/antimaleware tools somehow?

What they do depends on the actual tool being used. Most of them are scanning and analyzing traffic in order to look for patterns they deem malicious. Others are injecting own code into the Tor Browser related processes often causing crashes.

Anonymous (not verified) said:

July 26, 2017

Permalink

Unfortunately, whitelisting Firefox/Tor or disabling the softwares made no difference. With every attempt to launch, Tor browser would crash as usual, sometimes offering to start in Safe Mode. I also tried renaming my torrc file again so Tor browser would create a new one, it too seemed to make no difference, so I reverted that change.

After having re-enabled the system protection and removed whitelists, I was attempting again and thought to try and get the Tor Status window's Open Settings button to press before it would normally crash and I succeeded. I then proceeded to click Configure and run through that wizard. After completing it, Tor browser opened and stayed open. Having closed and reopened Tor Browser many times now, it seems fixed. No more crashing, connecting every time.

Anonymous (not verified) said:

July 26, 2017

Permalink

Seems I spoke too soon. The browser is still crashing, but spamming the Open Settings button to get the Configure wizard option seems a pretty reliable way to actually get Tor browser to launch without it instantly crashing. I type my response via Tor right now, though the Firefox tabs still crash fairly often, but it's at least somewhat usable.

Anonymous (not verified) said:

August 13, 2017

Permalink

Things seem to be fixed now. Not sure if it was the recent update to Tor that fixed it or a change to whichever software was conflicting.

Catman (not verified) said:

July 14, 2017

Permalink

Am I able to change my identity in TBB 7.0.2 and if so, how? Thanks in advance for any feedback!

anon (not verified) said:

July 15, 2017

Permalink

Ver 7 requires the use of pulseaudio, which is not usable on my system. Perhaps this is the time to consider another browser for Tor-Browser? In order for me to use Tor-Browser I have to stay with an insecure 6.5 version, if I wish to have audio. The fact that the auto-update choice is "not-a-choice" does not help the situation, but that is
a bug that was not found and therefore did not get fixed. I have had to resort to editing the update ini files, and setting the sticky bit, on order to stop the auto-updating.

Hmm... pulseaudio has always seemed to me to be rather dangerous. At least on Debian systems it uses /dev/shm (shared memory) and as far as I can tell from the developer's blogs, it records everything by default, and one has to trust in systemd if one wants to disable it.

I notice that Tails 3.0.1 does not appear to run pulseaudio by default, which may or may not reflect similar security concerns from the Tails Project.

An audio daemon using shared memory by default for IPC is entirely unsurprising. If it bothers you that much, it's optional, though it will come at a performance/latency hit.

> enable-shm= Enable data transfer via POSIX or memfd shared memory. Takes a boolean argument, defaults to yes. The --disable-shm command line argument takes precedence.
>
> enable-memfd=. Enable memfd shared memory. Takes a boolean argument, defaults to yes.

Wojak (not verified) said:

July 16, 2017

Permalink

Since 7.0 was release, every saved image gets downloaded twice. Every time I click an image thumbnail to open it in a new tab, it downloads the image and displays it. Fine and good. But starting with 7.0 if I choose to save the image while it's still open inside the tab, it downloads the file again again rather than just copying it from the local cache like it used to. This is a big deal for people like myself with very small data plans. Is this a bug or new feature? I'm seriously considering rolling back to a previous version. PLZ FIX.

Luann (not verified) said:

July 16, 2017

Permalink

I would like to know how to run Tor on the newest version of Adobe Flash Player (26.0.0.137). Because I need the newest version to play

mousa (not verified) said:

July 16, 2017

Permalink

thank sooooooooooooooooooooooooooooooooooooooooooooooooooooo

qqwas (not verified) said:

July 16, 2017

Permalink

I downloaded tor 7.0.2 (linux x32) and i can't connect to the tor network. It freezes at 'establishing a tor circuit' but when i launch old version 7.0.1 everything is ok. What's wrong? How to solve this issue?

Hm. There are no big changes between 7.0.1 and 7.0.2 (mainly a new tor got added containing security fixes). Could you show us the debug output you get when launching Tor Browser from the command line with ./start-tor-browser.desktop --debug?

Gazorpazorpfeild (not verified) said:

July 17, 2017

Permalink

my tor has problems loading URL sites, is this caused by an older version of tor being run when there is newer?

Alan Mintaka (not verified) said:

July 20, 2017

Permalink

I can't use Tor at all. No matter what site I try to access, I get the "Bad Gateway 502" message. I'm open to suggestion. What do I do? My internet connection is Comcast Broadband, I'm using Windows Firewall and Avast Free AV. Do I have to tell Windows Firewall to allow Tor to connect to the Internet? I didn't have to do that with Firefox, Chrome, or Windows Internet Explorer.

Anonymous (not verified) said:

July 21, 2017

Permalink

First of all, nice upgrade of the blog layout and design. However this light/white background makes my eyes hurt.
is there any way to make background dark?

Ok, let's get down to business! this is no big issue really but i still find it kinda annoying.
everytime i do pick (new identity) the window restarts on opposite side of the screen of where it was when was restarted. for example if it was on the right side it will jump to the left side and other way around.

why this sudden change? and is there a way to keep it still? lol

NathanFranky (not verified) said:

July 21, 2017

Permalink

If I get it correctly, if I watch a playlist on youtube, the path streams will change after each videos ? Which would explain why sometimes the first video is perfect and the next one is a hell beacuse of bad relays.
Can someone confirm please, thanks

> If I get it correctly, if I watch a playlist on youtube, the path streams will change after each videos ?

It's fixed by top level domain (eg: "youtube.com"), so the behavior you describe would be a severe bug.

Arfu (not verified) said:

July 22, 2017

Permalink

None of 7.0.1, 7.0.2 nor 7.5a2 (all en-US) launches on my Windows 10 system.

Faulting application name: firefox.exe, version: 52.2.0.6242, time stamp: 0x00000000
Faulting module name: KERNELBASE.dll, version: 10.0.14393.1378, time stamp: 0x594a13be
Exception code: 0xc06d007f
Fault offset: 0x000da9f2
Faulting process id: 0x1ddc
Faulting application start time: 0x01d302e83a892015
Faulting application path: C:\[MY-CUSTOM-PATH]\Tor Browser\Browser\firefox.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: a552d7dc-1f95-41ac-abb9-859ca7348a44
Faulting package full name:
Faulting package-relative application ID:

Thanks for all you do.

That looks like you have some Trusteer product installed that is interfering with Tor Browser. Unfortunately, there is currently no better solution than to uninstall that one in order to get Tor Browser running.

Anonymous (not verified) said:

July 26, 2017

Permalink

tor browser always switches to mobile. version instead of regular twi tter web page. browsing it is awful. other web browser stays in regular version

Anonymous (not verified) said:

July 28, 2017

Permalink

English

Billy Payer (not verified) said:

July 29, 2017

Permalink

This update is very bad. It demands Mac OS 10.9. My machine can't use 10.9!
Please give me a version which works on Mac OS 10.6.8

xakep14 (not verified) said:

July 29, 2017

Permalink

Hello, I have a problem with update. The last update that was installed is 7.0.0, 7.0.1 and 7.0.2 ask me to reset tor-browser for update but after reset update not installed and ask restart again and again. I have with firefox the same problem now, windows 10 x64 Home. How can I resolve this problem?

Anonymous (not verified) said:

July 31, 2017

Permalink

After the update, HTTPS Everywhere was gone.

Also, after browsing and exiting and restarting Tor Browser, there were some strange URLs in the address bar, that I didn't type. I had to re-install Tor Browser to get rid of them.

Anonymous (not verified) said:

August 03, 2017

Permalink

They had something like "track_id" in them.

There were a couple of days between those two events. I can't remember what happened first.

Anonymous (not verified) said:

August 17, 2017

Permalink

Any news on this?

The latest update of HTTPS Everywhere, 2017.8.15, caused problems too: the icon was moved from the menu to the toolbar and the extension was broken. Re-installing HTTPS Everywhere did NOT solve this.

Can an underlying cause affect other Tor Browser functionality?

Also, when typing "https" in the address bar, I sometimes get an ordinary HTTP connection, without any warning. Is this normal?

goftesh admin (not verified) said:

August 01, 2017

Permalink

Some followup feedback. I've noticed no matter what i try my (javascript/ajax-based) chat room does not load with Tor. It loads with all the other browsers I have tried, including Opera thru VPN
the site is at www.goftesh.com

thanks you!

Thanks for this report. I opened https://trac.torproject.org/projects/tor/ticket/23141. Unfortunately, there is not much we can do as Cloudflare is causing this. It is sitting between you and the website and denying the chat loading due to a bug in their system. We are currently trying to get hold on a Cloudflare engineer helping us with that but it is not easy it seems.

Edit: Oh, if you are indeed the admin then this should be fixable on your end as you are supposed to be in control of the Cloudflare settings you apply to your site. Let us know how it goes.

NowUcME (not verified) said:

August 03, 2017

Permalink

Hi TOR people, I was wondering if I cant run a TOR relay with the latest TAILS 3.0.1 Live usb key???

And if so, how to configure it?

Thanks a lot.