Tor Browser 5.0.1 is released

by mikeperry | August 18, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

This release fixes a crash bug that caused Tor Browser to crash on certain sites (in particular, Google Maps and Tumblr). The crash bug was a NULL pointer dereference while handling blob URIs. The crash was not exploitable.

Here is the complete changelog since 5.0:

  • All Platforms
    • Bug 16771: Fix crash on some websites due to blob URIs

Comments

Please note that the comment area below has been archived.

HTML5 is new technology, "new" as compared to Adobe Flash. As such there may be countless of de-anonymizing bugs in HTML5.

The NSA is busy uncovering and exploiting bugs in HTML5 to their advantage.

Use HTML5 over Tor with extreme caution. You have been forewarned.

*sigh* look, HTML5 video does have some anonymity and especially fingerprinting concerns... however, it is part of the browser itself and therefore (in Firefox's case) open source. The problem in Flash is it isn't open source so we don't have a clue what it's doing.
Although Flash also doesn't use the browsers proxy settings and therefore deanonymizes you, while HTML5 uses the browsers settings because it is the browser.

*sigh* look, HTML5 video does have some anonymity and especially fingerprinting concerns... however, it is part of the browser itself and therefore (in Firefox's case) open source. The problem in Flash is it isn't open source so we don't have a clue what it's doing.

sigh..sigh..and..sigh

Are you suggesting that open source software is free of security vulnerabilities?

Please read the write-up "Shellshock proves open source's 'many eyes' can't see straight" (URL: http://www.infoworld.com/article/2689233/security/shellshock-proves-ope…)

I'm not saying it's free of security vulnerabilities; I'm saying that you can audit it to check if it's doing something undesirable. You don't have to trust some corporation/person/government that the software they provide doesn't spy on you, you can check it yourself.

I'm not saying it's free of security vulnerabilities; I'm saying that you can audit it to check if it's doing something undesirable.

Look here, my original post of August 19th is in response to a post of August 18th: "Why go to youtube, by using flash player you do compromise your location."

And your reply to mine is largely out of topic. In addition it may cause confusion in those who are not tech-savvy.

People who use Tor Browser Bundle are those who desire to remain anonymous on the internet and using HTML5 video may unmask them. They do not care much about whether HTML5 is open source or proprietary/closed source.

I hate when people say shit like this. Of course you can check it yourself, but who has the proper expertise to even spot a backdoor or vulnerability? Better than closed source but still needs more professional eyes and caution.

Why cannot I get access to Tor over my old iPhone? It keeps telling me something like "sorry, you cannot download " blah blah blah. I still think someone set up a bogus rumor-net to get people to attempt to get into a system the govt ostensibly doesn't want them to gain access to. However I could give a rat's patootie what the CIA thinks I'm up to. I don't access child porn, I don't kill endangered animals but I am looking for the creepy face in the mask who speaks to me if I order illegal drugs.

August 17, 2015

Permalink

Thanks, hopefully those experiencing this issue will now upgrade from 4.5.3 to 5.01.

Kaspersky Warning
Cannot guarantee authenticity of the domain to which encrypted connection is established

application oracle vm virtualbox

url www.omwfe772jto3cmnltm2pguujg.com

reason         invalid name of the certificate.either the name is not on the allowed list or was
explicitly excluded

issued to      www.r3m3yaiegd.net
issued by      www.qj33ncodj.com
valid from                    6/14/2015 to 11/25/2015

certification path     www.r3m3yaiegd.net

field                                            value
version                                         v3
serial number                                00 0e fa 53 fd c6 fa 67 f7
singnature algorithm                      sha1rsa
signature hash algorithm           sha1
issuer                                           www.qj33ncodj.com
valid from                                    Sunday, Jube 14, 2015 5:30:00 am
valid to                                     wednesday, november25, 2015 5:29:59am
subject                                        www.r3m3yaiegd.net
public key                                    rsa(1024bits)
thumbprint algorithm                        sha1
thumbprint                                    0d 89 09 0d 36 a6 5e de c6 2a b1 63 40 67 9e 61 67 d4 58 2d

August 17, 2015

Permalink

My browser just sent my a system notification of a pending update - please tell me, is my system knowing tor upgraded or is everything is downloaded and updated through tor+tor browser?

It's an important question and needs an answer. There is no way it could download the entire application in a few minutes of launching here...especially since the latest release has ballooned by another 30 or so MB (Mozilla's fault I guess). Unless it's just downloading a few patches and updated scripts. But I doubt it is, because it relies on Firefox's updater, right ?

It makes me think it's downloading in the clear. If it is it's a massive gaff.

We need some information.

The upgrade is downloaded through Tor.

Firefox, and hence Tor Browser, supports incremental updates, so the size of the download depends on how much has changed between versions; for the upgrade from 5.0 to 5.0.1 the corresponding .incremental.mar (Mozilla archive) file is smaller than 500K.
See https://wiki.mozilla.org/Software_Update
You can see the .mar upgrade files here: https://dist.torproject.org/torbrowser/5.0.1/

Do you also *need* to be spoon-fed the information? How about clicking the "Documentation" link and reading up yourself?

Yes, it's fetched over Tor. Yes, it downloads only a small delta (when updating consecutive releases, at least). And, at least on GNU/Linux, the package has certainly not "ballooned by another 30 or so MB" (maybe 9MB).

(I'm not a Tor developer btw.)

August 18, 2015

Permalink

Same bug again: once the "SocksListenAddress 0.0.0.0:9150" added into torrc , Tor Browser 5.0.1 will crashed at start, so as Tor Browser 5.0. I am a chinese user,so I cannot use whonix without "SocksListenAddress 0.0.0.0:9150".

It's worth noting that `SocksListenAddress` has been deprecated for quite a while, so the better thing to do is to alter the `SocksPort` entry.

> DEPRECATED: As of 0.2.3.x-alpha, you can now use multiple SOCKSPort
> entries, and provide addresses for SOCKSPort entries, so
> SOCKSListenAddress no longer has a purpose. For backward
> compatibility, SOCKSListenAddress is only allowed when SOCKSPort
> is just a port number.)

August 18, 2015

Permalink

Whenever i finish a download, instead of opening the file tor browser crashes, deletes the shortcut and then malware is detected immediately after.

August 18, 2015

Permalink

strange,
tried several attempts, but this blog seems to be closed for comments.

August 18, 2015

Permalink

Thank you very much for a speedy update. I did not ever use Tumbl or Google maps but the Linux version of 5.0 crashed repeatedly on Bruce Schneier's site (!) and usually crashed on almost any site within 5 minutes ... while the Windows version did not crash at all on the same sites. Version 5.0.1 now running for 20 minutes with 15 tabs open and all looks good. Again, thanks.

August 18, 2015

Permalink

Hi. I'm from Iran and I'm using obfs4 as obfs3 has stopped working in Iran, but it's so slow I'm often faced with the "connection has timed out" message and can't open any web pages most of the time, even when I restart Tor.

Also whenever I use Google, it just says I appear to be a bot and keeps asking me to enter a scrambled number correctly, but it never accepts the number even though I enter it correctly every time. Could you please kindly look into it, especially the extremely slow speed problem? Thank you for your kind efforts.

There's not much to look into regarding speed. The default obfs4 bridges service a lot of users, and are constantly overloaded. You may have better luck if you obtained different obfs4 bridges from BridgeDB.

August 22, 2015

In reply to yawning

Permalink

I'm using Custom Bridges on the Tor Browser in Tails. Can I have too many bridges or the more bridges the better? Tor Browser in Tails is supposed to use a different bridge each time I boot to Tails, isn't it?

recatcha used to work without js. there was a copy and paste routine.

maybe you can look in the untrusted submenu of noscript menu to see the url that needs temporary noscript allow?

August 18, 2015

Permalink

I'm sorry regarding my previous comment I noticed the reason why obfs4 suddenly magically started to work was that Hotspot Shield was running in the background without my knowledge. As soon as I disabled it I was again unable to open any webpages. It seems like Iran's government is using a new kind of censorship. While I can connect to the Tor Network using obfs4 fairly fast and see the "Congratulations" web page, I haven't been able to open a single web page for the past few days no matter how many times I restart Tor. It's always "The Connection Has Timed Out". Could you please look into it?

Hard to look into it without having a computer there, or knowing which bridges you use (if it's not the default, don't reply with them either). If they're throttling long lived connections again, that's the sort of behavior I'd expect, but I don't have a good solution to that for obfs4.

I'm sorry regarding my previous comment I noticed the reason why obfs4 suddenly magically started to work was that Hotspot Shield was running in the background without my knowledge.

As I had cautioned you in my earlier post, I will caution you now for your sake.

Avoid Hotspot Shield at all costs as it has been working closely with the United States' National Security Agency. Your online activities may be closely monitored by it.

But again, being monitored by the NSA does not present the same risks to you compared to being monitored by the Iranian authorities. The NSA will not throw you into jail but the Iranian authorities will. One of my Iranian contacts who was vocal in his support of the American-led Iranian non-proliferation nuclear arms deal has just been given a seven year jail sentence. Do you want to be next?

Sometimes when you see "connections is rimed out" means "it is impossible to open a connection for your security & safety" so , it is better to not have one.

Try another location/country from your vpn or another circuit/identity from tor..

*i do not like comment about vpn/nsa/interpol or good/bad people/country ; in fact, as soon as you live in a reverted republic (old monarchy) or a false democracy (European Union), every body can ask a sanction against someone else , no need to be in contract with a government or a military circle ...

August 18, 2015

Permalink

I'm a bit confused. Today TorBrowser "informed" me that there's an update available and I should restart TB to apply it. In the 4.XXX Versions, on my startpage (about:tor) there always was this info "however, this browser is out of date" and then I used to update it manually. Since I prefer to do this manually, after today's update message, I checked the options to turn off the auto update (which I did not turn on). Then I recognized, that I can no longer change the settings. When I click the relevant box, no check mark appears. Is this a bug?
-----
I just realized, it is the same with ALL the options. It seems that when I click unto something, my changes apply but the "box" is not marked, no check mark visible..

sorry for my bad english, hope you get me

It's a recent bug. Lower the slider in the "Privacy and Security Settings" to Medium-High (or lower) and restart the Tor Browser. You should be able to modify your settings after the restart. And then you can set that slider back to High.

August 18, 2015

Permalink

I got an update to 5.01 today my saved passwords are working but I can not find them. Options-Security-saved passwords-but the window is blank no saved sites and passwords...

Love the new updated # 5...

August 19, 2015

In reply to gk

Permalink

Oh, I'm so glad to hear that you are working on it! I have the same problem and it is bothering me too much!

August 18, 2015

Permalink

New browser is not working with Yahoo fantasy baseball, Daily Fantasy Contests.
For some reason, all of the functionality on the screen fails to work as it did in the past. I am not sure if that is javascript errors or blocking or what.
But it was working fine on Monday. It no longer works today, after the update.
Any suggestions?

August 19, 2015

In reply to gk

Permalink

I am using TOR Browser as it ships; no modifications.
Here is the URL having the issues:

https://sports.yahoo.com/dailyfantasy

If you go to the middle "main" section titled "Daily Fantasy Sports Contests", the links in that section are not functioning, except for the "Enter Contest" button.
You should be able to click on "MLB" or "NFL" or "NBA", and it would take you to specific pages for just those leagues. Additionally, the slider button "Entry Fee" range from "$0 to $500" does not respond. You should be able to slide either end left or right to narrow your range.
Once you do click on "Enter Contest", you should be able to add players to roster by clicking on the "+" sign. However, nothing happens.

I tried disabling "No Script"; I unblocked "Pop Ups"; I clicked on just about everything in the Firefox browser "settings", but to no avail. So I'm not sure if this is a Firefox issue or a TOR issue.

But thank you for looking in to this and thank you for your time. I will definitely keep using this if you can resolve this issue.

August 20, 2015

In reply to gk

Permalink

Windows 7 on a Dell Latitude 5440 w/ i5 processor. Windows is completely up-to-date.

August 21, 2015

In reply to gk

Permalink

No, thank you for the follow-up and follow-through.
I hope you can get it resolved.

August 20, 2015

In reply to gk

Permalink

I went back to the archives and downloaded TOR 4.5. The Yahoo Daily Fantasy website works perfectly fine with 4.5. So it's got to be in TOR 5.0.1 for MS-Windows 64-bit installs.

August 18, 2015

Permalink

I don't like this auto update thing, it removes user control. How can we disable it please ?

"Starting with this release, Tor Browser will now also download and apply upgrades in the background, to ensure that users upgrade quicker and with less interaction. This behavior is governed by the about:config pref app.update.auto, but we do not recommend disabling it unless you really know what you're doing."

August 18, 2015

Permalink

Each time the start-up page is the webpages last time I visited, it is set to show a blank page in my preferences

August 18, 2015

Permalink

Where does TOR save it's downloaded Software update before installing it?
Thank you

August 18, 2015

Permalink

Where does Tor browser save its download of software update before I restart it and it kills all my saved stuff please?

That is an excellent question. Plus I wonder if this whole thing was put together by the NSA to track weird or...I think the whole thing is a govt put on. It would be cool if it wasn't. Am I just perverse? I'm waiting for a spooky thing to happen.

August 19, 2015

Permalink

Thank you for your great work! Could you please tell me how to configure a fixed exitnode? I mean sometimes I need my IP address to show as in a specific country, how can I achieve that?

I'm not sure this is a use-case the Tor network is specifically supposed to serve. Also you would be hurting your anonymity. Also there's a difference between a fixed exit node and a fixed exit country. If you still want to do it, read the tor and torrc man pages.

August 19, 2015

Permalink

After auto-update to 5.0.1, tor browser is giving the following error instead of opening:

XML Parsing Error: undefined entity
Location: chrome://browser/content/browser.xul
Line Number 1401, Column 11:

In order to resolve this issue: delete (or stop using) the file "Start Tor Browser.exe" in the Tor Browser directory. This file was used to start past versions of the Tor Browser. Instead, use the shortcut "Start Tor Browser" (located in the same directory), which points to "\Browser\firefox.exe".

August 19, 2015

Permalink

Suppose one sets the security slider to High and then allows scripts for one page (not globally). In this scenario, what are the risks of compromising one's location?

Ha, that looks like a very simple question eh? Well, I don't think the answer could ever be simple. You'll have to be more specific, I'm afraid.

If you use Tor Browser to stay anonymous, just disable all javascript/plugins/etc., period.

August 19, 2015

Permalink

I'm unhappy to report that no bookmarks were saved from the session which included the update to v5.0.1, and as a result I turned off the automatic update option.

August 22, 2015

In reply to gk

Permalink

Updating to Tor Browser 5.0.1 using the "torbrowser-install-5.0.1_en-US.exe" installation file made all my bookmarks disappear. It seems that "bookmarks.html" was overwritten.

That is a different thing. The issue was that the auto-updater was supposed to overwrite bookmarks and other things. You don't use torbrowser-install-5.0.1_en-US.exe in this procedure.

August 19, 2015

Permalink

Is Tor Browser actually downloading its update over Tor ? It seemed to report its update had downloaded awfully quickly here after launching, and tor tends to be slow for me.

Please, I hope it is not downloading updates in the clearnet.

Can someone confirm ?

The update mechanism uses Mozilla's custom MAR format for incremental upgrades. In this case, the size of the incremental upgrade file from 5.0 to 5.0.1 is between 400 and 500 KB, depending on your locale, so that would explain the quick download.

August 19, 2015

Permalink

i really miss images-from-specific-site blocking feature (right click an image on any page, choose "View Image Info"). now pages are cluttered with images i dont wanna see and i have to resort to using adblock addon which requires more ram. i'm on atom netbook and ram is very limited. can tor browser use lighter browser like pale moon instead of boated firefox?

strangely enuf, the feature still exists in framed pages.

August 19, 2015

In reply to by Anonymous (not verified)

Permalink

Site specific blocking can be easily fingerprintable depending on implementation.
If you must, you can try NoScript's ABE.

August 20, 2015

Permalink

FYI: If no bugs other than the crash have been fixed I won't install it and stick to version 4.5 on OS X Mavericks.

I also don't like the auto update, could you please disable it by default.

I think the concept is that if you can't figure out how to disable the auto update even after instructions have been posted, you probably should be auto updating.
4.5 includes numerous vulnerabilities in the Firefox code. If you don't update, you're putting yourself at risk.

Sorry, but (1) every application has vulnerabilities, so this does not convince me to update, because (2) I had posted a but report be email immediately after release of 5.0 indicating that it is not possible to see in the preferences whether an option in Tor Browser 5 is active or not. Other users have also reported this problem. Under these circumstances, using Tor Browser 5 is like a blind flight in the fog. It is just not possible to configure it. And, of course, I have disabled auto-update in my instance, but with a version with such major problems I won't ever use it. Please note that I am not in the business of testing software all day, but I am used to WORK PRODUCTIVELY with my computer. Sorry, for the direct language, but I am under the impression this has to be said quite clearly to get it across.

August 20, 2015

Permalink

Guys, i'm not sure if this is gonna be helpful, or could be able to fix those kind of issues..but ip-check. info, kinda gives you some kind of a solution for "fonts" issue, if you do modify, in about:config settings, the followingl line "browser.display.use_document_fonts" from "1" to "0", you'll find out that the test gives you green "Fonts" line, instead of red and all your visible fonts, will became just 3. If this is gonna be helpful, i'm just glad of stating the obvious =)
P.S Does anyone have an idea, why ip check gives orange"medium" rating of language now? Would be glad to here some fix options.

kinda gives you some kind of a solution for "fonts" issue, if you do modify, in about:config settings, the followingl line "browser.display.use_document_fonts" from "1" to "0",

Thanks for your repeated suggestion on modifying the parameter browser.display.use_document_fonts = 0.

Shall we let Tor developers do their job? If they wish to include it in the next update, they will.

August 20, 2015

Permalink

Probably not related, but I just noticed this today when specifying exit nodes in switzerland {ch}:

"All routers are down or won't exit -- choosing a doomed exit at random"

Google gave some links to the same error message and interestingly the Torcc files posted there also had exitnodes in Switzerland.

Filtering/Censoring? Maybe Swiss is not so neutral after all???

Good signature
torbrowser-install-5.0.1_ru.exe + asc
sha 256 = 544d9e48035008cdcac873b88c0bfc0abd0b97cd237393

i do not know where you found "that" : sha256sums-unsigned-build.txt
sha 256 = e9e211a4864a089ba50fa38b48024d262e25fcdb0591a749a5f3cf4d23fd3961

it looks like a mistake maybe a sha 512

Why do not coincide sha256sums
https://dist.torproject.org/torbrowser/5.0.1/ (torbrowser-install-5.0.1_ru.exe 2015-08-17 13:05 42M)

Instead of relying on sha256sums for verification, may I suggest you do the following:

1. Download Gpg4win using the URL: http://www.gpg4win.org/

2. Once you have Gpg4win installed, import Erinn Clark's signing key

3. Download the corresponding armored key of torbrowser-install-5.0.1_ru.exe which should be torbrowser-install-5.0.1_ru.exe.asc

4. Verify torbrowser-install-5.0.1_ru.exe using Gpg4win

Note: Gpg4win is FOSS (free open-source software). Per good practice, always scan your downloads with your preferred anti-virus/malware software before installing the former.

August 21, 2015

Permalink

strange response when middle click a link.
the tab of current web page has a favicon. when middle click a link, a vertical "smear" appears. the smear is something like a narrow version of the current page, narrowed to the width of the tab. most obvious are the favicon and the vertical scroll bar.

I clear the smear easily by clicking another browser tab and can return to the original tab. the smear i gone.

I middle-clicked a "reply" link on this blog.torproject.org page. the 'bug' did not occur.

this might be a firefox esr bug.
using vista 64 bit.

August 21, 2015

Permalink

I am alone or anybode else experiencing tbb 5.0 /w disabled auto update no blinking onion icon with update?
Check for updates button shows 5.0.1 available.

I Can no longer use obfs3 as it allways time s out. obfs4 works.xp pro. Thanks 4 help.

Am I reading it right? You are still using Microsoft Windows XP Pro?

Microsoft has not been providing security updates for a long time for XP Pro at it has reached its product's end of life.

Please upgrade it to Microsoft Windows 10 if you insist on using Microsoft's products.

However I wish to take this opportunity to suggest that instead of using Microsoft Windows OS, in terms of security, you are better off using a Linux OS. You can start by installing Ubuntu if you have never used Linux before. Its community-support-style forum, https://askubuntu.com/, is one of the friendliest on the internet. Hundreds of Ubuntu experts are there to help beginners out.

August 22, 2015

Permalink

I did the update to Tor last week on windows 7 and now it crashes trying to open. I gtet:

"XML Parsing Error: undefined entity
Location: chrome://browser/content/browser.xul
Line Number 1401, Column 11:"

I don't see it in windows programs, so how do you uninstall and reinstall?

Same question was posted above, same answer here:
In order to resolve this issue: delete (or stop using) the file "Start Tor Browser.exe" in the Tor Browser directory. This file was used to start past versions of the Tor Browser. Instead, use the shortcut "Start Tor Browser" (located in the same directory), which points to "\Browser\firefox.exe".

This not a sensible answer. Wind 7 8 and 10 are much worse security because they send back data that it is hard to stop. If TOR no longer good for XP we should be told.

This is not a sensible answer. Win 7/8/10 may be worse for privacy due to tracking/phone home concerns, but WIn 7/8/10 are more secure as they receive security fixes.

XP is no longer good for anything, assuming you want security.

August 23, 2015

In reply to yawning

Permalink

Nope, preferred Windows OS if you still get updates. Which you can if you do a little searching.

> If TOR no longer good for XP we should be told.

Tor's security is only as good as the security of the user's system. I personally don't care if people continue to use ancient operating systems (and if they get compromised due to their choices).

It is worth noting that eventually support for pre-Vista Windows will be dropped (https://trac.torproject.org/projects/tor/ticket/11445), though there is no set timeline for this currently, and ironically I was one of the people arguing against it the last time it came up.

This not a sensible answer.

Spot on. But have you asked yourself why I gave a nonsensical answer in the first place?

Wind 7 8 and 10 are much worse security because they send back data that it is hard to stop.

And in your opinion, Window XP Pro offers better security....how? How does it accomplish that knowing that Microsoft ended its technical support for Windows XP a few years ago?

If TOR no longer good for XP we should be told.

No, don't wait for Tor developers to tell you the answer. Be proactive.

As you seem to be one of the rare few to use or advocate the continued use of Windows XP (a discontinued Microsoft product) and if you deem anonymity and security to be important issues, why don't you ask Tor developers directly and post their answer here? Their contact information is listed on https://www.torproject.org/about/contact.html.en

Alternatively you can post your question to Tor StackExchange (URL: https://tor.stackexchange.com/)

Hi fellow XP-user,
I'm as well using using XP, dont like win 7/8/10 (bloated, costly etc)
BUT
I'm using it only to access some hardware better supported by win. And for a game now and then :) And while using it, my lan is completely cut off from internet by my firewall.

I have switched to linux (debian) with a dual boot setup.
And it was a good decision. Some learning at the beginning, but after all it's absolutely great and secure. No problem to get to get used to it if you can work with XP.

I wouldn't have a good feeling to do just one step into internet with XP.

Maybe this could be a way to go for you too?

Thank you for suggestion, but I tried linux and most of my programs would not work with it. It is fine for those who can afford to buy all new programs but i can't.

August 22, 2015

Permalink

The Government says that anyone who uses privacy tools or encryption tools are deemed terrorists. What the heck?

The Government says that anyone who uses privacy tools or encryption tools are deemed terrorists. What the heck?

WHICH government says that? The American? The British? The Iranian? The Chinese? The Russian?

Please quote your source(s) with URLs.

Is the answer above ?
French government consider that every piece about privacy must be violate to be sold.
Terrorism is something like a trademark , a licensed manipulation "see etats voyou".

Cryptographic art allow you to be far , obfuscated , from outlaws research (government).
Using privacy tools or encryption tools will help you to not be a prey.

I read that 4 000 000 of persons are using tor ; how many are using pgp ?
Every terrorist can give you few millions of dollars so you should find the name and the address of the users of this blog and sold them ( they have friends in USA,UK Iran, Asia and Russia).

Is the answer above?

No.

French government consider that every piece about privacy must be violate to be sold.
Terrorism is something like a trademark , a licensed manipulation "see etats voyou".
Cryptographic art allow you to be far , obfuscated , from outlaws research (government).
Using privacy tools or encryption tools will help you to not be a prey.

We are lost here due to the differences in language.

Could you re-post your above statements in your native language?

https://www.laquadrature.net/en/instrumentalizing-fear-to-control-encry…
https://firstlook.org/theintercept/2015/03/17/whats-scarier-terrorism-g…

if it is true, (... using encryption tool are deemed terrorist..) ; banning encryption tool will decrease the value of your life , so they will buy more (slaves/information) with less money (yours) and sell it better : encryption tool are also a barrier against slavery ... and laundry money ... at the opposite that they claim.

if it is true, (... using encryption tool are deemed terrorist..) ; banning encryption tool will decrease the value of your life......

Your latest response contradicts your earlier one: French government consider that every piece about privacy must be violate to be sold.

Are you trolling here?

Did you know that financial institutions in any part of the world need encryption tools to protect financial transactions? When you pay your purchases with your VISA/Mastercard/JCB/Discover credit cards, details of your cards and purchase information are transmitted to the relevant parties (eg. VISA, Mastercard, bank) using encryption?

In the US, when Americans transact with certain US government agencies, the relevant US government websites use encryption?

I can only conclude that you are a troll. Enough said. I shan't be wasting my time on you.

The French government consider that every piece about privacy must be violated for be sold.
The Terrorism is something like a trademark , a licensed manipulation "see etats voyou".

The Cryptographic art allow you to be far , obfuscated , from outlaws (government).
The encryption tools help to not be a prey.

Es la respuesta más arriba?
El gobierno francés la posibilidad que cada pieza de la política de privacidad debe ser violado para ser vendidos.
El terrorismo es algo así como una marca comercial, una manipulación con licencia "etats voyou".

La criptografía arte le permiten ser mucho , ofuscado , de forajidos (el gobierno).
Las herramientas de cifrado ayuda a no ser una presa fácil.

هو الرد أعلاه ؟
الحكومة الفرنسية تعتبر أن كل قطعة عن خصوصية يجب أن تنتهك على بيعها.
الإرهاب هو شيء مثل علامة تجارية ، مرخص التلاعب " انظر الدول voyou".

الفن الترميز تسمح لك أن تكون ، غموض ، من الخارجين عن القانون (الحكومة).
أدوات التشفير مساعدة لا يكون ضحية.

是对上述问题的答案吗?
法国政府认为,每一件有关隐私的侵犯必须出售。
恐怖主义是一个商标,一个许可操纵“voyou又何其多”。

先进的加密使您能够进行到目前为止,变得模糊不清,从水浒传(政府)。
加密工具帮助不是猎物。

Is het antwoord dan?
De Franse regering ziet dat elk stuk over privacy moeten worden geschonden worden verkocht.
Het terrorisme is zoiets als een handelsmerk , een gediplomeerd manipulatie "etats voyou".

De Cryptografische art kunt u veel , echter , door bandieten (regering).
De codering tools helpen om niet te worden overheerst.

Ist die Antwort oben ?
Die französische Regierung berücksichtigen, dass jedes Stück über die Privatsphäre muss verletzt für verkauft werden.
Der Terrorismus ist so etwas wie eine Marke , eine lizenzierte Manipulation "siehe Etats voyou".

Die kryptografischen Kunst ermöglichen Ihnen zu weit , verschleiert , von Outlaws (Regierung).
Die Verschlüsselung Tools Hilfe nicht als Beute.

È la risposta qui sopra?
Il governo francese considera che ogni pezzo sulla privacy devono essere violati per essere venduti.
Il terrorismo è qualcosa di simile ad un marchio , una manipolazione licenza "etats voyou".

La tecnica crittografica consentono di essere lontano , offuscato , da fuorilegge (governo).
Gli strumenti di crittografia consentono di non essere una preda.

Este răspunsul de mai sus ?
Guvernul francez considera ca fiecare bucată trebuie să fie violate despre confidenţialitate pentru fi vândute.
Terorismul este ceva ca o marcă comercială , o manipulare licenţiate "vezi etats voyou".

Arta criptografică vă permit să fie departe , baza obfuscated , de haiduci (guvernului).
Instrumentele de criptare pentru a fi o prada.

Est la réponse ci-dessus ?
Le gouvernement français estiment que chaque morceau sur la vie privée doivent être violé pour être vendus.
Le terrorisme est quelque chose comme une marque , une manipulation sous licence "voir". voyou etats

L'art cryptographique vous permettent d'être loin , OBSCURCIE , de hors-la-loi (gouvernement).
Les outils de chiffrement aident à ne pas être une proie.

היא התשובה לעיל ?
ממשלת צרפת לשקול כי כל פיסה אודות פרטיות חייב להיות הפר עבור מכר.
את הטרור הוא משהו כמו סימן מסחרי , מניפולציה עם רישיון "ראה אטאט voyou".

את האמנות קריפטוגרפית מאפשרות לך להיות רחוק , מעורפל , החל נחשבים לפורעי חוק (הממשלה).
עזרה של כלי הצפנה כדי לא להיות טרף.

- Это ответ на выше ?
Правительство Франции считает, что каждый участок о конфиденциальности должны быть нарушены для продажи.
Терроризм - это товарный знак , лицензированный манипуляций "см. Этат voyou".

криптографического искусства позволяют быть далеко , скрытый , от преступников (правительство).
Шифрование средства помогают не быть жертвой.

Think about it...it is not that hard. NSA & FBI & other agencies, of course! Just do a search and you will find out that using privacy, encryption, or Tor will put you on a terrorist list. This is confirmed and verified, so just deal with it.

August 22, 2015

Permalink

I downloaded torbrowser-install-5.0.1_en-US.exe (for windows 8) three times on two machines having two versions of ubuntu and windows 8. Each time I check sha256, it does not match the hash in the unsigned build txt file. The ubuntu tor version I downloaded had the correct hash.
Is anyone else having a problem with the windows 8 sha256 hash not matching?

August 23, 2015

In reply to by Anonymous (not verified)

Permalink

Each time I check sha256, it does not match the hash in the unsigned build txt file. The ubuntu tor version I downloaded had the correct hash.
Is anyone else having a problem with the windows 8 sha256 hash not matching?

Below are the comments by gk posted on June 16th (URL: https://blog.torproject.org/blog/tor-browser-452-released#comments):

    ""As the name of the file implies this is the checksum of the *unsigned* .exe. Have you stripped the authenticode signature first, before comparing the SHA 256 sums? See: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…""

In addition the below comments taken from "How to verify signatures for packages" (URL: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…) are note-worthy:

    ""These "checksums" help you answer the question "Did I download this file correctly from whoever sent it to me?" They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from the attacker.. The better question to answer is: "Is this file that I just downloaded the file that Tor intended me to get?"""

August 22, 2015

Permalink

Am I the only one with German edition of TBB has problems with this:

- language is set to de,en-US;q=0.7,en;q=0.3, this is not the right thing according to ip-check.info.

Fingerprint-test at panopticlick.eff.org has

"...one in 4xxxx ([rounded]) browsers have the same fingerprint as yours."

Usually it has only a few hundreds instead of 40k.

I guess it's the same problem with the "language":

HTTP_ACCEPT Headers

bits of identifying information: 7.xx

one in x browsers have this value: 140.x

text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 gzip, deflate de,en-US;q=0.7,en;q=0.3

Any workaround? Any fix? Any help? Ty

TBB just did a major Firefox update ESR31 -> ESR38. Before, the signature was the same for a LONG time. So just wait a bit, while more ESR38 users are being picked up.

It's similar with English, TBB 4.5.3 is 1/300; TBB 5.0 is 1/4000.

But this "de" in "de,en-US;q=0.7,en;q=0.3" means German language so it looks to me that something is wrong cause it shouldnt be readable this de. Also http://ip-check.info recommends a signature without "de."

Can someone test? Which language version?

August 23, 2015

Permalink

I can not find any information on the correct SHA256 for goal. Can someone tell me whether this is sha 256 korrket me?
Many thanks!

torbrowser-install-5.0.1_de.exe
sha256 = d5ea00a10dac354e0bd4b83510bb98e26ac00921790513a144f4ad43d8b85e97

1° download your .exe and .sig/.asc

2° open a terminal and type that


cd downloads
*the folder where are the files .asc/.sig and tor.exe

gpg --verify torbrowser-install-5.0.1_de.asc torbrowser-install-5.0.1_de.exe
*ID key is written (D40814E0 e.g.), copy it and paste it at the end of the next command.

gpg --keyserver x-hkp://pool.sks-keyservers.net --recv-keys [ID key=8]
.*ID key is added.

gpg --verify torbrowser-install-5.0.1_de.asc torbrowser-install-5.0.1_de.exe
*good signature

I can not find any information on the correct SHA256 for goal. Can someone tell me whether this is sha 256 korrket me?

No, don't verify your downloads using hashsums. Why? According to "How to verify signatures for packages" (URL: https://www.torproject.org/docs/verifying-signatures.html.en):

    These "checksums" help you answer the question "Did I download this file correctly from whoever sent it to me?" They do a good job at making sure you didn't have any random errors in your download, but they don't help you figure out whether you were downloading it from the attacker. The better question to answer is: "Is this file that I just downloaded the file that Tor intended me to get?"

Read the section "Where do I get the signatures and the keys that made them?" and pay attention to the section "Windows" starting with the following lines:

    You need to have GnuPG installed before you can verify signatures. Download it from http://gpg4win.org/download.html.

    Once it's installed, use GnuPG to import the key that signed your package. Since GnuPG for Windows is a command-line tool, you will need to use cmd.exe..blah...blah

This pretends that downloading a crucial security file from an non-secure site to get security is perfectly sensible.

Please, at least discuss the workaround.

August 23, 2015

Permalink

Hi i have a question

tor is for search but for what?
in first i am waiting my conexion is bad

August 24, 2015

Permalink

I'd highly recommend the Tor project consider switching to Pale Moon as a base for future versions of the Tor browser. Pale Moon is an Open Source fork of Mozilla/Firefox that is faster, lighter, and does not implement all the bloatware that is prone to vulnerabilities (Hello, Pocket, Reader+, Share, Telegram, etc). Also, Mozilla, in its infinite wisdom, has decided its going to deprecate XUL and XPCOM, which is essentially the very foundation of the browser. This will break virtually every extension in existence and be the end of customization. The future doesn't look good for FF.

August 24, 2015

Permalink

on linux x64 with 5.01 torbundle verified
i opened vnbook before the connection to tor and the result is negative

log ; ******/2015 ****.
100 [WARN] Problem bootstrapping. Stuck at 80%: Connecting to the Tor network. (Connection refused; CONNECTREFUSED;count 10; recommendation warn; host
**********************************************
100 [WARN] 9 connections have failed:
100 [WARN] 9 connections died in state connect()ing with SSL state (No SSL object)

does it mean that my connection with openvpn (vpnbook) is not encrypted ?
does it mean that vpnbook does not allow a connection with tor ?

does it mean that vpnbook does not allow a connection with tor?

Forget about vpnbook. It's one of the worst privacy-enhancing proxies ever.

ok , i thank you for your answer ; let's forget vpnbook ( i uninstall it now) but could you pls explain the reason why you think vpnbook is the worst privacy-enhancing proxies ?
usa spot ?
obsolete product ?
unsafe encryption ?.
informant admin ?

August 25, 2015

Permalink

"One of the mechanisms that an attacker may employ to figures out which relay is the first hop and which relay is the last hop of a client is by compromising the middle node. Once an attacker compromised the middle node, then she knows which hop is the first node and which hop is the last node the client is using, and now the attacker can compromise these hops to de-anonymise the client. The Guard is specially vulnerable now because it is stationary for weeks and months. If there were several middle nodes, then the attacker was not able to obtain this information from any of the middle nodes"

Why not 4 or more hops?

August 29, 2015

In reply to gk

Permalink

"it increases load on the network!" ...

I think there is no shortage of middle nodes.
The nodes have become faster over the last years.

..."without providing any more security".

It does abate the attack vector described by the poster.

August 25, 2015

Permalink

Please list the countries/cities to avoid in the Nodes because of SIGINT surveillance and instruction for configuration.
Why there is no Security Level slider for this or this is not posted on main page?
Why nodes can be from the same country by default?
Why with New Tor Circuit for this Site the cookie stays the same?

I also have this problem of nodes always being the same at the top of the list and other times the map not working at all. Just checked with a friend who has also found this after checking the nodes list. Strange no response from the TOR developers.

August 26, 2015

Permalink

1/2 off-topic but TAILS has no simple open contact side.
Mail-list to complicated.

It has a 'stable' strange bug. Very reproducible in all versions of Tails i had.Tails only.
When i pull windows -bigger,small- the desktop is crashing.
Black fullscreen,sad smiley and:

"Oh no! Something has gone wrong.
A problem has occurred and the system can't recover.
Please log out and tray again.
|Log Out|"

System-messages from the desktop are visible.

It seems to be TBB and Vidalia.

August 26, 2015

Permalink

Note to desktop crash bug in Tails.
I had sent this to the Tails developers with Whisperback.
May it helps.

August 26, 2015

Permalink

Do you know any popular servers that could automatically generate padding from your tab?

Other popular solutions?

Problems mentioned in docs look pathetic.

August 26, 2015

Permalink

my tor does not work i have download it and installed step by step but when i hit the connect it stays in LOADING NETWORK STATUS and it does not load the whole way? /?? can some one pls help me

August 27, 2015

Permalink

How come -> 2 versions of 'https-everywhere' firefox add-on = v5.0.7 + v5.1.0,
despite restarting TBB 5.0.1 twice ?

August 27, 2015

Permalink

I Used To Have A Lot Of Respect For Tor. I Still Respect most of the coders , But After Reading Many Many Pages Like this one, Most of The Respect is Gone Out the window with the Water and the baby Also. No wonder Tor Cannot find a Director!

Do you think Tor has been compromised? Do you think Tor is in bed with the Government? I just hope not. I do not want to find out that all Tor users have been under monitoring by the military at the very end and everything was all smoke and mirrors.

I just hope Astoria and Hornet will come out faster or sooner so we can test out true and absolute privacy. I also hope that DarkMail comes out sooner so that our emails cannot be tracked anytime or anywhere.

I also have some good news for you Californians. All electronic data search requires a warrant now as of June 2015. Good luck to you Westerners out there!

August 27, 2015

Permalink

All right. For those who wanted to know who says you are a terrorist or extremist if you use encryption, privacy, or Tor? You guess it! Check out these articles to update your knowledge.

1) NSA Targets As “Extremists” Americans Who Simply Wish to Protect Themselves from Oppression @ http://www.washingtonsblog.com/2014/07/nsa-targets-extremists-people-tr…

2) Your Interest in Privacy Will Ensure You’re Targeted By The NSA @ http://www.makeuseof.com/tag/interest-privacy-will-ensure-youre-targete…

3) The NSA Thinks You Are an Extremist If You Care About Privacy @ http://securitywatch.pcmag.com/privacy/325273-the-nsa-thinks-you-are-an…

4) 25 More Ridiculous FBI Lists: You Might Be A Terrorist If . . . @ http://www.networkworld.com/article/2221637/microsoft-subnet/25-more-ri…

Enjoy!

the links are in http, not in https (tor must be set in https for preserving your privacy).
i do agree with you even if the arguments are not mine ( i should say that it is not an American idea and live in full nudity is also a consequence of gay & migrant movement ). The Government(s) _ (bankers !) _ do not need a people with an history, a culture or an identity ; only consumers are welcome so,the real population - 'genuine '- must disappear without trouble and in silence. It seems that this strategy does not work ... a criminal/terrorist/extremist is now someone who refuse to be outside of the society ; encryption tool is another manner to be a patriot, a citizen,

September 10, 2015

Permalink

why tor browser seems only connect to ip 66.228.44.204? when tried dld a torrent file was sent (torentname).exe file instead? something wrong or coincidence? btw is there a sha or md5 for the torbrowser?