Tor Browser 6.0.8 released

Tor Browser 6.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Besides updating Firefox to 45.6.0esr which is fixing important security bugs we ship the latest Tor stable version, HTTPS-Everywhere is updated as well (to 5.2.8) and we make improvements to our default obfs4 bridges.

Here is the full changelog since 6.0.7:

  • All Platforms
    • Update Firefox to 45.6.0esr
    • Update Tor to
    • Update Torbutton to
    • Update HTTPS-Everywhere to 5.2.8
    • Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
    • Bug 20837: Activate iat-mode for certain obfs4 bridges
    • Bug 20838: Uncomment NX01 default obfs4 bridge
    • Bug 20840: Rotate ports a third time for default obfs4 bridges

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

I'm still waiting for that "Resize Tor Browser to default size" feature, anyway great work guys!

Adding to that, if I mistakenly double-click on a youtube video... poof! I go to fullscreen mode.
I suppose this reveals my screen resolution?
If so, it would be nice to block the feature.

Maybe in the security slider itself? Maybe even a "no possible way to change the resolution" option in the high security slider?

"High" disables JavaScript, so at that point the screen resolution is irrelevant anyway; locking it would be counterproductive.

youtube is not javascript free, so using savedeo to download video for watching

Because I can do anything, It would be nothing for me to make youtube javascript free, not ensavefromnet

One can get the window resolution using only CSS

Interesting. Can it be done in a way that it can be communicated back to the server? Do you have a link to a proof of concept or more information?

> Interesting. Can it be done in a way that it can be communicated back to the server? Do you have a link to a proof of concept or more information?


See it in action here:

Thanks for the links! I wasn't aware of the @media (anti-)feature. It sounds like CSS is well on its way to becoming just as dangerous (at least in terms of fingerprinting) as JavaScript. Thanks also to the poster of the later reply for the link!

I hope the developers can work out a solution, assuming there is one. Does the X11 or Wayland API support any way of permanently locking a normal window's size? Is there any way for this to work properly under a non-floating window manager, e.g. tiling? Is the resolution affected by themes/skins (at the GTK+ level, I guess) that could alter the size of the UI components, or are we just talking about the size of the rendering pane itself (excluding the title/status/tab/address/search bars)? What if the default window size is too large to fit on the screen?

Furthermore, how many other attack vectors like this are out there? Would it be safer in the long run to disable @media and fall back to the simple old-fashioned rules (at least for a given notch on the security slider)?

How does this affect mobile devices, where the window resolution can't really be changed? in realtime


Unencrypted http= no way to authenticate via SSL/TLS cert= putting users at risk (tampering by malicious exit nodes, compromised host server of site, etc.)

Doesn't this make "" suspicious?

This feature is not only on tor everytime you doubleclick on a video on youtube it'll automatically go to fullscreen mode

it keeps saying "something went wrong, tor is not working in this browser how do i fix this problem?

Forcing constant updates on users is a tyranny of the majority. TOR needs to allow for an opt out of updates. A constant harassing flashing triangle is abuse. Offer an unobtrusive way of opting out of updates.

Alas, this won't happen anytime soon. Stop wanting to use a web browser, and then we'll be able to talk. Until then, you need your browser updates, and it's irresponsible of us to let you be on the Internet without them.

I also liked notification saying that resizing window size might deanonymize user with option to Restore back to Default Size. I think that is valuable information to inexperienced users.

I am not sure if that notification only shows once, or did I somehow close it in a way it doesn't pop back on, and I cant find where in options I could turn it back on.

I miss Restore back to original resolution button, without need to restart browser, since restarting browser closes tor service too and kills other connections via tor network in some cases.

Maybe include that button in Tor button or Menu, or make notification persistent, or at least reset "do not show anymore" for each new browser session.

RaspBerry PI configured to be a Tor router is much better than Tor Browser.

This make you immune from Firefox exploit, you can use Chrome and Adobe flash player, run malware under Tor in VM too. is this, is cheap only $50.

No, this is likely terrible advice -- first because Flash will screw you, and second because routing all your traffic into Tor can mess up your privacy.

For more details, you should read
and then

The right thing to do if you have a separate box for routing your traffic is to set it up to *drop* all traffic that isn't going through Tor properly, and then only correctly configured applications can reach the network at all.

The "here's a magic anonymity box, now you don't have to change any of your behavior and you're magically safe!" model is super dangerous. Be careful out there!

For a scenario where everything on the machine needs to stay anonymous.. you would say what I wrote is not better than Tor Browser?

Also.. this setup makes so even Flash uses Tor.. connection to internet without Tor is impossible.

UDP traffic simply dont work on my laptop.

If you send personally identifiable information out to the internet, just using Tor won't help you in the slightest.
Tor Browser isn't simply "a browser that uses Tor". It was designed in such a way to limit the amount of fingerprintable information that can be used to identify you (or, more specifically: your browser and system).
If you send out an information saying "My name is X" it doesn't matter what channel it travels through. What matters is it reveals who you are to anyone on the other side of that channel.
This is Tor 101.

Also it has different circuits for each website, which is impossible (anyone to confirm?) to achieve using that Anonabox.

This is wrong. The circuit isolation is triggered by the browser using a different socks username/password for different circuits. This works with a Tor running on a different box.

> For a scenario where everything on the machine needs to stay anonymous.. you would say what I wrote is not better than Tor Browser?

If you want all of your machine to stay anonymous then use: Tails (live system), Qubes OS with Whonix, or Subgraph OS.

Many thanks arma, for this informed answer.
Plus RPi is far from being free hardware.

Raspberry pi is not free but a better solution than forced to buy an expensive computer you cannot afford, just because some people dropped 32 bit support for a browser.
So a working anonymous browsing system on a raspberry pi or lookalike would be a good alternative solution for people that do not live in the great and rich western world.

I use faster Penryn (second generation laptop C2D) with 4gb pc2-6400. i have a heavy firewall running. Craigslist price is about $60 in large urban area. Less if beat up with weak battery.
T400 for less than $80.

XFCE Linux might run TBB faster.
TBB might run OK on faster Merom (first generation laptop C2D) with 3gb. (Latitude D830 or D630 with weak battery, $40 in large urban location)
Thinkpad T61 probably costs a little more.

An early Windows 7 AMD is probably as good.

If you want large display, then buy Conroe C2D such as Optiplex

TBB needs more power than regular Firefox, which runs OK on weak Yonah.

There are still some interesting use cases, if I want to route all my TV through Tor, or all of my iPhone through Tor, that's the way to go.

Can't speak for anyone else, but I really don't recommend routing HD video or other high bandwidth traffic over Tor without at least some indication that it is anonymous at all. Relays already generously provide bandwidth for those in need, and in the past have had trouble keeping up with demand. And hogging all that bandwidth for TV is pointless if it is, e.g. sending its serial number, MAC address to the server anyway. But if you do, please consider running a relay to give back some of the bandwidth.

Tails on pi raspbery.

The answer should be.

I hear Tails people are working on ARM port.

Tails needs Ricochet include asp

doesn't tails require money

Tails does not charge anything to download and use or even for support ( )

Of course, all of this does cost money, so Tails does ask that all who are able to donate whatever they can:

SERIOUS PROBLEM WITH TAILS DONATE PAGE- I hope someone will forward to Tails devs:

In latest Tails 2.9.1
From page at
clicking-on "donate" button, goes to:
with message:
>Access Denied
>You don't have permission to access "" on this server.

Here your approach is to use hardware isolation and always force the traffic to go trough Tor. While it seems a good approach at first, the devil is in the details.

Since the Firefox exploits work on Firefox and not on the tor daemon that is in your SBC(RaspBerry PI) an exploit would compromise your laptop.

Once the laptop is compromised, the traffic still goes trough Tor but:
- Since the attacker controls your laptop, the attacker can identify uniquely, at the exit node the traffic. At this point the attacker still doesn't know where you are located.
- An attacker can monitor all your traffic and access all your files, and with that knowledge try to find your name and position.
- To compute your position, the attacker can use all the laptop's hardware (WiFi, Bluetooth, etc), all the serial numbers (MAC Address, BIOS or UEFI DMI information, various serial number)
- An attacker can use the camera and microphone(s) to gather information on the environment of the laptop.
- An attacker can install persistent malware at the BIOS level or even with higher privileges than that.
- An attacker can try to compromise all the devices you connect to the computer.
- An attacker can try to compromise all accounts you connect to from the computer.

Using physical separation effectively probably requires you do fabricate your own hardware, to avoid all the serial number issues.
Even with that they might not be avoidable entirely:
- CPU might have serial numbers or at least have a way to identify the revision.
- Almost all storage devices uses serial number.

Then if you are the only one using that hardware, you have an issue since you will be deanonymized easily.
You then need to mass produce such hardware, and ensure that it doesn't get compromised at fabrication or shipping.

If some common hardware meet the requirements, and maybe some SBC do(to replace your laptop, not the tor-router ), it would probably work.

The first thing to do, in order to work in this direction, would probably be to:
- Draft precise requirements/specifications
- Review existing hardware, to see if they can meet the specifications.

Actually, it doesn't make you immune to the Firefox exploit, it would just prevent the payload from getting your real IP. Your computer's serial number, MAC address, hostname, etc. would still be sent to home base over Tor.

Except invizibox is a terribly designed "Tor router" which is effectively a scam. It has too many problems to name, both in implementation, and fundamental design. If you actually need a Tor router, you should patch OpenWRT as The Grugq's PORTAL. Or better yet, don't use something crappy like that at all, and use Whonix with a hardware gateway (rather than a VM gateway).

you can use Chrome

You mean Google WebSpy? Did you know that Google WebSpy has built-in personal tracking id token?

thanks for another incredibly timely release!

Thanks for all the great work!

Just a small feature suggestion: make the Torbutton icon display the current security level in some way (e.g. through different coloring or emblems). That way the user is immediately aware of their current security setting before visiting some webpage. I think this would also encourage users to set the security level higher more often.

Good idea, thanks. I created for it.

Security Level - Colour
Medium high -Yellow
Medium low- Orange?

Maybe a triangle symbol for low and medium-low.

Or maybe just the inward layers of the onion icon would be colored?

In Tor Browser 6.5a6 there are only three levels: Low (default) Medium and High.

I think complete recoloring, particularity the red icon, would confuse users too much, it would make them think that something is wrong. And the green onion icon is pretty... iconic.

I have in mind something like this:

  • Low: the green onion as it is now
  • Medium-low: add bronze outline around the green onion
  • Medium-high: silver outline
  • High: gold outline

What about "Stealth Mode"? Hide torbutton and restore default Firefox icon to make TBB visually indistinguishable from Firefox?

thanks all over you

Dear Ladys and Sirs,
I try to install 'onion sites' and 'hidden net' but I'm sorry, I'm not able to do this. Please can you help me with instructions in German language or even can you install this for me?

I'm curious of your reply and say many thanks!

Kind regards
Jörg Hager


Have you had any other reports of upgrade difficulties with this release?

I cannot manage to upgrade from 6.0.7 to 6.0.8 on Win XP (Yes, I know!)

What happens is... After I download the 4.8 MB update and restart the browser, it loads the old version and gives a pop-up saying:

"Software Update Failed - The update could not be installed. Please make sure there are no other copies of Firefox running on your computer, and then restart Firefox to try again."

Tor Browser then works normally but it's the old version, 6.0.7.

There is no other Firefox process running in Windows Task Manager.

When I check for updates again, it downloads the same 4.8 MB package and the process starts over.

My antivirus is turned off and I've rebooted the computer several times.

I've been using Tor for years and have not had any other problems updating the Tor Browser in recent memory.

Thanks for your help.

No. that is the first report we got. Which locale are you using? I tested en-US on a Windows 7 machine and the incremental update from 6.0.7 to 6.0.8 worked for me.

Thanks for checking and replying!

I eventually solved the installation problem on my XP by moving the Tor Browser security slider from High to Low.

(I keep the TB in High mode most of the time.)

After I lowered the security setting, the update package changed from 4.8 MB to 60.8 MB and it installed perfectly.

Maybe only XPs are prone to this glitch?

Thanks again for your help and for developing the fantastic Tor Browser, an incredible and indispensable program.

Make sure you have plenty of free disk space (>400MB according to some sources). This has been a very common problem lately, because TB doesn't warn the user. It's worth a try.



Thanks for the kind words, really appreciated.


Can I get any more information about CVE-2016-9899 and CVE-2016-9893 (fixed in this release)? The bug pages on say I am not authorized to view the details, and the mfsa description is very vague. I'm curious what exploit vectors they use. I imagine the former can be blocked by noscript, because it says it involves a UAF for audio, which can be blocked, but the latter is just a collection of general memory-related bugs, which may or may not be related to javascript.

Thank you, for deploying Tor.

When I keep Tor button to High the update size is about 5 MB but when it is kept medium-high or low it first downloads 5 MB then installs and next it downloads 85.8 MB .

Works fine for me on all security levels. How can I reproduce what you found? Which operating system and which locale are you using?

Debian and en-US

And this is reproducible with a clean 6.0.7? I guess you are using a 64bit system?

Debian 8.6 64-bit LXDE

Thanks. Could you test with a clean 6.0.7? You can find it here:

I am currently downloading 6.0.7 let me verify the download and test it.

Yes it happened again.

After trying it the third time evreything went okay. Sorry, maybe it was a problem with my network.

Hi there, can’t you install TorBrowser launcher from Debian repos? This works fine for me.

Meanwhile, is the case that Updater downloads update ~10 times before exposing it to user on Windows "works fine" for you?

I did not say this. But there is not much we can do if the download got corrupted or tampered with. When I say "works fine for me" I mean I tested it on different machines with different locales and different operating systems and the update got downloaded once and applied cleanly.

It's a minor issue, but it happens always on different OSes with all recent versions, so it's strange that you say "got downloaded ONCE".

Well, that's what I experiencing both while quickly testing after enabling the updates and during updating my own Tor Browser instances. With one exception: On OS X stable if you started with a newer Tor Browser on OS X, one that supports code-signing, and are updating you are currently downloading the incremental one first and need to download the full update afterwards. We realized this bug after we shipped the code-signed bundles and it took us quite some time to get the fix right. See: for the details.

This is fixed in the alpha series and should work with Tor Browser 6.5 which is supposed to be the next stable release.


I experience this same issue since 6.0.5. If I download from TBB's about box:
FIrst downloads 5 MB. then it downloads 8x.x MB and fails to install it.
IF I download from Torbutton, fail again with message: Can't install update (fail applying patch).

I then download clean, unpack and use. Next update, same problem. Ubuntu 64, es lang, highest security settings.

Hard to say what goes wrong in your case. Could you share some log output? One thing that would probably be helpful is looking at the log you get after setting "app.update.log" on about:config in your Tor Browser to "true" before doing the update. The console (Ctrl + Shift + J) should get the output which might already help. Then there should be a UpdateInfo folder in your tor-browser_es-ES/Browser/TorBrowser after you tried to update. There updates/last.update.log should be interesting as well.

we live in Iran .Iran does not support international cards because of sanctions imposed by America,Is there another way we can Donate tor ?

See: for all the options available.

It is SAFE to add some dictionary from others localized versions of Tor Browser?

I have two tor-browser_en-US folder
one in /documents/ (first)
other in /desktop/ (second)
I wanted to put first one to high security level and the second to medium-high
After I put the first to high then turn second to medium-high and return to the first it would be at medium high.
Then I put first back to high and then go to second the second goes to high(I had put it at Medium-high)
Debian 8.6 64-bit tor browser 6.0.8

I had upgraded tor browser at /documents/ from 6.0.7 to 6.0.8
After putting the tor browser(the one at /documents/) at high I copied the folder to /desktop/(second). then opened second and changed it to medium-high this somehow made the first ( the one at /documents/) to medium high

I downloaded a fresh file, deleted the two old ones , extracted 6.0.8 to /desktop/ and /documents/ . Now everything is okay.

I get Tbb tunnel through a local proxy software which is NSA friendly, and Tbb cannot choose any kind of bridges for the connection to the network, so does it mean is it NSA be able or easier to crack Tor without bridges?

maybe no call tunnel through, it's set up a proxy in Tor launcher

NSA friendly so how do you measure this friendliness ? sound like you could potentially speculating and misleading

Tor doesn't work anymore:
"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."

I would try this:
Copy your places.sqlite (bookmarks) from directory/folder of TBB that doesn't work.

Extract and run the full current TBB.
Replace the new TBB's places.sqlite with your old places.sqlite

What operating system are you on?

OS X 10.11.6 El capitan
How to extract bookmark if I can not enter TB.
Where is places.sqlite file
May be erase bookmark and start from a brand new browser?
(thank you for your help guys)

Is it the first time you are using Tor Browser or the first time you have this trouble? I guess you have installed Tor Browser into /Applications. What happens if you take a fresh new Tor Browser and install it to your Desktop instead. Does that work?

Never had problem to use it
First time I have trouble. Yes I install it in applications folder. I tried on desktop but the same problem happened. I broke it

On desktop the message is different:
Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system, or faulty hardware. etc

When i try to copy the log it doesnt work.

I also get this, on XP

The 2.8.x executables are messed up, it's been this way for several releases.

And cookies are STILL broken in tor Browser (only been what like 3 years now and no fix from Tor Project)

It seems this is a different issue as you are on Windows and the behavior the user reported started recently on OS X? That said please file a bug for your problem at so we can investigate it? We would need additional information in order to reproduce it (if you are customizing your Tor Browser etc.).

Keep up the good work guys!

Great work guys!

I´m having lots of troubles running Tor on Kali Linux 2.0.

I only can run it from a terminal window and changing my clock to UTC, it rarely opens as a browser itself. I´ve tried with bridges, but connection proccess seems to last forever: it stays the whole night without changes.

Your help will be welcome. Thank you.

Give us at least log file, something like /var/log/tor/notices.log

I like more this apps since i have started to use it.
thankfully for your work guys. much love to you


hello torproject,
i have a question:

in tor-talk Sebastian Hahn is saying:
"Tor has full support for x86_64 (it's the preferred platform, even).".

If i'm using TBB on windows64, taskmanager is saying
32-bit. What is true?

Your task manager is correct. For Windows we only have 32bit builds yet mainly as Mozilla introduced 64bit Firefox builds for Windows not that long ago and we wanted to see that platform stabilized first before supporting it as well. That said we plan to work on a 64bit Tor Browser for Windows next year, after we switched to the new long-term support version, ESR52.

But Sebastian was correct as well. He was talking about tor the network program that Tor Browser ships.

ESR 52
That is 2017-06-12 for ESR Firefox 52.2 .

Are you dropping support for Mac again then?
For Mac OS X 10.6, 10.7 and 10.8 ?

Only supporting Mac 64bit systems on OS X 10.12, 10.11, 10.10?

We'll probably drop support for 10.6, 10.7 and 10.8, yes, see:

"He was talking about tor the network program that Tor Browser ships."

tor.exe on windows is 32-bit, too.?

Really cool portable bundles ship both 32- and 64-bit executables in a bundle and use auto-detection during startup.

Every Tor Binary since Tor Browser 5.0.7 release has caused the following error on XP:

"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."

Same bug on OSX 10.11.6

Two bugs

1 bug inherited from firefox that is more than highly annoying.
When printing and saving Torbrowser is not remembering the printing settings anymore which means every time adjusting 4,5,6,7, settings while the older ESRs (38) were remembering these settings.
Highly annoying if you have to print articles a lot and do the setting thing over and over and over again.

It also does not make sense for example that in the 'page header' section first the title is chosen and 3rd the page url.
In this order you will almost never get the full url on your print and then it is wasted information anyway.
It makes more sense tot reverse these two (or delete the page title) and start with the full url only.

For the page footer and I already remarked that on this site a long while ago, printing data and time is not always helpful because you cannot visually remove this while you can remove the creation dates in you want to.
Keep it blank as a standard setting gives more privacy.

2, other bug, when javascript is turned off the redirection of the ddgo search engine is not redirecting to the non-javascript search engine page.


Re 1) Could you file an upstream bug at Mozilla:
Re 2) I just retested it and it works fine with a clean, vanilla 6.0.8 on a 32bit Linux system. How can I reproduce you problem?

For 1 & 2, test it on a Mac OS X system. and compare it with any 5 version of Torbrowser.

I just tested setting the security slider to "High" which disables JavaScript and I got redirected to the non-JS DDG page on an old 10.6.8 system.

I also just tested the setting and picked up also a very good working 10.6.8 system and the redirect is not working at all.

It is stuck wit this message
"You are being redirected to the non-JavaScript site.
Click here if it doesn't happen automatically."

So, No, it does not redirect to duckduckgo to the javascriptfree site automatically.

I think it is NoScript again.
I do not use the security slider but manual security settings in NoScript.

With these higher security settings Torbrowser is also still (for several browser versions now (6, 5, 4?) completely crashing (!) when trying to print as pdf web content on some websites as mentioned before (long ago).

When I have time, I'll consider finally to look for the procedure making a (or a list of) bug report(s) on Torproject, but will not also go for the 'account' hassle on mosilla over there for reporting other browser things.
I do not believe they will pickup Mac bug things anyway because they are on this (in my opinion negative) ignoring old userbase track of making support for mac's smaller and smaller and smaller as a practical solution for their problems with making a stable browser for the Mac OS X platform (which they did not really succeed from Australis versions from around 28 or so for 32 bit systems and also even 64 bit mac systems).

Torbrowser 5 works relatively fine on older Mac systems (better than FF38 itself) and also some 4 versions do well by the way.
For Torbrowser version 6 I highly dislike that the browser profile is stored in the local library instead of within itself, this solution is against mobile and clean usage, leaving traces everywhere.
I like the 5 version still more because of less bugs.

But, it has to be said,
thanks for the good work on this browser anyway.

The browser that says "-Nan:Nan"

This error is showing up on youtube.
Probably because you disabled this setting in about:config?;false

Now I was already wondering why I could not open that nice Tor image from the about:tor page in a new window in Torbrowser.
It's an svg and thats disabled.

Therefor I knew that playing youtube content would be a problem because the play-button-bar has something to do with svg.
Enabling "" is fixing the playing choices and does let disapperar the magic "-Nan:Nan" (any rabbits around?) language.

Didn't mozilla solve the svg issue?

O, and please consider to change the Torbrowser icon in that lovely nice hearted onion! It's far more beautiful and positive looking then that (not so nice) green world icon.

good,I like it.

is tor used google dns? or tor had own self dns? am I anonymous when I use tor?

Problem: Mac OSx running Yosemite

-When a find is initiated in Torbrowser it is copied to Firefox 50.02 demonstrating some sort of link between the 2 applications.

-Meek Asure transport type does not work.

Yes that is a strange problem already mentioned here long time ago.
It is a General Mac OS X problem with mozilla browsers.

See why-where this is happening
Make a search attempt in one of your mozilla browsers, with 'cmd' 'f' .
Open your TextEdit program from the applications folder.
Open find-replace function (with 'cmd' 'f') in TextEdit and you will see exactly the word you used in your mozilla browser is filled in in the "Find:" space.

As long as the word is over there it will be shown in the search field of mozilla browsers. Even if you close the browsers and open them again it will be there!

The only user solution is to remove that particular word or phrase from the "Find:" space in TextEdit program or don't use the 'find' function in your browser at all if that is a privacy concern to you.
No workaround, unlles Torbrowser (or mozilla) devs are fixing this and break the relationship of the find function in Torbrowser and Mac OS X.

We will see, or not.

Re your first issue: Yes, this is a bug and in our bug tracker I believe (I can't seem to find the ticket right now, though :/ ).
Re your second issue: Albeit slow it works for me. I just tested it on a Linux machine. Do you get errors you could paste somewhere?

I always get "the connection has timed out" from Canada.

Privacy security concern ?

Why is local file browsing in Torbrowser enabled?
One can browse local files via Torbrowser with these url's


Would it be possible (thinking from an attackers point of view) that this would be embedded as a (hidden) file path on a website and stealing one way or another that local file directory displayed information?
Like, or even an url file:///followed by a standard path to a local documents directory/

Is it possible to steal local directory information (with the help of standard enabled javascripts) from some sort of cache-history directory in a current session?
I really hope not.

Now, I do not think people use this function on a regular basis or even a lot, probably almost never.
Can you consider, will you do, or tell us how to disable this function to prevent privacy and security related issues and accidents?

Thank you in advance for looking at this possible privacy security concern

Content is not supposed to have access to file:/// URLs. (Although there have been path traversal bugs in the past in Firefox) Being able to view local files (e.g.PDFs in the Tor Browser PDF viewer) is a neat feature to have actually.

In-browser pdf viewing is still standard enabled by the way. From a security point of view I should think, just download pdf files, use a local pdf viewer application and make sure that pdf viewer has no access to internet and or disable embedded pdf javascripts. But maybe in-browser viewing has a better security management perspective from Torproject point of view.

Is Google search in Tor Browser completely broken for anyone else now, or just me?

For the last few days, if the Privacy and Security slider is set to any level other than High, any Google searches I attempt in Tor Browser seem to trigger the Robots test by default, resulting in a series of "Select all images with X" and/or "Select all squares with X" type reCaptcha puzzles that must be solved first, instead of the usual "To continue, please type the characters below:" reCaptcha prompt. And if I manage to pass this significantly more laborious reCaptcha test and get the tick in the box signifying that "I'm not a robot", clicking the "Submit" button just redirects me to a Google error page with a picture of a robot, broken and in pieces, with the following text:

"400. That’s an error.

Your client has issued a malformed or illegal request. That’s all we know."

If the Privacy and Security slider is set to High, any Google searches I attempt in Tor Browser also seem to trigger the Robots test by default now, causing the "To continue, please type the characters below:" reCaptcha prompt to appear. And if the correct "characters" are submitted, I get a brief wait a moment while we redirect you notification, then get taken to my Google search results, then immediately after the tab with my Google search results has finished "Connecting" and loaded completely, I get dumped on a Google error page with the same picture of a robot, broken and in pieces, with the following text:

"403. That’s an error.

Your client does not have permission to get URL /sorry..."

Not exactly anonymous that Torbrowser?

I always wondered why I was exactly landing on the mac part of the Tor download page when I clicked on a Torbrowserlink for updating Torbrowser.
I forgot it some time ago.
But now it happened again when I was checking an insecurity warning near de lock in the url bar.
I clicked on the lock, clicked on the right arrow and the clicked at the 'Learn more' link.
Then I was redirected to a Mozilla page in two steps.
This was the final landing page

But for a very short moment I first saw another page in the url bar, that was this one
A surprising accurate link.

Apparently all the measures of changing the useragent string and some more values in about:config does not make my Torbrowser anonymous.
This link is telling the accurate version of my Torbrowser and the system I was on, Darwin is referring to the Mac OS X version of Torbrowser and is far from what the useragent string is telling
general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

Now my question is,
apparently there is code in Torbrowser active that can tell someone else the right information about the exact kind of Torbrowser version I am on.
Information that my Torbrowser is trying to hide.

If Torproject can read this information and Mozilla can, who else can detect this browser information?
No-one? Any-one? Only Smart 'web developers'?
And if they can, is changing the useragent string a half privacy solution then?

I am very curious for the privacy answer
Thank you in advance

The browser itself knows these things. Have a look at the value for "" in your about:config. There you'll find placeholders like %OS% which are filled in by your browser just before the request goes out. That does not mean that web content has the same capabilities. In fact, that would be a severe bug if that were the case.

feature or bug?

in the past (dont know when exactly) when you change the security slider the website automatically load with the new settings. now you have to click reload. ty

Seems to be a bug to me. I've opened Thanks for reporting and help is welcome in fixing that one or narrowing the problem down.


محد يتكلم عربي هني؟

can you answer me why this browser is too slowly!!? and i cant search anything nothing in the page is just blank page what the fuck???

Do wish you all could find a way to spoof the window size, not a lot of real estate on a netbook. Great work though really.



how to view youtube videos without activating scripts?

Hi, i've been having this problem since the day i installed tor browser, all the other browser stop responding or the just crash..and my cam light

That sounds like bad news.

Are you sure you actually installed Tor Browser, as opposed to something else more dangerous?

Why not remove Disconnect from the Torbrowser search bar in the top right? It only defaults to Duckduckgo

Why should we remove that one?

Just started with you guys....
Hope to have a wonderful ride... :)

I am using the DuckDuck go thing. However I am using Torbrowser with its circuit. And if I try to go on a onion site, It says I cant get in the site.

Has the circuit info panel recently been removed? I'm using a system wide installation of Tor if that makes any difference, but a few days ago I also couldn't see it with the bundled Tor version. In both cases extensions.torbutton.display_circuit was set to true.

No, it has not. Is that reproducible for you with a clean, new Tor Browser? If so, how?

Nice job!!

TBB didn't work for me in the last days. no traffic a few moments
after start. i turned off OCSP cert vilidation.
now it works again.

how can i be member in this buissnes ? i mean darkweb hackers ?

You can start looking for things to fix in our bug tracker at A lot of us are hanging out on IRC in #tor-dev on in case you have questions or want to discuss development related things.* not

Post new comment

  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <em> <strong> <cite> <code> <ul> <ol> <li> <b> <i> <strike> <p> <br>

More information about formatting options

Syndicate content Syndicate content