Tor Browser 6.0.7 is released

by gk | November 30, 2016

Tor Browser 6.0.7 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2).

The security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though, to the best of our knowledge, no similar exploit is currently available for OS X or Linux users, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

We will have alpha and hardened Tor Browser updates out shortly. In the meantime, users of these series can mitigate the security flaw in at least two ways:

1) Set the security slider to "High", as this prevents the exploit from working.
2) Switch to the stable series until updates for alpha and hardened are available, too.

Here is the full changelog since 6.0.6:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2

Update: We would like to remind everyone that we (The Tor Project) are having our 2016 fundraising campaign! Donate today!

Comments

Please note that the comment area below has been archived.

November 30, 2016

Could you explain where to find the security slider bar? I went into options, security but didn't see a slider bar. Thank you

Click on the green onion, choose "Privacy and Security Settings", and you should see the security slider.

There's also a little line that appears on the very first launch of Tor Browser, saying something like "Hey there's a security slider, check it out!"

So the browser auto-updated on me and now when I start the Tor app it takes me to the bare-bones Firefox browser and won't let me connect to .onion sites.... Any ideas?

Hm... this is weird. On which operating system did this happen? Do you know from which version you updated? Did you have your Tor Browser modified? Anyway, it seems a safe bet is to download a fresh copy from our website: https://www.torproject.org/download/download-easy.html.en. Still puzzling as you are the only one reporting this so far.

EDIT: Before you delete the non-functioning Tor Browser, could you make a copy of it, pack it up, and maybe make it available somewhere to us for further inspection? I'd be very interested to understand what went wrong in your case.

December 02, 2016

In reply to gk

and remember to save bookmarks.
copy them into the fresh tor "install"

November 30, 2016

Thank you for all the great work.
Please don't take this as a complaint; is there any kind of a rough estimate on the general timeframe for Orfox to get this update on F-Droid, or is the vulnerability desktop only?
Keep fighting censorship and oppression, this world is going to hell in a handbasket and Tor is the only beacon of hope for citizens of totalitarian dictatorships.

i agree with your point..

My point would be there should be at least an RSS feed or the sort which we can subscribe to that lets us know if any Tor-friendly software outside the Tor Project has been updated for whatever reason.

November 30, 2016

Would this exploit work even on Selfrando? What about with the sandboxed Tor Browser by the end of this year?

> What about with the sandboxed Tor Browser by the end of this year?

It would probably crash the browser, because preventing crashes isn't something the sandbox is supposed to do.

However, assuming there was a Linux payload, it would need to be a lot more sophisticated than "get the IP address, and phone home" because the sandbox that firefox has, doesn't have an IP address, or a direct connection to the internet.

November 30, 2016

In reply to yawning

Does the sandboxed Tor Browser have access to Tor's ControlPort?

Sort of. It talks to a surrogate service that looks enough like the control port for the various things that need the control port to work. Depending on how the sandbox is configured (up to the user) this can be either "the absolute minimum for browsing and New Identity to work" or "also enable the Circuit Display".

Even when the Circuit Display is enabled, Tor Browser only sees circuit/stream information for the circuits/streams it created. If you are scared of the firefox process knowing the IP of your Guard or Bridge(s), people shouldn't enable the Circuit Display, when using the Linux sandbox.

December 01, 2016

In reply to yawning

Can't New Identity work without the ControlPort, by just changing the socks credentials?

Firefox knowing what the guard is seems like a very bad idea. Wouldn't it be prudent to assume that actors like the FBI can access "metadata" like who was connected to what guard when, at least for some guards and users if not all of us?

As nice as the Tor Button circuit display is, I think it really needs to be in a different application. Expecting users to be able to make an informed decision about whether to allow Firefox to identify their guard seems reckless.

No. It's not enough to just change the socks auth because there's a bunch of state that gets flushed internally in the tor process when New Identity happens.

December 06, 2016

In reply to yawning

@yawning
Is it possible to make stock Tor Browser only need newnym, as in TAILS?
Then it's as easy as installing a filter for the control port without having to recompile Tor Browser.
Even better still if Tor Browser could drop privileges itself, e.g. by using a builtin filter and somehow making it harder for shellcode to load the unfiltered library (zero out the address to dlopen once the browser is done starting?), or if the Tor control port only had newnym enabled by default, or came with one control port for dangerous stuff and one that doesn't need to be protected (and Tor Browser used the latter).

Basically, there are tons of solutions with various tradeoffs. Are any being considered?

It depends?

There's no technical reason why this would be impossible (I ran Tor Browser against a filtered control port for a while before working on the sandboxing stuff), but it would require extra code to get it to play nice if Tor Browser is the app that launches the tor daemon (standard usage).

As far as I know, no one is working on such a thing in a context other than "when sandboxed".
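The kind of control-port filter discussed in this thread, sketched as an added example; it is not part of the original comments and is not the code of Tor Browser, the Linux sandbox or Tails. The allowlist (only `SIGNAL NEWNYM` reaches tor), the `510` reply text, the function names and the `tor_auth_line` parameter are assumptions made for the illustration.

```python
"""Allowlist filter for Tor control-port commands (added illustration)."""
import asyncio

# Assumed policy: SIGNAL NEWNYM is the only command that ever reaches tor.
ALLOWED_SIGNALS = {"NEWNYM"}
OK = b"250 OK\r\n"
FILTERED = b"510 Command filtered\r\n"   # reply text chosen for this example
CLOSING = b"250 closing connection\r\n"


def decide(line: bytes):
    """Classify one client line.

    Returns (action, payload):
      ("forward", bytes) - canonical command to send to the real control port
      ("reply", bytes)   - answered locally, tor never sees the line
      ("close", bytes)   - answered locally, then the client is dropped
    """
    text = line.decode("ascii", errors="replace").strip()
    if not text:
        return ("reply", FILTERED)
    # A leading '+' starts a multi-line data command (e.g. +LOADCONF).
    # Drop the client so its body lines are never parsed as commands.
    if text[0] == "+":
        return ("close", FILTERED)
    parts = text.split()
    cmd = parts[0].upper()
    args = [a.upper() for a in parts[1:]]
    if cmd == "AUTHENTICATE":
        # The filter holds the real credential; the client only gets "OK".
        return ("reply", OK)
    if cmd == "SIGNAL" and len(args) == 1 and args[0] in ALLOWED_SIGNALS:
        # Rebuild the line instead of relaying client bytes verbatim.
        return ("forward", b"SIGNAL " + args[0].encode("ascii") + b"\r\n")
    if cmd == "QUIT":
        return ("close", CLOSING)
    return ("reply", FILTERED)


async def handle_client(reader, writer, tor_host, tor_port, tor_auth_line):
    """Relay one client through decide(); tor_auth_line is the filter's own
    AUTHENTICATE command for the real control port (supplied by the caller)."""
    try:
        tor_r, tor_w = await asyncio.open_connection(tor_host, tor_port)
    except OSError:
        writer.close()
        return
    try:
        tor_w.write(tor_auth_line)
        await tor_w.drain()
        if not (await tor_r.readline()).startswith(b"250"):
            return
        while True:
            line = await reader.readline()
            if not line:
                break
            action, payload = decide(line)
            if action == "forward":
                tor_w.write(payload)
                await tor_w.drain()
                # SIGNAL gets a single-line reply; events are never enabled
                # because SETEVENTS is filtered.
                payload = await tor_r.readline()
            writer.write(payload)
            await writer.drain()
            if action == "close":
                break
    finally:
        tor_w.close()
        writer.close()


async def serve(listen_port, tor_host, tor_port, tor_auth_line):
    """Listen on localhost and filter every client connection."""
    async def on_client(reader, writer):
        await handle_client(reader, writer, tor_host, tor_port, tor_auth_line)
    server = await asyncio.start_server(on_client, "127.0.0.1", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    # Constructed sample session; no tor process is needed for this part.
    for sample in (b"AUTHENTICATE\r\n", b"signal newnym\r\n",
                   b"GETINFO address\r\n", b"SETEVENTS CIRC STREAM\r\n",
                   b"+LOADCONF\r\n"):
        print(sample, "->", decide(sample))
```

With this policy the browser process can still trigger New Identity, while queries such as `GETINFO` and event subscriptions never reach tor.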

...it was "likely" used to target visitors of a dark web child pornography site, Motherboard has found

In other words, Vice is once again doing their job as a controlled opposition to put the awakening masses back to sleep so TPTB can exploit them unsuspected.

Micah Lee (EFF and FOTP) tweeted earlier today at twitter.com/Snowden about a possible cyberattack on Riseup, which is an essential part of Tails ecosystem and helps social justice activists and environmentalists all over the world. This may well be related to the exploit just fixed by TBB 6.0.7

More details should be forthcoming from Riseup.

[Moderator please pass this comment]

Actually, it is likely being used to target bloggers, journalists, union organizers, social justice organizers, technologists, and political dissidents in various nations including USA.

[Moderator: please pass this comment]

> i like the exploit! it goes after childpron users! https://motherboard.vice.com/read/tor-browser-zero-day-exploit-targeted…

You may agree with the sentiments expressed by a commentator in Shari's blog (see her post about the current fundraising drive). I have not been permitted to respond in her blog, but I'd like to try to respond to that commentator here:

You write:

> humanity is based on greed, money, and power.

Following the definition of Herodotus, "History" has too often been taken to mean "the narrative of major national-scale events". (Actually, Herodotus went even further than that: he defined history as the narrative of wars fought by the Greek city states!) Put another way: some would confine history to the study of the (mostly unintended) consequences of decisions taken by political/economic/military leaders. But I hope you will seek out and read a wonderful book which takes a very different view: Howard Zinn, A People's History of the United States, HarperCollins, 1999.

Whenever I meet new people, I am always impressed anew by the fact that--- despite the poor impression of humanity which one might receive from reading mainstream news--- most people sincerely want very much to do good deeds. Many people--- especially the often young and idealistic breed known as "student activists"--- are motivated more by the desire to leave the world the better place than they found it than by naked greed or self-interest, and they are eager to work long and hard to achieve their goals. Zinn's magnificent history offers readers the chance to appreciate how history can be viewed as a struggle between ordinary people and the bosses and political leaders, who too often feel that might (which they possess) makes them right. And too often, those with wealth look enviously upward, rather than looking downward and resolving to help those with far less resources of wealth and power than they themselves enjoy.

To some extent these contrasting world views could be taken as reflecting the distinction between the socialist outlook exemplified by Howard Zinn and Sen. Bernie Sanders, and the libertarian outlook exemplified by the novels of the Russian exile Ayn Rand and the politics of certain Trump advisors.

> Those with money become hungry for power influenced by greed.

The contemporaries of Herodotus, living in a society which all too often executed its leading intellectuals (e.g. Socrates) for becoming too successful in their criticism of the government, ardently discussed very similar propositions. Later, the Romans taught politicians how to exploit "history" as propaganda (c.f. Julius Caesar's self-serving books describing in detail his conquests). A little later, Tacitus (himself a former government official) wrote disturbing accounts of the increasing corruption among the Roman economic/political elite, and writers like Suetonius made their fortune spreading salacious stories (often based upon fact) about the bizarre and horrifying behavior of the worst Roman emperors.

> [when calls for redistribution of wealth] threatens those with power (Governmental agencies, political powers, evil corporations, etc.) then they will try to evade or destroy the attempts of the redistribution.

Indeed, you might be interested in the dismal history of such episodes as the Pugachev rebellion (against Catherine, Empress of all the Russias), the Haitian revolution, the Cuban revolution, and a host of ongoing perpetual struggles in Latin America, Asia, and Africa which center around demands for redistribution of land, money, and democratization of political decision making.

You say you believe that

> [law] enforcement agencies should have the capabilities to source data to monitor illegal activities (ex. a suspected child molester, etc.

The devil, as always in complex societies, is in the details you left out.

What does it mean to say that X is a "suspected child molester"? Does anyone who uses Tor qualify? US AAG Leslie Caldwell--- whom we have learned is a "she" not a "he" as we mistakenly pronominalized her in a comment elsewhere in this blog--- seems to argue in her DOJ blog calling for Congress to let the changes to Rule 41 go through at midnight 1 Dec 2016, that the answer is "yes" [sic].

What does it mean to say that Y is a "suspected extremist". Does anyone who is a member of Riseup qualify? According to at least one judge in Spain, the answer is apparently "yes" [sic].

What does it mean to say that Z is "suspected of potential future radicalism"? According to CVE programs being implemented in all the "democratic" "Western" nations, most notably in the US, the answer is apparently "every schoolchild", or even "every citizen".

Once LEAs start down the slippery slope towards considering that they are "justified" [sic] in regarding every citizen as constantly under suspicion of *everything*, on the theory that everyone must have a positive probability (however tiny) of performing some misdeed at some point in their lives, they will wreak havoc on the lives of millions of ordinary citizens who not only are not reasonably suspected of having "done something wrong", far less reasonably suspected of having committed some heinous crime, but who would never have come close to doing anything terribly wrong if the government had simply left them in peace.

We are entering into a century which seems certain to see millions of citizens locked up in "preventative detention camps". Failing empires have had resort to such measures before. The British locked up most of the civilian population of the Boer states during the Boer wars, where many of them died of starvation or disease. In earlier centuries, the USG locked up entire First American tribes on the theory promulgated by Gen. Sheridan, that "the only good Indian is a dead Indian", and indeed a large percentage of those locked up in American concentration camps died. During WWII, the USG again locked up millions of US citizens of Japanese ancestry in concentration camps because officials decided they were all *potential* "spies".

Close advisors of Donald Trump have cited these dismal examples as justification for their stated intention to do the same thing to Muslim Americans, Mexican Americans, Socialists (supporters of Bernie Sanders), and maybe even Democrats (supporters of Hillary Clinton). Or at least, their stated intention to seriously discuss doing such things. What a tragedy for America. What a terrible example for the entire world, at a time when all the world's governments seem to be turning in unison to the worst kind of authoritarianism, the kind tinged with the sort of ethnic hatreds which have historically always led to state-sponsored genocides.

> This data collection should be against the law when it does in fact breech my privacy. Just because I look at camera's on google doesn't mean that I should be receiving advertisements about it for the next week and a half on 90% of the non-camera webpages that I visit.

Julia Angwin's book Dragnet Nation, which I also recommend, focuses on this kind of invasion of privacy. But however awful Google and Comcast are or may yet become, it seems unlikely that they will be kicking down doors, tossing grenades at infants, or dragging wailing citizens off to labor camps for "political re-education" by slave labor.

Tor users are generally far more concerned with invasions of privacy by government agencies such as GCHQ/SCA, NSA/FBI/NCTC, because these dragnets are the ones which construct what NSA whistle-blower William Binney memorably described as "turnkey fascism". And with the election of Donald Trump, many frightened citizens all over the world--- and, ironically, many leaders of the USIC--- fear that prediction, which most people long dismissed as "paranoid fantasy", has come to pass.

I think the best way to understand why civil libertarians are so horrified by the prospect of state-sponsored dragnets feeding CVE programs is to study in detail the original documents from the Snowden leaks, some of which are collected here:

https://www.eff.org/nsa-spying/nsadocs

(It's a big job because there are many acronyms to learn and many puzzle pieces to fit together, but like anything with a steep learning curve, once you get into this at some point your progress will become much more rapid.)

You suggest that we who warn of the horrors to come in America believe that "everyone is out to get us" [sic]. No, we are warning that NCTC is out to get us, and we have cited the documents which explain what we mean, and confirm our claims. Don't believe it because we say it is so, believe it because (in leaked documents) NCTC explains what they intend to do to us.

You write that Americans have lost faith in the desire of their government to protect and uplift them. Indeed we have, in many cases because we ourselves have been directly targeted by state-sponsored espionage campaigns. Some of the leaked Snowden documents specifically confirm that we have been, and no doubt will continue to be, indefinitely, on the list of people to be punished with an escalating sequence of reprisals. Don't believe it because we say it is so, believe it because people giving TS/SCI talks at NSA and GCHQ headquarters said it is so. (See the EFF repository.)

If our writings at times seem to suggest that we take the struggle of The People v The Man very personally, that is because we do, because we have learned that *they* marked us down as "enemies" long before we had ever heard their names, in the lost era of innocence, in the halcyon days when we naively believed that if we lived quietly and behaved well by seeking to do right and avoiding demands by our social superiors that we do evil, we would be left in peace, because as we knew very well, we certainly are not and never were "criminals" or "evildoers". But as we have learned, simply by bearing the "wrong" color skin or adhering to the "wrong" religion or coming from the "wrong" countries, we are regarded in the halls of real American power (the USIC) as actual or potential "Enemies of the State" [sic].

The literary works of Blok, Babel, and other revolutionary writers seem strangely relevant to the experience of the masses in another land (the USA) approximately a century later, just as Russians who endured the horrors of Stalinism once took solace in the poetry of Whitman and Yevtushenko.

Come out, come out!
On this day of sorrow, the long shadow of night
Spreads over the earth.
The servile faith in our little father the czar has collapsed.
...
Look around: we're lifeless
And without fear because of your servants,
Because of the merchants and the kulaks,
Because of the squires and the industrialists.
...
The czar listened to his people without speaking,
And moved his hand...
All around, the earth was shaken by a terrible sound
And the palace square was covered by corpses:
The people fell, riddled with bullets and lead.

Katz was writing about a massacre which occurred during the 1917 revolution, but he almost could have been writing about the future history of Standing Rock, or the next big anti-Trump rally in some American city.

Dear person who writes enormous blog comments:

Please focus and stick to a particular point? Your comments end up filling the comment section so nobody can notice or find the other comments, and that turns into no fun for anybody, including those of us who are trying to make sure the comment section remains useful.

Thanks!

I found this post to be erudite, informed, educational, and provocatively valuable. Thank you so much.
COMMENT: I think the inquisitorial excesses of historical Roman Catholicism should also be highlighted, not to forget several various holocausts.
There are MANY things far worse than terrorism, drugs, and childporn. Many of the named activists fight extinction itself. And as to the "big three" above, I find each of the arguments against them to be pallid, diversionary, straw men.

Thank you again for actual informed comment.

> childpron...

... Yadda yadda yadda.

That's always the "official story" as spun by US media.

RU recently incorporated Chinese technology into their own censorship regime. Maybe they are also incorporating US technology? To target the Russian underground? (See the comment just above yours.)

Sheriff Dave Clarke of Milwaukee County is apparently with the Trump transition team and has been mentioned as a possible future FBI Director in the Trump administration. He has repeatedly claimed (in speeches and Op-Eds) that the US is in a state of "civil war" (his words), apparently meaning BLM versus American police. (In fact, BLM is a nonviolent movement opposed to homicide whether committed by police or by some other party.)

It is much more likely that FBI is using NIT to attack journalists covering the protests at Standing Rock, BLM protests, anti-Trump rallies, government corruption, etc., rather than attacking "suspected child pron producers". It is very easy for them to quietly *define* anyone who uses Tor for any reason as a "suspected child pron producer", and to attack them under that assumption. But we who use Tor every day know very well that most people who use Tor every day have nothing to do with any criminal activity--- unless you regard all opposition to some governmental policy somewhere in the world as criminal.

> [FBI NIT malware] goes after childpron users!

That's always the official FBI spin, but the most recent attack on Tor users is more likely related to the Standing Rock protests, BLM protests, and anti-Trump rallies:

https://www.washingtonpost.com/news/the-switch/wp/2016/11/30/u-s-border…
U.S. border agents stopped journalist from entry and took his phones
Andrea Peterson
30 Nov 2016

> Award-winning Canadian photojournalist Ed Ou has had plenty of scary border experiences while reporting from the Middle East for the past decade. But his most disturbing encounter was with U.S. Customs and Border Protection last month, he said. On Oct. 1, customs agents detained Ou for more than six hours and briefly confiscated his mobile phones and other reporting materials before denying him entry to the United States, according to Ou. He was on his way to cover the protest against the Dakota Access Pipeline on behalf of the Canadian Broadcast Corporation.

Imagining that this attack is a response to something in the past few weeks is misunderstanding how the government bureaucracy works. They probably went through months of paperwork and judges and so on to arrive at approval to deploy it.

That's not to say that all of those barriers actually provided appropriate checks-and-balances. But do not underestimate how many barriers they have in place before deploying something like this. :)

Are you happy when a batch of cars has defective airbags since that bug goes after people who use cars to kidnap children? Do you not care about the bug also going after drivers who don't kidnap children?

November 30, 2016

thx

November 30, 2016

I don't understand - does updating Tor to this release make the browser susceptible to exploits? Or was the previous version subject to exploit, so the update fixes it?

The update fixes the vulnerability that was present in the earlier versions. Here is more information:

http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-…
http://arstechnica.com/security/2016/11/firefox-0day-used-against-tor-u…

But I can see why you're confused, given the number of comments that almost seem to suggest the exploit was a good thing, which is really quite frightening actually. It's really sad to see the Tor community starting to buy into the FBI's FUD.

November 30, 2016

Does the exploit need JavaScript to be enabled in the browser, or can the exploit execute arbitrary JavaScript code that bypasses NoScript?

As far as we know, if you had Javascript disabled (including via Noscript), this exploit would not work on you.

There appears to be some confusion about whether the vulnerability could be exploited without Javascript on, that is, whether it is possible to write a different exploit that works even when Javascript is disabled. The last I heard from Dan Veditz was that he thought no, it shouldn't be possible for this particular Firefox bug.

That said, we've also been hearing rumors about bugs in Noscript that would let a website sneak some javascript past Noscript. So it would seem you might be in better shape putting the Tor Browser security slider to high than you are relying just on Noscript.

December 01, 2016

In reply to arma

Is it more secure to turn javascript off by disabling it in firefox about:config than just using Noscript?

Yes but be sure to set security slider to high first.
Very few people will have changed settings manually, meaning you'll stand out more if you just change JS and leave everything else on lowsec. This is why Orfox should have a security slider.
Apparently you also have to disable images, which is impossible (https://trac.torproject.org/projects/tor/ticket/20772) and nobody seems to believe that it should be possible, neither at Mozilla nor at Tor Project.

Let's say I'm using the slider at the highest position, does it make a difference if Noscript blocks the javascript or if I block it straight in the Browser?

Are there cases where Noscript (js globally disabled) could get tricked into running javascript but the browser wouldn't? (it's not about this particular exploit)

Short version; set security slider to high, and goto about:config and if javascript.enabled equals "True", then toggle it to "False".

Long version;
I don't know that but here's what I know.
If there IS a problem and NoScript gets bypassed, you're almost certainly more secure with javascript.enabled toggled off (set to "False" in about:config).

However, you might be less anonymous, because if an attack is found against NoScript and you're one of a very small number of people who manually disabled it, your browser is more fingerprintable; see https://panopticlick.eff.org

But if there's an attack that runs javascript past NoScript the javascript itself might do something far more deanonymizing than just saying "this page was viewed or post was written by one of the few people we couldn't attack"; if the attack isn't blocked it might escalate privileges and install permanent malware or send back hardware serial numbers, which will likely deanonymize you far more than being one of the few people immune to attack; there will be only ONE person with the same exact MAC address/CPU serial number/etc.

If no attack succeeds in breaking NoScript it doesn't matter if you set javascript.enabled to false or not. But NoScript gets vulnerabilities like any software. The less software that you count on working right, the safer you are.

December 01, 2016

In reply to arma

The bug is in the core SVG code in Firefox. It can be exploited even with JS disabled.

December 03, 2016

In reply to arma

So putting the Tor Browser security slider to high is doing the same technically with javascript as turning javascript off in about:config? Means it turns JS off completely as NoScript is just a whitelist that could get bypassed theoretically? Is this correct?

Thanks in advance.

If you want to be sure just max out the slider AND set javascript.enabled=false in about:config. Just remember to set it back to =true if you ever lower the slider (which should be never). If you have javascript=false with the slider on low your browser will be easier to fingerprint (see https://panopticlick.eff.org/).

November 30, 2016

Good day, does anyone here speak Spanish?
Hi, good morning, does anyone speak Spanish?
My English is very bad, very, very bad.

November 30, 2016

thanks so much for rapidly releasing this update and communicating openly with users and the community about the situation!

November 30, 2016

I have an error on Debian Stable amd64 (updating from 6.0.6)

When starting up after update, after the message "Connected to the Tor Network", a dialog appears with a title "Software Update Failed" and text:
"The update could not be installed. Please make sure the are no other copies of Firefox running and then restart Firefox to try again."

After I click "OK" main window appears normally but the version is still 6.0.6.

I don't see any other Tor Browser instances running.

For unusual things: I have ublock-origin, request-policy-continued and flashgot from addons.mozilla.org, that's all.

I will investigate further.

The Firefox updater (which is what Tor Browser uses) gets super confused when I'm out of disk space. That might be a useful hint.

But yes, it also looks like you're running a bunch of extra extensions, so those are definitely worth considering more.

Let us know what you learn!

December 01, 2016

In reply to arma

Hi arma, thanks for your suggestion. It looks like it was indeed lack of disk space (only ~60 MiB) that caused the problem. After freeing some space I tried again and this time it looked like the new version was installed correctly (previously the progress bar stopped at the beginning in the "Installing" window for some time and then I had the message I described before). However after installation/unpacking a new window appeared:
title: Software Update
header: Update Failed
text: The partial Update could not be applied. Tor Browser will try again by downloading a complete Update.

So the Updater tried to connect to the update server, but after a longer moment of no visible progress I decided to close the window and start the updater again. Unfortunately this time it didn't try to download the update and there was no error message; it just started up normally and said its version is 6.0.7.

I see I have "tor-browser-linux64-6.0.7_en-US.tar.xz" in "~/.cache/torbrowser/download/". Maybe I could unpack it over "./.local/share/torbrowser/tbb/x86_64/tor-browser_en-US" manually. But Tor Browser currently says I have 6.0.7 version so maybe there's no need to panic;)

The paths you list are unusual. Are you using some external program, like Micah Lee's "torbrowserlauncher" program? Else, why did you end up with files in those locations? Tor Browser should be keeping its fetched stuff inside its directories.

December 01, 2016

In reply to arma

Yes, I'm using Tor Browser Launcher:
https://tracker.debian.org/pkg/torbrowser-launcher

Otherwise I would have to check the signatures myself the first time I download Tor Browser;)

So all what I've written so far maybe affects only Tor Browser Launcher because it looks like it intercepts the start of Tor Browser and performs updates itself. I must say I had a few problems in the past with this launcher and often the solution was to wait for a new version to appear in Debian's repo.

So what's the recommended way of using Tor Browser in Debian? Using this Launcher or downloading manually Tor Browser the first time (and checking signatures) and then Tor Browser will perform update itself and check sigs?

The recommended way is indeed to download Tor Browser once, check the signature, and then let it take care of itself after that.

Torbrowserlauncher is generally fine to use if you are excited to use it, but if it breaks, you get to keep both pieces. :)

November 30, 2016

So our enemy just could not wait for the clock to strike midnight....

Many thanks to the researchers who noticed the exploit being used in the wild to target our community, and to Mozilla and Tor Projects for your rapid response fixing the issue!

November 30, 2016

[Moderator: please do not censor this! I'd try to comment in the Tor Project HR blog, but no user comments are permitted there.]

Great news that TP is hiring a developer.

However, I wish Shari or Roger would speak up and confirm that they are at least attempting to make it very difficult for CIA (or another TLA) to attempt to insert a mole inside Tor, as some fear happened in the Chasteen fiasco.

November 30, 2016

Does this affect the Tor Browser in Tails too? Do I need to update Tor in Tails as well?

December 01, 2016

In reply to arma

yes

November 30, 2016

Could this exploit be used to extract anything from the non-Tor Firefox that the browser isn't already giving away?

As for setting the security slider high in Tor, doesn't everyone already do that? Doesn't seem much point using Tor if you don't.

Well, it depends what the payload of the exploit does. Early indications are that it collects your hostname and your mac address and then sends it to that IP address in France.

I think both of those pieces of information might not be straightforward to get through the legitimate browser APIs.

As for the security slider on high, alas that breaks many websites. Millions of people use Tor each day, and many of them expect "the web" to behave like it does in other browsers. We face a tough battle trying to convince websites to be not broken if you don't want to run the latest crazy web 4.0 fad, and it's getting worse as Chrome accelerates the race to the bottom.

I guess this comes back to "whatever you think Tor is for, I guarantee you there are people who use it for something entirely different than that."

December 01, 2016

In reply to arma

Permalink

Usually what I end up doing with the security slider is to try to visit a new website with the slider set to "high", and then gradually lower the slider and refresh the website if the previous setting renders the site unusable.
It is rather tedious though, and I can't remember on what settings which sites work, except for those I visit semi-frequently.
Either way, is this a correct approach to using the security slider?

I see lots of folks yelling one should never set it to anything other than "high". But that's just so ridiculously impractical. I can't for the life of me imagine how anyone would manage to use the web in such a way.

I set the security slider high permanently. Most sites work fine. If they don't, and I trust them, I simply allow the site in NoScript temporarily and then it works fine. Those few I encounter and the far more Cloudflare sites, I have taught myself to regard as saving time not bothering to look at them. For me, the web I want to see works with the slider set high all the time. YouTube doesn't work. But watching YouTube in Tor is both a waste of time and a bad habit, so I'm glad it doesn't work, it reminds me to do something more productive or just get off the computer and read a book. If I'm missing something on the web, I've forgotten what it is. If I'm encountering problems, they have become non-problems in usage. I feel this breeds a better approach to browsing so I thank Tor for it.

I think that's a great attitude and I hope things are good enough for it to be practical for everyone to share your attitude.

If anyone does come across a website that they feel such a strong need to read that they consider allowing javascript so they can submit to the CloudFlare captcha, a less bad option is using a proxy like https://archive.org/web/ https://ixquick.com https://startpage.com https://validator.w3.org or maybe even https://translate.google.com ... hopefully TBB will start detecting CloudFlare like captive portals are detected, and proxy it automatically, so new users aren't tricked into enabling javascript.
These proxies aren't to use instead of Tor but with it. For websites that block people with Tor from reading them (with the nonsense excuse that blocking read-only access prevents spam).

If you must watch a video, instead of enabling javascript just view-source and search for ".mp4"(on youtube you might have to look for an iframe first), or look for a website that lets you download youtube without javascript; there are plenty. Make sure all your media players and decoding libraries are up to date. Videos aren't as dangerous as javascript but ffmpeg and stagefright have been attacked before.

November 30, 2016

Permalink

FFS, stop enabling javascript and downloading fonts/svg by default in firefox.

Don't pretend to take security seriously when the browser is wide open.

I appreciate your preference for security over usability, but how many times are we going to have to go over this? It's a tradeoff, and it's been explained in the Tor Project FAQ for a long time: https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

If we disable JavaScript by default, the Tor network will shrink substantially (people will go back to Chrome or whatever) and make all fingerprinting/correlation/confirmation/timing attacks even easier than they already are.

There really needs to be a FAQ about this. It's because, as the name might suggest, the sha256-sums-unsigned-build.txt file contains the hashes of the raw unsigned binaries, while the actual executables have Authenticode signatures.

November 30, 2016

In reply to yawning

Permalink

So why do they make it so difficult for us to check the integrity of the downloads?

We are behind firewalls so using GnuPG and verifying with a public key is out of the question.

Who's the genius who decided to provide check sums nobody can use?

Why even bother providing hash for different files?

Why don't they just provide another set of hash so people can quickly verify the signed downloads?

Everyone and their dog provides hash for the files in the same directory, it's not rocket science.

What does the hash give you when it is downloaded from the same website as the binary? In other words: If you are concerned that you really got the binary we wanted you to get why can't an attacker give you a modified binary AND an accordingly modified hash value?

The checksums have a different objective, see: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerif…

Could you elaborate on why using GPG is out of the question if you are behind firewalls?

Yes, that has been a problem for a long time now. It works under torsocks now with no gpg.conf modifications (unless you want a .onion keyserver), for me at least.

It's also possible to get the key fingerprint from https://www.torproject.org/docs/signing-keys.html.en and download the key from pgp.mit.edu, and paste it into gpg --import. It's a few steps more than it should be, but you only have to do it once every few years (whenever the signing key is replaced).

I realize I'm not answering the original question about the hashes anymore, but it is important to understand the difference between a hash and a signature, and which threats the former doesn't protect against.

December 01, 2016

In reply to gk

Permalink

Some people download the same files 10 times from 10 different exit nodes, then verify the hash for all 10 of them.

This doesn't protect against the tor project source website being hacked and files replaced on the server, but can protect against man in the middle switching the files with infected ones.

Unless the hacker hacked all 10 exit nodes and circuits.

December 01, 2016

In reply to gk

Permalink

Maybe he just wanted to know if he downloaded the complete files, not missing 10 bytes at the end.

The tor browser download site doesn't exactly show the complete byte count of each file.
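The difference between a hash and a signature discussed in this thread, as an added example that is not part of the original comments or of any Tor Project code: it runs the same-site checksum, the compare-across-exits approach and a signature check against a pinned key over four constructed scenarios. The toy RSA key, the stand-in installer bytes and all function names are assumptions made for illustration.

```python
import hashlib

# Toy RSA key for illustration only: both primes are well-known Mersenne
# primes and no padding is used, so it offers no security. Real Tor Browser
# releases are signed with OpenPGP; this only models "a key the attacker lacks".
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                              # public modulus, pinned by the user
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never on the server

# Constructed stand-ins for the real installer and a tampered one.
RELEASE = b"constructed stand-in for a Tor Browser installer\n" * 64
EVIL = RELEASE.replace(b"installer", b"backdoor!")

SCENARIOS = ("honest", "truncated", "mitm_one_path", "origin_compromised")


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(data: bytes) -> int:
    """Developer side: sign the SHA-256 of the release with the private key."""
    return pow(int(digest(data), 16), D, N)


def publish(binary: bytes, sig: int) -> dict:
    """What a download location serves: the file, a hash file and a signature."""
    return {"binary": binary, "sha256": digest(binary), "sig": sig}


def fetch(scenario: str, paths: int = 10) -> list:
    """Downloads seen over `paths` circuits; index 0 is the copy the user would run."""
    good = publish(RELEASE, sign(RELEASE))
    # Whoever can rewrite the file can rewrite the hash next to it, but can
    # only replay the old signature.
    evil = publish(EVIL, good["sig"])
    cut = dict(good, binary=RELEASE[:-10])      # last 10 bytes lost in transit
    first = {"honest": good, "truncated": cut,
             "mitm_one_path": evil, "origin_compromised": evil}[scenario]
    rest = evil if scenario == "origin_compromised" else good
    return [first] + [rest] * (paths - 1)


def co_hosted_hash_ok(dl: dict) -> bool:
    """Checksum fetched from the same place as the binary."""
    return digest(dl["binary"]) == dl["sha256"]


def multipath_ok(downloads: list) -> bool:
    """The 'download it 10 times over 10 exits' check: all copies must agree."""
    return len({digest(d["binary"]) for d in downloads}) == 1


def signature_ok(dl: dict, pinned_n: int = N, pinned_e: int = E) -> bool:
    """Signature verified against a public key obtained out of band."""
    return pow(dl["sig"], pinned_e, pinned_n) == int(digest(dl["binary"]), 16)


def evaluate() -> dict:
    """Map each scenario to whether each check would accept the file."""
    table = {}
    for scenario in SCENARIOS:
        downloads = fetch(scenario)
        table[scenario] = {
            "co_hosted_hash": co_hosted_hash_ok(downloads[0]),
            "multipath_compare": multipath_ok(downloads),
            "pinned_signature": signature_ok(downloads[0]),
        }
    return table


if __name__ == "__main__":
    for scenario, row in evaluate().items():
        print(f"{scenario:20}", {k: "accept" if v else "REJECT" for k, v in row.items()})
```

The same-site hash catches the truncated download but accepts the tampered file in both attack scenarios, and comparing copies across exits only helps while the origin itself is intact.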

November 30, 2016

Permalink

WTF is gfx.downloadable_fonts.enabled set to true?
We were hit by the font vulnerability before already, do you people ever learn?

gk

December 01, 2016

In reply to by Anonymous (not verified)

Permalink

I guess you are mixing some things up? The vulnerabilities you have in mind were probably the ones related to the Graphite font rendering library. This one got disabled in Firefox 38.7.1esr and still stays so, see your gfx.font_rendering.graphite.enabled preference which is set to "false" in Tor Browser.

December 01, 2016

In reply to by Anonymous (not verified)

Permalink

As a web designer I actively try to convince others to stop using fonts as icons and UI elements, but so far I feel very unsuccessful. Many websites are totally unusable without fonts.

ps: Sometimes if I don't want to enable fonts, I just open up Inspector and navigate using that. Not too user friendly though.

November 30, 2016

Permalink

Why isn't "Tor Browser 6.0.7 is released" on the front page of torproject.org yet?

It has been hours.

Don't tell me the index page only gets updated like once a day.

You mean in the Recent Blog Posts section or on the website in general? If the former, good question but it is not the only blog post not showing up. There might be an underlying technical issue. If the latter, because we don't advertise new releases on the landing page.

Wow this is so stupid:

Changed 10 months ago by Sebastian

Resolution set to worksforme
Status changed from new to closed

The blog feed on the front page is updated once daily, so it's expected that blog posts won't make it there immediately

November 30, 2016

Permalink

*** 6.0.7 CRASH REPORT***
The last vulnerability was caused by svg
So I updated TorBrowser to 6.0.7
went to about:config and set everything svg to false
when I restart the TorBrowser, it crashes after Tor connects.

I've nailed the crash down to one single setting:
setting "svg.display-lists.painting.enabled" to false

How to reproduce crash:
in about:config
set svg.display-lists.painting.enabled to false
restart tor browser
it'll crash after tor is connected

The browser itself is using SVG for non-content parts so I guess disabling the preference you mentioned is not working well with those parts. This seems to be a Firefox bug to me and I bet Mozilla developers would gladly look into it (you can file a bug at https://bugzilla.mozilla.org).

That said if you want to disable SVG used in websites you should set the security slider to "High". That's enough.

November 30, 2016

Permalink

Folks, after update, remember to go to about:config and set the following to false:

app.update.auto
app.update.enabled
extensions.update.autoUpdateDefault
gfx.downloadable_fonts.woff2.enabled
gfx.downloadable_fonts.enabled
gfx.font_rendering.opentype_svg.enabled
svg.in-content.enabled
svg.marker-improvements.enabled

Those are not good recommendations. You should keep the updater enabled and if you want to have a more secure Tor Browser slide the security slider to a higher position. Otherwise you'll make yourself an easier fingerprinting target.

December 01, 2016

In reply to gk

Permalink

How does not downloading fonts make it less secure, we were hit by font exploits not long ago.

Addons have unique installation timestamps stored within firefox, I'd rather download addon updates manually, not have firefox phoning home all the time and tell them when and what addons I've installed.

Your advice is misleading at best.

Customizing individual settings makes your browser fingerprint more unique.
Disabling downloadable fonts will increase security if there's a vulnerability in the font parser, but when every client except yours downloads fonts, it can be told that the person visiting various pages is the same person; https://panopticlick.eff.org/
That's why the Tor project should disable SVG and downloadable fonts on "high" security slider setting, rather than recommending people to configure it manually.
There should, of course, be a choice to do it manually, but TBB should warn the user when a setting being changed can increase fingerprintability.

This is simply a tradeoff between security and anonymity. The only way to have both is if the security slider does this, or an option is added to keep downloading them but just not parse them

They can't detect what fonts you downloaded unless you enable javascript

fonts are usually on another server anyway (fonts.google.com)

NEVER DOWNLOAD ANY FONTS

agreed.
in the last weeks updates for 'downthemall'
and 'flashgot' were offered by mozilla update
but there were no new versions on both homepages.

December 01, 2016

Permalink

Major flaw in update: it deletes all bookmarks since last update and entire downloads directory. Just lost about 30 hours of work.

The update is not touching your bookmarks nor your downloads directory. Thus, whatever happened on your machine it seems rather unlikely that Tor Browser is responsible for it. What operating system were you using?

EDIT: On second thought: What could have happened is that you lost the bookmarks you made after your update got applied but before you restarted. This should not happen on Windows and OS X but if you are on a Linux system this may happen. There are at least two ways to solve this right away:

1) Setting `app.update.staging.enabled` to `false` in your about:config should prevent it by avoiding the update application in the background.

2) As soon as the update in the background gets applied you'll see an indicator in the upper right corner of your taskbar indicating that your Tor Browser is ready for restart right now. Restarting at that moment prevents bookmark etc. loss as well.

December 01, 2016

Permalink

Dear developers;

Please add a "Restore Default Size" button in torbutton, I'm using Whonix' TBB in Qubes OS and it always for some reason gives me the wrong resolution

Thank you so much for all the hard work!!

December 01, 2016

Permalink

I recently had to have my OS reinstalled and all my bookmarks have gone from TB. There were a lot of them. Is there any way to recover them?
Thanks

Your old operating system, and its file systems, are gone?

It sounds like the answer is no.

You might want to make a backup copy of your bookmark file in the future if you want to keep it across reinstalls.

December 01, 2016

Permalink

I did the update via the autoupdate feature. All works fine.

Now I checked the addons. Clicked on check for updates. And it updates the https everywhere and says to restart.

So which version should we use at the moment for https everywhere? And is it a bad idea to click on update addons? Is it strange that my tor browser doesn't use the newest version of https everywhere?

It looks like I have version 5.27. Newest is 5.28? https://www.eff.org/files/Changelog.txt

Thanks for help !

December 01, 2016

Permalink

I have just updated to 6.0.7
When I use https://ipcim.com/hu/ to check the pathways, the result is that a server in France is always at the top of the country list no matter how many times I change the circuit or even change identity. This is a bit strange any ideas?

December 01, 2016

In reply to arma

Permalink

The last version I used - 6.6 I think - had different relays every time the new tor circuit was changed. So why is it that these 'entry guards' are on some versions of TOR but not on others? I would have thought that having a fixed IP like that would make tracking easier, but I am not an expert like TOR developers are.

If the first entry guard you get is bad, then changing it is good.
But there are strong math proofs showing that without entry guards, almost everyone will be deanonymized at least once.
So the point of entry guards is to have most people never deanonymized, instead of everyone being deanonymized for short periods of time. The argument is that in totalitarian dictatorships, losing your privacy even once will get you targeted, so entry guards were made so if you get a bad one your privacy is invaded over and over which is no worse than once, and if you get a good entry guard you're safe forever (except intrusions into your computer by deliberate 0days (backdoors) that the NSA threatens to kill people for not putting in their software; project BULLRUN requires all US software companies to make remotely exploitable buffer overruns in all their software, aka "magic golden key", aka sabotage/treason).
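The entry-guard argument above worked through numerically, as an added example that is not part of the original comment or of Tor's code. It assumes a simplified model: a fraction `c` of entry and exit selection weight is hostile, relays are picked independently per circuit, and a user counts as deanonymized once a single circuit has a hostile relay at both ends; `c`, `n` and the function names are illustrative.

```python
import random


def p_hit_without_guards(c: float, n: int) -> float:
    """Fresh entry and exit per circuit: each circuit is hostile at both
    ends with probability c*c, so n circuits give 1 - (1 - c^2)^n."""
    return 1 - (1 - c * c) ** n


def p_hit_with_guard(c: float, n: int) -> float:
    """Entry fixed once: only the fraction c of users with a hostile guard
    can ever be hit, and they are hit once a hostile exit turns up."""
    return c * (1 - (1 - c) ** n)


def simulate(c: float, n: int, users: int, use_guard: bool, seed: int = 2016) -> float:
    """Monte Carlo check of the formulas: fraction of users hit at least once."""
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    hit = 0
    for _ in range(users):
        guard_bad = rng.random() < c   # drawn once per user
        for _ in range(n):
            entry_bad = guard_bad if use_guard else rng.random() < c
            if entry_bad and rng.random() < c:   # hostile exit on the same circuit
                hit += 1
                break                  # one hit is enough, stop counting
    return hit / users


def table(c: float = 0.1, circuits=(10, 100, 1000)) -> list:
    """Rows of (n, P[hit] without guards, P[hit] with a persistent guard)."""
    return [(n, p_hit_without_guards(c, n), p_hit_with_guard(c, n)) for n in circuits]


if __name__ == "__main__":
    print("circuits  no guards  with guard   (10% hostile relays)")
    for n, without, with_guard in table():
        print(f"{n:8d}  {without:9.4f}  {with_guard:10.4f}")
    print("simulated, 1000 circuits, 2000 users:",
          simulate(0.1, 1000, 2000, use_guard=False),
          simulate(0.1, 1000, 2000, use_guard=True))
```

Without guards the probability climbs towards 1 as circuits accumulate, while with a persistent guard it levels off at `c`: the unlucky fraction is hit repeatedly and everyone else is never hit under this model.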

Solution:
edit/create a file named 'torrc' (no extension)
\Browser\TorBrowser\Data\Tor\

Add:

#Fix Entry country
EntryNodes {NL}

#Fix Exit country
ExitNodes {CH}

#Block NSA partner countries and unknown countries
ExcludeNodes {GB},{FR},{US},{AU},{NZ},{??}

#Ensure no exceptions for node settings even when nodes are not found
StrictNodes 1

#Improve SSD life span
AvoidDiskWrites 1

#Stop using port 80/9001
FascistFirewall 1
FirewallPorts 443
ReachableDirAddresses *:443
ReachableORAddresses *:443

#Other settings
HiddenServiceStatistics 0

It's also dangerous to create circuit with {US},{DE},{GB} nodes
these countries work together and use supercomputers to record and decrypt traffic

This can't be done because the torrc file says:

# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it

December 01, 2016

Permalink

G-Data writes "The purpose is to retrieve the network interfaces’ mac address and report it to a server."

My question is: if the user set a custom MAC address for the network interface, does this vulnerability use the spoofed address used by Windows, or does it get the real MAC address directly from the network hardware?

Most likely it uses a standard Windows API for obtaining the MAC address, which would probably return the effective (spoofed) address. To get the real burned-in MAC would probably be a bunch of different APIs for various hardware types/vendors, although I'm not a Windows programmer so for all I know there might be a standard API for obtaining this information. The payload is meant to be as reliable (and therefore, simple) as possible, so including code paths for interacting with many different drivers is likely out of the question, at least at this point in time.

Most coverage has been about the attack and exploit vector, but you can probably find an analysis of the payload itself somewhere (I seem to remember The Intercept covered it, I think). You can probably even get a neutered copy of the payload from one of the research groups' sites (I briefly saw one come up recently, but I can't remember the name) and try it yourself. All I know is it was very similar to the one used to attack Playpen in the past.

Keep in mind that, as I understand, it also collects your hostname, serial number, and other pieces of information, and makes a direct connection to its home server, thus revealing your un-torrified IP address. And it could have done just about anything the author wanted it to, once it made its way into your system and was executed. So MAC spoofing is rather insignificant in the grand scheme of things.

Sorry I couldn't be more help, but I hope I pointed you in the right direction.

December 01, 2016

Permalink

Updating straight from 6.0.5 to 6.0.7 on Linux consumed a huge amount of disk space, then ran out of space and failed. Now TBB won't even start.

To be more precise, it was running on an 800MB partition which contained nothing but TBB.

A full uncompressed TBB takes up what? 200MB? 250MB? Can't understand why it would need more than 800MB to do an update:

Surely:
250MB old TBB
100MB mar file
250MB new TBB = 600MB total

Would be great if updates could be done in a way that doesn't cause so much bloat.

Also, +1 to the person on the 6.0.6 update thread who asked that the updater check if enough space is available *before* it starts applying the update.

Thanks.

The incremental updates are usually just a couple of MiB as they contain just the diff from the previous version. But using 800MiB with a clean Tor Browser and updating it, even using a full update, should be more than enough.

I think checking for available disk space before updating and warning the user if there is a risk of it being not sufficient is a good idea. We have https://trac.torproject.org/projects/tor/ticket/18186 for that. See the comments which could explain why those 800MiB were maybe not enough and how to workaround that.

December 02, 2016

In reply to gk

Permalink

Good to see there is a ticket and a possible workaround too.

You're amazing, thanks :)

No they won't. God will kill these fascist pigs and burn them all in hell forever for destroying a once great nation. They will die horrible deaths for making the USA as bad as China. Today is the beginning of Satan's 3 and a half year dominion over mankind. The terrorists were way off in thinking of American citizens as "the great satan"; it's the government that is, and not just US government, but most governments. I read the book though and know the ending.

December 01, 2016

Permalink

Let me see:

* Deanonymisation bug in Firefox - let's patch it!
* Another deanonymisation bug in Firefox - let's patch it, too!
{repeat ad nauseam}

Why Firefox, being continuously weak element of Tor Bundle is forced upon us? Why not to return to solution like Vidalia?

By the way, does Torproject endorse Whonix? It is not susceptible to any Tor Browser vulnerability and provides better isolation than Tails.

Because Vidalia is not a browser. That said browsers will probably always be a weak element in the bundle as they have a vastly larger attack surface than any of the other components. We could consider Chrome instead but that would not give us a Tor Browser in the short nor the medium term due to scarce engineering capacities at least.

December 02, 2016

In reply to gk

Permalink

Or even (eventually) Servo? I know switching would be a big project but maybe one day...

December 04, 2016

In reply to gk

Permalink

Chrome?? With Google inside and no access to the source code?
I thought TB is about forking, changing the source code

December 02, 2016

Permalink

More and more exits end connections with blank pages instead of error messages :( :
09:41:19.841 The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.

Is that caused by the exit node? I always thought the white page was a form of tor blocking, because if you get a new circuit, sometimes it'll work. (And sometimes it's just bad web development and nothing shows up unless you javascript ;_;)

Yes, it is. Website works with a new circuit, shows special page for blocked IP, works without JS. And it is not actually the white page, it is zero size "page".

Many "javascript-only" articles can be read by simply pressing -u or right-clicking the page and clicking "view source" (for Orfox mobile type "view-source:" in the front of the address page).

December 02, 2016

Permalink

A Problem on the Mac OS when using transport type scramblesuit it stops working after a period. I found to correct the problem I had to install the old TOR version 6.06 and reinstall from that TOR browser to recover transport type scramblesuit.

I also experienced a problem in which TOR would not start. I found 2 running TOR processes which were still running even though the Yosemite Mac showed the Tor browser not running in the Finder. Once the processes were closed Tor would open

You mean a freshly downloaded Tor Browser 6.0.7 has the Scramblesuit issue but downloading a fresh 6.0.6 and updating to 6.0.7 fixes that for you? Interesting because we did not change any pluggable transport related parts in 6.0.7. It is basically just updated with the fix for the zero-day exploit (+ contains the up-to-date NoScript).

December 07, 2016

In reply to gk

Permalink

understood. I also noticed scramblesuit will stop working after performing the downgrade and then upgrade. IP 83.212.101.3 to port 443 is not responding.

Log
07-12-2016, 9:26:40.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:28:40.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:30:14.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:32:14.100 [NOTICE] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
07-12-2016, 9:38:41.300 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("general SOCKS server failure")

December 02, 2016

Permalink

Hello to all.

I have a problem when I try to update Tor browser via update software with TBB.

Here's the return:

There were problems checking for, downloading, or installing this update. Browser Tor could not be updated because:

The integrity of the update could not be verified

It has always worked well for updates but the, I have a worry.

Thank you to you and to all the team.

Ps: I'm running Debian Os Parrotsec Version 3.2 64-bit
Linux kernel 4.8.0-parrot-amd64 x86_64.

December 02, 2016

Permalink

Hello back

My update problem was solved by this: 1) Setting `app.update.staging.enabled` to `false` in your about:config should prevent it avoiding the application in the background.

Thank you for your comments, it is thanks to you that I solved my problem;)

Ps: 64-bit version 3.2
Linux kernel 4.8.0-parrot-amd64 x86_64

Thank you all is all

December 02, 2016

Permalink

When using a Mac I get the following error in the log

Proxy Client: unable to connect to 83.212.101.3:443 ("general SOCKS server failure")

I find the IP above is not responding using 443 with scramblesuit

I don't know about adguard in particular, but this sounds like a good illustration of why you shouldn't add random extensions to your Tor Browser -- they can end up doing all sorts of surprising things that mess up your privacy.

December 03, 2016

Permalink

I announced a problem in gk's blog on TB6.0.6 dated 11/27/2016. Basically I said

According to my torlog it isolates OK :

11/27/2016 17:50:54.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.

But I also reported that it actually did not work as I, thoughtlessly, ran an install from the internet and succeeded.

And gk admitted I should not have succeeded. I should have needed something like torsocks to get out when I had TB running.

On November 28th, 2016 gk said:

"Not sure how you have configured your package updates/installation but, no, Tor does not automatically tunnel all your network activity. You have to configure every application to do that."

I said I was using TB6.0.6 under ubuntu 16.04 (live-cd) on an old Toshiba Satellite. I burnt a fresh TB after I got suspicious against the old usb I had used so far.

And I reported the other strange symptom I had detected: The new thing that happens is a slight delay. A first attempt to start now always fails, independent of the configuration I choose.
But after a short while it works fine even with the config that failed to begin with.
Furthermore then communication is very slow, like 60k instead of the 200k I have had recently.

On November 30th, 2016 I reported:

By setting Privacy and Security settings to HIGH. and then in NoScript allowing all in the site I can even view video shows there, otherwise nogo.

The sad thing is that although this all looked like it could have to do with the problem solved by TB-6.0.7, after changing to TB-6.0.7 my connection works fast enough, BUT I still have this strange side connection to the internet. DisableNetwork does not work, that's my interpretation, somehow crawling beside it is possible.

And that means I cannot trust TB-6.0.7 either, right?.

I am having a tough time figuring out what you're doing and what you're expecting.

Are you thinking that setting DisableNetwork in the config of the Tor process run by Tor Browser will somehow prevent...something else from happening on your computer?

The DisableNetwork option does not mean that Tor Browser is reaching into your computer and preventing your Internet from working. It simply means that the Tor process run by Tor Browser has been instructed to not make connections out to the Tor network.

December 04, 2016

In reply to arma

Permalink

Ok, so I am supposed to be able to reach the internet with other means in parallel with the TB. I thought that was stopped. Does Tails do that, perhaps I am confusing Tails and TB

Tails does have a firewall to prevent network traffic going out from applications that aren't properly configured to use Tor.

Tor Browser is just a browser: it tries to make sure that it behaves correctly, and it doesn't try to take over anything else on your computer.

December 06, 2016

In reply to arma

Permalink

Fine, so my worry about the parallel connection was a confusion.
Remains then this little increased delay, or rather a regular initial failure, to connect to tor network. It appeared when I started to use a CD to load TB6.0.6 from.
Ifconfig tells me the connection is up as both TX and TR are positive, but tor cannot connect (to a first server?; log would clarify?). Once I config to e.g. fte and try again everything is fine, if enough time has passed (?), if not I may fail. And if as a third attempt I revert to the default config, I almost always succeed. Why does this happen? Should I not worry about it?

December 07, 2016

In reply to arma

Permalink

First attempt
Config default

12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:41.700 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:56:41.700 [NOTICE] Renaming old configuration file to "/home/lubuntu/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc.orig.1"
12/07/2016 17:56:42.500 [NOTICE] Bootstrapped 5%: Connecting to directory server
12/07/2016 17:56:42.500 [WARN] Problem bootstrapping. Stuck at 5%: Connecting to directory server. (Network is unreachable; NOROUTE; count 1; recommendation warn; host 35E8B344F661F4F2E68B17648F35798B44672D7E at 146.0.32.144:9001)
12/07/2016 17:56:46.200 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:56:46.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:56:46.200 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
12/07/2016 17:56:46.200 [NOTICE] Delaying directory fetches: DisableNetwork is set.
12/07/2016 17:57:07.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:07.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:07.200 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:07.200 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:57:12.900 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
12/07/2016 17:57:12.900 [WARN] Proxy Client: unable to connect to 128.105.214.163:8080 ("Network unreachable")
12/07/2016 17:57:12.900 [WARN] Proxy Client: unable to connect to 131.252.210.150:8080 ("Network unreachable")
12/07/2016 17:57:12.900 [WARN] Proxy Client: unable to connect to 128.105.214.161:8080 ("Network unreachable")
12/07/2016 17:57:13.000 [WARN] Proxy Client: unable to connect to 128.105.214.162:8080 ("Network unreachable")
12/07/2016 17:57:46.100 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:57:46.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:46.100 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
Next attempt
Config fte

12/07/2016 17:57:57.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:57.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:57.100 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:57:57.100 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/07/2016 17:57:59.800 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
12/07/2016 17:57:59.900 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
12/07/2016 17:58:00.300 [NOTICE] new bridge descriptor 'noether' (fresh): $7B126FAB960E5AC6A629C729434FF84FB5074EC2~noether at 192.99.11.54
12/07/2016 17:58:00.300 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:00.900 [NOTICE] new bridge descriptor 'riemann' (fresh): $752CF7825B3B9EA6A98C83AC41F7099D67007EA5~riemann at 198.245.60.50
12/07/2016 17:58:00.900 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.300 [NOTICE] Bridge 'Lisbeth' has both an IPv4 and an IPv6 address. Will prefer using its IPv4 address (192.95.36.142:443) based on the configured Bridge address.
12/07/2016 17:58:01.300 [NOTICE] new bridge descriptor 'Lisbeth' (fresh): $CDF2E852BF539B82BD10E27E9115A31734E378C2~Lisbeth at 192.95.36.142
12/07/2016 17:58:01.300 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.600 [NOTICE] new bridge descriptor 'GreenBelt' (fresh): $C73ADBAC8ADFDBF0FC0F3F4E8091C0107D093716~GreenBelt at 154.35.22.9
12/07/2016 17:58:01.600 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.700 [NOTICE] new bridge descriptor 'Mosaddegh' (fresh): $8FB9F4319E89E5C6223052AA525A192AFBC85D55~Mosaddegh at 154.35.22.10
12/07/2016 17:58:01.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.700 [NOTICE] new bridge descriptor 'MaBishomarim' (fresh): $A832D176ECD5C7C6B58825AE22FC4C90FA249637~MaBishomarim at 154.35.22.11
12/07/2016 17:58:01.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.700 [NOTICE] new bridge descriptor 'LeifEricson' (fresh): $A09D536DD1752D542E1FBB3C9CE4449D51298239~LeifEricson at 83.212.101.3
12/07/2016 17:58:01.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:01.800 [NOTICE] new bridge descriptor 'JonbesheSabz' (fresh): $00DC6C4FA49A65BD1472993CF6730D54F11E0DBB~JonbesheSabz at 154.35.22.12
12/07/2016 17:58:01.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:02.100 [NOTICE] Bootstrapped 25%: Loading networkstatus consensus
12/07/2016 17:58:05.700 [NOTICE] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
12/07/2016 17:58:05.900 [NOTICE] Bootstrapped 40%: Loading authority key certs
12/07/2016 17:58:06.800 [NOTICE] Bootstrapped 45%: Asking for relay descriptors
12/07/2016 17:58:06.800 [NOTICE] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/7235, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
12/07/2016 17:58:06.800 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/07/2016 17:58:06.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/07/2016 17:58:06.800 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
12/07/2016 17:58:07.000 [NOTICE] Delaying directory fetches: DisableNetwork is set.

December 09, 2016

In reply to arma

Permalink

There are two attempts to start TB6.0.7 and connect logged above. The first one with the default config, the second with "fte". Both failed, but a third, again with the default config, succeeded; unfortunately I failed to log it.

December 13, 2016

In reply to arma

Permalink

After I realized I should enable ufw to have any kind of firewall and do a security upgrade of Ubuntu, I think problems are far fewer, if any at all.

Any comment on this sequence of events?

December 03, 2016

Permalink

Tails 2.7.1 has been out for a while, but I have read no posting of the latest release of Tails on the Tor Project blog?

December 04, 2016

Permalink

10:53:36.100 Exception { message: "", result: 2147549183, name: "NS_ERROR_UNEXPECTED", filename: "resource://gre/modules/commonjs/too…", lineNumber: 236, columnNumber: 0, data: null, stack: "CanvasFrameAnonymousContentHelper.p…", location: XPCWrappedNative_NoHelper } protocol.js:907
10:53:36.200 "Protocol error (unknownError): [Exception... "Unexpected error" nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)" location: "JS frame :: resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/highlighters/utils/markup.js :: CanvasFrameAnonymousContentHelper.prototype._insert :: line 236" data: no]" Promise-backend.js:936

December 04, 2016

Permalink

It looks like uMatrix should be part of TorBrowser. This module would give us finer control over what we want to block. NoScript is very good but rather unwieldy. Both modules would be an improvement. NS protects us against XSS and ClearClick, so we can’t do away with it (though ClearClick protection is disabled in TB NS, don’t know why).

Even when using Firefox, disabling CSS can be a good idea on untrusted websites, like those of newspapers, and Cloudflare-hosted websites (maybe I’m wrong but I don’t trust Cloudflare).

I understand that all TB users should view web pages in the same way so as to be anonymous, but enabling JS, images, even CSS, is dangerous.

What do you think?

I think that disabling those things yourself could make you less anonymous but with fewer possible ways to be hacked.
I also think that it would be awesome if Tor Project could somehow find ways to disable more potentially vulnerable parts of the browser by default without sacrificing ease-of-use too much, and add the rest to the security slider so it can be disabled without making the browser more fingerprintable (see https://panopticlick.eff.org/). If disabling, say, SVG images and CSS animations hurts ease-of-use too much to be default, it could still be done at security slider "high" setting.

Right now it's not even possible to disable SVG manually (see https://trac.torproject.org/projects/tor/ticket/20772).

December 06, 2016

Permalink

Would the bug be effective in case of TBB running in VirtualBox running Windows guest / Windows host?

(guest connected to host in NAT mode, both macid and ip are dud in the virtualbox guest)

December 07, 2016

Permalink

I reset NoScript but it seems to have taken it back to the vanilla NoScript rather than the Tor default configuration. How can I reset NoScript to the original Tor settings? I can't find any mention of what they are anywhere.

Open the security setting menu (click on the green onion -> Privacy and Security Settings... -> drag the slider to "Low" -> click "OK"). That should at least give you back the settings governed by the security slider. Apart from that there is no general button to reset the NoScript settings to the ones we ship by default.

December 08, 2016

Permalink

While using scramblesuit on a Mac running Yosemite, there was a problem with port 443 on IP 83.212.101.3 responding, preventing the use of that transport. That was corrected; now I get the below error:

08-12-2016, 19:42:25.900 [NOTICE] Opening Socks listener on 127.0.0.1:9150
08-12-2016, 19:47:25.800 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
08-12-2016, 19:47:25.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
08-12-2016, 19:47:25.800 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
08-12-2016, 19:47:26.700 [NOTICE] Delaying directory fetches: DisableNetwork is set.
I

December 08, 2016

Permalink

I always install Tor onto a flash drive. Today I cut the Tor Browser folder from the flash drive and pasted it onto my desktop. I then downloaded the latest version of Tor Browser 6.0.7 to my desktop. I clicked on it and installed Tor 6.0.7 onto the flash drive. I forgot to make a backup copy of my latest bookmarks on the flash drive. I thought no big deal, I'll just close the Tor 6.0.7 program I was running on the flash drive, open the old version of Tor that I pasted onto the desktop, make a copy of my bookmarks and then exit the old version running off my C: drive. Much to my surprise, the latest version of Tor was also running on my C: drive and my latest bookmarks have been erased! I'm confused! I told the program to install Tor 6.0.7 onto the flash drive. Why does it also run Tor 6.0.7 off my C: drive when I installed it to the flash drive? Is there a way to find my last version of Tor, open it up, run it and retrieve my bookmarks? I don't use backup programs as I just try to keep the important stuff on external HDs.

December 20, 2016

In reply to gk

Permalink

I figured it out. I dismounted the flash drive, restarted the computer and then double-clicked on the old Tor browser that was now on the desktop. The browser then showed my current bookmarks. I saved them to the desktop then exited the Tor browser. I then changed the file name of the browser and securely deleted it. I then went back to using the latest version of Tor on the flash drive and imported my newest bookmarks into the Tor browser. Problem solved and lesson learned!

Thanks for a quick reply and trying to assist me!

December 09, 2016

Permalink

Mac OS problems
-Strangely when I remove Tor browser 6.06 sha 256 59e127188f4090efe45f31318a6117e8c59532f756c2324c0369538b988f5fbd
and reinstall, Bookmarks are automatically restored.

-In the directory Torbrowser.app/contents/MacOS/Tor/pluggabletransports It is missing the transport FTE and scramblesuit yet scramblesuit is shown in the Torbrowser.

On OS X the Tor Browser user data folder is separated from the one containing the binaries needed to run Tor Browser. In order to get a fresh experience you must delete the former as well. In case you installed Tor Browser to /Applications your user data should be in ~/Library/Application Support/TorBrowser-Data.

Yes, FTE is missing as its outline on disk does not comply with Gatekeeper signing requirements (see: https://trac.torproject.org/projects/tor/ticket/18495). Scramblesuit is nowadays provided by obfs4proxy.

December 13, 2016

In reply to gk

Permalink

Thanks. Deleting the torbrowser file in ~/Library/Application Support/TorBrowser-Data allowed me to install torbrowser with no bookmarks.

December 10, 2016

Permalink

It's worth noting that so far both this exploit and the earlier CIPAV installing exploit relied on javascript and used a Windows-only payload. If your safety or even more so that of anyone else depends on anonymity, you should not use Windows for Tor, and should avoid using websites that don't work without javascript for work that requires anonymity. When you must use JS, (say for posting a video of the local police chief going to a pimp for his weekly session with a ten year old) layer your defenses by using Tails from a public wifi access point, and sitting where security cameras cannot see you.

December 13, 2016

Permalink

On my Mac, if I place an entry in the find field on my Torbrowser, it also appears in my Firefox find field, 50.02.

December 15, 2016

Permalink

Apparently this patch was created from a leaked exploit posted on an extremely illegal website, according to VICE Media who may now have turned their researchers into criminals just by visiting the site.

Are there any legal issues involved in counter-forensics patches or are software developers safe because it makes their software less vulnerable to exploits that could be hazardous to users in general?

December 20, 2016

Permalink

Using Tor 6.0.7 on Windows with automatic checking for updates set to false, updates were still automatically downloaded and installed. This behavior seems like a bug to me (even if automatic updates are advisable).