Tor Browser 6.0.4 is released

by gk | August 16, 2016

Tor Browser 6.0.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release finally brings Tor Browser users the latest Tor stable, 0.2.8.6, and avoids pinging Mozilla's servers for system extensions.

Pinging Mozilla's servers was responsible for users getting an extension into their Tor Browser that resulted in annoying and confusing "Your Firefox is out of date" notifications on start-up (bug 19890). Thanks to Mozilla engineers, who fixed that issue as quickly as possible on their side, the extension is not shipped to Tor Browser users anymore since August 11 13:00 UTC. This takes care of getting the add-on removed as well in case it got installed into Tor Browser (as does the fix we ship in Tor Browser 6.0.4) which should have happened/is happening during the next extension update ping. For further information see the discussion in our bug tracker.

Users that are on the alpha channel or are using the hardened Tor Browser were not affected. The same goes for Tails users as far as we know.

The full changelog since Tor Browser 6.0.3 is:

Tor Browser 6.0.4 -- August 16

  • All Platforms
    • Update Tor to 0.2.8.6
    • Update NoScript to 2.9.0.14
    • Bug 19890: Disable installation of system addons

Comments

Please note that the comment area below has been archived.

August 16, 2016

Permalink

So, the question is: Tor Browser 6.0.3 included in Tails is different? And why? Or what else?

Yes, there appear to be a few differences [1]. Mostly, just preference adjustments and adding the Add Block Plus addon. Most modifications appear to be required since the Tor daemon, which is responsible for connecting to the Tor network, and the browser are not intertwined. This allows for better security in tails by running the Tor daemon in as a different user. Also, it allows to connect to the Tor network before the browser is opened, speeding up things, and allows sharing one single tor daemon for all network traffic.

[1]: https://git-tails.immerda.ch/tails/tree/config/chroot_local-includes/et…

August 16, 2016

Permalink

Hello All. My name is Don, and I am obviously new to TOR, but am finding the privacy features of this browser to be very usefull in maintaining my online privacy, which is a refreshing new status.I will do my best to make using TOR a part of my daily web surfing. Thank you for creating such a wonderful product!

August 30, 2016

In reply to gk

Permalink

Agreed. NSA did not make TOR.
I don't know who for sure to thank but another version I heard is the U. S. Navy created it. Probably just another Myth. Of course I'm sure HIV was actually created by CIA and was supposed to target only GAY's! RRRRIIIIIIGGGGHHHHT!!

August 16, 2016

In reply to gk

Permalink

LoL, "outofdate-notifications@mozilla.org" !! once-upon-a-time found this in a situation (couldn't recall) & asked myself: What "Mozilla" has got to do with anything -OutOfDate- that is related =Exclusively= to TBB! .. Thought -even- it might leak usage practice --innocently- to an (agent) on the other end ;)

However, today -THANKFULLY- you answered my thoughts, but a bit sad: Why wasn't me who must report this"BUG" to you, ..Well, no-problem.. at least my thoughts were -almost- Right :)

Thanks again TBB team, & best of luck to you ALL..

August 16, 2016

In reply to by Anonymous (not verified)

Permalink

You ask youself Why wasn't me who report this bug.

You say: I need to move the chair in the corner. You do not move the chair until maybe years later.

Same reason. No fault.

August 21, 2016

In reply to gk

Permalink

Is there going to be away of using Tor with out agreeing to the new terms and conditions contract MS is going make everyone sign ?

. I refuse to sign anything I don't agree with .

How can I even have windows on my devices with out signing those intrusive agreements ?

Using either or both will probably give you a more distinct fingerprint. Privacy Badger "learns" as it is used, changing the users fingerprint. Given that most use cases of ublock involve blocking specific sites, you're going to end up with a unique fingerprint there as well. There's a reason why NoScript in TB has been modified to not allow site-specific white/blacklisting.

Of course, installing any addon has standard risks involving fingerprinting and attack vectors. Privacy Badger and ublock are just particularly bad for specific reasons. They're good addons, but they fail to deal with specific concerns for most TB use cases.

i don;t see how a webpage could access bookmarks.

for small set of "bookmarks", you could drag urls into a text editor, then load that text file into tor browser as webpage.

but does this create a new privacy risk? (None seems obvious to me)

bookmarks are not threat to anonymity. They could only be used if your PC was taken by police and they opened your tbb. But you can have full disk encryption or just have your tor browser inside encrypted container. But don't forget to unmount it or shutdown PC when you exit home or open door.

August 16, 2016

Permalink

Здравствуйте меня зовут Руслан Мне интересно можно перевдить в Тор веб -сайты на Русский язык если это возможно то как подскажите?Спасибо Удачи!!!

August 16, 2016

Permalink

Could we get a heads up before having the update forced on us? I prefer to download and reinstall myself.
You talk about freedom, how about that freedom?
Thank you for your great work!

There was a heads-up before this version was getting out (as with basically all stable versions). Feel free to look at our tor-qa mailing list to convince yourself.

August 16, 2016

Permalink

It wasn't just annoying and confusing. It also broke non-Tor Firefox browsers. Why you would thank Mozilla engineers for anything is suspicious. They intentionally created and included the extension. And it proves Tor is easily hacked by big brother.

Tor Browser will no longer load such add-ons. Also, the list of add-ons Mozilla is deploying must be public so any malicious attempt would be caught easily.

Hi, are you able to explain further how Tor maybe hacked hijack etc.
Privacy is important to me; I've no real knowledge of computers.
Is there a simple list of things not to do...

thanks for your time...
Cash

August 16, 2016

Permalink

tor did not connect to dir auth servers successfully.
are there any changes fetching the consensus/descs at firstrun ?

August 16, 2016

Permalink

Here in Syria we must use TOR to avoid mass surveillance have here, my friend was sent to prison because internet surveillance.

I afraid but I will never stop to use internet to send photos of this awful government.

Thank you.

i just decided i ,m gonna set up a relay to help free! internet only thing is i am gonnna need some help with this if there is ANYONE OUTTHERE HELP me with this issue so how to set up a relay on a mac system. is nnot there a program for it Who knows pleAS REPLAY..............

The comments area to this blog is a terrible place to ask for help, I'd expect no one to bother answering you here on this, especially when you can just read the documentation provided by the Tor Project itself.

You can find your starting point for how to set up a relay here:

http://expyuzz4wqqyqhjn.onion/docs/tor-relay-debian.html.en

I have deliberately given you the onion service link, which you can only reach using Tor itself. You look eager, but very fresh, and running a relay is serious work. Needing to use Tor to reach the onion service ensures you're actually using Tor yourself, otherwise you're likely to screw up.

You'll need to decide whether you'll just be a middle relay (fairly harmless, but helps), or an exit node (which can be a real headache if you are too naive about legal repercussions*).

* Hint: If you need to ask what legal repercussions, you're probably too naive!

August 16, 2016

Permalink

Перестало работать расширение NoSquint (((

Это очень плохо, т.к. это часть браузера, скачай и поставь заново. Как так получилось?

August 16, 2016

Permalink

ok

August 16, 2016

Permalink

i just wanna thank you to all you're great minds that brought this to us and one more thing if the CIA is tracking me how can i got it to stop lol off the record

August 16, 2016

Permalink

TBB Thanks for taking care of the recent MozFire update problem so quickly! That might of caused alot more sleepless nights for us that depend on your security and info to help make us feel safe! The new apps that were sent,with the new logo,are they safe to use with new version? or should those files be deleted! Thanks again congrats!

August 17, 2016

In reply to gk

Permalink

WOW: "starting with a clean TBB"!!

I'am running my Dear>TBB with about 24 FF-Add-ons!
(+15 disabled: ..some Enabled if needed)

1-Are there any possibility of anonymity risks involved!

2- Is it a future-possibility that TBB team might create a new division that Checks & Approves most used add-ones as of (TBB Singed Add-ons)

3- Thank You Very much :)

Yes, there's a possibility of anonymity risks with each addon; you can make your browser appear different to websites(fingerprinting) and you're increasing the attack surface for someone trying to find an exploit in your browser in order to hack into your computer. There's a reason it's recommended that you don't install 3rd party addons in Tor Browser. The Torproject is a small organization and has difficulty as it is supporting Tor Browser. Checking Addons for potential security exploits is a time consuming process that Mozilla doesn't even really do. The Torproject simply doesn't have the resources required to do code audits on 3rd party addons that may change their code at any time.

That was Well said & understood, Yes i forgot most addons will change their code from time to time and can't be followed every time & then by The TBB Team.. Thank you for the good info ,, hope it's useful for others too :) ,, Bye--

It is why the flash player was created and adopted by the sites that try to force it as an only way to decode their information.

The moment you allow any scripts on a site that you are not absolutely sure you can trust youe anonymity has gone out of the window. You may as well use a regular connection.

No scripts, no plugins and you may have a chance

Flash doesn't obey browser proxy settings, so traffic from the plugin won't go through tor even if you run it from inside TB.

That's correct.

If the original poster installs Flash Player on Tor, whether he is using Microsoft Windows or Linux OS, he is easily traceable on the internet.

He may wish to try to install Whonix operating system first and then install Flash Player. However there is no 100% warranty that Flash Player may not broadcast his true IP address.

Last week Shadow Brokers upload a 200+ MB of hacking tools stolen from the NSA. A few tools exploit zero-day vulnerabilities and unpatched vulnerabilities found in Flash Player and Java. Given this information, does the original poster still want to install Flash Player on Tor?

Yes but even with Whonix, there is flash fingerprinting. So each time he would use flash they would know it's same person.
Fingerprinting can be done with flash version, settings, flash history and PC settings too.

They may know it's the same person, making it pseudonymous as opposed to anonymous, but at least Flash isn't leaking your real IP as it would be in Tor Browser. Using Flash with Tor via Whonix may be shooting yourself in the foot with a pistol, but trying to use Flash with Tor Browser alone is shooting yourself in the foot with a rocket launcher.

try
1- a video downloader website (no flash plugin, but probably requires that noscript extension allow JavaScript.).
2- play downloaded video in media player that's blocked from connecting to the net, and, or lacks any streaming feature.

August 16, 2016

Permalink

In TBB6.0.4
extensions.torbutton.use_privoxy
is on(true).

Why?
Problem?

gk

August 17, 2016

In reply to by Anonymous (not verified)

Permalink

I guess this is due to cruft in our Torbutton code. This should not be an issue for you.

August 19, 2016

In reply to gk

Permalink

For a number of months, my Tor Button was accompanied by "Tor Disabled." Finally I complained to Chief Counsel at my employer (a DoD Agency) and voila! Tor started working, I got my VPN connectiion from Avast back, and my iPhone also shed a while bunch of bugs. However, I have questions about incidents that I've been trying to get my Agency to answer for over a year, and they keep piling up. There is/are IT person(s) at my Agency who have hacked my life basically. Imagine a DoD stalker who can block references, and shift philanthropic choices. Last night I reported four more incidents of system issues to the help desk, including a 2nd mouse input whose buffer seemed to have preference over mine.

Do Tor folks have anywhere to point me?

August 16, 2016

Permalink

Tor is still shutting down periodically and randomly as with 6.0.3, needing to be restarted without closing any windows. I have no idea whether it is something to do with my system or a bug. I mention it to see if others are experiencing this. This started for me on 6.0.3, and it is still doing it. Before that, Tor never closed down for no apparent reason, even if left without use.

August 17, 2016

In reply to gk

Permalink

It is happening on Windows 7. I thought it started happening in 6.0.3 possibly as a result of installing the Mozilla Archive Format add-on. Never before had any add-ons and I thought that one was safe. But I've since disabled that and it still happens.

It seems to me that it is some change since 6.0.3 that is causing it, rather than something else on my system, but I don't know that for a fact. It seems to happen most when I have been away from the PC for a while and left Tor open. I come back to find Tor needs to be restarted. This never happened for me prior to v 6.0.3.

August 19, 2016

In reply to gk

Permalink

Not OP, but on GNU/Linux TB is a frequent victim of OOM-killer, an unfortunate kernel feature, triggered by a random memory leak.

August 16, 2016

Permalink

После обновления TOR перестал работать. Помогает только новая установка. Если после новой установки в файл TORRC добавить настройки для создания реле, TOR снова перестаёт работать, приходится снова устанавливать заново.

August 17, 2016

In reply to gk

Permalink

У меня даже после установки чистой версии Tor Browser 6.0.4 работает хорошо пока в файл torrc не добавлю строки:

ORPort 443
Exitpolicy reject *:*
Nickname ididntedittheconfig
ContactInfo human@...

после этого TOR перестаёт работать. Появляется всплывающее окно "Управляющий сервер ненайден"

August 17, 2016

Permalink

Is there a Tor option to NOT automatically download and install new versions? I wouldn't mind an announcement that a new version is available, but I would like to make the installation decision myself.

Yes, me as well - especially, since sometimes there are problems with specific options set (like Javascript in specific applications) or problems with access to my Hushmail, like today,

go into options (windows) or preferences (linux) or paste this url address
about:preferences#advanced
click "Updates" in top row

see on this page http://www.ghacks.net/2015/07/13/what-you-need-to-do-if-firefox-is-not-…

update settings shown in this image
http://www.ghacks.net/wp-content/uploads/2015/07/firefox-automatic-upda…

i have only the second dot enabled
"Check for updates, but let me choose whether to install them."

for me, TBB is obeying this setting as firefox does.

August 17, 2016

Permalink

Hey, what's this? Can't get to my Hushmail account via Tor, from Firefox it's possible, but I do wish to use Tor for access to my email. Please investigate ASAP!!

I don't have a Hushmail account but looking at the changelog posted above we did not change anything in the Firefox code that could cause this. Looking at the NoScript changelog 2.9.0.14 should not be the culprit either. Thus, I guess the best explanation is that Hushmail changed things on their side.

August 18, 2016

In reply to gk

Permalink

Hi Dear gk :)

Found that Hushmail is pain in the A:$$, after a period of --pause-- (not using), & when it happens that it must be re-checked --say-- for FB or twitter email Re-verification, you're blocked, Damn :)

Thus, found --real free-- that best works with Tor- NO matter what geo-location changes you log from- It is >> [geshifilter-code]https://www.vfemail.net[/geshifilter-code]

also on other topic, Would like report a bug --if it is!-- (not sure it's a bug yet) so, When many tabs are opened that might make TBB using about 1.5 gb of memory, then when that ALL are closed; Memory will not auto-decrease (say to 0.5 gb) in fact: will've to restart TBB to look more refreshed,

Any idea please to sort this out without restarting TBB!

Thank you..

Thus, found --real free-- that best works with Tor- NO matter what geo-location changes you log from- It is >> https://www.vfemail.net

Your recommendation, vfemail.net, is bad.

According to that website, it states: You will need javascript enabled to log into this site from this page.

If one wishes to use Tor with a web-based email provider, the latter should allow non-Javascript.

You might wish to try bitmessage.ch

Do you work for bitmessage? The full text you're referring to ACTUALLY says:

You will need javascript enabled to log into this site from this page.
Otherwise you can go directly to:
The Horde interface [link]
or
The new RoundCube interface [link]

LOL ,, "vfemail.net is bad" Well! it might be not that BAD but quiet NOT-good,, ;)

My recommendation was not based on "javascript enabled" or not! it was rather based on:

1- Acceptance of frequent Geo-locations changes made by TBB, which is not always 'permitted' by most famous web email providers, unless [mobile Number] is entered ;)

2- Ease and quick registration (30 sec or less) so it most used for me as (Trash mail) --not black listed-- ,, websites wont see it "black-listed" like Ex: TRASHMAIL.com

3- Membership never expires (situation like when a website Ex: Twitter want to re-confirm your vfemail email)

4: etc ,, etc ,,

a quite (not so-good) in vfemail ""for non-paid members"" is that it has --sometimes-- a delayed Que to SEND mail .. That doesn't matter much for me because --as said-- use for Coming "confirmations" ..

Finally, "bitmessage.ch" on a fast glance might look GREAT, but not tested by me yet,, Wishing it could pass the above: 1's 2's & (3's: can see that website stated: Account is not deleted if inactive)

Thanks for your contribution and thanks again to our-dual BrainStorming that showed-up nice results :)

If you could use your webmail only by allowing scripts you must have been trusting hushmail greatly. If you are using hushmail by thunderbird/icedove with tor-birdy installed and now you can not reach the server this you need to clarify.

a different privacy topic.
Advice I have read says:
you should never access any same account in both tor and in a "plain net" browser.
so
- have a hushmail account you access only by tor
- and can have another hushmail account accessed otherwise.

"you should never access any same account in both tor and in a "plain net" browser."

Shouldn't that be obvious? I mean, if someone logs into an account with their real IP, then it's pretty much game over, isn't it?

I wish it was obvious to everyone too, but it's not.

Most people don't even realise that their computers/routers get assigned an Internet Protocol Address upon connection to the internet. It all seems like magic to them.

Arther C Clarke once wrote: "Any sufficiently advanced technology is indistinguishable from magic."

For many, this is actually the case for computers and the internet. This is why privacy also requires being asked to change computer and internet habits too.

August 17, 2016

Permalink

Hello Folks: I would like to know your point of view, about using additional - Privacy and Security related add-ons, such as: Calomel SSL Validation, No resource uri leak, Self Destructing Cookies, Privacy Badger, uBlock Origin, Random Agent Spoofer, Decentraleyes and Blue Hell Firewall. Such add-ons are kind of first-class Citizens wherever I have Firefox installed. But I was wondering if they could interfere while using the Tor Browser. Thanks for your time.

Any/all add-ons pose another potential security risk. In other words, the more you install the more at risk you are that one of them may be phoning home all your browsing activity etc. Additionally, your unique combination of installed add-ons can potentially be probed by sites in order to track you. Using the default TBB with no additional add-ons is the best way to blend in with the crowd.
Some of the ones in your list seem redundant with the add-ons/configuration provided in TBB. For example, HTTPS Everywhere and Noscript are included and cookies are automatically deleted every session by default.

August 17, 2016

Permalink

ok

August 17, 2016

Permalink

any one else struggling to connect? keep getting "could not connect to tor control port" had this issue since i have updated, i have not changed any setting. anyone able to help?

August 17, 2016

Permalink

help

August 20, 2016

In reply to by Anonymous (not verified)

Permalink

I am on it

August 17, 2016

Permalink

Is is possible to prevent the automatic update untill I'm ready to engage the new version?
thanks

If a failed version should appear for a certain OS such as Linux, Mac OS or windows you can't use TOr as it will force the update to the version that may not run as expected/ This is why the user should have the ability to decide when to upgrade

August 17, 2016

Permalink

something weird happened after i update to last version by update manager tor won't open at all!! Linux Mint 18 Sarah.

What do you mean with "update manager"? Do you get an error message? If you open a terminal and change the directory to tor-browser_en-US (assuming you are using the en-US bundle) and start Tor Browser by "./start-tor-browser.desktop --debug" (without quotation marks) do you get any log output in your terminal which would help explain things?

August 17, 2016

Permalink

I line very much TOR browser. But lately it is working very slow. Please give me solution (if any).

August 18, 2016

Permalink

Many had said it and i´ll agree, please notify updates don´t make the browser inactive, lost a loot of info and documents for the documentary.

Ps By saying that, don´t mean I´m not grateful to TOR and the project but that is just a thing Goggle would do did not expect it from U.
Ty for update

Working as intended I'm not sure why the author of that thinks it's a problem when, "Not keeping data in the app bundle" is part of what is required to get Gatekeeper code signing working on OSX, and volatile data needs to go somewhere.

August 18, 2016

Permalink

Any plans to enhance the circuit visualizer/controller in torbutton? Only shows circuit for main domain of site you are accessing, but many websites do cross-domain requests - I realize this would require the extension monitoring requests locally - unsure whether this could be implemented securely - but some ad blockers do the same thing. It would be good to know which circuits are used by the cross-domain requests in a given tab and be able to request a new tor circuit for each of these domains.

Example:

URL domain: google.com

Torbutton shows:

Tor circuit for this site: google.com

This browser
Node1
Node2
Node3
Internet

google.com also connects to the domain gstatic.com which tor will do using a different circuit. However, torbutton does not display this other circuit.

I think you are misunderstanding how Tor Browser is working. The circuit visualizer is showing you which circuit is used for the domain in the URL bar and *all* other requests related to it (be them third or first party ones). That's the idea behind isolating everything to the URL bar domain which is one of our core ideas behind the Tor Browser design.

August 18, 2016

Permalink

I cannot open flash videos, Please note that I've already updated my flash adobe but still there is a massage appear saying that update your flash adobe every time. Please help

Flash and Tor Browser shouldn't be used together. If you must use Flash with tor you need a solution like Whonix where everything is sent through tor including Flash.

If you open a terminal and change the directory to tor-browser_en-US (assuming you are using the en-US bundle) and start Tor Browser by "./start-tor-browser.desktop --debug" (without quotation marks) do you get any log output in your terminal which would help explain things?

August 19, 2016

Permalink

hello,
since i migrate to the new version this tuesday , i can t no longer surf on the web because it takes a too long time before i can connect to sites. i used Tor since a long time and it is the first time that i got this problem
annie

August 19, 2016

Permalink

Hello
I have both a Imac and a Windows based laptop. There are no issues with running TOR on the Imac. The latest version on it runs flawlessly and I expect the latest one to do as well. However, not so with my Windows laptop, which is running Windows 10.
When I downloaded the 6.0.2 version and installed it would quit, as the warning said - unexpectedly. I assumed it was a fluke happening until I attempted many times afterwards with same result. Thinking that the problem was isolated to .02, I downloaded .04 with like results. ???
I am not to technical oriented so if you have a suggestion please keep it as simple as possible. Lol. I am running my laptop clean with no virus or malware programs installed or running. No problem with previous versions.
Help.

August 19, 2016

Permalink

hello all
i am used tor since a long time , but just
after the install of the last version , the access to all sites became very very slow and this speed can t allow to use tor any longer . what is the matter please ?

August 19, 2016

Permalink

ok

August 19, 2016

Permalink

Is it the case now that no pluggable transports are supported, or simply that no bridges are being provided?

August 25, 2016

In reply to gk

Permalink

Anon may have been referring to something I noticed as well, that no bridges of any kind were being offered by the bridges server for about two weeks. (And the only ones I have been seeing since it's been repopulated are ones I'd marked some time back as stale/nonresponsive but of course some recycling is to be expected.)

August 19, 2016

Permalink

hmmm what to say......... well im pretty much brand new to tor ive read and read as much as i can but tbh im simply not a computer wiz and im getting tired of reading one thing and then i find another that seems to be completely different and it doesnt bloody help that i dont even know for sure what TBB stands for basically im as n00b as they come lol but i want to check if anyone has some valuable information they would like to share with me maybe links to great websites to start learning i just need a secure foundation to start research ive just spent too long getting lost in the maze of the world wide web

i love tor btw i was gonna list all the things i love but i dont have time need sleep
anyway thank you so much for all the hard work and thanks in advance to anyone that helps me ;)

August 20, 2016

Permalink

Sweden government and swedish police are acting very similar to Stasi and old DDR... Its terrifying, I am greatful for TBB. Thank you.

August 20, 2016

Permalink

Had this experience with the new Tor Browser.

The page https://check.torproject.org/ showed
"Sorry. You are not using Tor. Your IP address appears to be: 177.154.145.102"

Tor button showed me my exit node "Ukraine (185.61.138.124)".

There are two exit nodes on this IP:
$BAD729D970BB21759E9A8BA655416C23CFF9535C
$2F270CA7AC30F4C3F243E785822A519C9793F4AE

I am neither in Brazil nor do I use a VPN.

August 22, 2016

In reply to gk

Permalink

I see a difference. One user on the linked page pointed out that the IP in question there appears to be a Tor relay - just not showing up on the default check.torproject.org query.
Whereas in this instance I could not find the IP 177.154.145.102 being related to the Tor network.

August 20, 2016

Permalink

CHASE
USING TOR BROWSER

You need to upgrade your browser to access your accounts and statements.

A newer browser will help make your chase.com experience even better, and
help keep your accounts and personal information secure.

Download a new version of your favorite browser here:

Internet Explorer > (download the latest version.) (Opens Overlay)

Firefox > (download the latest version) (Opens Overlay)

Chrome > (download the lastest version) (Opens Overlay)

Safari > (download the lastest version) (Opens Overlay)

You can also access your accounts and statements from your tablet, mobile device or the Chase Mobile® App Footnote 1 (Opens Overlay). If you have questions, contact us.

Some sites always say this simply because Javascript is disabled. Check if that was the case for you, and use NoScript's options to whitelist the relevant sites.

OK, but I thought since TBB sets the user agent to the very generic "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0" those sites would even see that.

August 21, 2016

Permalink

ADD LAST SOME GUYS WHO ARE DOING SOMETHING USEFULL ON THE NET OTHER THEN SEND SPAM Thanks boys and girls GREAT work !!

August 21, 2016

Permalink

This update removed the ability for users to manage cookies, probably because you went to Mozilla 44.

Since you can no longer select "Ask me every time" regarding cookie policy you now have to chose between accepting no cookies at all, meaning logging in to any site is broken, or letting every tracking cookie on the net (except third party) crawl all over you browser.

You really shouldn't have done this without vetting a cookie manager and bundling it with the browser. It's not acceptable that a privacy suite should be broken in such a fundamental area without the user first of all noticing the problem and then also managing to find a manager that is safe to use.

TB has to update to newer versions of Firefox on occasion because unsupported older versions don't get bug fixes for anything, including serious security vulnerabilities. It would be great if the Tor Project could fork Firefox and go its own way; even better might be a new browser designed from the ground up to work with Tor. However, The Tor Project doesn't have anywhere near the resources required support every part of a browser. It's a (relatively) small organization with a small number of staff, compared to the hundreds of people Mozilla/Google/Microsoft have dedicated to browser development.

NOTE: I accidentally deleted a blog post containing a criticism about me just pointing to the design document instead of mentioning the things I wanted to mention directly. I am sorry about that. Furthermore it noted that managing cookies should work nevertheless.

I agree with the latter. And it might indeed be the case that cookies managing broke for some reason while moving to ESR45. In that case filing a bug in our bug tracker (https://trac.torproject.org) mentioning steps to reproduce the problem would be a good thing.

I gave the pointer to the design document as Tor Browser is currently only concerned with cross-origin tracking. Which means we don't rely on managing first party cookies for achieving privacy goals and third party cookies are at the moment disabled (until we get them keyed to the URL bar domain). Hope this helps.

August 21, 2016

Permalink

It has been many days perhaps coinciding with this release of TBB v6.0.4? since torproject ceased offering bridges for pluggable transports. Maybe admin can't speak directly to why that is (I have found no mention, and discussions are either being deleted or are failing to be approved for comment) but if one is needing to be circumspect about it, is there any acknowledgement possible, of the fact that it can't be addressed right now? If the project were in receipt of (another) FISA letter, it could not by law be revealed but, lacking any discussion it ought to be noted that speculation about such a letter will persist. Or, is there a simple technical reason why pluggable transports aren't being supported? This contradicts release notes.

August 26, 2016

In reply to gk

Permalink

what are torproject's plans with later versions of firefox in future torbrowser updates given e10s/move to web extensions and the plethora of new attack surfaces (features), trackable by default config options mozilla seem to be adding to their future browser releases?

Our plan has not changed: we follow Mozilla, trying to get as many patches upstreamed as possible while making sure the new features/default config options are no harm for our users. If so, we patch them to our needs.

August 22, 2016

Permalink

Considering Disconnect.me search is not working with google and just redirects to duckduckgo, is there a reason why TB is using disconnect.me instead of duckduckgo as the main search engine?

Well, we hoped they got back access to Google search results but that does not seem to be the case. We have made the switch to DuckDuckGo in the alphas to test it and assuming it sticks the next major stable update will have it, too.

August 28, 2016

In reply to gk

Permalink

Instead of Disconnect.me or DDGo,
* why not include Searx?
Is it because Searx has many instances, and we can’t all use the same instance (same server)?
* why not include Lite Qwant?
DDGo doesn’t seem very trustworthy in terms of privacy — what they say may not be the whole truth.
As for Disconnect, their extension for FF is totally lame IMHO, so why should we trust them with a search engine safe from Google’s spying.

August 22, 2016

Permalink

On windows, 6.0.3 connects fine, however 6.0.4 doesn't. Installed 6.0.4 in a fresh directory, still "could not connect to control port". Shut down, open 6.0.3, connects fine. No firewall. Weird. Disabling automatic updates for now.

August 24, 2016

In reply to gk

Permalink

No other tor instance running when opening another. I close 6.0.3 to open 6.0.4. Running anti-virus, but no logs or notices about tor. Would the AV like 6.0.3 and not 6.0.4?

August 29, 2016

In reply to gk

Permalink

Not the OP but I experienced the same problem (6.0.3 works but 6.0.4 can't connect) and I do not have any other Tor instances running.

I wonder whether you have some antivirus/firewall software running that might not like the new Tor? Could you uninstall it for testing purposes (disabling is often not enough)?

August 22, 2016

Permalink

If it updates from 5.0.4 , Bangla font is not showing. That's why I had to reinstall 5.0.4 frequently. Is there any solution ?

August 23, 2016

Permalink

Runnig the TOR browser on a Mac OS Yosemite. If I reinstall TOR after a connection is established and TOR browser is closed I get the message "A newer item named “TorBrowser.app” already exists in this location. Do you want to replace it with the older one you’re moving?" Even though the version is the latest 6.04 Aug-23-2016.

August 29, 2016

In reply to gk

Permalink

Whether I launch the TOR browser or not the latestest version of TOR reports a newer version exists when reinstalled even though 6.04 is the latest version. It appears the version value has been changed so when I try to install the same TOR version again the installer sees it as a newer version.

August 23, 2016

Permalink

Is the tor software built with some sort of protection that will stop data from being transmitted when the internet connection suddenly breaks? Or when Tor browser suddenly needs to close sue to error?

August 24, 2016

Permalink

Is there anywhere we can find an accurate list of who runs a particular node?

According to https://www.browserleaks.com/whois 163.172.29.81 is run by the British Customs and Excise authorities!!!

According to http://torstatus.blutmagie.de/ it is run by tomhek.net.

It seems highly unlikely that a government which delights in spying on its people would support TOR.

I have also found a TOR node, which according to the same web-site, is run by the British Employment authorities!

Is there ANY site with accurate, VERIFIED information?

Any information gratefully received.

Thanks

This is such a silly post. You sound like the Boys from Lagos.

There are no such things as "the British Customs and Excise authorities" or "the British Employment authorities". There is the UK's Her Majesty's Revenue and Customs (HMRC), or the UK's Department of Works and Pensions (DWP).

What exact terms did browserleaks.com report, and why couldn't you accurately paste them into your comment?

"It seems highly unlikely that a government which delights in spying on its people would support TOR."

Also, if you think Tor is compromised, why are you asking here for "ANY site with accurate, VERIFIED information"? You might as well go home with Windows 10 under your arm.

How could there be, given that anyone can run a node? Also, a large part of Tor's funding comes straight from the US government. Governments aren't monolithic bodies; different parts have different goals and frequently come into conflict. To be honest, you probably have less to worry about governments running nodes and more in them spying on nodes run by third parties. The Tor Project specifically says that it's probably ineffective against a global adversary. That means that it'll probably only slow down the Five Eyes.

I've just checked https://www.browserleaks.com/whois. I find the information presented, whether accurate or not, is precise and detailed. Is there a reason why you couldn't have copied 'n' pasted the actual strings you saw? Were they against "Organization, or something else?

You see, there're no such things as "the British Customs and Excise authorities" or "the British Employment authorities". Those would be "Her Majesty's Customs and Revenue" or the "Department of Works and Pensions".

Perhaps if you were less vague in writing what you saw. Did you keep a complete record?

"Is this supposed to be an answer to my quesion?"

You expect an authentic answer, but we can't tell between a genuine spoof and your vagueness. Perhaps what you saw was a Tor relay runner spoofing "Organization" to protect their confidentiality. Do you think it's a good idea to make Tor relay runners fully identify themselves to you?

What is wrong with https://torstatus.blutmagie.de or https://atlas.torproject.org, anyway?

August 24, 2016

Permalink

My question is: does this version remove CNNIC certificate?
Cause firefox and chrome have revoked CNNIC certificate last year, so I am thinking that if it is possible for Tor to remove it. Thanks

August 24, 2016

Permalink

There seems to be a memory leak on win7 with both 6.0.3 and 6.0.4, can someone confirm this?

Tor Browser is built on Firefox, and therefore it can only run where Firefox can run. Windows 8(.1) on Arm processors has a significantly limited API that the Firefox devs gave up on as the browser would be unusably slow.

August 25, 2016

Permalink

How can we move an installed Tor Browser to a new drive letter and location under Windows without losing all of our bookmarks?

You should be able to.
Bookmarks are in places.sqlite file in profile folder, as with firefox.
((folder))\Browser\TorBrowser\Data\Browser\profile.default\places.sqlite

To be safe, open bookmarks manager ctrl+shift+b
from menu, export bookmarks to html
from same menu, backup (to a .json file with date in filename, bookmarks-2016-08-30.json)

August 25, 2016

Permalink

From Ksysguard network history I can see the tbb making internet traffic even offline mode turned on unless you close tbb. What does it mean?

It's not possible as tbb doesn't make any internet traffic, by design. You probably meant tor.exe? I haven't tested offline mode in tbb, why would you need one? But yes it should work if there is such feature in firefox.
As a temporary solution instead of clicking offline mode you can suspend (pause) tor.exe

August 26, 2016

Permalink

Does TOR interfere with the files for a normal firefox version 48.01? I noticed on my Mac OS TOR sha256 e37826e4501e95f99029e1c9187c498cc9d1f5735384b37c7f5ae0d52dd3d326 that my Firefox reverted some how to duckduckgo search.

August 27, 2016

Permalink

Secure Connection Failed (always)
$DF3EEDE3CEBA425940F82E4C2268F4E4015C3010~TORminion BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2016-08-27 SOCKS_USERNAME="bug1259785.bmoattachments.org"
>> 650 STREAM 1216 CLOSED 115 63.245.215.122:443 REASON=END REMOTE_REASON=DONE
Exit, BMO or TBB?

August 28, 2016

Permalink

Why don't you replace the globe icon to the onion icon? It looks much more better and professional.

August 29, 2016

Permalink

When will I be able to select a word on a page and right click search it? Now noscript always thinks it's an xss attempt.

August 30, 2016

In reply to gk

Permalink

I don't experience that bug. tbb 6.0.4 windows vista x64

I don't get that warning when disconnect is torbrowsre default searchengine and I context click search some text on page.
I also have no disconnect in noscript options as suggested in first reply in trac bug:
"add a pattern like ^https://search.disconnect.me/[^"<>]+$ to NoScript (Advanced -> XSS)."

September 01, 2016

Permalink

Hello TorBrowser team,

Many thanks for TB :-)

Your "canvas add-on" is great. I don’t seem to find it among Firefox Add-ons. On Firefox, I use Canvas Blocker, which isn’t as simple and elegant as your solution.

However, the Canvas Defender team (another FF-add-on) claims that blocking canvas fingerprinting is useless and counterproductive. Not very convincing, what do you think?

I think they meant that if 0-4% of firefox users will use the blocker, it will fingerprint them as most people don't use it. And if some other people will use other addon, it will be another fingerprint.

But in case of TBB it's not an issue because all TBB users will use this addon (will be bundled). Maybe there is small drawback because Firefox ESR users won't use it, but I don't now how many users does FF ESR have compared to TBB users.
But no, actually, firefox ESR users can be differentiated from TBB users by the fact that only latter use Tor nodes/ip. So it doesn't matter and there is no drawback in using canvas addon bundled in tbb.

Blocking canvas is an identifier, yes. However, Tor doesn't hide the fact that you're using it either. Tor Browser doesn't stop you from having a fingerprint; it simply makes your fingerprint identical to all other users of Tor Browser (that have the same security slider settings, more or less.) Canvas blocking is part of the fingerprint of Tor Browser; at most, all canvas blocking does is make it clear you're using Tor Browser as opposed to Firefox ESR through tor. Canvas Defender might make a good argument for not blocking the canvas for non-tor browsing, but in terms of the threat models Tor Browser is designed to combat it isn't that relevant.

September 01, 2016

Permalink

Can only obtain 1 OBFS4 bridge a day and the bridge repeats on the 3rd day.

September 06, 2016

Permalink

Ever since I've installed TBB 6.0.4 the entry node changes more often than previously.
I've read the entry was supposed to be the same for months but if I use TBB for several hours, there's a point when I've got a new entry node, and then another one. About 2 or 3 different entry nodes.
However, when I restart TBB the same "normal" guard node is back.

It's a bug?

October 10, 2016

Permalink

HI. Please, The Ubuntu and Debian versions from TOR Repository, Are these .deb files, How I can download them?

November 17, 2016

Permalink

Mt tor now sits at "Loading network stauts" with about a 40% green bar. has been there for an hour now. Only happened after update

note: i also have gotten a new router i the past week, could that be it??