Tor Browser 3.5.3 is released
The 3.5.3 stable release of the Tor Browser Bundle is now available on the Download page. You can also download the bundles directly from the distribution directory.
This release also includes important security updates to Firefox.
As a reminder, this is the stable series of the Tor Browser Bundle. It does not include the Pluggable Transport support mentioned in the 3.6 release post, and in this release MacOS archives are still in zip format. If you would like those features, we encourage you to use 3.6-beta-1 instead, and report any issues you encounter.
Here is the complete changelog for 3.5.3:
- All Platforms
  - Update Firefox to 24.4.0esr
  - Update Torbutton to 1.6.7.0:
  - Update NoScript to 2.6.8.17
  - Update Tor to 0.2.4.21
  - Bug 10237: Disable the media cache to prevent disk leaks for videos
  - Bug 10703: Force the default charset to avoid locale fingerprinting
  - Bug 10104: Update gitian to fix LXC build issues (for non-KVM/VT builders)
- Linux:
A list of frequently encountered known issues with the Tor Browser can be found on our bugtracker. Please check that list and help us diagnose and arrive at solutions for those issues before contacting support.
Comments
Please note that the comment area below has been archived.
Why don't you make a
Why don't you make a distribution in zip format for windows?
Because they're all working
Because they're all working on other bugs.
Maybe you will do it?
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD…
You don't need a zip
You don't need a zip package, the installer doesn't write anything to registry.
I've checked it with RegShot before and after running the installer.
why has this update still
why is this update still saying need update? is there some sort of spoofing attack in progress?
Did you unpack your new one
Did you unpack your new one over your old one? If you do that (to be clear, you shouldn't) then it might get confused and try to remind you about needing an update.
https://trac.torproject.org/projects/tor/ticket/11242
thank for reply... i did
thanks for the reply... I did remove the old version and install the new version as I always have done for years with no problem... btw I used the new tor browser bundle today after my reported experience and it seems the issue has gone away :D
Why don't you turn on TLS
Why don't you turn on TLS 1.1 and 1.2 in the browser?
TBB uses Firefox ESR.
TBB uses Firefox ESR. Current version is 24.4.0.
TLS 1.1 and TLS 1.2 were not enabled by default until Firefox 27.
Next Firefox ESR release will be 31.
Yep. See also
Yep. See also https://bugs.torproject.org/11253
Thanks for TBB!
Thanks for TBB!
Whats wrong with you? We
What's wrong with you?
We don't want to install TBB like a program.
We need a portable TBB!
It is portable -- the
It is portable -- the location you install to is a portable TBB. Move it around however you like.
"What's wrong with you?" I'm
"What's wrong with you?"
I'm afraid that the question, more appropriately, appears to be:
What's wrong with you?
This might be a total noob
This might be a total noob question, but what's the difference between exporting bookmarks to an HTML file, versus backing up bookmarks to a JSON file?
I ask because every time I download a newer version of the TBB, I have to re-populate the bookmarks menu.
Thanks for all the work you guys do.
From what I could find,
From what I could find, restoring from JSON will replace your bookmarks with only what is in the backup file. Using a HTML backup will just add to your existing bookmarks. (source: https://support.mozilla.org/en-US/questions/950445)
It sounds like you know how to do so, but just in case: restoring bookmarks can be done from the Show All Bookmarks window (Ctrl+Shift+O). To restore from JSON, use the "Import and Backup" -> "restore" -> "Choose File" and to restore bookmarks from HTML, use "Import and Backup" -> "Import Bookmarks from HTML."
Can I just overwrite the
Can I just overwrite the Pluggable-TBB with this TBB?
Overwriting TBBs will have
Overwriting TBBs will have unpredictable effects currently. See the same question farther down this page.
Yeah, overwriting TBB's will
Yeah, overwriting TBB's will cause issues ranging from wrong version of X extension to just not wanting to boot up.
I've pretty much resigned myself to "Have to go the clean installation in a new directory and just import bookmarks!" route when I am updating to a new TBB.
I download the
I download the files:
https://www.torproject.org/dist/torbrowser/3.5.3/sha256sums.txt
https://www.torproject.org/dist/torbrowser/3.5.3/sha256sums.txt-mikeper…
https://www.torproject.org/dist/torbrowser/3.5.3/tor-browser-linux64-3…
https://www.torproject.org/dist/torbrowser/3.5.3/tor-browser-linux64-3…
Previous version files are missing:
sha256sums.txt-erinn.asc
sha256sums.txt-linus.asc
I run the script:
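########
#!/bin/bash
# Start file.txt with a single empty line.
echo > file.txt
# Check the downloaded files against the hash list; keep only the OK lines.
sha256sum -c sha256sums.txt 2>&1 | grep OK >> file.txt
echo >> file.txt
# Verify every detached signature over the hash list.
for a in sha256*.asc ; do
  gpg --verify "$a" sha256sums.txt >> file.txt 2>&1
  echo >> file.txt
done
echo >> file.txt
# Verify the signature on the bundle itself.
gpg --verify tor-browser-linux64*.asc >> file.txt 2>&1
echo >> file.txt
#########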
Running less file.txt I can see a signatures mess:
gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
gpg: Signature made Wed 19 Mar 2014 09:26:01 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
I check "mikeperry" signature manually:
gpg --verify sha256sums.txt-mikeperry.asc sha256sums.txt
gpg: Signature made Wed 19 Mar 2014 09:25:30 PM MSK using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: aka "Erinn Clark "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659
Why is Mike Perry's signature displayed as Erinn's?
Where are the other signatures?
:( I think you're
:( I think you're right.
https://trac.torproject.org/projects/tor/ticket/11256
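Added example (not part of the original comments and not Tor Project code): the mismatch reported above, a signature file named for one signer but made with another person's key, still prints "Good signature", so a script has to pin each .asc file to an expected key fingerprint. This sketch parses gpg's machine-readable `--status-fd` output; the status lines are constructed for illustration, and the mikeperry fingerprint is a placeholder because the page does not give it.

```python
"""Pin each detached-signature file to the key expected to have made it."""
import string
import subprocess

# Expected primary-key fingerprint for each signature file name.
# The first value is the fingerprint quoted in the comment above; the second
# is a labelled placeholder, because the page does not give that fingerprint.
EXPECTED = {
    "sha256sums.txt-erinn.asc": "8738 A680 B84B 3031 A630 F2DB 416F 0610 63FE E659",
    "sha256sums.txt-mikeperry.asc": "PLACEHOLDER-MIKEPERRY-FINGERPRINT",
}

# Status keywords that mean the signature must not be accepted.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def _is_fingerprint(value):
    return len(value) == 40 and all(c in string.hexdigits for c in value)


def parse_status(status_text):
    """Return (good, primary_fingerprint) from `gpg --status-fd` output."""
    good, fingerprint = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FAILURE_KEYWORDS:
            return False, None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 2:
            # The last field is the primary-key fingerprint; the first one
            # may belong to a signing subkey. Fall back to the first if the
            # last is not a fingerprint.
            last = fields[-1]
            fingerprint = (last if _is_fingerprint(last) else fields[2]).upper()
    if good and fingerprint:
        return True, fingerprint
    return False, None


def check_signature(sig_name, status_text, expected=EXPECTED):
    """Classify a result: ok, bad-signature, wrong-signer or unknown-file."""
    want = expected.get(sig_name)
    if want is None:
        return "unknown-file"
    good, fingerprint = parse_status(status_text)
    if not good:
        return "bad-signature"
    if fingerprint == want.replace(" ", "").upper():
        return "ok"
    return "wrong-signer"


def gpg_status(sig_path, data_path):
    """Run gpg and return its status lines (needs gpg and the public keys)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.stdout


# Constructed status output modelled on the case in the comment: whatever the
# file is called, the signature was made with the key ending in 63FEE659.
SAMPLE_STATUS = """\
[GNUPG:] GOODSIG 416F061063FEE659 Erinn Clark
[GNUPG:] VALIDSIG 8738A680B84B3031A630F2DB416F061063FEE659 2014-03-19 1395249930 0 4 0 1 2 00 8738A680B84B3031A630F2DB416F061063FEE659
[GNUPG:] TRUST_UNDEFINED
"""

if __name__ == "__main__":
    for name in ("sha256sums.txt-erinn.asc", "sha256sums.txt-mikeperry.asc"):
        print(name, "->", check_signature(name, SAMPLE_STATUS))
```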
what does it mean "Couldn't
what does it mean "Couldn't load XPCOM."
Sounds like you're using
Sounds like you're using "WebRoot Internet Security" or some similarly broken antivirus thing and it is preventing your Tor from working right.
Yes, I use "WebRoot Internet
Yes, I use "WebRoot Internet Security", I just turned off webroot and Tor is working right now. Thank you very much.
Thanks guys!
Thanks guys!
Cool :)
Cool :)
so the workaround for
so the workaround for webroot?
Option 1, complain to
Option 1, complain to webroot that their thing is flagging Tor when it shouldn't. Then wait for them to fix it. Apparently this worked once in the past.
Option 2, whitelist Tor in your webroot config. I don't use Windows, so I don't know what you need to click.
Option 3, stop using webroot (and optionally replace it with something else from the same protection racket genre).
Please feel free to chip in with a good option 4 here. :)
im sort of out of it but is
I'm sort of out of it but is tor able to have torrents used yet and/or pirate bay
Still not a good
Still not a good idea.
https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea
http://tor.stackexchange.com/questions/64/how-can-bittorrent-traffic-be…
(See my answer there, not alas the one with the green checkmark by it.)
Please DO NOT use Tor for
Please DO NOT use Tor for torrenting!
It does not let me update my
It does not let me update my Tor bundle when I try to write over the same directory. Why is this? It can't extract anything and I have to abort the install.
At this point you will end
At this point you will end up with unpredictable effects if you try to overwrite your current install. The better answer is to unpack the new TBB into a fresh location.
http://tor.stackexchange.com/questions/54/how-can-i-switch-from-one-tor…
can not open tor in google
can not open tor in google
What?
What?
Windows 7 - Services Could
Windows 7 - Services
Could someone from Tor please advise if there are any 'Services' that start up automatically which, for the sake of security, users should either change to 'manual' or even 'disable'. Equally, are there any that we should not change to 'manual' or 'disable'?
Thanks
I'm on Windows XP and found
I'm on Windows XP and found that this issue of Tor has repeatedly either made my PC crash and/or can't be opened at all, so I have to resort to 'nude' browsing with Firefox. Is it something to do with the software? This is something very abnormal, never experienced something like this before after some 8 years and I've checked that everything else should be normal.
I'm download a file from
I'm downloading a file from hyperspeeds.com at 1.2 MB/s using the latest version of Tor. That doesn't seem possible. Is there something wrong with my program?
1MByte or 1Mbit?
1MByte or 1Mbit?
Either of them are plausible
Either of them are plausible speeds to get over Tor at times these days.
That speed is unlikely, but
That speed is unlikely, but not impossible.
Go to the below URL to verify that Tor is working as it should:
https://check.torproject.org/
I can't open .onion
I can't open .onion websites, only "regular" websites. Why? It's a security problem?
Check clock, date, timezone
Check clock, date, timezone settings.
Possibly. Check if Tor is
Possibly. Check if Tor is working as it should:
https://check.torproject.org/
If it says you are not running Tor, then you most likely aren't.
Just got to the new TBB but
Just got to the new TBB but every time I try to open it, I repeatedly get "Tor Unexpectedly Exited-Please Restart This Application" with a mini window saying "Tor Launcher-Tor Unexpectedly Exited". Sorry for the noobie question, but this is the first TBB that has done this and I want to get back to my browsing!
What OS?
What OS?
OS X version 10.9.2
OS X version 10.9.2
Does
Does https://www.torproject.org/docs/faq#SophosOnMac help you?
I can run Tor-browser-2.3 on
I can run Tor-browser-2.3 on very old hardware: AMD K6-2 @ 500 MHz - RAM: 384 MB.
Starting with version 3.5, Tor will not run on this old computer, it fails when trying to install it, and if I install it on a newer PC and create a zip package to extract in the old one, it also fails when launching "Start Tor Browser.exe"
I have Firefox 28 installed and running in this old machine, so the problem is with Tor.
Is this new version using SSE2 instructions?
Any chance to fix Tor to work again with old hardware?
Wow, I haven't seen mention
Wow, I haven't seen mention of that processor family in years.
A few things:
a) The Mozilla Firefox binaries are built with Visual Studio not GCC, which does code generation differently. It is worth noting that the official binaries for Linux built with gcc target i686 and will also not execute on your processor family.
b) There is more that is lacking in K6-2 versus what is expected of a modern ia32 processor than just SSE2. The relevant instructions in this case would be CMOV/FCMOV, introduced for the Pentium Pro.
If you can convince the developers that building the bundle with an i586 target is worth the time, then it should work (for now), though it is unlikely that they can spare build engineer time for that task.
Thanks for the info., but
Thanks for the info., but according to this my AMD K6-2 is i686, not i586:
i386 - Intel i386/80386 (in 1985) or AMD386 / AM386 (in 1991)
i486 - Intel i486/80486 (in 1989) or AMD486 / AM486 (in 1993)
i586 - Intel Pentium (in 1993) or AMD-K5 (in 1996)
i686 - Intel Pentium Pro (in 1995) or AMD-K6 (in 1997)
i786 - Intel Pentium 4 (in 2000) or AMD-K7 (in 1999)
So, Tor Browser 3.5.3 shouldn't fail with this processor if compiled with i686 target.
Checking in about:buildconfig I see they changed the compiler from "cl 15.00.30729.01" to "gcc v. 4.6.3" since Tor-Browser 3.0.
The last TBB version I can run with this old machine is Tor-Browser 2.4.18-rc-1
No matter what Pentium
No matter which Pentium family the AMD K6-2 is closer to, it doesn't support all i686 instructions. Compiling for the i686 platform means using the CMOV instruction.
https://www.mozilla.org/en-US/firefox/28.0/system-requirements/
Mozilla claims it needs a Pentium 4 or newer processor that supports SSE2.
It's probably a bug that it still works for AMD K6-2, as a result.
Problem with AMD K6-2 began
Problem with AMD K6-2 began when TBB developers started building with gcc instead of cl (Visual Studio).
Up to TBB 2.4.18-rc-1 they used cl like the Mozilla developers, but the target never changed; it was also i686 with cl, so the "bug" is due to gcc.
I've checked with "about:buildconfig" that up to Firefox 2-0-0-x target is i586, and starting with Firefox 3-0-x target is i686.
From Firefox 3.0.x to 3.6.x Minimum Hardware Requirements are the same:
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)
64 MB RAM (Recommended: 128 MB RAM or greater) ...
https://www.mozilla.org/en-US/firefox/3.0/system-requirements/
https://…
So, if it is a bug that Firefox 28 runs perfectly with AMD K6, this bug is seven years old. ;)
Starting with Firefox 4, they only listed "Recommended" Hardware (not Minimum)
https://www.mozilla.org/en-US/firefox/4.0/system-requirements/
By the way, SeaMonkey still has a "Minimum" Hardware requirements page...
Pentium 233 MHz (Recommended: Pentium 500MHz or greater)...
http://www.seamonkey-project.org/releases/seamonkey2.25/#install
Now I've tested the latest TBB 3-5-3 with a Pentium III @ 450 MHz and it works fine!
It's no brain to use tor
It's no brain to use tor with WinXP even if AMD K6, at least it's possible to find some another browser and to compile all for i586.
Try using it with an i486 with almost zero RAM and win98 if you want an extreme experience.
"at least it's possible to
"at least it's possible to find some another browser"
Using Tor with any other browser besides Firefox/Iceweasel is explicitly NOT supported and not recommended.
"win98"
Windows 98 (as well as Windows 2000 and very soon Windows XP as well) has not been supported with critical security updates for years now. Using any unsupported OS is downright dangerous. (with the possible exception of a strictly NON-NETWORKED box).
win98 most usable and
win98 most usable and securest OS ever!!!!!!!!!!!
"Firefox/Iceweasel is
"Firefox/Iceweasel is explicitly NOT supported and not recommended."
Firefox dropped 32-bit platforms actually. You need to have more than 4GB of virtual memory to build the browser.
It's wrong that only such a browser is supported: overbloated software with kludges and security holes by design.
This is documented in
This is documented in http://gcc.gnu.org/bugzilla/show_bug.cgi?id=8243
The bug in question is discussing pre-Nehemiah VIA C3, but the brain damage is the same in the K6-2. Code generated with -march=i686 by gcc will use CMOV, and will fail on your processor.
I doubt the tor build people would ever use cl (Visual Studio) to build TBB again as well, given all of the work that has been done on deterministic builds.
Interesting details about
Interesting details about CMOV
http://ondioline.org/mail/cmov-a-bad-idea-on-out-of-order-cpus
Then why does GCC try so hard to use CMOV? Without even an option to selectively disable it.
Discuss.
This is orthogonal to "AMD
This is orthogonal to "AMD K6-2 is a potato and is unsupported by TBB binary packages", but ok, I'll bite.
For what it's worth on Ivy Bridge Linus' synthetic benchmark is faster with CMOV, so there's that (I did increase the iteration count up since the code as is was fairly inconclusive).
There are certainly cases where CMOV would be a bad idea, and the Intel 64 and IA-32 Architectures Optimization Reference Manual has a detailed description of the tradeoffs. There's also at least one GCC bug open regarding cases where CMOV is used when it should not http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56309
There was a patch back in the 2.4.x kernel days (when not-quite Pentium Pro "i686" processors were relevant) that trapped illegal instructions and emulated CMOV in software to allow binaries to run with *terrible* performance for situations like "oh god, fsck on my rescue image is i686 targeted and I have a dinky AMD processor", but it didn't get mainlined AFAIK.
So no profit to use CMOV for
So there is no benefit to using CMOV for apps like Firefox.
CMOV is an optional extension, after all.
Try to use
Try to use Tails
https://tails.boum.org/
It's better than nothing, if it will work for you.
Run Tails with only 384 MB
Run Tails with only 384 MB of RAM?
I don't think so.
Yeah. https://tails.boum.org/
Yeah.
https://tails.boum.org/doc/about/requirements/index.en.html
1 GB of RAM to work smoothly. Tails is known to work with less memory but you might experience strange behaviours or crashes.
But why not try.
If to stop no need services
If you stop unneeded services while keeping tor, then it is even possible to surf some pages.
amnesia@amnesia:~$ free
             total       used       free     shared    buffers     cached
Mem:        384652     369220      15432          0      38244     137200
-/+ buffers/cache:     193776     190876
Swap:            0          0          0
If you need Tor enough to
If you need Tor enough to consider a change of operating system, I'd recommend Puppy Linux. It's designed for getting the best performance out of old hardware with very limited RAM and the new Tor Browser bundles work on it. Warning: default user is root - you may want to downgrade to user "spot" via command line for security.
"Warning: default user is
"Warning: default user is root - you may want to downgrade to user "spot" via command line for security."
Most important warning indeed.
Have you had success running TBB as 'spot'?
>.exe You're running Windows
>.exe
You're running Windows on those specs?
Any version of Windows able to run on such old hardware, with only 384 MB RAM would be an old one that hasn't been supported with security updates for a long time.
I can only hope that your use of this box and certainly your running Tor on it, is for nothing more than testing/playing purposes.
The minimum hardware
The minimum hardware requirements for Windows XP Professional include:
At least 64 megabytes (MB) of RAM (128 MB is recommended)
WinXP is supported with security updates till April 2014.
If this is correct, then I
If this is correct, then I stand corrected.
But since April 2014 is mere days away, the correction is largely moot.
With an old pc windows 7
With an old pc windows 7 date/time, I can't connect with this bundle!
Bug?
Do you mean your clock is
Do you mean your clock is wrong and Tor no longer works for you?
Tor needs a roughly accurate clock to work. This has been the case for years.
Are you on Daylight Savings
Are you on Daylight Savings Time?
TAILS seems have the same
TAILS seems to have the same Browser (TBB) configuration? I have questions:
WHY new(er) Browser version use WEAKER crypto? **WTF**
On lots of https://.......... sites, OLDER Browser: camellia_256 / aes_256 etc.
NEW Browser version: max. aes_128 .............*WTF* again.
TLS 1.0 only activated? Why?
And who is responsible for that? I don't really like to know, but please change it.
Plus someone can make 'Connection Encrypted' info usable. Like Seamonkey. Or why not?
If I would like browsing with thoughtless lollypolly Disney fastfood feeling, IE/Chrome would be my fav.
The new Firefox 30 look is......funny(-:,too
Re screen-size Under 3.5.2.1
Re screen-size
Under 3.5.2.1 I posted the following reply on the 17th:
"GK
Thanks for your response. I read the bug report you mentioned. Since I am a relative newcomer to this and I am not very knowledgeable about the workings of computers/browsers/Tor I didn't follow what was said very well.
All I can say is that I have used Tor for about 18 months and have always used ip-check.info as a test. The screen-size (ip-check calls it Browser Window - inner size) has NEVER been rounded to 100.
For Tor versions 3.5.2 and 3.5.2.1 I have also checked it with Panopticlick and (with Javascript enabled) Panopticlick gives the same screen-size as ip-check. IP Check gets the screen size whether JS is enabled or disabled.
Sorry, the above may not be much help but if you can tell me what else to check or which settings to change, if any, I will.
Thanks for your help."
I have just carried out the same tests with 3.5.3 and, guess what, exactly the same results as with 3.5.2 and 3.5.2.1.
If other people are getting 'rounded to 100' screen sizes it is possible that one of my settings is wrong, but I don't know what to do.
Please help.
Thanks
ip-check.info ? Still plain,
ip-check.info ?
Still plain, unencrypted http. That means an exit node can tamper with the results.
If the JonDo folks behind ip-check can't or won't even bother to make the site HTTPS-encrypted and authenticated, then how can they be trusted?
As you obviously know more
As you obviously know more about these things than I do, I understand what you say.
However, as I have said, Panopticlick (with JS enabled) gets exactly the same screen-size as ip-check.info, so I think there must be more to it than tampering.
Also, ip-check can get the screen-size without JS.
Personally, I don't trust
Personally, I don't trust ip-check. Not that I think it's malicious, but aside from its obvious commercial purpose, it makes up the unsubstantiated claim that a longer stream session such as the 10 minute one Tor uses is bad for anonymity, and encourages naive users to switch from Tor to JonDonym as a solution, calling itself "stateless". In reality, a fully stateless anonymity system like that results in *less* anonymity, as it gives a passive adversary more opportunities to surveil and a greater chance of mounting a successful traffic correlation attack. If I recall, there are even several academic studies that show the reason why rapidly changing circuits is harmful to anonymity. JonDonym doesn't even think to look this up before shouting to the naive masses that their commercial product is superior. It's not just problematic because it's dishonest, but because it gives that company a larger profit at the *expense* of the innocent user's anonymity. That's not all they've done to harm people. Who could forget that backdoor JonDonym added to its software at the request of the German government. With these points in mind, I urge people not to link to services such as ip-check because it lies to people in an attempt to sway them from a more secure alternative. Now, they aren't as bad as some companies (I'm looking at you, HMA), but they still don't deserve the extra traffic that comes to them when there are already plenty of less biased anonymity-checking websites.
/end rant
All valid
All valid points.
Additionally, the failure of JonDoNym to use HTTPS authentication by default for ip-check.info (and any other sites of theirs) should give pause to anyone.
I did not mean to suggest
I did not mean to suggest that the results you reported were the result of tampering. Nor that I had knowledge of any evidence of such tampering having ever occurred with ip-check.info.
Rather, I was merely pointing-out that the risk exists. And even if it would be determined to be relatively low, the mere failure, whatever the reason, of the JonDoNym folks to implement SSL/TLS across all of their WWW properties seems cause for concern to me.
screensize-problem the same
screensize-problem the same with me too. so no false settings with your tbb.
What OS?
What OS?
Are you resizing your window
Are you resizing your window (this is not working properly at the moment)? If not, you may run into https://bugs.torproject.org/9268. If that is not plausible either, feel free to open a ticket in our bugtracker at https://trac.torproject.org/projects/tor. We'd need to take a closer look at your issue then.
GK As I have said, I have
GK
As I have said, I have read the bug report but don't really understand it. All I can say is that with Windows 7 and Tor 3.5.2, 3.5.2.1 and 3.5.3 I NEVER get a rounded window size - Panopticlick (with JS enabled) gets exactly the same window size as ip-check (with and without JS enabled).
To answer your specific question: No, I am not resizing my window. I don't know how to.
GK As you have suggested, I
GK
As you have suggested, I have just tried to create a new ticket but when I go to the page that you have stated I just get:
"TICKET_CREATE privileges are required to perform this operation. You don't have the required permissions."
Pls let me know what I have to do.
Thanks
>it is possible that one of
>it is possible that one of my settings is wrong
What your settings, do you know how to reproduce never rounded widow size?
Sorry, I don't know what you
Sorry, I don't know what you mean by: "do you know how to reproduce never rounded widow size?".
If, in fact, I do understand what you mean, I don't have to "reproduce" a 'never rounded" window size, I just have to check it via ip-check.info with or without JS enabled and via Panopticlick with JS enabled.
If I haven't understood you correctly, could you please explain what you mean. Thanks.
Sometimes when I start the
Sometimes when I start the program it just refuses to open. I have to kill it ctrl+shift+esc and restart. This happens on all 3 of my computers. Has been happening since the first 3.x version. What's wrong?
Might be
Might be https://bugs.torproject.org/9531. Does this happen randomly? Or only once? Or...?
It happens randomly. It
It happens randomly. It rarely/never happens with 3.5.3, but it happens often with every other version. Might be coincidental, either way it stinks.
What happened to the stable
What happened to the stable and unstable Expert Bundles for Windows? Are we supposed to build our own now? And please don't waste my time by telling me I *should* be using the browser bundle...
The captchas in
The captchas in https://bridges.torproject.org/bridges?transport=obfs3 are way too hard and frustrating, please find another solution for it!
I agree 100%! I HATE
I agree 100%! I HATE difficult captchas.
Keep an eye on
Keep an eye on https://trac.torproject.org/projects/tor/ticket/10809 and the tickets it links to.
There is a bug in TBB
There is a bug in TBB 3.5.3.
I am using OpenVPN to connect to one of the VPN gateways/servers, the protocol is TCP.
Next in a terminal window -I am using Debian- I launched TBB.
When I surf to a website, for example, Tails, I launch a root terminal window and type in the command netstat -rn
The results are:
Notice that on eth0 and gateway 192.168.1.1, the destination corresponds to the IP address of the OpenVPN gateway/server.
The above did not happen with earlier versions of TBB.
I hope Tor developers can look into the above issue.
What? TBB is an application.
What? TBB is an application. It just uses your network. It has nothing to do with (that is, no influence on) what your netstat says your gateways are.
It has nothing to do with
It has nothing to do with (that is, no influence on) what your netstat says your gateways are.
Thanks arma for your reply.
About the steps that I undertook in my earlier post: what IP address will the destination website see? Tor's exit node IP address? or the IP address of my OpenVPN gateway/server? or both?
Would you be able to offer some suggestions on why some websites and forums recommend Tor users to use Tor over VPN or VPN over Tor?
Bring back expert bundles
Bring back expert bundles for windows please
I was wondering if I need
I was wondering if I need start page and Ixquick which provide proxy and encryption. I noticed in this version of TOR bundle, HTTPS Anywhere is provided. Should I just get rid of start page and Ixquick?
HTTPS Everywhere have been
HTTPS Everywhere has been bundled with the Tor Browser for a long time.
You are already using Tor, so you do not need to use ixquicks/startpages proxy service. Tor provides all the anonymity you need.
If the remote website you visit does not support end-to-end encryption (HTTPS), then it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you).
Startpage is still a good alternative to use as a search engine.
Thanks for the reply. I just
Thanks for the reply. I just noticed HTTPS Everywhere does not encrypt some sites, and what is strange is that ixquicks does allow me to encrypt the same sites that HTTPS does not encrypt, and I can see in the URL address starts with https when I get connected. Can I trust this connection?
That is because that site
That is because that site does not support HTTPS. Your connection to ixquicks proxy is encrypted using HTTPS, but the connection between ixquick and the actual site is not.
"If the remote website you
"If the remote website you visit does not support end-to-end encryption (HTTPS), when it doesn't matter if you are using yet another proxy (ixquick/startpage), an attacker can still inject and observe data at some point (even if they cannot trace you)."
Let's see if we can unpack this...
A web proxy, such as the one ixquick/startpage offers, could indeed tamper with any content it fetches before returning it to you. This is just as an exit node could. But ixquick is far more trusted than a random exit node that could be rogue.
True, sort of. Also anywhere
True, sort of.
Also anywhere in the network between ixquick and the destination website could mess with the traffic (just as, without ixquick, anywhere in the network between the exit relay and the destination website can mess with it).
If you trust ixquick more than your exit relay, and also your destination doesn't support https, then it may make sense. This is similar to using Tor to reach your VPN, and then accessing all the destination websites via the VPN provider.
One downside though is that you're centralizing your outbound traffic, such that an adversary who watches ixquick's network gets to see all your traffic, where before maybe they wouldn't get to see it at all. Seeing the outbound side of your circuits is not the end of the world (they need to see the inbound side too in order to win), but it does get them halfway there.
Why is torrc blank??? I
Why is torrc blank??? I tried writing in it and tor doesn't open...
I overwrote 3.5.2 and am running in a TrueCrypt encrypted drive...
Thanks
torrc is blank because it
torrc is blank because it uses both torrc and torrc-defaults. Only new modifications go into torrc.
As for "I added lines to torrc and now Tor doesn't open", it sounds like you added bad lines. :)
As for overwriting, be aware that this may or may not work for you. If you get weird behavior, try doing a fresh install.
same
same adds---
---------------------------------
ExitNodes {US}
StrictNodes 1
------------------------------
works on 3.5.2 which I am on now... I will try 3.5.3 again but please confirm this is the right ditty...
I just want to save my settings and avoid a fresh install but if I have to I will...
Thank you for your help,,, I am not a complainer just lazy :)
I'm still using
I'm still using tor-browser-2.3.25-1
Please fix the cookie problem...it's been old.
https://trac.torproject.org/projects/tor/ticket/10353
The last Tor version that
The last Tor version that works with cookies for me is 2.5
How do I know if the data
How do I know if the data between my server and the onion site is actually encrypted? We are told it is but how can that be proved?
Been having lots of problems with Noscript and no longer trust it.
As for how it can be proved,
As for how it can be proved, the whole thing is open source, and we give you a design document and spec too:
https://www.torproject.org/docs/documentation#DesignDoc
So you could look at everything and decide for yourself. Or if it's too complicated for you, you could ask anybody in the world to do it for you.
With HTTPS, one can verify
With HTTPS, one can verify the fingerprints of the certificate.
Is there anything comparable when it comes to .onion sites?
(A means of authenticating that is comparably simple and quick?)
Tor does it for you. For
Tor does it for you.
For normal https, checking the certificate makes sense, because it's signed by one of 300 or more certificate authorities, most or all of which have nothing to do with the website you're trying to reach. The traditional CA model is a disaster.
But for Tor hidden services, the addresses are self-authenticating. Tor will verify, for sure (unless the crypto is broken), that you really are reaching the site whose address you told Tor to go to.
Of course, you have to make sure to be trying to go to the right address. If you click on one from a random website that *looks* like your intended hidden service address but actually it's one letter off, then all bets are off.
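The address-to-key binding described in the reply above, as an added example (not Tor's own code and not part of the original comments). For the 16-character addresses used at the time of this thread, the label is the base32 encoding of the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key, so any offered key can be checked against the address itself. The key bytes and all function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_address_v2(pubkey_der: bytes) -> str:
    """Derive the 16-character label from a DER-encoded RSA public key."""
    digest = hashlib.sha1(pubkey_der).digest()
    # 10 bytes = 80 bits = exactly 16 base32 characters, so no '=' padding.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def parse_label(address: str) -> str:
    """Normalise 'label.onion' or 'label' to the bare label; reject bad syntax."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 16 or any(c not in BASE32_ALPHABET for c in label):
        raise ValueError("not a 16-character base32 onion label: %r" % address)
    return label


def key_matches_address(address: str, pubkey_der: bytes) -> bool:
    """True only if the key hashes to the address the user asked for."""
    expected = parse_label(address)
    actual = onion_address_v2(pubkey_der)
    return hmac.compare_digest(expected.encode(), actual.encode())


def one_letter_off(address: str) -> str:
    """Build a syntactically valid lookalike differing in the last character."""
    label = parse_label(address)
    swap = "b" if label[-1] == "a" else "a"
    return label[:-1] + swap + ".onion"


# Constructed stand-ins for DER-encoded public keys (not real RSA keys; the
# derivation only hashes the bytes, so any byte string shows the binding).
GENUINE_KEY = b"constructed stand-in for the genuine service's DER public key"
IMPOSTOR_KEY = b"constructed stand-in for an impostor's DER public key"
GENUINE_ADDRESS = onion_address_v2(GENUINE_KEY) + ".onion"

if __name__ == "__main__":
    lookalike = one_letter_off(GENUINE_ADDRESS)
    print("address requested:  ", GENUINE_ADDRESS)
    print("genuine key matches:", key_matches_address(GENUINE_ADDRESS, GENUINE_KEY))
    print("impostor key matches:", key_matches_address(GENUINE_ADDRESS, IMPOSTOR_KEY))
    # The lookalike is a perfectly valid address; it just names another key,
    # so nothing in the protocol flags it when the user follows a wrong link.
    print("lookalike address:  ", lookalike)
    print("genuine key matches lookalike:", key_matches_address(lookalike, GENUINE_KEY))
```

The check protects against a wrong key being served for the requested address; it cannot help when the requested address itself is the wrong one, which is the case the reply warns about.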
disregard last comment,,,
disregard last comment,,, This is TrueCrypt weirdness the overwrite and addition of
--------------------------------------------
ExitNodes {US}
StrickNodes 1
-------------------------------------------
in torrc worked outside of the TrueCrypt container...
I then added the lines
--------------------------------------------
ExitNodes {US}
StrickNodes 1
-------------------------------------------
to the torrc-default in the truecrypt drive and FF did not open but when I pulled the lines out of torrc-default the torrc addition worked as you noted...
Thanks!!!
"strick"?
"strick"?
Seems bizarre that an app
Seems bizarre that an app that needs to be kept up to date requires manual uninstallation and reinstallation (plus bookmark migration) on every upgrade. Could the installer not handle this, hopefully including bookmark migration? Preferably via transparent automatic / approved update within the app itself, per normal browser updates.
Thanks to the team for their invaluable work!
Haven't there been comments
Haven't there been comments from Tor devs stating that they are indeed working on implementing the very type of functionality that you describe?
Yes. Keep an eye on
Yes. Keep an eye on https://trac.torproject.org/projects/tor/ticket/4234
It's gotten easier now that we've gotten Vidalia out of the way, since now it really is just a browser with some extensions. But there's still a lot of work involved in doing it right, and a lot of downside involved in doing it wrong.
"Also see EFF's interactive
"Also see EFF's interactive page explaining how Tor and HTTPS relate."
The above sentence appears on following page:
https://www.torproject.org/download/download.html.en
It doesn't appear on this page though:
https://www.torproject.org/download/download-easy.html
Is this intentional?
Good catch. Should be fixed
Good catch. Should be fixed now. Thanks!
A question to TAILS. =TBB
A question to TAILS. =TBB ?
Every time you open new browser,
connections to check.torproject.org:443 (customs here ! ?) AND
Wikipedia , Google ! What's that?
"Wikipedia , Google" have
"Wikipedia , Google"
have seen this,too.
anyone can explain?
Thank you
My bet is that the favicons
My bet is that the favicons for those two sites are not bundled with the browser for some reason, but are required by the search bar. So they are downloaded on first startup.
But that is just a guess.
TBB is tor plus browser etc
TBB is tor plus browser etc that you install on your HD.
Tails is a linux live disk that includes tor and much else. It is set up so it never writes anything to your HD.
@ Arma, My system date and
@ Arma,
My system date and time were old (but I didn't know that) due to system problems.
But I saw this after a while, when trying to connect with Tor on the internet.
After changing the system date and time, the problem with Tor was over.
Great.
Great.
When do you release 0.2.4.21
When do you release 0.2.4.21 expert bundle?
when right click on the
when right click on the -"Start Tor Browser" (exe) icon- in windows, it says "Date Modified: Saturday, January 01, 2000, 2:00:00 AM" -.... IS IT NORMAL?
https://trac.torproject.org/p
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…
but MINE DOESN'T SHOW
but MINE DOESN'T SHOW 1999... It shows 2000!!!!!!!! HAS IT BEEN TAMPERED WITH????
Read the faq entry. It's
Read the faq entry. It's because of time zones. It's fine.
Arma is saying that the
Arma is saying that the time/date stamp in question (Saturday, January 01, 2000, 2:00:00 AM) is not evidence of tampering.
But, for any download, the only way to actually answer the question,
"HAS IT BEEN TAMPERED WITH????", with any degree of certainty, is through proper verification of the downloaded file. In the case of TBB, this means following the instructions for verifying the digital signature.
Right.
Right.
A Tor Browser Bundle
A Tor Browser Bundle repository for linux would be nice. That way updates are handled automatically.
But what would be involved
But what would be involved in implementing a sufficient degree of authentication for anything and everything obtained through said repo?
startpage.com is not safe!!.
startpage.com is not safe!!. I can't believe you guys are using it as standard search engine on tor browser. startpage tracks your IP address and sends it on to google. want to see the proof??? go search for a normal word. for instance you can search for a company name. then look at the top results. look at the sponsored results AND the top non sponsor results too. they are based on your IP address. if you search from SPAIN IP address first couple of results will be from SPAIN sites. search for same term from US IP address. results will be from US sites. THIS DOESN'T HAPPEN FOR ALL KEYWORD. TRY IT WITHOUT USING TOR then it will be more clear. the results will be specific to your country
WTF! It's true. Startpage
WTF! It's true. Startpage and ixquick show country specific results. Never using startpage or ixquick searches again.
Do you mean startpage sends
Do you mean startpage sends a Tor IP to google or the actual IP where I am connected to my ISP?
startpage and ixquick SUCKS.
startpage and ixquick SUCKS. They send your IP address to Google. They are the biggest online marketing fraud I've seen. If you use TOR you should be protected. Many people don't use tor and trust them
Wait... Are you sure that
Wait...
Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?
"Are you sure that startpage
"Are you sure that startpage doesn't first deduce the location from the IP address and then forward only the location to Google?"
they only deduce the location.... then disregard the IP.... hahaha sure.... Trust them with your data
Even if that's all they do with your ip...they are still a fraud and lie in their privacy policy
A Tor exit node IP, if you
A Tor exit node IP, if you are using Tor.
Startpage (or any other site for that sake) cannot learn your real IP while using Tor.
I think you are right
I think you are right regardless of what startpage says re/ their sending anonymous requests to google. What browser do you use with Tor bundle?
"What browser do you use
"What browser do you use with Tor bundle?"
Did you, perhaps, mean to write, "Which search engine do you use with Tor Bundle?"
Right. Be sure to read
Right. Be sure to read https://www.torproject.org/docs/faq#TBBOtherBrowser
Hello I just wonder; What
Hello
I just wonder;
What happens if I use "vpn gate" and "tor browser" together? I always use vpn gate and then I connect with the tor browser, is it ok? or could I get some security connection problem? Thanks for help.
I love you guys! thanks!
I love you guys! thanks!
"and a way to prevent disk
"and a way to prevent disk leaks when watching videos." Does this help fix https://trac.torproject.org/projects/tor/ticket/7449 which is titled: "TorBrowser creates temp files in Linux /tmp & Windows %temp% and OSX(various places) during the file downloads dialog & when using internal browser video player"
Seems to be a problem with
Seems to be a problem with the latest TOR and using flickr . If Javascript is enabled to sign on and view albums, with this version the comments do not show up. Tried everything with No Script to fix it but even if noscript is disabled when clicking on 'comments' it just reverts to the image. Could be a no script error or maybe a change with flickr scripts? Any ideas?
Perhaps you had disabled
Perhaps you had disabled JavaScript via about:config and then forgotten that you had done so?
Another possibility: scripts from other domains than just flickr.com likely need to be enabled for comment functionality.
(Knowing which domains one must enable scripts from in order to get a given function, such as comments, etc., can be quite a challenge.)
Finally, do you have an Ad Blocker enabled?
Downloaded the new beta
Downloaded the new beta version and suddenly flickr is working again.
>do you have an Ad Blocker enabled?
Not an independent program, just as part of my firewall. Anyway the beta seems to have fixed it. Thanks for response.
Hello, Just installed the
Hello,
Just installed the latest version of Tor Browser version 3.5.3 and looking at Firefox Addons found two addons that sound interesting. I am not sure if I need them with Tor so any input is appreciated
RequestPolicy: Block images not from site you are on ( advanced privacy ) addons . mozilla . org/en-US/firefox/addon/requestpolicy/
RefControl: Customize or block referrers per site
addons . mozilla . org/en-US/firefox/addon/refcontrol/
Noscript is the only addon I am using, but I did change the value in about:config from https://secure.informaction.com/ipecho/ to http://127.0.0.1/
Thanks
Does adding more bridges add
Does adding more bridges add more anonymity to my Tor session, or not?
By the way thank you for changing the captchas in the bridges page on bridges.torproject.org
Adding more bridges probably
Adding more bridges probably hurts your anonymity if anything. The more bridges you have, the greater the chances that one of the bridges is observable by your adversary. The ideal case would be to use one very safe (i.e. well located with respect to your location and the parts of the Internet your adversary can see, and also not operated by your adversary) and very stable bridge. The tradeoff of course is that maybe you don't have one.
This question is very related to the question of how many guards you should have:
https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…
I run a hidden service
I run a hidden service using non-https connections, what are the advantages and disadvantages of switching to https (like duckduckgo's https://3g2upl4pq6kufc4m.onion)?
when i tried this link, Tor
when i tried this link, Tor browser displayed a man in the middle warning??
If you click the warning
If you click the warning you'll see that the certificate belongs to DuckDuckGo, verifying the connection's security and not the opposite: the server does belong to DDG and so does the certificate.
Copy and paste
Copy and paste https://3g2upl4pq6kufc4m.onion and maybe you'll get the same message?
This is the message I get when trying https. I have tried a few times and the result was the same. I have tried many other https sites and all were fine except this site.
MESSAGE------------------------------------------------------------------------------
This Connection is Untrusted
You have asked TorBrowser to connect securely to 3g2upl4pq6kufc4m.onion, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
Probably, you will coerce your
Probably, you will coerce your user push one more button when the will come. Because your cert scarcely will be signed by roots.
See, there is already
See, there is already complete answer for your question: https://security.stackexchange.com/questions/1172/does-tor-hidden-servi…
Are you sure that's the
Are you sure that's the correct link? it's not even remotely related to op's question
Win 7 64 Fresh clean install
Win 7 64
Fresh clean install of Tor bundle 3 5 3 (tried multiple times)
Message from Tor:
Congratulations!
This browser is configured to use Tor.
Test Tor Network Settings
HOWEVER, this browser is out of date.
Click on the onion and then choose Download Tor Browser Bundle Update.
Umm I am not out of date as I've downloaded and installed the latest bundle.
Any fix to this?
Sounds related to
Sounds related to https://trac.torproject.org/projects/tor/ticket/11242 ?
Did you install over an old TBB, or to a new (empty) location?
Please make add-on updates
Please make add-on updates disabled by default in clean TBB installs. I made clean install and as soon as I launched TBB it connected to Tor and updated HTTPS-Everywhere to version 3.4.5 even before I managed to open add-ons and disable automatic updates.
It is a known danger that exit nodes can supply tampered add-ons. Even HTTPS is not a solution because powerful enemies can have target server private keys. Lavabit is an example of how they request SSL key copies.
Disabling automatic updates
Disabling automatic updates in TBB leads to a huge amount of users never updating their extensions which is bad. That said you should not have encountered the problem you describe in the first place as we a) ship TBBs with the latest extensions installed. Thus, if you update your old TBB in a timely fashion everything should be fine. And b) HTTPS-Everywhere is already shipped in version 3.4.5 since TBB 3.5.1.
Probably better solutions to
Probably better solutions to add-on auto updates a) When updating TBB make installer install latest add-ons
b) encourage users to make clean installs (with backing up and later restoring bookmarks) as I do.
Updating TBB by writing over older versions can lead to various unexpected problems in addition to easier browser fingerprinting (various custom settings accumulated from previous versions that could distinguish from clean install of latest TBB).
I can't see the saved
I can't see the saved cookies in Browser.
How can I change this odd Browser behaviour??
extensions.torbutton.cookie_protections;false
extensions.torbutton.dual_cookie_jars;false
doesn't help.
Alas, there is not much we
Alas, there is not much we can do currently besides fixing the Mozilla bug mentioned in https://bugs.torproject.org/10353. But this will definitely take a while.
On all tor 3.5 versions, if
On all tor 3.5 versions, if choose option "use hardware acceleration", tor crushes (exit with error message) at next restart. Such behavior is detected on windows 7/8.
I suspect that the video
I suspect that the video driver is bad. Install best driver from video card manufacturer website and see what happens. If the crush (lol!) still exists then come back here.
noscript.global;true pdfjs.di
noscript.global;true
pdfjs.disabled;false
Looks like you have a rat. Would you please track it down?
Hi, I'm getting: gpg:
Hi, I'm getting:
gpg: Signature made Wed 19 Mar 17:25:31 2014 GMT using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "
for the Mac version
Sounds like you might have
Sounds like you might have not downloaded it fully, or it got corrupted, or you're checking the signature on the wrong one, or something.
no return to connect screen
no return to connect screen after hitting "open settings" button at start.
i miss the message log from vidalia control panel. it was very helpful if u ve a very slow inet connection.
I miss it too. Maybe
I miss it too. Maybe somebody here will help add something like it to Tor Launcher?
I just installed TBB 3.5.3
I just installed TBB 3.5.3 on a Win 7 box by clicking on the downloaded file. However, the installer (1) didn't place anything in the START menu; (2) did not make any type of shortcut on the desktop; and most importantly (3) is not listed as being "installed" in the Windows Control Panel. Is TBB 3.5.3 some sort of a stand-alone product that isn't subject to a normal installation process? If this is the case, where and what executable do I click in order to start the TBB?
Thank you.
SLG
Correct, TBB is a standalone
Correct, TBB is a standalone program. The installer helps you choose where to put it. You run it by going into whatever folder you installed it to, and running "Start Tor Browser".
https://www.torproject.org/projects/torbrowser.html.en#windows
update but still say
update but still say HOWEVER, this browser is out of date.
https://lists.torproject.org/
https://lists.torproject.org/pipermail/tor-talk/2014-April/032619.html
I have two issues I
I have two issues I frequently run into when installing TBB, as I did today on Mac OS X 10.9.2: First, TBB ignores the "normal" OS X way of installing as admin only (possibly additionally permitting them for others, too, as I was sometimes asked), but later using the applications as non-admin user, too. This doesn't work with TBB, but it forces me to install while logged in as the non-admin, who later wants to run TBB, but of course only with admin pass. Just weird.
Second: I have a local Apache webserver at
http://127.0.0.1/some-symlink-directory/
which serves for local development, and it is defined as homepage in all my browsers, but every new TBB refuses to connect.
Hi dear Tor Team, You're SO
Hi dear Tor Team, You're SO great. Thank You, I mean it.
I would want to run two instances of Tor in the same system at the same time, because: I got running some music online flash sound site under Tor in my Linux Mint, but of course, using flash is only good for visual content and so mostly for video and or audio sites, and flash has "low security" in that sense, that it can betray one's IP address. I would want to run another instance of Tor, where I blog. I already realized, that Tor starts slowly to maybe not at all, if the with mostly "US" ending directory, to which Tor is extracted under Linux, is renamed to anything else. But, the directory can be anywhere. So, I put the "Tor2", as I call it, by desktop link merely, into another directory, and if Tor1 from my normal Tor directory is not running, all is well, Tor2 works, and I can have two (or nor so many) sets of "profiles", so to speak, simply by cloning the first normal directory, copying it, into other directories, and always running, which as of now is only so possible, always only running ONE instance at a time. Because: I tried it out just before. It said, "Tor exited in an abnormal fashion", and it EVEN disturbed fundamentally the running Tor(2, as I call it) sound session with that flash site. Though, that the sound, the next playlist item running, on that flash sound site, did not ensue, can be another reason also, since it just now again stopped. Under Tor, okay, I do take some, well, A LOT of respect to Tor, AND I do hope, that loading youtube vids over Tor does not disturb the Tor servers, by the way, since that soundsite is accessing youtube vids, but of course, by going on that other site, I don't have to go directly on youtube. But, also a bug on that other site, which loads no playlist items anymore after any error occurred like "not allowed in your country" (not funny I hate it as we all do!) is displayed, so I'll have to bug the maker of that sound site.
What I would find great, is, if we could run at least two sessions, instances of Tor, at the same time, and those two Tor sessions being able to have fully different settings, different activated, installed plugins and all settings. Would be GREAT. Also, do tell people if the Tor Team does not wish people, Tor surfers, to use Tor for youtube-videos accessed by non-youtube sites, since the traffic amount stays the same. I'd say, there are at least 1000 Tor servers worldwide, and Tor MUST announce it BIGTIME on the FIRST upper part of their website, if people should not overload the Tor servers by accessing youtube or other video sites. Thank You, Tor Team, like Assange, we who are for him and You too in a different, technical way, we are the good Ones. Skol. Cheers.
If getting "can't load XPCOM
If getting "can't load XPCOM" and you are using Webroot --
You just need to 'allow' xul.dll
In Webroot go to:
Identity Protection
Application protection
Allow - xul.dll
See more here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/tor-sh…