Tor Browser 7.0.4 is released

by boklm | August 8, 2017

Tor Browser 7.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

A lot of Tor Browser components have been updated in this release. Apart from the usual Firefox update (to 52.3.0esr) we include a new Tor stable release (0.3.0.10) + an updated HTTPS-Everywhere (5.2.21) and NoScript (5.0.8.1).

In this new release we continue to fix regressions that happened due to the transition to Firefox 52. Most notably, we avoid the scary warnings popping up when entering passwords on .onion sites without a TLS certificate (bug 21321). Handling of our default start page (about:tor) has improved, too, so that using the searchbox on it is working again and it does no longer need enhanced privileges in order to function.

The full changelog since Tor Browser 7.0.2 (for Linux since Tor Browser 7.0.3) is:

  • All Platforms
    • Update Firefox to 52.3.0esr
    • Update Tor to 0.3.0.10
    • Update Torbutton to 1.9.7.5
      • Bug 21999: Fix display of language prompt in non-en-US locales
      • Bug 18913: Don't let about:tor have chrome privileges
      • Bug 22535: Search on about:tor discards search query
      • Bug 21948: Going back to about:tor page gives "Address isn't valid" error
      • Code clean-up
      • Translations update
    • Update Tor Launcher to 0.2.12.3
      • Bug 22592: Default bridge settings are not removed
      • Translations update
    • Update HTTPS-Everywhere to 5.2.21
    • Update NoScript to 5.0.8.1
      • Bug 22362: Remove workaround for XSS related browser freezing
      • Bug 22067: NoScript Click-to-Play bypass with embedded videos and audio
    • Bug 21321: Exempt .onions from HTTP related security warnings
    • Bug 22073: Disable GetAddons option on addons page
    • Bug 22884: Fix broken about:tor page on higher security levels
  • Windows
    • Bug 22829: Remove default obfs4 bridge riemann.
    • Bug 21617: Fix single RWX page on Windows (included in 52.3.0esr)
  • OS X
    • Bug 22829: Remove default obfs4 bridge riemann.

Comments

Please note that the comment area below has been archived.

August 08, 2017

Permalink

Just wanted to share my gratitude for keeping with the Firefox release cycle. Over these past few years, I've deeply appreciated the team's sync to avoid TBB users using known-outdated firefox code!

August 08, 2017

Permalink

H0w d0 I c0nfigure Wget f0r use with the t0r br0wser bundle? please, i'm starving 0ut here and need s()me fast f00d via Wget!

It's much simpler to use system tor for that.
# apt-get install tor
# apt-get install torsocks
$ torsocks wget 'URL'
+ add iptables rules to block tor's bypassing and DNS.

yes, system tor is the way to go, but if you aren't on a system where it is easily installable (or you are, but you don't have root) you can easily tell programs that support SOCKS to use the Tor Browser Bundle's tor process (its SocksPort is listening on port 9150 instead of the 9050 that system tor uses).

Unfortunately wget doesn't seem to support SOCKS, so, if you can't use torsocks (which makes wget or most any other TCP program use socks automatically) maybe you can use curl instead of wget? Just tell curl --proxy socks5://localhost:9150 and it will use your tbb tor. HTH,HAND,LLAP

August 08, 2017

Permalink

Many heartfelt thanks to all the Tor devs! I shudder to think where we would be without all of you and all the great things you have since years now!!!

August 08, 2017

Permalink

Tor Browser 7.5a4 and Tor Browser 7.0.4 both released on Aug 8 2017. There is probably a simple answer to this which as yet I do not know. Why both and or what is the difference.

When I use https://www.torproject.org/download/download it shows 7.0.4 which I am using. Is this the stable, or whatever, version and 7.5a4 is not? Sorry if I do not know the basics. Thank you.

Regards

What most people want to use is version 7.0.4 which is the stable version.

The 7.5a4 version is an alpha version (as all versions which have an 'a' in their version number). It contains experimental features that have not yet been tested enough to be included in the stable release. You can use this version if you want to see new features earlier, or want to help us at finding bugs.

August 08, 2017

Permalink

Thanks for another release! Can I know when (roughly) will windows users get content sandboxing in TB? :)

August 08, 2017

Permalink

wäre schön das die Übersetzung auf deutsch ist wenn man schon eine deutsche Installation hat !

August 08, 2017

Permalink

Finally!I was beginning to wonder about the warning on pwrds on onion sites.Caused some very worrying searching for a reason.Figured it out,but still had that little nagging doubt.

August 08, 2017

Permalink

do you know why everytime the Atlas is used, this pops up?

"No Results found!

No Tor relays or bridges matched your query :("

Are you allowing (or temp allowing) scripts? Or, do you have 'bridge' enabled in Tor settings... but have invalid or outdated Bridges? those are the first two causes that come to mind...

August 08, 2017

Permalink

Hi

have involuntarily/automatically updated to 7.04

Now there is no more sound in webpages. Have tested it with various youtube and other sources. A very small bar in the top area of the browser content area tells 'to play audio you may need to install the required pulseaudio software'

???

my os is debian 7 32bit

August 09, 2017

In reply to gk

Permalink

It was already discussed in comments for previous 7.x TBB releases. It's quite simple solution, AFAIR. Namely, you need to recompile TBB enabling ALSA again. Mozilla didn't remove ALSA code, they just disabled ALSA flag. Why don't you recompile it with ALSA support? Instructions were posted in long discussion in Mozilla bugreport list.

Thanks for that hint. As a last resort I'll try that way.

A minute ago I wrote, that pulseaudio is installed and running.

ALSA is installed too but not running

(forgive: I'm an average 70% knowledge user and not so much into the details)

a.t.m. my quick n dirty solution would be to use tor browser 6.5.2 in case I 'have to' see a video

.. normally I do not see any videos at all :)

greetings

a.t.m. my quick n dirty solution would be to use tor browser 6.5.2 in case I 'have to' see a video

Well, this is my case too. I spent about 1 hour trying to get PA running on my customized Debian, but failed. Mozilla forces us to use vulnerable and outdated version of the browser. Since it runs in VM, it is relatively safe. However, it is still not good solution, at least, from the point of anonymity. Anybody using special version of outdated TBB is well seen among TBB users.

August 09, 2017

In reply to gk

Permalink

(I came up with this topic)

Yes, I've been reading a lot today about that topic.

BUT:
in my standaard debian 7 system (nothing tuned or experimented with)
pulseaudio is installed (have never cared about it) and has probably been installed since a year
pulseaudio is running (can see it in ps)

standard firefox esr (non-tor) which is 52.2.0 delivers video _with_sound

btw. my old torbrowser 6.5.2 (don't kill me, it's just my in_case backup) delivers video with sound

What I've read in various mozilla discussions people made it a hot topic alsa vs. pulseaudio
and the general hint was 'install pulseaudio and problems will be gone'

But I do have it installed and it's running...

Any ideas or help?

thanks and greetings

Are you getting the Firefox directly from Debian or have you been testing the one from Mozilla? I am asking because Debian compiles it with --enable-alsa. (You can check the build flags by opening about:buildflags in your browser)

August 10, 2017

In reply to gk

Permalink

So, Debian people don't afraid your argument:

Because that code is unmaintained and nobody is tracking security issues and providing bugfixes once they show up.

and recompiled it. I think user database behind Debian fork of Mozilla is much higher than amount of TBB users.

Well, I understand that it is simpler to take upstream version and do not care about sound issues, but the far perspectives of this approach are bad. What will be the next? Will I have to install systemd to get TBB working? Will I have to migrate to Ubuntu spyware to use tor browser? Tor Project has already forked firefox to apply special patches, so supporting of that ALSA code (it wasn't disabled because of bugs, but because of "make life easier for devs"!) would not be so exceptional thing in general.

August 10, 2017

In reply to gk

Permalink

The non tor firefox is directly from debian (deb 7 stable)

about:buildflags results in an error. have found elsewhere about:buildconfig which I think is what you meant.

FF ESR 52.2.0 32bit has the compile flag --enable-alsa
Tor Browser 7.0.4 (based on FF 52.3.0) (32-bit) does not

So probably the debian people had mercy/were friendly or how ever to name it.
The different behaviour of two 52.x firefoxes can be seen as solved.

Though strange that while FF playing sounds I do not see ALSA in processlist.

Still not clear, why no sound in tb 7.04 though pulseaudio installed and running.

For the secondbest solution, I have downloaded tb 7.03 (which played sounds) and will use that - forbidding it to update - til I find a way to make tb 7.04 produce sounds.

thanks and greetings

Wait are you saying that only 7.0.4 is affected but earlier 7.x versions are working? Looking at our changelog nothing comes to mind that could have caused this. Could you try whether the problems exists with Firefox versions provided from Mozilla as well?

https://ftp.mozilla.org/pub/firefox/releases/52.3.0esr/ has the one 7.0.4 is based on and
https://ftp.mozilla.org/pub/firefox/releases/52.2.0esr/ has the one 7.0.3 is based on.

August 15, 2017

In reply to gk

Permalink

>Wait are you saying that only 7.0.4 is affected but earlier 7.x versions are working?

Yes, exactly so - though it may not sound logical.

I had wathed a video clip with 7.03 the evening before without problems. Next day the update to 7.04 came up (I had used tb for just some minutes looking for a topic in the news, ending tb then.) So the update to 7.04 rushed in and since then no sound in videos.

Maybe an incomplete/faulty update? I'll try to download a virgin 7.04 installer and see. Will report back.

greetings

August 15, 2017

In reply to gk

Permalink

Problem is gone, don't know why ...

In tb 7.04 in about:config
search for 'media.decoder' (without quotes)
brought up 4 lines some days ago when I had no sound in videos.

Now the same procedure comes up with only 3 lines, which are identical in both cases.
media.decoder-doctor.notifications-allowed
media.decoder-doctor.verbose
media.decoder-doctor.wmf-disabled-is-failure

! The one line that doesn't exist anymore NOW was:
media.decoder-doctor.MediaCannotInitializePulseAudio.formats / user set / string / *

#-#-#-#

Now the big surprise: I do have sound now with tb 7.04 !

I have not knowingly changed anything.

I have not reinstalled a fresh tb 7.03 or tb 7.04 as I intended to before

#-#-#-#-#

A strange miracle

But I'm really happy because tb does behave now as it should.

Maybe deleting that variable can help others who have the same problem.

August 11, 2017

In reply to gk

Permalink

How will this affect users of Qubes/Whonix? From what I've been told, Qubes uses an ad-hoc vchan protocol to send audio to dom0. I assume it uses ALSA, so does this mean it will have to be updated to support PulseAudio? Or is it possible to make PA output to ALSA like a shim?

August 09, 2017

Permalink

The Tor projects guys are the best in the world! Thank God they exist!
What the world would be without the effort of these lovely people?

August 10, 2017

In reply to gk

Permalink

This is either a security issue or a false alert by Rising AV. Give it to your IT security staff or to your developers, so they can do some evaluation and introduce changes accordingly (if needed).

I don't think there is something need to be done by the Tor team. Tor is open-source, so it would be impossible that such malware could be placed inside the code. This should be dealt by Rising AV.

August 09, 2017

Permalink

Allow Bookmarklets?

For more than one version back from today's, possibly beginning with first 7.x release, bookmarklets do not respond.

I set the Tor Button Security Level to High, and leave Noscript extension to allow bookmarklets. I assume that by a change in TBB7, the High security level overrides Noscript extension option/setting that allows bookmarklets.

So I wonder how to initially set TBB at highest Security Level, then allow bookmarklets to run from Bookmarks Toolbar?

Thanks in advance...

August 09, 2017

Permalink

I don't suppose it matters much but...

It says in the changelog that "Bug 18193: Don't let about:tor have chrome privileges" has been fixed in 7.0.4.
Bug 18193 wasn't fixed in this release; bug 18913 was. The numbers got switched.

August 09, 2017

Permalink

They should make the icon and name of the Tor Browser more discrete and/or customizable, in case there may be more than one person using the computer it is installed on. It would be nice to be able to change the Icon to something else, and change the name associated with it to something else. Or maybe offer an alternative install option, just for "same computer privacy" issues. In which the installation of the Tor Browser is given a different name, install path, etc. Other local users may not be as responsible with its use if they found out about it.

What system are you on asking for this so someone can tell you how to do it? An onion on the desktop is an attention seeking conversation starter. I replaced mine with a great big A in a circle and labeled it FU! ;)

When Tor browser bundle is closed no browser history is retained. If any expert is able to view all the files on your device it would be trivial to determine that you have Tor browser bundle installed, even if the name and icon is changed. Using bridges with pluggible transports can make it very difficult for local users to determine that your using tor. You can get bridges with pluggable transports at bridges.torproject.org

August 09, 2017

Permalink

DownThemAll AddOn is installed but will not show in Tools or context menu, why?
In 7.0.2 it was working perfectly.

August 10, 2017

In reply to gk

Permalink

After a clean install on macOS the DownThemAll AddOn runs fine again.

It seems something gets broken on automatic upgrade of the TorBrowser bundle. I reinstalled a fesh 7.0.2, added the DTA, check it was working. Then waited for the automatic upgrade, restarted the Browser, checked again and DTA was not showing up in the menu anymore.
I deleted the TorBrowser-Data folder and restarted again, but nothing changed. Removed the AddOn, restarted, reinstalled DTA, checked: nothing, restarted, checked again: nothing.

Strange, but as long as the AddOn runs fine again after a clean install I am fine with it.

Hm. I tried to reproduce that on my Linux box but I can't. Could you set extensions.logging.enabled on your about:config page and check your browser console (with Ctrl+Shift+J) after this happens again and report back if there are any related error messages visible?

Never.

Something comparable could be built but is not something I have any plans of working on. If you wish to see it happen and have $250k US or so to fund such a project, e-mail me.

"looking at".

IIRC they made seatbelt profiles, I'm not sure if they're any good though.

Anyway, the original question is totally nonsensical because bubblewrap is a tool that relies entirely on Linux namespaces and seccomp-bpf, neither which are available on OSX.

August 09, 2017

Permalink

I'd like a PARANOID Security Level option added to the slider, right above the High setting.

Enabling this option would enable the most.. paranoid of configurations, blocking as much as possible and really locking things down. Because even at the High setting, there are too many things NOT locked down.

August 12, 2017

In reply to gk

Permalink

You probably lack the time, but I wish at least one Tor dev was regularly skimming the Wikileaks Vault 7 documents, Citizen Lab tech reports on reverse engineered state-sponsored malware, etc., trying to make sure that you are not missing any technical clues which could assist you in improving Tor Browser's resistance to state-sponsored malware. I suspect that you could skim several dozen such documents and find nothing relevant to Tor, but then the very next one would tell you something you really need to know. To find the interesting one you might have to read dozens of boring ones, that's the catch.

Many thanks to you and all the other devs for your hard work! I often feel that our very lives depend upon it.

August 09, 2017

Permalink

7.0.4 - set the security settings to high, notice globalscript icon isn't crossed out, check manually - allow scripts globally (dangerous) is still checked as enabled. wtf.

Does this happen with a clean Tor Browser 7.0.4? On which platform?

Edit: More importantly: on which page is this happening. Note that we exempted the Tor Browser startpage, about:tor, from those restrictions as it is a trusted page and it would be broken otherwise.

August 10, 2017

Permalink

Question: Is server-versions in cached-microdesc-consensus only a suggestion, 0.2.4.24&0.2.4.23 are routable too, or only torversions in server-versions are
routable?

August 10, 2017

Permalink

I cant open https websites in this version.
Returns:

Secure Connection Failed

An error occurred during a connection to www.google.com. SSL received an unexpected extension. Error code: SSL_ERROR_RX_UNEXPECTED_EXTENSION

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

August 10, 2017

Permalink

I have noticed some versions below, that updating over the TorBrowser itself caused my antivirus Avast to report an infection. In that case i've deleted my old version and installed the new archive from the website - without any problems. The last version without any founds was 7.0.1.

The newest update will acted the same but this time in the new version 7.0.4 and the fresh Alphaversion 7.5a4 will reported as virusses - not only from Avast - many other tools will do it too (Malwarebytes Antimalware, EEK). I think this is a false positive but what if it is not? TorBrowser Win7 32bit

This was found:
Avast: firefox.exe - IDP.ALEXA.51
torbrowser-install-7.0.4_en-US.exe - IDP.GENERIC
Malwarebytes-Free: firefox.exe - Trojan.Agent.E

Other Tools will found similar infections...

Using Linux now until this case is closed as save...

Is that the official Tor Browser binary, downloaded from our website? It should be signed with a digital signature from us. And verifying the GPG signature should show that it is signed by our signing key

Well, if it would not be a false positive then all our Linux build machines would need to be infected with the same viruses/trojans or better: would need to have tools installed that implant those trojans/viruses into the executables during build or after it. We use several different build machines to verify that we get bit-for-bit matching binaries before we release a new version which is a defense against compromising one build machine and infecting the resulting binaries with malware.

So given that, I still believe those reports are false positives.

I can't tell if your complaining avast is right or not. But I have even seen my avast stop the download of the avast antivirus update file some time ago. The file to be downloaded 100% sure came from the avast site. I was stunned :) The solution was to use the avast live updater on several machines in our classroom one after the other.

But in your case: asking is ok. Better safe than sorry

August 10, 2017

Permalink

Just wanted to suggest a "New Tor Circuit for this site" button be added to the toolbar since it would make things much easier than having to always press Ctrl+Shift+L

August 11, 2017

Permalink

Hi my friends.
thanks this program. this program is very excelent...
thank you.....thank you

August 11, 2017

Permalink

Sehr geehrte Damen und Herren

Ich bin begeistert von Ihrer Alternative.

Mit freundlichen Grüssen

Siegmar Koehler

August 12, 2017

In reply to gk

Permalink

By the way, the high CPU usage doesn't all happen at once but will increase more and more as I scroll down the news feed.

August 11, 2017

Permalink

UPDATER and FIREFOX - in Tor Browser\Browser both in capitals - were quarantined.

After the "update", all browser extensions were gone and the startpage was an ordinary Mozilla Firefox one, leaving me with a stripped Tor Browser.

What the hell happened?

It seems your antivirus/firewall tool thought the update is some malware and decided unilaterally to break Tor Browser. I guess one way you could try to work around that is installing Tor Browser new again. Or better: you could think about removing/replacing your antivirus/firewall tool.

August 11, 2017

Permalink

An error occurred when shutting down browser.

APPCRASH
firefox.exe
52.3.0.6242
00000000
nssckbi.dll_unloaded
0.0.0.0
00000000
c0000005
71b7da4c
6.1.7601.2.1.0.320.65
1042
0a9e
0a9e372d3b4ad19135b953a78882e789
0a9e
0a9e372d3b4ad19135b953a78882e789

August 12, 2017

Permalink

On a Mac should I not see the obfs4 bridge? On My Mac I still see the bridge but it looks like it should of been removed according to the update "Bug 22829: Remove default obfs4 bridge riemann."

August 12, 2017

Permalink

Please fix:
- start standalone tor;
- start torbrowser;
- all ok;
- close standalone tor;
- start standalone tor;
- all ok, but tor circuit become hidden in torbutton

and add onion version of blog.torproject.org (missing in https://onion.torproject.org)

August 12, 2017

Permalink

Hi, is it normal that the tor circuit network to be so slow ? Can't even watch a video on youtube correctly since some days :/
Takes me up to 30 mn to find a circuit able to load the videos :/

Do I have to check something in the settings ? Any suggestion ?

August 12, 2017

Permalink

How can I enable the function which re-establishes tabs of last session? I see it is grayed out. TY.

August 12, 2017

Permalink

When turn on Tor Browser 7.0.4 and previous versions, in Noscript recently blocked sites it says "aliexpress.com". Only Tor Browser does this not Firefox.

August 13, 2017

Permalink

about:config -> browser.chrome:

favicons and site icons should be disabled (toggled FALSE) for various reasons.

August 13, 2017

Permalink

The function for reestablishing tabs from a previous session is disabled (grayed). How can I enable it? TY

I'd suggest making sure there's a trac.torproject.org ticket about the topic, else it's likely to get lost. Keeping track of blog threads is not easy, and definitely not the right place for keeping track of potential bugs. :)

August 27, 2017

In reply to arma

Permalink

Ok, but then why did you guys ask me substantive questions in the original thread instead of directing me to create a ticket straight away?.. This gave the impression that this (the blog) was also a valid avenue to discuss bugs.

Often things can get solved without creating tickets in our bug tracker which is why I tried to get information that would help me reproducing your bug. But so far I don't see this behavior on any of my machines and you are the only one reporting it. I've opened https://trac.torproject.org/projects/tor/ticket/23342 for this issue with another question for you.

August 28, 2017

In reply to gk

Permalink

Well, that's what I thought! And that's why I kept commenting (and was surprised when my last comment had been left unanswered). And here I am being told that comments are not a proper venue for bug reporting... "Sad!" :)

August 29, 2017

In reply to gk

Permalink

(1) I tried re-installing Tor Browser 7.0.4 on my system again (as I had done here https://blog.torproject.org/comment/269931#comment-269931 with version 7.0.2), same result, AdBlock loses its settings.

BTW, how do I get rid of the annoying warning not to maximize my window?.. I tried pressing the "Ok" button, I tried pressing the cross next to the "Ok" button, same result - warning reappears. I know with previous reinstalls the warning would disappear after a while. But how do I get the browser to understand I am serious about keeping my window maximized? :) I mean, how many presses on those buttons does it take?

(2) I see the ticket, thank you. So you want me to install Firefox ESR, right? I already have regular Firefox (with uBlock Origin, not AdBlock Plus) and Tor Browser. How do I proceed to ensure installing Firefox ESR does not mess up my main Firefox profile, settings, etc?

Re (1) It takes 3. You can disable this early if you want by flipping the extensions.torbutton.resize_new_windows preference. (Thanks for testing again)

Re (2) if you run the installer you choose the custom installation where you can specify a path for the ESR to be installed. If you are starting with your old profile (not sure if you have more than one) then you can create a new one on about:profiles. After a restart you should get the option to choose between your main profile and the newly created testing one.

September 04, 2017

In reply to gk

Permalink

Yay!!! The last update (7.0.5) has fixed things! The filter lists no longer disappear after a restart!

September 05, 2017

In reply to gk

Permalink

Hm, interesting!

I do have the Security slider on Medium.

August 27, 2017

In reply to arma

Permalink

Also, surely, I CANNOT be the only one relying on a combination of Tor Browser + AdBlock Plus to protect my privacy and security!.. One simply HAS to use an adblocker (if not to block ads, then to block trackers) if one were to attempt to browse safely and privately. So this issue HAS to affect a lot of other people. Or am I the only one??? I don't think I have some unique configuration, pretty run-of-the-mill stuff...

August 28, 2017

In reply to gk

Permalink

Ok, then why does the Tor Browser in Tails come with a pre-installed uBlock Origin? :)

And even if you think adblockers and their ilk don't enhance one's privacy, how about security? Using adblockers is almost universally recommended by computer / IT security experts. Bruce Schneier, to name just one.

https://mailman.boum.org/pipermail/tails-dev/2014-November/007299.html ff. and the discussion on tails-dev in October 2014 has some more information about their stance. IIRC it was seen as a political statement.

Regarding security: I guess those blockers are recommended to "normal" browser users not having a specially crafted browser available. For the security part we have the security slider included into Tor Browser.

August 29, 2017

In reply to gk

Permalink

Ok, I guess you are mostly :) right on privacy and security. (However, suppose someone keeps the security slider on Low, for more convenient browsing. Wouldn't an adblocker still offer protection against, I don't know, stuff like malware being served in 1x1 transparent pixel ads?)

But, I mean, come on, I think you gotta concede on the sheer horrendousness of adblock-free browsing!.. I don't think I can add much to this:

>> Why give shitty ads to our users when it's easy to avoid them? I
>> think a good number of them are going to manually install and
>> persist adblock, which will be worse than having it by default
>> for everybody (I assure you, nobody ever complained that ads
>> are blocked).

September 15, 2017

In reply to gk

Permalink

Another thought, which hadn't occured to me earlier for some reason. :)

Browsing with adblockers is known to be significantly FASTER. I think it's a pretty important consideration for Tor Browser, which is, after all, known for being slow! (Not the browser itself, obviously, but the Tor network itself.)

August 28, 2017

In reply to gk

Permalink

Also, as you perfectly well know, browsing without adblockers is simply a horrible experience! :) I mean, from the visual point of view, from the point of view of usability, etc.

August 15, 2017

Permalink

https://trac.torproject.org/projects/tor/ticket/22981
JS in Medium over https: trusted key not key holder, minimize surface.

https://trac.torproject.org/projects/tor/ticket/23151
https://trac.torproject.org/projects/tor/ticket/22985
https://trac.torproject.org/projects/tor/ticket/22982
https://trac.torproject.org/projects/tor/ticket/22980
+others

Maintain largest user pool, diverge from default High only per component per tab.

Current High/Medium/Low option ensures each user signals a divide between themselves, splitting the largest pool based on subjective "feels" creating three separate identifiable pools. Implement as default "Your Tor Browser is at highest.." with option to "reduce security level for minimal *"
Per basic component: *Video, Audio, in browser Email Encryption etc per tab via click to play menu?

August 15, 2017

Permalink

On Ubuntu LTS 16.04 Tor browser is tied to Firefox 54. Is anyone else experiencing this issue?

August 15, 2017

Permalink

https-everywhere 2017.08.15 stable release doesn't work properly.
the small option window in toolbar is blank and there is no option menu in about:addons.

August 16, 2017

Permalink

What's with all of the France and Germany nodes? Often I'll see:

France
France
France

Germany
Germany
France

Germany
France
Germany

Germany
Germany
Germany

and so on.

There are a lot of relays at a couple of VPS hosting companies. That's somewhat unfortunate.

If you don't like it, help Tor by running a relay at an underrepresented provider :)

August 16, 2017

Permalink

New HTTPS Everywhere add-on (v.2017.8.15) is broken in current Linux, 64-bit, TBB version.

Manually/auto update(s) install the add-on, but when you click on the blue box it opens up a white box with no text and one check mark for some invisible option. Removed and reinstalled previous version (v.5.2.21).

I have the same problem. Did anyone even bother to test the updated addon before releasing it?

See, this is what concerns me. They say to update the included addons which ship with TBB but when something like this happens, couldn't it have other ripple effects including but not limited to potential security/privacy issues?

> See, this is what concerns me. They say to update the included addons which ship with TBB but when something like this happens, couldn't it have other ripple effects including but not limited to potential security/privacy issues?

Yes. The plan moving forward is to disable auto-updates for all built in addons.

See:
https://trac.torproject.org/projects/tor/ticket/22974
https://trac.torproject.org/projects/tor/ticket/10394

August 17, 2017

In reply to yawning

Permalink

Thanks for the details, links, and for bumping one of the tickets with recent info.

August 16, 2017

Permalink

I seem to not be able to run Tor v7 on my windows 7 enterprise laptop. Has anyone else had this problem? I have had to reload earlier versions of Tor (V6) in place of the upgraded Tor version.

August 16, 2017

Permalink

7.0.4 : bug /attack
noscript : removed 5 lines set on https tab vs https forced of course (cookies checked !)
noscript : permissions = no set vs proxy/tor
https everywhere : set unblocked vs https block all unencrypted requests of course (red)

x3 install until a clean install
sandbox not affected

interference of the user behavior using terminal or usual task ? i do not think so.
suspicion of a sophisticated attack/a very bad relay/a big bug lol

August 17, 2017

Permalink

'HTTPS EVERYWHERE" sort of corrupts itself after every few days of using "TB 7.0.4". All items/options from the drop down menu which appears after pressing the 'https everywhere' icon disappear. Only two checkboxes & the word "version" remain. Anyone with similar experience or info about the cause and its solution ? OS:- WIN 7

August 17, 2017

In reply to yawning

Permalink

Thanks for the quick response. Question:- Can't we just remove 'https everywhere' from addons and then reinstall it from mozilla's addons in tor browser itself only ? FYI:- I did this once it seemed to work well enough as far as all the items/options, etc got back into there former (active & being there) state.Is doing this allright ? Although one thing seems obvious, that this will be a shortlasting solution.Untill there is a sure fix. (Wanted to keep 'noscript' enabled globally) If i am making a mistake by acting on the procedure mentioned above, please 'warn' me ! Please reply !

This may break incremental updating. Since this issue is a browser bug at the core, I don't expect fetching the addon from a different source to give different results, assuming the versions are the same.

As an alternative, you can selectively disable automatic updates for addons under `about:addons`, which should prevent

August 21, 2017

Permalink

Is the maximize-window-warning handling a bad joke??

Site is loading, WRONG click, browserwindow pops maximizing, site seeing
monitor size, THEN maximize-warning pops up.
What? Are you kidding me?

Warning must popup/asking before browser maximize.

August 23, 2017

Permalink

dear tor, i found this surfing the deepweb and wanted you to know. don't know if its fake or real but you might know...

http://yjrb5bvdgbrs2rhi.onion

Experiments on realistic conditions
This contains the code we used for our paper, "On Realistically Attacking Tor with Website Fingerprinting."

We wrote "notes" for each of the following, which describes how to run and use the files:

Training update. For testing a training set updating scheme.
Splitting. For split finding, split decision, and pre-splitting. About 100 MB.
Classifier. Takes packet sequences collected in the wild as input, and performs time-based splitting, classification-based splitting, and kNN classification on them. About 700 MB.
Tor Logging. Implementation of Tor logging for the above. This is necessary for the file format required by the classifier. Note that the classifier is only allowed to look at time and direction; other information is not available to the website fingerprinting attacker.

August 23, 2017

Permalink

Just to mirror what everyone else has said about this fantastic Tor browser and the work done keeping it going...thank you very much

August 23, 2017

Permalink

Hi. Can't browse instagram through tor now. It shows:

Error

Please wait a few minutes before you try again.

August 24, 2017

Permalink

do you recomend useing ublockO in Tor? and second i had it installed now it is no longer working

We do not recommend it. See for a broader discussion about the filtering topic https://www.torproject.org/projects/torbrowser/design/#philosophy section 5: No filters.

That said it should work if you really want that. What security slider level are you on (did you change it from the default) and on what operating system does this happen? Do you get an error or how else do you know it is not working?

August 28, 2017

Permalink

I'm still new to this and truly trying to understand the benefits and how it works. I saw something regarding Tor on Viceland and that is what led me here in the first place. I have downloaded the browser and am ready to use but am hoping someone in this thread will help me understand a little further.

August 28, 2017

Permalink

Can you tell me if its normal for the tor circuit to show "bridge OBFS4 (United States)" and other times it just shows "bridge OBFS4"

You mean you are using the same obfs4 bridge? That would be strange but I can imagine that the IP address of a different bridge can't properly be mapped to a country by the ip-country-database used for that and then nothing is added in parentheses.

August 30, 2017

Permalink

no way to get tor7 to work on debian wheezy. Not the downloadable packaged stand alone torbrowser, nor the installed tor and torbrowser launcher. The packaged just does not connect and does not give any errors, v6.5 works fine. The installed tor after updating and installing cannot connect with error: cannot reach host ipnumber:port. Disbaling the firewall makes no difference.

August 30, 2017

Permalink

I forgot to add that using obfs and bridges also made no difference, v7.04 cannot connect. v6.5 no problems whatsoever connects immediately and directly.

You downloaded Tor Browser from our website, right? Did you start it on the command line (in your tor-browser_en-US directory, assuming you have the en-US version) with something like ./start-tor-browser.desktop --debug --log? What output do you get?

August 31, 2017

Permalink

Just want to say thanks for all the hard work, however after the new version i can not long run tor on a windows 10 PC tyr to reinstall and disable the FW/AV but now luck appears task manager then disappears, any one elase had this issue? (note: older versions work)

September 01, 2017

Permalink

7.0.4 crashed with

  1. <br />
  2. Sep 01 21:50:35.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.<br />
  3. Extension error: TypeError: browser.ownerGlobal is null chrome://browser/content/ext-utils.js 800<br />
  4. [[Exception stack<br />
  5. <a href="mailto:getBrowserId@chrome" rel="nofollow">getBrowserId@chrome</a>://browser/content/ext-utils.js:800:9<br />
  6. @chrome://browser/content/ext-tabs.js:79:26<br />
  7. <a href="mailto:runSafeSyncWithoutClone@resource" rel="nofollow">runSafeSyncWithoutClone@resource</a>://gre/modules/ExtensionUtils.jsm:71:14<br />
  8. emit/promises<@resource://gre/modules/ExtensionUtils.jsm:384:55<br />
  9. <a href="mailto:emit@resource" rel="nofollow">emit@resource</a>://gre/modules/ExtensionUtils.jsm:383:20<br />
  10. WebRequestEventManager/register/<a href="mailto:listener@chrome" rel="nofollow">listener@chrome</a>://extensions/content/ext-webRequest.js:51:7<br />
  11. <a href="mailto:runChannelListener@resource" rel="nofollow">runChannelListener@resource</a>://gre/modules/WebRequest.jsm:721:24<br />
  12. <a href="mailto:observe@resource" rel="nofollow">observe@resource</a>://gre/modules/WebRequest.jsm:504:9<br />
  13. Current stack<br />
  14. <a href="mailto:runSafeSyncWithoutClone@resource" rel="nofollow">runSafeSyncWithoutClone@resource</a>://gre/modules/ExtensionUtils.jsm:73:129<br />
  15. emit/promises<@resource://gre/modules/ExtensionUtils.jsm:384:55<br />
  16. <a href="mailto:emit@resource" rel="nofollow">emit@resource</a>://gre/modules/ExtensionUtils.jsm:383:20<br />
  17. WebRequestEventManager/register/<a href="mailto:listener@chrome" rel="nofollow">listener@chrome</a>://extensions/content/ext-webRequest.js:51:7<br />
  18. <a href="mailto:runChannelListener@resource" rel="nofollow">runChannelListener@resource</a>://gre/modules/WebRequest.jsm:721:24<br />
  19. <a href="mailto:observe@resource" rel="nofollow">observe@resource</a>://gre/modules/WebRequest.jsm:504:9<br />
  20. ]]<br />
  21. Sep 01 21:57:42.000 [notice] Owning controller connection has closed -- exiting now.<br />
  22. Sep 01 21:57:42.000 [notice] Catching signal TERM, exiting cleanly.<br />
  23. windows.onRemoved event fired after context unloaded.<br />
  24. [Parent 20315] WARNING: waitpid failed pid:20398 errno:10: file /home/debian/build/tor-browser/ipc/chromium/src/base/process_util_posix.cc, line 268ng on Linux with Libevent

September 01, 2017

Permalink

there are still some problems with loading, idk if it's with my internet or international servers, but i'm just letting you know that it's abnormal compared to other ways of browsing. this usually occurs when entering links presented on search engines. thank you

September 08, 2017

Permalink

i get the same error
in the mac disk image mounter
for tor dmgs since half a year:

image could no be mounted

no mountable file system

all other dmgs work fine

osx 10.9

i have completly unistalled tor and wanted to reinstall it.

i downloaded and unzipped wit various browsers languages programs

September 18, 2017

Permalink

I have downloaded Tor-Browser 7.0.4 and discovered right after installing this browser
in Resource Monitor - a tool in map system 32 of Windows - that more then 30 ip-addresses
were connected with Tor.exe.
These ip-addresses don't appear after installing Tor-Browser and I wonder if this is a security shortcoming .
These ip-addresses can connect to Tor.exe any time and overlook coonection tot he internet.

November 03, 2017

Permalink

I just wanted to say Thank You So Much. I wish I had money to help out, but the best I can do is offer my computer as a guinea pig and try out the beta version.
Thanks again, and so far everything is working great!