To Toggle, or not to Toggle: The End of Torbutton

In a random bar about two years ago, a Google Chrome developer asked me why Torbutton didn't just launch a new, clean Firefox profile/instance to deal with the tremendous number of state separation issues. Simply by virtue of him asking me this question, I realized how much better off Chrome was by implementing Incognito Mode this way and how much simpler it must have been for them overall (though they did not/do not deal with anywhere near as many issues as Torbutton does)...

So I took a deep breath, and explained how the original use model of Torbutton and my initial ignorance at the size of the problem had led me through a series of incremental improvements to address the state isolation issue one item at a time. Since the toggle model was present at the beginning of this vision quest, it was present at the end.

I realized at that same instant that in hindsight, this decision was monumentally stupid, and that I had been working harder, not smarter. However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to use their standard issue Firefoxes easily and painlessly with Tor.

I now no longer believe even this much. I think we should completely do away with the toggle model, as well as the entire idea of Torbutton as a separate piece of user-facing software, and rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators.

The Tor Browser Bundles will include Torbutton, but we will no longer recommend that people use Torbutton without Tor Browser. Torbutton will be removed from addons.mozilla.org, and the Torbutton download page will clearly state that it is for experts only. If serious unfixed security issues begin to accumulate against the toggle model, we will stop providing Torbutton xpis at all.

I believe this shift must be done for a few reasons: some usability, some technical. Since I feel the usability issues trump the technical ones, I'll discuss them first.

Unfortunately, the Tor Project doesn't really have funding to conduct official usability studies to help us make the best choice, but I think that even without them, it is pretty clear that this migration is what we must do to improve the status quo.

I think the average user is horribly confused by both the toggle model and the need to install additional software into Firefox (or conversely, the need to *also* install Tor software onto their computers after they install Torbutton). I also think that the average user is not likely to use this software safely. They are likely to log in to sites over Tor that they shouldn't, forget which tor mode they are in, and forget which mode certain tabs were opened under. These are all nightmare situations for anonymity and privacy.

On the technical side, several factors are forcing us in the direction of a short-term fork of Firefox. The over-arching issue is that the set of bugfixes required to maintain the toggle model is a superset of those required to maintain the browser model. Trac report #39 lists the bugs we must fix for the browser model, where as to maintain the toggle model, we must fix bugs from trac report #14 in addition to the bugs in report #39.

A similar issue exists with bugs that must be fixed in Firefox. The Firefox API bugs that need to be addressed to properly support the toggle model include rather esoteric and complicated issues that few groups other than Tor will find useful.

This means more resistance from Mozilla to get the toggle mode bugs fixed or even merged, less likelihood the fixes will be used elsewhere, and more danger they will succumb to bitrot. As a result, the lag time between fix and deployment for low-priority Firefox bugs can be as long as 3 years. See Bug 280661 for an example.

The Tor Browser bugs on the other hand are more directly usable by Firefox in its own Private Browsing Mode, which makes them more likely to merge quicker, and be maintained long-term. Also, because we are releasing our own Firefox-based browser, we will also have more control over experimenting with them and deploying these fixes to our users rapidly, as opposed to waiting for the next major Firefox release.

So, we can either invest effort in improving the UI of Torbutton to better educate users to understand our particular rabbit-hole tunnel-vision of design choices, and also solving crazier Firefox bugs; or we can reconsider our user model and try to simplify our software.

We don't have the manpower (ie: enough me) to do both. This means we should go with the simpler, easier option.

We do face a small number of barriers and downsides associated with this plan. We are collecting the issues we need to address ASAP as child tickets of this bug:
https://trac.torproject.org/projects/tor/ticket/2880

Overall, the downsides seem to mostly apply to expert users and how they will adapt the custom Tor setups they have built. We don't anticipate a lot of long term issues with this group, as most of the configuration options of Torbutton will remain available, and users should still be able to install custom addons and configure their Tor Browser profile however they need (even to the point of running it side-by-side to a system tor instance that is used for non-web applications).

Additional discussion about this issue has occurred on the tor-talk mailinglist.

Hopefully this announcement doesn't ruin your day!

Please don't do it :S Tor button is an easy way to use Tor, without it using Tor will be a bit painful..

http://ohinternet.com/File:Haters.gif

Torbutton will continue to exist as an independent XPI until we deem it totally unsafe due to serious vulnerabilities against the toggle model that can deanonymize users.

Note that currently the TorButton extension is reported to leak like crazy (increase memory usage by a factor of 3) even if you never enable Tor.

https://bugzilla.mozilla.org/show_bug.cgi?id=719329

Looks both interesting and viable to me. My understanding of Tor Browser Bundle is that it includes several apps like proxy, tor, tor-browser (aka Firefox), Vidalia, Torbutton, etc: How does that affect distros like Debian? I mean, they wouldn't package TBB, but Vidalia, browser, etc. separately. Will it be possible to package TBB separately in distros?

See https://lists.torproject.org/pipermail/tor-talk/2011-April/020105.html for this reply.

The short answer is we're already providing our own repos for Ubuntu, Debian and Fedora for the core tor package: https://www.torproject.org/download/download-unix.html.en. The plan is to add Tor Browser Bundle to these repos:
https://trac.torproject.org/projects/tor/ticket/2879

However, we'd love for our patches against Firefox to be picked up by distros. We will be making the features controllable by about:config options, so with the patches applied, it should be possible to turn the existing torbutton package into a torbrowser-like Firefox profile that you can also apt-get, if the distros take our Firefox patches.

These repos don't include a tor browser, do they? I don't see one. Is the only option for now to just use the browser bundles available on the site? A shame, but I understand it.

The repos are for installable software. Technically, tbb isn't installed, just extracted. And most people extract it to their homedir and then run it. Not much of an installation. Plus they are gzipped tar archives, not sure what the point of converting them into a deb package would be. What are your thoughts on 'installing' tor browser from a deb repo?

Probably a good choice to drop it, although creating a separate firefox profile used exclusively with tor works pretty well. This might be outside the scope of the "average" user but who is an "average" user anyway? Just finding out about tor and installing it makes you an above-average user by itself. I think that catering to the illusive "average" user has been a mistake that a lot of security developers have made in the past with no real success in adoption percentages.

However, torbutton does have problems and I would be fully behind a firefox fork that would plug all leaking holes, block plugins, delete cache and cookies etc. The only reason that I did not just plug firefox directly to the proxy and used torbutton as an intermediary is that it provided more security against leakage and decloaking attempts. Good luck with this move.

Agreed. Averaging users makes average solutions. Good luck in forking FF.

I find that most people use anonymizing software to a) access country restricted media, hulu.com for example and b) access sites blocked by government, porn for example, and these people simply google search "how to bypass web filter" and they get all these instructions to use proxies and anonymizer like tor. The most popular I know is hotshield (because a lot of blogs recommend it). So its possible for any type of user to be introduced to tor, and get confused at how tor works (they usually expect one-click-to-solve-my-problem), and finally get fedup.

I've been browsing with Tor on a separate Firefox profile anyway, so the Toggle button is not so important for me. However, I don't like the idea of having to run 2 Tor instances, one for the Browser bundle and another instance for other applications. It would be great to have a package that both installs stuff permanently (Tor, Vidalia etc) and configures the selected Firefox profile to be safe (ie. all the settings, JS hooks etc.). I also hope you sort out your issues with Mozilla and maintain a common distribution -- running 2 different versions of Firefox is another example of redundancy that begs to be avoided.

Of course. It is in everybody's interest to get patches merged upstream. The hope is that experimenting with patches on our end under a more sane UI model will result in more attractive patches for Mozilla.

My opinion, as a somewhat technical users, is that this is only good news for users. Having to figure out which browser I'm using is a lot easier than having to figure out whether the browser is in Tor mode and the Tor mode is working correctly. Plus now we can look at getting rid of Vidalia, embed the entire UI into the browser, and turn our attention to user fingerprinting defenses.

I completely understand your decision to discontinue Tor Button if it's easier and more secure to use your own web browser version. I agree it helps lower the entry barrier for new users.

"...rely solely on the Tor Browser Bundles, except perhaps with the addition of standalone Tor+Vidalia binaries for use by experts and relay operators."

Well that's good to know. I like to proxy rss feeds in FeedDemon.

hey mike i have a windows 7 machine running Tor with firefox 3.5 browser bundle. is it safer than using the new Tor browser bundle with firefox 4?

This is hard to say. We definitely don't expect anything major like proxy bypass from any of the Tor Browser Bundles. Fingerprinting issues are the major concern, and Firefox 4 may have more fingerprinting issues than Firefox 3.5, due to new HTML5, WebGL, and CSS features, but we don't have measurements on how much fingerprintability these new features provide... We do intend on doing our best to improve these issues as fast as we can, though.

Please tell us in simple and plain English what you are planning to do how will affect everyday users of Tor in troubled parts of the world in which we heavily rely upon Tor to protect us from being identified and live under heavily censored Internet filtering.
Are we going to loose Tor safety ?
Anonymous.

We expect the safety of the average user to be vastly increased through use of the Tor Browser Bundles. That's why we're doing this. Use the Tor Browser Bundles.

You guys are really crazy. In a fell swoop you managed to make it impossible to (a) Use Tor for the average user without the TorButton (b) Eliminated all vestiges of the app from everywhere (c) Provided a browser which is impossible to find once you install it in Os X (show me where it (Aurora) went ? I have to unpack it from the dmg every time to use it. Yet Aurora has a Tor button - which can't be toggled, but you can certainly use a proxy switcher to do this

You are just not thinking beyond the confines of your own world of programming and expertise. Even for some average Joe like myself you just wiped yourself off the map. Is that because you are are really not the programmers who are trying to provide anonymity, but you actually work for someone else ? Get real. Sure I am going to get a flood of arguments explaining what a fool I am. Well tell you what, I may be a fool, but I sure as hell can't get this thing (TorBrowser) to work properly in Os X
Do you even CHECK what you are producing?

And as a codicil. I am sure someone is going to tell me how ungrateful I am. Yes, I am. But its you guys who built the software and want people to use it. I am your customer albeit a non paying customer. If you don't want to build solid software then don't bother building anything. Drop the pretense.

But frankly I am really tired of trying stuff that works erratically and unreliably. FIX IT or DROP IT. This is so amateur hour.

Dude, they do it for free, I was a bit annoyed by the change at first too, but they did not do it to be dicks, they did it because they provide a safe product and could no longer do so with the latest versions of firefox. Using TOR is a hastle, even with the software to make it easier. IE torbutton. It's not easy to be no one on the internet. I am a network admin by trade, and I was a comp sci major in college, who had to take many programming classes - I still don't have the knowledge to make something like this by myself. I am only reaching this post at this time because I don't read up on TOR and the update on hit me as I run a little behind as I use ubuntu, and I just got the update.

I for one am greatful I live on a planet where people make me software I am not smart enough to write myself, and give it to me for free. Sure I come accross a lot of free software that sucks, but I simply choose to not use it. I sure as hell don't blast people if I dislike the software that took them hundreds to make it and give it to me for free. Instead I like to send emails voicing issues I have with using it and how I think the product would be improved if this or that feature were added. You would be amazed at the number of open source developers reply back with something like "OMG, I never considered that, thanks for the idea!" and then you get an email a month later saying "I think I did what you wanted, install this version, let me know what you think"

Open source developers litteraly give up thier lives to make cool things for people. They sure as hell don't make money off thier projects. They have real world jobs for $$. What they do for the world is just a hobby. So yes, I think you are ungreatfull when you expect perfection out of a person who likely works a real job and likely stays home on Saturday nights writing code to improve a product he or she will never see a dime for, and gives it and it's source code away for free!!! The Code is available, if the product sucks so bad and you are so upset, take the code and run with it yourself. You are not a customer, you have the ability to change it how ever you want, just get to work.

That's extremely sad to read...because of usability problems.

The biggest thing is redundancy of configuration - I have Firefox heavily customised, spend a lot of time on managing it and *really* don't want to do it twice. It's a killer, makes me want to fork Torbutton, but I don't know it's innards (or Firefox's) but I don't really have time to maintain it - so it would rot and silently become insecure w/out a warning. I really don't know what to do...

The second thing is USB-portability problems. You can't run 2 copies side by side.

And I find the switch to be a comfortable thing. Why have a separate window? Why wait 15 seconds for startup (yes, I have many addons) when a switch takes a moment?

This is an interesting point, and one that goes back to users shooting themselves in the foot unknowingly with the toggle model. Each addon you add to change your browsing experience alters your fingerprint in terms of the requests you make, and how things render. Arguably you should not be adding a whole bunch of strange addons to your anonymous browser, especially ones that alter request and rendering behavior... This just makes you stand out to exit nodes and websites, and having this same strange request and rendering fingerprint for non-tor use can technically be used to deanonymize you...

That said, we don't intend to disable the ability to install addons to the Tor Browser profile, and the future goal is to have it upgrade itself in-place using our secure updater called Thandy, which should preserve your settings.

We also envision the average user running both instances of Firefox simultaneously, but this may be problematic due to RAM consumption. We expect users tight on RAM to use a lighter browser as their primary one...

Of course, if we're lucky, our patches will all get merged upstream, no new security issues will appear against the toggle model, and you'll be able to keep running the Torbutton xpi and your tricked out combination of addons yourself for quite some time.

I'm protecting myself from ISP spying, so websites or exit nodes being able to identify me aren't a problem.

Still, doesn't Tor button protect from others reading addon information? At least Panopticlick fails with it.

Will the forked Tor browser be detectable and therefore blockable by a remote website or application, allowing people to disable the browser from using their sites/apps?

Yes. We make no attempt to conceal the public list of Tor Exit Nodes. While we do not encourage blanket bans, we do provide DNSRBLs to sites to make it easier to recognize Tor users to provide them with captchas, account creation limits, and to otherwise respond to urgent cases of abuse: https://www.torproject.org/docs/faq-abuse.html.en#Bans

This applies to all versions of our software, and all packages.

As such, the anti-fingerprinting measures we apply only serve to attempt to give all Tor users a uniform fingerprint, and not to make their fingerprint necessarily identical to a web "norm".

I agree with your decisions on all points. I use torbutton but it's not what I'd call "friendly" or "reliable". I'm a professional linux sysadmin and it still confused me at first...using it on Ubuntu on a laptop...so there you go.

I look forward to your fork! Also, thanks for all the hard work....I know people really appreciate it. I know I do.

The fork is not the primary reason for doing this. It is meant to be temporary, and to make everyone's lives easier. : )

I am very disappointed that you have not bothered to build the tor browser for PowerPC Mac OS, even if only as a nightly build.

We always need help because there are not enough people that can take care of all things regarding Tor. Will you help us and in turn help the community to port Tor to PowerPC on Mac OS?
Just offering to help is helpful. We need your help!

So is it possible to install both FireFox and the TOR browser bundle on the same computer? Or is it one or the other?

It is possible to install both. The Tor Browser keeps its Firefox profile in its installation directory, not in the standard mozilla path. Your normal Firefox will not see Tor Browser data.

Some bundle sounds nice for Windows users, but Linux uses like me won't be installing no bundle or anything. I use seperate browser profiles for different things and I always hated the whole toggle thing: What I would like is to just install the firefox extention on the firefox profile I use for tor and done. I would like "torbutton" to not have any on/off button, if it's installed then it should always be activated until I turn the extention off. this wouldn't be so hard. if something like this were to be "for experts only" then fine, as long as it's available. I really always hated the fact that torbutton allows you to turn the thing off when I have no reason to do that ever in the seperate Tor firefox profile and only a security risk.

Thank you! Keep up the good work

wow, finally somebody thinking about uniform fingerprint!

very good Mike, it is really out of control now with all those fingerprint options..

will you focus on all of them in your bundle?
same User Agent (even in javascript), headers, fonts, timezone, etc..?

refering paper here:
https://panopticlick.eff.org/browser-uniqueness.pdf

Like others commenting above me, I stopped using Torbutton's toggle a long time ago and instead use separate Firefox profiles for surfing with or without Torbutton.

I've got a ton of add-ons installed in every profile, but sites like Deanonymizer or Browserscope are never able to tell which ones. So I'm not sure that add-ons present a fingerprinting threat.

I realize that your mind is made up, but perhaps replacing the toggle with a profile switcher could have mitigated any concerns?

P.S.: I think the "preview" for comments here is new? Thanks for that!

Hey!

So Tor is pretty cool. We like it at Mozilla. If you're having problems with getting things fixed upstream, please reach out to me, as I drive a lot of bug priorities. My email is blizzard -@at@- mozilla.com.

(We get a lot a lot a lot of bugs and things just get missed from time to time.)

And there might be options for browser bundles, too, that might make your lives easier. It's worth talking about if you want to do your own browser distribution.

Thanks!

--Chris

Forking is stupid, Firefox is on rapid release now and you'll always be out of date and obsolete compared to Firefox. Don't be stupid and put users at risk because you can't keep up with the security fixes.

An exciting development indeed. I cannot wait to see how this turns out. So does this mean all traffic will be forced through Tor, or will end users have the option to turn it on and off. I am curious if I will be able to switch to different anonymization tools depending on situational constraints.

Either way, thanks for your work. I have used your stuff when traveling to some some very unfriendly places intertubes-wise, and I felt much safer doing things with the TorBundle.

I don't think this is good idea. You could keep both; developing Firefox add-on and fork your browser. Firefox is more powerful & has very big community. One thing more i like it too much is the Firefox Add-ons repository, so please keep add-on there.

We could, eh? Did you look at the number of tickets of those two trac reports mentioned in the article (#14 vs #39+#14)? Are you volunteering to fix the bugs in the toggle trac report (#14)?

You realize that otherwise, all of these tickets need to be solved by me, right? And Torbutton is not even the only thing I work on with Tor. I also work on 3 other pieces of the system..

I don't think there's necessarily "more resistance from Mozilla" for getting Tor fixes into Firefox.

Bug 280661 isn't really a great example... No one in that bug said we didn't want it; the difficulty in getting it reviewed was largely that the SOCKS code is crufty, unowned that no one is actively working on it. I'll be the first to admit that out review process can be confusing and slow, and the delay between the first patch appearing (Nov 2009) and getting a review (August 2010) really really sucks. But once that happened the patch author didn't update the patch (to fix problems found in review) for 4 more months. When it was, the updated patch got reviewed again -- within a week! -- but again wasn't updated to address review issues for another 2 months. Eventually the reviewer took over the patch, and it got wrapped up and landed in a few weeks.

So, yeah, the Mozilla review process failed for the the whole year the first patch was waiting. Terrible. But it wasn't at fault for the next 6 months of waiting. And those last 6 months were what caused it to miss Firefox 4.

Anyway, my intention isn't to cast blame (except for our admitted year of fail :), just to point out that things are more complicated than it taking "3 years to fix and deploy".

While I don't have the time to fix the Tor-priority bugs myself, I'm more than happy to help with process issues and poke people as needed to help move things along in a more timely manner. Let me know where I can help, we don't want things to be painful!

(Justin Dolske, Firefox developer)

You're right. Bug 280661 isn't a representative example for most of the bugs I'm talking about that apply to the toggle model either. It only exemplifies how the review process can make things painful in terms of forcing us to delay for months on something if we miss a deadline by a few days/weeks. If we have our own browser as our only recommended software, this problem goes away.

But, it is not the only problem with the toggle model, as I said in the post.

In addition to the disparity I mentioned in our own Trac Report bug lists, we also have had a whole bunch of Firefox bugs that only make sense to fix for Torbutton as a toggle model extension:
https://www.torproject.org/torbutton/en/design/#ToggleModelBugs

We've been trying to figure out how to even approach some of these for years, as they require expertise of someone who understands deep magic of the JS interpreter, network request paths, and TLS details. We get little feedback or help from Mozilla developers who are naturally busy with other things that are more important to Mozilla as a whole. There are also a ton of additional bugs that used to be on this list that we've since discovered hackish workarounds for (like clearing SSL Session ID state and OCSP state by toggling a pref) that probably should have been solved better. It is questionable if anyone else needs any of these things to be fixed, ever. At least this is the tenor of the responses we've gotten on the bug tracker in the past, and it does make sense.

If we just abandon the idea of the toggle model, all we need to do is prototype patches that are useful to Private Browsing Mode. These patches will naturally get way more attention than Tor-specific patches that only apply to the toggle model. Moreover, if we are building our own browser, we get to benefit immediately from writing these patches and testing them right away, as opposed to investing effort that may not be realized for unknown quantities of time, depending on release cycles and code freezes that are less visible to us than you may assume.

Nice.
But that's a lot more work as 'only' a Torbutton?

Have you enough programers for that?
It's really more complicated?

Please read the post and the comments.

This question has been answered 4 times now (once in the article, once in a previous comment, once wrt Firefox patches themselves in the above comment, and once here).

I like torbutton the way it is. Although I live in the USA and while paranoid I don't believe anyone is actively out to get me (at the moment :). I'm lucky enough to not live in a country were censorship is rampant. I still like to use tor when I need to but not all the time because here in America the network would be classified as slow. So when I don't need it I turn it off. I like the toggle model. It makes it easy. When I need it I turn it on and when I don't I turn it off.

Just my 2 cents. If I was in China or Lybia I might say just the opposite that I want the browser bundle but I'm not so I like the button.

I think this is a good idea, and will make things easier for non-technical users. One thing I would suggest is to make it easy to install to and run from a USB key. Thank you.

What about the support under Firefox 4. Tor button doesn't exist, can we expect that soon or not? (Windows 7 32bit , Firefox 4)

thx

Hmm, I'm not so sure this is the best way to go...
We'll know quantitatively down-the-track hopefully.

mike, am i completely anonymized if i log onto my facebook account? im using firefox 3.6 with tor and no script on windows 7 machine. thank you.

IMHO, a very bad idea.

Having a separate browser:
- makes it much more uncomfortable for users
- less likely to be used
- much more likely that new security holes are introduced in the fork
- much more likely that upstream security holes are not fixed in the fork

Forking (what you effectively do with Tor browser) is mostly a very bad idea.

- It will be much more difficult to use tor,... different user profiles,... bookmarks etc.
- Security updates get easily forgotten in the fork.
- etc. etc.

Scenario 1: I open FF, start Private Browsing, have NS and AdBlock + going, TorButton toggled Off, and bring up CNN.com

Scenario 2: Everything is the same as above but TorButton is toggled On.

Let's also assume that both these scenarios are isolated, in the sense that I do not have both going at the same time ( i.e. six different FF windows open )

These are two things the 'average' user ( hey, thanks for calling me 'average' up there! ;) might do who is new to Tor.

And let's also assume I'm not doing any heavy file downloading ( like BT ) and am not allowing any Java/Jax content to load.

What is the 'risk' to me, the average user, between both these scenarios? What is the gain? I haven't found this answer in anything written here.

With Tor button, I can switch between both scenarios *without* having to close FF and re-open it again. And I'm just an average user.

Please understand I'm an average idiot...erps, user....so may ask average questions.

But, I like playing with new browsers too, so am not worried about your decision so much as curious. I also think, given you have so few resources in terms of either paid or volunteer engineers, you must do what you must do. I hope everyone who follows your work will remember that and balance their critique against this knowledge or, if they're super-propellor heads, will help you get the work done if they have the better solution.

I hope the new UI just stays the same with Firefox, not to showy - not identifiable on the first look. This is quite important when using tor in some public places.

The Fight Against Browser FingerPrinting & Creating New Firefox Release for
Non-Tor usage based on Tor Browser bundle

This post is cross-posted on tor-talk mailing list.

I don't understand what each setting does in Tor Button as it is too
complicated in the settings.

For example:

Resize windows to multiples of 50px during Tor usage etc.

All I know that the default settings that ship with the Browser bundle is
good, and that it stop Browser Fingerprinting, protects your privacy, and
more secure, and has better privacy features built in, compared to regular
versions of Firefox.

One thing that will help in the fight against browser fingerprinting, is
releasing the Firefox version as shipped in Tor Browser bundle, which can be
used without tor.

What I mean is, right now I use my regular ISP for browsing, because it is
fast.

If I decided to use the Tor Bundle, I will need to make changes so as to
satisfy my daily browsing needs, such as enabling Flash videos etc. And the
proxy settings to make it direct connection.

What I would like is for Tor Project to release a fork of the Tor Browser
bundle, which only contains the Firefox part.

When I ran some fingerprinting checks on https://panopticlick.eff.org/ , the
things I noticed most is that:

a. Time Zone = 0

in regular Firefox it reveals my Time Zone = 420

(probably too much resistance at Mozilla/Bugzilla to make it 0 for
everybody?)

b. Screen Size and Color Depth = 1000x400x24

in regular Firefox it reveals my real Resolution = 1024x600x24

(probably too much resistance at Mozilla/Bugzilla to remove this info for
everybody?)

Oh and I have still not figured out how to install Flash plugin in the Tor
Bundle.

If you go to Add-ons ==> Plugins, there is no flash, or other plugins.

There is however Google Talk Plugin. I wonder how it got into the Browser
Bundle.

But all other plugins in my regular Firefox, are not in the Browser Bundle.

I have not bothered with tinkering with any Tor Browser Button settings,
just so it can play flash videos, after all it is going to be a horrible
wait to stream Youtube, for example.

Oh and each time the Tor Browser Bundle is updated, I have to re-install
Ad-block plus and my other Add-ons.

I do NOT use No Script because it is too confusing.

Anyways the point I am trying to make here is that if Tor or EFF released a
Firefox version that helped with the fight against Browser Fingerprinting,
it would be great.

I see that the fight against Browser Fingerprinting is fought mainly when
using Tor Bundle.

The Firefox devs are probably hesitant to implement stuff required to fight
Browser Fingerprinting as according to them, it takes away for the "browsing
experience".

That attitude is wrong.

Say after you release a version of Firefox that has better techniques to
fight against Browser Fingerprinting, I would hope that the Firefox devs
would atleast consider adding a Check Box in the Options where a user can
say Yes I want to join the fight against Browser Fingerprinting. If everyone
has the same fingerprint (which will never happen due to various browsers
for one thing), you will have eradicated the thing that is browser
fingerprinting

I really like Tor Button, it's cool. But it's your baby, so do what you think is best! Now I'm already running two browsers at once (Opera to watch my mail accounts), so adding a third is no big deal to me. Tor Browser could be just as cool as the button if you added a link to your website showing us how to replace the Firefox logo with the Tor logo so that Tor Browser would pop out at me on the taskbar (for those of us who would like to; I see by the May 25th post some would not).

sounds like as ..."I like to ride, that's because I'm busy with the re-invent the wheel"... is it required?!

I never toggle Torbutton. I have a special user-account with newest Firefox + Torbutton + other Addons which i only use with Tor. I nned Torbutton for correct proxy- and security-settings.
I very much hope that Torbutton will developed in future!! If it will be no "button" anymore it´s ok for me.
Thanks a lot!

Tor and the bundle projects are deeply appreciated. But when Mike notes in this thread article, "Unfortunately, the Tor Project doesn't really have funding to conduct official usability studies to help us make the best choice.," one is left to wonder what is being done with the massive influx of dollars from US goverment money to Tor's project(s). Tor devs are bringing in at least $Two-million from government agencies according to this site's funding list. What, exactly, is Torproject doing with this money? By the way, the "anonymous NGO's" contributing over one million dollars th this project do not exist. NGO's NEVER make anonymous large donations. Both tax-law and the utility of fundraising for any NGO rely on openness.

Mafia content hates you lol

Like Jan. 3rd 2012 comment. I also have a special TOR only Firefox installed. I run it in Sandboxie with it's own install folder. Along with 3 other regular Firefox Sandboxie installs. Just use that -no-remote setting. I just started using the -no-remote so I can have 2-3 Firefox's running at the same time with many windows/tabs for each. It's been working great so far. You have to create shortcuts __from__ the Desktop, which in Sandboxie isn't straightforward right away (can't go to folder and click _send to desktop_ it does NOT work;
example (in Win Explorer, hit _Shift_ then Right Click and hit _Copy As Path_ and paste that in the first shortcut option:

"C:\Sandbox\WinUserName\SndBx_c010512\drive\C\Program Files_Sandboxed\FF_SndBxd_Main1_i010512\FF_SndBxd_Main1_i010512.exe" -p FF_SndBxd_Main1_i010512 -no-remote

I rarely use TOR, but when I do, I use the TOR Button one. Just name it FF_SndBxd_TOR-Main1_i010812.exe It makes it much easier to remember when you have multiple ones running. Just leaving them at firefox.exe is harder to keep track of.

I read with Firefox 10 and on they are making it easier for Add-ons to be compatible from the start.

Will this not make it easier for TOR Button to stay alive?

Like someone else said; "It will be much more difficult to use tor,... different user profiles,... bookmarks etc." with the Tor Browser Bundle. I've used it before, but someone also said when they update they loose all they're previous addons and bookmarks. I assume you can just copy your profile and then paste it back in, but since the Tor Browser Bundle is a custom fork, that may cause a security setting from your old profile to mess things up.

*** I however think the Tor Browser Bundle is a great idea for some people. I just highly prefer the TOR Button over it. ***

Thanks either way for the options. Also see you have Tails, that seems like a good addition to your offerings.

Keep up the good work.

PS I highly recommend Sandboxie to Windows users. Last 3 months two websites I go frequently have had they're Ad Networks hacked, which has caused virus's on peoples PC's, some had to reformat they were so bad. Luckily Avast stopped them anyways, let alone Sandboxie would have. It's just an extra layer of protection, as I sometime turn off AV since it slows down PC when I have so many programs (3.8GB of programs) running. As I'm sure others also turn off they're AV programs.

Bug-Report! Torbutton deletes all cookies, can not rearrange tabs

I am using on Win98SE with KernelEx Firefox 3.6.22 (last supported version). Torbutton makes a bad mess off it. Most annoying is that it ALWAYS deletes all cookies when exiting Firefox (ignoring my many manual exceptions for special websites) when I want to remove only of normal cookies at session end, which makes Torbutton useless to me.

The other severe bug is that I can not manually rearrange tabs or bookmarks anymore so long Torbutton is installed (even when off), thus it seems to mess up Firefox' inner working badly.

CYBERYOGI =CO=Windler

I'm not installing more stupid shit. It's official. You took out the toggle. As far as I'm concerned, Tor is dead.

Plugin..... DELETED!!!

I'll take my chances with being monitored. If it's not easy, it's not worth it. This isn't North Korea. Hopefully if enough people stop using this "browser bundle" shit they will get their shit sorted out and put the torbutton back to the way it was before, perfectly good for what we needed it to fucking do.

What you most want us to do is roll back the clock to the days when Firefox didn't put out a new release, packed with new privacy issues, every six weeks.

I wouldn't mind doing that either, actually. Let us know if you have a way.

(Maybe moving to Chrome will be the answer -- https://www.torproject.org/docs/faq#TBBOtherBrowser. But then again, maybe not.)

Recently, I noticed that single click is opening the folders or Windows randomly, instead of a doble click. It is like double clicking to open it instead of selecting it.

Yesterday( June 1,12), I noticed that the Torbutton toggle function in FF has gone and froze up all the programs. Then a message appeared to remove the torbutton. After removing it, the double-clicking problem is cleared.

I don’t want to use the browser bundle since that doesn’t work for VoIP calls, like Evaphone.

I wonder you would add that Torbutton again or any work around to use Evaphone through Tor.

ATTENTION PLEASE:

The tor project has long since begun to stink of black op government compromise.

The lawless military/police state that most of us unknowingly live in has been in the business of infiltrating opposing entities for a long, long time. They create bogus opposition that they control, they infiltrate existing organizations to influence their direction, they set up honeypot organizations to find out who opposes them, etc.

What stinks in the TOR world? Among other things I don't have time to go into now:

1. When I recently went to visit the internet, the torbutton that I had installed a long time ago into a standard Firefox browser suddenly stopped toggling, and gave me a long message saying so. Question is: HTF did you get an old piece of add-on code installed in my browser a long time ago to suddenly change its functionality??? What bizarre entree into my browser do you have, and how did you get into it? Did my old version of torbutton have some kind of remote control comms built into it so that you could fnck with it without my knowledge later on?

2. You push the browser bundle these days. Nice idea. But here's what you make the browser bundle do: when you start it up it is pre-set to automatically make contact with your start page: "It looks like TOR is working!" And there's no way to keep it from doing this without causing tor to not work thereafter. In any event, the average user wouldn't be able to figure out how. What's your interest in forcing all tor users to visit that page every time they begin browsing? For those of us who know that tor is just as liable to compromise by military/black op infiltration as any other group, how do you expect us to assume that this mandatory URL launch isn't intended to establish a starting point for tracking each of us when we go online? Why TF don't you get rid of this unwanted and potentially revealing mandatory first connection, especially when you take into account no. 3 below? This is way suspicious. And don't tell us that it "helps us dumb users know if tor is working or not": I can do that myself by visiting any site I want and looking at the bandwidth graph.

3. In adition to the above, look what you do: You make the NoScript add-on part of your browser bundle and ... get this ... YOU SET ITS DEFAULT SETTINGS TO "ALLOW ALL CONNECTIONS."!!! Do you see what we've got here, people? First, you're forced to connect to a particular web page, and you're forced to do so with SCRIPTING TURNED ON, which means that your real IP and other user agent data is potentially revealed to whoever can see your script-based traffic to that web page. Your friendly allies at torproject (and almost certainly the military intell and cointelpro entities that run them) all have the means to know your real IP, location, and user agent data when you first begin browsing. So smart. And so evil. And why do we not notice?

(Do you think you just use the "New Identity" command to get you safely lost again? Don't count on it. Apparently, that command doesn't set up a whole new, randomly selected set of 3 nodes for you. It only changes the exit node. And you do know, of course, that the number of nodes out there that are actually run by our friendly paternal surveillance state is likely to be near 100%. They have infinite money, so why wouldn't this be true? This is especially true for exit nodes. After all, which one of us average folk is REALLY likely to run an exit node and have our commercial ISP see all the "subversive" content come out of our little account? Can you imagine the sh1tstorm of attention you would draw to yourself if you ran an exit? Let's face it: none of us do it. The only ones who likely DO run exit nodes are either governments or government fronts or government-run assets. If the same is even mostly true of regular nodes, TOR is just one massive honeypot designed to give intel agencies the real down dirty goods on those of us who want to do, read, and communicate in secret. To which much use can eventually be put. ... Of course, by the way, don't think that just because no one gets arrested from doing illegal things on TOR that that means anything. Cops CAN'T be called for anything seen on tor, or the whole honeyput would come down and no one would come near it anymore. Bad people can do bad things on tor and not have the cops find out. That's not proof that it's actually successful. That's because it's not for cops. It's for higher order surveillance for higher order purposes. For the State to keep an eye on a certain kind of element. They're not going to blow the whole charade by busting some kid or some pervert for some merely criminal charge.)

A handful of open-source programmers have no money. Whereas the military industrial establishment has massive, effectively unlimited resources. Billions of off-sheet cash and everything it buys to get us all to slowly, subversively sell each other out without ever realizing how it happened until it's too late (which probably ain't gonna be long from now). In fact, to go further, how certain can we be that TOR hasn't been owned and betraying all of us for a long time now, if not even from the very beginning possibly?

Don't get me wrong: I will still use TOR because it is the only thing we have, but I will do so with the realization that everything I do using it MIGHT be going direct to our masters despite my efforts. And I will always try however I can to figure out how to thwart whatever bits of sabotage they've built into the tor system over time, like the first-start script-enabled contact with home base that I already talked about.

For sh1t's sake and your own too, ALWAYS assume that your favorite allies in the privacy and anonymity business are compromised. Because they have to be. The State is too rich by trillions of dollars for them to not have tried and for them not to have been successful. It's too easy for them to kill, cheat, bribe, outwit, and buy off absolutely anyone. (Look at Popular Mechanics magazine vis a vis 911 for one example among many.) The best and main tool we simple, innocent, naive folk have is to look at things with squinty eyes, be suspicious, and cry foul loudly at every turn. Look at the developers funny. Ask 'em "why" a lot. If they're privacy advocates, they HAVE TO UNDERSTAND that this is necessary. I don't care if it's free and they work for nothing. It doesn't matter. If anyone is to be able to trust that it works, the developers have to accept and EVEN ENCOURAGE suspicion verging on hostility on the part of the users and the public in general. Look at everything our friends and "allies" do, every change they make over time, with maximum suspicion. Connect a few dots every once in a while. Ponder. "How could this or that change screw with my actual privacy while continuing to appear protective?" Speak. Ask questions. Doubt the sincerity of the answers. Ask more questions. Express your doubts and theories. Look at the backgrounds of all key players and look for strange coincidences. Publish them in blog comments and elsewhere. Did developer X work for a military contractor 7 years ago? Is developer Y married to a former member of US Army intellilgence? You get the idea.

Regards, Ragnar

P.S. The tor project got rid of a brilliant piece of anonymizing software a long time ago, Privoxy. Why would they have done that that? This allowed us to change our user agent string on a per-site basis, among a hundred other things. This is a suspect move. (And I mean explain it without any pitifully childish excuses like "research found it was too difficult for users to understand" or "the original developers stopped upgrading it.")

Today at restart of my new FF version, I just suddenly got this lame pathetic box requiring me to uninstall Torbutton (because that's the very only option right ?). Like Ragnar above, I'd like to know how the fuck this piece of code got upgraded only today while this thread started in May 2011 and I have add-ons auto upgrades.

But anyway, the argument about making it easy for average lusers is bullshit. If you want to babysit lusers, tell them to never turn of the torbutton under any condition and that's it. Or lock it down with a user pref that beginners can't even find out by error. But for fuck's sake, GIVE A CHOICE to advanced users.

That's exactly the same shit from FF team with things like not allowing anymore the javascript:blah() directly in the URL window. Let the fucking advanced users a chance to do things the way they want and the way they are used to, if they know what they're doing. Make it just difficult for the lusers to turn it on accidentaly.

I'm pissed that not only the government forces me to do things "because they know what's best for me" but know even developers are getting a fucking ego and know what's "best for me".

Tor is dead for me, and uninstalled.
kthxbye

hello.
thank you for TOR.
when using it.onion i got the gold-rush feeling of early 90s internet back again : )
it is from community for community. no flashing expensive, tracking and ad weight-down web 2.0.
-
the bundle works very well. down-load! unzip! go!
but please don't dumb down everything.
please also provide tor-firefox standalone -and- tor-button for people who have TOR-service on seperate computer(*).
please keep tor-button for regular-firefox. it is the only way to override "smartness" of firefox by removing auto-add "www."to address and to not have it do dns lookups.
the tor-button makes regular firefox socks 4a!
Thank you!

(*) i have TOR installed as service on another computer. but i have 2 desktop computer i use. without tor-button i have to use "tor-bundle" on each one.
with tor-button i can just add ip:port of tor-server in the proxy-socks field in firefox.
All dns-lookup:53 are being hijacked (iptables) to the TOR-server, so no leak there, and dns-lookup always go thru tor!

Syndicate content Syndicate content