Tor Browser 6.5.1 is released

by boklm | March 7, 2017

Tor Browser 6.5.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 6.5 series and it mainly contains updates to several of our Tor Browser components: Firefox got updated to 45.8.0esr, Tor to 0.2.9.10, OpenSSL to 1.0.2k, and HTTPS-Everywhere to 5.2.11.

Additionally, we updated the bridges we ship with Tor Browser and fixed some regressions that came with our last release.

In Tor Browser 6.5 we introduced filtering of content requests to resource:// and chrome:// URIs in order to neuter a fingerprinting vector. This change, however, breaks the Session Manager add-on. Users who consider keeping extensions like that one working much more important than avoiding the possible information leakage associated with it can now set the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference to 'true', which disables our defense against this type of fingerprinting.

Another regression introduced in Tor Browser 6.5 is the resizing of the window. We are currently working on a fix for this issue.

Here is the full changelog since 6.5:

  • All Platforms
    • Update Firefox to 45.8.0esr
    • Tor to 0.2.9.10
    • OpenSSL to 1.0.2k
    • Update Torbutton to 1.9.6.14
      • Bug 21396: Allow leaking of resource/chrome URIs (off by default)
      • Bug 21574: Add link for zh manual and create manual links dynamically
      • Bug 21330: Non-usable scrollbar appears in tor browser security settings
      • Translation updates
    • Update HTTPS-Everywhere to 5.2.11
    • Bug 21514: Restore W^X JIT implementation removed from ESR45
    • Bug 21536: Remove scramblesuit bridge
    • Bug 21342: Move meek-azure to the meek.azureedge.net backend and cymrubridge02 bridge
  • Linux
    • Bug 21326: Update the "Using a system-installed Tor" section in start script

Comments

Please note that the comment area below has been archived.

March 07, 2017

Permalink

Good job . have a question . WikiLeaks says it has obtained over of CIA hacking tool .may this affect on the Tor security?

Somebody commenting here should know more.
I have read little, but it looks like the claims of exploitable devices are old claims.

If we search more, we should find a security site that outlines the initial exploit of ios or android.

I don't think anyone has leaked the actual infection tools.

I think android uses orfox as android version of Tor browser?

Ios has no Tor browser?

There will always be 0days in various programs. I haven't seen anything for Tor or Tor Browser in there, specifically, however I did see mentions of an exploit for the Android (and non-Android?) library for libxml2, which may be used in Tor Browser. Luckily Google is scrambling to find out what the cause of the bug is to get it fixed.

In general, the stuff in the CIA vault boiled down to:
1) Android and iOS exploits and bypasses
2) IoT exploits and spyware (the Samsung Smart TV)
3) Router exploits
4) FAQs and policies for how to write malware, etc
5) Random stuff like lists of Japanese emoticons and diatribes about text editors

I would imagine that anything they get to attack Firefox, they would buy from a contractor like Raytheon SI or Endgame. When it comes to the security of Tor itself, I wouldn't worry. They don't seem particularly invested in breaking the Tor network, from what I'm seeing in this leak.

"Luckily Google is scrambling to find out what the cause of the bug is to get it fixed"?
Oh my God, someone still trusts in Google. Do you really believe that Google is clean?

From tor-talk:

https://lists.torproject.org/pipermail/tor-talk/2017-March/042995.html
CIA Vault 7, Year Zero
krishna e bera
8 Mar 2017

>> ""Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products" [0]

> The good news is no mention of exploits against Tor, TorBrowser, TAILS, Orbot. They also appear to have developed ways to hide their traffic at HTTPS servers, which may be useful for bridge developers if the code is released.
>
> [0] https://wikileaks.org/ciav7p1/

For those who download the Tails ISO image, verify the cryptographic signature, and burn a R/O live DVD: the Vault 7 malware wiki does describe an exploit affecting Nero, so we should avoid that (until the vulnerability is fixed).

WL has stated that it has made the full malwares available to affected companies, and Apple has apparently already patched almost all of the ones affecting its own products.

March 07, 2017

Permalink

if i go to https://portal.dnb.de and search for a book, then close the tab, open a new one and click on 'new circuit' then go to https://portal.dnb.de again i get automatically redirected to the previous site. is this the intended behaviour?

March 07, 2017

In reply to by Anonymous (not verified)

Permalink

If I understand your comment, you did these steps:

1. Go to https://portal.dnb.de (js disabled by noscript)
2. Page redirects to url with sessionid https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?view=redire…
3. Search "security" (without quotation)
4. https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?query=secur…

I didn't do these following steps. Did you experience these?

5. Then you use TBB Torbutton "New Identity"
6. Go to https://portal.dnb.de (js disabled by noscript)
7. Page redirects to your search result https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?query=secur…

Try this:
21. Create bookmark https://portal.dnb.de/ by pasting that into bookmarks toolbar.
22. Use TBB Torbutton "New Identity"
23. Load the bookmark into TBB blank tab

I think you will see https://portal.dnb.de/opac.htm;jsessionid=XXXX.prod-worker1?view=redire…
with a new jsessionid value.

Redirecting to a new jsessionid url would be how the page on that site is written to behave.

BTW, you have cookies disabled? As far as I know, "New Identity" flushes cookies, so I don't think allowing cookies setting should matter. But I disable cookies by default, so I don't know.

Note: I replaced the actual jsessionid that site gave me, with "XXXX"

no, the described behaviour is only if i click "new tor circuit for this site". in that case cookies will not be deleted? is this a good idea?

March 08, 2017

In reply to gk

Permalink

I've also noticed cookies persisting after using 'New Tor Circuit...' and it was (for me) unexpected behaviour. I think this is dangerous because people may assume it also resets the browser state for that site.

One solution is to make 'New Circuit...' delete cookies etc, so that it behaves as expected.

Another is to somehow make it clearer that sessions etc persist when using 'New Circuit..' so that people aren't getting a false sense of security.

Either is fine, but the status quo is unsafe.

im with the comment above, "new circuit" means a new IP, that means, youre in an unclear state if you dont know that all other browser information like cookies, are still there. maybe its the least problem, maybe not, i dont know, but for me it feels unsafe too.

IMO both "new circuit" and "new identity" are useful, but I agree that it is important that users should understand what these user commands do and do not accomplish.

I figured the 'New Tor Circuit' doesn't clear cookies etc. after a while. Up until that point however I used it with the expectation it made me safe.
What's the purpose of this feature anyway? Why would I care for a new circuit if a site can trivially identify me anyway?

March 07, 2017

Permalink

Resize issue, in Tails or in other OS Torbrowser versions there is a function that gets in the way a lot.
When having multiple windows opened and trying to rearrange those windows by moving the cursor to the top of the browser page and then moving the window it is really easy to release your fingers from a trackpad during moving. This results in a double click on that browser page that immediately is resizing full screen! It happens a lot and is really annoying.
How can I disable this double click full screen resizing function? I never do want a full screen size but I happen to end up with it anyway a lot of times.
Thanks

Some window managers allow you to lock a window's size. I don't think Tails' does. Tor Browser doesn't (yet?) provide any way to lock the window's size or reset it to default. The only way to correct it is to restart Tor Browser.

As a quick and dirty solution, hold the Alt key and click anywhere inside the window (not the title bar) and drag to move it. In some window managers, it's the Windows key, so try that if Alt doesn't work, otherwise consult the GNOME documentation.

In the upper right-hand corner of the Tor Browser window, the second button from right (the one with the arrow pointing upward): Clicking-on this maximizes the browser window and, when the window is maximized, reduces it back to its default size, no?

March 07, 2017

Permalink

nice

Mr. Chaker,

I'm Suggesting that TBB users are BEST to be commenting as "Anonymous" for their own good Anonymity :)

"Thank You" will still be (Thank You) from Anonymous users,
;)

March 07, 2017

Permalink

Great,
Thanks,,

This update didn't mess-up with (SessionManager .xpi) like previous 6.5; that which i replaced the (tor-launcher & torbutton .xpi's) from TBB 6.0.8..

OK. Thanks Again..

Negative!

Wrote upper comments, and UPDATING it now,

YES: Great & Thanks,
..and here comes BUT! :)

On the 2nd or(may be) 3rd restarting after updating TBB, The (SessionManager .xpi) seem to work without Icon-logo showing up in the sliding-bar, (so-called; hamburger Menu)

Did like before:
Exited, Replaced the (tor-launcher & torbutton .xpi's) from TBB 6.0.8, Started TBB 6.5.1,

Then: SessionManager Icon appeared & worked FiNE :)

Again : Great & Thanks

March 07, 2017

Permalink

anyway to use MPROTECT from grsec/pax and use Tor Browser at same time?
also anyplans to use new firefox container in Tor Browser?

> anyway to use MPROTECT from grsec/pax and use Tor Browser at same time?

Patch the Firefox JIT to not rely on being able to make executable pages writable again.

Not easily. In the past, Firefox would create RWX pages for JIT, put the bytecode into it, then execute it. In order to support W^X in OpenBSD and iOS, Firefox has changed how it behaves, so now it creates an RW page with mmap(), puts bytecode into it, then uses mprotect() to convert it to RX, so it can execute it. This works fine for the W^X implementation on OpenBSD and iOS, but PaX's MPROTECT implementation is much more aggressive, and additionally denies converting writable pages to executable pages.

I wrote a bit about this on the Tor bug tracker:
https://trac.torproject.org/projects/tor/ticket/21011#comment:10

When the mprotect() call fails, Firefox runs its OOM (Out Of Memory) subroutine, which occurs whenever any memory-related functionality fails (even if it's just for JIT, and JIT will be disabled at runtime). This causes Firefox to crash itself.

All the code is a tangled mess. It's rather sad, really. If you wanted to fix it, it'd be best probably just to get the browser to be able to stop trying to allocate RWX pages in the first place when the config is such that JIT will not be used at runtime.
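
The RW-then-RX sequence described in the reply above, together with the graceful fallback it argues for, as an added example (not Firefox's code and not part of the original comments). The stub bytes, the `jit_*` names and the interpreter fallback are assumptions for illustration; a refused `mprotect()` is reported as a policy denial instead of being treated as out-of-memory.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* for MAP_ANONYMOUS on glibc */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed machine code for: int f(int x) { return x + 1; } */
#if defined(__x86_64__)
static const uint8_t STUB[] = { 0x8d, 0x47, 0x01,          /* lea eax, [rdi+1] */
                                0xc3 };                    /* ret */
#define HAVE_STUB 1
#elif defined(__aarch64__)
static const uint8_t STUB[] = { 0x00, 0x04, 0x00, 0x11,    /* add w0, w0, #1 */
                                0xc0, 0x03, 0x5f, 0xd6 };  /* ret */
#define HAVE_STUB 1
#else
static const uint8_t STUB[] = { 0 };
#define HAVE_STUB 0
#endif

typedef int (*add1_fn)(int);

enum jit_status { JIT_READY, JIT_EXEC_DENIED, JIT_NO_MEMORY, JIT_UNSUPPORTED };

struct jit {                       /* hypothetical minimal "JIT" state */
    enum jit_status status;
    void *page;
    size_t len;
    add1_fn fn;
};

/* Try to set up one executable page without ever holding an RWX mapping. */
static void jit_init(struct jit *j)
{
    memset(j, 0, sizeof *j);
    j->status = JIT_UNSUPPORTED;
    if (!HAVE_STUB)
        return;

    long ps = sysconf(_SC_PAGESIZE);
    j->len = ps > 0 ? (size_t)ps : 4096;

    /* Step 1: map the page writable but NOT executable. */
    void *p = mmap(NULL, j->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        j->status = JIT_NO_MEMORY;
        return;
    }

    /* Step 2: emit the code while the page is still writable. */
    memcpy(p, STUB, sizeof STUB);

    /* Step 3: flip RW -> RX. This is the call a stricter policy such as
     * PaX MPROTECT refuses, because the page has been writable. */
    if (mprotect(p, j->len, PROT_READ | PROT_EXEC) != 0) {
        /* Only ENOMEM is a memory problem; anything else is a refusal. */
        j->status = (errno == ENOMEM) ? JIT_NO_MEMORY : JIT_EXEC_DENIED;
        munmap(p, j->len);
        return;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof STUB);

    j->page = p;
    memcpy(&j->fn, &p, sizeof p);  /* object pointer -> function pointer */
    j->status = JIT_READY;
}

/* Interpreter path used whenever native code is unavailable. */
static int interp_add1(int x) { return x + 1; }

/* Same result either way: JIT is an optimisation, not a requirement. */
static int add1(struct jit *j, int x)
{
    return j->status == JIT_READY ? j->fn(x) : interp_add1(x);
}

static void jit_destroy(struct jit *j)
{
    if (j->page)
        munmap(j->page, j->len);
    j->page = NULL;
    j->fn = NULL;
}

static const char *jit_status_name(enum jit_status s)
{
    switch (s) {
    case JIT_READY:       return "ready (RW -> RX allowed)";
    case JIT_EXEC_DENIED: return "RW -> RX denied by policy, using interpreter";
    case JIT_NO_MEMORY:   return "out of memory, using interpreter";
    default:              return "no stub for this CPU, using interpreter";
    }
}

int main(void)
{
    struct jit j;
    jit_init(&j);
    printf("jit: %s\n", jit_status_name(j.status));
    printf("add1(41) = %d\n", add1(&j, 41));
    jit_destroy(&j);
    return 0;
}
```

On a kernel that refuses the RW-to-RX transition, the program reports the denial and still returns the correct result through the interpreter path.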

March 07, 2017

Permalink

This version fails to run on debian stable (jessie 8.7) due to a glibc error:

  ./firefox: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by ./firefox)

This works fine for me on Debian Jessie.

It should work if you use the 'start-tor-browser.desktop' script at the root of the archive. This script adds the 'Browser/TorBrowser/Tor' directory to the LD_LIBRARY_PATH environment variable, so the libstdc++.so.6 from that directory should be used instead of the one from /usr/lib.

There is no problem for me; I use Jessie 8.7.1 amd64.

I just download, extract, and run as normal. Maybe you should do a distribution upgrade (apt-get dist-upgrade) to get all the libraries updated. I used to experience the same kind of errors when running new updated programs, and in many of the cases it's because I hadn't upgraded my OS distribution then.

March 08, 2017

Permalink

I went to main onion page: http://expyuzz4wqqyqhjn.onion/projects/torbrowser.html.en
If I point mouse on the link, it shows it uses http://expyuzz4wqqyqhjn.onion/dist/torbrowser/6.5.1/tor-browser-linux64… for download. But when I click on it and see what location is used, it is not onion, but https://dist.torproject.org/torbrowser/6.5.1/tor-browser-linux64-6.5.1_… Why this happens? As I see from onion.torproject.org, the correct address is another: http://rqef5a5mebgq46y5.onion/torbrowser/6.5.1/ Should links on the page http://expyuzz4wqqyqhjn.onion/projects/torbrowser.html.en be fixed?

March 09, 2017

In reply to gk

Permalink

But we cannot assume James Comey is not lobbying hard to change that.

Comey stated in a recent speech that he intends to serve out his ten year term, which would carry him into the (barf) second DJT administration. But Comey is so diminished politically speaking that it could actually benefit the People if against expectation he manages to hang onto his job for another 6.5 years. Back in the Clinton administration, for better or worse, Freeh assured that FBI remained crippled by also hanging onto his job despite being "frozen" out of the rest of the administration. If Comey stays, this could buy us more time to use encryption to keep ourselves, our friends, our clients, and our families safer from our governments.

Thanks to all Tor and Tails people for your work!

@ GK:

This is more Debian than Tor relevant, but in view of the "evil maid" implications in the Vault7 leak, please help me convince Debian Project to fix the backdoor in LUKS encryption!

March 08, 2017

In reply to gk

Permalink

What would really be a nice addition would be an onion search engine that allows you view results in a proxy.

Sites that have the proxy but no onion address are https://searx.me and https://startpage.com

Thanks again. Keep up the good work.

Does anyone know if tails and subgraph have plans on collaborating ?

March 08, 2017

Permalink

Any chance the next version will have the flag privacy.trackingprotection.enabled set to true?

March 08, 2017

Permalink

Thanks for another great release. It's awesome how closely the TBB team has been tracking Firefox's release schedule lately!

March 08, 2017

Permalink

Why is Tor Browser signed with key id C3C07136

Where did this GPG key come from? It was never used prior to 6.5

How do we know this is actually the TOR Project in control of these releases now?

C3C07136 is a subkey of the Tor Browser key (4E2C6E8793298290). If you imported the Tor Browser key before it had this subkey, you can refresh it to get the new subkey:
$ gpg --refresh-keys 4E2C6E8793298290

March 08, 2017

Permalink

Once again the process of applying an update takes up a disproportionate amount of disk space.

Even with app.update.staging.enabled set to false I observed it consuming around 220MiB.

(I believe it takes up even more when this is set to true).

If it runs out of space before it's done applying the update, it breaks TBB completely ('3817 Bus error' on line 368 of Browser/start-tor-browser).

Maybe having staging.enabled set to true prevents the breakage, but I don't have enough disk space to apply updates that way (uses something ridiculous like 400-500MiB).

Anything you can do to apply updates in a way which doesn't use all the disk space at once would be great.

That would be a very interesting story to tell to a reporter, if you are able and willing to consider doing that! You could negotiate in advance how "anonymous" you want to be in the published story. Many of the better sort of news organizations now use SecureDrop.

March 08, 2017

Permalink

Since installing the latest version of tor my antivirus keeps blocking tor from running, and says that tor is infected by IDP.Generic virus

Thou, you didn't tell what AV u r using,

Suggesting to Temporary-disable AV until TBB installed

& then Run it,

Enable AV,

See what happens,

you might need to switch to other AV product like: AVAST..

free Avast versions are great too :)

Sadly, all too true. All persons everywhere are at risk from thousands of cyberwarriors working for various governments.

But both the Snowden and Vault7 leaks (which have provided the public with invaluable information about NSA and CIA spying respectively) suggest that USIC (and probably adversary services) have had considerable difficulty in spying on people who (correctly) use cyberprotection tools such as Tor.

March 08, 2017

Permalink

good

March 08, 2017

Permalink

thanks for release.

i logged in but tor didnt say i dont have the latest version. so i have to start it manually over browser help / about tor browser.

after the update i checked addons, update all. and there was an update for https everywhere. it installed and then restart.

shouldnt the update of tor browser and addons be automatically?

thanks

There is usually a delay before we deprecate the old version (12-24h) in order to give the old browser time to download the update in the background. Not sure why you needed to do that manually. One explanation is Tor Browser checking only twice a day for new updates (+ after start-up). Similarly, Tor Browser is checking for extension updates only once a day.

March 08, 2017

Permalink

OpenSSL to 1.0.1k
and
OpenSSL to 1.0.2k
are referred in article. Both can't be right.

March 08, 2017

Permalink

can anyone advise as to the best method of browsing i.e. duckduck etc with Tor? i dont know much about it all

Thank you

March 08, 2017

Permalink

Wow!

You fixed the print to pdf issue for OS X 10.6.
That is very nice to see and takes away some console stress!

Thanks, bye

March 10, 2017

In reply to gk

Permalink

Yes, Bug still there,
I did discover that shortly thereafter too.

Wired did fix the issue, on their website

but the bug is still existing in Torbrowser on other websites.
So I guess that Wired devs know the answer to a question that was addressed at toredevs to look at and solve.

With a little help from the friends: Should I convince them to work for Torproject to really make things in Torbrowser better? :)

March 08, 2017

Permalink

When is Tor Browser going to FF 52ESR?
Another question I was wondering for quite some time:
Why is the TorBrowser not spoofing or disabling the referer header?

March 08, 2017

Permalink

Thanks FOR THE AWESOME WORK!!!!!!!!

Will TBB run on RPI RPI2 RPI3 or RPI0/W?
How do i do it?
Would Tails help HERE?

Thanks

By "RPI" you mean RaspberryPi? If so, you'll have to compile it yourself and see. There are no official Tor Browser builds for RaspberryPis.

> Would tor and Whonix work well together?

Yes. Why do you think that they don't work so well? :)

Whonix is all about isolating the Tor process from the Tor Browser, so to prevent any leaks in case your browser gets compromised (so they'll have to use even more sophisticated attacks such as VM escape).

You can read about it in this blog post: https://blog.torproject.org/blog/tor-heart-whonix

just tried Whonix .org but it seem not working,

instead, leme suggest trying Tails | >> https://tails.boum.org/

C&P:
( Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card.

It aims at preserving your privacy and anonymity, and helps you to:

*use the Internet anonymously and circumvent censorship;
all connections to the Internet are forced to go through the Tor network;

*leave no trace on the computer you are using unless you ask it explicitly;

*use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.)

Read the post carefully. If you think having features "like that one working is much more important than avoiding the possible information leakage associated with that can now toggle the 'extensions.torbutton.resource_and_chrome_uri_fingerprinting' preference, setting it to 'true' to disable our defense against this type of fingerprinting."

March 09, 2017

Permalink

Uh oh!

Mozilla support for XP will end in September 2017.

Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

And how does Avast interact with TBB when used as a regular browser on the regular internet?

I use Mozilla with the identical TBB settings - except that my TBB browser bookmarks facility remains unused.

Tia

> Does this mean that TBB too - as from September 2017 - will no longer be available for the XP series?

Yes. XP is now a 17 years old OS riddled with security vulnerabilities, you can't expect developers to support it for a longer time. See https://trac.torproject.org/projects/tor/ticket/21080 "My guess is we're going to triage and decide not to try to rescue XP when Mozilla has decided to abandon it."

> XP is now a 17 years old OS riddled with security vulnerabilities

Just to support the point that cautious netizens tend to avoid using TBB under Windows, or at least very old versions of Windows:

The Vault 7 wiki of CIA malware just published by Wikileaks includes a long list of attacks on (often old versions of) Windows, but not very much on Linux (outside embedded platforms).

Not to imply that Linux users should rest easy, of course, just that all things considered, the preponderance of evidence available to the public would seem to encourage citizens concerned about privacy and data security to move to Linux (and to keep their systems up to date, to avoid installing unsigned software, to use TBB for browsing, to pay attention to valid security bulletins, and so on). Similar remarks hold for MacOS users (Vault 7 also lists some zerodays affecting Mac users).

March 10, 2017

Permalink

Hello Torproject,
2 issues:

1. 'Wrap Long Lines' with 'view_source.tab;false' isn't working reliably

2. Why tor.exe is 32-bit(Image Type) on an Win64? Should be 64-bit?
(firefox.exe(TBB) is 32-bit, too.)

March 10, 2017

Permalink

OOPS, have read:
"On March 8th, 2017 Anonymous said:
Thank you.
"wrap long lines" is still not fixed since TBB 6.5, but noone will die over it." .

Noone will die over it, i too. Second question, 32bit tor.exe, is open.

March 10, 2017

Permalink

"Tor is ready" does not appear every time i choose 'new identity'.
is it an evidence or a trace that something is wrong ?

March 15, 2017

In reply to gk

Permalink

nothing !
it does not work every time i click on "new identity" : sometimes (rarely) yes , sometimes not.
pff ... i wonder if the users are not the testers of an experimental manipulation in the goal that a subvention be given to a usa rotten team ...
pff ... i use tor for some app but too much bugs means untrust software ...
no comment.

March 17, 2017

In reply to gk

Permalink

ok : nice tip / i thank very much:i did not know it :
anyway that i try "new identity" or new circuit for this site" ; it could be written [Tor is ready ] ; it is rarely the case , something is wrong in your program or it is a hack very sophisticated.
Shift+Ctrl+J
...
it opens a server tab and that is written with pink background:
...
ocsp.int-x3.letsencrypt.org:443 uses an invalid security certificate.
in blue
2 in red

The certificate is only valid for the following names:
*.akamaihd.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaized.net, a248.e.akamai.net

Error code: SSL_ERROR_BAD_CERT_DOMAIN
...
ocsp.digicert.com:443 uses an invalid security certificate.

The certificate is only valid for the following names:
www.digicert.com, content.digicert.com, edge1.digicert.com, edge2.digicert.com, edge3.digicert.com, edge4.digicert.com, cacerts.digicert.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN
in blue
2 in red
...
# i am connecting using tor bundle & vpn.
anyway that i try "new identity" or new circuit for this site" ; it could be written [Tor is ready ] ; it is rarely the case , something is wrong in your program or it is a hack very sophisticated.
maybe my vpn uses a weak encryption or i am yet a target but it does not explain why the banner is not shown : do i need to debug (how to do that pls?) or drop my vpn ?
i have chosen 443 port & not the default port does it matter ?
Thanks a lot for your help, your tip & your explanations.

March 23, 2017

In reply to gk

Permalink

Reason for confusion is that Tails has (until 2.11) posted release announcements in their account at this blog.

Can you help ensure that Tails users who use a 32 bit CPU machine know that the next edition of Tails will only be usable with 64 bit CPUs? I don't disagree with their decision to go 64 but the Tor community needs to get the word out well in advance that this change is coming soon.

In a related plea, can you help ensure that Debian users get a clear explanation of how the onion mirrors of the Debian repositories (as discussed elsewhere in this blog) will handle the change (perhaps in May or June) to the new stable distribution? Can I DL an iso image of the new stable, verify the key, install normally, then point synaptic at the same onion mirrors? Or will I need to use new onion mirrors?

March 10, 2017

Permalink

OP here.

Yes, I've read y'alls anon responses to my query but only gk's replies can be accepted as authentic by m'self.

Thanks, gk!

This simply means that I'm gonna hafta dl a GUI enabled Linux version to an external hdd and so use Linux as an additional OS for a Linux based TBB. Neva mind. I got 6 months to figger the how out.

As for XP now being " a 17 years old OS riddled with security vulnerabilities..." I guess that depends only on which sites one interacts with, not so?

The only hassle I can anticipate is spending more time backing up folders in the event of a system failure. In 2015 Verbatim was offering a 7 year warranty on its 1tb external hdd but sadly, such items are not permitted in my country.

@ gk

Just a passing thought... but both Mozilla and y'selves interact with a large (in the hundreds of millions) XP community. See

https://www.google.com/search?q=how+many+xp%27s+still+in+use%3F&ie=utf-…

for detail.

How will this issue affect y'alls collective futures?

I can go where I like onna www and my laptop - Japanese made- is soooo reliable. I reformatted it in early 2014 and I still don't see the need for any upgrades.

It's not like I'm a rocket scientist planning to put someone onto Mars an' I desperately need the latest doodads to so do. I have a monthly 2Gb data cap and I'm hard-pressed to utilize it all.

I jus' don't see the sense of upgrading to Win 10/11/12/13 whatever in order to accommodate a web browser.

Any marketing wonk thinking/hoping/praying I'm now gonna be compelled to embrace the latest Windows or Apple offering is vaping the wrong stuff!

I thankfully avoided all the hassles associated with Vista, Win7, 8 and 10. And when I eventually do upgrade, the new OS - personal computers and autos - will all be thought-controlled.

Until then, y'all, stay well...

Are you sure it works on the previous version? They are probably blocking Tor. It wouldn't surprise me one bit. The list of Tor-friendly email providers on the Whonix wiki says that once you have a Google account, you have to sign in without Tor and then enable Tor without deleting cookies and load a page while you're signed in. After that it says you should be able to connect through Tor, but I wouldn't get my hopes up.

March 15, 2017

Permalink

In WIN10 (in Chinese) running on a black square block of text, complete the configuration to scrape through memory, stop running after open the browser interface.

Reinstall the old version can be normal use.

Which old version do you mean? Do you have some antivirus software that could interfere with Tor Browser? If so, could you uninstall that one for testing and check whether things get better (disabling is often not enough)?

March 16, 2017

Permalink

Is the Tor network still relevant to the general public?

Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

The few others which use it for political activism against repressive regimes will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017.

XP has been the OS choice of activists almost since its inception due to its ubiquity, simplicity and reliability. Later MS systems (Win10, various handheld gadgets etc) sold in dictatorships such as China, Russia and many Asian and African nations must comply with governmental modifications- modifications not only to the newest devices but also monitor and censor of the network of their local isps.

Also, exchange rate issues in these tyrannical and despotic regimes militate against the acquisition of more modern equipment -whether over the counter or via a smugglers route.

I daresay this also applies to the USA and EU to some degree -but there the various democratic movements have ensured that such "modifications" are strictly controlled by legislative authorities to only combat global terrorism.

Mozilla stated that it could extend ESR with XP support if there would be a reason. And who as not the Tor Project is interested in spreading Tor Browser to countries with old computers?

> Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

I suppose that depends upon

1. your definition of the meaning of "mostly" ("more than 1%?" "more than 50%"?),

2. whether you can present some statistics and explain how we may independently verify them.

> The few others which use it for political activism against repressive regimes will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017.

I suppose you simply forgot to present your evidence for these further dubious claims?

> XP has been the OS choice of activists

"Activists" is a pretty broad term. Maybe you should clarify what groups in what countries you are talking about.

I can't tell whether you are attacking/praising XP, or attacking Tor, or what. But it may be worth pointing out that activists who do not yet use Tails should perhaps consider switching, although this may not be the best choice for everyone.

> Far as I can see, [Tor is] mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

Yes, and I suspect you know it. Certainly over the past year, this blog has offered many posts explaining how ordinary people use Tor every day to circumvent censorship, engage in political speech, and perform research in the public interest.

> The few others which use it for political activism against repressive regimes

Care to back that up with some actual statistics?

> will soon be stymied as a consequence of Mozilla/TorBrowserBundle excluding Microsoft's venerable XP OS after September 2017. XP has been the OS choice of activists almost since its inception due to its ubiquity, simplicity and reliability

Interesting... you urge activists to continue to use an OS which has been successfully targeted by many zerodays exploited by the bad guys (see for example the Vault 7 leaks at wikileaks.org).

A much better choice which should work "out of the box" on almost any computer which uses a 64 bit CPU* is the free Linux based distribution Tails; see tails.boum.org. Tails enables you to boot an "amnesiac" system from a live DVD (or USB), browse with TorBrowser, email, produce videos, documents, etc., then shut down leaving no trace (we hope) on your usual OS on your computer. It is thought to be much more secure than almost any other OS; the Snowden leaks prove that as late as spring 2013 NSA was experiencing great difficulty finding exploitable vulnerabilities in Tails.

(It later turned out that they apparently missed some pretty bad holes, which have been closed. Tails isn't perfect but it's just about the best thing we've got.)

* Currently Tails works for 32 bit CPUs, but the next edition will no longer support 32 bit CPUs.

> Far as I can see, it's mostly used to shield the activities of drug dealers and paedophiles. Am I wrong?

This has been addressed extensively throughout the history of the Tor Project. I guess some debates never die. There is a "Who uses Tor?" link on the main page of the site. Edward Snowden is one example of a Tor user who is not a drug dealer nor a paedophile. There are many more, probably in the millions.

Dropping XP support is a good thing in my opinion. It doesn't get security updates anymore. There would really be no point in using Tor Browser on XP. You could use a random unpatched Linux distribution, and you'd still be better off. Tails is quickly becoming the de-facto OS of choice among Tor users, and Qubes is growing too. Both are far superior to XP, and arguably to any general purpose OS.

March 16, 2017

Upload speed is limited to 3 Mb/s on 32-bit Windows, while download speed remains unaffected. Speedtest service was used to test the bandwidth.

March 17, 2017

\(*c*)/

love you all
love your work \(*c*)/
stay strong

\(*c*)/

\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/\(*c*)/

March 21, 2017

After connection is established, it reports an error on Win 7. Don't know why. Version 6.5.1.

March 22, 2017

I have installed Tor. What is the best email program to use with it? I guess I should encrypt my emails. Additionally, what program is the best for a lay person?

March 23, 2017

In WIN10 (in Chinese) running on a black square block of text, complete the configuration to scrape through memory, stop running after open the browser interface.
Reinstall the old version can be normal use.

I'm having this problem in Win 7.

March 27, 2017

I have Torbrowser for the Mac, sha256: 4155633dd51db9c805e8a81a9fd180e7235077f15023b5f002648f1c2a8bef92

It is incorrectly showing the web site https://sciex.com/ as not secure. I have tried several transports with the same results.

March 28, 2017

I checked my Ubuntu workstation and it has transports FTE, Meek-Amazon, Meek azure, obfs3 and obfs4.

My Mac's torbrowser does not have the FTE transports?

March 29, 2017

I was running 6.5 fine but a few days ago it refused to connect to onion servers. So installed 7.2 and the same problem. I can get normal http sites but onion ones it just refuses. Does this mean my Win XP system is no longer supported? I have a Win 7 computer but hate the bloody thing because of all the logs it keeps as well as auto connections to MS.

I am in the UK

March 30, 2017

Does anyone know if the UK has found a way to block .onion sites? I cannot get any links despite checking all my phone system and computer, reloading tor several times and all I can get is http sites.

Found the problem. My computer clock had mysteriously jumped forward by one day. Why is it necessary for TOR to detect the time and date on someone's computer?

April 03, 2017

Thank you for Tor Browser :-) My question is:
As I run Tor to apt-get update my Debian (through the onion depositories), do I have to stop tor before using Tor Browser (installed manually from the torproject website)?

If I let Tor run and launch Tor Browser, is it a case of "Tor over Tor"?

And yet, if you install Tor Browser through the launcher package, Tor gets installed.

So I’m rather confused. Your help will be appreciated!

1. I also update my Debian stable systems using the onion mirrors for better security. I too have found that this does not always run smoothly. Typically I cold boot the machine and plug in an ethernet cable to my router. I have found that for some reason, restarting Tor using

sudo systemctl restart tor.service

is often necessary in order to connect to the Tor network. Only after connecting should one try to "reload" in Synaptic to obtain the list of packages to be updated. I find that it may be necessary to reload several times to get the list.

A particularly frustrating problem is that the critical file containing the gpg signatures is often hard to obtain from the onion mirror. It is critically important to *never* install any packages if one gets a warning that you are about to install unauthenticated packages. I do not know why this happens but I guess it may have something to do with the Debian mirrors becoming strained during updates to the repository itself. When I experience this problem, I wait a few hours and try again.

I would be happy to read a response from anyone who knows a better way of handling these difficulties!

2. Does anyone know what will happen when Debian rolls over to the new stable (perhaps by June)? Will the same onion addresses then point to the repositories needed to update a new stable system? Or will we need to obtain new onion addresses to add to the APT sources list?

It seems that the onion mirrors may often be overloaded; unless I misunderstand, this is because there is only one server handling each onion mirror. Certainly my attempts to download upgrades often time out.

In my experience downloading the upgrades often requires considerable patience and care. Especially if the list of packages to be upgraded is lengthy, it can be best to try to break down the task into more manageable pieces.

Some hints, assuming you are using synaptic and have pointed your sources.list at the onion mirrors:

o don't be afraid to occasionally hit "reload" to refresh the current list of packages still to be upgraded, but be very careful about one thing--- if you see a message about "unauthenticated" packages occurring in the list, hit reload again (installing unauthenticated packages would be even worse than not using the onion mirrors)

o if you hit "mark all upgrades" and see a very long list, don't be afraid to write down the names of the packages, start over, and mark the upgrades in small bunches

o if your attempt to download the upgrades you marked times out, respond "don't continue" and start over (apt should not really start from scratch since it should have cached the packages you did succeed in downloading the first time)

o if anything appears to have gone wrong, try to use the "details" window to see if it contains any useful information, e.g. that you require a working python-glade-2 in which case you can try to install that first,

o if synaptic appears to have hung, try being patient; if after several hours it still appears to have hung, try (possibly dangerous!) "sudo killall synaptic" and start over.

In general, it seems that the onion mirrors are a great idea and should be standard for all Debian users, but currently we need to figure out how to handle the load. At the very least this would seem to imply the Debian Project would have to issue a cryptographically signed public file containing alternative onion addresses for the mirrors (probably one set for security upgrades and one for all the rest).

I think it would be useful for the maintainers of the onion mirrors to write a second blog post in this blog, seeking feedback about user experience. This might suggest ways in which the onion mirrors can be improved.
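The hints in the comments above (retry when the onion mirror times out, never install while apt reports unauthenticated packages), as an added shell example that is not part of the original comments. The function names are hypothetical, the sample output is constructed, and the matched strings are messages apt prints when signature verification fails.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from any project.

# Succeed only if captured apt output (stdin) shows no failed signature check.
apt_output_authenticated() {
    ! grep -Eq 'cannot be authenticated|GPG error|is not signed|NO_PUBKEY|BADSIG'
}

# Run a command up to $1 times, sleeping RETRY_DELAY seconds between attempts.
retry() {
    tries=$1; shift
    attempt=1
    until "$@"; do
        [ "$attempt" -ge "$tries" ] && return 1
        attempt=$((attempt + 1))
        sleep "${RETRY_DELAY:-60}"
    done
}

# Refresh the package lists, logging apt's output to the file named in $1.
refresh_lists() {
    apt-get update >"$1" 2>&1
}

# Refresh (retrying while apt-get update exits non-zero), stop if anything is
# unauthenticated, then upgrade with unauthenticated installs disabled.
safe_upgrade() {
    log=$(mktemp) || return 1
    if ! retry 5 refresh_lists "$log"; then
        echo "apt-get update kept failing; try again later" >&2
        rm -f "$log"; return 2
    fi
    if ! apt_output_authenticated <"$log"; then
        echo "signature problems in package lists; not upgrading" >&2
        cat "$log" >&2
        rm -f "$log"; return 3
    fi
    rm -f "$log"
    apt-get -y -o APT::Get::AllowUnauthenticated=false upgrade
}

# Constructed sample of apt output, used to show the check offline.
SAMPLE_BAD='WARNING: The following packages cannot be authenticated!
  libexample1 example-tool'
if printf '%s\n' "$SAMPLE_BAD" | apt_output_authenticated; then
    echo "sample: ok"
else
    echo "sample: refused (unauthenticated packages)"
fi
```

Calling `safe_upgrade` as root performs the real refresh and upgrade; nothing in the block runs apt on its own.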

April 12, 2017

Thanks tor for Your Best Services that you provide in a country that blocks / banned some sites :::::::))))))))))