Tor Browser 7.0a1 is released

by boklm | January 25, 2017

Tor Browser 7.0a1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Tor Browser 7.0a1 is the first alpha in the 7.0 series. Apart from the usual Firefox update (to 45.7.0 ESR) it contains the first alpha in the tor 0.3.0 series (0.3.0.1-alpha) and an updated HTTPS-Everywhere (5.2.9) + NoScript (2.9.5.3).

Tor Browser 7.0a1 is the first alpha allowing Linux users to test Snowflake, a new WebRTC-based pluggable transport. Additionally, we include bug fixes both to our sandboxing solutions for Linux (sandboxed-tor-browser 0.0.3) and macOS. For Windows users we plugged a timezone leak that got introduced by enabling ICU in Firefox when switching to ESR 45.

The full changelog since 6.5a6 is:

  • All Platforms
    • Update Firefox to 45.7.0esr
    • Tor to 0.3.0.2-alpha
    • Update Torbutton to 1.9.7
      • Bug 19898: Use DuckDuckGo on about:tor
      • Bug 21091: Hide the update check menu entry when running under the sandbox
      • Bug 21243: Add links to es, fr, and pt Tor Browser manual
      • Bug 21194: Show snowflake in the circuit display
      • Bug 21131: Remove 2016 donation banner
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.9
    • Update NoScript to 2.9.5.3
    • Bug 20471: Allow javascript: links from HTTPS first party pages
    • Bug 20651: DuckDuckGo does not work with JavaScript disabled
    • Bug 20589: Add new MAR signing key
  • Windows
    • Bug 20981: On Windows, check TZ for timezone first
  • OS X
    • Bug 20989: Browser sandbox profile is too restrictive on OSX 10.12.2
  • Linux
    • Update sandboxed-tor-browser to 0.0.3
    • Bug 20735: Add snowflake pluggable transport to alpha Linux builds
  • Build system
    • All platforms
    • Linux
      • Bug 21103: Update descriptors for sandboxed-tor-browser 0.0.3

Comments

Please note that the comment area below has been archived.

January 25, 2017

Open this :)
http://fylvgu5r6gcdadeo.onion/test
and:
[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIHttpChannel.getResponseHeader]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: chrome://noscript/content/Main.js :: ns.mustBlockJS :: line 3742" data: no]
ns.mustBlockJS@chrome://noscript/content/Main.js:3742:35
ns._onWindowCreatedReal@chrome://noscript/content/Main.js:3759:23
ns.observe@chrome://noscript/content/Main.js:131:9

January 25, 2017

Seeing every 24 minutes during idle:
Torbutton INFO: Updated NoScript status for security settings

So, you are doing nothing (no preference changes, not opening the security slider...) and, though, there is a regular 24min interval where that message shows up?

January 25, 2017

In reply to gk

Yes.

gk

January 25, 2017

In reply to by Anonymous (not verified)

Okay, that's due to `noscript.subscription.lastCheck` changing and we are updating the icon when any NoScript related preference changes. We should fix that I guess. Oh, and there is no real subscription check in the background as there are no subscription URLs in Tor Browser available. Nevertheless, the timer gets updated every 24 minutes. I'll file a ticket for that later, thanks.

January 25, 2017

Is there already a snowflake add-on for Firefox and Chrome that turns the browser into a bridge, like the flashproxy badge for Firefox and Cupcake for Chrome?

January 25, 2017

So with snowflake Google acts as a directory server and a server hosted on Edutel as a bridge?

The model is very similar to Flashproxy, but s/WebSocket/WebRTC/
https://crypto.stanford.edu/flashproxy/

See https://trac.torproject.org/projects/tor/wiki/doc/Snowflake

There's nothing special about Google here, it's just the first CDN we chose,
https://github.com/keroserene/snowflake/issues/17

It's used to discover and exchange offer/answer between the client and proxies, so, yeah, something like a directory. But meek-like domain fronting is used so this rendez-vous isn't immediately blocked. After which, WebRTC takes over to shuttle the bits.

The bridge on Edutel just happens to be running the server component of the pt,
https://trac.torproject.org/projects/tor/ticket/18654
but that's configurable as well, and we'll eventually want more bridges as the need for capacity increases.

January 27, 2017

Does snowflake look like WebRTC without actually enabling it in the browser? I think there are ways to use WebRTC to deanonymize people.

January 27, 2017

I suspect this may be a major bug for 7.01alpha and possibly birdie related

With system-based 6.5 things work great for me (deb stretch), and 6.5 standalone seems the same, but with standalone 7.01a, although it functions as a browser just fine, icedove-birdie cannot connect. Leaving it offline and switching back to either of the first two, it regains connection. I am not knowledgeable enough to distinguish whether this is birdie or 7alpha related; I am more inclined to think of the 7a.

Hardened still creates an enormous VMM of some TB and turns to a freezing slug.
Sandboxing the tor seems as a project that needs its own page of instructions of how it can be done. All efforts have failed and I am tired of guessing stuff

Regarding your Icedove issue: Yes, this is due to a bug in 7.0a1 (https://trac.torproject.org/projects/tor/ticket/20761). Resolving that one takes some time as we need a tor patch as well (which meanwhile landed on master). We hope to have that issue fixed in the next regular alpha release.

Sandboxing on Linux is nowadays relatively straightforward thanks to Yawning's work. We provide binaries for 64bit systems on our download page: https://decvnxytmk.oedi.net/projects/torbrowser.html.en#downloads-sandbox More information behind it and system requirements needed can be found on: https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Sandbox/Li…

January 27, 2017

In reply to gk

I appreciate the information but somehow this does not solve any issues. If an alpha edition will for sure break a major related package within the same family, why release it then?

The on the sandbox riddle, the last time it was released I spent a couple of days trying to figure out how to make it work. I have no other interest in any of the necessary packages to sandbox anything else. bwrap flatpak firejail (I did eventually get a firefox working in firejail). Zero. Between this team and the debian team there are NO INSTRUCTIONS WHATSOEVER that lead to make any of this work. This time I will end the effort after the first day. Why is it that we need to do a 2 dissertation research for each and every single command line? Before our brain turns to a noodle between the 1001 open tabs of conflicting instructions or lack thereof, to find 1 command line that actually returns a meaningful outcome or an interpretative error message.

For those of us that security may be a need to address but are neither programmers nor developers, some instructions in normal people's English (or even other languages) help tremendously. I urge you to find the next person at random in your environment and ask them to check your suggested links and see what they say and whether they can make something work.

Is it only me?

No wonder people can not leave the windows/apple worlds as this other world is very hostile to non programmers and non-native-C speakers. And I go back to ultrix/unix years which many of you may only find in a museum.

> or even other languages

> The on the sandbox riddle, the last time it was released I spent a couple of days trying to figure out how to make it work.

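1. Install the dependency packages. The details are on the wiki page linked from the blog post, but on a typical system you just need to install bubblewrap.
2. Extract the sandboxed-tor-browser archive.
3. Run the sandboxed-tor-browser binary.

Note: Debian only puts ancient packages in its stable repository, so bubblewrap needs to be installed from the jessie-backports repository.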

I have made it work with firejail but do not trust it, I have not been able to find a proper command line with bwrap to make it work. If a user that has, can pass along an example command line that employs it, it would be kindness to us stupid folk

January 30, 2017

In reply to yawning

$ ./sandboxed-tor-browser

Doesn't seem to do much alone. Firejail and tools seem to rely on bwrap and flatpak but it worked through it. You run the first time ./sandboxed-tor-browser --install and then you can run ./sandboxed-tor-browser --advanced config to configure it. Although I can only trust it is somehow sandboxed because from your browser you may only have access to the directories you specify in config, but it is hard to tell how sandboxed it really is. It seems as a good direction for experimentation.

I am sure the future is heading that direction

PS Can one use a disk based tor as a proxy for the sandboxed tor, and does this make any sense?

-castana

yawning

January 30, 2017

In reply to by Anonymous (not verified)

> Doesn't seem to do much alone. Firejail and tools seem to rely on bwrap and flatpak but it worked through it. You run the first time ./sandboxed-tor-browser --install and then you can run ./sandboxed-tor-browser --advanced config to configure it.

What? The first time it runs, it will run the installer and configure step. Every time afterwards it skips those steps as long as Tor Browser successfully launches.

Behavior otherwise is a bug, though I haven't heard of any reports of that.

> Although I can only trust it is somehow sandboxed because from your browser you may only have access to the directories you specify in config, but it is hard to tell how sandboxed it really is.

Read the source code.

> and does this make any sense?

No.

February 25, 2017

In reply to yawning

Help me

January 29, 2017

Virus Total says that TOR 6.5a6 has a malware.
Versions 6.5 and 7.0 showed up as a virus on 360total security

SHA256: c473127c7e54d983af15f83da0c0c6098ac706889917545d9b1abe1e3fcb0ded

File name: torbrowser-install-6.5a6_en-US.exe

Detection ratio: 1 / 44

Analysis date: 2017-01-29 22:00:47 UTC ( 2 minutes ago )

Antivirus Result Update
Qihoo-360 HEUR/QVM20.1.0000.Malware.Gen 20170129

January 30, 2017

Admin and ToR staff, thanks for your hard work. I appreciate the TOR software and I was posting the above warning only to help others detect and fix bugs. I did not mean to be unappreciative. I will donate to the project and encourage all others reading this to also contribute to TOR to protect our freedom, especially in the face of what is to come in the next 4 years.

January 31, 2017

Is this true that now we can use alpha version and it is indistinguishable from stable when Tor replaced to stable?

If you are replacing the alpha tor with the stable one this still leaves all the browser patches that are new in the alpha unaddressed. And chances are non-null that any of those new patches changes the behavior of Tor Browser in a detectable way.

January 31, 2017

In reply to gk

Sure. Thanks for the explanation. But is this true that Tor Browser stopped to expose settings which allowed to detect its version?

I think we did not expose anything that could be directly queried for getting the Tor Browser version. But there might still be some side-channels available to extract that information indirectly.

January 31, 2017

Well, for me on Ubuntu 14.04 x64 this new tor browser failed to connect with snowflake. But then it managed to connect over obfs4 and switch to snowflake in tor network settings.

January 31, 2017

You may have a bug in Tor.

Can't open Tor browser today.

Keep getting message: Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start. Never happened before.

February 08, 2017

I can't get this particular version of tor browser to work.

The tor status window is stuck at the last step 'establishing a tor circuit' forever, literally (waiting for hours and nothing changes).

I downloaded the installation file from tor browser 6.5, which I'm using now.

I'll try to download again or upgrade older 6.5 alpha version and see what happens next, anyone else encountering the same issue?

February 09, 2017

In reply to gk

I'm using windows7, and yes this is a clean installation, downloaded using TBB 6.5.

BTW, since vidalia is long dead, is there any way to tell TBB to generate a log file?

February 11, 2017

In reply to gk

I think I got this one...

I edited the torrc file and removed some ancient bridge addresses, and BAM!

it worked...Sorry guys, problem seems on my end..

February 09, 2017

I'm using TBB upgraded from previous versions so that search is being redirected from disconnect.me to ddg.com. But if I don't scroll my search results something appears after some time of inactivity:
You are being redirected to the non-JavaScript site.Click here if it doesn't happen automatically.
It looks like TBB forgets about JS-enabled for https (Medium settings).

February 21, 2017

In reply to gk

Yes, it is. And when you move your mouse to the upper border TBB UI should be shown.

I tested this on Windows and you are right there is no menu shown. But this neither happens on Linux nor on Windows with a vanilla Firefox 45 ESR. So, I'd say this should be a feature request to Mozilla (I have not checked whether your feature request got already included in the upcoming Firefox 52 ESR release or in any version between ESR 45 and ESR 52).

February 19, 2017

Re this:

"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."

This seemed to be caused, for me, by having a normal instance of Firefox (which also is configured to use my system Tor daemon as a SOCKS5 proxy) running alongside, while torbrowser-launcher was updating.

Closing "regular" Firefox solved this, in my case. This is Ubuntu 16.04 amd-64.

If you have a system installation of tor and tor-browser, instead of a standalone package, how is it that tor-browser can trigger an update without a root or sudo password being asked? Is this a system security violation?

It is using its own updater regardless at which place it is put. So, while this update gets triggered even if you put Tor Browser into directories only a privileged user can access I guess the update is failing if executed as non-privileged user.

February 22, 2017

My Guard has Tor 0.2.9.9 on Linux and up-time 20+ days, but when I switch circuit for some site too often (f#%# captcha), my guard is changing to another one and back! WTF is going on?

So, now I have one site reloading through the new guard and another site reloading fine through the old guard right after the first one has just switched the guard!

February 24, 2017

So, is there any evidence that the tor-project still exists, it is nice to hear from you guys once a week or so so we may know not to worry ... hello! hello hello hello .....

March 01, 2017

In reply to gk

No no no, you should change circuit until find not blacklisted one and scroll userlist of chat and see traffic and CPU usage after some time.