New Release: Tor Browser 9.0.9
Tor Browser 9.0.9 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 68.7.0esr, NoScript to 11.0.23, and OpenSSL to 1.1.1f.
Also, this release features important security updates to Firefox.
The full changelog since Tor Browser 9.0.8 is:
- All Platforms
  - Update Firefox to 68.7.0esr
  - Bump NoScript to 11.0.23
  - Bug 33630: Remove noisebridge01 default bridge
- Windows + OS X + Linux
  - Bug 33771: Update some existing licenses and add Libevent license
  - Bug 33723: Bump openssl version to 1.1.1f
- Windows
  - Bug 33805: Remove escape-openssldir.patch
Comments
Please note that the comment area below has been archived.
Does using bridges increase…
Does using bridges increase privacy, or it is just tool to bypass censorship?
It's mainly for bypassing…
It's mainly for bypassing censorship.
With some pluggable transports it can also help hide from your ISP the fact that you are using Tor.
Thank you for your response.
Thank you for your response.
Not Found The requested URL…
Not Found
The requested URL was not found on this server.
Apache Server at dist.torproject.org Port 443
One of our mirrors is having…
One of our mirrors (round-robin dns on dist.tpo) is having an issue (disk full) and not updating correctly. We are working to fix it.
If you try again you might reach another mirror which was correctly updated.
https://blog.torproject.org…
https://blog.torproject.org/new-release-tor-browser-908
> You are not authorized to access this page.
Have not seen that before. Any ideas?
You still aren't posting to…
You still aren't posting to your social media as soon as there is an update. Please do.
https://mastodon.social/@torproject/
You are still not shipping…
You are still not shipping the latest version of extensions with the browser and still relying upon automatic updates.
How long does the first hop,…
How long does the first hop, Guard, stay the same? I've had the same Guard now for the past 7 or 8 months.
This single guard has persisted even through multiple Tor Browser version updates during that time. Only time the Guard changes is when I delete all the files in the settings files from Data-Tor directory. Then whichever Guard gets newly selected, once again persists forever.
My concern here is security; when the same Guard persists for so long, someone could target it, as the first hop in a chain, to break anonymity.
You can find more details…
You can find more details about the guard selection algorithm on this page:
https://gitweb.torproject.org/torspec.git/tree/proposals/271-another-gu…
@ boklm: Do you know…
@ boklm:
Do you know whether Tor Project still accepts donations by mail during the COVID-19 lock down? How about Riseup Networks? (I try to help Tails and Tor Project indirectly by donating to Riseup.)
Yes, Tor Project still…
Yes, Tor Project still accepts donations by mail.
I assume riseup probably does too, but you should ask them directly.
No they don't take donations…
No they don't take donations right now. torproject have donation lockdown online out of fear from the online spreading of Covid-19.
Just joking, they are hiding the virus thru several layers of encryption in your exit nodes and still accepting donations xD Merry Christmas!
Don't lick the envelope…
Don't lick the envelope. Wring out a sponge or cloth, and dab the envelope's seal on the sponge or cloth. https://www.kxly.com/whether-healthy-or-sick-please-dont-lick-warns-dep…
The link posted by @anon,…
The link posted by @anon, https://support.torproject.org/tbb/tbb-2/, states that guard IP changes every 2 to 3 months. But my guard IP has been the same for 7 to 8 months!
I'm thinking maybe your Tor…
I'm thinking maybe your Tor client actually is choosing a guard node every 2-3 months, but it just happens to have picked the same one three times in a row. As far as I know, the only reason for choosing a new one every 2-3 months is in case there is a guard available that has better uptime or bandwidth than the ones you already have. I don't think there are any anonymity concerns with using the same guards longer than the 2-3 month default, it's just that clients could miss out on higher-performance guards if they kept the same ones forever. So as long as your client is **checking** for a new guard every 2-3 months, it's okay if it chooses the same one it already has. I don't know for sure.
Can anyone confirm if this is correct?
> it just happens to have…
> it just happens to have picked the same one three times in a row.
Unlikely. There are about 3,400 guard relays. I question OP's memory of 7-8 months ago unless they wrote it down at the time.
https://metrics.torproject.org/relayflags.html
> So as long as your client is **checking** for a new guard every 2-3 months, it's okay if it chooses the same one it already has. I don't know for sure.
Sounds correct to me, but I don't know for sure either.
Purple pages at top ->…
Purple pages at top -> Support -> Why is the first IP address in my relay circuit always the same? https://support.torproject.org/tbb/tbb-2/
@anon Thanks for the link…
@anon
Thanks for the link. It just confirmed my suspicions; that link states guard IP changes every 2 to 3 months. But I've had the same guard IP now for 7 or 8 months.
> My concern here is…
> My concern here is security; when the same Guard persists for so long, someone could target it, as the first hop in a chain, to break anonymity.
Thought I'd add that anonymity-preserving characteristics of Tor circuits are not always very intuitive, and based upon what we know about how our enemies have been de-anonymizing Tor users, it seems that keeping the Guards persistent is actually much less dangerous than changing them constantly.
That is why Tails Project has been trying so hard (for several years) to find some way of ensuring that people who boot Tails from a live USB keep their guards the same way that people who use Tor Browser installed in their regular system (booted from a hard disk) do.
Currently i can set Guards…
Currently I can set Guards in a livebooting, DVD/USB, Tails EASILY?
Something like root->run GUI/script for setting Guards manually or automatically?
I don't see any benefit in…
I don't see any benefit in continuing to bundle Disconnect search into the browser. It uses DuckDuckGo anyway, and it redirects to duckduckgo.com's results pages, providing no layer of privacy.
What is Tor Project's opinion of SearX, MetaGer, and Gibiru?
Disconnect is not included…
Disconnect is not included in current releases, if you do a new install. However if you installed Tor Browser a long time ago, you might still have it as the update process does not remove search engines.
I don't know MetaGer and Gibiru, but for SearX I think it depends who is running the instance you are using, and whether you trust them.
> Disconnect is not included…
> Disconnect is not included in current releases, if you do a new install.
It shows up in my new install of 9.0.9.
Which OS are you using? If…
Which OS are you using? If on macOS, you need to remove the TorBrowser-data folder when doing a new install:
https://tb-manual.torproject.org/uninstalling/
Linux. Disconnect and the…
Linux. Disconnect and the other default search engines are defined in
/tor-browser_en-US/Browser/browser/omni.ja
--> /chrome/browser/search-extensions/list.json
Can I ask an open-ended…
Can I ask an open-ended question about an observation which has been worrying me?
Since many months I have noticed when surfing to sites such as Propublica multiple connections to very popular sites such as facebook.com which involve different Tor circuits, so the effect is that one user generates multiple streams to read one webpage:
user === entry1 === relay1 === exit2 -- OCSP.server (certificate lookup)
user === entry2 === relay2 === exit3 -- https.landing.page
user == entry2 === relay3 === exit4 ---https.landing.page
...
user == entry2 === relay5 === exit3 -- https.landing.page
As the above diagram suggests, often two or more of the circuits share an exit or relay node, and all have the same entry node. I often see five circuits just for one webpage. Doesn't this tend to enable deanonymization?
A related observation: when using the duckduckgo search site, I see separate circuits for OCSP lookup, icon download, and search query upload. Is this dangerous?
Any privacy researchers out there?
P.S. I see Facebook has teamed up with Carnegie Mellon Software Engineering Institute (SEI) to develop a digital contact tracing app for smart phone users who use FB (i.e. everyone?). Tor users are not likely to be happy about this partnership.
P.P.S.: am I wrong in guessing that Cloudflare runs about half of Tor exit servers?
What makes you say that…
What makes you say that Cloudflare runs about half of Tor exit servers? I don't think that's the case, and I'm not even sure that they run any.
Speaking of Cloudflare. I…
Speaking of Cloudflare. I have observed that during a reload of a Cloudflare page the circuits rapidly change several times until the reloaded page is finally displayed. This happens with each reload. Guard node remains the same.
Yes, I see that too.
Yes, I see that too.
@ boklm: It's a hunch based…
@ boklm:
It's a hunch based upon:
1. my guess that many sites I visit (US news sites and NGOs) are protected by Cloudflare from people abusing Tor to do DDOS against entities they dislike,
2. my observations that my Tor circuits to these sites almost always end with an exit node operated by a single large family of fast nodes,
My concern is not based upon the assumption that the OCSP server or even the website operator is knowingly collaborating with some entity hostile to Tor users (Carnegie-Mellon SEI perhaps?), but that said entity may have access to or influence over the family. My concern is that an entity which can control an exit node family (possibly without the knowledge of the putative operator) who has access to multiple circuits associated with a user accessing a specific webpage and who employs software engineers (e.g. SEI) can potentially deanonymize users.
Needless to say, I do not believe I am doing anything illegal or even wrong in attempting to read news articles (which to my knowledge are NOT behind paywalls). However, US law is extremely murky and as the USA continues to veer toward an ugly dystopian authoritarian kleptocratic style of "democratic government" [sic] (apparently modeled on Putinism), it may not be unreasonable to fear that hostile entities are plotting vicious actions against people who are not doing anything illegal, who are not even doing anything wrong.
Speaking of SEI, did you see that they are working with Facebook to develop a "digital contact tracing app" for smart phones, basically real-time geolocation which will share the details of all your physical contacts (and probably much much more) with government agencies? Further, did you see that local health authorities in the US have moved quickly to share "digital contact tracing" data on specific persons with local police? There is no indication that any US official (federal, state, county, municipal) plans to stop this dangerous information sharing after the first wave of the COVID-19 pandemic is declared "under control".
Your hard work and your feedback here are valued! Thank you and thanks to everyone who continues to make TP work during these difficult times.
> US law is extremely murky…
> US law is extremely murky and as the USA continues to veer toward an ugly dystopian authoritarian kleptocratic style of "democratic government" [sic]
wired.com
Signal Says It Will Leave the US Market If the EARN IT Act Passes Congress
11 Apr 2020
> The end-to-end encrypted messaging app Signal, which is respected and trusted for its transparent, open-source design, says that it will be one of the immediate casualties should the controversial EARN IT Act pass Congress.
Why is Tor Project silent?
Perfect forward secrecy is built into Tor. It will be illegal under the EARN-IT Act. Tor Project is based in the USA and immediately subject to US law.
@ Isa: Signal's plan is to leave. What is our plan?
> I don't think > I'm not…
> I don't think
> I'm not even sure
I'm someone else and also speculating, but it would hypothetically be in their interests to trigger their own defenses, attack new unprotected customers toward contracting with them, throw a wrench into Tor users' experience, and more all at the same time. Although, DoS and surveillance contractors are in the interests of many organizations.
I think you are saying that…
I think you are saying that Cloudflare clearly has an interest in promoting the possibly misleading notion that actual baddies are actually abusing Tor to mount DDOS attacks on legitimate news sites, when it is possible, maybe even probable, that many of those "attacks" are done by Cloudflare itself in order to drum up more business.
If so, yes, I agree. The US has made a terrible mistake in growing up a security industry instead of a privacy industry. Because the security industry has a vested interest in ensuring that cybersecurity and terrorism threats (as perceived by governments and businesses) only get even more dire, forcing entities with deep pockets to transfer more and more of their wealth to companies like Cloudflare.
That whole "China is stealing" narrative has a basis in fact, like any Big Lie, but it is essentially a magician's trick to divert attention from the far more serious home-grown kleptocracy.
Sit back and watch Big Bad Everyboy steal all that COVID rescue money which Congress says it intended to direct to small businesses who lost all their customers due to mandatory lockdown.
It appears that GOP and Democratic Party loyalists actually agree on this. Their disagreement is about whether or not such naked kleptocracy is something to be admired and enabled, or something to be denounced and prevented.
DuckDuckGo - 2 covert…
DuckDuckGo - 2 covert problems:
1. Seemingly excusable auto-fetching of their icon if you are searching the DuckDuckGoOnion site (https://3g2upl4pq6kufc4m.onion over Tor Hidden Services), because they force your browser to download their icon over the clearnet from duckduckgo.com. So the browser always makes a simultaneous connection and leaves a connection record via the clearnet. Hence your hidden services connections may be tracked or deanonymized. Anyone to confirm the risk?
2. DuckDuckGo by default sends your search queries in the URL line ("GET" submission method), which makes your search words easy to log. In the settings they do offer the "POST" method (hopefully embedding your search words within the encrypted portion of traffic), but it's not enabled by default (??!) as if it's not the best for privacy.
If enabled, the setting will not persist in TorBrowser, so it's a hassle to do in every session.
Could the two be accidental?
1. I don't see any…
1. I don't see any connection to duckduckgo.com when using their .onion address. But even if there was, it doesn't mean you get deanonymized.
2. I don't know why they use GET rather than POST but both are encrypted in the same way. It seems POST is what is used if you search using the URL bar.
1. That's probably by design…
1. That's probably by design, otherwise many folks would have a problem. But DuckDuckGoOnion's cleartext connection to duckduckgo.com can be easily seen using some other tools (other than NoScript :-). Check it out by adding the uMatrix add-on, it's very informative. To block it in uMatrix, add a rule like this: 3g2upl4pq6kufc4m.onion duckduckgo.com * block
But of course, adding uMatrix is not recommended, and hence no one knows that this goes on?
Please create a ticket to address this privacy problem with DuckDuckGoOnion. If they really care about privacy, they should be able to serve their icon from the same .onion site.
2. GET vs. POST: no, they are not both encrypted in the same way :-)
Since the URL requests are not encrypted in the HTTPS traffic, then anything submitted via "GET", being attached to the requested URL, likewise is clearly observed and becomes a record in the webserver log.
Why DuckDuckGo uses GET by default is again a valid privacy concern. For example, StartPage offers encrypted POST by default.
Thanks for bringing these to your dev's attention.
URL requests are encrypted…
URL requests are encrypted in the HTTPS traffic.
Not fully. While the GET…
Not fully. While the GET submission in URLs is encrypted in HTTPS, it WILL LEAK in:
https://security.stackexchange.com/questions/176164/is-it-possible-to-s…
"... it is very poor practice to include such sensitive data as a password in a 'GET' request.":
https://stackoverflow.com/questions/893959/if-you-use-https-will-your-u…
Wake up, Tor people.
I think it makes sense to…
I think it makes sense to ask that POST requests are used instead of GET requests, but it doesn't help to make inaccurate claims about encryption of GET requests. But this looks like something to ask to duckduckgo people, as it seems the issue is when searching from their website, with any browser, and not from the Tor Browser URL bar.
1. No. In Tor Browser, when…
1. No. In Tor Browser, when you go from one origin (domain) to another, the browser only sends the domain part, not the path or query, as the referer. So when you click a search result, the site only sees "https://duckduckgo.com/" as the referer. The rest is cut off and discarded.
2. Yes, that's possible, but we don't know. For all we know, they log POST requests too.
3. TB is in permanent private browsing mode, so it doesn't keep any history.
4. This is just one more reason why you shouldn't install any addons/plugins/extensions in Tor Browser. And, if one of your plugins has a zero-day, you have much bigger problems already.
5. Can you give an example, where an application has access to GET data but not POST data?
Your links are irrelevant because TB never sends queries in the referer.
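Added example (not part of any comment above, and not Tor Project or DuckDuckGo code): a small Python model of the GET vs. POST points debated in this thread. It assumes a server that logs only the request line and a browser that trims cross-origin referrers to the origin, as the comment above describes; all function names and the sample query are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit


def build_request(method, url, params):
    """Return the plaintext HTTP/1.1 request. Under HTTPS this whole string
    (request line, headers and body) travels inside the TLS tunnel."""
    parts = urlsplit(url)
    query = urlencode(params)
    path = parts.path or "/"
    if method == "GET":
        # GET: form fields become part of the request target (the URL).
        target, extra, body = f"{path}?{query}", "", ""
    elif method == "POST":
        # POST: form fields travel in the message body instead.
        target, body = path, query
        extra = ("Content-Type: application/x-www-form-urlencoded\r\n"
                 f"Content-Length: {len(body)}\r\n")
    else:
        raise ValueError("only GET and POST are modelled here")
    return f"{method} {target} HTTP/1.1\r\nHost: {parts.netloc}\r\n{extra}\r\n{body}"


def access_log_line(raw_request, client="203.0.113.7"):
    """What a server that logs only the request line would record
    (assumption: Common Log Format style; client address is constructed)."""
    request_line = raw_request.split("\r\n", 1)[0]
    return f'{client} - - [constructed-timestamp] "{request_line}" 200 -'


def visible_outside_tls(url):
    """URL components that are not protected by the TLS tunnel itself:
    the server name and port. Path and query are inside the tunnel."""
    parts = urlsplit(url)
    return {"host": parts.hostname, "port": parts.port or 443}


def cross_origin_referrer(source_url, target_url):
    """Referer value under an 'origin only when cross-origin' policy,
    the behaviour the comment above attributes to Tor Browser."""
    src, dst = urlsplit(source_url), urlsplit(target_url)
    same_origin = ((src.scheme, src.hostname, src.port)
                   == (dst.scheme, dst.hostname, dst.port))
    if same_origin:
        return src._replace(fragment="").geturl()
    return f"{src.scheme}://{src.netloc}/"


if __name__ == "__main__":
    search = {"q": "constructed search terms"}  # constructed sample input
    for method in ("GET", "POST"):
        raw = build_request(method, "https://duckduckgo.com/", search)
        print(method, "server log:", access_log_line(raw))
    print("outside TLS:", visible_outside_tls("https://duckduckgo.com/?q=x"))
    print("referrer:", cross_origin_referrer(
        "https://duckduckgo.com/?q=constructed+search+terms",
        "https://example.org/page"))
```

Both requests are encrypted identically on the wire; the difference shows up only at the endpoints, where the GET query lands in the request line that servers commonly log.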
> Seemingly excusable auto…
> Seemingly excusable auto-fetching of their icon if you are searching the DuckDuckGoOnion site (https://3g2upl4pq6kufc4m.onion over Tor Hidden Services), because they force your browser to download their icon over the clearnet from duckduckgo.com.
I sometimes see that too. More speculation: something goes wrong when the first circuit is overloaded, and the icon is somehow downloaded in a dangerous way.
Very annoying because of course the icon serves no useful purpose for us... but might serve a purpose for our many enemies.
https://www.torproject.org…
https://www.torproject.org/dist/torbrowser/9.0.9/ is missing! :(
Comments are closed on…
Comments are closed on Remote Work and Personal Safety, but I want to ask if anyone has been able to group chat (more than 2 people) by voice and video through Jitsi Meet or Nextcloud installed on an onion service. I read about Mumble's latency, but I wanted to know how badly voice and video in Jitsi Meet and Nextcloud are degraded if they can be hosted on an onion service and if Tor Browser allows voice or video.
Interesting question,…
Interesting question, Anonymous. I believe Jitsi Meet normally sends the audio/video streams over UDP, but I think it might have a fallback for using TCP instead?
I would hope and assume that Tor Browser disables the mechanisms that Jitsi and other WebRTC software uses to make peer-to-peer connections, but if the connections are all routed through the onion service then it should be safe. With some latency, I'm sure, and you'd probably want to reduce the resolution/bitrate to the minimum possible.
Since tor updated to 9.0.9…
Since tor updated to 9.0.9 on my Windows 10 64, tor connects but all tabs crash with the comment "Gah. Your tab just crashed." I reinstalled tor with antivirus disabled but still have this problem. I did not have the problem with previous versions.
I am not a computer expert so if someone can give an easily understandable solution that would be most appreciated
Why no backport of #32493…
Why no backporting of #32493 again?
I would like Tor…
I would like Tor to include an extension to translate pages that are in another language, as a preference. I would also like the security level that is chosen not to affect videos and images, that is, that they can still be viewed even after the security level has been changed; when I set higher security I cannot see videos or images. I would also like you to release a chat messaging application like Signal Messenger; that would be great.
I tried to translate this…
I tried to translate this request and think I got the gist:
> I would like Tor to include an extension which translates webpages in another language; also I would like to ask for a security setting which fools websites into thinking the Tor user is using a lower security setting which would normally be required to watch daring videos and images; also I would like Tor to include a chat and messaging application competitive with Signal. That would be beyond brilliant!
Someone please correct me if I got anything wrong. I am particularly uncertain that I correctly translated "osea" as "daring", which I understand to refer to something like a video of a government action which violates human rights (unfortunately a common occurrence in many countries these days).
Tails (tails.boum.org) allows you to run a Linux distribution with Tor Browser and other anonymization and security enhancing tools built in from a "live USB". All running software and data exists only in volatile memory and any data is stored permanently only if you choose to store it in a data USB (which you can encrypt with LUKS, the Linux encryption which uses Rijndael, which is also called AES cipher). Further, you can choose to automatically install (from code stored in a LUKS encrypted "Persistent Volume"), when you boot your device from your Tails USB. In particular you can install apertium which provides reasonable machine translation between certain languages, including Spanish/English. I recommend also installing gocryptfs so that you can protect files stored in the encrypted Persistent Volume when you are using your Tails session to go on-line, because you need to unlock the Persistent Volume in order to use the Tails feature which loads additional software such as apertium, but for better security you should avoid exposing all your personal files (stored in the unlocked Persistent Volume) when you are connected to the Internet.
I have my own feature request for Tails: I would like future Tails to include gocryptfs without having to install it from the encrypted volume, for better security.
I second the request to restart the Tor Messenger project, which unfortunately failed the first time around. As some readers will recall, the official reason was that the technical challenges had proven insurmountable using the first approach to writing the needed software, which was intended to work on most devices (laptops, smart phones). I do not disbelieve the official version, but it seems clear that Tor Messenger is exactly the kind of desperately needed software which FBI insists "should" [sic] be illegal under US law (and hence illegal everywhere, since Tor Project and most Internet infrastructure effectively operates under US law). But a human rights organization must strongly resist attempts from FBI (or any other agency which is habitually oppressive to human rights) to bully Tor Project, volunteer Tor node operators, or Tor users.
@ people in Chile, Ecuador, Mexico, Venezuela, etc: please use Tor! I'd like to hear from you about political events in your country!
Monied interests in the US (and around the world) are eagerly declaring that the Bernie Sanders progressive revolution has been "defeated" [sic]. I say: balderdash! Let's make a progressive (political) revolution sweep both North and South America! Away with all these Bannonistas, Bidenistas, Bloombergians, and Bolsonarios! Down with Big Oil, Big Pharma, Big Banks, and Big Soda! Confusion to the alt-right racists and the Putinist trolls! Power to the People!
The reason for stopping Tor…
The reason for stopping Tor Messenger has nothing to do with FBI. The main reason was that Instantbird (on which Tor Messenger was based) was no longer maintained, and we don't have the resources to maintain a full messenger application ourselves. But there are other people developing instant messenger apps too. One of them is https://ricochetrefresh.net/ (although it seems to be still experimental and I have not tried it).
> The reason for stopping…
> The reason for stopping Tor Messenger has nothing to do with FBI.
I'm not saying that I believe the official reason was a lie, but everyone who works with TP needs to know that because of the way the feds use NSLs and other administrative subpoenas which come with eternal gag orders, only Isa (and possibly a lawyer) would know TP has received an order which can never be discussed.
Riseup users will no doubt recall that this is exactly what happened when Riseup was served. (It has never been explained why Riseup was served. Twice. So far. That we know of.) Most people never knew anything about it, and even when alert users started asking why the "warrant canary" had mysteriously not been renewed as had always happened in previous quarters, there was total silence. Which alert users interpreted (correctly as it turned out) to mean that Riseup was acting under compulsion against the best interests of its thousands of endangered users all over the world.
This is why the adamant refusal of Tor Project to discuss certain concerns is worrisome.
In particular, in the past, Tor Project has vowed (although not recently), "we will never insert a backdoor into Tor". This vow sounds good but it is essentially meaningless unless
A. TP explains what is the plan if the US Congress passes a law such as the EARN-IT Act which would appear to legally mandate some kind of "backdoor" in all encryption used in US jurisdictions,
B. a suitably broad definition of the word "backdoor" is stated.
If TP's definition of "backdoor" is "obviously malicious covert access code openly inserted into the source code of Tor client or server software", then the vow carries little weight because NSA is not likely to do something so idiotic as telling the people they want to spy upon that they are spying. (Some national spy agencies like to do that kind of thing, but USIC traditionally cares very much that their victims not be aware of what the spooks are seeing/stealing.)
Rather, NSA (or FBI or other agencies with overbroad powers) is likely to quietly cripple some part of Tor infrastructure such as
(i) critical "upstream" code, e.g. by forcing developers of a pseudorandom number generator to change a parameter which nonobviously weakens the PRNG, with a gag order preventing them from telling anyone that they were forced to make a seemingly minor change which immediately would look very suspicious if the devs could only say "NSA made us do it; we don't know why",
(ii) forcing producers of operating systems to fail to fix something as dangerous as the Shellshock bug,
(iii) forcing chip manufacturers to include some microscopic undocumented feature which enables covert remote access by "the authorities" (similar to what some experts claim to believe the CN government does with Huawei hardware, and also similar to a massive up-scaling of the covert diversion of hardware to secret NSA sites where covert "implants" are inserted into a hardware device such as a server (the kind of deep intrusion which is impossible to remove, but which is thought to require physical access to the device).
In the same way, when TP appears to be uninterested in pursuing reports of what might be a serious problem, people worry that someone is ordering you to ignore the issue.
This fear is not in any way an imputation against the character of anyone associated with TP, since everyone needs to understand that it is hardly fair to ask any person to risk spending the rest of their life in prison (which is pretty much what the NSL statute says will happen to anyone who violates a gag order) just because they believe in a good cause.
That said, I continue to hope that if USG does attempt to bully key Tor people, that someone will show the kind of extraordinary courage which Snowden possessed. And I believe that if someone simply calls a press conference and displays the NSL in defiance of the gag order, the government will back down with a weak excuse (typically "the new guy made a mistake; it turns out we never needed the information asked for the NSL you received so forget the whole thing please"). This kind of excuse virtually begs for a class action lawsuit, but all such suits are tossed by a court system which is all too well aware that judges too can be spied upon by NSA, a thought which terrifies them into spinelessness.
Stay well, and please try hard to protect endangered users even if EARN-IT is enacted.
Some of the things we do to…
Some of the things we do to make it possible to check that there are no backdoors are:
- publishing all the source code of the software we distribute
- doing reproducible builds: https://blog.torproject.org/deterministic-builds-part-one-cyberwar-and-…
I know nothing about this EARN-IT Act you are mentioning, but maybe that's something you want to discuss with EFF.
> I know nothing about this…
> I know nothing about this EARN-IT Act you are mentioning
You should probably change that because it could make your work illegal:
https://www.wired.com/story/earn-it-act-sneak-attack-on-encryption/
https://www.wired.com/story/signal-earn-it-ransomware-security-news/
https://www.theregister.co.uk/2020/03/06/earn_it_bill_encryption/
https://www.eff.org/document/earn-it-act
https://www.eff.org/deeplinks/2020/03/graham-blumenthal-bill-attack-onl…
https://www.eff.org/deeplinks/2020/03/graham-blumenthal-bill-new-path-d…
https://www.eff.org/deeplinks/2020/01/congress-must-stop-graham-blument…
When I replied as above to…
When I replied as above to boklm, I did not yet know about the layoffs. Obviously, I am frustrated by the repeated refusal over years for Tor Project to engage in meaningful discussion of the challenge of preventing USG from quietly crippling Tor in some way which does not fit a too-narrow definition of "backdoor". To reiterate:
Publishing the source code has real value, and reproducible builds is an enormous advance. But these things are not enough to make it hard for USG to cripple Tor by crippling some essential part of the Tor infrastructure which is not part of the openly published Tor code at all. That's what I am worried about.
Further, if EARN IT Act becomes law in the USA, Tor may be forced to remain silent about some nonobvious critical flaw in the Tor code itself which it is not allowed to fix. I would hope independent researchers would notice any such flaw, but let's not kid ourselves.
All that said, many thanks to Tor people for continuing to provide Tor in the face of many obstacles. Stay safe, don't let the virus or the USG get you!
I am seeing circuits in…
I am seeing circuits in which two successive nodes are from the same large declared family. This would appear to break the anonymity concept behind Tor circuits. Is anyone else seeing this?
This does not break the…
This does not break the anonymity properties of Tor.
The following US caselaw…
The following US caselaw precedent will be critical for Tor Project because it concerns the question of how/whether USG can coerce an internet service provider or software provider into breaking its own encryption so that USG agents can spy on users:
https://www.eff.org/press/releases/hearing-tuesday-eff-aclu-and-cyberse…
Hearing Tuesday: EFF, ACLU, and Cybersecurity Expert Ask Court to Unseal Ruling Denying DOJ Effort to Break Encryption
Government Sought Facebook Messenger Voice Calls
Press Release
27 Apr 2020
> Seattle, Washington—On Tuesday, April 28, at 9 am, Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU), and Stanford cybersecurity scholar Riana Pfefferkorn will ask a federal appeals court to embrace the public’s First Amendment right to access judicial records and unseal a lower court’s ruling denying a government effort to force Facebook to break the encryption of its Messenger service.
>
> Media widely reported in 2018 that a federal court in Fresno, California, denied a government request that would have required Facebook to compromise the security and privacy promised to users of its Messenger application. But the court’s order and details about the legal dispute have been kept secret, preventing people from learning about how DOJ sought to break Facebook’s encryption, and why a federal judge rejected those efforts.
>
> ACLU Surveillance and Cybersecurity Counsel Jennifer Granick will argue on behalf of EFF, ACLU, and Pfefferkorn that the public has a right to know when and how law enforcement tries to compel a company—one that hosts millions of people’s private communications—to circumvent its own security features and hand over the contents of its users’ voice calls and other private conversations. This is especially important now, as the Justice Department has repeatedly said that it wants access to encrypted communications, a position that endangers people’s privacy and undermines the security of everyone’s information.
Thank you. We are very aware…
Thank you. We are very aware of the current political environment in the US. There isn't a need for a dozen comments about this on each blog post.
A thousand thanks to Wired…
A thousand thanks to Wired for having the courage to warmly recommend Tor Browser and Tails for those seeking health, peace, security, and privacy in time of pandemic!
wired.com
How to Cover Your Tracks Every Time You Go Online
Online tracking can often feel downright invasive. From using VPNs to clearing browser histories, we've got your back.
12 Apr 2020
> If you need some serious privacy for your web browsing, you've got yet more options to turn to. For maximum protection, switch to the Tor browser, which works a little like a VPN: It bounces your browsing around different servers across the world, making it very hard for anyone to link your activity back to you.
> The Tor browser also keeps an extra eye out for plug-ins and other web code that can reveal your location; it can even be used to browse the web in a country where the internet is being censored. Your browsing will be a little slower as a result of all this extra protection, but you might well consider it worth it.
> If you want to go further, Tails OS is an entire operating system built around the Tor browser, which you can run from a USB stick. The idea is that you've got an incognito mode for your entire system—every time you boot it up, it's like you're booting it up for the first time. (Tails stands for The Amnesiac Incognito Live System.)
> There's a full guide to installing and using Tails OS here, and whenever you need that extra level of security, restart your computer and boot from the USB drive rather than your normal operating system. You can even use a Tails OS USB drive to work on other people's computers and leave no trace behind.
> Even with Tor and Tails OS, be cautious about what you do online. If you log into Facebook and then press Like on a local flower shop, Facebook and its advertisers are still going to know you like flowers, even if no record is left on your device.
> included an extension…
> included an extension to translate
Translation extensions send the full URLs and the text of the pages you are reading to a third party. Do you want to give automatic copies of your browsing history to Google? What about Asian languages?
> when I set higher security I cannot see videos or images.
Tor Browser comes with the NoScript add-on. The security level changes the website permissions in the NoScript settings.
https://tb-manual.torproject.org/es/security-settings/
https://support.torproject.org/es/
You can change the language at the top of the page.
Here is an earlier comment thread asking how to watch videos. It is in English.
https://blog.torproject.org/comment/286855#comment-286855
> I would like you to release a chat messaging application like Signal messenger
https://support.torproject.org/es/tormessenger/
tor download not found on…
tor download not found on this server.
update failed. download the…
update failed. download the latest version.
linux_x86 64
update works. linux_x86 64
"Tor Browser 9.0.9 is now…
"Tor Browser 9.0.9 is now available from the Tor Browser download page"
No it's not. The link is broken.
When will whitelisted…
When will whitelisted scripts work on safest level?
Quoting the blog post for 9…
Quoting the blog post for 9.0.7, "We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability."
Doesn't seem to be up yet :(
Not really: Found The…
Not really:
PDF links open empty in this…
PDF links open empty in this version and must be downloaded to view? A bug?
Are you using the Safest…
Are you using the Safest security level?
We have this ticket:
https://trac.torproject.org/projects/tor/ticket/33721
A minor tails bug (I know, I…
A minor tails bug (I know, I know, Tor is not Tails Project): when I download multiple PDFs, when I open the first one with a viewer, the app crashes. After that it works. Suspect something to do with mishandling those pesky un-needed but hard to expunge thumbnails.
Thought I'd mention it in case someone else has noticed this.
* Using TBB 9.0.8 * Help-…
* Using TBB 9.0.8 *
Help->About-> "Update failed." "Download the latest version"
Then in top/right hand corner of the screen I see a popup:
"Tor Browser can't update to the latest version."
"Download a fresh copy of Tor Browser and we'll help you to install it."
Why won't it auto update like it used to? This makes me a sad monkey.
One of your mirrors is…
One of your mirrors is having an issue. We are working to fix it soon.
> One of your mirrors is…
> One of your mirrors is having an issue. We are working to fix it soon.
Thanks for the response. After clicking and clicking and giving up, I launched Help->About once more and it said to restart to apply changes... so I did and the upgrade worked. There was no countdown to update like usual....I don't know how or why, but this pleases me because it finally upgraded!!
Sad monkey is now h/\ppy monkey!
The issue is now fixed.
Downloads for linux are not…
Downloads for linux are not working.
curl: (22) The requested URL returned error: 404 Not Found
==> ERROR: Failure while downloading https://dist.torproject.org/torbrowser/9.0.9/tor-browser-linux64-9.0.9_…
cant download and the tor…
can't download and the tor browser fails to update itself too
file not found
When will we get Snowflake…
When will we get Snowflake in the stable release?
Watch https://bugs…
Watch https://bugs.torproject.org/19001 and its child tickets to track progress towards a stable release of Snowflake.
Before this update, I was…
Before this update, I was using psiphon+Tor to bypass censorship, but after this, it doesn't work anymore, is there a ticket for this?
I don't know any ticket…
I don't know any ticket about this. Do you have more details about the issue?
Just wanted to say a big…
Just wanted to say a big thanks to you all for the hard work keeping up with all the firefox security updates :)
Changelog skips over 9.0.8
Thanks, this is now fixed.
Cannot torrent anymore. When…
Cannot torrent anymore.
When you click on 'Get this Torrent' on any site it opens a new blank tab that says: about:blank
Bittorrent over Tor isn't a…
Bittorrent over Tor isn't a good idea:
https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea
You can torrent over I2P but…
You can torrent over I2P but I am not sure of the status of this project, one of the few alternatives to Tor technology.
It works for me. It's likely…
It works for me. It's likely your site has a problem, or your security level is interfering. Try right click, Copy link location. Getting a .torrent meta file or information doesn't mean torrenting it.
Tor Browser is not a torrent…
Tor Browser is not a torrent client so it was never possible to torrent using it.
If you want to download torrents using torrent client then right click on 'Get this Torrent', click Copy Link Location, then open your Torrent Client and add a new download, paste the copied link.
If you want to download torrents using the Tor network, the recommended way is to use Whonix virtual machine https://whonix.org just start torrent client inside the virtual machine.
Hi There is a problem when…
Hi
There is a problem when watching a video on Youtube in this update.
A white page appears at the bottom of the video page. PLEASE fix it soon.
I'm seeing this, too, on…
I'm seeing this, too, on Youtube's player. Pause or hover the mouse on the video, and the bottom half becomes white. It started after I installed TB 9.0.9, but it could be something Youtube has done.
I know it's not a fix but…
I know it's not a fix but until Tor Browser gets fixed you can use youtube-dl software to watch videos
install this https://yt-dl.org/
then call it with option --proxy "socks5://127.0.0.1:9150"
youtube-dl --proxy "socks5://127.0.0.1:9150" HERE_LINK_TO_THE_VIDEO
this will download video to your disk, you can then use any video player to watch it
As long as you don't get hit…
As long as you don't get hit with a captcha. It usually takes me 4-6 new identities. I have a feeling youtube-dl is the reason that many of the exit nodes are captcha'd by Youtube/Google. The captcha page says something about "you or someone on your network is using an unofficial Youtube app. Unofficial apps may track you, contain malware, or wear down your battery, and use of unofficial apps violates our terms of service. Make sure you use only the official YouTube app from the Android/iOS app store, or the Youtube website in your browser." Sounds to me like they're blocking apps that people use to download or view videos without ads.
Or use https://invideo.us …
Or use https://invideo.us
It pulls videos from YouTube and directly embeds the .mp4 URL in the page. No captchas or ads. It even works without JavaScript!
Invidious is an alternative…
Invidious is an alternative front-end to YouTube https://invidio.us
Audio-only mode (and no need to keep window open on mobile)
Free software (AGPLv3 licensed)
No ads
No need to create a Google account to save subscriptions
Lightweight (homepage is ~4 KB compressed)
Tools for managing subscriptions:
Only show unseen videos
Only show latest (or latest unseen) video from each channel
Delivers notifications from all subscribed channels
Automatically redirect homepage to feed
Import subscriptions from YouTube
Dark mode
Embed support
Set default player options (speed, quality, autoplay, loop)
Does not require JS to play videos
Support for Reddit comments in place of YT comments
Import/Export subscriptions, watch history, preferences
Does not use any of the official YouTube APIs
See Invidious Instances for a full list of publicly available instances. https://github.com/omarroth/invidious/wiki/Invidious-Instances
Official Instances
https://invidio.us/
kgg2m7yk5aybusll.onion
axqzx4s6s54s32yentfqojs3x5i7faxza6xo3ehd4bzzsg2ii4fv2iid.onion
Update: Close issue…
Update: Close issue. Resolved. White box on Youtube disappeared about a week after.
Hi! I have run into problems…
Hi! I have run into problems with watching videos on (youtube), this should work out of the box with html5 but there seems to be an issue because it is hiding away half of the screen when scrolling up or pausing the video.
Hope this can be fixed soon, thx in advance.
I will go back and continue…
I will go back and continue using the older version of tor browser until the issue with watching youtube videos has been fixed.
Hi again guys, so i went…
Hi again guys, so i went back to the 8.0.8 version to get rid of the youtube video issue where half the screen disappears and the problem is even in the old version. so i have no idea what is causing this to happen. i had no issues watching html5 videos on youtube until yesterday. could it be google screwing something up?
fk this is annoying. haven't made any new updates on the distro, but it occurred just a moment after my latest tor browser update. but if it is caused by a bug in 9.0.9 it shouldn't show up in older versions of tor. this is so frustrating.
any idea on how to fix this or what might cause half the screen to go white when scrolling up or holding mouse arrow on the video? thx in advance
Hello from Win7 32bit -…
Hello from Win7 32bit - after upgrade to TBB 9.0.9 - YouTube plays video incorrectly - only top half is visible, bottom half is BLANK (also there is reaction on mouse-over\mouse-out - as the workaround - video view becomes ok). Please see the image - https://ibb.co/X5wm6Bk
Also the issue may be related to Google-Youtube scripts? I did not check 9.0.8 TBB version.
https://file-examples.com/wp…
https://file-examples.com/wp-content/uploads/2017/04/file_example_MP4_1…
doesn't play at all.
TBB 909 - this MP4 works for…
TBB 909 - this MP4 works for me OK.
Javascript cannot be enabled…
Javascript cannot be enabled temporarily via NoScript anymore as long as the Tor security level is on safest. Has already been the case with version 9.0.8. And it really sucks !! The same holds true for viewing PDFs ...
You can TEMPORARILY set …
You can TEMPORARILY set "javascript.enabled" to "True" on "about:config" page. Then you allow javascript with NoScript.
Do not visit other sites while doing that, after you are done set "javascript.enabled" to "False"
But you could forget to turn it back to False, so maybe it's better to switch Security Level to lower to visit page where you want to enable javascript...
If it's worth doing all that…
If it's worth doing all that, you're better off moving the slider to Safer, loading the page you want, and moving it back to Safest. If you mess with NoScript whitelists or about:config options it will give your browser a unique fingerprint.
Hi. What is the difference…
Hi. What is the difference between the .APKs that have "-qa" and the ones without '-qa' at the end? Thank you.
The '-qa' ones are not…
The '-qa' ones are not signed with the Tor Browser key. So you should use the ones without '-qa' in the filename.
For the curious, "QA" in a…
For the curious, "QA" in a context like this usually means "quality assurance".
https://en.wikipedia.org/wiki/Quality_assurance
youtube - just wanted to…
youtube - just wanted to drop by and say this is now working normally again, no idea why since I haven't had any new updates. anyways I hope it stays this way.
instead I have now run into something else, i sometimes use the (translate . com) and normally it's able to translate full sentences but for some reason it only translates word by word now. not sure if this is related to the tor browser, however it did work properly before the 9.0.9 version. could you please check this up.
thanks in advance for all the hard work guys, much appreciated.
This is our ticket for the…
This is our ticket for the youtube issue:
https://trac.torproject.org/projects/tor/ticket/33874
I had time to do a brief…
I had time to do a brief investigation - TBB908 (clean installation) was also affected (as well as TBB909) so - it looks like an issue on Google-YouTube side ("probably" - as I did not test direct connection without Tor-network). Now YT works fine.
Hello! - Sandboxie becomes…
Hello!
- Sandboxie becomes opensource GPLv3 - can we get benefits running Tor or TBB inside sandbox?
- https://www.opennet.ru/opennews/art.shtml?num=52707
- https://github.com/DavidXanatos/Sandboxie
STOP BLINDING US BY POPPING…
STOP BLINDING US BY POPPING OUT A HUGE WHITE WINDOW WHILE CONNECTING TO TOR!!! GO BACK TO THE OLD WAY... FIRST YOU CONNECT TO TOR. THEN OPEN A NORMAL LOOKING PURPLE COLORED WINDOW.
TAKE WHITE WINDOW BACK!!!
Did you change Preferences…
Did you change Preferences and forget that you did? Main menu -> Preferences -> Home in side column -> Homepage and new windows -> About Tor is the default unless you changed it to Blank Page.
When I am attempting to read…
When I am attempting to read this blog, it often happens that *all* my circuits share an exit node from the same large family of fast nodes. Could this be evidence that Tor users are once again under attack by a large family of fast nodes controlled by some "researcher" at an institution such as Carnegie Mellon's SEI?
Willing to name the family if it would help. I suspect others are seeing the same thing.
you can exclude nodes by…
you can exclude nodes by editing torrc-file.
DataDirectory ...
EntryNodes yourchoice1,yourchoice2
ExcludeNodes {us},badnode1,badnode2,{??}
ExcludeExitNodes badnode3,badnode4,{??}
GeoIPFile ...
GeoIPv6File ...
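A lint pass over the node-list options used in the torrc above, as an added example that is not part of the original comment and is not Tor Project code. It applies rules stated in the tor manual (ExcludeNodes is only a preference unless StrictNodes is 1, and a node listed in both EntryNodes or ExitNodes and ExcludeNodes is treated as excluded); the sample torrc, fingerprint, nickname and finding codes are constructed, and only the text passed in is inspected, so a GeoIPFile set in another file is not seen.

```python
import ipaddress
import re

# Node-list options from the tor manual, in the order they are checked.
NODE_LIST_OPTIONS = ("entrynodes", "exitnodes", "excludenodes", "excludeexitnodes")

FINGERPRINT = re.compile(r"^\$?[0-9A-Fa-f]{40}$")  # optional "$" + 40 hex digits
COUNTRY = re.compile(r"^\{([A-Za-z]{2}|\?\?)\}$")   # {us}; {??} = unknown country
NICKNAME = re.compile(r"^[A-Za-z0-9]{1,19}$")       # relay nickname syntax

MESSAGES = {
    "NICKNAME": "nicknames are not unique; a fingerprint identifies one relay",
    "UNRECOGNISED": "not a fingerprint, {cc}, IP/CIDR or nickname for this example",
    "COUNTRY_NEEDS_GEOIP": "country codes need the GeoIP files; none set in this file",
    "EXCLUDE_NOT_STRICT": "without StrictNodes 1, ExcludeNodes is only a preference",
    "LISTED_AND_EXCLUDED": "ExcludeNodes wins: node is treated as excluded",
}


def classify(entry):
    """Return the kind of one node-list entry."""
    if FINGERPRINT.match(entry):
        return "fingerprint"
    if COUNTRY.match(entry):
        return "country"
    try:
        ipaddress.ip_network(entry, strict=False)  # plain IP or CIDR only
        return "address"
    except ValueError:
        pass
    return "nickname" if NICKNAME.match(entry) else "unrecognised"


def normalise(entry):
    """Canonical form used to compare entries across options."""
    if classify(entry) == "fingerprint":
        return entry.lstrip("$").upper()
    return entry.lower()


def parse_torrc(text):
    """Map lower-cased option name -> list of values, skipping comments."""
    options = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            options.setdefault(parts[0].lower(), []).append(value)
    return options


def lint(text):
    """Return (code, option, detail) findings for the node-list options."""
    opts = parse_torrc(text)
    has_geoip = "geoipfile" in opts
    lists, findings = {}, []
    for name in NODE_LIST_OPTIONS:
        if name not in opts:
            continue
        # This example reads the last occurrence of the option.
        lists[name] = [e.strip() for e in opts[name][-1].split(",") if e.strip()]
        for entry in lists[name]:
            kind = classify(entry)
            if kind == "nickname":
                findings.append(("NICKNAME", name, entry))
            elif kind == "unrecognised":
                findings.append(("UNRECOGNISED", name, entry))
            elif kind == "country" and not has_geoip:
                findings.append(("COUNTRY_NEEDS_GEOIP", name, entry))
    if "excludenodes" in lists and opts.get("strictnodes", ["0"])[-1] != "1":
        findings.append(("EXCLUDE_NOT_STRICT", "excludenodes", ""))
    excluded = {normalise(e) for e in lists.get("excludenodes", [])}
    for name in ("entrynodes", "exitnodes"):
        for entry in lists.get(name, []):
            if normalise(entry) in excluded:
                findings.append(("LISTED_AND_EXCLUDED", name, normalise(entry)))
    return findings


# Constructed sample: the fingerprint and nicknames are made up.
FP = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = f"""\
# constructed sample torrc
EntryNodes ${FP},guardnick
ExcludeNodes {{us}},{FP.lower()},{{??}},203.0.113.0/24
ExcludeExitNodes bad-node
"""

if __name__ == "__main__":
    for code, option, detail in lint(SAMPLE):
        print(f"{option}: {detail or '-'}: {MESSAGES[code]}")
```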
Can I pick which country I'm…
> your torrc file Where can…
> your torrc file
Where can I find it in Tails 4.5?
In Tails 4.5 where do I find…
In Tails 4.5 where do I find the torrc? Do I need to enable a root password to change it? What if I boot from live Tails DVD?
Can you check if this also…
Can you check if this also happens across different instances of the Tor client? Such as in different VMs or different physical devices, do they also share the same exit families?
+1
Using a VM lies outside my…
Using a VM lies outside my skillset, but I will try checking with a second device and get back to you here. (If the moderator allows.)
Checked with a second device…
Checked with a second device and I still see the same large family in most of my circuits. When I try to connect to several large US news sites, I have to hit the "new circuit for this site" button several times to avoid it.
This problem (I see it as a potential danger to anonymity and as suggesting a cybersecurity flaw somewhere in how the Tor network actually works, a possible flaw which may or may not be addressable by TP) has noticeably eased somewhat in the past few days, but I have been tracking it for some months and I keep seeing it flare up again to the point where almost all my circuits have this family in the relay or exit nodes.
[Second attempt to reply] …
[Second attempt to reply]
Yes, I tried using another laptop, with the same results.
During my visit today I had to hit the "new circuit for this site" button three times to obtain a circuit which did not use this particular large family.
[Third attempt to reply] …
[Third attempt to reply]
The problem is device independent.
What is the family?
After 9.0.9 was installed,…
After 9.0.9 was installed, my Norton Internet Security shows a warning message at startup that tor.exe does not have a valid digital signature. How do I solve that?
Basically stop using Norton…
Basically, stop using Norton; they and similar 'companies' only consider software valid if it's validated their 'way'.
I suggest also switching to Linux, the best way to validate Tor Browser is with gpg:
https://support.torproject.org/#how-to-verify-signature
the solution is to get rid…
the solution is to get rid of Norton!
windows offers 'a well embedded antivirus solution' for free. read about antivirus ranking.
Hello! Will we have builtin…
Hello! Will we have built-in protection against "CSS Exfil Vulnerability" in TBB? Is it a serious vulnerability? Should we use an extra extension as a fix?
Information:
"CSS Exfil Vulnerability Tester" - https://www.mike-gualtieri.com/css-exfil-vulnerability-tester
"URL" - https://github.com/mlgualtieri/CSS-Exfil-Protection
+ https://www.bleepingcomputer.com/news/security/css-code-can-be-abused-t…
+ https://github.com/jbtronics/CrookedStyleSheets
+ https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-…
(There are both Chrome and FF extensions - "CSS Exfil Protection" at Mozilla's and Google's stores)
It doesn't sound like the…
It doesn't sound like the risk is any greater to Tor Browser users than regular Firefox users. If anything, less so, because TB is always in private browsing. As long as you're using basic hygiene, like restarting the browser between different activities and using only HTTPS, I don't see a significant risk. I wouldn't install the extension because it could give your browser a unique fingerprint. I imagine it'll be fixed in upstream Firefox soon, which will make its way to Tor Browser eventually.
I have visited a .onion…
I have visited a .onion website and the icon in the browser was not a green onion, but a grey one and when I pressed it was writing "Insecure Connection".
Is possible a .onion site to come without encryption?
Platform:Android
> Is possible a .onion site…
> Is possible a .onion site to come without encryption?
No, it's not possible, but the browser isn't aware of Tor's encryption. It's just telling you the site doesn't use an HTTPS certificate, but onion sites are always encrypted by Tor itself, behind the browser's back.
> No, it's not possible, but…
> No, it's not possible, but the browser isn't aware of Tor's encryption.
Misleading. It is not possible for the onion's direct resources to come without encryption, but it is possible for the onion's webpage to contain subresources served over HTTP. Tor Browser is aware of onion services' 6-relay circuits and indicates those with an onion icon rather than a padlock icon. Tor Browser does not indicate 3-relay Tor encryption by an icon in the address bar but does indicate it if you click on the icon to view the circuit. Tor's 3-relay circuits are always used, so it is redundant and unnecessary to indicate those unless you modify Tor Browser to make it not use Tor.
> It's just telling you the site doesn't use an HTTPS certificate
Incorrect. According to the Support FAQ, a grey onion icon means the site is an onion service that either has a self-signed HTTPS certificate or serves subresources over HTTP.
> onion sites are always encrypted by Tor itself
Correct for an onion page's direct resources but misleading for subresources loaded by the page.
https://support.torproject.org/#onionservices
https://community.torproject.org/onion-services/overview/
Did the grey onion have a…
Did the grey onion have a red slash?
https://support.torproject.org/onionservices/onionservices-5/
Since 9.09 tor-update, the…
Since 9.09 tor-update, the DuckDuckGo website has lost the menu icon. Also the url: duckduckgo.com/settings has been stripped to virtually a blank page, so I can't load my settings any more.
I've now restored my 9.07 backup just in case the new tor version has done even more damage without my knowing. There seems to be some controversial discussion about DDG and privacy on this page as well. What's up?
Hi. Sir I Need Tor Browser…
Hi. Sir
I Need Tor Browser In KaiOS System
Thanks You...
KaiOS is a fork of Firefox…
KaiOS is a fork of Firefox OS, not Android, and is based on Linux. Tor Browser is available for Linux desktop and Android. You could try to install the Android or Linux versions of Tor Browser, but they probably won't work.
what is being done to…
what is being done to prevent sites from blocking tor? too many sites are unusable with tor.
Nothing. That's not even a…
Nothing. That's not even a goal of the Tor Project. Except for trying to convince them to willingly unblock Tor, which is obviously the best solution but doesn't usually work.
Here are some tips for getting around certain kinds of blocks:
1. in the URL bar, type "web.archive.org/save/" before the real URL, so "web.archive.org/save/https://torproject.org/blog" for example. This works great for non-interactive sites and doesn't require JS.
2. Use startpage.com's web proxy button. Unfortunately this only works on search results.
3. Use the "cached" link in Google search results.
4. Use a glype web-proxy. These can be used on interactive sites, although a lot of sites break. Just search for glype proxy lists.
5. Build an SSH tunnel or TCP-based VPN tunnel through Tor. In theory, any site should work with this configuration, but I've never been able to make this kind of tunnel work reliably. It also requires a VPS or shell account or VPN account, which are usually not free.
6. Mozilla recently came out with a browser extension that is supposed to provide the functionality of a VPN. I don't know how it works, but I highly doubt it uses a real UDP-based VPN (though they offer that as well). Most likely it runs over an HTTPS proxy of some sort. Maybe it could work within Tor Browser to unblock sites. https://fpn.firefox.com/browser
> what is being done to…
> what is being done to prevent sites from blocking tor?
https://support.torproject.org/censorship/censorship-2/
https://support.torproject.org/tbb/tbb-45/
https://support.torproject.org/tbb/tbb-44/
https://support.torproject.org/tbb/tbb-35/
https://support.torproject.org/tbb/tbb-30/
Bug. 9.0.9 (based on Mozilla…
Bug. 9.0.9 (based on Mozilla Firefox 68.7.0esr) (64-bit) can not open url, http://tdaily.ru/news/2020/04/13/operatory-svyazi-dolzhny-otchitatsya-r…
Why do I always get the…
Why do I always get the message 'Something has gone wrong!' with a red screen on Tor Browser start?
This has been happening intermittently for the entire 9x series of Tor Browser. After I see the scary red screen, I then proceed to do a browser check at check.torproject.org and Tor is indeed working with the message, " Congratulations. This browser is configured to use Tor. "
Why does the browser report Tor is not working, but the Tor website reports that it is?
Might want to get those two departments synchronized at some point. Just a thought.
Hello! This is the known …
Hello! This is the known "red bug" - it is not related to 9x versions. Bug is quite old and "hardly" reproducible (and has workaround - just do restart TBB). Bug can be observed on Windows.
I strongly suggest to use firewall to be on the safe side (in early days - with ****no firewall*** AND ***when happened*** mentioned bug - TBB WAS ABLE TO DO DIRECT NETWORK CONNECTION UNHIDING YOUR IP ADDRESS!!! + I did not test current state)
- so you have only ALLOW "tor.exe" as program that may do network activities through firewall.
* netsh advfirewall set allprofiles state on
* netsh advfirewall set allprofiles state off
* netsh advfirewall firewall add rule name="MYTOR" dir=out action=allow program="C:\*****\Tor Browser\Browser\TorBrowser\Tor\tor.exe" description="MYTOR" enable=yes profile=any localip=any remoteip=any interfacetype=any protocol=tcp
* netsh advfirewall firewall delete rule name="MYTOR"
Is it possible to disable…
Is it possible to disable DNT on android?
https://blog.torproject.org…
https://blog.torproject.org/comment/283701#comment-283701
Should Tracking Protection…
Should Tracking Protection on android be enabled or not?
Is it bad for my fingerprint?
Probably, yes. You shouldn't…
Probably, yes. You shouldn't change any options other than the security slider.
I cannot disable dnt. Even…
I cannot disable dnt.
Even if I disable it it cannot be disabled.
Whats happening?
When I visit that blog…
When I visit that blog page with cookies enabled, the page is reloading constantly, so I can't browse.
I have to disable cookies to work.
This happens on android, with TOR browser.
Are you sure it's not…
Are you sure it's not because of Safest mode? Most people said it stops reloading if they switch to Safer or Standard mode. If you're confident it's because of cookies, please post information in ticket #22530.
https://blog.torproject.org/comment/277466#comment-277466
https://blog.torproject.org/comment/286736#comment-286736
Thank you for your information
If the TOR community starts…
If the TOR community starts sharing a single user's traffic data to the world, it's the beginning of the end. USA is not the only place where governors are tempted by dystopia, unfortunately. Plus, ISPs and big software companies are damn intrusive.
@developers: huge THANK YOU for your work. Just keep the project to its original spirit.
new to Tor.. I thought that…
new to Tor..
I thought that Tor will have a built in ad blocker but i still get them..
also, the Tor project FAQ recommends not installing add-ons including the ad blocker ones..
how do i safely get rid of ads?
Tor Browser does not…
Tor Browser does not currently include any ad blocker by default, so adding one will make your fingerprint differ from most other Tor Browser users.
There has been some discussion on this topic on this ticket: https://trac.torproject.org/projects/tor/ticket/17569
If you still decide to install one, you might want to use the same that is included in Tails: ublock origin.
Just to clarify: Tails is a…
Just to clarify: Tails is a full Debian-based system you boot from a live DVD or live USB, which should not leave any traces on your physical device of what you read or said while using Tails. It includes the latest Tor Browser with a few extra privacy-enhancing tweaks including ublock origin. See tails.boum.org for more.
> how do i safely get rid of…
> how do i safely get rid of ads?
Change your security level to Safest. That will disable Javascript that would load most types of ads, but it may disable some functions on a webpage that you need and make pages look ugly. You can search for the many discussions in the past about ads and blockers on this blog, the bug tracker, and other development channels.
See https://www.arte.tv/fr…
See https://www.arte.tv/fr/videos/083970-000-A/un-monde-obese/
Is detecting I am not now in France !
Note : on many other channels this is not detected (like France4 live eg.)
A solution ?
How may I please start TBB…
How may I please start TBB every time to prefer ipv4 connections? By default it starts with prefer ipv6 and I have ipv6 disabled. Why? Because it's my preference. TIA.
Prefer IPv4 for which types…
Prefer IPv4 for which types of connections? "How do I use Tor from an IPv6 only host/computer?" https://2019.www.torproject.org/docs/faq.html.en#IPv6 "I'm supposed to "edit my torrc". What does that mean?" https://support.torproject.org/tbb/tbb-editing-torrc/
Start by reading about ClientUseIPv6 in the tor daemon manual. https://2019.www.torproject.org/docs/tor-manual.html.en#ClientUseIPv6 Next, Find every place the text "ipv" is on the page.
hey I wondered if the police…
hey I wondered if the police are still monitoring the tor browser
Tor tries to defend against…
Tor tries to defend against surveillance from anybody.
See also the question "Am I totally anonymous if I use Tor?" from our support portal:
https://support.torproject.org/faq/staying-anonymous/
Hi Torproject! Why did you…
Hi Torproject!
Why did you stop updating the "geoip", "geoip6" files? (torbrowser-install-9.0.9)
(# Last updated based on December 3 2019 Maxmind GeoLite2 Country)
Are you serious? It's been 4 months already.
Please update the files in the next release!
MaxMind's GeoLite2 database…
MaxMind's GeoLite2 database is not available for download anymore:
https://trac.torproject.org/projects/tor/ticket/32978
Are there any plans to…
Are there any plans to remove the "Standard" security level. I have yet to find any site that works in standard mode and breaks in Safer mode. Nearly every website is HTTPS now, and you'd have to be nuts to enable JS over HTTP over Tor. I never use standard mode, because I haven't found a need for it, and the risks are high enough already on Safer mode. Besides WebGL/HTML5 related exploits and such, it is probably not hard to fingerprint physical hardware or perform side channel attacks when browsing with font rendering and JS optimizations etc. are enabled as they are in Standard mode. Also because each security level is a fingerprintable category of users, so the fewer the better.
if you don't need 'Standard'…
if you don't need 'Standard' level don't use it!
there are a lot of websites which don't work properly on 'Safer' or 'High'.
A possible short answer…
A possible short answer would be to suggest a name change:
(Standard, Safer, Safest) -> (YouTube, Standard, Safer)
> Nearly every website is…
> Nearly every website is HTTPS now, and you'd have to be nuts to enable JS over HTTP over Tor.
And websites in autocratic regimes? Sites in less wealthy nations? Sites in Africa? Old unmaintained sites? Prototype sites? I am opposed to removing Standard. I think it would be better if the default was Safer with just-in-time tutorials about the slider and media permissions. Some maps require WebGL as well. Adding more and more little exceptions to Safer, and it might as well be Standard.
Seen twice so far when…
Seen twice so far when trying to access this page using Tor Browser 9.0.9:
> Page Could Not Be Loaded
>
> The web page you were looking for could not be delivered.
Why? What does it mean?
Never seen this error before the past few days.
Very sorry to hear about the…
Very sorry to hear about the layoffs at Tor Project. I hope you will be able to rehire them very soon.
@ other Tor users: seems this would be a good time to make a donation if you are able.
OpenSSL Bug:https://www…
OpenSSL Bug:
https://www.openssl.org/news/secadv/20200421.txt
Segmentation fault in SSL_check_chain (CVE-2020-1967)
The OpenSSL crypto for tor looks completely insane, too? (-:
https://github.com/openssl/openssl/issues/11420
bernd-edlinger commented Apr 8, 2020
I think crypto/x509v3/v3_addr.c does probably not crash, but
the code looks completely insane, and should be rewritten.
@ other Tor users: what on…
@ other Tor users: what on Earth will we do if Tor suddenly vanishes? If we cannot access the internet (because we only use TB), how will we even get the official word from TP (in this blog?) that Tor Project has ceased all operations?
@ Tor Project employees: please stay strong and keep up all your good work, people need Tor!
I hope there is still some employee looking into possible issues with the Tor network.
In recent days while visiting this blog using TB 4.0.9 in Tails ("safer"), I have repeatedly seen:
o "page could not be loaded" error when trying to load this very page (an error message never seen before)
o on reloading, new circuit has exit node from the same large family of Tor nodes which I fear might be misbehaving
I don't know what is causing this but it seems that it could suggest that the Tor network is starting to break, possibly as the result of malicious actions by our many many state and corporate sponsored enemies.
now the tor is not warning…
now the tor is not warning about screen size so it it safe browsing in full screen.
Hi. Is there a way to…
Hi. Is there a way to disable the tor connection? I have a VPN and I need to be seen in certain countries but Tor randomly picks a country which isn't good for me. I recall in previous versions you could disable it? I am running Windows. Thanks
Every 32-bit version for…
Every 32-bit version for windows has only Arabic and Farsi - and nothing else - when I want to install the program. I wonder if anybody could help...
Hey ho, isn't there a…
Hey ho,
isn't there a dedicated support website? All I find is https://github.com/TheTorProject/gettorbrowser
Here is my issue: after updating torbrowser-launcher today from debian repositories, TorBrowser has been installed again. Now, all my bookmarks are gone.
Can I restore them with a backed-up profile.default folder? And if so, how?
Kind regards, Ronnya
I am having trouble…
I am having trouble connecting to the Internet. Why, why, why? It was working fine, now, nothing. I just installed Tor with a VPN, after one day it says it cannot connect through the DNS. Something about an error. Help, please.
Can one tiny glimmer of…
Can one tiny glimmer of sunshine be glimpsed amidst the lowering storm clouds?
thehill.com
Lawmakers introduce legislation to combat global censorship, boost internet freedom
Maggie Miller
27 Apr 2020
> A bipartisan group of House lawmakers on Monday introduced legislation intended to expand global internet freedom and cut down on social media and news censorship by governments in countries such as China and Russia.
>
> The Open Technology Fund Authorization Act would authorize the existing nonprofit Open Technology Fund (OTF) as an independent group under the U.S. Agency for Global Media, which also includes media groups such as Voice of America and Radio Free Europe.
RFE is one of the entities which has funded Tor Project in the past. Advocates for human rights workers, vaccination workers, journalists, political dissidents, union organizers, and ordinary citizens need allies in the US Congress rather desperately.
I urge US voters to ask their Congressional representatives to support this bill--- assuming groups like FOTP, RSF, HRW, Amnesty do not spot some major problem I missed.
Regarding censorship, there…
Regarding censorship, there have been quite a few developments during the past week. Suddenly the political tide in the US seems to be running against the authoritarian onslaught, a trend which we must certainly hope continues.
The GOP has put forth a pro-privacy bill on digital contact tracing which on the basis of this story seems like a welcome protection:
thehill.com
Key Republican senators to introduce coronavirus-related data privacy legislation
Chris Mills Rodrigo
30 Apr 2020
> A group of key Republican senators announced Thursday they intend to introduce legislation aimed at protecting consumer data privacy during the coronavirus pandemic. The COVID-19 Consumer Data Protection Act would require companies to have consumers opt in before having their data used to track the spread of coronavirus and allow them to opt out at any point. The legislation would also direct companies to tell consumers how their data would be used, to whom it might be transferred and for how long it would be held.
And here's an intriguing revelation: turns out that back in 2015, current FBI Director Chris Wray, then working for a private law firm, *defended* WhatsApp encryption:
theguardian.com
Documents reveal FBI head defended encryption for WhatsApp before becoming fierce critic
Christopher Wray defended encryption in 2015 as a lawyer, contradicting his current opposition to the practice
Stephanie Kirchgaessner
30 Apr 2020
Former G.W. Bush administration OLC lawyer Jack Goldsmith coauthored an editorial praising CN government censorship during the pandemic, and Mike Masnick is not about to let him get away with that:
techdirt.com
How Can Anyone Argue With A Straight Face That China's Approach To Speech Online Is Better Than The US's During A Pandemic
Free Speech
from the authoritarian-nonsense dept
Mike Masnick
30 Apr 2020
One of the intriguing pieces of this puzzle is that the CN authorities actually arrested the doctor in Wuhan who first identified COVID-19 illness for "spreading rumors" when she tried to warn the public about the public health threat, then exonerated after she herself died from the illness. And there is a virology lab of Wuhan (a huge city so no surprise there) where researchers had been studying mammals such as bats in hope of preventing an epidemic analogous to SARS or MERS, a fact which American trolls have exploited to convince many that China actually engineered COVID-19 as a bioweapon and then accidentally released it in their own country:
theatlantic.com
The Coronavirus Conspiracy Boom
Nearly a third of the people we polled believe that the virus was manufactured on purpose. Why?
Joseph E. Uscinski and Adam M. Enders
30 Apr 2020
Weird as it feels to agree with USIC, I tend to think their assessment that this rumor is without merit is probably good advice--- unfortunately, it does not fit with how Drump wants to shape public opinion about who is to blame for the pandemic:
theguardian.com
US intelligence agencies under pressure to link coronavirus to Chinese labs
Senior Trump administration figures said to be demanding evidence on virus’s origins
Patrick Wintour
30 Apr 2020
Mike Masnick also has high praise for this essay by a leading "fake news" researcher:
brookings.edu
How to cope with an infodemic
Kate Starbird
27 Apr 2020
Hi, the (startpage) search…
Hi, the (startpage) search engine has started to go nuts over Tor. Why is that? Can't even use it anymore because it keeps spamming CAPTCHA every time I try using it. Would be much appreciated if this could be fixed somehow. I do have the latest updates from Tor. However the version says 9.0.9 and not 9.5. Could that be the issue? I'd rather not use unstable versions since I've had issues with that before. Thanks in advance and thanks for all your hard work keeping us safe out there.
StartPage is responsible for…
StartPage is responsible for that. Use DuckDuckGo if StartPage is not usable (or contact StartPage directly).
Hi, I have downloaded the…
Hi, I have downloaded the TOR 9.0.9, so I can bypass the ISP block to many sites like Facebook, Twitter, YouTube and so on. When I go to YouTube and click on a video clip, the Tor prompts me with a warning message "Our systems have detected unusual traffic from your computer network. Please try your request again later", hence, making access to any content on YouTube impossible. Any idea, how to get around this?
Thanks
Yes, that message is not…
Yes, that message is not from Tor. That error message is from Google. They are handling Tor traffic in a way that makes YouTube nearly useless, sometimes.
We have an open ticket for this issue:
https://trac.torproject.org/projects/tor/ticket/33292
In a welcome development…
In a welcome development well worth celebrating, one potential existential threat to TorProject.org (emphasis on dot org) has been eliminated:
eff.org
Victory! ICANN Rejects .ORG Sale to Private Equity Firm Ethos Capital
Karen Gullo and Mitch Stoltz
30 Apr 2020
> In a stunning victory for nonprofits and NGOs around the world working in the public interest, ICANN today roundly rejected Ethos Capital’s plan to transform the .ORG domain registry into a heavily indebted for-profit entity. This is an important victory that recognizes the registry’s long legacy as a mission-based, non-for-profit entity protecting the interests of thousands of organizations and the people they serve.
As shown in the figure, the…
As shown in the figure, the search engines were out of order. It was Tor 9.0.10, the latest version.
https://imgur.com/R45wJxD
Is 9.0.10 the first version…
Is 9.0.10 the first version containing this issue?
Yes.
Yes.
Any idea about this? Freshly…
Any idea about this? Freshly started Tor Browser, no other page visited, 'Temporarily allow all this page'. From where all these DNS servers are coming up in the Tor Browser's JavaScript context?
https://browserleaks.com/dns
---
DNS Leak Test
With insufficient configuration, it is possible that the browser's DNS requests will be sent to the ISP DNS server directly, and not sent through the VPN or Proxy. Thus, a malicious website will be able to find out the name of your real ISP, and the ISP will know your endpoint IP and which sites you visit.
DNS Leak Test shows which DNS servers your browser uses to resolve domain names. This test attempts to resolve 100 randomly generated domain names asynchronously, 50 with A record (IPv4-only) and 50 with both A and AAAA records (IPv4+IPv6).
Your IP Address
IP Address
45.95.235.86
ISP Virtual Systems LLC
Location Russia
DNS Leak Test
Test Results Found 51 Servers, 1 ISP, 2 Locations
Your DNS Servers
Most likely those are the…
Most likely those are the DNS servers used by the Tor Exit node.