Tor Browser 4.5.1 is released
A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.
Tor Browser 4.5.1 is based on Firefox ESR 31.7.0, which features important security updates to Firefox.
The 4.5.1 release also addresses several regressions and usability issues discovered during the 4.5 release. The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name. This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well.
With this release, 4.0 users will now be updated automatically to the 4.5 series.
Note to MacOS users: The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic. You will be instructed to perform a manual download instead. Moreover, as of this release, 32 bit Macs are now officially unsupported. For more information, see the original end-of-life blog post.
Here is the list of changes since 4.5:
- All Platforms
- Update Firefox to 31.7.0esr
- Update meek to 0.18
- Update Tor Launcher to 0.2.7.5
- Translation updates only
- Update Torbutton to 1.9.2.3
- Bug 15837: Show descriptions if unchecking custom mode
- Bug 15927: Force update of the NoScript UI when changing security level
- Bug 15915: Hide circuit display if it is disabled.
- Translation updates
- Bug 15945: Disable NoScript's ClearClick protection for now
- Bug 15933: Isolate by base (top-level) domain name instead of FQDN
- Bug 15857: Fix file descriptor leak in updater that caused update failures
- Bug 15899: Fix errors with downloading and displaying PDFs
- Windows
- Bug 15872: Fix meek pluggable transport startup issue with Windows 7
- Build System
- Bug 15947: Support Ubuntu 14.04 LXC hosts via LXC_EXECUTE=lxc-execute env var
- Bugs 15921+15922: Fix build errors during Mozilla Tryserver builds
Comments
Please note that the comment area below has been archived.
Thank you.
Thank you.
I wanna thank anyone and
I wanna thank anyone and everyone involved in help provided to keep what we say and do private. From regular Joe's like me to other's who must be incognitoI once again thank everyone for what do.
This happened also on
This happened also on previous updates.
When tor is updated, timestamp on log output wrap
to UTC time (I assume)
[geshifilter-code]
May 13 06:28:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
ERROR: Error verifying signature.
ERROR: Not all signatures were verified.
May 13 07:37:27.000 [notice] Owning controller connection has closed -- exiting now.
1431491849254 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849255 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849255 addons.update-checker WARN HTTP Request failed for an unknown reason
1431491849256 addons.update-checker WARN HTTP Request failed for an unknown reason
May 13 04:37:30.136 [notice] Tor v0.2.6.7 (git-ac600bec40c14864) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1m and Zlib 1.2.3.3.
May 13 04:37:30.136 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
[/geshifilter-code]
Are you concerned about the
Are you concerned about the errors? They are essentially false positives as the MAR files are not signed with the first key that is included in the source but the second one in these cases. See: https://bugs.torproject.org/15532.
Are you concerned about the
Are you concerned about the errors? They are essentially false positives
You mean that
OK.
When tor is updated,
When tor is updated, timestamp on log output wrap to UTC time (I assume)
Of couse log output timestamp return to correct when tor is manually restarted.
Seems that tor does not preserve timezone information when it restarts itself?
There is no TZ variable in the environment (when tor is started from command line).
Also seems that tor browser
Also seems that tor browser (that version and previous version) also crashes sometimes.
This is not a only case.
Jondonym's anonymity test on
Jondonym's anonymity test on http://ip-check.info/index.php?lang=en shows a red field marked "bad": window.name is traceable. Your unique ID: ###### (the same number as the "local storage" ID which is marked orange (medium risk)).
With the "Smart Referer" Firefox extension installed and configured as follows:
Mode > send nothing as referer
Strict (treat subdomains as different domains) > unchecked
the test shows a green field marked "good": window.name has been anonymized.
So Tor Browser really needs an additional extension to prevent tracking???
Well, that depends. See:
Well, that depends. See: https://www.torproject.org/projects/torbrowser/design/#identifier-linka… section 12 for what we are doing.
You don't need an additional
You don't need an additional extension. If you move the security slider under Onion -> "Privacy and Security Settings" to high, JavaScript gets disabled, and window.name disappears.
32bit Debian Wheezy user
32bit Debian Wheezy user here. I successfully auto-updated from TBB 4.0.8 to 4.5.1 . Auto-update worked perfectly for me! Thank you.
13.05.2015 11:19:56.100
13.05.2015 11:19:56.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
13.05.2015 11:19:56.779 [NOTICE] Bootstrapped 80%: Connecting to the Tor network
13.05.2015 11:20:05.776 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 10; recommendation warn; host 5C69846F6B71D1C55475987FEAD2F96D62A4CD92 at 89.163.227.28:9001)
13.05.2015 11:20:07.320 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 11; recommendation warn; host 3018E8B182E44AA4AEFA19972BA71B34E4A183C2 at 188.230.91.135:9001)
13.05.2015 11:20:07.775 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Permission denied [WSAEACCES ]; RESOURCELIMIT; count 12; recommendation warn; host E2BD5F4F366DB494EA1FAD785CFA53F9439BB110 at 162.248.94.205:5277)
"The update process for Mac
"The update process for Mac OS 10.6 and 10.7 users will unfortunately not be automatic." Why is that?
https://blog.torproject.org/b
https://blog.torproject.org/blog/end-life-plan-tor-browser-32-bit-macs has an explanation.
My default search engine was
My default search engine was changed to disconnect.me in this update, instead of the ol' Startpage. Can anyone offer a comparison of the privacy they guarantee to help me choose?
Thanks Tor Team for this update, by the way!
I hadn't seen that
I hadn't seen that additional search engine.
I tried a search. The site creates a unique url that omits search terms. the unique part looks like about 20 hex characters plus dash characters,
i reloaded the url and the page showed the same results and search terms. But assuming this url is a "permalink", a bookmark would need manually added information, because the url doesn't give a clue.
According to Tails' blog
According to Tails' blog posted a few hours earlier than mikeperry's post, it's stated "We disabled in Tails the new circuit view of Tor Browser 4.5 for security reasons. You can still use the network map of Vidalia to inspect your circuits."
If Tails' developers are correct, why do Tor developers not disable it in the Tor Browser Bundle 4.5.1?
Would mikeperry, erinn or arma wish to clarify?
This is **exactly** what I
This is **exactly** what I wanted to ask in the Tails blog post, but they don't allow asking questions in their blog here (which is pretty lame, IMO!). Also, Tails doesn't have their own blog at their site, or easy way to contact them :(
I would really like to get a response on this, as well.
Looking at the tails
Looking at the tails changelog I see this:
"Unfortunately its per-tab circuit view did not make it into Tails yet since it requires exposing more Tor state to the user running the Tor Browser than we are currently comfortable with. (Closes: #9031, #9369)"
But it looks like this issue is about #9333?
https://labs.riseup.net/code/issues/9333
I don't see why allowing it via. Vadalia is better, or more conformable? And what exit node would Vadalia show, considering each website may use a different exit node with current TorButton?
And I don't see why it's a security risk to have the per-tab circuit view.
Comments from experts would be very welcome.
I really think if Tails has a blog here they should allow comments for each post. Or if not, they should include info on how best to contact them regarding blog post xyz.
Tails has a different threat
Tails has a different threat model, in that they need to account for other application's traffic going out over a system-wide Tor instance, vs just Tor Browser's traffic (the bulk of the Tor Browser users).
I'm not particularly convinced that allowing Vidalia (long since unmaintained) full control port access is any better than allowing Tor Browser (which is maintained but presents a much larger attack surface) control port access, but I am not a Tor Browser developer, and can be quite paranoid at times.
See: https://trac.torproject.org/projects/tor/ticket/8369
Please read Tails ticket
Please read Tails ticket about the issue before jumping to conclusions:
https://labs.riseup.net/code/issues/9298
Thank, but less snark next
Thank, but less snark next time would be nice. Even better, would be Tails blog post adding a little context next time they claims something isn't secure.
These security reasons don't
These security reasons don't apply to Tor Browser outside of Tails, since it has full access to the Tor control port anyway. We at Tails plan to improve our documentation on this topic: https://labs.riseup.net/code/issues/9391#note-3. Sorry for the communication mess :/
Thank you very much. Your
Thank you very much. Your work on Tails is appreciated. Tails is great.
ip-check.info couldn't
ip-check.info couldn't detect or display computer time here, is it being protected by TBB or just a trick?
Your timezone is set to UTC.
Your timezone is set to UTC.
is Tor still safe while
is Tor still safe while Running via a Local Proxy ? (For example :Freegate )
Yes.
Yes.
FreeGate is not an open
FreeGate is not an open source project and is developed by US government, be care.
FreeGate is indeed not open
FreeGate is indeed not open source, and is probably bad news for a variety of reasons. But I know some of the FreeGate developers, and as far as I know they are not "the US government".
Sticking to facts on critiques of closed-source systems will help people learn to reason about them better. :)
You might also enjoy
https://svn.torproject.org/svn/projects/articles/circumvention-features…
Could I please direct gk's
Could I please direct gk's attention to (the last two) my posts under 4.5 regarding a possible problem with DNS lookup?
Since the above changes to 4.5.1 do not mention any change to dns look up, presumably the problem will still affect 4.5.1.
Thank you
There is no bug with respect
There is no bug with respect to DNS lookups that we know of. Not sure what your setup is like but Vidalia is not included anymore in Tor Browser for a while now as it is unmaintained. We strongly recommend using Tor Browser instead of some home-grown setups.
GK thank you for your
GK thank you for your response:
a - I use Tor Browser, plus Vidalia since, disappointingly, the new TOR versions do not give as much information as Vidalia did/does.
b- Just because Vidalia is no longer maintained does not mean that it no longer works.
c- I still feel that there is a problem re DNS (but due to the indecipherable catchas on Trac Tor I cannot report it) or else why would I see the warning: ""Potentially Dangerous Connection! - One of your applications established a connection through Tor to "XXX:XXX" using a protocol that may leak information about your destination. Please ensure you configure your applications to use only SOCKS4a or SOCKS5 with remote hostname resolution." ??
Thank you
I wanted to congratulate the
I wanted to congratulate the team again for closing the window between Firefox releases and TBB releases. I believe this has a real, positive impact on user security and comfort with TBB, and I appreciate the work it's taken to orchestrate everything to make this possible.
here, here
here, here
"Tor Circuit use and
"Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name."
Updated from 4.0.x. This doesn't work. Worse, I used to fix it with a new circuit using Vidalia. Now that doesn't work either.
Can it be disabled?
"Tor Circuit use and
"Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name."
Isn't that like .com and .org?
More like .torproject.org
More like .torproject.org .torproject.co.uk which is why we used "base domain" and in included "(top-level)" implying that there are no subdomains involved anymore.
What is an "unsigned build"?
What is an "unsigned build"? Your sha256sums are incorrect.
"unsigned build" means that
"unsigned build" means that the SHA 256 sums are taken before the .exe files got signed with the help on an authenticcode certificate which changes the SHA 256 sum. To have the hash sums from the unsigned build is important for the advanced verification of Tor Browser. See: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…
Your sha256sums are
Your sha256sums are incorrect.
Some file hosting sites are
Some file hosting sites are still unable to use. Is there a way to fix?
Do you have an example (URL)?
Do you have an example (URL)?
1. What is the latest
1. What is the latest stable Tor version?
2. Is the website tor standalone for windows up to date?
3. Why would the tor included in windows browser downloads be a newer version ever then the stand alone offered?
4. Why does the windows stand alone use Libevent 2.0.21-stable when .22 is available?
5. For security best practices, why are there so many different webpages, with inconsitant changelogs, varying from OS to OS, using confusing to the masses unix style presentation?
6. Why discontinue vidalia without a replacement? Isnt bringing tor to the attention of the masses a good thing? Where is the windows ease and understanding?
you guys do some VERY good things, but then you do some VERY dumb things. Every month you should approach your project as if a complete outsider! How does it appear/function communicate/empower someone with no knowledge whatsoever. etc. Clear concise transperentcy, with expected routine standardize practices would do you so well!
Instead we have different keys signing, different amounts of info released depending on whom does it, a mailing list from 1994 AOL, etc. I know this sounds like a rant, but THANK GOD for the tor blog. at least theere is some kind of modern interaction with the people.
tor blog (here) is OK,
tor blog (here) is OK, except I must enable images to see text. To repair this, I could import a stylesheet in usercontent.css, but it seems easier is to make blog.torproject.org readable with images disabled.
really,this is a minor complaint, but also very easily fixed.
and thanks for tor, tbb, and the necessary backing projects.
As for 5. here you can find
As for 5. here you can find the reason:
https://tor.stackexchange.com/questions/1075/what-happened-to-vidalia
https://trac.torproject.org/projects/tor/wiki/doc/TorBrowserBundle3FAQ#…
The short answer is: Tor Browser Button (TBB) replaced Vidalia (and it's features), because Vidalia because has no active developer who is working on it and it's source is some years old.
And as you can see at the first link there is also another way where you can get information about Tor - Tor stackexchange.
i get failure from drain FD,
i get failure from drain FD, with latest tor, any ideas? it seems to work ok, but sometimes i get massive numbers of them, supressing 7200 in last etc.. ....
I get this error too. Jun 13
I get this error too.
Jun 13 11:29:24.000 [notice] Self-testing indicates your DirPort is reachable from the outside. Excellent.
Jun 13 11:29:24.000 [warn] Failure from drain_fd
Jun 13 11:29:24.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jun 13 11:29:28.000 [notice] Performing bandwidth self-test...done.
Jun 13 17:29:23.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 2 circuits open. I've sent 3.30 MB and received 9.70 MB.
Jun 13 17:29:23.000 [notice] Average packaged cell fullness: 98.818%. TLS write overhead: 21%
Jun 13 17:29:23.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 4/4 NTor.
Jun 13 17:29:23.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 0 v3 connections, and 23 v4 connections; and received 0 v1 connections, 12 v2 connections, 30 v3 connections, and 499 v4 connections.
Jun 13 18:08:58.000 [warn] Failure from drain_fd [3 similar message(s) suppressed in last 7200 seconds]
Jun 13 20:10:36.000 [warn] Failure from drain_fd [10 similar message(s) suppressed in last 7200 seconds]
Jun 13 22:15:03.000 [warn] Failure from drain_fd [12 similar message(s) suppressed in last 7200 seconds]
The problems with Google
The problems with Google recaptcha system still continue.
It is important to remember that Google has changed the old text verification system to a images verification system. Now the images of recaptcha system are not displayed via the TOR browser and apparently this is a unique Tor browser problem.
Even completely disabling HTTPS Everywhere and Noscript extensions to leave it as close to the Firefox the problem still occurs.
Please take a close look at this because Google recaptcha is used in many many sites.
I am having the same problem
I am having the same problem with Google's new multi-image reCAPTHCA puzzles that have replaced the old "twisted and distorted letters," making it impossible for me to access a number of websites using Tor Browser. The images necessary to solve the puzzle are not displayed. I can confirm that the problem is NOT solved by disabling plugins (HTTPS-Everywhere, NoScript) and/or enabling third-party cookies (but even if these steps did solve the problem, it wouldn't be a good thing).
The select-images reCAPTCHA
The select-images reCAPTCHA is rolling out across every site on the web. I am now locked-out from every site I want to use. I can only use Firefox which has no privacy at all.
I can confirm it doesn't work even when you disable the add-ons. I can select the images. But I can't see the images I am selecting.
Is this a problem with Tor using different circuit for images and main reCAPTCHA frame?
Is Google doing deliberately to damage anonymity?
Maybe disconnect.me gives
Maybe disconnect.me gives good search results, but it do not have proxy service as startpage.com does. The latter provides an alternative link for each search result. If the destination server requires a captcha for Tor users, one can follow the link to proxy request and avoid the captcha. This is frequent situation.
I noticed this too. I use
I noticed this too.
I use the ixquick/startpage proxy to avoid captcha and access sites that block tor exit relays hundreds of times per day. I find it very useful.
US$.02
I use it all the time. Many
I use it all the time. Many sites block Tor completely with no captcha.
Being in Europe I can trust StartPage more than Disconnect.me.
There is a bug in Tor browser home page. When I change my search engine in the drop-down to StartPage. I can search in the search box on the "congratulations" page and uses disconnect.me. If I open a new tab and search in the box on the blank tab, it uses my choice StartPage.
Sounds like a great thing to
Sounds like a great thing to open a ticket about (https://bugs.torproject.org/)
There seems to be a problem
There seems to be a problem with 4.5.1 and Chatzilla, socket problem
Could you be a bit more
Could you be a bit more specific? Filing a bug at https://bugs.torproject.org might be a good idea as well.
"We also have temporarily
"We also have temporarily disabled the NoScript ClearClick clickjacking protection, as it was experiencing false positives due to changes in Tor Browser that cause errors in NoScript's evaluation of the content window. These issues were most commonly experienced with ReCaptcha captcha input, but occurred elsewhere as well."
If the problem is false positives, is there any harm in a user enabling ClearClick protection? I'd rather be safe than sorry, so false positives are fine with me as long as Tor + NoScript catch 100% of true positives.
But I'm not a technical person, so I'd greatly appeciate a simplified explanation if enabling ClearClick protection is not advised.
Thank you for your hard work!
for a few seconds, I had an
for a few seconds, I had an idea that instead of temporarily disabling, add temporary note to clearclick option. but users wouldn't know to look in clearclick option when they experienced the unpredicted new (temporary) behavior caused by clearclick complication.
bah.
I don't know if the problem
I don't know if the problem lies with TorBrowser or Chatzilla, but since the update, I get a "error creating socket" message when launching Chatzilla.
You can try editing
You can try editing torrc-defaults and adding a new SocksPort as such:
SocksPort 8150 NoIsolateSOCKSAuth
Then edit the proxy settings in Chatzilla to use Socks port 8150. The 'NoIsolateSOCKSAuth' means no username and password is required in Chatzilla's proxy settings.
torrc-defaults is located at 'tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults'
I have OPs problem; "error
I have OPs problem; "error creating socket".
I've added SocksPort 8150 NoIsolateSOCKSAuth below SocksPort 9150.
What do i put in Chatzilla >> Preferences >> Global Settings >> Proxy Type: ?
Neither of http://chatzilla.hacksrus.com/faq/#proxy settins works, where can I chose the new port?
Thx so far!
I downloaded the new Tor
I downloaded the new Tor browser bundle 4.5.1. It put a new shortcut icon on my desktop when it hadn't before on previous updates. It's just a globe (slightly larger than the older icon) instead of the previous globe inside a folder icon. Before I would have to click open the older folder icon, then click the globe to start running Tor. Can I delete the older shortcut icon which was a globe inside a folder icon?
Updated yesterday to
Updated yesterday to 4.5.1
Now I cannot use youtube videos.
Tried global allow noscript, still would not work. I managed to get one youtube video to play that was embedded on another site by clicking in the blank area and receiving a message from noscript and temporarily allowing what it asked.
Am I doing something wrong, or is youtube now completely blocked by torbrowser >4.5.1?
You have to set security to
You have to set security to low; youtube doesn't seem to like the video & audio click to play feature.
I'm using Tails and don't
I'm using Tails and don't understand something:
https://blog.torproject.org/blog/tails-14-out
"In Tor Browser 4.5, all such content, from the main website as well as the third-party websites, goes through the same Tor circuits."
"Tor Browser 4.5 now keeps using the same Tor circuit while you are visiting a website."
Tails1.4 is using TBB4.5.1.
https://blog.torproject.org/blog/tor-browser-451-released
"Isolate by base (top-level) domain name instead of FQDN"
While browsing, i have 2 circuits or more in same time for same domain.
Circuits are changing periodically like? all TBBs before.
TBB 4.5.1 -in Tails- seems
TBB 4.5.1 -in Tails- seems to have a lot of circuit changing with Javascript ON; with not allowed in NoScript, too?
Why 2 circuits on blog.torproject.org, too? Cookies?.
"New identity" a little bit delayed? ~1/2 second
No automatic update for
No automatic update for 4.5.1 on Win 32.
You have to download the whole 34 mb package then delete old ver and install the new.
In your
In your https://dist.torproject.org/torbrowser/4.5.1/ site, there is no sha256sums.txt listed. There is, however, a file named
sha256-unsigned-build.txt. In it, the checksum listed for torbrowser-install-4.5.1_en-US.exe does not match the checksum you get
you run sha256sum.exe on the torbrowser-install-4.5.1_en-US.exe download.
W.T.F.?!?
See:
See: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…
Is it safe to use a VPN then
Is it safe to use a VPN then run TOR?
I would like to know the
I would like to know the official answer to this too. If you watch some of the videos from "The Grugq", he says NO it isn't. He said Tor over VPN = go to jail, use Tor to a VPN. I am not sure how to do that and doubt you could use the Tor Browser Bundle in this way. It seems very complicated and a lot of users do not understand all this. All VPNs keep logs, no matter what they claim and we now know VPN traffic is recorded by GCHQ in the UK and NSA is the USA.
It probably depends what you are doing, but if any of the experts can give us an answer it would be good. We are all here to learn and we all had to start somewhere!
The file
The file sha256sums-unsigned-build.incrementals.txt from https://dist.torproject.org/torbrowser/4.5.1/ contains SHA256 a0627fa49687142a8d2b21efd32b60fc334948528845a48721de8a6e988d6c60 but when downloading the file the SHA256 is bf4f0141752aac07a0a6a76ad9e237e5be24d238c35ac4694df62b0493707702 for file tor-browser-win32-4.5-4.5.1_en-US.incremental.mar
What is wrong?
Hey, me too. Great question.
Hey, me too. Great question. I'll point the TB folks to this one.
[Edit: Ah, I wonder it has to do with this:
https://blog.torproject.org/blog/tor-browser-45-released#Security -- the windows packages are now signed the Windows way too, which modifies them from the original build.]
[Edit later: Here is your answer: https://trac.torproject.org/projects/tor/ticket/15864 ]
https://www.torproject.org/do
https://www.torproject.org/docs/verifying-signatures.html.en#MARVerific… explains things.
Thanks to TBB developers for
Thanks to TBB developers for the long-awaited security slider! Still testing it.
What is the latest advice on whether or not to choose the "disable all scripts (recommended)" option in NoScript?
Don't use that one. If you
Don't use that one. If you really want to disable all scripts set the security slider to "High".
Since TBB 4.5.1 update, Tor
Since TBB 4.5.1 update, Tor remains disabled (on TorButton) and can't find a way to enable it, main TBB page says it is configured to use tor, but can't connect to onion sites.
I'm using Privoxy chained with TBB, on previous versions didn't had any issues with that.
I am having the same issue.
I am having the same issue. Has anyone solved this ?
How do you enable and
How do you enable and disable the circuit display on Torbutton?
By flipping
By flipping "extensions.torbutton.display_circuit" in about:config.
Hey, after I installed the
Hey, after I installed the update, I got a runtime error trying to open tor.
It says:
Microsoft Visual C++ Runtime Library
Runtime Error
Program: C:/ Users/Admin/Desktop/TorBrowser/Browser/TorBrowser/Tor/tor.exe
This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.
Any ideas? I'm not so good with technical jargon. All I know is that the browser worked before the update, but now it doesn't.
I am having the exact same
I am having the exact same issue. Even tried reinstalling Visual C++ runtime library, tried the experimental version, even tried reverting to 4.5, not working. Empty log too.
Any ideas are appreciated... I was running fine through many updates until this happened.
I'm having the same issue
I'm having the same issue here, I'm on WIn7 64x
Try deleting the directory
Try deleting the directory where the Tor browser is located then reinstall.
Something changed. Not sure
Something changed. Not sure what, and I had to redo my Debian config, using TBB as my default-for-everything browser. I note with immense approbation that the *start-tor-browser* script now passes along all user-supplied command-line arguments to *firefox*, including --allow-remote. This allows me to decommit my own cobbled-together script, which I'm calling progress.
In grateful return and in humble support of herd immunity from surveillance, I've decided not to maximize my browser window, anymore.
Is it safe to allow saving
Is it safe to allow saving of web history in TBB or no?
That depends on your threat
That depends on your threat model. If someone gets access to your computer and goes through your browsing history, then no.
I noticed some changes in
I noticed some changes in the start-tor-browser script (new options supported) and a brand new file: start-tor-browser.desktop, but neither of these are mentioned in the changelog, or on the blog.
In the future, please provide some documentation when you make changes to such important files!
If other users are interested, you can find some info in the following tickets:
https://trac.torproject.org/projects/tor/ticket/13375
https://trac.torproject.org/projects/tor/ticket/15747
(and probably some other tickets?)
I also noticed the startup script doesn't log messages to the terminal window anymore, which was the default behaviour (and useful); can you please document a way to get that back working?
>I also noticed the startup
>I also noticed the startup script doesn't log messages to the terminal window anymore
Type this in the terminal window :
./start-tor-browser.desktop --verbose
or
./start-tor-browser.desktop --help
i have several problems
i have several problems since the update. websites does not load, the new search field does not show any result.
connection seems to timeout, "new identity" solve this
but before i did not have such problem
on my linux vm, these problems are not happening
Comodo Firewall: firefox.exe
Comodo Firewall: firefox.exe could not be recognized and it is about to modify the protected registry key HKUS\Software\Microsoft\CurrentVersion\Internet Settings\ProxyEnable. You must be sure firefox.exe is a safe application before allowing this request.
Starting from version 4.5.1,
Starting from version 4.5.1, I can't chain Tor with Privoxy, I have configured Privoxy config file to forward socks5t and in TorbButton's network preferences have configured properly the socks proxy to use (127.0.0.1:9150).
In the browsers network options whenever I configure the HTTP proxy for (127.0.0.1:8118 -Privoxy's listen port), Tor gets disabled on the browser (TorButton marked with a red cross), and can't make any connections (http, https or onion).
On previous version I used (4.0.8), I was able to configure the HTTP/HTTPS proxy for Privoxy, but not on this version.
Can anyone give advice as how can I accomplish this? Thanks in advance.
Maybe your Privoxy problem
Maybe your Privoxy problem has something to do with The Tor Browser (TBB) isolating Tor circuits based on the Top Level Domain Name your trying to visit. Tor's Socks port 9150 accomplishes this isolation using a unique proxy username/passwords for each Top Level Domain Name (I believe).
Try creating a new Socks port that doesn't require a username/password. Seeing as your proxy chaining Tor through Privoxy, chances are you're not going to be able to take advantage of Tor's new Top Level Domain Name circuit isolation feature anyway.
Instructions on how to create a new Tor Socks Port that doesn't require a username/password:
1. Go to 'tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults'
2. Open 'torrc-defaults' file
3. Add the below text to 'torrc-defaults' file
SocksPort 8150 NoIsolateSOCKSAuth
4. Then edit the privoxy settings to point to 8150 instead of 9150.
The 'NoIsolateSOCKSAuth' means no username and password is required to connect to Tor Socks Port 8150.
Bump
Bump
This version of the Tor
This version of the Tor Browser for GNU/Linux does not allow the connection to proceed when you use obfs3 bridges. It displays an error as if the bridges did not work even if you use perfectly valid bridges.
Why do I sometimes get 2
Why do I sometimes get 2 different guard (first IP of tor circuit). Example I get a guard from US and from 5 open tabs then suddenly 1 of them will change to a Russian guard. But when I restart the browser or start a new circuit on that tab it will return to US. It's really weird this didn't happen in previous version.
Hi. TB 4.5.1 user here. I
Hi. TB 4.5.1 user here.
I used to switch “javascript.enabled” to “false” before. With the new security slider I've noticed that even the highest security setting leaves this preference in its default “true”. Granted, javascript is blocked (through noscript?) but PDF.js is fully capable of loading as far as I can see. Should it be accepted that the browser loads complex files in js if the user has opted for the highest security setting?
As always, great work.
Yes, JavaScript gets blocked
Yes, JavaScript gets blocked via NoScript. The whole browser UI is written using JavaScript and XUL you can't disable that as you won't have a browser then. With respect to PDF.js, yes, we could think about disabling PDF.js in the highest setting although it is by far not as risky as using Adobe's product.
Sorry for the noob question
Sorry for the noob question in advance..
Have tbb 4.51 updated from 4.08 under debian wheezy
I have tried to login to a googlemail (web) account from tor
ok, ok, not a great idea in general, but this google account is a throwaway one with no traces to me
In the login screen gmail came up with some complications, simply said, gmail didn'T 'believe' me to be the real allowed user
I killed that browser, hadn't even logged in.
Later I logged in from another PC at a friend (no TOR) and in the inbox there was a mail from google ala "linux station tried to login into your account"
I think, I triggered an event, as I usually work somewhere in middler europe and the login came from a tor exit node in asia or elsewhere.
So why can googlemail be aware of the fact that I'm running a linux machine? I Thought that tor browser is masked as one of the zillions of windows 7 browsers?
Thanks
Try visiting
Try visiting https://panopticlick.eff.org/ . Run the test while using Tor. It should show you the "User Agent" (Browser ID) being displayed to the website.
I'm also on Linux, and this is my Tor Browser User Agent.
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
the test at that location
the test at that location NOW gives a
User Agent
6.6
37.32
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
so it should be some windwos sort.
I'll have a look at that mail from google support and give more info if I can provide useful info from that.
thanks!
Another option is that they
Another option is that they fingerprinted the exit relay that your traffic came from.
thanks to you and the other
thanks to you and the other helpful user.
the browser test gave win ...nt (see above)
your idea is very likely.
gmail sent a second mail with some more specific info, in short:
### 1st email:
Hi john,
Your Google Account john@gmail.com was just used to sign in on Linux.
john doe
john@gmail.com
Linux
Friday, May 15, 2015 xxxx PM (Central European Summer Time)
### 2nd email:
We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:
Saturday, May 16, x:xx PM GMT
IP Address: 188.138.1.229 (ncc-1701-a.tor-exit.network)
Location: Unknown
-->nothing happened, but I have to memorize new pw, gmail forced me to choose a new one.
thanks
Some issues here. Tor
Some issues here.
Tor browser is useless if don't work with google recaptcha.
Actually there are thousands of websites using recaptcha
This issue is not confined
This issue is not confined to Tor. Actually, the current problem with google recaptcha happens with non Tor traffic as well. It used to work okay until a few days ago. If you typed the two words correctly it would validate, and you could have Javascript disabled. Now, with Javascript Disabled, even if you type the two words correctly letter by letter it does not recognize them. Google should fix things so that we could use recaptcha with Javascript disabled. I hope this is not an attempt to exploit a vector attack by enabling people to enable Javascript.
Bridges and PT_MISSING Tor
Bridges and PT_MISSING
Tor 4.5.1 for GNU/Linux can't connect to any bridges. Working obfs3 bridges, which work perfectly if you use them with the previous Tor version or with Tails, do not work with Tor 4.5.1. The default bridges provided do not work either. Could you fix this?
[warn] We were supposed to connect to bridge 'x.x.x.x:x' using pluggable transport 'obfs3', but we can't find a pluggable transport proxy supporting 'obfs3'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
[warn] Problem bootstrapping. Stuck at %: Connecting to directory server. (Can't connect to bridge; PT_MISSING;
I would like to ask a
I would like to ask a question about Tor Exit Nodes and the end user. I always thought that all traffic between the Exit Node and a User was encrypted. I now know it is if you use a HTTPS site, but not if you use a normal site. It appears everything can be monitored by your ISP. I only know as UK police requested records from my ISP when I was accused falsely of something. That matter was dropped, but it exposed what people can see and what ISPs are also recording!
Are there any plans for the future to try and incorporate a system to encrypt traffic between the Exit Node and End User?
I do realise it's probably a hugely complex task.
Traffic is indeed encrypted
Traffic is indeed encrypted between the user and the exit relay.
You might enjoy
https://svn.torproject.org/svn/projects/articles/circumvention-features…
and then playing with
https://www.eff.org/pages/tor-and-https
I'm not the man of
I'm not the man of knowledge, but I had trouble with a website that shall stay incognito here. with 4.18 and earlier no probs, with tbb live update from 4.18 to 4.51 on debian Linux that led to recaptchas thrown at me in the login phase after supplying pw and username.correctly.
Setting noscript to allow_all didn't change anything
Disabling noscript in tb - tools - addons cured the plague (login without recaptcha)
But that wasn't completely satisfying.
I started to 'play with various options inside the noscript 'options' complex and it was the advanced - https - cookies tab
enabled (after update) -- trouble
disabled manually -- > all fine
hth
another anon here: I've come
another anon here:
I've come across websites where this alarm pops up:
this website (...) attempted to extract html5 canvas image data
which may be used to uniquely identify your computer
should tor browser allow this website to extract html5 canvas image data?
# not now
# never for the future (recommended)
# allow in the future
not now isn't a miracle, but never and always don't work for me,
at every new login to the site (with pc off between it or tb closed) the old question
or is never/always meant for the actual browser session?
tia
It is meant for the actual
It is meant for the actual browser session.
Thanks for your info! I'd
Thanks for your info!
I'd propose to rename the options to
# never in this session (rec'd)
# always in this session
Opening TBB on Tails is
Opening TBB on Tails is distinguishable?
New TBB4.5.1 opens at least 2 different circuits(you-as-as-as-URL) or more. check.torproject.org is opening 1 circuit -with 2 connections- only.
Trying to use Tails 1.4 with
Trying to use Tails 1.4 with some obs4 bridges, but can't get them to work. I suspect my LAN router is blocking the outbound connections. If that sounds plausible, could someone explain what outbound ports I might need to block? Or should it work if I allow outbound 443?
Great software. But where
Great software. But where is the option to show the "Tor circuit for this site" in 4.5.1?
Click on the green onion
Click on the green onion next to the URL bar (on the left side). Then it should show up if you surf to a non-local website.
Thanks for your reply.
Thanks for your reply. Sometimes the "Tor circuit for this site" information will not show next to the Onion drop down list. This happens intermittently. Could this be a bug?
Yes. If you have steps to
Yes. If you have steps to reproduce that behavior we'd really love to hear them.
When left-clicking on the
When left-clicking on the green onion button the Tor circuit information *sometimes* does not show (even though I am successfully connected to an external site in the current tab). It can be difficult to reproduce, but the issue does happen quite often. I am using Windows XP Home SP 3.
> The most notable change is
> The most notable change is that we have slightly relaxed the first party isolation privacy property, due to issues encountered on several file hosting sites as well as other sites that host content on multiple subdomains. Tor Circuit use and tracking identifiers are now all isolated to the base (top-level) domain only, as opposed to the full domain name.
What if some sites host contents on multiple domains instead of subdomain, you reject per-domain isolation at all? On the other hand, each user of many social networks, like livejournal.com etc, has theirs own subdomain (user.livejournal.com), so observer can track and profile Tor clients by their graphs of social links. You can make this default behaviour, but there should be an option to switch so that stream isolation would be provided to domains of any level.
> This change is also consistent with the browser URL bar - isolation is now performed based on the bold portion of the website address in the URL bar.
This argument is inconsistent and ridiculous.
No, we don't reject per
No, we don't reject per domain isolation. In the livejournal (or wordpress, or...) case there is already the problem that the user can get tracked by the host with the help of cookies. So, there is not much win to isolate to user.livejournal.com while we would break quite some things following this path.
Each subdomain has its own
Each subdomain has its own cookies which are not accessible by others. For example, domain user2.livejournal.com can not access cookies of user.livejournal.com, and vice versa. If one comments journals on different subdomains anonymously, all their activity can be profiled as belonging to the same person, so anonymity degradates to pseudonymity.
While I'm at school (not
While I'm at school (not circumvention), I use Tor on my own personal laptop and have setup a firewall to only allow Tor traffic. Now that MacBooks are exploding in education, there's a *lot* of account that we have to make, or that are assigned to us, and, pretty typical of school systems, they don't take security into consideration at all, so most of these websites that we have to sign in to don't have SSL on any webpages, including the login transmissions. Because my goal isn't to hide from mass surveillance, in this specific scenario (especially since I have to *login* to things, defeating the purpose of hiding from mass surveillance), I decided to setup the Tor browser with a configuration similar to the system installed Tor instructions in the start-tor-browser Linux script. I would make the Tor Browser not start a background instance of Tor, and then I'd make Firefox use a SOCKS port from an SSH tunnel to route insecure website traffic back home, so Tor exit nodes couldn't capture my password and abuse my accounts. This has been working perfectly for me (aside from history being kept, since I didn't disable the control port checks and such, at the time). I have attempted the same setup with Tor Browser 4.5.1, and I have discovered that it will only connect to SOCKS ports that Tor instances (such as my real system installed Tor instance, that I use for another Tor browser) have kept open. When I, instead, connect that port to my SSH SOCKS tunnel, it acts like the website doesn't exist, and if I disable the SOCKS setting entirely, as if I was setting up transparent Torrification, Firefox says, "Unable to find the proxy server" despite having disabled all proxy settings, even the now-hidden ones in the Tor Button and Launcher with about:config.
Is there a new SOCKS connection test to see if the port is hosted by a Tor instance, and if so, how can I disable it for the purpose of transparent Torrification/other proxies? I don't want to have to remove/disable the Tor Button (because that fixes the proxy problem), because doing so would remove a bunch of features, and more importantly, it breaks about:addons with some XML error about "block-disable-button" or something similar to that.
https://weakdh.org/ Warning!
https://weakdh.org/
Warning! Your web browser is vulnerable to Logjam and can be tricked into using weak encryption. You should update your browser.
Logjam attack workaround you
Logjam attack workaround
you could edit some ssl3 settings in the about:config
http://forums.mozillazine.org/viewtopic.php?f=38&t=2935955
Maybe some sites won't work till a fix is present
I'm actually running into
I'm actually running into problems just starting TBB. I updated to 4.5.1 on a windows XP computer, but when Tor tries to connect to a relay it just closes and fails to load. I have to manually Ctl-Alt-Del to shut down Tor and Firefox in order to try again. The logfile has "creating log file" twice, then nothing.
https://dhe512.zmap.io/
https://dhe512.zmap.io/
yeah 'Technical Details
yeah 'Technical Details Connection Encrypted' is visible again(-:
Especially cause of govshit like LogJam. Hardware/Firmware you cant trust is evil enough.
Last comment for the
Last comment for the disconnect search add-on on on mozillas add-on pages does not sound good.
https://addons.mozilla.org/en-us/firefox/addon/disconnect-search/review…
>This plugin should enhance security, but in fact is doing quite opposite.
Disconnect-search is regularly uploading plugin settings and usage data, along with unique user ID, browser Agent string and IP address not only to the developers website, but to third parties as well (amazon servers of unknown account and adobe stats servers).
That is confirmed in the discussion about a different bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1166692#c1
Good find, Startpage ;) Does
Good find, Startpage ;)
Does the privacy policy at their web search site also apply to their search add-on?
ref: https://disconnect.me/privacy
Hi, anyone can explain why
Hi,
anyone can explain why Google CAPTCHAS -on google search- with TBB4.5.1 isn't working?
Recently the "why ....." on google search CAPTCHAS needs javascript......*F$%$*
Necessary?Really?
Here's something that Tor
Here's something that Tor users may find interesting: I tested www.torproject.org encryption strength on Qualys SSL Labs and it awarded this website an A.
The highest score that Qualys SSl Labs will give is an A+.
i downloaded tor and it's
i downloaded tor and it's signature from "https://www.torservers.net/mirrors/torproject.org/" ( as u can guess why ) and when i tried to check it with gpg4win i get the following massage "NO PUBLIC KEY FOUND" why i get this massage ? do i do something wrong or maybe there is something wrong with mirror site? pls help me i am new to all this, what i type in cmd is as below:
gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x63FEE659
gpg --fingerprint 0x63FEE659
gpg --verify torbrowser-install-4.5.1_en-US.exe.asc torbrowser-install-4.5.1_en-US.exe
i also tried this bcs i thought Erinn Clark no longer sign bundles but i got same answer
gpg --keyserver x-hkp://pgp.mit.edu --recv-keys 0x0E3A92E4
gpg --fingerprint 0x0E3A92E4
gpg --verify torbrowser-install-4.5.1_en-US.exe.asc torbrowser-install-4.5.1_en-US.exe
$ gpg --verify
Great software overall and
Great software overall and highly recommended. Just a little bug I noticed and wanted to share with you. The bottom strip of the Tor Browser window does not render correctly, showing through the desktop contents underneath. I am using Windows XP Home SP 3.
"tor circuit for this site"
"tor circuit for this site" in the tbb is a great feature, simple and informative.
well done
no-java Anon
What's the difference
What's the difference between the "New identity" and "New Tor Circuit for this site" option?
Bug with Wordpress 4.2
Bug with Wordpress 4.2 ?
There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2 code.
It seems to trigger the Torbrowser warning on code that seems to have something to do with emoticon functionality using canvas code.
Example website : https://wordpress.org/news/2015/05/wordpress-4-2-2/
Could it be that this is not correct warning behavior?
Or is it? Why?
Hi. I have already installed
Hi. I have already installed several Tor Browser releases without any problem. But I downloaded torbrowser-install-4.5.1_en-US.exe (Windows XP) and when I double-click on it nothing happens. No error messages, no window, nothing. I have also tried with the french version. Same thing.
Can anyone help me ?
I have the same problem too,
I have the same problem too, windows vista!
Hello, Finally I bypassed
Hello,
Finally I bypassed the problem by launching the installation program directly within a CMD window.
Hope it will help you.
Bye
(2nd time question attempt
(2nd time question attempt for a relevant question)
Canvas Warning Bug with Wordpress 4.2 sites?
There seems to be a general problem with the Canvas fingerprinting warning on websites that have implemented the new Wordpress april version 4.2(.2) code.
It seems to trigger the Tor Browser Canvas warning on some Wordpresscode that seems to have something to do with emoticon functionality using canvas functionality.
See for example this webpage : https://Wordpress.org/news/2015/05/Wordpress-4-2-2/
While there apparently already for some time has been a discussion going on in the Wordpress community, nobody (?) seems to have asked Torproject about it's point of view in this matter (to be sure).
https://reflets.info/wordpress-4-2-tor-browsers-and-canvas-privacy-warn…
https://wordpress.org/support/topic/42-admin-canvas-tracking?replies=10
https://core.trac.wordpress.org/ticket/32138
I, and probably a lot of other Tor Browser users and/or website owners too, am still curious if the Warning of Tor Browser on Wordpress 4.2 (and later) sites is legitimate in these cases or that it is a possible bug/technical false positive.
An answer from Torproject would help at least to clear that out because there are quite some Wordpress sites out there.
Does anybody have an answer regarding this issue?
(this is happening with Tor Browsers 4.5.1 and the beta 5 version as well)
I have the same problem than
I have the same problem than the posted on
On May 15th, 2015
would someone convey to me how the solution is ? , also thanks in advance
Problem on windows 7.0 prof
Starting from version 4.5.1, I can't chain Tor with Privoxy, I have
configured Privoxy config file to forward socks5t and in TorbButton's
network preferences have configured properly the socks proxy to use (127.0.0.1:9150).
In the browsers network options whenever I configure the HTTP proxy for (127.0.0.1:8118 -Privoxy's listen port),
Tor gets disabled on the browser (TorButton marked with a red cross), and can't make any connections (http, https or onion).
On previous version I used (4.0.8), I was able to configure the HTTP/HTTPS proxy for Privoxy, but not on this version.
Can anyone give advice as how can I accomplish this? Thanks in advance